Difference between revisions of "IMG1"
(→IMG1 v2.0) |
|||
Line 5: | Line 5: | ||
It is sometimes called the '8900' image, which is how it was called on the original iPhone / S5L8900. It is also sometimes called the 'DFU image' format (because it's used in DFU mode to load WTF). | It is sometimes called the '8900' image, which is how it was called on the original iPhone / S5L8900. It is also sometimes called the 'DFU image' format (because it's used in DFU mode to load WTF). | ||
− | The iPhone Wiki has some basic [https://www.theiphonewiki.com/wiki/S5L_File_Formats#8900 information about the format]. However, that only describes the '1.0' version of IMG1. The lineage of IMG1 has continued in iPods long after iOS-based devices stopped its use, with IMG2/IMG3 never making it to the newer non-Touch iPods. | + | The iPhone Wiki has some basic [https://www.theiphonewiki.com/wiki/S5L_File_Formats#8900 information about the format]. However, that only describes the '1.0' version of IMG1. The lineage of IMG1 has continued in iPods long after iOS-based devices stopped its use, with IMG2/IMG3 never making it to the newer non-Touch iPods. Here we describe the known usage of IMG1, including its 2.0 version, in clickwheel iPods and non-iBoot bootroms. |
− | == | + | == Header Format == |
− | |||
− | |||
struct IMG1_20 { | struct IMG1_20 { | ||
char magic[4]; // SoC digits, eg. `8720`. | char magic[4]; // SoC digits, eg. `8720`. | ||
− | char version[3]; // `2.0` | + | char version[3]; // `1.0` or `2.0` |
− | byte format; // Encryption/signature format | + | byte format; // Encryption/signature format. See below. |
uint entrypoint; // Offset to jump to within body (after header). | uint entrypoint; // Offset to jump to within body (after header). | ||
uint bodyLen; // Size of the image body, ie. the data loaded into memory, before the | uint bodyLen; // Size of the image body, ie. the data loaded into memory, before the | ||
Line 35: | Line 33: | ||
0x600: Body, bodyLen bytes. | 0x600: Body, bodyLen bytes. | ||
... | ... | ||
− | 0x600 + bodyLen: body signature | + | 0x600 + bodyLen: body signature (for X509 formats) |
− | 0x680 + bodyLen (also 0x600+footerCertLen): certificate bundle | + | 0x680 + bodyLen (also 0x600+footerCertLen): certificate bundle (for X509 formats) |
0x680 + bodyLen + footerCertLen: end of file. | 0x680 + bodyLen + footerCertLen: end of file. | ||
Line 46: | Line 44: | ||
# dataLen = bodyLen + 0x80 + footerCertLen | # dataLen = bodyLen + 0x80 + footerCertLen | ||
− | === Differences | + | === Encryption/Signature Formats === |
+ | |||
+ | {| class="wikitable" | ||
+ | |- | ||
+ | ! Format (number) !! Header signed (SHA1+AES) !! Body encrypted !! Body signed (X509/RSA) !! Nodes | ||
+ | |- | ||
+ | | SIGNED_ENCRYPTED (1) || ✅ || ✅ || ❌ || Not accepted in 2.0. | ||
+ | |- | ||
+ | | SIGNED (2) || ✅ || ❌ || ❌ || Not accepted in 2.0. | ||
+ | |- | ||
+ | | X509_SIGNED_ENCRYPTED (3) || ✅ || ✅ || ✅|| Most (all?) released images have this type | ||
+ | |- | ||
+ | | X509_SIGNED (4) || ✅ || ❌ || ✅ || | ||
+ | |} | ||
+ | |||
+ | DFU mode in N3G,N4G,N5G seems only accepts X509_SIGNED_ENCRYPTED. | ||
+ | |||
+ | Other boot modes (notably in N3G) seem to accept other formats, but that's to be verified. N4G+/2.0 do not accept any non-X509 formats. | ||
+ | |||
+ | === Differences between v1.0 and 2.0 === | ||
+ | |||
+ | Nano4G+ use 2.0. Everything else uses 1.0. | ||
+ | |||
+ | 1.0 bootroms supports encryption formats 1,2, 3 and 4. 2.0 only supports encryption formats 3 and 4. | ||
− | + | When uploading IMG1 images via DFU, 1.0 images need to be suffixed with a CRC32 of their content. 2.0 images don't need the CRC32. | |
− | === Leftover SHA === | + | === Leftover SHA in header === |
It seems like whatever generates IMG1 images does so in the following pseudocode: | It seems like whatever generates IMG1 images does so in the following pseudocode: |
Revision as of 00:04, 13 January 2022
Contents
Introduction
IMG1 is a pseudonym for the image format used by early iOS devices and all S5L-based iPods.
