Re: [Linux4nano-dev] iPhone firmware encryption

2007-09-15 Thread mat h
OK, thanks. That explains a lot.

On 9/15/07, Biscuit Thomas <[EMAIL PROTECTED]> wrote:
>
> The FAT16 refers to the partition that stores the Nike data, thus words
> like calorie and mile, etc. It refers to the rsrc.img.



-- 
We explore... and you call us criminals.
We seek after knowledge... and you call us criminals.
We exist without skin color, without nationality, without religious bias...
and you call us criminals.
You build atomic bombs, you wage wars, you murder, cheat, and lie to us and
try to make us believe it's for our own good...
yet we're the criminals.

WAUSHARE ROX __
Join the dark side we've got cheese
Annoying people since 1992
If you hate me, I love you too. It ain't my fault I'm better than you
Save Water, Drink Beer
God Made Women First, Then He Had A Better Idea.
If Barbie is soo popular...how come you have to buy her friends?
Don't play stupid with me... I'm better at it!
You were so cute when you were a baby...What happened?
My folks were always asking me to wear underpants. What am I, the pope?
I'm calling the police!... Right after I flush some tings.
Join the army, see the world, meet interesting people, and kill them.
___
Linux4nano-dev mailing list
[email protected]
https://mail.gna.org/listinfo/linux4nano-dev
http://www.linux4nano.org

Re: [Linux4nano-dev] iPhone firmware encryption

2007-09-15 Thread Biscuit Thomas
The FAT16 refers to the partition that stores the Nike data, thus words like
calorie and mile, etc. It refers to the rsrc.img.

Re: [Linux4nano-dev] iPhone firmware encryption

2007-09-15 Thread JD
The new extract2g version is committed ;)

An auto-detection feature tries the 1G, 2G and 3G locations
(0x4200, 0x4800 and 0x5000) and if this fails extract2g simply searches
for the 'NAND' or 'ATA!' words.

JD.

On 15/09/2007, JD <[EMAIL PROTECTED]> wrote:
> On 15/09/2007, Emmanuel Fleury <[EMAIL PROTECTED]> wrote:
> > PS: JD, it could be nice to add an auto-detect scheme in the extract2g
> > tool to extract 1G, 2G (and, why not, 3G) firmwares. :-P
>
> I'm on it ;)
>
> JD.

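As an added example, and not JD's extract2g code (which is not on this page), the detection order he describes in Python: probe the three fixed per-generation offsets for one of the two magic words, and fall back to a linear scan only if all three miss. The offsets and magic words are the ones from the message; the function names and the sample dump built by `build_sample` are constructed for this example.

```python
import sys

# Per-generation locations of the part header, as given in the message above.
KNOWN_OFFSETS = {"1g": 0x4200, "2g": 0x4800, "3g": 0x5000}
# The two magic words extract2g falls back to searching for.
MAGICS = (b"NAND", b"ATA!")


def probe_known_offsets(data):
    """Stage 1: does one of the fixed per-generation offsets hold a magic word?

    Returns (generation, offset) or (None, None). Slicing past the end of a
    short dump yields b"" and simply fails the comparison, so a truncated
    file cannot make this read out of bounds.
    """
    for gen, off in KNOWN_OFFSETS.items():
        if data[off:off + 4] in MAGICS:
            return gen, off
    return None, None


def scan_for_magic(data):
    """Stage 2: every occurrence of either magic word, sorted by offset.

    Four ASCII bytes can occur inside unrelated content (strings, XML,
    ciphertext), so all hits are returned rather than the first one and the
    caller must validate whatever structure follows each candidate.
    """
    hits = []
    for magic in MAGICS:
        pos = data.find(magic)
        while pos != -1:
            hits.append((pos, magic.decode("ascii")))
            pos = data.find(magic, pos + 1)
    return sorted(hits)


def detect_parts(data):
    """Fixed offsets first, scan only when all of them miss."""
    gen, off = probe_known_offsets(data)
    if off is not None:
        return {"method": "known-offset", "generation": gen, "candidates": [off]}
    hits = scan_for_magic(data)
    return {"method": "scan" if hits else "none", "generation": None,
            "candidates": [off for off, _ in hits]}


def build_sample(magic_offset, magic=b"NAND", size=0x8000):
    """Constructed dump for testing (not a real firmware): zeros with a single
    magic word written at magic_offset."""
    buf = bytearray(size)
    buf[magic_offset:magic_offset + 4] = magic
    return bytes(buf)


if __name__ == "__main__":
    # Usage: python detect_parts.py <decompressed-firmware-dump>
    with open(sys.argv[1], "rb") as f:
        result = detect_parts(f.read())
    print(result["method"], result["generation"],
          ["0x%X" % off for off in result["candidates"]])
```

The scan stage is the weak point: on a firmware that is mostly ciphertext, a four-byte pattern will eventually appear by chance, which is why the scan returns every hit and reports that it fell back, so a caller knows the result needs checking against the structure that should follow the magic word.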


Re: [Linux4nano-dev] iPhone firmware encryption

2007-09-15 Thread mat h
FAT16 header: 5E00 after all the 0's
jump instruction (3 bytes):
0xEB - something in asm
0x3C - something in asm
0x90 - asm nop

OEM name (8 bytes):
MTOOL399 - reference to MTOOLS version 3.99

bytes per sector - 0x02,0x03 I think
I'm not sure if there's any padding, but I think the FAT16 partition starts at
5E00

5E10 - total number of file allocation tables
In order for the FAT table to be valid this should be 0x2; in the iPod
firmware this = 2

Therefore I say this is the FAT16 header and the image is made with mtools.
This should be very useful; maybe they used some internal feature of
mtools to encrypt the firmware? Or maybe it's only obfuscated. I don't have
time to look into this atm but will post back soon.



Re: [Linux4nano-dev] iPhone firmware encryption

2007-09-15 Thread JD
On 15/09/2007, Emmanuel Fleury <[EMAIL PROTECTED]> wrote:
> One very last bit of information, the latest iPod Nano 2G firmware
> (26.1.0.1) seems to be different from the others:
> [...]
> PS: JD, it could be nice to add an auto-detect scheme in the extract2g
> tool to extract 1G, 2G (and, why not, 3G) firmwares. :-P

I'm on it ;)

JD.



Re: [Linux4nano-dev] iPhone firmware encryption

2007-09-15 Thread mat h
Before I continue I think I found the program used to make the disk image
and the FAT16 header:
FAT16 header: 5E00 after all the 0's
jump instruction (3 bytes):
0xEB - something in asm
0x3C - something in asm
0x90 - asm nop
bytes per sector - 0x02,0x03 I think
I'm not sure if there's any padding, but I think the FAT16 partition starts at
5E00

5E10 - total number of file allocation tables, has to be 2 and it is 2

OEM name (8 bytes):
MTOOL399 - reference to MTOOLS version 3.99

YAY, I think this is the header!

I g2g but here's the rest of my message
enjoy :)

1B844 - start 0's

1BFFE - end 0s, nike xml

1D0AA - start 0's

1D7FE - end 0's, nike xml

1E856 - start 0's

... skipped, just intervals of Nike shit with varying amounts of 0's between...

3D6A9 - last byte of xml

3D7FF - strings of data:
adjust~4xml
tCals.xml (with varying bytes separating)
CALIBW~1XML
lots more bit-separated strings
(filenames)

lots more of these segments of data.
From this I can presume that in these segments are file names; ~n
(n = number < 10) is a . for an extension.
One thing that comes to mind is the DOS (FAT16?) naming convention that filenames
longer than (8?) characters are truncated with ~1 or ~2 etc.

after these segments is the "encrypted data"

Notes
strings
]ih[ - ]hi[ backwards
nansoso - anme character?


Re: [Linux4nano-dev] iPhone firmware encryption

2007-09-15 Thread Emmanuel Fleury
mat h wrote:
> heres a preview of my thourough disection of the ipod firmware
> 
> ive been studying ipod firmware 19.8.1.3 using xvi32 these are my notes

Hmm, consider looking at the pictures stored at
http://www.labri.fr/~fleury/download/ipodnano/ (svg and png). They are
more or less summing up what we already know about the firmware.

Regards
-- 
Emmanuel Fleury

Please provide the date of your death.
  -- from an IRS letter



Re: [Linux4nano-dev] iPhone firmware encryption

2007-09-15 Thread Emmanuel Fleury
Emmanuel Fleury wrote:
> Get it at:
> http://www.labri.fr/~fleury/download/ipodnano/firmwares-nano.tar.bz2

One very last bit of information, the latest iPod Nano 2G firmware
(26.1.0.1) seems to be different from the others:

***

26.1.0.1.ipsw
Archive:  ../archives/iPod_26.1.0.1.ipsw
  inflating: Firmware-26.9.0.1
  inflating: manifest.plist
../extract2g/extract2g compiled at 09:31:02 Sep 15 2007.

Cannot find at least one valid part in the dump.

***

I don't have time to look at it now (I have to prepare courses for next
week). So, if somebody has some spare time, feel free to try (and, yes,
it's still a zip format ;)).

PS: JD, it could be nice to add an auto-detect scheme in the extract2g
tool to extract 1G, 2G (and, why not, 3G) firmwares. :-P

Regards
-- 
Emmanuel Fleury

And in the end, reality always tends to hit theory hard in the
face when you least expect it.
  -- Linus Torvalds



Re: [Linux4nano-dev] iPhone firmware encryption

2007-09-15 Thread mat h
Here's a preview of my thorough dissection of the iPod firmware

I've been studying iPod firmware 19.8.1.3 using XVI32; these are my notes

0x0A seems to be a very common end-of-data bit, possible EOF?

line 5e10 - IPODRESOURCEFAT16
FAT16? That could come in useful; FAT16 partitions have a standard header.
Could be used to verify a successful decryption

line 61ed - character sets
Characters are printed in hex:
00 01 02 01 03 -> FF

line 63F1 - character set again
00 02 01 02 -> FF
after FF there is another FF. Is it like null termination?

... lots more character sets with different separating numbers.

line E012 - iPod resources
each letter separated by 0x00

... 0x00s

line 127F6 - data starts again with multiple references to
miles xml (http://www.miles8.com/xna/)?
calorie (always separated by other bits)
calorie.x (always separated by other bits) xml?
I'm thinking maybe a bit-swapping algorithm (moving places)

line 12FDB - start of xml data
category="calorie"
Appears to be the language data for things like menu names, etc.
vp... items, control handlers? Could be useful in a buffer overflow.

140A6 - start of zeros

147FF - end of zeros
xml data relating to the multilingual Nike running thingy.
again more vptriggers, possible buffer overflows.

15801 - start 0's

15FF - end 0's
more xml data, same kinda thing as above.

1707E - start 0's

177FF - end 0's, more xml data relating to the Nike running thing

188AA - start 0's

18FFF - end 0's
I think each one of these Nike xml files is a different page on the iPod.

1A054 - start 0's

1A7FF - end 0's
more xml data for Nike (YAWN, I'm sick of bloody Nike)

to be continued in next message


Re: [Linux4nano-dev] iPhone firmware encryption

2007-09-15 Thread Emmanuel Fleury
Emmanuel Fleury wrote:
> 
> PS: I'm still fighting against this WebDAV crap !!!

Finally done... I went back to the bzip2 format... don't ask me why but
it worked (I guess it has something to do with the file checksum,
changing the name is not enough):

Get it at:
http://www.labri.fr/~fleury/download/ipodnano/firmwares-nano.tar.bz2

This archive is complete and has a proper script that must work properly.

Sorry for this long long series of "Yes, it's uploaded", "No, it's not",
"Yes, it is", "No, it's not", ... :)

Regards
-- 
Emmanuel Fleury

I worry about my child and the Internet all the time, even though
she's too young to have logged on yet. Here's what I worry about.
I worry that 10 or 15 years from now, she will come to me and say
'Daddy, where were you when they took freedom of the press away
 from the Internet?'.
  -- Mike Godwin



Re: [Linux4nano-dev] iPhone firmware encryption

2007-09-15 Thread Emmanuel Fleury
mat h wrote:
> it worked for me, i got most of them and only a read error.

Good ! But the script had a small error, the firmware directory should
be 'archives' and not 'backup' -->

FMWDIR=archives

Then it should work properly.

PS: I'm still fighting against this WebDAV crap !!!

Regards
-- 
Emmanuel Fleury

Help me out, and I won't ever call "netfilter" a heap of stinking dung
again. Do we have a deal?
  -- Linus Torvalds



Re: [Linux4nano-dev] iPhone firmware encryption

2007-09-15 Thread mat h
It worked for me, I got most of them and only a read error.

On 9/15/07, Emmanuel Fleury <[EMAIL PROTECTED]> wrote:
>
> Gr,
>
> I really have trouble with the upload... I send a mail when the archive
> will be ok...
>
> Stay tuned.
>
> Regards
> --
> Emmanuel Fleury

Re: [Linux4nano-dev] iPhone firmware encryption

2007-09-15 Thread Emmanuel Fleury
Gr,

I really have trouble with the upload... I'll send a mail when the archive
is OK...

Stay tuned.

Regards
-- 
Emmanuel Fleury

Education is an admirable thing,
but nothing that is worth knowing can be taught.
  -- Oscar Wilde



Re: [Linux4nano-dev] iPhone firmware encryption

2007-09-15 Thread Emmanuel Fleury
mat h wrote:
> Damn I'm an idiot, I thought I had found something new:
> lol I'll send it anyway in case it's useful
> 
> I've been looking at the .ipsw files wondering what the PK as the first 2
> bytes were
> I think I know what the files are compressed and encrypted with!
> Did anyone notice that the first 2 characters in the file were PK? I remember
> playing with PKZIP when I was only 8 years old. It's a PKZip file!

Wow, soon you will discover the wheel, then. :)

Regards
-- 
Emmanuel Fleury

You must unlearn what you have learned.
  -- Yoda, Star Wars (George Lucas)



Re: [Linux4nano-dev] iPhone firmware encryption

2007-09-15 Thread Emmanuel Fleury
Emmanuel Fleury wrote:
> mat h wrote:
>> The link to the firmwares is broken. Damn.
> 
> I did remove it for a short while. It should be back on-line at:
> http://www.labri.fr/~fleury/download/ipodnano/firmwares-nano.tar.bz2
> 
> I did a small script (extract-all.sh) that should help for the
> extraction of all the different parts of the firmwares.

Hmmm, for some unknown reason, I had to upload a gzip version of the
archive on the server because the bzip2 was stalling each time. So the
URL is in fact:
http://www.labri.fr/~fleury/download/ipodnano/firmwares-nano.tar.gz

Because it might be worth noticing, the archive (218MB) has the
following list of firmwares:

iPod Nano 1G:
-
iPod_14.1.3.1.ipsw
iPod_17.1.3.1.ipsw

iPod Nano 2G:
-
iPod_19.1.1.0.ipsw
iPod_19.1.1.1.black_8GB.ipsw
iPod_19.1.1.1.ipsw
iPod_19.1.1.2.ipsw
iPod_19.1.1.3.ipsw
iPod_26.1.0.1.ipsw

iPod Nano 3G:
-
iPod_29.1.1.3.ipsw


Just in case somebody has time to play with a 3G firmware to see what
changed in it.

Regards
-- 
Emmanuel Fleury

The difference between us and a computer is that,
the computer is blindingly stupid, but it is capable
of being stupid many, many million times a second.
  -- Douglas Adams



Re: [Linux4nano-dev] iPhone firmware encryption

2007-09-15 Thread mat h
Damn I'm an idiot, I thought I had found something new:
lol I'll send it anyway in case it's useful

I've been looking at the .ipsw files wondering what the PK as the first 2
bytes were
I think I know what the files are compressed and encrypted with!
Did anyone notice that the first 2 characters in the file were PK? I remember
playing with PKZIP when I was only 8 years old. It's a PKZip file!

the first 10 bytes match the PK zip header:
50 4B 03 04 14 00 00 00 08 00

full header:
        00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F   ASCII
        -----------------------------------------------   ----------------
00000:  50 4B 03 04 14 00 00 00 08 00 00 00 00 00 19 A1   PK..............
00010:  EB 0D C2 45 00 00 50 69 00 00 07 00 00 00 31 21   ...E..Pi......1!
00020:  4D 53 48 4F 57 E4 BC 7B 5C 53 47 DA 38 3E 67 CE   MSHOW..{\SG.8>g.
http://members.tripod.com/~petlibrary/ZIP.HTM


enjoy :)


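As an added example (not mat h's, and not the tool at the link he gives): a decoder for the ZIP local file header using the 30-byte field layout from the PKWARE application note, run first over the 48 bytes transcribed from the dump above and then over a small archive built in memory with Python's zipfile module so the decoded fields can be cross-checked against zipfile's own view of the same bytes. In the dump the general-purpose flags word is 0, so bit 0 (traditional PKWARE encryption) is clear: whatever encryption the firmware carries sits inside the entry, not in the ZIP layer, and the entry is plain deflate with the sizes and CRC present in the header. The in-memory archive and its manifest.plist payload are constructed for this example.

```python
import io
import struct
import zipfile

# Local file header: sig(4) version(H) flags(H) method(H) mtime(H) mdate(H)
# crc32(I) csize(I) usize(I) name_len(H) extra_len(H) = 30 bytes, little-endian.
LOCAL_HDR = struct.Struct("<4sHHHHHIIIHH")
LOCAL_SIG = b"PK\x03\x04"
METHODS = {0: "stored", 8: "deflate", 9: "deflate64", 12: "bzip2", 14: "lzma"}

# The 48 bytes transcribed from the hex dump in the message above.
DUMP = bytes.fromhex(
    "504B030414000000080000000000" "19A1EB0DC245000050690000" "07000000"
    "3121" "4D53484F57" "E4BC7B5C5347DA383E67CE")


def parse_local_header(buf, offset=0):
    """Decode the local file header at `offset`, bounds-checking every length
    the header itself supplies before anything is read through it."""
    if len(buf) < offset + LOCAL_HDR.size:
        raise ValueError("truncated local file header at 0x%X" % offset)
    (sig, version, flags, method, mtime, mdate, crc, csize, usize,
     name_len, extra_len) = LOCAL_HDR.unpack_from(buf, offset)
    if sig != LOCAL_SIG:
        raise ValueError("no PK\\x03\\x04 signature at 0x%X" % offset)
    name_start = offset + LOCAL_HDR.size
    data_start = name_start + name_len + extra_len
    if data_start > len(buf):
        raise ValueError("file name/extra field run past the end of the buffer")
    return {
        "version_needed": "%d.%d" % (version // 10, version % 10),
        "flags": flags,
        "encrypted": bool(flags & 0x0001),            # traditional PKWARE encryption
        "has_data_descriptor": bool(flags & 0x0008),  # sizes/CRC follow the data
        "method": METHODS.get(method, "unknown(%d)" % method),
        "dos_time": (mdate, mtime),
        "crc32": crc,
        "compressed_size": csize,
        "uncompressed_size": usize,
        "name": buf[name_start:name_start + name_len].decode("cp437"),
        "data_offset": data_start,
        # How much of the declared compressed stream the buffer actually holds.
        "data_available": min(csize, len(buf) - data_start),
    }


def build_constructed_zip(payload=b"<plist/>" * 64):
    """A tiny archive built in memory (constructed test data, not a firmware)."""
    bio = io.BytesIO()
    with zipfile.ZipFile(bio, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("manifest.plist", payload)
    return bio.getvalue()


def check_against_zipfile(archive):
    """True if our decode of the first local header agrees with the central
    directory as zipfile reads it; the local header is not authoritative."""
    hdr = parse_local_header(archive)
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        info = zf.infolist()[0]
    return (hdr["name"] == info.filename and hdr["crc32"] == info.CRC
            and hdr["compressed_size"] == info.compress_size
            and hdr["uncompressed_size"] == info.file_size)


if __name__ == "__main__":
    for key, value in parse_local_header(DUMP).items():
        print("%-20s %s" % (key, hex(value) if key == "crc32" else value))
    print("constructed archive consistent:", check_against_zipfile(build_constructed_zip()))
```

For real work on a whole .ipsw, zipfile does the extraction; the point of decoding the local header by hand is to see which fields are present and trustworthy. When bit 3 of the flags is set, the CRC and sizes in the local header are zero and the real values follow the data, and in every case the central directory at the end of the file is what an unzipper believes, so a tool that walks local headers must cross-check them the way `check_against_zipfile` does.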

Re: [Linux4nano-dev] iPhone firmware encryption

2007-09-14 Thread Emmanuel Fleury
mat h wrote:
> The link to the firmwares is broken. Damn.

I did remove it for a short while. It should be back on-line at:
http://www.labri.fr/~fleury/download/ipodnano/firmwares-nano.tar.bz2

I did a small script (extract-all.sh) that should help for the
extraction of all the different parts of the firmwares.

Regards
-- 
Emmanuel Fleury

There are only 10 types of people in the world.
Those who understand binary and those who don't
  -- Unknown



Re: [Linux4nano-dev] iPhone firmware encryption

2007-09-14 Thread mat h
The link to the firmwares is broken. Damn.

On 9/14/07, mat h <[EMAIL PROTECTED]> wrote:
>
> Good work, I'm going to look into the encryption today and see what I find.
>
> On 9/14/07, JD <[EMAIL PROTECTED] > wrote:
> >
> > Previously in 24:
> > Jack Bauer is on the track of iPhone encryption and discovers that a
> > bunch of terrorists have already cracked Apple algorithms using an undercover
> > agent located in an inoffensive recovery tool.
> > While Jack shoots some kneecaps CTU still doesn't know exactly which
> > encryption algorithms Apple uses in their iPhones...
> > Will Nadia finally approve an interrogation technique that might
> > prove fatal to iPods?
> >
> > Day 2 : 8:00 PM - 9:00 PM
> >
> > (And back to serious things :D)
> >
> > I continue to look for information about iPhone encryption (and try
> > to link it with nanos):
> >
> > The iPhone firmware located in the .dmg file is encrypted using
> > FileVault (http://www.apple.com/fr/macosx/features/filevault/ ) an
> > Apple branded encryption system for HFS+ partitions
> > (http://developer.apple.com/technotes/tn/tn1150.html#VolumeHeader).
> >
> > I'm unable to find any clear specification about .dmg files but, in our
> > case:
> > - A clear .dmg seems to enclose an HFS+ partition (the .dmg starts with a
> > header and, after some zero padding bytes, we've got an HFS+ header).
> > - An encrypted .dmg starts with a different header and the payload data seems
> > to be encrypted.
> >
> > So, the iPhone firmware is encrypted with the FileVault technology.
> > And the encrypted data is enclosed in the .dmg file (which also contains
> > some cryptographic information).
> >
> > Ralf-Philipp Weinmann, Jacob Appelbaum, and Christian Fromme did some
> > FileVault reverse engineering a while ago (before the iPhone, I mean):
> > http://crypto.nsa.org/vilefault/
> > http://crypto.nsa.org/vilefault/23C3-VileFault.pdf
> >
> > They wrote vfdecrypt as a part of their work. A modified version of
> > this tool was used by iPhone hackers to decrypt the .dmg firmware.
> >
> > They only changed a few things (recovering more data from headers, key
> > format, ...) because the firmware .dmg (seems to) use FileVault
> > headers.
> >
> > The header is:
> > typedef struct {
> >   unsigned char sig[8];
> >   uint32_t version;
> >   uint32_t enc_iv_size;
> >   uint32_t unk1;
> >   uint32_t unk2;
> >   uint32_t unk3;
> >   uint32_t unk4;
> >   uint32_t unk5;
> >   unsigned char uuid[16];
> >   uint32_t blocksize;
> >   uint64_t datasize;
> >   uint64_t dataoffset;
> >   uint8_t filler1[0x260];
> >   uint32_t kdf_algorithm;
> >   uint32_t kdf_prng_algorithm;
> >   uint32_t kdf_iteration_count;
> >   uint32_t kdf_salt_len; /* in bytes */
> >   uint8_t  kdf_salt[32];
> >   uint32_t blob_enc_iv_size;
> >   uint8_t  blob_enc_iv[32];
> >   uint32_t blob_enc_key_bits;
> >   uint32_t blob_enc_algorithm;
> >   uint32_t blob_enc_padding;
> >   uint32_t blob_enc_mode;
> >   uint32_t encrypted_keyblob_size;
> >   uint8_t  encrypted_keyblob[0x30];
> > } cencrypted_v2_pwheader;
> >
> > Header is 832 bytes long (including unknown fields).
> >
> > Our Nano headers doesn't look like to be the same as the FileVault
> > one's.
> > That doesn't mean nano 2g aren't encrypted with FileVault algorithms
> > because
> > FileVault exist before nano2g come to stores and I really think Apple
> > doesn't have time to build from scratch a strong encryption system
> > when they got a working one (Or Apple hire a bunch of trainees in
> > their crypto labs in summer 2k6 :) ).
> >
> > Summary:
> > - iPhone firmware use FileVault encryption.
> > - iPod Nano 2g firmware doesn't seems to use exactly the same
> > FileVault system...
> > - ... but nano 2g probably use similar algorithms.
> >
> > And, last minute thoughts, maybe nano2g use OLD versions of FileVault
> > (maybe the release version of FV when nano2g was developped).
> >
> > Enjoy,
> > JD.
> >
> > ___
> > Linux4nano-dev mailing list
> > [email protected]
> > https://mail.gna.org/listinfo/linux4nano-dev
> > http://www.linux4nano.org
> >
>
>
>
> --
> We explore... and you call us criminals.
> We seek after knowledge... and you call us criminals.
> We exist without skin color, without nationality, without religious
> bias... and you call us criminals.
> You build atomic bombs, you wage wars, you murder, cheat, and lie to us
> and try to make us believe it's for our own good...
> yet we're the criminals.
>
> WAUSHARE ROX __
> Join the dark side we've got cheese
> Annoying people since 1992
> If you hate me, I love you too. It ain't my fault I'm better than you
> Save Water, Drink Beer
> God Made Women First, Then He Had A Better Idea.
> If Barbie is soo popular...how come you have to buy her friends?
> Don't play stupid with me... I'm better at it!
> You were so cute when you were a baby...What happened?
> My folks were always asking me to wear underpants. What am I, the pope?
> I'm calling the police!

Re: [Linux4nano-dev] iPhone firmware encryption

2007-09-14 Thread mat h
Good work, I'm going to look into the encryption today and see what I find.


Re: [Linux4nano-dev] iPhone firmware encryption

2007-09-14 Thread JD
Previously on 24:
Jack Bauer is on the trail of iPhone encryption and discovers that a
bunch of terrorists have already cracked Apple's algorithms using an
undercover agent hidden in an inoffensive recovery tool.
While Jack shoots some kneecaps, CTU still doesn't know exactly which
encryption algorithms Apple uses in its iPhones...
Will Nadia finally approve an interrogation technique that might
prove fatal to iPods?

Day 2 : 8:00 PM - 9:00 PM

(And back to serious things :D)

I continue to look for information about iPhone encryption (and try
to link it with the nanos):

The iPhone firmware located in the .dmg file is encrypted using
FileVault (http://www.apple.com/fr/macosx/features/filevault/), an
Apple-branded encryption system for HFS+ partitions
(http://developer.apple.com/technotes/tn/tn1150.html#VolumeHeader).

I'm unable to find any clear specification of .dmg files but, in our case:
- A clear .dmg seems to enclose an HFS+ partition (the .dmg starts with a
header and some zero padding bytes, after which we get an HFS+ header).
- An encrypted .dmg starts with a different header and the payload data
seems to be encrypted.

So the iPhone firmware is encrypted with the FileVault technology,
and the encrypted data is enclosed in the .dmg file (which also contains
some cryptographic information).

Ralf-Philipp Weinmann, Jacob Appelbaum, and Christian Fromme did a
FileVault reverse engineering a while ago (before the iPhone, I mean):
http://crypto.nsa.org/vilefault/
http://crypto.nsa.org/vilefault/23C3-VileFault.pdf

They wrote vfdecrypt as part of their work. A modified version of
this tool was used by iPhone hackers to decrypt the .dmg firmware.

They only changed a few things (recovering more data from the headers, key
format, ...) because the firmware .dmg (seems to) use FileVault
headers.

The header is:

#include <stdint.h>

typedef struct {
  unsigned char sig[8];            /* image signature */
  uint32_t version;
  uint32_t enc_iv_size;
  uint32_t unk1;
  uint32_t unk2;
  uint32_t unk3;
  uint32_t unk4;
  uint32_t unk5;
  unsigned char uuid[16];
  uint32_t blocksize;              /* size of one encrypted block */
  uint64_t datasize;               /* size of the encrypted payload */
  uint64_t dataoffset;             /* where the payload starts in the file */
  uint8_t filler1[0x260];
  uint32_t kdf_algorithm;          /* key derivation parameters for the */
  uint32_t kdf_prng_algorithm;     /* passphrase-wrapped key blob below */
  uint32_t kdf_iteration_count;
  uint32_t kdf_salt_len; /* in bytes */
  uint8_t  kdf_salt[32];
  uint32_t blob_enc_iv_size;
  uint8_t  blob_enc_iv[32];
  uint32_t blob_enc_key_bits;
  uint32_t blob_enc_algorithm;
  uint32_t blob_enc_padding;
  uint32_t blob_enc_mode;
  uint32_t encrypted_keyblob_size;
  uint8_t  encrypted_keyblob[0x30]; /* key blob, encrypted under the KDF output */
} cencrypted_v2_pwheader;

Header is 832 bytes long (including unknown fields).

Our Nano headers don't look the same as the FileVault ones.
That doesn't mean the nano 2g isn't encrypted with FileVault algorithms, because
FileVault existed before the nano 2g came to stores and I really think Apple
doesn't have time to build a strong encryption system from scratch
when they've got a working one (or Apple hired a bunch of trainees in
their crypto labs in summer 2k6 :) ).

Summary:
- iPhone firmware uses FileVault encryption.
- iPod Nano 2g firmware doesn't seem to use exactly the same
FileVault system...
- ... but the nano 2g probably uses similar algorithms.

And, a last-minute thought: maybe the nano 2g uses an OLD version of FileVault
(maybe the release version of FV when the nano 2g was developed).

Enjoy,
JD.
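
To make the header layout above concrete, here is an added example, written for this page and not code from JD's post, from vfdecrypt or from the linux4nano project: it unpacks the 832-byte cencrypted_v2_pwheader, sanity-checks the size fields a decryptor would otherwise trust blindly, and tells an encrypted image apart from a clear one by the HFS+ volume header JD describes. Three things in it are assumptions not stated in the post: the fields are big-endian (the byte order vfdecrypt swaps from), the version-2 signature is the 8 bytes "encrcdsa" (taken from vfdecrypt), and the HFS+ volume header is recognised by its "H+" signature followed by version 4 (from TN1150). The sample header is constructed inside the block, not taken from any firmware.

```python
import struct
from collections import namedtuple

# cencrypted_v2_pwheader from the post, serialized big-endian (assumption: the
# byte order vfdecrypt swaps from with ntohl/ntohll). 832 bytes; no C padding
# because the two uint64_t fields already sit on 8-byte boundaries.
HEADER_FMT = ">8sII5I16sIQQ608sIIII32sI32sIIIII48s"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 832, matching the post

# Signature vfdecrypt checks for a version-2 encrypted image (assumption: the
# post only says the encrypted image has a "different header").
V2_SIG = b"encrcdsa"

# HFS+ volume header (TN1150): signature "H+" then version 4. A clear .dmg has
# its own header and zero padding first, so the volume header is searched for.
HFSPLUS_SIG_V4 = b"H+\x00\x04"

Header = namedtuple("Header", [
    "sig", "version", "enc_iv_size", "unk1", "unk2", "unk3", "unk4", "unk5",
    "uuid", "blocksize", "datasize", "dataoffset", "filler1",
    "kdf_algorithm", "kdf_prng_algorithm", "kdf_iteration_count",
    "kdf_salt_len", "kdf_salt", "blob_enc_iv_size", "blob_enc_iv",
    "blob_enc_key_bits", "blob_enc_algorithm", "blob_enc_padding",
    "blob_enc_mode", "encrypted_keyblob_size", "encrypted_keyblob",
])


def parse_header(data):
    """Unpack the first 832 bytes of an encrypted .dmg into a Header."""
    if len(data) < HEADER_LEN:
        raise ValueError("short header: need %d bytes, got %d" % (HEADER_LEN, len(data)))
    return Header._make(struct.unpack(HEADER_FMT, data[:HEADER_LEN]))


def sanity_check(hdr, file_len):
    """Return the list of problems found; empty means the header is plausible.

    Every value here comes from an untrusted file. A decryptor that trusts
    dataoffset/datasize reads past a truncated image, and the three length
    fields bound copies into fixed 32- and 48-byte arrays."""
    problems = []
    if hdr.sig != V2_SIG:
        problems.append("bad signature %r" % hdr.sig)
    if hdr.version != 2:
        problems.append("unexpected version %d" % hdr.version)
    if hdr.blocksize == 0 or hdr.blocksize & (hdr.blocksize - 1):
        problems.append("blocksize %d is not a power of two" % hdr.blocksize)
    if hdr.dataoffset < HEADER_LEN or hdr.dataoffset + hdr.datasize > file_len:
        problems.append("payload [%d, %d) does not fit in %d bytes"
                        % (hdr.dataoffset, hdr.dataoffset + hdr.datasize, file_len))
    if hdr.kdf_salt_len > len(hdr.kdf_salt):
        problems.append("kdf_salt_len %d exceeds the 32-byte salt field" % hdr.kdf_salt_len)
    if hdr.blob_enc_iv_size > len(hdr.blob_enc_iv):
        problems.append("blob_enc_iv_size %d exceeds the 32-byte IV field" % hdr.blob_enc_iv_size)
    if hdr.encrypted_keyblob_size > len(hdr.encrypted_keyblob):
        problems.append("encrypted_keyblob_size %d exceeds the 48-byte keyblob field"
                        % hdr.encrypted_keyblob_size)
    return problems


def classify_image(data):
    """'encrypted' (v2 header), 'hfsplus' (clear image) or 'unknown'."""
    if data[:8] == V2_SIG:
        return "encrypted"
    if data.find(HFSPLUS_SIG_V4) >= 0:
        return "hfsplus"
    return "unknown"


def build_sample_header():
    """Constructed test vector, not from any firmware. The opaque algorithm
    identifiers are left at 0; the post does not say what they mean."""
    return struct.pack(
        HEADER_FMT,
        V2_SIG, 2, 16, 0, 0, 0, 0, 0,
        bytes(range(16)),                 # uuid
        4096, 8192, HEADER_LEN,           # blocksize, datasize, payload right after header
        bytes(0x260),                     # filler1
        0, 0, 1000, 20,                   # kdf_algorithm, kdf_prng_algorithm, iterations, salt_len
        b"\x55" * 20 + bytes(12),         # kdf_salt, 20 of 32 bytes used
        8, b"\xaa" * 8 + bytes(24),       # blob_enc_iv_size, blob_enc_iv
        128, 0, 0, 0, 48,                 # key bits, algorithm, padding, mode, keyblob size
        b"\xcc" * 48,                     # encrypted_keyblob
    )


SAMPLE_IMAGE = build_sample_header() + bytes(8192)   # header plus an 8 KiB dummy payload
```

On a real image, read the first 832 bytes, call parse_header, then sanity_check with the file size before handing the offsets to anything that decrypts; the size checks are where a truncated or hand-edited image would otherwise turn into an out-of-bounds read in a C decryptor.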



Re: [Linux4nano-dev] iPhone firmware encryption

2007-09-14 Thread mat h
OK, if you're right then in vfdecrypt.c we need to edit these 2 lines with the
iPod nano 2g key and it should work. Can anyone find these keys in a copy of
the firmware (which I don't have)?
convert_hex("28c909fc6d322fa18940f03279d70880", aes_key, 16);
convert_hex("e59a4507998347c70d5b8ca7ef090e15e82d", hmacsha1_key, 20);

Hope this is helpful,
mat :)


Re: [Linux4nano-dev] iPhone firmware encryption

2007-09-11 Thread Emmanuel Fleury
Hi,

Nice! We should dig into this.

The key might differ but maybe some other hints can tell us if the
encryption scheme is the same (then we can try to get the key).

Regards
-- 
Emmanuel Fleury

In God We Trust - All others must pay cash.
  -- Unknown



Re: [Linux4nano-dev] iPhone firmware encryption

2007-09-11 Thread Manuel Naranjo
mat h wrote:
> good work JD!

Good work JD, I hope this can help us :D.



Re: [Linux4nano-dev] iPhone firmware encryption

2007-09-11 Thread mat h
Good work JD!


[Linux4nano-dev] iPhone firmware encryption

2007-09-11 Thread JD
I did some searches about the iPhone encryption; I will try to sum up
what I found/understand (I didn't check everything myself, so don't be rude
if I miss something :D).

First of all, the iPhone CPU seems to be an ARM, manufactured by Samsung
(I can't find the exact ARM ID number),
and some hardware (like the mp3 part) is the same as the nano's.
http://iphone.fiveforty.net/wiki/index.php/IPhone_Hardware_Facts
http://www.eetimes.com/news/design/showArticle.jhtml?articleID=21811

So there are no *big* hardware clues that the iPhone encryption system is
different from the nano one.

Now let's take a look at how they decrypted the firmware:

The first thing they did was to mount the iPhone system files.
They proceed the same way as we do with our nano:
- Download the .ipsw file from Apple's servers.
- Unpack the .ipsw to get the system files
(the .ipsw contains some .dmg files: system files in -38.dmg and
firmware in -39.dmg).
- Mount it in a *n*x OS.

http://iphone.fiveforty.net/wiki/index.php/Decrypt_Firmware

If you want to take a look at the iPhone file system (but hate rapidshare):
http://www.enseirb.fr/~brossill/in2g/ramdisk.tgz
http://www.enseirb.fr/~brossill/in2g/llr.txt

Then they ran strings (http://unixhelp.ed.ac.uk/CGI/man-cgi?strings)
on /usr/sbin/asr (a Mach-O binary).
What is asr? Nobody says, but when we take a look at the strings result:
http://www.enseirb.fr/~brossill/in2g/strings.asr.txt

we find:
http://www.enseirb.fr/~brossill/in2g/help.asr.txt

So asr seems to deal with partitions, disk images and probably iPhone
system restoration
(some error messages warn about server connections and related things).

But the most interesting one is a 72-character-long string (by string I
mean ASCII):

$ strings asr
...
[EMAIL PROTECTED]
1K[A0Di
28c909fc6d322fa18940f03279d70880e59a4507998347c70d5b8ca7ef090e15e82d
K[A0"
[EMAIL PROTECTED]@
...

The first time I heard about that string I was really skeptical, but
it's truly strange ;)
(For those who still don't have a cyber-brain: a 72-character group
in a binary MUST mean something.)

Then they used a version of vfdecrypt (a Mac OS X tool for OS X disk
image encryption)
where the input method was changed (two private AES and SHA-1 HMAC
keys instead of a 3DES-EDE passphrase).
(HMAC? 3DES-EDE? Help... ;))

http://landonf.bikemonkey.org/static/iphone/vfdecrypt-iphone.tar.gz

They simply use the 72-char string as a password, put the encrypted
firmware partition in, and... **SHAZAM**,
a decrypted iPhone firmware pops out of the hat. ;)

Facts:
- The iPhone firmware is encrypted with a standard Mac OS X tool for
OS X disk image encryption.
- The key is located in a piece of software which seems to be used to manage
disk restoration.

I really think our nano 2g is encrypted with the same
tool/algorithms... But as you probably noticed, they didn't
get the key from the software which decrypts the iPhone firmware before
the OS launches, but from the restoration
software.

The question is: can we confirm that our encrypted firmwares are
encrypted with this method?

JD.

http://iphone.fiveforty.net/wiki/index.php/Main_Page
http://landonf.bikemonkey.org/code/iphone
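
Two steps in this thread are mechanical enough to show in code: the strings pass over asr that surfaced the 72-character hex string, and the split into a 16-byte AES key and a 20-byte HMAC-SHA1 key that mat h's two convert_hex lines (16 and 20) imply. The block below is an added example written for this page; it is not JD's work, not the iPhone hackers' vfdecrypt patch, and not code from the linux4nano project. The sample binary and the 72 hex digits embedded in it are constructed and are not the asr key. The chunk_iv function is my reading of how vfdecrypt uses the HMAC key and is not something the post describes.

```python
import hashlib
import hmac
import re
import struct

# The key material the post describes: a 16-byte AES key followed by a 20-byte
# HMAC-SHA1 key, i.e. 36 bytes = 72 hex digits (the two convert_hex lengths
# mat h quotes from the modified vfdecrypt).
AES_KEY_LEN = 16
HMAC_KEY_LEN = 20
KEY_HEX_LEN = 2 * (AES_KEY_LEN + HMAC_KEY_LEN)     # 72
HEX_ONLY = re.compile(rb"[0-9a-fA-F]+\Z")


def extract_strings(blob, min_len=4):
    """strings(1)-style scan: (offset, run) for each printable-ASCII run of
    at least min_len bytes."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group()) for m in pat.finditer(blob)]


def find_key_candidates(blob):
    """Runs that are exactly 72 hex digits: the shape of the string found in asr."""
    return [(off, s.decode("ascii")) for off, s in extract_strings(blob)
            if len(s) == KEY_HEX_LEN and HEX_ONLY.match(s)]


def split_key(hexkey):
    """Split the 72-digit hex string into (aes_key, hmac_sha1_key) raw bytes,
    the two values the patched vfdecrypt takes instead of a passphrase."""
    if len(hexkey) != KEY_HEX_LEN:
        raise ValueError("expected %d hex digits, got %d" % (KEY_HEX_LEN, len(hexkey)))
    raw = bytes.fromhex(hexkey)
    return raw[:AES_KEY_LEN], raw[AES_KEY_LEN:]


def chunk_iv(hmac_key, chunk_no):
    """What the HMAC key is for in vfdecrypt (my reading of the tool, not a
    claim from the post): the IV of chunk N is HMAC-SHA1(key, N as big-endian
    uint32) truncated to the 16-byte AES block size."""
    return hmac.new(hmac_key, struct.pack(">I", chunk_no), hashlib.sha1).digest()[:16]


# Constructed sample "binary": not asr, and the digits are not the real key.
# It contains a short hex run and an over-long one that must both be rejected.
SAMPLE_KEY_HEX = ("00112233445566778899aabbccddeeff"
                  "0123456789abcdef0123456789abcdef01234567")
SAMPLE_BINARY = (
    b"\x00\x01\xfe\xcaMach-O\x00\x00"
    + b"deadbeef" + b"\x00" * 3                  # 8 hex digits: too short
    + b"Usage: asr [options]\x00\x00"
    + SAMPLE_KEY_HEX.encode("ascii") + b"\x00"   # the 72-digit candidate
    + b"cafebabe" * 12 + b"\x00"                 # 96 hex digits: too long
    + b"\x7f\x80\x90"
)


def demo():
    """Run the whole chain on the sample: returns (offset, aes_key, hmac_key)."""
    (off, hexkey), = find_key_candidates(SAMPLE_BINARY)
    aes_key, hmac_key = split_key(hexkey)
    return off, aes_key, hmac_key
```

Filtering on the exact length is what separates the key from every other hex-looking string a Mach-O binary carries (build hashes, UUIDs). On a real binary, run find_key_candidates over the whole file and review every hit rather than taking the first one; the length filter is a shape test, not proof that a string is key material.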
