Difference between revisions of "Firmware decryption"
m (moved Firmware encryption to Firmware decryption)
User890104 (talk | contribs)
Revision as of 02:15, 3 August 2010
Understanding how the iPhone and iPod touch firmware is encrypted, and how that encryption was cracked, is crucial to cracking the Nano's encryption. Apple is likely to have used methods on the Nanos, especially the 4G, that are very similar to those used on the iPhone and iPod touch. The 4G Nano is extremely similar to the iPod Touch 2G, sharing the same processor.
Firmware encryption started with the release of the iPod 4G. Only the AUPD part is encrypted; it uses RC4, and the key is contained within the firmware itself. The iPodLinux project has more information about understanding and decrypting it: http://ipodlinux.org/wiki/Flash_Decryption
Starting with the iPod Nano 2G, the encryption method changed. The best guess so far is that the encryption is AES-CBC with 128-bit blocks and a 128-bit key. The key has not been found yet, but it is not needed to decrypt the firmware.
After the discovery of the notes exploit, it became possible to upload and execute custom code on the iPods. TheSeven wrote a utility (ipodcrypt.py) which decrypts parts of the firmware using the iPod's own crypto engine. The utility is loaded into the iPod's memory via iBugger, then the encrypted data is sent to it. After the decryption process completes, the decrypted data is downloaded back.
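The iPod 4G scheme described above (RC4 with the key stored inside the image) is a good illustration of why an embedded key gives no real confidentiality: whoever holds the image also holds the key. The following is an added example, not code from this wiki or from the iPodLinux project. It implements RC4 in pure Python and uses a constructed, hypothetical image layout (an 8-byte magic, a 16-byte key in the clear, then the RC4 payload); this layout is not the real AUPD format, which the iPodLinux page documents.

```python
# Added example (not from the wiki page or the iPodLinux project): a pure-Python RC4
# used to show why a key stored inside the firmware image offers no confidentiality.
# The image layout below (magic, key, payload) is constructed for this demo and is
# NOT the real iPod 4G AUPD layout.

def rc4_keystream(key: bytes):
    """Yield the RC4 keystream for `key` (KSA followed by PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:                               # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]

def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """RC4 is a stream cipher: the same call encrypts and decrypts."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)

# Constructed (hypothetical) image layout: 8-byte magic, 16-byte key, RC4 payload.
MAGIC = b"DEMOAUPD"
KEY_OFFSET = len(MAGIC)
KEY_LEN = 16

def build_demo_image(key: bytes, plaintext: bytes) -> bytes:
    """Build a demo image whose key sits in the clear right after the header."""
    if len(key) != KEY_LEN:
        raise ValueError("demo key must be %d bytes" % KEY_LEN)
    return MAGIC + key + rc4_crypt(key, plaintext)

def decrypt_demo_image(image: bytes) -> bytes:
    """Recover the payload using nothing but bytes present in the image itself."""
    if image[:len(MAGIC)] != MAGIC:
        raise ValueError("not a demo image")
    key = image[KEY_OFFSET:KEY_OFFSET + KEY_LEN]   # the key ships inside the image
    return rc4_crypt(key, image[KEY_OFFSET + KEY_LEN:])

if __name__ == "__main__":
    demo_key = bytes(range(0x10, 0x20))           # constructed sample key
    demo_payload = b"hello, firmware update"      # constructed sample payload
    img = build_demo_image(demo_key, demo_payload)
    print(decrypt_demo_image(img))
```

The `rc4_crypt` function matches the standard RC4 test vectors (for example key `Key` and plaintext `Plaintext` give `bbf316e8d940af0ad3`), so it can be dropped in front of a real key and blob once the offsets from the iPodLinux page are known.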
The ipodcrypt utility has the following features:
for Nano 2G:
- encrypt/decrypt DFU image
- encrypt/decrypt firmware file contents
- encrypt/decrypt dump of NOR flash's contents
for Nano 4G:
- decrypt firmware file contents
The decryption takes place on the iPod itself, so you must have a compatible device in order to use the utility. Also, you must run the iBugger utility on the device before using ipodcrypt.
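The two paragraphs above (AES-CBC on the Nano 2G with an unknown key, and ipodcrypt driving the iPod's crypto engine) rest on one property of CBC mode: decryption only needs a single-block decrypt primitive plus the chaining, so a party that can invoke the engine never needs the key. The following is an added example, not ipodcrypt.py and not Apple's or TheSeven's code. It rebuilds CBC around an opaque block-decrypt callable; the 16-byte toy cipher inside `make_engine` is a stand-in for AES chosen so the example runs without extra packages, and the key, IV and plaintext are constructed sample values. It also shows the caveat a practitioner wants: with a wrong IV only the first block comes out corrupted, which is how an unknown IV shows up in a decrypted image.

```python
# Added example (not the page's ipodcrypt.py and not Apple's or TheSeven's code):
# CBC mode rebuilt around an opaque single-block decrypt callable, to show why the
# party that can drive the crypto engine never needs the key. The toy 16-byte block
# cipher below is a stand-in for AES; only the CBC chaining logic carries over.

BLOCK = 16

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy permutation on one block: XOR with key, then rotate left one byte."""
    x = _xor(block, key)
    return x[1:] + x[:1]

def _toy_block_decrypt(key: bytes, block: bytes) -> bytes:
    """Exact inverse of _toy_block_encrypt: rotate right one byte, XOR with key."""
    x = block[-1:] + block[:-1]
    return _xor(x, key)

def make_engine(secret_key: bytes):
    """Model of the device's crypto engine: the caller gets two single-block
    callables and never sees `secret_key`, just as ipodcrypt never sees the iPod's key."""
    enc = lambda blk: _toy_block_encrypt(secret_key, blk)
    dec = lambda blk: _toy_block_decrypt(secret_key, blk)
    return enc, dec

def _check(iv: bytes, data: bytes) -> None:
    # Firmware images are block-aligned, so no padding scheme is applied here.
    if len(iv) != BLOCK or len(data) % BLOCK:
        raise ValueError("IV must be 16 bytes and data a multiple of 16 bytes")

def cbc_encrypt(block_encrypt, iv: bytes, plaintext: bytes) -> bytes:
    """C_0 = E(P_0 XOR IV), C_i = E(P_i XOR C_{i-1})."""
    _check(iv, plaintext)
    prev, out = iv, bytearray()
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(_xor(plaintext[i:i + BLOCK], prev))
        out += prev
    return bytes(out)

def cbc_decrypt(block_decrypt, iv: bytes, ciphertext: bytes) -> bytes:
    """P_i = D(C_i) XOR C_{i-1}: only the block-decrypt oracle is needed, not the key."""
    _check(iv, ciphertext)
    prev, out = iv, bytearray()
    for i in range(0, len(ciphertext), BLOCK):
        cur = ciphertext[i:i + BLOCK]
        out += _xor(block_decrypt(cur), prev)
        prev = cur
    return bytes(out)

def differing_blocks(a: bytes, b: bytes) -> list:
    """Indices of 16-byte blocks at which two equal-length buffers differ."""
    return [i // BLOCK for i in range(0, len(a), BLOCK) if a[i:i + BLOCK] != b[i:i + BLOCK]]

# Constructed demo values (not the iPod's key, IV or firmware).
DEMO_KEY = bytes(range(0x20, 0x30))
DEMO_IV = bytes(BLOCK)
DEMO_PLAINTEXT = b"block-0: header " b"block-1: vectors" b"block-2: payload"

def demo():
    """Decrypt with the oracle alone, then show that a wrong IV corrupts only block 0."""
    enc, dec = make_engine(DEMO_KEY)          # key stays inside the "engine"
    ct = cbc_encrypt(enc, DEMO_IV, DEMO_PLAINTEXT)
    recovered = cbc_decrypt(dec, DEMO_IV, ct)
    with_wrong_iv = cbc_decrypt(dec, b"\xff" * BLOCK, ct)
    return recovered, differing_blocks(recovered, with_wrong_iv)

if __name__ == "__main__":
    pt, bad = demo()
    print(pt, "| blocks corrupted by wrong IV:", bad)
```

Swapping `_toy_block_encrypt`/`_toy_block_decrypt` for real AES-128 calls (or for a transport that hands one block to the device and reads the result back) leaves `cbc_decrypt` unchanged, which is exactly the point: the chaining is public, and the engine holds the secret.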
You can find both utilities in the development snapshot, which is located on the iLoader homepage: http://the-seven.tk/ipod/iloader/sourcecode.php
In order to run these utilities, you will need the Python interpreter, the pyUSB module and libusb installed. The utilities can be run on both Windows and Linux.
Windows
First you need TheSeven's iBugger USB driver (http://l4n.clustur.com/data/theseven/releases/iBugger%20Windows%20Driver.7z). It uses libusb-win32 1.1.x (see the notes below).
Next, you need ActivePython (http://www.activestate.com/activepython) or another Python distribution for Windows. You can get ActivePython's latest version at: http://www.activestate.com/activepython/downloads
You also need pyUSB (http://pyusb.sourceforge.net/), a Python module that provides commands for communicating with USB devices. Its download page is http://sourceforge.net/projects/pyusb/files/ (newer versions) or http://developer.berlios.de/project/showfiles.php?group_id=4354 (another mirror). The 0.x branch is compatible with the libusb version included in TheSeven's iBugger driver.
Important note: If you are using Windows Vista/7, you'll need the signed (1.2.x) version of libusb-win32. Otherwise the driver will install (after you confirm that it is unsigned), but it will not load unless you disable the driver signature check, which is not recommended.
To use the 1.2.x version, extract it into the folder where you extracted the iBugger driver, overwriting the .dll and .sys with the ones from the 1.2.x package. Installing the driver then proceeds as usual.
Important note 2: If you have iTunes installed, you may need to kill iTunes's iPod service and uninstall the iPod drivers that iTunes installed before following the above instructions.
Linux
Python is usually included in most distributions, so you don't need to worry about installing it. If you have easy_install, you can install pyUSB with:
easy_install pyusb
Otherwise, download it and install it manually as in the Windows instructions.
To install libusb, use your distribution's package manager to search for libusb and install it.
Mac OS X
(to be added later)
Helpful pages
http://ipodlinux.org/wiki/Flash_Decryption
http://home.gna.org/linux4nano/download/crypto_synth-1.0.pdf
http://code.google.com/p/iphone-elite/w/list