Difference between revisions of "Firmware decryption"

From freemyipod.org
Jump to: navigation, search
(Prerequisites)
Line 29: Line 29:
 
Next, you need ActivePython (http://www.activestate.com/activepython) or another Python distribution for Windows. You can get ActivePython's latest version at: http://www.activestate.com/activepython/downloads
 
Next, you need ActivePython (http://www.activestate.com/activepython) or another Python distribution for Windows. You can get ActivePython's latest version at: http://www.activestate.com/activepython/downloads
  
You also need pyUSB (http://pyusb.sourceforge.net/) - a Python module that provides command for communicating with USB devices. Its download page is: http://sourceforge.net/projects/pyusb/files/ (newer versions) or http://developer.berlios.de/project/showfiles.php?group_id=4354 (another mirror). The 0.x branch is compatible with the libusb version included TheSeven's iBugger driver.
+
You also need [http://pyusb.sourceforge.net/ pyUSB] - a Python module for communicating with USB devices. Its download page is: You can get it from the [http://sourceforge.net/projects/pyusb/files/ download page] or [http://developer.berlios.de/project/showfiles.php?group_id=4354 another mirror]. The 0.x branch is compatible with the libusb version included TheSeven's iBugger driver.
  
Important note:
+
'''Important note''': If you are using Windows Vista/7, you'll need the signed (1.2.x) version of libusb-win32. Otherwise the driver will install (after confirmation that it is unsigned), but it will not load unless you disable driver signature check, which is not recommended.
If you are using Windows Vista/7, you'll need the signed (1.2.x) version of libusb-win32. Otherwise the driver will install (after confirmation that it is unsigned), but it will not load unless you disable driver signature check, which is not recommended.
 
  
 
To use the 1.2.x version, you need to extract in the folder where you extracted the iBugger driver, then overwrite the .dll and .sys with the ones in 1.2.x package. Installing the driver then is as usual.
 
To use the 1.2.x version, you need to extract in the folder where you extracted the iBugger driver, then overwrite the .dll and .sys with the ones in 1.2.x package. Installing the driver then is as usual.
  
Important note 2:
+
'''Important note 2''': You may need to kill iTunes's iPod service if you have iTunes installed, and to uninstall the iPod drivers that iTunes installed, before following the above instructions
You may need to kill iTunes's iPod service if you have iTunes installed, and to uninstall the iPod drivers that iTunes installed, before following the above instructions
 
 
===Linux===
 
===Linux===
 
Python is usually included in most distributions, so you don't need to worry about installing it. If you have easy_install, you can install pyUSB with:
 
Python is usually included in most distributions, so you don't need to worry about installing it. If you have easy_install, you can install pyUSB with:
 
+
<pre>
 
easy_install install pyusb
 
easy_install install pyusb
 
+
</pre>
 
Otherwise, you need to download it and install it manually as in the Windows instructions.
 
Otherwise, you need to download it and install it manually as in the Windows instructions.
  
Line 48: Line 46:
 
===Mac OS X===
 
===Mac OS X===
 
(to be added later)
 
(to be added later)
 +
 
==Helpful pages==
 
==Helpful pages==
 
http://ipodlinux.org/wiki/Flash_Decryption
 
http://ipodlinux.org/wiki/Flash_Decryption

Revision as of 02:48, 3 August 2010

Background

Encrypting the firmware started with the release of iPod 4G. Only the AUPD part is encrypted, it uses RC4 encryption and the key is contained within the firmware. The iPodLinux project has more information about understanding and decrypting it: http://ipodlinux.org/wiki/Flash_Decryption

Starting with Nano 2G, the encryption method changed. The best guess so far is that the encryption is AES-CBC with 128-bit blocks and a 128-bit key. The key isn't found yet, but it is not needed to decrypt the firmware.

After discovering the notes exploit, it became possible to upload and execute custom code on the ipods. TheSeven wrote an utility (ipodcrypt.py), which allows decrypting parts of the firmware using the iPod's crypto engine. The utility is being loaded via iBugger in the iPod's memory, then the encrypted data is being send. After the decryption process completes, the decrypted data is downloaded.

ipodcrypt

The ipodcrypt utility has the following features:

for Nano 2G:

  • encrypt/decrypt DFU image
  • encrypt/decrypt firmware file contents
  • encrypt/decrypt dump of NOR flash's contents

for Nano 4G:

  • decrypt firmware file contents

The process of decrypting is taking part on the iPod itself, so you must have a compatible device in order to use the utility. Also, you must run the iBugger utility on the device before using ipodcrypt.

You can find both utilities in the development snapshot, which is located on the iLoader homepage: http://the-seven.tk/ipod/iloader/sourcecode.php

In order to run these utilities, you will need the Python interpreter installed, the pyUSB module and libusb. It is possible to run the utilities on both Windows and Linux.

Prerequisites

Windows

First you need TheSeven's iBugger USB driver (http://l4n.clustur.com/data/theseven/releases/iBugger%20Windows%20Driver.7z). It uses libusb-win32 1.1.x. (see notes below)

Next, you need ActivePython (http://www.activestate.com/activepython) or another Python distribution for Windows. You can get ActivePython's latest version at: http://www.activestate.com/activepython/downloads

You also need pyUSB - a Python module for communicating with USB devices. Its download page is: You can get it from the download page or another mirror. The 0.x branch is compatible with the libusb version included TheSeven's iBugger driver.

Important note: If you are using Windows Vista/7, you'll need the signed (1.2.x) version of libusb-win32. Otherwise the driver will install (after confirmation that it is unsigned), but it will not load unless you disable driver signature check, which is not recommended.

To use the 1.2.x version, you need to extract in the folder where you extracted the iBugger driver, then overwrite the .dll and .sys with the ones in 1.2.x package. Installing the driver then is as usual.

Important note 2: You may need to kill iTunes's iPod service if you have iTunes installed, and to uninstall the iPod drivers that iTunes installed, before following the above instructions

Linux

Python is usually included in most distributions, so you don't need to worry about installing it. If you have easy_install, you can install pyUSB with:

easy_install install pyusb

Otherwise, you need to download it and install it manually as in the Windows instructions.

To install libusb, you need to use your distribution's package management utility and look for libusb, then install it.

Mac OS X

(to be added later)

Helpful pages

http://ipodlinux.org/wiki/Flash_Decryption

http://home.gna.org/linux4nano/download/crypto_synth-1.0.pdf

http://code.google.com/p/iphone-elite/w/list

http://code.google.com/p/chronicdev/w/list

http://wikee.iphwn.org/

http://iphonejtag.blogspot.com/