iPhone OS Restore Image (93MB)




MacRumors
Jun 30, 2007, 08:30 PM

Inventive users can download the iPhone 1A543a restore image (93MB) (http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-3538.20070629.B7vXa/iPhone1,1_1.0_1A543a_Restore.ipsw) from Apple.

The link was discovered through iTunes 7.3, which offers users the capability to restore their iPhone to factory default settings. The resultant .zip file provides a Firmware folder and two DMGs (one password protected).

There have been some ongoing efforts to unlock the Apple iPhone, but no documented success. According to one blogger (http://tnkgrl.wordpress.com/2007/06/30/unboxing-the-apple-iphone/), the Apple iPhone becomes locked to the SIM which you use to activate it (photo (http://flickr.com/photos/tnkgrl/668687038/)), but the iPhone's SIM can successfully be used in another AT&T phone.



diehardmacfan
Jun 30, 2007, 10:13 PM
I think Apple removed this from their website. When I click on the link it says that it can't be found on their server and then it suggests another document, which is the OS, but I can't get to that either. I hope whoever has the image saved will try to hack it and work their way to unlocking it ;)

arn
Jun 30, 2007, 10:15 PM
I think Apple removed this from their website. When I click on the link it says that it can't be found on their server and then it suggests another document, which is the OS, but I can't get to that either. I hope whoever has the image saved will try to hack it and work their way to unlocking it ;)

I fixed the link.

arn

deannnnn
Jun 30, 2007, 11:55 PM
Referring to the picture from Flickr,
What happens when you press 'Dismiss'?
Does it let you use the iPod or data through Wifi?

diehardmacfan
Jul 1, 2007, 11:11 AM
Referring to the picture from Flickr,
What happens when you press 'Dismiss'?
Does it let you use the iPod or data through Wifi?

Yeah, will someone please try that?

from the picture it looks like that would work. If so, then one would have to activate the phone with the sim card, then take it out, and put in a different sim card, and cancel the service with AT&T. Then one would be able to use all the features besides the phone for the cost of the $36 activation fee plus another sim card.

Someone please try this with an iphone.

P.S. Is it possible to boot from this image on a computer just like people booted from the Apple TV image on their computers?

Billy Boo Bob
Jul 1, 2007, 12:30 PM
P.S. Is it possible to boot from this image on a computer just like people booted from the Apple TV image on their computers?

I really, really doubt it. The phone's OS is compiled to run on ARM processors, not Intels, for starters.

Now an emulation layer may show up someday so you can run the phone's OS inside a window. That would be fun, even if not really useful.

nattyD
Jul 1, 2007, 09:32 PM
This is an interesting discovery! Not only do we now have the OS of the iPhone, it includes some additional information. One major point being that the iPhone contains a preset RAM image. Which is... weird.

DMG: 694-5259-38.dmg
Contains: RAM image. Along with most instructions for the iPhone (try opening it with a hex editor and you will see what I mean).
Notes: This 'disk image' has the right extension but the data inside has been stored in a way that has an unusual format and Disk Utility can't mount it because of this. I have tried other utilities for mounting the image and repairing it etc. Nothing so far has worked. :(

DMG: 694-5262-39.dmg
Contains: The OS (which is a stripped down version of Leopard) and the extensions/modifications needed to use features of the iPhone.
Notes: This disk image is in the right format and can be mounted. Unfortunately that would require a password because it is protected. I know a few people have been running brute force attacks on the password with no luck so far. :(


The next part of the iPhone package is the two other files inside the main folder (not the Firmware folder)

File: kernelcache.restore.release.s5l8900xrb
Contains: The cache of the kernel stored on the iPhone. It's encrypted so I can't grab much from this.
Notes: This is encrypted. The key must either be in the iPhone OS itself to decrypt the contents, or the key is in iTunes.

File: Restore.plist
Contains: This holds key information about the iPhone's restore process. If it can be applied etc.
Notes: None. Just open and you're done. Although you might be able to change the location of the firmware that it restores (you can change it, but some other part of the restore might not like that).


Next bit is the Firmware folder. Surprise, surprise this contains the firmware and its resources so I don't really need to run over the files because its mostly self explanatory. But here is the contents.

Folder: Firmware
Contents:
all_flash
all_flash.m68ap.production
applelogo.img2
batterycharging.img2
batterylow0.img2
batterylow1.img2
DeviceTree.m68ap.img2
iBoot.m68ap.RELEASE.img2
LLB.m68ap.RELEASE.img2
manifest
needservice.img2
recoverymode.img2


dfu
iBSS.m68ap.RELEASE.dfu
WTF.s5l8900xall.RELEASE.dfu



The file, manifest, checks all the files for modifications.

Also .img2 has no resemblance to pictures except they may contain some.


That's all I've got so far. Hope it helps!
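Added example (not code from the original posts or from Apple): the .ipsw described above is a plain zip, so its layout can be checked programmatically. This script builds a small stand-in bundle in memory using the file names listed in the post (with constructed placeholder bytes, not real firmware), parses Restore.plist with plistlib, and then verifies the all_flash images against the manifest. The Restore.plist keys and the manifest's "sha256  name" line format are assumptions for illustration; the page does not document the real formats.

```python
"""Inspect a restore bundle laid out like the one described in the thread.

Added example, not Apple's code.  File names follow the post above; the
payload bytes, the Restore.plist keys and the manifest line format
('sha256  basename') are constructed assumptions for illustration.
"""
import hashlib
import io
import plistlib
import zipfile

FLASH_DIR = "Firmware/all_flash/all_flash.m68ap.production/"

# Constructed stand-in payloads; real firmware bytes are not reproduced here.
SAMPLE_FILES = {
    FLASH_DIR + "applelogo.img2": b"Img2\x00" * 4,
    FLASH_DIR + "iBoot.m68ap.RELEASE.img2": b"Img2\x01" * 4,
    FLASH_DIR + "LLB.m68ap.RELEASE.img2": b"Img2\x02" * 4,
    "Firmware/dfu/iBSS.m68ap.RELEASE.dfu": b"\xff" * 8,
    "kernelcache.restore.release.s5l8900xrb": b"\x00" * 8,
    "694-5259-38.dmg": b"ramdisk-stub",
    "694-5262-39.dmg": b"encrypted-os-stub",
}

# Assumed keys for the example, not Apple's documented Restore.plist schema.
SAMPLE_RESTORE_PLIST = {
    "ProductBuildVersion": "1A543a",
    "ProductVersion": "1.0",
    "RestoreRamDisks": {"User": "694-5259-38.dmg"},
    "SystemRestoreImages": {"User": "694-5262-39.dmg"},
}


def make_manifest(files):
    """Assumed manifest format: one 'sha256  basename' line per flash image."""
    lines = []
    for name, data in sorted(files.items()):
        if name.startswith(FLASH_DIR):
            digest = hashlib.sha256(data).hexdigest()
            lines.append(f"{digest}  {name[len(FLASH_DIR):]}")
    return ("\n".join(lines) + "\n").encode()


def build_sample_ipsw(tamper=None):
    """Return IPSW bytes (a plain zip).  If `tamper` names a flash image, its
    bytes are altered after the manifest is computed to simulate modification."""
    files = dict(SAMPLE_FILES)
    files[FLASH_DIR + "manifest"] = make_manifest(files)
    files["Restore.plist"] = plistlib.dumps(SAMPLE_RESTORE_PLIST)
    if tamper:
        files[FLASH_DIR + tamper] = files[FLASH_DIR + tamper] + b"patched"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


def summarize_ipsw(ipsw_bytes):
    """Parse Restore.plist and classify the bundle's contents by type."""
    with zipfile.ZipFile(io.BytesIO(ipsw_bytes)) as zf:
        names = zf.namelist()
        plist = plistlib.loads(zf.read("Restore.plist"))
    return {
        "build": plist["ProductBuildVersion"],
        "ramdisk": plist["RestoreRamDisks"]["User"],
        "os_image": plist["SystemRestoreImages"]["User"],
        "dmgs": sorted(n for n in names if n.endswith(".dmg")),
        "firmware": sorted(n for n in names if n.startswith("Firmware/")),
    }


def verify_manifest(ipsw_bytes):
    """Recompute hashes of the flash images and return the basenames whose
    contents no longer match the manifest (empty list: nothing modified)."""
    bad = []
    with zipfile.ZipFile(io.BytesIO(ipsw_bytes)) as zf:
        manifest = zf.read(FLASH_DIR + "manifest").decode()
        for line in manifest.splitlines():
            digest, base = line.split("  ", 1)
            actual = hashlib.sha256(zf.read(FLASH_DIR + base)).hexdigest()
            if actual != digest:
                bad.append(base)
    return bad


if __name__ == "__main__":
    clean = build_sample_ipsw()
    print(summarize_ipsw(clean))
    print("clean bundle mismatches:", verify_manifest(clean))
    patched = build_sample_ipsw(tamper="iBoot.m68ap.RELEASE.img2")
    print("tampered bundle mismatches:", verify_manifest(patched))
```

Running it against a real .ipsw would mean pointing zipfile at the downloaded file instead of build_sample_ipsw(); summarize_ipsw only needs the plist keys to exist, and verify_manifest would need the real manifest format, which this thread does not describe.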

jcohen9229
Jul 2, 2007, 01:05 AM
What are some good brute force programs?

nattyD
Jul 2, 2007, 02:58 AM
What are some good brute force programs?

I don't think the moderators would appreciate me talking about that kind of thing here so I will PM you with some details. There aren't many tools out there for .dmg files.

nattyD

Edit: If anyone else wants to do that kind of thing just PM me.

dr_lha
Jul 2, 2007, 09:03 AM
.dmg files use 128 bit AES encryption. Brute forcing is not an option unless you have several millennia to spare.

Metatron
Jul 2, 2007, 09:58 AM
.dmg files use 128 bit AES encryption. Brute forcing is not an option unless you have several millennia to spare.

oh come now...in 5 years the budget processor of the time will be able to crack it in under a minute. But who will care by then???

dr_lha
Jul 2, 2007, 10:15 AM
oh come now...in 5 years the budget processor of the time will be able to crack it in under a minute.
Under a minute? Unless there's a breakthrough of massive proportions in the next five years I think you might be overestimating the increase of CPU speed in the next 5 years.

It's quite possible that someone might find an alternative to brute forcing to break AES 128 in the next five years though.

From Wikipedia:
The amount of time required to break a 128 bit key is also daunting. Each of the 2^128 possibilities must be checked. This is an enormous number, 340,282,366,920,938,463,463,374,607,431,768,211,456 in decimal. If a device could be built that could check a billion billion keys (10^18) per second, 10,790,283,070,806 years would still be required to exhaust the key space. By way of comparison, the age of the universe is only about 13,000,000,000 (1.3 × 10^10) years.

(Although on average an attacker will find the key after searching only half the possible keys, this makes no practical difference given the time scales involved.)
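Added example (not from the original posts): the arithmetic behind the quoted figure, written so the two counter-arguments raised in this thread can be checked with numbers. It reproduces the Wikipedia estimate (10^18 keys per second, 365-day year), scales the rate by a core count to cover the point that cores can each search a disjoint slice of the key space, and works out how many doublings of search rate would be needed before a 128-bit space could be searched in a minute. The 18-month doubling period is an assumption standing in for the "budget processor in 5 years" claim.

```python
"""Key-space arithmetic behind the AES-128 discussion in this thread.

Added example, not part of the original posts.  Rate and year length match
the quoted Wikipedia figures; the 18-month doubling period is an assumption.
"""
import math

SECONDS_PER_YEAR = 365 * 24 * 3600  # Wikipedia's figure uses a 365-day year


def exhaustive_search_years(key_bits, keys_per_second, cores=1):
    """Years to try every key.  Cores search disjoint slices of the key space,
    so the aggregate rate scales linearly with their number."""
    total_rate = keys_per_second * cores
    return (2 ** key_bits) // (total_rate * SECONDS_PER_YEAR)


def expected_years(key_bits, keys_per_second, cores=1):
    """On average the key turns up halfway through the space, i.e. after
    2**(key_bits-1) trials."""
    return exhaustive_search_years(key_bits - 1, keys_per_second, cores)


def doublings_needed(key_bits, keys_per_second, target_seconds):
    """How many times the aggregate search rate must double before the whole
    key space can be covered within target_seconds."""
    required_rate = (2 ** key_bits) / target_seconds
    ratio = required_rate / keys_per_second
    return 0 if ratio <= 1 else math.ceil(math.log2(ratio))


def years_until(doublings, doubling_period_years=1.5):
    """Calendar time implied by a steady doubling period (assumed 18 months)."""
    return doublings * doubling_period_years


if __name__ == "__main__":
    rate = 10 ** 18  # the "billion billion keys per second" device
    print("exhaustive, 1 device :", exhaustive_search_years(128, rate), "years")
    print("expected,   1 device :", expected_years(128, rate), "years")
    print("exhaustive, 1e6 cores:", exhaustive_search_years(128, rate, cores=10 ** 6), "years")
    d = doublings_needed(128, rate, target_seconds=60)
    print("doublings to reach one minute:", d, "=>", years_until(d), "years of doubling")
```

The million-core line shows why more cores do help, exactly as shawnce says later in the thread, but only linearly: a factor of 10^6 off a 10^13-year figure still leaves 10^7 years. The doublings line shows why the "under a minute in five years" claim needs roughly 63 doublings of search rate, which at one doubling every 18 months is close to a century, not five years.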

mkrishnan
Jul 2, 2007, 10:32 AM
So are there any components that are not encrypted, that might lead the way for people to "slipstream" hacks into the image? ;)

P.S. is there anything like a network archive/install or software update on the iPhone? Forgive me if this was brought up in one of the main threads already. :o

rockstarjoe
Jul 2, 2007, 10:47 AM
How does a 93MB restore give you a 700MB OS? I'm confused.

korndog2003
Jul 2, 2007, 10:50 AM
Hmm maybe if users go after the windows version of the restore file. Maybe a little more luck there.

diehardmacfan
Jul 2, 2007, 01:26 PM
so if iTunes can get the info off of the DMG, then the password must be in iTunes, or iTunes retrieves the password from the internet.

would that be a logical assumption?

wouldn't it be easier to try to get the iphone to mount in disk mode with some hacking, then one could just image that

Killyp
Jul 2, 2007, 01:40 PM
How does a 93MB restore give you a 700MB OS? I'm confused.

The same way a 4.7 GB DVD gives you a 20 GB OS X install ;) I believe it works off the same principle PNG uses in comparison with BMP, only stores the minimum amount of information required, like a 'palette', rather than storing everything in a format which allows for every single possibility...

Metatron
Jul 2, 2007, 02:06 PM
Under a minute? Unless there's a breakthrough of massive proportions in the next five years I think you might be overestimating the increase of CPU speed in the next 5 years.

Its quite possible that someone might find an alternative to brute forcing to break AES 128 in the next five years though.

From Wikipedia:


***note, I did say the word "crack"...

dr_lha
Jul 2, 2007, 04:50 PM
so if itunes can get the info off of the DMG, then the password must be in iTunes, or iTunes retreives the password from the internet.

would that be a logical assumption?
Not really, the DMG password is probably stored onboard the iPhone. iTunes presumably just uploads the DMG to the iPhone's flash memory, and the iPhone mounts it using its internal password.

nattyD
Jul 2, 2007, 05:05 PM
Ok, now would I be right that the iPhone uses the same partition scheme as the iPod? I would think so because you can't access the iPhone's OS in the normal disk that you get popping up.

Now we can save what is on the other partitions using this command in the Terminal (run as root, hence the # prompt):
# dd if=/dev/disk1s2 of=iphone_os_partition_backup

*If your iPhone is mounted in a different location (e.g. disk2) then change that in the command. Just run mount for that information. Also s2 might not be the partition so... try others if it fails. Just don't do the main one, otherwise you will have your entire iPhone's main drive backed up.

Then the whole OS will be saved into one file. Which people can start dissecting if they want.

There are a few other ways of mounting the OS partition but these can be dangerous so read up if you want to.

nattyD

dr_lha
Jul 2, 2007, 05:13 PM
You're making a big assumption that you can access the iPhone's disk through a /dev entry I think. The iPhone does not have a "disk mode" like the iPod, so I doubt what you posted would work.

nattyD
Jul 2, 2007, 05:18 PM
Well the iPhone has to be mounted (but it doesn't have to be visible) for iTunes to add data to it (the data partition that is). So then you should be able to access other partitions with the Terminal.

I don't know if it will work so if someone is willing to try it please do because I'd like to have a peek around in the data of the raw OS.

And yes it is an assumption because I don't actually have one and can't get one until 2008 (bloody Australia).

SpinThis!
Jul 2, 2007, 05:39 PM
How does a 93MB restore give you a 700MB OS? I'm confused.
Actually the OS is around 210 MB expanded. It's the difference between measuring in binary (your OS) and decimal (the hard drive makers). On the 8GB model, you never had the full 8 GB to start with... it's closer to 7.45 GB.

dr_lha
Jul 2, 2007, 06:12 PM
Well the iPhone has to be mounted (but it doesnt have to be visible) for iTunes to add data to it (the data partition that is). So then you should be able to access other partitions with the Terminal.

Why? Perhaps the syncing is done through a proprietary protocol. There's no reason why it needs to be mounted as a device. The iPhone could sync through sftp for all we know; there's no technical reason why it needs to be mounted as a drive and then "hidden". If you can access it through Terminal then that's no security at all after all.

I don't know if it will work so if someone is willing to try it please do because I'd like to have a peek around in the data of the raw OS.

Well my iPhone ships before July 17th, so I'll look into it when I get it, but I don't think it's going to be all that easy I'm afraid.

diamond.g
Jul 2, 2007, 06:15 PM
Well the iPhone has to be mounted (but it doesn't have to be visible) for iTunes to add data to it (the data partition that is). So then you should be able to access other partitions with the Terminal.

I don't know if it will work so if someone is willing to try it please do because I'd like to have a peek around in the data of the raw OS.

And yes it is an assumption because I don't actually have one and can't get one until 2008 (bloody Australia).

In Windows, the iPhone would have to show up in device manager. And if it does then there is a drive id (sorta) associated with it. All that information would be stored in the Registry. The real question is how you would present it to Windows as an actual drive letter.

In OS X it isn't showing up as a mounted drive under terminal. How are they putting data on the iPhone?

diamond.g
Jul 2, 2007, 06:20 PM
Why? Perhaps the syncing is done through a proprietary protocol. There's no reason why it needs to be mounted as a device. The iPhone could sync through sftp for all we know; there's no technical reason why it needs to be mounted as a drive and then "hidden". If you can access it through Terminal then that's no security at all after all.

Well my iPhone ships before July 17th, so I'll look into it when I get it, but I don't think its going to be all that easy I'm afraid.

Interesting, in Windows you can do a netstat -an to get what connections are active and what ports they are active over. I would imagine you could enable ip filtering for all ports (TCP/IP settings) and then try syncing. If it is using a port to communicate over it would fail miserably. I dunno how to do that in OS X, so I am of little help.


Lastly, is it possible to sniff the data being sent down a USB line? Maybe figure out how iTunes is talking to the iPhone by way of just listening in (as it were).

nattyD
Jul 2, 2007, 06:42 PM
Why? Perhaps the syncing is done through a proprietary protocol. There's no reason why it needs to be mounted as a device. The iPhone could sync through sftp for all we know; there's no technical reason why it needs to be mounted as a drive and then "hidden". If you can access it through Terminal then that's no security at all after all.

You're probably right. As Apple has said in the past, they don't want people to do third-party stuff because it might stop other features from working. So they have tried pretty damn hard to stop it. But in the end the hackers *almost* always get in. If they are using a network protocol to sync data that could be seen in Activity Monitor (Utilities folder). You could probably pull up a log of disk activity as well.

Lastly, is it possible to sniff the data being sent down a USB line? Maybe figure out how iTunes is talking to the iPhone by way of just listening in (as it were).
Yes it is. There are tools for Mac OS X and Windows to capture the data being sent through USB interfaces. In fact Apple includes their own USB sniffer (well, they call it USB Prober) with their developer tools. Here are a few links.

SnoopyPro (Windows) - http://sourceforge.net/project/showfiles.php?group_id=34567

Apple's USB Debug Kit (Mac OS X) - http://developer.apple.com/hardwaredrivers/download/usbdebug.html
*be warned, Apple's USB Prober captures lots of info (and I mean lots)

displaced
Jul 2, 2007, 06:48 PM
I dunno how to do that in OS X, so I am of little help.

*grin*

try netstat -an ;)

(oh, and for the IP filtering, there's ipfw).

However, I'd imagine the whole end-to-end comms is wrapped in some sort of ssl encryption with device certificates verifying the authenticity of each device in the chain. There's probably not going to be a simple loophole. It'll be a painstaking slog to try to find any flaws in Apple's implementation of the security, rather than a flaw in the security model itself.

diehardmacfan
Jul 2, 2007, 08:31 PM
You're probably right. As Apple has said in the past, they don't want people to do third-party stuff because it might stop other features from working. So they have tried pretty damn hard to stop it. But in the end the hackers *almost* always get in. If they are using a network protocol to sync data that could be seen in Activity Monitor (Utilities folder). You could probably pull up a log of disk activity as well.


Yes it is. There are tools for Mac OS X and Windows to capture the data being sent through USB interfaces. In fact Apple includes their own USB sniffer (well, they call it USB Prober) with their developer tools. Here are a few links.

SnoopyPro (Windows) - http://sourceforge.net/project/showfiles.php?group_id=34567

Apple's USB Debug Kit (Mac OS X) - http://developer.apple.com/hardwaredrivers/download/usbdebug.html
*be warned, Apple's USB Prober captures lots of info (and I mean lots)

I was thinking the same exact thing about sniffing the data going over USB right before I came to this forum. You read my mind. If someone could run this Apple USB Prober while you are restoring the iPhone.

So basically run this USB prober, Then hit restore in iTunes and let it work with the iphone connected. Then you will have to search through all the data and find the iPhones OS. And then we will have the operating system.

Someone please try that.

nattyD
Jul 2, 2007, 10:12 PM
i was thinking the same exact thing about sniffing the data going over USB right before i came to this forum. You read my mind. If someone could run this Apple USB Prober, while you are restoring the iphone.

So basically run this USB prober, Then hit restore in iTunes and let it work with the iphone connected. Then you will have to search through all the data and find the iPhones OS. And then we will have the operating system.

Someone please try that.

Well it depends if the OS is transferred to the iPhone as the DMG or is decrypted and then sent. The first is more likely as dr_lha pointed out before. So I think for the moment we're stumped. Unless the OS is stored on an alternate partition, which is looking unlikely as well. And also the USB data could be encrypted itself. As displaced pointed out it could all be SSL transfers and then... well that would be extremely hard to get anything from.

It's a 2 way street. We may figure out how to get the OS. But putting it back would be even harder.

All good things take time. So just wait. And one day it will happen. Of course if you want to help feel free to.

balamw
Jul 3, 2007, 02:17 PM
Slashdot is reporting that the iPhone's root password has already been extracted from the image, though it has not been put to any use so far.

http://www.builderau.com.au/blogs/byteclub/viewblogpost.htm?p=339270810

B

nattyD
Jul 3, 2007, 07:01 PM
Interesting stuff. The passwords for root and mobile. This will be very useful when we get into OS X and not just SpringBoard.

Unfortunately none of these are the passwords for the DMG.

The most useful link for iPhone hacking/cracking is http://iphone.fiveforty.net/wiki/ very interesting stuff that they have. They also have forums.

synth3tik
Jul 3, 2007, 07:30 PM
In Windows, the iPhone would have to show up in device manager. And if it does then there is a drive id (sorta) associated with it. All that information would be stored in the Registry. The real question is how you would present it to Windows as an actual drive letter.

In OS X it isn't showing up as a mounted drive under terminal. How are they putting data on the iPhone?

As was stated

Why? Perhaps the syncing is done through a proprietary protocol. There's no reason why it needs to be mounted as a device. The iPhone could sync through sftp for all we know, there's no techical reason why it needs to be mounted as a drive and then "hidden". If you can access it through Terminal then thats no security at all after all.

inkhead
Jul 4, 2007, 04:15 AM
It doesn't really matter, the "Restore iPhone to Factory Settings" contains the entire OS it's running, which you can download directly by doing a restore in iTunes to your phone (this is how they watched where it connected to get the file).

Basically the phone is like this:

It has a really fast RAM disk (this DMG has already been cracked) that loads instantly, then on the phone the RAM disk calls up the 91 (or so) MB OS image that is a .DMG file and unlocks the encrypted DMG in realtime on the phone. It doesn't really matter if hackers crack this OS X (iPhone) DMG password or not, because somewhere in the iPhone the password is stored so that it can unlock the DMG (just like a FileVault). So eventually someone with more hardware knowledge (the hackint0sh gang is almost there) is going to figure out how to monitor the iPhone decrypting the DMG (FileVault style) disk image so that they won't have to keep guessing at the password.

hdasmith
Jul 4, 2007, 05:38 PM
oh come now...in 5 years the budget processor of the time will be able to crack it in under a minute. But who will care by then???

Processors are getting more cores, rather than faster cores at the moment. You can't access the data more than once in any given time, so it won't make it much faster to crack.

dr_lha
Jul 4, 2007, 10:45 PM
Well the DMG did get cracked somehow, although I haven't seen any details of how they did it. I'd be interested to find out. Either the DMG encryption has a serious flaw, or someone on the inside leaked the password. ;)

shawnce
Jul 9, 2007, 04:12 PM
Processors are getting more cores, rather than faster cores at the moment. You can't access the data more than once in any given time, so it won't make it much faster to crack.

Actually that isn't true. Multiple cores can independently brute force a different subset of the key space, etc. and/or work against independent copies of the encrypted data.

korndog2003
Jul 9, 2007, 04:14 PM
It's cracked. :)

boulderomen
Sep 19, 2007, 02:00 AM
Is there a way to install this without using iTunes?

Redneck1089
Sep 20, 2007, 09:27 AM
Is there a way to install this without using iTunes?

I'd like to know this too.

My iPhone doesn't come until next week and I'm worried about the next firmware update preventing me from unlocking it. I've downloaded the current firmware in anticipation, but I'm unsure if I'll be able to upload it to my phone once this new firmware comes out.

Is there any way to upload the existing firmware to the phone after the new firmware is released?

Redneck1089
Sep 20, 2007, 11:41 AM
Anyone?

JPyre
Sep 20, 2007, 05:27 PM
No you can't, but there is eventually always a way to do something that can't be done.