It is sometimes called the '8900' image, which is how it was called on the original iPhone / S5L8900. It is also sometimes called the 'DFU image' format (because it's used in DFU mode to load WTF).
The iPhone Wiki has some basic information about the format. However, that only describes the '1.0' version of IMG1. The lineage of IMG1 has continued in iPods long after iOS-based devices stopped its use, with IMG2/IMG3 never making it to the newer non-Touch iPods. Here we describe the known usage of IMG1, including its 2.0 version, in clickwheel iPods and non-iBoot bootroms.
Header Format
struct IMG1_20 { char magic[4]; // SoC digits, eg. `8720`. char version[3]; // `1.0` or `2.0` byte format; // Encryption/signature format. See below. uint entrypoint; // Offset to jump to within body (after header). uint bodyLen; // Size of the image body, ie. the data loaded into memory, before the // signature/certificates start, after the header. uint dataLen; // Size of everything that's not the header (body + signature + certificates). uint footerCertOffset; // Offset of certificate start (after header). uint footerCertLen; // Size of certificate bundle. byte salt[32]; // Random data. ushort unk1; ushort unk2; // Security epoch? byte headerSign[16]; // AES-encrypted SHA1 signature of everything up to headerSign. byte headerLeftover[4]; // Last four bytes of unencrypted SHA1, usually leftover in images, but not // checked by firmware. Curiosity. }
The header is padded to either 0x600 (S5L8720) or 0x400 (S5L8740) bytes. The different sections are a bit tricky to reason about, there's an attempted overview:
0: Header (0x40 + 0x14 bytes, first 0x40 signed into last 0x14 bytes) 0x54: Padding until $header_size (magic dependent, 0x600 in this example) 0x600: Body, bodyLen bytes. ... 0x600 + bodyLen: body signature (for X509 formats) 0x680 + bodyLen (also 0x600+footerCertLen): certificate bundle (for X509 formats) 0x680 + bodyLen + footerCertLen: end of file.
The body signature is always 0x80 bytes long, and its length is not counted into bodyLen or footerCertLen.
A few assertions should hold:
- File size == $header_size + bodyLen + footerCertLen + 0x80
- dataLen = bodyLen + 0x80 + footerCertLen
Encryption/Signature Formats
Format (number) | Header signed (SHA1+AES) | Body encrypted | Body signed (X509/RSA) | Nodes |
---|---|---|---|---|
SIGNED_ENCRYPTED (1) | ✅ | ✅ | ❌ | Not accepted in 2.0. |
SIGNED (2) | ✅ | ❌ | ❌ | Not accepted in 2.0. |
X509_SIGNED_ENCRYPTED (3) | ✅ | ✅ | ✅ | Most (all?) released images have this type |
X509_SIGNED (4) | ✅ | ❌ | ✅ |
DFU mode in N3G,N4G,N5G seems only accepts X509_SIGNED_ENCRYPTED.
Other boot modes (notably in N3G) seem to accept other formats, but that's to be verified. N4G+/2.0 do not accept any non-X509 formats.
Differences between v1.0 and 2.0
Nano4G+ use 2.0. Everything else uses 1.0.
1.0 bootroms supports encryption formats 1,2, 3 and 4. 2.0 only supports encryption formats 3 and 4.
When uploading IMG1 images via DFU, 1.0 images need to be suffixed with a CRC32 of their content. 2.0 images don't need the CRC32.
Leftover SHA in header
It seems like whatever generates IMG1 images does so in the following pseudocode:
sha1(src=data, srcLen=0x40, dst=data+0x40) aes(src=data+0x40, size=0x10) // data is ready, ship it!
Because after the 0x10 bytes of the AES-encrypted SHA1 signature, there are 4 bytes of unencrypted SHA1 (because a SHA1 digest is 0x14 bytes, while an AES128 block is 0x10 bytes). This means that you can check the header signature yourself (or, well, 32 bits of the signature) by performing the following:
sha1s(data[0:0x40]).digest()[-4:] == data[0x50:0x54]
This has likely zero security implications, but is nonetheless a fascinating curiosity.