

Inventive users can download the iPhone 1A543a restore image (93MB) from Apple.

The link was discovered through iTunes 7.3, which offers users the capability to restore their iPhone to factory default settings. The resultant .zip file provides a Firmware folder and two DMG files (one password protected).

There have been some ongoing efforts to unlock the Apple iPhone, but no documented success. According to one blogger, the Apple iPhone becomes locked to the SIM which you use to activate it (photo), but the iPhone's SIM can successfully be used in another AT&T phone.
 
I think Apple removed this from their website. When I click on the link it says that it can't be found on their server and then it suggests another document, which is the OS, but I can't get to that either. I hope whoever has the image saved will try to hack it and work their way to unlocking it ;)
 
I think Apple removed this from their website. When I click on the link it says that it can't be found on their server and then it suggests another document, which is the OS, but I can't get to that either. I hope whoever has the image saved will try to hack it and work their way to unlocking it ;)

I fixed the link.

arn
 
Referring to the picture from Flickr,
What happens when you press 'Dismiss'?
Does it let you use the iPod or data through Wifi?
 
Referring to the picture from Flickr,
What happens when you press 'Dismiss'?
Does it let you use the iPod or data through Wifi?

Yeah, will someone please try that.

From the picture it looks like that would work. If so, then one would have to activate the phone with the SIM card, then take it out, put in a different SIM card, and cancel the service with AT&T. Then one would be able to use all the features besides the phone for the cost of the $36 activation fee plus another SIM card.

Someone please try this with an iphone.

P.S. Is it possible to boot from this image on a computer just like people booted from the Apple T.V. image on their computers.
 
P.S. Is it possible to boot from this image on a computer just like people booted from the Apple T.V. image on their computers.

I really, really doubt it. The phone's OS is compiled to run on ARM processors, not Intels, for starters.

Now an emulation layer may show up someday so you can run the phone's OS inside a window. That would be fun, even if not really useful.
 
This is an interesting discovery! Not only do we now have the OS of the iPhone, it includes some additional information. One major point being that the iPhone contains a preset RAM image. Which is... weird.

DMG: 694-5259-38.dmg
Contains: RAM image. Along with most instructions for the iPhone (try opening it with a hex editor and you will see what I mean).
Notes: This 'disk image' has the right extension but the data inside has been stored in a way that has an unusual format, and Disk Utility can't mount it because of this. I have tried other utilities for mounting the image and repairing it etc. Nothing so far has worked. :(

DMG: 694-5262-39.dmg
Contains: The OS (which is a stripped down version of Leopard) and the extensions/modifications needed to use features of the iPhone.
Notes: This disk image is in the right format and can be mounted. Unfortunately that would require a password because it is protected. I know a few people have been running brute force attacks on the password with no luck so far. :(


The next part of the iPhone package is the two other files inside the main folder (not the Firmware folder).

File: kernelcache.restore.release.s5l8900xrb
Contains: The cache of the kernel stored on the iPhone. It's encrypted so I can't grab much from this.
Notes: This is encrypted. The key must either be in the iPhone OS itself to decrypt the contents, or the key is in iTunes.

File: Restore.plist
Contains: This holds key information about the iPhone's restore process. If it can be applied etc.
Notes: None. Just open and you're done. Although you might be able to change the location of the firmware that it restores (you can change it, but some other part of the restore might not like that).


Next bit is the Firmware folder. Surprise, surprise, this contains the firmware and its resources, so I don't really need to run over the files because it's mostly self-explanatory. But here are the contents.

Folder: Firmware
Contents:
  • all_flash
    1. all_flash.m68ap.production
      1. applelogo.img2
      2. batterycharging.img2
      3. batterylow0.img2
      4. batterylow1.img2
      5. DeviceTree.m68ap.img2
      6. iBoot.m68ap.RELEASE.img2
      7. LLB.m68ap.RELEASE.img2
      8. manifest
      9. needservice.img2
      10. recoverymode.img2
  • dfu
    1. iBSS.m68ap.RELEASE.dfu
    2. WTF.s5l8900xall.RELEASE.dfu

The manifest file checks all the files for modifications.

Also, .img2 files have no resemblance to pictures, except that they may contain some.


That's all I've got so far. Hope it helps!
 
What are some good brute force programs?

I don't think the moderators would appreciate me talking about that kind of thing here so I will PM you with some details. There aren't many tools out there for .dmg files.

nattyD

Edit: If anyone else wants to do that kind of thing just PM me.
 
.dmg files use 128 bit AES encryption. Brute forcing is not an option unless you have several millennia to spare.
 
.dmg files use 128 bit AES encryption. Brute forcing is not an option unless you have several millennia to spare.

Oh come now... in 5 years the budget processor of the time will be able to crack it in under a minute. But who will care by then???
 
Oh come now... in 5 years the budget processor of the time will be able to crack it in under a minute.
Under a minute? Unless there's a breakthrough of massive proportions in the next five years I think you might be overestimating the increase of CPU speed in the next 5 years.

It's quite possible that someone might find an alternative to brute forcing to break AES 128 in the next five years though.

From Wikipedia:
The amount of time required to break a 128 bit key is also daunting. Each of the 2^128 possibilities must be checked. This is an enormous number, 340,282,366,920,938,463,463,374,607,431,768,211,456 in decimal. If a device could be built that could check a billion billion keys (10^18) per second, 10,790,283,070,806 years would still be required to exhaust the key space. By way of comparison, the age of the universe is only about 13,000,000,000 (1.3 × 10^10) years.

(Although on average an attacker will find the key after searching only half the possible keys, this makes no practical difference given the time scales involved.)
 
So are there any components that are not encrypted, that might lead the way for people to "slipstream" hacks into the image? ;)

P.S. is there anything like a network archive/install or software update on the iPhone? Forgive me if this was brought up in one of the main threads already. :eek:
 
So if iTunes can get the info off of the DMG, then the password must be in iTunes, or iTunes retrieves the password from the internet.

would that be a logical assumption?

Wouldn't it be easier to try to get the iPhone to mount in disk mode with some hacking? Then one could just image that.
 
How does a 93MB restore give you a 700MB OS? I'm confused.

The same way a 4.7 GB DVD gives you a 20 GB OS X install ;) I believe it works off the same principle PNG uses in comparison with BMP: only store the minimum amount of information required, like a 'palette', rather than storing everything in a format which allows for every single possibility...
 
Under a minute? Unless there's a breakthrough of massive proportions in the next five years I think you might be overestimating the increase of CPU speed in the next 5 years.

It's quite possible that someone might find an alternative to brute forcing to break AES 128 in the next five years though.

From Wikipedia:


***note, I did say the word "crack"...
 
So if iTunes can get the info off of the DMG, then the password must be in iTunes, or iTunes retrieves the password from the internet.

would that be a logical assumption?
Not really, the DMG password is probably stored onboard the iPhone. iTunes presumably just uploads the DMG to the iPhone's flash memory, and the iPhone mounts it using its internal password.
 
Ok, now would I be right that the iPhone uses the same partition scheme as the iPod? I would think so because you can't access the iPhone's OS in the normal disk that you get popping up.

Now we can save what is on the other partitions using this command in the Terminal:
Code:
# dd if=/dev/disk1s2 of=iphone_os_partition_backup
*If your iPhone is mounted in a different location (e.g. disk2) then change that in the command. Just run
Code:
mount
for that information. Also s2 might not be the partition so... try others if it fails. Just don't do the main one, otherwise you will have your entire iPhone's main drive backed up.

Then the whole OS will be saved into one file. Which people can start dissecting if they want.

There are a few other ways of mounting the OS partition but these can be dangerous so read up if you want to.

nattyD
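The procedure above (run `mount` to find the device, then `dd` one partition to a file, avoiding the main drive) as a small added script that is not from the thread: it turns the "don't do the main one" warning into a check against whatever is mounted as /, verifies the copy, and records a SHA-256 so anyone dissecting the dump later can tell it has not been altered. Device names are assumptions; the functions also work on a plain file, which is how to try them safely.

```shell
#!/bin/sh
# Added example, not from the forum post. Images a partition for analysis
# while refusing the root device and hashing the result.

# Print the device currently mounted as /, parsed from `mount` output
# ("/dev/disk1s1 on / ..." on macOS, "/dev/sda1 on / type ext4 ..." on Linux).
root_device() {
  mount | awk '$2 == "on" && $3 == "/" { print $1; exit }'
}

# List the other /dev entries that `mount` reports, which is the
# "just run mount for that information" step of the post.
candidate_partitions() {
  root="$(root_device)"
  mount | awk -v root="$root" \
    '$2 == "on" && $1 ~ /^\/dev\// && $1 != root { print $1 }'
}

# backup_partition <source device or image file> <output file>
# Returns 0 on success, 1 if the source is empty or is the root device,
# 2 if dd fails or the dump does not match the source byte for byte.
backup_partition() {
  src="$1"; out="$2"
  [ -n "$src" ] && [ -n "$out" ] || return 1
  if [ "$src" = "$(root_device)" ]; then
    echo "refusing to image root device $src" >&2
    return 1
  fi
  # bs=65536 is accepted by both BSD and GNU dd (macOS rejects 1M, wants 1m)
  dd if="$src" of="$out" bs=65536 2>/dev/null || return 2
  cmp -s "$src" "$out" || return 2
  # Record a hash next to the dump: sha256sum (GNU) or shasum -a 256 (macOS)
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$out" > "$out.sha256"
  else
    shasum -a 256 "$out" > "$out.sha256"
  fi
}
```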
 
You're making a big assumption that you can access the iPhone's disk through a /dev entry I think. The iPhone does not have a "disk mode" like the iPod, so I doubt what you posted would work.
 
Well, the iPhone has to be mounted (but it doesn't have to be visible) for iTunes to add data to it (the data partition that is). So then you should be able to access other partitions with the Terminal.

I don't know if it will work, so if someone is willing to try it please do, because I'd like to have a peek around in the data of the raw OS.

And yes it is an assumption because I don't actually have one and can't get one until 2008 (bloody Australia).
 
Well, the iPhone has to be mounted (but it doesn't have to be visible) for iTunes to add data to it (the data partition that is). So then you should be able to access other partitions with the Terminal.
Why? Perhaps the syncing is done through a proprietary protocol. There's no reason why it needs to be mounted as a device. The iPhone could sync through sftp for all we know; there's no technical reason why it needs to be mounted as a drive and then "hidden". If you can access it through Terminal then that's no security at all, after all.
I don't know if it will work, so if someone is willing to try it please do, because I'd like to have a peek around in the data of the raw OS.
Well, my iPhone ships before July 17th, so I'll look into it when I get it, but I don't think it's going to be all that easy I'm afraid.
 
Well, the iPhone has to be mounted (but it doesn't have to be visible) for iTunes to add data to it (the data partition that is). So then you should be able to access other partitions with the Terminal.

I don't know if it will work, so if someone is willing to try it please do, because I'd like to have a peek around in the data of the raw OS.

And yes it is an assumption because I don't actually have one and can't get one until 2008 (bloody Australia).

In Windows, the iPhone would have to show up in device manager. And if it does then there is a drive id (sorta) associated with it. All that information would be stored in the Registry. The real question is how you would present it to Windows as an actual drive letter.

In OS X it isn't showing up as a mounted drive under terminal. How are they putting data on the iPhone?
 