

Thread: Let's put our minds together on this 3GS 3.1.3 New Bootrom Issue

  1. #141
    iPhone? More like MyPhone katmeef's Avatar
    Join Date
    Mar 2010
    Location
    Hamilton, ON
    Posts
    265
    Thanks
    14
    Thanked 19 Times in 12 Posts

    z3r01, that's because I think I've developed clinical OCD since I purchased my iPhone...

  2. #142
    Retired Moderator z3r01's Avatar
    Join Date
    Jul 2007
    Location
    Brooklyn
    Posts
    5,697
    Thanks
    83
    Thanked 886 Times in 557 Posts

    Quote Originally Posted by Cid6.7 View Post
    Geo posted some keys for OS 4.0 has anyone tried using these to decrypt anything..?
    not the keys that they need

    Quote Originally Posted by katmeef View Post
    z3r01, that's because I think I've developed clinical OCD since I purchased my iPhone...
    lmao
    Last edited by z3r01; 2010-04-26 at 04:11 PM. Reason: Automerged Doublepost

  3. #143
    OK, been pounding my head on this; don't know if you guys already know this.

    Each SHSH file has 20 blobs that Apple signs.

    1. APPLE LOGO
    2. BATTERY CHARGING
    3. BATTERY CHARGING0
    4. BATTERY CHARGING1
    5. BATTERYFULL
    6. BATTERY LOW0
    7. BATTERY LOW1
    8. BATTERY PLUGIN
    9. DEVICE TREE
    10. KERNELCACHE
    11. LLB
    12. NEEDSERVICE
    13. RECOVERYMODE
    14. RESTORE DEVICE TREE
    15. RESTORE KERNEL CACHE
    16. RESTORE LOGO
    17. RESTORE RAMDISK
    18. IBEC
    19. IBSS
    20. IBOOT

    OK, each blob contains the ECID, which we know is in the 1st line backwards.

    I've edited a 3.1.2 SHSH file (someone else's) to have my ECID in it. Tried to downgrade and it gives me error 1600, so that's a no go.

    Apple must identify the iPhone other than just by the ECID....

    i found this in a log file too


    <key>@HostIpAddress</key>
    <string>192.168.0.104</string>
    <key>@HostPlatformInfo</key>
    <string>mac</string>
    <key>@Locality</key>
    <string>en_US</string>
    <key>@VersionInfo</key>
    <string>3.8</string>
    <key>ApBoardID</key>
    <integer>0</integer>
    <key>ApChipID</key>
    <integer>35104</integer>
    <key>ApECID</key>
    <integer>819701634447</integer>
    <key>ApProductionMode</key>
    <true/>
    <key>ApSecurityDomain</key>
    <integer>1</integer>
    <key>UniqueBuildID</key>
    <data>
    c/k920SerVI7eWej+fDG1nteIW4=
    </data>
    <key>iBEC</key>
    <dict>

    Partial Digest doesn't include ECID... so what is it exactly?

    I really want to figure this out; any other suggestions?

    We need to figure out what else is in that SHSH file unique to the device... that's all we need I guess?

    P.S. Don't flame me, I'm new to this game so I'm just trying.

  4. #144
    I tried to decrypt the iBSS file from 3.1.2 that I thought I had gotten signed. When I decrypt it, it just looks like a bunch of garbage at the top and then in English it looks like a bunch of errors; I can't find a blob anywhere in there. I was going to try to open the file and take the part of the blob we are looking for (5 lines after the ECID) and then paste it into the custom SHSH file. If I could find out how to get the blob from the file I thought I got signed I would try this. If anyone knows where to find a blob in any of the files in the firmware after they get signed I would appreciate any help. I feel like I'm almost there if I could just find the blob in any firmware file after it gets properly signed.

    Thanks for any help or insight.

  5. #145
    @Jeezy85: Good work, this is similar to what I found too.

    The downgrade wouldn't work for you because the blobs are still signed with a different key than the one on your phone. So you need to find the key that you can sign with in order to get the blobs resigned correctly.

    Which is what everyone is trying to achieve.

    Now, I need to go read up on this iBESS and iBEC since I think those have some important info with regards to signing, I also want to know if anyone has found information somewhere about the IV hashes that the developers keep talking about, how can they be used in the encryption/signing process?

    @MRSweet, you can not do what you are trying. If you already have a 3.1.2 SHSH file then you are good to go; if you have one that is not signed for your phone, it is useless unless you can decrypt the "garbage" that you can see, which is actually information about the files to be flashed, encrypted in probably SSH-128 from what I have read on the iphonedev wiki.

  6. #146
    The problem is that the partial digest is somehow the checksum (SHA-1) of the corresponding file (e.g. applelogo). Apple will sign it with a public RSA key. That's the blob in your SHSH file. Your ECID is in the SHSH, but seems to be not important. The important part is the 128 bytes. In your iPhone/iPod you have a unique private RSA key which decrypts the 128 bytes. If you modify the original files (iBEC, iBSS, etc.) the checksum is no longer the same, and on the other hand you need the private key to decrypt the 128 bytes. I tried to find anything in these 128 bytes: I received a hundred SHSH files and extracted (Base64) the 128 bytes. I put them into an Excel sheet, but couldn't find anything. As long as we don't have the private key or know how Apple is encrypting the SHSH we can't do anything. Only an exploit which bypasses the check in the iPhone will work. Maybe someone here is an expert on RSA and can help.
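    The two posts above (#143 and #146) describe the check that a signed blob enforces: a digest of the firmware component is signed, the device verifies it with a public key, and editing either the component or the blob breaks the check. The following is an added illustration of that mechanism, not code from the thread or from Apple. The key pair, the "firmware image" bytes and the blob layout are all constructed for the example; it uses textbook RSA over a SHA-1 digest with two small Mersenne primes so it runs offline with the Python standard library only, and it does not reproduce Apple's real key sizes, padding or SHSH format.

    ```python
    """Added example (not from the thread): why a signed blob cannot be
    re-targeted or patched without the signer's private key.

    Toy RSA over a SHA-1 "partial digest". All parameters are constructed
    for illustration and do not describe Apple's real signing scheme."""
    import hashlib

    # Constructed key pair: two Mersenne primes, so the example is deterministic
    # and needs no external library. Real signing keys are far larger.
    P = (1 << 127) - 1
    Q = (1 << 107) - 1
    N = P * Q
    E = 65537                                  # public exponent
    D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent (Python >= 3.8)
    BLOB_LEN = (N.bit_length() + 7) // 8       # size of one signature blob


    def partial_digest(image: bytes) -> int:
        """SHA-1 of the component being signed (e.g. an iBEC image), as an int.
        160 bits, so it always fits below the modulus N."""
        return int.from_bytes(hashlib.sha1(image).digest(), "big")


    def sign(image: bytes, d: int = D) -> bytes:
        """Signer side: only whoever holds the private exponent d can do this."""
        return pow(partial_digest(image), d, N).to_bytes(BLOB_LEN, "big")


    def verify(image: bytes, blob: bytes, e: int = E, n: int = N) -> bool:
        """Device side: needs only the public key (e, n) burned into the device.
        Recovers the digest from the blob and compares it with a fresh digest
        of the image actually being flashed."""
        recovered = pow(int.from_bytes(blob, "big"), e, n)
        return recovered == partial_digest(image)


    def demo() -> tuple:
        """Three cases a practitioner would check. Returns
        (original accepted, patched image accepted, forged blob accepted)."""
        # Constructed stand-in for a firmware component.
        image = b"constructed iBEC image bytes, version 3.1.2"
        blob = sign(image)

        ok_original = verify(image, blob)          # untouched image and blob
        ok_modified = verify(image + b"\x00", blob)  # patched image: digest differs
        # Someone holding only the public key tries to "sign" with e instead of d.
        forged = pow(partial_digest(image), E, N).to_bytes(BLOB_LEN, "big")
        ok_forged = verify(image, forged)
        return ok_original, ok_modified, ok_forged


    if __name__ == "__main__":
        print(demo())  # expected: (True, False, False)
    ```

    The point of the three cases: the device accepts only the combination of the exact image and a blob produced with the private key, so neither editing the blob's surrounding metadata, patching the component, nor "signing" with the public key gets past `verify`. The real check differs in key length, padding and what exactly is hashed, but the trust relationship is the same.
    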

  7. #147
    katmeef

    ^^ I think we need access to the hardware AES engine in the phone before we can figure the rest out. Hopefully 'spirit' will give us the ability to do so (but not sure since it's userland... but it is untethered so I guess we'll have to wait and see).

  8. #148
    Well, if we can have at least that public key pair from somewhere, we are closer to solving the issue, since we can at least try to crack it, and there have been many published methods for cracking the keys.

    I don't think anyone has tried to crack these keys, and I do not think Apple is looking at a long key for the phones otherwise the processing on the phone would be huge.

  9. #149
    katmeef

    ^^^ Public keys are contained within the phone's AES co-processor; we can access them when / if we get access to the AES engine.

    But the more I think of it... I don't think it will work... even if we get the public key and can see what's in those 5 encrypted lines, and even if we figure out what information to swap in there.... we won't have the private key to re-encrypt it in a way so that the phone's public key can decrypt our modified information....

    edit: as for CPU usage if Apple used a very hard key; since the phone has a built-in AES co-processor, I don't think the load on the main processor due to decryption would be all that bad. It's like when I tossed the crypto module into my router - no more CPU spike when firing up the VPN.

    edit2: and our progress so far fooling iTunes - not really progress. I loaded up someone else's 3.1.2 SHSH in TinyTSS (didn't swap my ECID in) and iTunes STILL tried to flash it to the phone, failing in the same spot with the same error as when I used my SHSH with an edited ECID.

    edit3: none of this post is an attack. I know sometimes I come across harsh but this is just me.
    Last edited by katmeef; 2010-04-29 at 12:41 PM. Reason: Automerged Doublepost

  10. #150
    z3r01

    What if we get the keymaker from The Matrix? Can that work? I think he's the superintendent of my building.

  11. #151
    katmeef

    Quote Originally Posted by z3r01 View Post
    What if we get the keymaker from The Matrix? Can that work? I think he's the superintendent of my building.
    LOL if not him, maybe the keymaster and gatekeeper from ghostbusters can whip it together?

  12. #152
    z3r01

    haaaaa, rick moranis and S.Weaver lol

  13. #153
    @katmeef... No, your post is good.

    Now, for your comments. If we can get the keys, we can try to run attacks to be able to find the private key from the public key. This is really simple mathematics, nothing fancy, but it takes time, and it depends on the key lengths. Anyway, this needs research, and maybe the AES processor can help; if it takes some code and decrypts it, maybe we can find a way of using that in our favor.

    On the other front, see my original comments. If the phone is doing the decryption, then iTunes is just a middle-man and cannot do anything to help us; bypassing it will also not help us. We need the blobs encrypted with our own keys so that the phone can accept them.

    @Z3r01 -- Are you sure he doesn't work for apple :P

  14. #154
    z3r01

    Here are some blobs.


  15. #155
    katmeef

    @pheroah Hopefully we can get the keys after the Spirit jailbreak drops, but I'm not sure if a userland jailbreak will gain us access to the AES engine.

    I don't understand the mathematics of reverse engineering a private key from the public (I didn't think this was possible) but am open to giving it a try with your assistance.

    @z3r01 classic

  16. #156
    twitpic.com/1jpb5y This is the root crt I found after I decrypted the 3.1.3 blob. This is what the iPhone checks itself against in order to see if it can be restored. This is saying that 3.1.2 stopped being signed on the effective date, and I think it means that 3.1.3 will stop being signed on July 3 2012, which means 4.0 will come out on that day or a few days before.

  17. #157
    iPhoneaholic Cid6.7's Avatar
    Join Date
    Feb 2010
    Location
    The Hive Racoon City
    Posts
    420
    Thanks
    48
    Thanked 19 Times in 18 Posts

    What, that's another 2 years away? lol

  18. #158
    I meant 2010, idk, I keep typing 2012 on accident lol, sorry :P

  19. #159
    2012 is a typo, I am sure... the root certificate says 2010. I have had the certificate for a long time; btw, they can just issue a new one. This doesn't mean that they have to issue 4.0 on that date, just that this certificate will no longer work, and they could issue another one that signs both 3.1.3 and 4.0.

  20. #160
    Quote Originally Posted by Mosso View Post
    That's why it already is done.

    But 95% of the people who want a jailbreak don't know a ****, like that guy who would recommend Olly, or the other guy who would recommend Cheat Engine, I mean seriously...
    Use Cheat Engine to make a speed hack so you will get a 4.0 OS .. xD
