Difference between revisions of "Firmware decryption"

From freemyipod.org
Revision as of 02:37, 3 August 2010

Background

Encrypting the firmware started with the release of the iPod 4G. Only the AUPD part is encrypted; it uses RC4, and the key is contained within the firmware itself. The iPodLinux project has more information about understanding and decrypting it: http://ipodlinux.org/wiki/Flash_Decryption

Starting with the Nano 2G, the encryption method changed. The best guess so far is that the encryption is AES-CBC with 128-bit blocks and a 128-bit key. The key has not been found yet, but it is not needed to decrypt the firmware.

After the discovery of the notes exploit, it became possible to upload and execute custom code on the iPods. TheSeven wrote a utility (ipodcrypt.py) which allows decrypting parts of the firmware using the iPod's own crypto engine. The utility is loaded into the iPod's memory via iBugger, then the encrypted data is sent to the device. After the decryption process completes, the decrypted data is downloaded back.
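The following is an added example, not code from the freemyipod wiki or from ipodcrypt: it implements RC4 and runs it over a constructed image in which the key is stored next to the ciphertext, which is the property of the iPod 4G AUPD scheme described above. The image layout (`AUPD` magic, length, key, body) is invented for illustration; the real AUPD layout is not described on this page.

```python
# Added example (not from the freemyipod wiki or the ipodcrypt utility).
# RC4 over a constructed image whose key travels alongside the ciphertext,
# mirroring the iPod 4G AUPD design where the RC4 key is contained within
# the firmware. The layout below is invented; the real AUPD layout is not
# given on this page.
import struct

KEY_LEN = 16  # constructed: 128-bit RC4 key stored in the image header


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4: key scheduling, then keystream XORed over data."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def build_image(key: bytes, plaintext: bytes) -> bytes:
    """Constructed layout: b'AUPD' | u32 body length | key | RC4(body)."""
    if len(key) != KEY_LEN:
        raise ValueError("constructed layout expects a 16-byte key")
    return b"AUPD" + struct.pack("<I", len(plaintext)) + key + rc4(key, plaintext)


def decrypt_image(image: bytes) -> bytes:
    """Recover the body using only bytes present in the image itself."""
    if image[:4] != b"AUPD":
        raise ValueError("not a constructed AUPD image")
    (length,) = struct.unpack("<I", image[4:8])
    key = image[8:8 + KEY_LEN]                 # the key sits in the clear
    body = image[8 + KEY_LEN:8 + KEY_LEN + length]
    return rc4(key, body)


if __name__ == "__main__":
    sample = b"constructed firmware body: not a real iPod image"
    img = build_image(bytes(range(1, KEY_LEN + 1)), sample)
    assert decrypt_image(img) == sample
    print("decrypted using nothing beyond the image itself")
```

Because `decrypt_image` needs no input other than the image, the scheme provides obfuscation rather than confidentiality; that is why the iPodLinux project could document a decryption procedure for it.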

ipodcrypt

The ipodcrypt utility has the following features:

for Nano 2G:

  • encrypt/decrypt DFU image
  • encrypt/decrypt firmware file contents
  • encrypt/decrypt dump of NOR flash's contents

for Nano 4G:

  • decrypt firmware file contents

The decryption itself takes place on the iPod, so you must have a compatible device in order to use the utility. You must also run the iBugger utility on the device before using ipodcrypt.

You can find both utilities in the development snapshot, which is located on the iLoader homepage: http://the-seven.tk/ipod/iloader/sourcecode.php

In order to run these utilities, you will need the Python interpreter, the pyUSB module and libusb installed. The utilities run on both Windows and Linux.

Windows

First you need TheSeven's iBugger USB driver (http://l4n.clustur.com/data/theseven/releases/iBugger%20Windows%20Driver.7z). It uses libusb-win32 1.1.x (see the notes below).

Next, you need ActivePython (http://www.activestate.com/activepython) or another Python distribution for Windows. You can get the latest version of ActivePython at: http://www.activestate.com/activepython/downloads

You also need pyUSB (http://pyusb.sourceforge.net/), a Python module that provides commands for communicating with USB devices. Its download page is http://sourceforge.net/projects/pyusb/files/ (newer versions) or http://developer.berlios.de/project/showfiles.php?group_id=4354 (another mirror). The 0.x branch is compatible with the libusb version included in TheSeven's iBugger driver.

Important note: If you are using Windows Vista/7, you'll need the signed (1.2.x) version of libusb-win32. Otherwise the driver will install (after you confirm that it is unsigned), but it will not load unless you disable the driver signature check, which is not recommended.

To use the 1.2.x version, extract it into the folder where you extracted the iBugger driver, overwriting the .dll and .sys files with the ones from the 1.2.x package. Installing the driver is then done as usual.

Important note 2: If you have iTunes installed, you may need to kill its iPod service and uninstall the iPod drivers that iTunes installed before following the above instructions.

Linux

Python is included in most distributions, so you don't need to worry about installing it. If you have easy_install, you can install pyUSB with:

easy_install pyusb

Otherwise, download it and install it manually as in the Windows instructions.

To install libusb, use your distribution's package management utility to search for libusb and install it.

Mac OS X

(to be added later)

Helpful pages

http://ipodlinux.org/wiki/Flash_Decryption

http://home.gna.org/linux4nano/download/crypto_synth-1.0.pdf

http://code.google.com/p/iphone-elite/w/list

http://code.google.com/p/chronicdev/w/list

http://wikee.iphwn.org/

http://iphonejtag.blogspot.com/