Page 7 of 8
Results 121 to 140 of 160



Thread: Let's put our minds together on this 3GS 3.1.3 New Bootrom Issue

  1. #121
    iPhone? More like MyPhone katmeef's Avatar
    Join Date
    Mar 2010
    Location
    Hamilton, ON
    Posts
    265
    Thanks
    14
    Thanked 19 Times in 12 Posts

    Quote Originally Posted by pheroah View Post
    Katmeef, a stupid question, but just to make sure: did you decode these base-64 strings, or are you just comparing them text-based?

    If you haven't done so, decode them first into hex and use a hex editor, that will show the ECID plus some Apple Root Certificate, i am trying to figure out the rest.
    i looked in the hex editor but wasn't able to find the ECID in the blob

    Quote Originally Posted by yazz2020 View Post
    if your ECID is for example 0000011a2b3c4d5e in a hexedit app the ECID will be byte reversed meaning 5e4d3c2b1a010000. hope this explains it.
    thanks, will take a look in hexedit for my ECID reversed in this way.

    ////

    ok so ECID of 0000036D7A051D4E, translates into 4E1D057A6D030000 reversed as in your example.

    Here is the first few lines of my 3.1.3 blob in text:
    <data>
    RElDRUAAAAAIAAAATh0Fem0DAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAEhTSFOMAAAAgAAAAF8UlbkB2lDuf3GzsOKp
    l9W27jKKy2oALg0DbxdLXRVzeioqbeslSZ0bL5MRY9u3ZtPdnjzvjlkIN/cI
    CWfG1hLNrSllq5QBiV2u8U8xHPdtCWS2xM4dJqARhjbUN3zYWB7w2lQQJpt8
    7jAow0g2GLmB4yAg3GZLBCxjAy8F7MW0VFJFQ4EHAAB1BwAAMIID+DCCAuCg

    Here is the hex of the first few lines of the same blob
    00000130 0A 09 09 3C 6B 65 79 3E 42 6C 6F 62 3C 2F 6B 65 ...<key>Blob</ke
    00000140 79 3E 0A 09 09 3C 64 61 74 61 3E 0A 09 09 52 45 y>...<data>...RE
    00000150 6C 44 52 55 41 41 41 41 41 49 41 41 41 41 54 68 lDRUAAAAAIAAAATh
    00000160 30 46 65 6D 30 44 41 41 41 41 41 41 41 41 41 41 0Fem0DAAAAAAAAAA
    00000170 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    00000180 41 41 41 41 41 41 41 41 41 41 0A 09 09 41 41 41 AAAAAAAAAA...AAA
    00000190 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    000001A0 41 41 41 41 41 41 45 68 54 53 46 4F 4D 41 41 41 AAAAAAEhTSFOMAAA
    000001B0 41 67 41 41 41 41 46 38 55 6C 62 6B 42 32 6C 44 AgAAAAF8UlbkB2lD
    000001C0 75 66 33 47 7A 73 4F 4B 70 0A 09 09 6C 39 57 32 uf3GzsOKp...l9W2
    000001D0 37 6A 4B 4B 79 32 6F 41 4C 67 30 44 62 78 64 4C 7jKKy2oALg0DbxdL
    000001E0 58 52 56 7A 65 69 6F 71 62 65 73 6C 53 5A 30 62 XRVzeioqbeslSZ0b
    000001F0 4C 35 4D 52 59 39 75 33 5A 74 50 64 6E 6A 7A 76 L5MRY9u3ZtPdnjzv
    00000200 6A 6C 6B 49 4E 2F 63 49 0A 09 09 43 57 66 47 31 jlkIN/cI...CWfG1
    00000210 68 4C 4E 72 53 6C 6C 71 35 51 42 69 56 32 75 38 hLNrSllq5QBiV2u8
    00000220 55 38 78 48 50 64 74 43 57 53 32 78 4D 34 64 4A U8xHPdtCWS2xM4dJ
    00000230 71 41 52 68 6A 62 55 4E 33 7A 59 57 42 37 77 32 qARhjbUN3zYWB7w2
    00000240 6C 51 51 4A 70 74 38 0A 09 09 37 6A 41 6F 77 30 lQQJpt8...7jAow0
    00000250 67 32 47 4C 6D 42 34 79 41 67 33 47 5A 4C 42 43 g2GLmB4yAg3GZLBC
    00000260 78 6A 41 79 38 46 37 4D 57 30 56 46 4A 46 51 34 xjAy8F7MW0VFJFQ4
    00000270 45 48 41 41 42 31 42 77 41 41 4D 49 49 44 2B 44 EHAAB1BwAAMIID+D
    00000280 43 43 41 75 43 67 0A 09 09 41 77 49 42 41 67 49 CCAuCg...

    i'm not seeing my ECID in there reversed (4E1D057A6D030000) - am I missing it?

    ^^^^ found it! Thanks pheroah
    had to convert xml plist to binary with this command first, then hexedit:
    plutil -convert binary1 FILENAME.SHSH

    00000150 74 69 61 6C 44 69 67 65 73 74 54 50 61 74 68 4F tialDigestTPathO
    00000160 11 08 4D 44 49 43 45 40 00 00 00 08 00 00 00 4E ..MDICE@.......N
    00000170 1D 05 7A 6D 03 00 00 00 00 00 00 00 00 00 00 00 ..zm............
    Last edited by katmeef; 2010-04-25 at 02:18 PM. Reason: Automerged Doublepost

  2. #122
    Ahhh you are missing one step in the middle... that is what i thought...

    U need to translate the coded "Garbage" into hex, this is where a base-64 decoder comes in handy. There are a lot of them out there online even.

    I use this one personally ... Base64 Online - base64 decode and encode

  3. #123
    iPhone? More like MyPhone katmeef's Avatar

    ^^^ see my edit to my last post, found a tool in OSX to do it, but it automerged posts

  4. #124
    Great, so now we need to compare the blobs from the different SHSH files and see what differences there are, i know that the ECID will be the same, also there is a reference to the apple public key which should be the same. Now what else is there we can use ?

  5. #125
    iPhone? More like MyPhone katmeef's Avatar

    well, just modified a 3.1.2 shsh blob after converting it to bin1.
    searched for the original reversed ECID in hexedit, and replaced it with my reversed ECID.
    I found and replaced 20 instances.
    then converted back to xml1

    but same behaviour as before; itunes is accepting it, trying to start the upgrade, and is hanging at 'preparing iphone for restore'. the phone is just sitting with connect to itunes on it.

    so yup, we need to know what else changes in those first 5 lines. i think there might be something useful over on the iphone wiki regarding the public key...

  6. #126
    I don't know if this helps anyone, but all the blobs from my SHSH file for 3.1.3 are exactly the same except for the bytes from Offset 0x4C (76 decimal) to 0xCB (203 decimal). This is exactly 128 bytes which is another magic number in the realm of encryption. So I am sure this is some encrypted info which if we can decrypt will solve everyone's problem.
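As an added example (not code from the thread or from any of its posters), here is a Python parser for the tag layout visible in the hex dump earlier in this page: each tag is a byte-reversed 4-character name, a little-endian total length, a little-endian data length, then the data, zero padded. It runs on a blob constructed to match that layout with the ECID quoted in the thread, reads the ECID back from its little-endian bytes (which is why it looks byte-reversed in a hex editor), and reports which byte ranges differ between two such blobs; the 128-byte field of the tag named SHSH lands at 0x4C..0xCB, exactly the range noted above.

```python
import base64
import struct

# Constructed sample: an ECID tag, an SHSH tag and a CERT tag laid out like the
# img3 tags in the thread's hex dump. The ECID is the one quoted in the thread;
# the 128-byte field and the CERT body are made-up filler, not real signatures.
ECID = 0x0000036D7A051D4E

def build_tag(name, data, total=None):
    """Tag = byte-reversed 4-char name, LE total length, LE data length, data, zero pad."""
    total = total or 12 + len(data)
    body = name[::-1].encode() + struct.pack("<II", total, len(data)) + data
    return body.ljust(total, b"\x00")

def constructed_blob(signature=bytes(range(128))):
    """Base64 text as it would sit inside the plist <data> element."""
    ecid_tag = build_tag("ECID", struct.pack("<Q", ECID), total=0x40)
    shsh_tag = build_tag("SHSH", signature)
    cert_tag = build_tag("CERT", b"constructed certificate placeholder")
    return base64.b64encode(ecid_tag + shsh_tag + cert_tag).decode()

def parse_tags(b64_blob):
    """Return [(name, data_offset, data)] per tag; forum line wrapping is ignored."""
    raw = base64.b64decode(b64_blob)  # non-alphabet chars (spaces, newlines) are dropped
    tags, off = [], 0
    while off + 12 <= len(raw):
        name = raw[off:off + 4][::-1].decode("ascii")
        total, length = struct.unpack_from("<II", raw, off + 4)
        tags.append((name, off + 12, raw[off + 12:off + 12 + length]))
        off += total
    return tags

def find_ecid(b64_blob):
    """The ECID is stored little-endian, hence the byte-reversed look in a hex editor."""
    for name, _, data in parse_tags(b64_blob):
        if name == "ECID":
            return struct.unpack("<Q", data)[0]
    return None

def differing_ranges(b64_a, b64_b):
    """Inclusive (start, end) byte ranges where two decoded blobs differ."""
    a, b = base64.b64decode(b64_a), base64.b64decode(b64_b)
    n, ranges, start = max(len(a), len(b)), [], None
    for i in range(n + 1):  # i == n flushes a range still open at the end
        same = i < len(a) and i < len(b) and a[i] == b[i]
        if i < n and not same and start is None:
            start = i
        elif (same or i == n) and start is not None:
            ranges.append((start, i - 1))
            start = None
    return ranges
```

Feed parse_tags the text between the <data> tags of a real .shsh file (no plutil conversion needed, since the base64 text is what gets decoded) to list its tags, offsets and field sizes.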

  7. #127
    iPhone? More like MyPhone katmeef's Avatar

    does this help pheroah
    CERT - The iPhone Wiki

  8. #128
    Since you have both 3.1.3 and 3.1.2 can you confirm that the AppleLogo blob is identical in both or not ?

  9. #129
    iPhone? More like MyPhone katmeef's Avatar

    you can get the sample of 3.1.3 and 3.1.2 directly from saurik's server. do you have FWumbrella downloaded? ill pm you an ECID that works to pull both 3.1.2 and 3.1.3 keys from his server.

    Quote Originally Posted by pheroah View Post
    Since you have both 3.1.3 and 3.1.2 can you confirm that the AppleLogo blob is identical in both or not ?
    diff while in xml format of the applelogo blob has everything from the 6th line to the end of the blob as the same.

    can't opendiff if they are converted to binary, but can see stuff about Apple certification authority in hexedit further down in the blobs.

    if you want i can email you 3.1.2 and 3.1.3 blobs from the same 3gs, in both xml and binary format.
    or ill pm u the ECID and you can get them through FWumbrella.
    Last edited by katmeef; 2010-04-25 at 03:35 PM. Reason: Automerged Doublepost

  10. #130

  11. #131
    iPhone? More like MyPhone katmeef's Avatar

    maybe we won't have to wait much longer!!!!
    from iH8sn0w on twitter: "LOL! @geohot -- http://limera1n.com | AND!!! // Limera1n.com - Limera 1 n | LMFAO!"

    and it resolves to same IP as blackra1n!!

    katmeefMBP:~ katmeef$ ping blackra1n.com
    PING blackra1n.com (74.220.215.72): 56 data bytes
    64 bytes from 74.220.215.72: icmp_seq=0 ttl=53 time=111.775 ms
    ^C
    --- blackra1n.com ping statistics ---
    1 packets transmitted, 1 packets received, 0.0% packet loss
    round-trip min/avg/max/stddev = 111.775/111.775/111.775/0.000 ms
    katmeefMBP:~ katmeef$ ping limera1n.com
    PING limera1n.com (74.220.215.72): 56 data bytes
    64 bytes from 74.220.215.72: icmp_seq=0 ttl=53 time=173.012 ms
    ^C
    --- limera1n.com ping statistics ---
    1 packets transmitted, 1 packets received, 0.0% packet loss
    round-trip min/avg/max/stddev = 173.012/173.012/173.012/0.000 ms
    katmeefMBP:~ katmeef$

  12. #132
    Retired Moderator z3r01's Avatar
    Join Date
    Jul 2007
    Location
    Brooklyn
    Posts
    5,697
    Thanks
    83
    Thanked 886 Times in 557 Posts

    wow what the hell is all of that lmao at first i doubted this thread but what a fool was i

  13. #133
    possible an avoid for Apple's Softwarecheck? - iPod touch, iPhone, and iPad forum - Multi-Touch Fans (http://www.ipodtouchfans.com/forums/showthread.php?t=286551)
    check this out, I think you guys might collaborate and come up with something

  14. #134
    another possibility i THINK is figuring out what apple look for in the shsh file to say "yeh that's the correct firmware".. if someone can crack that then maybe we can create a local server and redirect the host file to that to sign the 3.1.2 firmware ourself... maybe? if possible just a suggestion

  15. #135
    Totally Off Course !!!
    Quote Originally Posted by latner View Post
    possible an avoid for Apple's Softwarecheck? - iPod touch, iPhone, and iPad forum - Multi-Touch Fans
    check this out, I think you guys might collaborate and come up with something
    Thanks for the link, but these guys are completely going in the wrong direction, they think that the hex code is actually commands to the phone, or at least it is readable in that format.

    They need to read a little about PKI and how signing of information works. The SHSH file is simply a signed hash for each of the files that are in the firmware to be installed. All we need is to crack the key for our phones and hey presto, we will have the ability to sign our own files, but this is of course easier said than done.

    @Jezzy85...

    That has already been figured out ... The process is simple...

    1- You Download a firmware from Apple
    2- The firmware consists of files that will be written to your device
    3- iTunes takes your ECID from your phone and sends it to Apple
    4- Apple sends back the magic SHSH files for the firmware which consist of the following...
    - Each of the files in 2 is probably hashed and signed with your public key
    - A plain partial hash of the same file (I need to confirm this)
    5- Your phone then checks these hashes against the files before it accepts them into its folders
    6- If the hash matches the file, it is written, if not it fails.
    Last edited by pheroah; 2010-04-26 at 11:35 AM. Reason: Automerged Doublepost

  16. #136
    iPhone? More like MyPhone katmeef's Avatar

    Quote Originally Posted by pheroah View Post
    Thanks for the link, but these guys are completely going in the wrong direction, they think that the hex code is actually commands to the phone, or at least it is readable in that format.

    They need to read a little about PKI and how signing of information works. The SHSH file is simply a signed hash for each of the files that are in the firmware to be installed. All we need is to crack the key for our phones and hey presto, we will have the ability to sign our own files, but this is of course easier said than done.
    'these guys' >> I stumbled across that wiki page on Geohot's blog, I believe much of what is there is by him or the dev-team

    i'm pretty sure the phone has a built in aes engine that can be accessed on a jailbroken device. We may need to wait until we get jailbreaks to figure more out.... once we have access to said engine, perhaps we can develop a tool to create 3.1.2 shsh based on a template.

    AES Keys - The iPhone Wiki
    Last edited by katmeef; 2010-04-26 at 01:55 PM.

  17. #137
    Quote Originally Posted by katmeef View Post
    'these guys' >> I stumbled across that wiki page on Geohot's blog, I believe much of what is there is by him or the dev-team
    Katmeef...I don't believe you, I think you just love attacking me, read my post, I wasn't even talking about your link I was talking about the link posted by "latner".

    Please....Count to 10 before you start writing these sarcastic messages.

  18. #138
    iPhone? More like MyPhone katmeef's Avatar

    i thought you were talking bout the link i put, sorry .. that's what i get for posting first thing when i wake up ;P

    on a more productive note, have you found anything useful on the iphone wiki which might shed some light on our decryption efforts?

  19. #139
    Retired Moderator z3r01's Avatar

    every time i refresh the new posts and see this thread ur the last comment katmeef lol

  20. #140
    iPhoneaholic Cid6.7's Avatar
    Join Date
    Feb 2010
    Location
    The Hive Racoon City
    Posts
    420
    Thanks
    48
    Thanked 19 Times in 18 Posts

    Geo posted some keys for OS 4.0 has anyone tried using these to decrypt anything..?
