Difference between revisions of "Firmware decryption"

From freemyipod.org
Jump to: navigation, search
 
(10 intermediate revisions by 5 users not shown)
Line 1: Line 1:
Understanding how the iPhone and iPod touch is encrypted and cracked is crucial to cracking the Nano's encryption. Apple is likely to have used very similar methods on the iPhone and iPod touch to the Nanos, especially the 4G. The 4G Nano is extremely similar to the iPod Touch 2G, sharing the same processor.
+
{{Template:Outdated|reason=iBugger is deprecated, and some links are dead}}
 +
 
 +
 
 +
==Background==
 +
Encrypting the firmware started with the release of iPod 4G. Only the AUPD part is encrypted, it uses RC4 encryption and the key is contained within the firmware. The iPodLinux project has more information about understanding and decrypting it: http://ipodlinux.org/wiki/Flash_Decryption
 +
 
 +
Starting with [[Nano 2G]], the encryption method changed. The best guess so far is that the encryption is AES-CBC with 128-bit blocks and a 128-bit key. The key isn't found yet, but it is not needed to decrypt the firmware.
 +
 
 +
After discovering the notes exploit, it became possible to upload and execute custom code on the ipods. TheSeven wrote an utility (ipodcrypt.py), which allows decrypting parts of the firmware using the iPod's crypto engine. The utility is being loaded via [[iBugger]] in the iPod's memory then the encrypted data is being sent. After the decryption process completes, the decrypted data is downloaded.
 +
 
 +
==ipodcrypt==
 +
The ipodcrypt utility has the following features:
 +
 
 +
for [[Nano 2G]]:
 +
 
 +
*encrypt/decrypt DFU image
 +
*encrypt/decrypt firmware file contents
 +
*encrypt/decrypt dump of NOR flash's contents
 +
 
 +
for [[Nano 4G]]:
 +
 
 +
*decrypt firmware file contents
 +
 
 +
The process of decrypting is taking part on the iPod itself, so you must have a compatible device in order to use the utility. Also, you must run the iBugger utility on the device before using ipodcrypt.
 +
 
 +
You can find both utilities in the development snapshot, which is located on the iLoader homepage: http://the-seven.tk/ipod/iloader/sourcecode.php
 +
 
 +
In order to run these utilities, you will need the Python interpreter installed, the pyUSB module and libusb. It is possible to run the utilities on both Windows and Linux.
 +
==Prerequisites==
 +
===Windows===
 +
First you need TheSeven's iBugger USB driver (http://l4n.clustur.com/data/theseven/releases/iBugger%20Windows%20Driver.7z). It uses libusb-win32 1.1.x. (see notes below)
 +
 
 +
Next, you need ActivePython (http://www.activestate.com/activepython) or another Python distribution for Windows. You can get ActivePython's latest version at: http://www.activestate.com/activepython/downloads
 +
 
 +
You also need [http://pyusb.sourceforge.net/ pyUSB] - a Python module for communicating with USB devices. Its download page is: You can get it from the [http://sourceforge.net/projects/pyusb/files/ download page] or [http://developer.berlios.de/project/showfiles.php?group_id=4354 another mirror]. The 0.x branch is compatible with the libusb version included TheSeven's iBugger driver.
 +
 
 +
'''Important note''': If you are using Windows Vista/7, you'll need the signed (1.2.x) version of libusb-win32. Otherwise the driver will install (after confirmation that it is unsigned), but it will not load unless you disable driver signature check, which is not recommended.
 +
 
 +
To use the 1.2.x version, you need to extract in the folder where you extracted the iBugger driver, then overwrite the .dll and .sys with the ones in 1.2.x package. Installing the driver then is as usual.
 +
 
 +
'''Important note 2''': You may need to kill iTunes's iPod service if you have iTunes installed, and to uninstall the iPod drivers that iTunes installed, before following the above instructions
 +
===Linux===
 +
Python is usually included in most distributions, so you don't need to worry about installing it. If you have easy_install, you can install pyUSB with:
 +
<pre>
 +
easy_install install pyusb
 +
</pre>
 +
Otherwise, you need to download it and install it manually as in the Windows instructions.
 +
 
