3.0 Jailbreaking Summary

Discussion in 'iPod touch Firmware 3.0 Jailbreak' started by Exosion, Mar 21, 2009.

  1. Exosion

    Exosion Member

    Joined:
    Nov 4, 2007
    Messages:
    843
    Likes Received:
    7
    Device:
    iPhone 5 (Black)
    I've seen a lot of questions floating around and I want to try to help clear some of that up.

    The new 3.0 firmware brought some changes on the backside of things. First of all, the img3 files (iBoot, custom logos, etc.) aren't encrypted anymore. That's a big bonus. However, the root file system (rootfs, it's the 200MB dmg file in the firmware) is encrypted with new keys and IVs. Each firmware previous to 3.0 had an identical ASR (Apple Software Restore), which is a file that contained all the keys and IVs of the files in plain text. This file was used by iTunes when you went to restore/update to a firmware, and the dev team used it to get the keys and IVs. Now in 3.0, Apple has decided to get all sneaky on us and basically encode those keys and IVs in the ASR. iTunes 8.1 was updated with the ability to decode this new ASR and retrieve the keys and IVs when you restore. The dev team must find a way to decode the ASR (most likely by reversing the ARM) so they can obtain the keys and IVs. Once the keys and IVs are found for the rootfs, then the jailbreak is simple, and no different than any other firmware.
  2. jfb392

    jfb392 New Member

    Joined:
    Oct 20, 2007
    Messages:
    2,512
    Likes Received:
    21
    Device:
    iPod touch
    This is partially correct.
    The only key that ASR contains is the RootFS FileVault (decryption) key.
    This image (in the past, anyway) only has a key and a null IV value.

    The key/IV pair for each image is located in the KBAG section of the Img3 container though, and the decrypted value isn't stored anywhere in the firmware.
    The pair is decrypted by the hardware AES engine using the GID-key and is then used to decrypt the image.

    It is true though that the FileVault key is no longer stored as plain-text; although I'm sure iTunes 8.1 knows nothing about this.
    Important data is no longer exchanged with iTunes, since that leads to vulnerabilities.
    I assume everything is done on-device by asr and restored.

    Also, another thing that I'd like to point out: I assume image encryption will return soon.
    For now though, I don't think Apple cares about encrypting their images.
    Yes, it is weird, but I'm sure it will return.

    Oh, and another annoying thing (that I didn't expect would work anyways); 3.x doesn't like the 2.x kernel and may actually dislike any image with the TYPE Img3 section.
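As an added example (not code from this thread or from any of its posters), a small Python parser for the Img3 layout jfb392 describes above: it walks the container's tags and reports the TYPE tag and the KBAG's GID-wrapped IV/key pair, which can only be listed here, not decrypted, since the GID key never leaves the hardware AES engine. The tag layout follows the publicly documented Img3 format, and the sample container is constructed inline.

```python
import struct

def _fourcc(raw: bytes) -> str:
    # Img3 four-character codes are stored byte-reversed on disk ("3gmI" for "Img3")
    return raw[::-1].decode("ascii")

def parse_img3(blob: bytes) -> dict:
    """Walk an Img3 container: 20-byte header, then a chain of (magic, totalLen, dataLen, data) tags."""
    magic, full_size, _size_no_pack, _sig_check_area, ident = struct.unpack_from("<4sIII4s", blob, 0)
    if _fourcc(magic) != "Img3" or full_size != len(blob):
        raise ValueError("not a well-formed Img3 container")
    tags, off = [], 20
    while off + 12 <= full_size:
        tmagic, total_len, data_len = struct.unpack_from("<4sII", blob, off)
        # Bounds checks: a hostile tag must not be able to walk past the blob or its own tag
        if total_len < 12 or off + total_len > full_size or data_len > total_len - 12:
            raise ValueError(f"malformed tag at offset {off:#x}")
        tags.append((_fourcc(tmagic), blob[off + 12: off + 12 + data_len]))
        off += total_len
    return {"ident": _fourcc(ident), "tags": tags}

def parse_kbag(data: bytes) -> dict:
    """Decode a KBAG payload: cryptState, AES key size, then the GID-encrypted IV and key."""
    crypt_state, aes_type = struct.unpack_from("<II", data, 0)
    key_len = aes_type // 8
    if crypt_state not in (1, 2) or aes_type not in (128, 192, 256) or len(data) < 24 + key_len:
        raise ValueError("malformed KBAG")
    return {"state": {1: "production", 2: "development"}[crypt_state], "aes_bits": aes_type,
            "enc_iv": data[8:24].hex(), "enc_key": data[24:24 + key_len].hex()}

def summarize(blob: bytes) -> dict:
    """Report ident, tag order, the TYPE tag (if any) and every KBAG found."""
    img = parse_img3(blob)
    out = {"ident": img["ident"], "tags": [m for m, _ in img["tags"]], "kbags": []}
    for magic, data in img["tags"]:
        if magic == "TYPE":
            out["type"] = _fourcc(data)      # TYPE payload is itself a reversed fourcc
        elif magic == "KBAG":
            out["kbags"].append(parse_kbag(data))
    return out

def _tag(magic: str, data: bytes) -> bytes:
    pad = (-len(data)) % 4
    return magic.encode()[::-1] + struct.pack("<II", 12 + len(data) + pad, len(data)) + data + b"\0" * pad

def build_sample() -> bytes:
    """Constructed sample (not a real Apple image): a 'logo' container with TYPE, DATA and a 128-bit KBAG."""
    kbag = struct.pack("<II", 1, 128) + bytes(range(16)) + bytes(range(16, 32))
    body = _tag("TYPE", b"logo"[::-1]) + _tag("DATA", b"\xaa" * 16) + _tag("KBAG", kbag)
    full = 20 + len(body)
    return b"Img3"[::-1] + struct.pack("<III", full, full - 20, len(body)) + b"logo"[::-1] + body
```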
  3. Gitykins

    Gitykins Banned

    Joined:
    May 16, 2008
    Messages:
    3,760
    Likes Received:
    1
    iTunes isn't doing any work anymore, which means we can't dump the temporary folder to find the key, which makes it even harder to find the RootFS key, adding to the fact that it's not there in plain writing like it used to be.

    Meh, I'm sure dev team will have a field day with this and find it in an hour of trying.

    ed: ugh jfb
  4. jfb392

    jfb392 New Member

    Joined:
    Oct 20, 2007
    Messages:
    2,512
    Likes Received:
    21
    Device:
    iPod touch
    Haha, sorry Gitykins.

    I tried repacking images into new Img3 containers and it looks like 3.0 still doesn't like that, so I guess it's time to patch the actual files.
    I put it off for so long because I'm lazy and I hate the clutter of files I end up with.
