Obtaining IMG3 Keys

From The Apple Wiki

Method 1[edit source]

This is one way of getting the IMG3 keys using iBoot/iBEC patch based on the Dev Team's and Geohot's exploits and was tested on both Linux and Windows OS. Epic thanks to #xpwn crew on irc.osx86.hu !

What you need[edit source]

Summary[edit source]

Patched a function in the iBEC file so that it will branch to the desired memory location when the associated iboot command is called in ibooter. The desired memory location is at 0x09000000 as indicated by an earlier Geohot post and the iboot command chosen is "clearenv" in this documentation. The desired memory location will be housing the codes that enable and call the hardware AES engine so that the KBAG data can be decrypted for Keys/IV.

Steps[edit source]

Unpack iBEC.m68ap.RELEASE.dfu[edit source]

Utilizing xpwntool, enter this command:

xpwntool <original iBEC file> <unpacked iBEC file>
xpwntool iBEC.m68ap.RELEASE.dfu unpacked_iBEC

Patching iBEC.m68ap.RELEASE.dfu[edit source]


ROM:180074A0                 PUSH    {R4,R5,R7,LR} ;"clearenv" routine starts here
ROM:180074A2                 ADD     R7, SP, #8
ROM:180074A4                 ADDS    R4, R1, #0
ROM:180074A6                 CMP     R0, #1
ROM:180074A8                 BGT     loc_180074B4
ROM:180074AA                 LDR     R0, =aNotEnoughArgum


ROM:180074A0                 LDR     R3, =0x9000000
ROM:180074A2                 BX      R3
ROM:180074A2 ; ---------------------------------------------------------------------------
ROM:180074A4 dword_180074A4  DCD 0x9000000           ; DATA XREF: ROM:180074A0�r
ROM:180074A8 ; ---------------------------------------------------------------------------
ROM:180074A8                 BGT     loc_180074B4
ROM:180074AA                 LDR     R0, =aNotEnoughArgum 

You will notice that iBEC starts at 0x18000000 but in your Hex Editor, just do the following changes at 0x74A0:

0x000074A0: 00 4b 18 47 00 00 00 09

The idea is to tell clearenv routine to branch to 0x09000000 and BX is used because the codes to be used at 0x09000000 later will be in ARM. This "clearenv" routine is in THUMB mode. BX will enable them to switch. Save and name your modified iBEC, for example iBECmod.

Packing the modified iBEC[edit source]

Using xpwntool:

xpwntool iBECmod iBEC.patch -t iBEC.m68ap.RELEASE.dfu

Note that the original iBEC file has to be used after -t as a template. IBEC.patch will be your modified, packed iBEC file.

Executing patched iBEC in ibooter[edit source]

Windows[edit source]

Put iPHUC and your patched iBEC in the same folder. Boot iPHUC and boot your iPhone in recovery mode. Type the following into iPHUC once it recognizes your iPhone:

filecopytophone iBEC.patch

It should return "filecopytophone: 0"
Then type this:

cmd go

Your iPhone will reboot and display a blank black screen immediately. You are now ready to proceed with sending the payload and the KBAG that you want to decrypt.

Linux[edit source]

Put your iPhone in recovery mode, connect the USB cable and launch ibooter. Press ^F (CTRL+F) and Enter, you will be prompted for a file name, type and patched iBEC file name and press enter. Next you will be prompted for memory location to load. Enter 0x9000000 for that and press enter.

Now type:


to execute the patched iBEC. Your iPhone will reboot into a blank screen and that's good. You need to reconnect the ibooter after the "reboot".

Calling The Hardware AES Engine[edit source]

Type the following ARM codes in iBooter. Those were slightly modified geohot codes.

mw 0x9000000 0xe92d4090       // stmdb   sp!, {r4, r7, lr}
mw 0x9000004 0xe59f0038       // ldr     r0, [pc, #56]   
mw 0x9000008 0xe59f1038       // ldr     r1, [pc, #56]   ; EnableDecrypt at 0x9000048
mw 0x900000c 0xe5810000       // str     r0, [r1]
mw 0x9000010 0xe59f0024       // ldr     r0, [pc, #36]   ; Data ptr at 0x900003c
mw 0x9000014 0xe3a01020       // mov     r1, #32 ; 0x20 bytes to be decrypted
mw 0x9000018 0xe3a02001       // mov     r2, #1  ; 0x1
mw 0x900001c 0xe3a03000       // mov     r3, #0  ; 0x0
mw 0x9000020 0xe1a0700d       // mov     r7, sp
mw 0x9000024 0xe24dd004       // sub     sp, sp, #4      ; 0x4
mw 0x9000028 0xe58d3000       // str     r3, [sp]
mw 0x900002c 0xe59f400c       // ldr     r4, [pc, #12]   ; AESDecrypt at 0x9000040
mw 0x9000030 0xe12fff34       // blx     r4
mw 0x9000034 0xe1a0d007       // mov     sp, r7
mw 0x9000038 0xe8bd8090       // ldmia   sp!, {r4, r7, pc}
mw 0x900003c 0x09000100        
mw 0x9000040 0x18001791       
mw 0x9000044 0x43a343a3
mw 0x9000048 0x180015c0  
mw 0x9000100 0x5418c5de       // KBAG data from 5A347 3G restore Ramdisk
mw 0x9000104 0x7e30b0ff
mw 0x9000108 0x0ea9b00e
mw 0x900010c 0x421f6288

Now, we are going to call "clearenv" in iBooter to execute the above codes (recall that we have patched "clearenv" in iBEC to allow it to branch to the above memory location). Simply type


and enter.

Get The Keys/IV[edit source]

Phew!! Now, let's get the goodies. Simply type:

mdb 0x9000100

Let's see what you get in there!!!!

Notes[edit source]

There exists much easier method for getting the Keys/IVs (A matter of typing just a command line) but this is more fun. ;)

Method 2[edit source]

There is no "easier" method. You need access to the phone's AES engine, or you need to extract the GID Key from the phone.

This is fully understood: The phone has an AES key embedded inside of it. That key is needed to decrypt the KBAG section of new IMG3 files.

I couldn't get OpeniBoot running, so I wrote some code to call the iBoot function. And no, I don't have the source, I wrote it just as you see it :) This patch is to 1.1.4 iBoot, and you also need to patch a function to jump to 0x9000000. ~geohot

iBoot Patch[edit source]

//aes caller
mw 0x9000000 0xE1A0700E
mw 0x9000004 0xE59F0018
mw 0x9000008 0xE3A01020  //size
mw 0x900000C 0xE3A02001  //1=gid-key 2=uid-key
mw 0x9000010 0xE3A03000
mw 0x9000014 0xE58D3000
mw 0x9000018 0xE59F4008
mw 0x900001C 0xE12FFF34
mw 0x9000020 0xE12FFF17
mw 0x9000024 0x09000100  //data
mw 0x9000028 0x18001791  //ptr to function

//enable decrypt
mw 0x180015C0 0x43A343A3

Tests on Key 0x837[edit source]

//test encrypt
mw 0x9000100 0x6C2D5A34
mw 0x9000104 0x58D05050
mw 0x9000108 0x31A40D78
mw 0x900010C 0x150E71F0
go 0x9000000
mdb 0x9000100 0x10
//test decrypt
mw 0x9000100 0xA6588418
mw 0x9000104 0xDF3450D1
mw 0x9000108 0x3BF286E3
mw 0x900010C 0x7437D461
go 0x9000000
mdb 0x9000100 0x10