 +
To install libusb, you need to use your distribution's package management utility and look for libusb, then install it.
 +
===Mac OS X===
 +
(to be added later)
 +
 
 
==Helpful pages==
 
==Helpful pages==
 +
http://ipodlinux.org/wiki/Flash_Decryption
 +
 
http://home.gna.org/linux4nano/download/crypto_synth-1.0.pdf
 
http://home.gna.org/linux4nano/download/crypto_synth-1.0.pdf
  

Latest revision as of 23:27, 31 July 2012

Warning The information and/or topic discussed here is not up to date.

iBugger is deprecated, and some links are dead


Background

Encrypting the firmware started with the release of iPod 4G. Only the AUPD part is encrypted, it uses RC4 encryption and the key is contained within the firmware. The iPodLinux project has more information about understanding and decrypting it: http://ipodlinux.org/wiki/Flash_Decryption

Starting with Nano 2G, the encryption method changed. The best guess so far is that the encryption is AES-CBC with 128-bit blocks and a 128-bit key. The key isn't found yet, but it is not needed to decrypt the firmware.

After discovering the notes exploit, it became possible to upload and execute custom code on the ipods. TheSeven wrote an utility (ipodcrypt.py), which allows decrypting parts of the firmware using the iPod's crypto engine. The utility is being loaded via iBugger in the iPod's memory then the encrypted data is being sent. After the decryption process completes, the decrypted data is downloaded.

ipodcrypt

The ipodcrypt utility has the following features:

for Nano 2G:

  • encrypt/decrypt DFU image
  • encrypt/decrypt firmware file contents
  • encrypt/decrypt dump of NOR flash's contents

for Nano 4G:

  • decrypt firmware file contents

The process of decrypting is taking part on the iPod itself, so you must have a compatible device in order to use the utility. Also, you must run the iBugger utility on the device before using ipodcrypt.

You can find both utilities in the development snapshot, which is located on the iLoader homepage: http://the-seven.tk/ipod/iloader/sourcecode.php

In order to run these utilities, you will need the Python interpreter installed, the pyUSB module and libusb. It is possible to run the utilities on both Windows and Linux.

Prerequisites

Windows

First you need TheSeven's iBugger USB driver (http://l4n.clustur.com/data/theseven/releases/iBugger%20Windows%20Driver.7z). It uses libusb-win32 1.1.x. (see notes below)

Next, you need ActivePython (http://www.activestate.com/activepython) or another Python distribution for Windows. You can get ActivePython's latest version at: http://www.activestate.com/activepython/downloads

You also need pyUSB - a Python module for communicating with USB devices. Its download page is: You can get it from the download page or another mirror. The 0.x branch is compatible with the libusb version included TheSeven's iBugger driver.

Important note: If you are using Windows Vista/7, you'll need the signed (1.2.x) version of libusb-win32. Otherwise the driver will install (after confirmation that it is unsigned), but it will not load unless you disable driver signature check, which is not recommended.

To use the 1.2.x version, you need to extract in the folder where you extracted the iBugger driver, then overwrite the .dll and .sys with the ones in 1.2.x package. Installing the driver then is as usual.

Important note 2: You may need to kill iTunes's iPod service if you have iTunes installed, and to uninstall the iPod drivers that iTunes installed, before following the above instructions

Linux

Python is usually included in most distributions, so you don't need to worry about installing it. If you have easy_install, you can install pyUSB with:

easy_install install pyusb

Otherwise, you need to download it and install it manually as in the Windows instructions.

To install libusb, you need to use your distribution's package management utility and look for libusb, then install it.

Mac OS X

(to be added later)

Helpful pages

http://ipodlinux.org/wiki/Flash_Decryption

http://home.gna.org/linux4nano/download/crypto_synth-1.0.pdf

http://code.google.com/p/iphone-elite/w/list

http://code.google.com/p/chronicdev/w/list

http://wikee.iphwn.org/

http://iphonejtag.blogspot.com/