GenPass
Tool to get 3.x ASR key for rootfs
// genpass
// get asr key for 3.x firmware
//
// by posixninja, geohot, and chronic
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <openssl/sha.h>
#include <openssl/evp.h>
/* Size in bytes (1 MiB) of the buffer main() allocates and fills per fread() call. */
#define BUF_SIZE 0x100000
/* Length in bytes of a SHA-256 digest.
 * NOTE(review): <openssl/sha.h> normally provides this macro as well; confirm
 * the duplicate definition is intentional. */
#define SHA256_DIGEST_LENGTH 32
/* Short aliases for unsigned integer types.
 * NOTE(review): the names assume unsigned int is 32 bits and unsigned long long
 * is 64 bits on the target; the C standard only guarantees minimum widths. */
typedef unsigned char uint8;
typedef unsigned int uint32;
typedef unsigned long long uint64;
/*
 * Combine two 32-bit halves into one 64-bit value.
 *
 * msq becomes bits 63..32 of the result, lsq becomes bits 31..0.
 */
uint64 u32_to_u64(uint32 msq, uint32 lsq) {
    /* Widen before shifting so the upper half is not lost. */
    const uint64 upper = ((uint64)msq) << 32;
    const uint64 lower = (uint64)lsq;

    return upper | lower;
}
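/*
 * Hash a platform name down to 64 bits.
 *
 * Computes SHA-1 over the bytes of `platform` (terminator excluded) and
 * returns the first eight digest bytes as a big-endian 64-bit value:
 * md[0..3] form the upper 32 bits, md[4..7] the lower 32 bits.
 *
 * `platform` must be a valid NUL-terminated string.
 */
uint64 hash_platform(const char* platform) {
    /* A stack buffer replaces the unchecked malloc(): nothing can fail or leak. */
    uint8 md[SHA_DIGEST_LENGTH];
    uint32 high;
    uint32 low;

    /* SHA1() takes unsigned bytes; the cast only changes signedness. */
    SHA1((const unsigned char*)platform, strlen(platform), md);

    /* Convert each byte to uint32 before shifting: shifting a promoted int
     * left by 24 overflows a signed int whenever the byte is >= 0x80. */
    high = ((uint32)md[0] << 24) | ((uint32)md[1] << 16) |
           ((uint32)md[2] << 8)  |  (uint32)md[3];
    low  = ((uint32)md[4] << 24) | ((uint32)md[5] << 16) |
           ((uint32)md[6] << 8)  |  (uint32)md[7];

    return u32_to_u64(high, low);
}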
/*
 * Report the size in bytes of the file at path `ramdisk`.
 *
 * Returns 0 when stat() fails, so a caller cannot tell a missing file from
 * an empty one by the return value alone.
 */
uint64 ramdisk_size(const char* ramdisk) {
    struct stat info;
    const int status = stat(ramdisk, &info);

    return (status < 0) ? 0 : (uint64)info.st_size;
}
/*
 * Print `l` bytes starting at `passphrase` to stdout as lowercase hex,
 * two digits per byte, followed by a newline. Prints only the newline
 * when `l` is zero or negative.
 */
void keydump(uint8* passphrase,int l) {
    const uint8* cursor = passphrase;
    int remaining = l;

    while (remaining > 0) {
        printf("%02x", *cursor);
        cursor++;
        remaining--;
    }
    printf("\n");
}
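/*
 * qsort() comparator ordering uint32 values ascending.
 *
 * Returns -1, 0 or 1 when *a is less than, equal to or greater than *b.
 *
 * The parameters are `const void *` because qsort() calls the comparator
 * through a pointer of type int (*)(const void *, const void *); declaring
 * the function with uint32 pointers made that call go through an
 * incompatible function type (the "incompatible pointer type" warning).
 * Callers that pass `const uint32 *` arguments directly still compile,
 * since those convert implicitly to `const void *`.
 */
int compare(const void* a, const void* b) {
    const uint32 lhs = *(const uint32*)a;
    const uint32 rhs = *(const uint32*)b;

    if (lhs < rhs) return -1;
    if (lhs > rhs) return 1;
    return 0;
}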
/* Default platform and ramdisk names. The only reference to `platform` in this
 * file is a commented-out debug printf in main(); main() takes both values
 * from argv instead. */
const char platform[]="s5l8900x";
const char ramdisk[]="ramdisk.dmg";
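/*
 * Usage: genpass <platform> <ramdisk> [<main>]
 *
 * Derives a 32-byte passphrase with SHA-256 over:
 *   1. four fixed 64-bit salts, each offset by hash_platform(argv[1]);
 *   2. the full contents of the file argv[2];
 *   3. up to four extra windows of at most 0x4000 bytes of that file, at
 *      512-byte-aligned offsets derived from the salts and the file size.
 * The passphrase is printed as hex.
 *
 * When a third argument is given, the passphrase is used as a 3DES-CBC key
 * (bytes 0..23) and IV (bytes 24..31) to decrypt a 0x30-byte block read from
 * argv[3]; up to seven candidate blocks are tried, starting at offset 0x1D4
 * and 0x268 bytes apart. The first block whose padding verifies is printed.
 *
 * Returns 0 on success and -1 on a usage error, I/O failure, allocation
 * failure, or when no candidate block decrypts.
 */
int main(int argc, char* argv[]) {
    /* The ULL suffix keeps compilers from warning that these constants are
     * too large for "long". */
    uint64 salt[4] = {
        0xad79d29de5e2ac9eULL,
        0xe6af2eb19e23925bULL,
        0x3f1375b4bd88815cULL,
        0x3bdff4e5564a9f87ULL
    };
    uint32 saltedHash[4];
    uint8 passphrase[SHA256_DIGEST_LENGTH];
    SHA256_CTX ctx;
    FILE* fd = NULL;
    FILE* mainfd = NULL;
    EVP_CIPHER_CTX* cipher = NULL;
    uint8* buffer = NULL;
    uint64 totalSize;
    uint64 platformHash;
    uint64 r = 0;      /* bytes of the ramdisk consumed so far */
    int i;
    int rc = -1;

    if (argc < 3) {
        printf("%s: <platform> <ramdisk> <main>\n", argc > 0 ? argv[0] : "genpass");
        return -1;
    }

    /* An unopened file used to reach fread() as a NULL stream. */
    fd = fopen(argv[2], "rb");
    if (fd == NULL) {
        perror(argv[2]);
        return -1;
    }

    /* ramdisk_size() returns 0 on stat() failure; a zero size would also make
     * the modulo below a division by zero. */
    totalSize = ramdisk_size(argv[2]);
    if (totalSize == 0) {
        fprintf(stderr, "%s: cannot determine size, or file is empty\n", argv[2]);
        goto done;
    }

    platformHash = hash_platform(argv[1]);
    for (i = 0; i < 4; i++) {
        salt[i] += platformHash;
    }

    /* Window offsets: salt modulo file size, truncated to 32 bits and rounded
     * down to a 512-byte boundary, then sorted ascending. */
    for (i = 0; i < 4; i++) {
        saltedHash[i] = ((uint32)(salt[i] % totalSize)) & 0xFFFFFE00;
    }
    qsort(saltedHash, 4, sizeof saltedHash[0], compare);

    buffer = malloc(BUF_SIZE);
    if (buffer == NULL) {
        fprintf(stderr, "out of memory\n");
        goto done;
    }

    SHA256_Init(&ctx);
    /* Hashes the in-memory bytes of the salt array, so the digest depends on
     * the host byte order. */
    SHA256_Update(&ctx, salt, sizeof salt);

    i = 0; /* index of the next window still to be handled */
    while (r < totalSize) {
        size_t x = fread(buffer, 1, BUF_SIZE, fd);

        /* A short file or read error used to spin forever here, because r
         * stopped advancing while still below totalSize. */
        if (x == 0) {
            fprintf(stderr, "%s: unexpected end of file or read error\n", argv[2]);
            goto done;
        }

        SHA256_Update(&ctx, buffer, x);

        if (i < 4) { /* some salts remain */
            const uint64 start = saltedHash[i];

            if (r >= start + 0x4000) {
                i++;
            } else if (r < start && start < r + x) {
                /* The window begins inside this chunk: hash it a second time,
                 * clipped to what the chunk holds and to 0x4000 bytes. The
                 * original's inner "window already passed" test could never
                 * be true once r < start held, so it is dropped. */
                const uint64 skip = start - r;
                const uint64 avail = x - skip;

                SHA256_Update(&ctx, buffer + skip,
                              (size_t)(avail < 0x4000 ? avail : 0x4000));
            }
        }
        r += x;
    }

    fclose(fd);
    fd = NULL;

    SHA256_Final(passphrase, &ctx);
    printf("passphrase: ");
    keydump(passphrase, SHA256_DIGEST_LENGTH);

    if (argc == 4) { /* do main as well */
        uint8 data[0x30];
        /* EVP_DecryptUpdate() may need room for one extra cipher block. */
        uint8 out[0x30 + EVP_MAX_BLOCK_LENGTH];
        long offset = 0x1D4;
        int found = 0;
        int a;

        mainfd = fopen(argv[3], "rb");
        if (mainfd == NULL) {
            perror(argv[3]);
            goto done;
        }

        /* A heap-allocated context is released on every path; the original
         * re-initialised a stack context per attempt and never cleaned it up. */
        cipher = EVP_CIPHER_CTX_new();
        if (cipher == NULL) {
            fprintf(stderr, "out of memory\n");
            goto done;
        }

        for (a = 0; a < 7 && !found; a++, offset += 0x268) {
            int outlen = 0;
            int tmplen = 0;

            /* Do not decrypt stale stack bytes after a failed or short read. */
            if (fseek(mainfd, offset, SEEK_SET) != 0 ||
                fread(data, 1, sizeof data, mainfd) != sizeof data) {
                fprintf(stderr, "%s: cannot read block %d\n", argv[3], a);
                break;
            }

            if (!EVP_DecryptInit_ex(cipher, EVP_des_ede3_cbc(),
                                    NULL, passphrase, &passphrase[24]) ||
                !EVP_DecryptUpdate(cipher, out, &outlen, data, (int)sizeof data) ||
                !EVP_DecryptFinal_ex(cipher, out + outlen, &tmplen)) {
                printf("not block %d\n", a);
                continue;
            }

            /* NOTE(review): valid padding is the only acceptance check, so a
             * wrong key can occasionally pass; treat the output as a
             * candidate, not as verified. */
            found = 1;
        }

        /* The original printed `out` even when every attempt failed, which
         * presented leftover buffer contents as if they were a key. */
        if (!found) {
            fprintf(stderr, "%s: no block decrypted with this passphrase\n", argv[3]);
            goto done;
        }

        printf("vfdecryptk: ");
        keydump(out, 0x24);
    }

    rc = 0;

done:
    if (cipher != NULL) {
        EVP_CIPHER_CTX_free(cipher);
    }
    if (mainfd != NULL) {
        fclose(mainfd);
    }
    if (fd != NULL) {
        fclose(fd);
    }
    free(buffer); /* free(NULL) is a no-op */
    return rc;
}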
I have absolutely NO idea what this means, but: AWESOME!
@pogoyoyo No. This has nothing to do with an unlock. This code to generate the passkey to decrypt the main iPhone OS... It makes Pwnage jailbreaks easy(ier).
whaa? what's this mean?
And... how do we use it ? Do we have to compile it ? (Cause I tried... and failed...)
what adlekob said - some help?
gcc -o <out> <in> -lssl -lcrypto
sillywilly I get some errors when I try to compile the source...
what file format do we need to put this is? .c? I know about compiling it.
And if I compiled it, would it be illegal to distribute it, or even give a guide on how to compile it and use it?
if any had an answer email me: jprincey2k8@yahoo.co.uk please.
I get many errors when using sillywilly's method and also using: gcc GenPass.c -o GenPass
I need help from the people who wrote this.
it probably won't help you anyway. You probably need to link with some libraries, also nobody will be of any help if you don't show any errors.
But you don't have to try, it probably won't be any bit useful...
Honestly, if you can't compile it, you don't need it. -lcrypto should suffice on any NIX-like OS, while -lcrypto -lgdi32 should work on Windows.
By default Mac has an ancient rev of OpenSSL, so if you look in the svn under /trunk/GenPass/docs/ I explain how I got it built on mine.
got it i think i got it
so for some reason this doesnt work for me in beta 2, it doesnt give me the proper keys for the file system. shouldn't it be used something like this?
./GenPass s5l8900x 018-4875-7.dmg 018-4872-6.dmg
genpass.c: In function `main':
genpass.c:74: warning: integer constant is too large for "long" type
genpass.c:75: warning: integer constant is too large for "long" type
genpass.c:76: warning: integer constant is too large for "long" type
genpass.c:77: warning: integer constant is too large for "long" type
genpass.c:101: warning: passing arg 4 of `qsort' from incompatible pointer type
gcc.exe genpass.o -o "iphone.exe" -L"C:/Program Files/DEV-CPP/Lib"
genpass.o(.text+0x78):genpass.c: undefined reference to `SHA1'
genpass.o(.text+0x384):genpass.c: undefined reference to `SHA256_Init'
genpass.o(.text+0x3a1):genpass.c: undefined reference to `SHA256_Update'
genpass.o(.text+0x462):genpass.c: undefined reference to `SHA256_Update'
genpass.o(.text+0x4f2):genpass.c: undefined reference to `SHA256_Update'
genpass.o(.text+0x557):genpass.c: undefined reference to `SHA256_Update'
genpass.o(.text+0x58a):genpass.c: undefined reference to `SHA256_Final'
genpass.o(.text+0x665):genpass.c: undefined reference to `EVP_CIPHER_CTX_init'
genpass.o(.text+0x66a):genpass.c: undefined reference to `EVP_des_ede3_cbc'
genpass.o(.text+0x69d):genpass.c: undefined reference to `EVP_DecryptInit_ex'
genpass.o(.text+0x6d1):genpass.c: undefined reference to `EVP_DecryptUpdate'
genpass.o(.text+0x6f9):genpass.c: undefined reference to `EVP_DecryptFinal_ex'
collect2: ld returned 1 exit status
make.exe: [iphone.exe] Error 1
how to compile in windows?
So, I compile this code on my mac, but I can't use it, because it always got "incorrect" keys. I'll try to use many syntax (with or without platform ID, replace main and restore ramdisk image), but it doesn't work for me.
Chronic, can you check source for errors, or could you write an example for beta 2 (or, maybe beta 1 and beta 3)?
Thank you
For some reason this doesn't work with the root filesystem image from iPhone OS 3.0 beta 3. But using the same binary I get correct keys for beta 2... So is there a reason why it doesn't work with beta 3?
I keep getting the same error on my Macbook 10.5.6. I'm trying to compile it using the way will.chronicdev said but it doesn't work:
Last login: Mon Apr 20 17:39:23 on ttys000
John-Franks-MacBook-2:~ johnny1$ cd ~/desktop/build/openssl
John-Franks-MacBook-2:openssl johnny1$ gcc genpass.c openssl/libcrypto.a -o genpass -I openssl/include/
i686-apple-darwin9-gcc-4.0.1: openssl/libcrypto.a: No such file or directory
genpass.c: In function ‘hash_platform’:
genpass.c:30: warning: pointer targets in passing argument 1 of ‘SHA1’ differ in signedness
genpass.c: In function ‘main’:
genpass.c:74: warning: integer constant is too large for ‘long’ type
genpass.c:75: warning: integer constant is too large for ‘long’ type
genpass.c:76: warning: integer constant is too large for ‘long’ type
genpass.c:77: warning: integer constant is too large for ‘long’ type
genpass.c:82: error: ‘SHA256_CTX’ undeclared (first use in this function)
genpass.c:82: error: (Each undeclared identifier is reported only once
genpass.c:82: error: for each function it appears in.)
genpass.c:82: error: syntax error before ‘ctx’
genpass.c:101: warning: passing argument 4 of ‘qsort’ from incompatible pointer type
genpass.c:103: error: ‘ctx’ undeclared (first use in this function)
nice work chronic spot on!
Hi, Nice work...How could I get IV and KEY from a firmware?
Thanks
What am I doing wrong? It seems no matter what I try, I get these compiler errors and wrong keys on both 10.5.2 and 10.5.6.
justin-clffords-mac-pro:Downloads Justin$ gcc genpass.c openssl/libcrypto.a -o genpass -I openssl/include/
genpass.c: In function ‘hash_platform’:
genpass.c:30: warning: pointer targets in passing argument 1 of ‘SHA1’ differ in signedness
genpass.c: In function ‘main’:
genpass.c:74: warning: integer constant is too large for ‘long’ type
genpass.c:75: warning: integer constant is too large for ‘long’ type
genpass.c:76: warning: integer constant is too large for ‘long’ type
genpass.c:77: warning: integer constant is too large for ‘long’ type
genpass.c:101: warning: passing argument 4 of ‘qsort’ from incompatible pointer type
Hey guy could you tell meif any one is working on iphone 3GS 3.1.3 MC model jailbreak coz it gives me the shits. coz i updated with out reading everyting properly. thnx
For if(buffer) free(buffer); and if(passphrase) free(passphrase);, you don't need to do the if, because the C standard guarantees that free(0) is well-behaved and does nothing.