Difference between revisions of "Firmware decryption"
Revision as of 15:44, 6 September 2010
Background
Firmware encryption started with the release of the iPod 4G. Only the AUPD part is encrypted; it uses RC4, and the key is contained within the firmware itself. The iPodLinux project has more information about understanding and decrypting it: http://ipodlinux.org/wiki/Flash_Decryption
Starting with the Nano 2G, the encryption method changed. The best guess so far is that the encryption is AES-CBC with 128-bit blocks and a 128-bit key. The key has not been found yet, but it is not needed to decrypt the firmware.
After the discovery of the notes exploit, it became possible to upload and execute custom code on the iPods. TheSeven wrote a utility (ipodcrypt.py) which decrypts parts of the firmware using the iPod's own crypto engine. The utility is loaded into the iPod's memory via iBugger, then the encrypted data is sent to it. After the decryption completes, the decrypted data is downloaded back to the host.
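Because the key is unknown and only the device can decrypt, the AES-CBC guess above can be checked from the decrypt oracle alone: in CBC, flipping bits in one ciphertext block garbles the corresponding plaintext block and flips exactly the same bits in the next one. The Python below is an added example, not part of this page or of ipodcrypt; it runs that structural test against a simulated oracle built on a constructed Feistel stand-in cipher (not AES, and the key and IV are made up), and generalizes it to probe the block size. Against a real device you would replace cbc_decrypt with a function that round-trips data through ipodcrypt.

```python
import hashlib, os

BLOCK = 16  # the page's best guess for the Nano 2G: 128-bit blocks

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key, half, i):
    # Keyed round function of the stand-in cipher (SHA-256 based, NOT AES).
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]

def toy_block_encrypt(key, block):
    # 4-round Feistel stand-in for the unknown 128-bit block cipher core.
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, _xor(l, _round(key, r, i))
    return l + r

def toy_block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _round(key, l, i)), l
    return l + r

def cbc_decrypt(key, iv, ct):
    # Simulated device-side decrypt oracle: CBC over the stand-in cipher.
    out, prev = bytearray(), iv
    for i in range(0, len(ct), BLOCK):
        out += _xor(toy_block_decrypt(key, ct[i:i + BLOCK]), prev)
        prev = ct[i:i + BLOCK]
    return bytes(out)

def looks_like_cbc(decrypt, block, trials=4):
    # In CBC, P[i] = D(C[i]) XOR C[i-1]: flipping bits in C[1] must garble
    # P[1], flip exactly the same bits in P[2] and leave P[0], P[3] untouched.
    # Only a decrypt oracle is needed, never the key.
    for _ in range(trials):
        ct, delta = os.urandom(4 * block), os.urandom(block)
        pt = decrypt(ct)
        pt2 = decrypt(ct[:block] + _xor(ct[block:2 * block], delta) + ct[2 * block:])
        if not (pt2[:block] == pt[:block]
                and pt2[block:2 * block] != pt[block:2 * block]
                and pt2[2 * block:3 * block] == _xor(pt[2 * block:3 * block], delta)
                and pt2[3 * block:] == pt[3 * block:]):
            return False
    return True

def detect_cbc_block_size(decrypt, candidates=(8, 16, 32)):
    # First candidate for which the oracle behaves like CBC; None for ECB etc.
    return next((b for b in candidates if looks_like_cbc(decrypt, b)), None)
```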
ipodcrypt
The ipodcrypt utility has the following features:
for Nano 2G:
- encrypt/decrypt DFU image
- encrypt/decrypt firmware file contents
- encrypt/decrypt dump of NOR flash's contents
for Nano 4G:
- decrypt firmware file contents
Decryption takes place on the iPod itself, so you must have a compatible device in order to use the utility. You must also run the iBugger utility on the device before using ipodcrypt.
You can find both utilities in the development snapshot, which is located on the iLoader homepage: http://the-seven.tk/ipod/iloader/sourcecode.php
In order to run these utilities you will need a Python interpreter, the pyUSB module and libusb installed. The utilities run on both Windows and Linux.
Prerequisites
Windows
First you need TheSeven's iBugger USB driver (http://l4n.clustur.com/data/theseven/releases/iBugger%20Windows%20Driver.7z). It uses libusb-win32 1.1.x (see the notes below).
Next, you need ActivePython (http://www.activestate.com/activepython) or another Python distribution for Windows. You can get ActivePython's latest version at: http://www.activestate.com/activepython/downloads
You also need pyUSB, a Python module for communicating with USB devices; you can get it from its download page or another mirror. The 0.x branch is compatible with the libusb version included in TheSeven's iBugger driver.
Important note: If you are using Windows Vista/7, you'll need the signed (1.2.x) version of libusb-win32. Otherwise the driver will install (after you confirm that it is unsigned), but it will not load unless you disable driver signature enforcement, which is not recommended.
To use the 1.2.x version, extract it into the folder where you extracted the iBugger driver and overwrite the .dll and .sys files with the ones from the 1.2.x package. Then install the driver as usual.
Important note 2: If you have iTunes installed, you may need to kill the iTunes iPod service and uninstall the iPod drivers that iTunes installed before following the above instructions.
Linux
Python is usually included in most distributions, so you don't need to install it. If you have easy_install, you can install pyUSB with:
easy_install pyusb
Otherwise, you need to download it and install it manually as in the Windows instructions.
To install libusb, use your distribution's package manager: search for libusb and install it.
Mac OS X
(to be added later)
Helpful pages
http://ipodlinux.org/wiki/Flash_Decryption
http://home.gna.org/linux4nano/download/crypto_synth-1.0.pdf
http://code.google.com/p/iphone-elite/w/list