image3maker (Internal Tool)

From The Apple Wiki
Image3maker
Original author(s): Apple Inc.
Developer(s): Apple Inc.
Operating system: macOS
Size: 77,760 bytes [APP]
Available in: English
Type: ?
License: Closed source

image3maker is an Apple internal tool used to create img3 firmware files. It is implemented mostly in C and ships with its symbols stripped. An open source reimplementation with the same name, Image3maker, also exists.

From the disassembly, the per-image AES key and IV appear to be generated from /dev/random. The GID key is loaded from a plist at /usr/local/standalone/firmware/platform_keys.plist and is used to encrypt the KEY/IV fields stored in the KBAG (referred to as the "Keybag") tag. That plist is therefore the sensitive part of the build environment: whoever holds the platform's GID key can unwrap the payload key of any image the tool produces with it.

Usage

The usage information from running the binary.

Usage: image3maker [options]

image3maker: Modes:
image3maker:     --create                             Create a new image3 file
image3maker:     --update                             Update an existing image3 file
image3maker:     --hashForSigning                     Generate and print the SHA-1 hash of the signable area
image3maker:     --signWithData                       Sign with supplied data
image3maker:     --finalizeWithoutSignature           Finalize image3 file for use with authorized installation
image3maker:     --printEpoch                         Print the numeric value of the epoch specified by --epoch
image3maker:     --print                              Print the value of the tag specified by --tag
image3maker: 
image3maker: General options:
image3maker:     --unsign                             Removes signature information, allowing operations on images
image3maker:                                          that have previously been signed.
image3maker: 
image3maker: Arguments for --create and --update:
image3maker:     --imagefile <file>                   Image3 format file
image3maker:                                            In --create mode this file is created or truncated
image3maker:     --type <type>                        Hex or 4-byte ASCII type tag
image3maker:                                            This is required for --create mode, not permitted in --update mode
image3maker:     --version <version>                  Set version string
image3maker:     --epoch <security epoch>             Explicit epoch or chip name to pick system default
image3maker:                                            default for 's5l8747x' is 16
image3maker:                                            default for 's5l8920x' is 4
image3maker:                                            default for 's5l8922x' is 2
image3maker:                                            default for 's5l8930x' is 2
image3maker:                                            default for 's5l8940x' is 17
image3maker:                                            default for 's5l8942x' is 16
image3maker:                                            default for 's5l8945x' is 16
image3maker:                                            default for 's5l8947x' is 16
image3maker:                                            default for 's5l8950x' is 16
image3maker:                                            default for 's5l8955x' is 16
image3maker:     --hardwareEpoch <hardware epoch>     Set the hardware epoch
image3maker:                                          Should only be used for Image3 objects embedded in certs.
image3maker:     --domain {manufacturer|darwin|rtxc}
image3maker:     --data <data file>                   Add payload data from <data file>
image3maker:     --personalize                        Personalize the image for local storage
image3maker:     --production                         Marks the image as a production image
image3maker:     --development                        Marks the image as a development image
image3maker:     --override <override>                Set the override value.
image3maker:                                          Should only be used for Image3 objects embedded in certs.
image3maker:     --chipType <chip ID>
image3maker:     --boardID <board ID>
image3maker:     --uniqueID <unique chip ID>
image3maker:     --padWithRandomBytes                 Adds random pad data
image3maker: 
image3maker: Arguments for --hashForSigning:
image3maker:     --partialHashReservationSize <size>  Requests a partial (unfinalized) hash rather than a normal hash.
image3maker:                                            The partial hash is computed assuming that an additional size bytes
image3maker:                                            will be added to the final signed portion of the image.
image3maker: 
image3maker: Arguments for --signWithData:
image3maker:     --expectHash <hash value>            Require that the image hash to <hash value>
image3maker:     --signWithSignature <signaturefile>  Sign the image using the supplied signature file
image3maker:     --signWithCertChain <chainfile>      Place the supplied cert chain file into the signed image
image3maker: 
image3maker: Arguments for --finalizeWithoutSignature:
image3maker:     --expectHash <hash value>            Require that the image hash to <hash value>
image3maker: 
image3maker: Arguments for --print:
image3maker:     --tag <tag name>                     Tag to be printed, either a 4 character string or a hexadecimal
image3maker:                                            number prefixed with 0x
image3maker:     --skip <n>                           Requests the nth occurrence of the specified tag. Defaults to 0.
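As an added example (not code from this page, from Apple's tool, or from the open source Image3maker), the following Python sketch ties together the KBAG paragraph above and the --create, --print and --hashForSigning modes in the usage text: it assembles a small img3 container, implements the --tag/--skip lookup (accepting either a 4-character name or a 0x-prefixed hex value, as the usage states), and computes a SHA-1 over the signable area. The img3 layout it assumes (a 20-byte header, 12-byte tag headers, little-endian 4ccs), the KBAG field order, and the convention that sigCheckArea covers the tags before SHSH come from the public img3 format description rather than from this page. The AES wrapping of the KBAG key and IV under the GID key is deliberately not performed, the 4-byte tag padding is this example's own choice, and the payload is constructed.

```python
import hashlib
import os
import struct
from typing import Iterator, List, Optional, Tuple

# Assumed img3 layout (public img3 format, not documented on this page): a 20-byte
# header, then tags of a 12-byte header plus padded payload. Integers are
# little-endian and each 4cc is stored as a little-endian uint32, so "Img3" is
# b"3gmI" on disk and "TYPE" is b"EPYT".
HEADER = struct.Struct("<4sIII4s")   # magic, fullSize, sizeNoPack, sigCheckArea, ident
TAG_HEADER = struct.Struct("<4sII")  # magic, totalLength, dataLength


def fourcc(name: str) -> bytes:
    """On-disk form of a four-character tag name."""
    if len(name) != 4:
        raise ValueError("tag names are exactly four characters")
    return name.encode("ascii")[::-1]

def tag_from_arg(arg: str) -> bytes:
    """Mirror --tag: a 4-character string or a hexadecimal number prefixed with 0x."""
    if arg.lower().startswith("0x"):
        return struct.pack("<I", int(arg, 16))
    return fourcc(arg)

def build_tag(name: str, data: bytes) -> bytes:
    padded = data + b"\x00" * (-len(data) % 4)  # 4-byte padding is this example's choice
    return TAG_HEADER.pack(fourcc(name), TAG_HEADER.size + len(padded), len(data)) + padded

def build_kbag(key: bytes, iv: bytes, crypt_state: int = 1) -> bytes:
    """Assumed KBAG payload: cryptState, key size in bits, IV, key. image3maker
    AES-encrypts the IV and key under the GID key from platform_keys.plist; that
    wrapping is NOT done here, so this tag holds raw values and shows layout only."""
    return struct.pack("<II", crypt_state, len(key) * 8) + iv + key

def build_img3(image_type: str, tags: List[Tuple[str, bytes]]) -> bytes:
    """Assemble a container as --create would. sigCheckArea is taken to cover
    every tag before the first SHSH tag, so the signature never covers itself."""
    body, sig_check_area = b"", None
    for name, data in tags:
        if name == "SHSH" and sig_check_area is None:
            sig_check_area = len(body)
        body += build_tag(name, data)
    if sig_check_area is None:
        sig_check_area = len(body)  # not signed yet: the whole tag area is signable
    return HEADER.pack(fourcc("Img3"), HEADER.size + len(body), len(body),
                       sig_check_area, fourcc(image_type)) + body

def parse_img3(blob: bytes) -> Iterator[Tuple[bytes, bytes]]:
    """Yield (on-disk tag magic, payload) per tag. Length fields are untrusted
    input to any img3 parser, so each is bounds-checked before use; an unchecked
    totalLength of 0 would otherwise loop forever."""
    if len(blob) < HEADER.size:
        raise ValueError("truncated header")
    magic, full_size, _, _, _ = HEADER.unpack_from(blob, 0)
    if magic != fourcc("Img3"):
        raise ValueError("not an img3 file")
    end, off = min(full_size, len(blob)), HEADER.size
    while off + TAG_HEADER.size <= end:
        tag, total, dlen = TAG_HEADER.unpack_from(blob, off)
        if total < TAG_HEADER.size or off + total > end or dlen > total - TAG_HEADER.size:
            raise ValueError(f"malformed tag at offset {off:#x}")
        yield tag, blob[off + TAG_HEADER.size:off + TAG_HEADER.size + dlen]
        off += total

def find_tag(blob: bytes, tag_arg: str, skip: int = 0) -> Optional[bytes]:
    """Mirror --print --tag <tag> --skip <n>: payload of the nth occurrence."""
    wanted, seen = tag_from_arg(tag_arg), 0
    for tag, data in parse_img3(blob):
        if tag == wanted:
            if seen == skip:
                return data
            seen += 1
    return None

def signable_hash(blob: bytes) -> str:
    """Mirror --hashForSigning, assuming the signable area is the sigCheckArea
    bytes immediately following the 20-byte header."""
    _, _, _, sig_check_area, _ = HEADER.unpack_from(blob, 0)
    if HEADER.size + sig_check_area > len(blob):
        raise ValueError("sigCheckArea runs past the end of the file")
    return hashlib.sha1(blob[HEADER.size:HEADER.size + sig_check_area]).hexdigest()


if __name__ == "__main__":
    key, iv = os.urandom(32), os.urandom(16)  # image3maker draws these from /dev/random
    blob = build_img3("krnl", [
        ("TYPE", fourcc("krnl")),
        ("DATA", b"constructed payload, not real firmware"),
        ("VERS", b"example-1.0"),
        ("SEPO", struct.pack("<I", 16)),  # security epoch 16, the s5l8950x default above
        ("KBAG", build_kbag(key, iv)),
        ("SHSH", b"\x00" * 128),          # placeholder for data from --signWithSignature
    ])
    print("--hashForSigning:", signable_hash(blob))
    print("--print --tag VERS:", find_tag(blob, "VERS"))
```

The bounds checks in parse_img3 are the part worth copying: totalLength and dataLength are read straight from the file, and a loader that trusts them can be driven into an infinite loop or an out-of-bounds read by a crafted image. Note also that the signable-area hash is identical with and without the SHSH tag, which is exactly what lets --hashForSigning run before the signature exists.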