GeoSn0w
Verified Security Researcher
Posts: 670 | Threads: 276 | Joined: Jun 2019 | Reputation: 82
#1



In this post, I am going to show you how to decrypt the iOS boot chain components such as iBEC, iBSS, iBoot, the Restore Ramdisk and so on by deriving their keys using the CheckM8 SecureROM (BootROM) exploit. We're going to do this for iOS 13.x, but you could use literally any version on the supported devices. The supported devices are the iPhone 4S all the way up to the iPhone X and everything in between.

For the sake of this post, I will use an iPod Touch 2019 (iPod Touch 7), which has the A10 chip (compatible with CheckM8). I am also using the latest version of the CheckM8 exploit, which is part of the ipwndfu repo on @axi0mX's GitHub.



Now, as you probably know, if you want to build an iOS CFW you need to patch iBEC, iBSS, iBoot, the Ramdisk and so on. These are part of an IMG4 / IM4P container on 64-bit iOS devices, and of IMG3 containers on 32-bit devices like the iPhone 5, iPhone 5C and 4S. The container is encrypted. The key used to decrypt it is only available on the device's silicon and it cannot be extracted and used outside. However, using CheckM8, we can get access to the AES engine and ask it to derive the decryption KEY and IV for us by feeding it the KBAG from the firmware component. Of course, normally iOS turns this engine off as soon as iBoot finishes doing its job at boot time, but using this exploit we can use it as much as we want.



Keep in mind that each iOS device has a different key, so the decryption keys for iBEC, for example, from my iPod 7 will not work on the same iBEC from the same iOS version on your iPhone 5S (for example). Each device model has a different GID key. Brute-forcing the key is useless: there are way too many possible keys, and it would take billions of years to brute-force, if it is even possible. While the GID key remains tightly encapsulated and protected, we can still take advantage of it if the iOS device is pwned at the iBoot or SecureROM level.



Important note: The Key and IV used to decrypt the iOS components are actually stored inside each component as part of its IMG4 container, inside the KBAG. However, the KEY + IV pair is itself encrypted with another unique key called the GID key. This is the key we can never extract. Using the open window checkM8 gives us to this key through the AES engine, we can decrypt the KBAG, which yields the unencrypted plain-text Key and IV used to decrypt the actual data.



1.0 Gathering your tools:



For this operation, you will need a couple of tools. They are all listed here, available for you to download.

Please keep in mind that at the time I am writing this write-up, you can only do this on a macOS machine, either virtual or physical.



> ipwndfu: https://github.com/axi0mX/ipwndfu

> IMG4TOOL: https://github.com/tihmstar/img4tool

> IMG4: https://mega.nz/#!kh9HwALK!z65nLcHWj_Ivu...q3XHe97_Vg



2.0 Obtaining the right iPSW file for your iOS version and device.



Of course, if you want to decrypt the iOS for your device, you need the proper IPSW you want to convert into a CFW. I recommend using ipsw.me to get the IPSW file for your iOS version and your device. Once you have it, rename it from ".ipsw" to ".zip" so that you can extract it. Double-click on the archive to extract it and wait until the extraction is complete.



Inside the IPSW you can see that there is a specific directory structure. Inside the DFU folder, you can find the iBEC and iBSS. Nowadays Apple combines the firmware for multiple devices with the same screen size into the same IPSW, so make sure you get the files for your model. Usually, they are named after the device identifier.



For the sake of this write-up, I will extract the iBoot and the iBSS for my iPod and place them on my Desktop.



3.0 Obtaining the KBAG from the IM4P / IMG4 firmware component.



As I said, the decryption keys for each component are stored inside the component itself, but they're encrypted. The encrypted chunk is called a KBAG. We can use IMG4TOOL by @tihmstar to extract the KBAG.



In Terminal run the following commands:

Code:
chmod 775 /path/to/your/compiled/IMG4TOOL
./img4tool -a /path/to/encrypted/file

Then press Return (Enter).



In my case, it looks like this:







As you can see, the program yields two different KBAGs, num 1 and num 2. You're interested in num 1 because that one is for RELEASE fused devices. The other one is for DEVELOPMENT devices which they use internally at the factory.

You need to copy the long alphanumeric string after num: 1. That is your KBAG.



So in my case, the KBAG is:



Code:
493d1322792f9688c135567ee1c30e388ef162b030d229a986f8fded4b0a45d2cb1971400fb93cf6b884bf223b11944d

4.0 Decrypting the KBAG with CheckM8 and a compatible pwned device.



As you can see, we got the KBAG, but it's completely useless. We cannot use it to decrypt the data because the KBAG is an encrypted pair of KEY + IV. We need to pwn the matching device with checkm8 in DFU mode, and then use the AES engine to decrypt the KBAG.



Follow these steps to get your device in PWNED DFU MODE with CheckM8.



1) Plug the device into the computer using a USB cable.

2) Press and hold POWER + either HOME (if you have an iPhone 6S Plus or older) or Volume DOWN until the screen goes dark.

3) Wait 5 seconds while holding both after the screen goes black.

4) Release the Power button but keep holding HOME or Volume Down (depending on the device) for 14 more seconds.

5) Release the HOME / Volume Down button.

6) Now run ipwndfu in Terminal.



The command should look like this, assuming you extracted the GitHub repo for ipwndfu in a folder on Desktop:

Code:
cd /Users/geosn0w/Desktop/ipwndfu-master
./ipwndfu -p

You may need to run ./ipwndfu -p more than once if it fails. Once it succeeds it should look like mine:







Now that the device is pwned, we can abuse its AES engine to decrypt our KEY + IV.

To decrypt the KBAG, we need to run "./ipwndfu --decrypt-gid=YOUR KBAG" in Terminal. It should look like this once done:







As you can see, the decryption was successful and we obtained yet another confusing string. Fear not, this is the actual KEY and IV, but they are concatenated.



5.0 Extracting the KEY + IV for your component



That long string is basically the KEY and the IV; you just don't know how much of it is the key and how much of it is the IV. The first 64 characters are the KEY and the remaining 32 are the IV.



So in this case, the KEY is:

570c42b1ae1af1ab9639b5b4b1983938b52b19662dabd101d74ca0529aa914e5



And the IV is:

3080bfc320a827ac89d3106831a06166



6.0 Using the KEY + IV to decrypt the firmware component



Now we can use the KEY + IV and the tool called IMG4 to actually decrypt iBSS / iBoot etc.

To do that, we need to run the following commands:

Code:
chmod 775 /Users/geosn0w/Desktop/img4
/Users/geosn0w/Desktop/img4 -image /Users/geosn0w/Desktop/iBoot.n112.RELEASE.im4p iBoot-Decrypted-AF 570c42b1ae1af1ab9639b5b4b1983938b52b19662dabd101d74ca0529aa914e53080bfc320a827ac89d3106831a06166

Of course, adapt the paths for your computer/locations.



Once we press Return, we should get only one word: the type of the file. In this case "ibot" means an iBoot file, which means that the decryption was successful. You can confirm it by the fact that a new file was created with the second file name you specified (iBoot-Decrypted-AF); when you open that file in a HEX editor, it should look like this.







And that's all :-) You can now patch, reverse engineer or do whatever to the decrypted file.

~GeoSn0w (@FCE365)
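As an added example (not code from the post, ipwndfu or img4tool), here is a small stdlib-only Python helper that validates the KBAG copied from img4tool, splits the --decrypt-gid output into KEY and IV as described in section 5.0, and assembles the img4 command from section 6.0. The sample values are the ones quoted in the post; the img4 and .im4p paths passed to it are placeholders.

```python
from __future__ import annotations

import shlex

# AES-256 key + 16-byte IV: the KBAG and its decrypted form are both 48 bytes.
AES256_KEY_BYTES = 32
AES_IV_BYTES = 16
KBAG_BYTES = AES256_KEY_BYTES + AES_IV_BYTES  # 48 bytes = 96 hex characters

# Sample values taken from the post (iPod Touch 7 iBoot, RELEASE KBAG "num: 1").
POST_KBAG = "493d1322792f9688c135567ee1c30e388ef162b030d229a986f8fded4b0a45d2cb1971400fb93cf6b884bf223b11944d"
POST_DECRYPTED = ("570c42b1ae1af1ab9639b5b4b1983938b52b19662dabd101d74ca0529aa914e5"
                  "3080bfc320a827ac89d3106831a06166")


def hex_to_bytes(label: str, value: str) -> bytes:
    """Parse a copied hex string, rejecting odd lengths and stray characters."""
    cleaned = value.strip().lower()
    if len(cleaned) % 2:
        raise ValueError(f"{label}: odd number of hex digits ({len(cleaned)})")
    try:
        return bytes.fromhex(cleaned)
    except ValueError as exc:
        raise ValueError(f"{label}: not a hex string") from exc


def check_kbag(kbag_hex: str) -> bytes:
    """Validate the RELEASE KBAG ("num: 1") copied from `img4tool -a` output.

    The KBAG is the GID-encrypted KEY+IV pair, so it must be exactly 48 bytes;
    any other length means the wrong line, or only part of it, was copied.
    """
    kbag = hex_to_bytes("KBAG", kbag_hex)
    if len(kbag) != KBAG_BYTES:
        raise ValueError(f"KBAG is {len(kbag)} bytes, expected {KBAG_BYTES}")
    return kbag


def split_key_iv(decrypted_hex: str) -> tuple[bytes, bytes]:
    """Split `ipwndfu --decrypt-gid` output: first 32 bytes KEY, last 16 bytes IV."""
    blob = hex_to_bytes("decrypted KBAG", decrypted_hex)
    if len(blob) != KBAG_BYTES:
        raise ValueError(f"decrypted KBAG is {len(blob)} bytes, expected {KBAG_BYTES}")
    return blob[:AES256_KEY_BYTES], blob[AES256_KEY_BYTES:]


def img4_command(img4_path: str, im4p_path: str, out_path: str, decrypted_hex: str) -> str:
    """Build the section 6.0 invocation: <img4> -image <im4p> <out> <KEY||IV as hex>."""
    key, iv = split_key_iv(decrypted_hex)
    return shlex.join([img4_path, "-image", im4p_path, out_path, (key + iv).hex()])


if __name__ == "__main__":
    check_kbag(POST_KBAG)
    key, iv = split_key_iv(POST_DECRYPTED)
    print("KEY:", key.hex())
    print("IV: ", iv.hex())
    # Placeholder paths: adapt them to your own machine.
    print(img4_command("./img4", "iBoot.n112.RELEASE.im4p", "iBoot-Decrypted-AF", POST_DECRYPTED))
```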



NOTE: This forum is not endorsed in any way by Apple Inc. iPhone and iOS are trademarks of Apple Inc. All the info provided here is strictly for educational purposes. You are the only one responsible for how you use this information.

AkaBastard





Junior Member
Posts: 2 | Threads: 0 | Joined: Oct 2019 | Reputation: 0
#2

Hey,

Having a hard time compiling img4tool. Can you share it?

Prontera





Junior Member
Posts: 4 | Threads: 0 | Joined: Oct 2019 | Reputation: 0
#3

(10-23-2019, 05:31 AM) AkaBastard Wrote:
Hey,
Having a hard time compiling img4tool. Can you share it?

Me too

evil_shadow





Junior Member
Posts: 1 | Threads: 0 | Joined: Oct 2019 | Reputation: 1
#4

(10-23-2019, 05:49 AM) Prontera Wrote:
(10-23-2019, 05:31 AM) AkaBastard Wrote:
Hey,
Having a hard time compiling img4tool. Can you share it?

Me too

Here it is

https://www.dropbox.com/s/6tfs6z0j8rp181...l.zip?dl=0

How can I delete/patch setup.app?

best4less





Junior Member
Posts: 4 | Threads: 0 | Joined: Oct 2019 | Reputation: 0
#5

I can't thank you enough for the step-by-step tut, GeoSn0w.

Can anyone recommend an appropriate HEX editor for this project?

This reminds me of the great old days of Pay TV card decryption.

cheers

udede





Junior Member
Posts: 1 | Threads: 0 | Joined: Oct 2019 | Reputation: 0
#6

Hi

I have an iPad 4 on iOS 10.3.4. Can I do this?

GeoSn0w

Verified Security Researcher
Posts: 670 | Threads: 276 | Joined: Jun 2019 | Reputation: 82
#7

(10-23-2019, 05:46 PM) best4less Wrote:
I can't thank you enough for the step-by-step tut, GeoSn0w.
Can anyone recommend an appropriate HEX editor for this project?
This reminds me of the great old days of Pay TV card decryption.
cheers

I use iHex from the App Store. 0xED also works nicely.

Saraseti_Sun-Ra





Junior Member
Posts: 4 | Threads: 0 | Joined: Oct 2019 | Reputation: 1
#8

(10-23-2019, 05:31 AM) AkaBastard Wrote:
Hey,
Having a hard time compiling img4tool. Can you share it?

If you are still having trouble, try to reinstall img4tool using:

git clone --recursive and then git update --recursive

It should help with compiling. Let me know...

naap737





Junior Member
Posts: 7 | Threads: 0 | Joined: Oct 2019 | Reputation: 0
#9

When trying to get the KBAG, I am getting this error:

dyld: Library not loaded: /usr/local/opt/openssl/lib/libcrypto.1.0.0.dylib
Referenced from: /Users/XXXXXX/Desktop/img4tool
Reason: image not found
Abort trap: 6

Fix?

Saraseti_Sun-Ra





Junior Member
Posts: 4 | Threads: 0 | Joined: Oct 2019 | Reputation: 1
#10

Hey GeoSn0w, when using the command /Users/xxx/Desktop/img4 -image I'm met with this error: [e] decompression error

Any thoughts?