I did some searches about the iPhone encryption; I will try to sum up
what I found/understood (I didn't check everything myself, so don't be rude
if I miss something :D).

First of all, the iPhone CPU seems to be an ARM, manufactured by Samsung
(I can't find the exact ARM ID number), and some hardware (like the MP3
part) is the same as the nano's.
http://iphone.fiveforty.net/wiki/index.php/IPhone_Hardware_Facts
http://www.eetimes.com/news/design/showArticle.jhtml?articleID=200001811

So there are no *big* hardware clues for the iPhone encryption system to be
different from the nano one.

Now let's take a look at how they decrypted the firmware:

The first thing they did was to mount the iPhone system files.
They proceeded the same way as we do with our nano:
- Download the .ipsw file from Apple servers.
- Unpack the .ipsw to get the system files.
(the .ipsw contains some .dmg files: system files in -38.dmg and
firmware in -39.dmg)
- Mount it in a *n*x OS.

http://iphone.fiveforty.net/wiki/index.php/Decrypt_Firmware

If you want to take a look at the iPhone file system (but hate rapidshare):
http://www.enseirb.fr/~brossill/in2g/ramdisk.tgz
http://www.enseirb.fr/~brossill/in2g/llr.txt

Then they ran strings (http://unixhelp.ed.ac.uk/CGI/man-cgi?strings)
on /usr/sbin/asr (a Mach-O binary).
What is asr? Nobody says, but when we take a look at the strings result:
http://www.enseirb.fr/~brossill/in2g/strings.asr.txt

we find:
http://www.enseirb.fr/~brossill/in2g/help.asr.txt

So asr seems to deal with partitions, disk images and probably iPhone
system restoration (some error messages warn about server connection and
related things).

But the most interesting thing is a 72-character-long string (by string I
mean ASCII):

$ strings asr
...
[EMAIL PROTECTED]
1K[A0Di
28c909fc6d322fa18940f03279d70880e59a4507998347c70d5b8ca7ef090ecccc15e82d
K[A0"
[EMAIL PROTECTED]@
...

The first time I heard about that string I was really skeptical, but
it's truly strange ;)
(For those who still don't have a cyber-brain: a 72-character group
in a binary MUST mean something)

Then they used a version of vfdecrypt (a Mac OS X tool for OS X disk
image encryption)
where the input method was changed (two private AES and SHA-1 HMAC
keys instead of a 3DES-EDE passphrase).
(HMAC? 3DES-EDE? Heeeeelp... ;))

http://landonf.bikemonkey.org/static/iphone/vfdecrypt-iphone.tar.gz

They simply used the 72-char string as a password, put the encrypted
firmware partition in, and... **SHAZAM**
a decrypted iPhone firmware pops out of the hat. ;)

Facts:
- The iPhone firmware is encrypted with a standard Mac OS X tool for
OS X disk image encryption.
- The key is located in a piece of software which seems to be used to
manage disk restoration.

I really think our nano 2g is encrypted with the same
tool/algorithms... But as you probably noticed, they didn't
get the key from the software which decrypts the iPhone firmware before
the OS launch, but from the restoration
software.

The question is: can we confirm that our encrypted firmwares are
encrypted with this method?

JD.

http://iphone.fiveforty.net/wiki/index.php/Main_Page
http://landonf.bikemonkey.org/code/iphone
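Added example, not from JD's post nor from the vfdecrypt-iphone project: a small Python check that does what the post describes with `strings` by hand, namely scanning a binary for long printable hex runs and, for a 72-character hit, splitting it into a 16-byte AES-128 key plus a 20-byte SHA-1 HMAC key (the 16+20 split is an assumption consistent with the "two private AES and SHA-1 HMAC keys" the post mentions). The sample blob and its hex value are constructed for the demo and are not the key quoted in the post; the same scan is a cheap release-time check for key material accidentally shipped inside your own binaries.

```python
import re
from typing import Dict, List, Tuple

# Constructed stand-in for a Mach-O binary such as /usr/sbin/asr.
# "cafebabe" * 9 is a made-up 72-hex-char run (36 bytes), NOT the real key.
SAMPLE_BINARY = (
    b"\x00\x01\xfe\xff"
    + b"usage: asr [options]\x00"          # ordinary help text, too short to match
    + b"\x7f\x12" + b"cafebabe" * 9 + b"\x00"  # 72 hex chars bounded by non-hex bytes
    + b"deadbeef\x00"                      # 8 hex chars: below the threshold
    + b"\x00" * 4
)

AES128_LEN = 16   # bytes; assumed first part of the 36-byte vfdecrypt key
HMAC_SHA1_LEN = 20  # bytes; assumed second part (SHA-1 output size)


def find_hex_runs(blob: bytes, min_hex_chars: int = 32) -> List[bytes]:
    """Like `strings`, but only runs of hex digits at least min_hex_chars long
    (32 hex chars = 128 bits, the smallest key size worth flagging)."""
    pattern = rb"[0-9a-fA-F]{%d,}" % min_hex_chars
    return [m.group(0) for m in re.finditer(pattern, blob)]


def split_vfdecrypt_key(hex_run: bytes) -> Tuple[bytes, bytes]:
    """Split a 72-hex-char run into (aes128_key, hmac_sha1_key)."""
    if len(hex_run) != 2 * (AES128_LEN + HMAC_SHA1_LEN):
        raise ValueError("expected 72 hex chars (16-byte AES + 20-byte HMAC-SHA1 key)")
    raw = bytes.fromhex(hex_run.decode("ascii"))
    return raw[:AES128_LEN], raw[AES128_LEN:]


def embedded_key_candidates(blob: bytes) -> List[Dict[str, object]]:
    """Classify every long hex run found in blob. Note the caveat: 40 and 64
    hex chars are also the sizes of SHA-1 and SHA-256 digests, so those hits
    need a human look before being called keys."""
    findings = []
    for run in find_hex_runs(blob):
        entry: Dict[str, object] = {"offset": blob.find(run), "hex_chars": len(run)}
        if len(run) == 72:
            entry["kind"] = "aes128+hmac-sha1"      # the layout the post describes
        elif len(run) in (40, 64):
            entry["kind"] = "key-or-digest (%d bits)" % (len(run) * 4)
        else:
            entry["kind"] = "possible key (%d bits)" % (len(run) * 4)
        findings.append(entry)
    return findings


if __name__ == "__main__":
    for f in embedded_key_candidates(SAMPLE_BINARY):
        print(f)
```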

_______________________________________________
Linux4nano-dev mailing list
Linux4nano-dev@gna.org
https://mail.gna.org/listinfo/linux4nano-dev
http://www.linux4nano.org