iOS firmware decryption

1. Research on iOS Device Protec2on
nlog2n
Oct 2015

2. Objec2ve
We study both the underlying cryptographic algorithms
and firmware related vulnerabili2es for iOS in protec2ng
against aDackers exploi2ng the mobile device
– Review of iOS cryptography and exis2ng aDacks against
code signing
– Extrac2ng AES keys for iOS firmware
– Compromising code sign with either downgraded or
patched firmware

3. Research Summary
• We have analyzed iOS system where cryptography architecture and
algorithms are applied, and suggested where and how possibly certain
aDacks can be exploited against device protec2on.
• We have parsed new iOS firmware format and extracted latest SHSH blobs
for firmware code sign
– Firmware of new version is not allowed to downgrade to old version beyond Apple's
2me window. We study the possibility to break that limita2on, where device can be
boot with either "patched" firmware or downgraded version, both of which thus may
contain exploitable vulnerabili2es.
• We have par2ally extracted some low-level derived AES keys from iOS
firmware.
– These encryp2on keys are derived from hardware keys, and can be intercepted if we
break the kernel.

4. 1. iOS Key Hierarchy

5. Passcode derived Keys

6. Encryp'on keys for data protec'on
• UID key : hardware key embedded in the applica2on processor AES
engine, unique for each device. This key can be used but not read
by the CPU. Can be used from bootloader and kernel mode.
• Key 0x835 : Computed at boot 2me by the kernel. Used as "device
key" that protects class keys
– key835 = AES(UID, bytes("01010101010101010101010101010101"))
• Key 0x89B : Computed at boot 2me by the kernel. Used to encrypt
the data par22on key stored on Flash memory. Prevents reading
the data par22on key directly from the NAND chips.
– key89B = AES(UID, bytes("183e99676bb03c546fa468f51c0cbd49"))

7. Other Derived Keys
• EMF key : Data par22on encryp2on key. Also called "media key". Stored encrypted
by key 0x89B
• DKey : NSProtec2onNone class key. Used to wrap file keys for "always accessible"
files on the data par22on. Stored wrapped by key 0x835
• BAG1 key : System keybag payload key (+ini2aliza2on vector). Stored unencrypted
in effaceable area.
• Passcode key : Computed from user passcode or escrow keybag BagKey using
Apple custom deriva2on func2on. Used to unwrap class keys from system/escrow
keybags. Erased from memory as soon as the keybag keys are unwrapped.
• Filesystem key (f65dae950e906c42b254cc58fc78eece) : used to encrypt the
par22on table and system par22on (referred to as "NAND key”)
• Metadata key (92a742ab08c969bf006c9412d3cc79a5) : encrypts NAND metadata

8. 2. Compu2ng Key 0x835 on iPhone
• Key 0x835 is computed by the IOAESAccelerator kernel service at iOS boot
by encryp2ng a sta2c value 01010101010101010101010101010101 with
UID.
• UID is a hardware encryp2on key embedded in the iPhone applica2on
processor AES engine and it is unique for each device. iOS running on the
iPhone cannot read the hardware key (UID) but it uses the key to compute
Key 0x835 in kernel mode. UID is not accessible to user land process.
• This restric2on can be bypassed by patching the IOAESAccelerator kernel
service.
Environment:
MacOS: 10.11 EI Captain
Phone model:
Model: A1586
Device: iPhone 6 (jailbroken)
IPSW info:
Version: 8.3
BuildID: 12F70
Release Date: 08/04/2015
Upload Date: 04/04/2015
Filesize: 1.82 GiB

9. Developed Tools
Developed Tools (based on ios-dataprotec2on project)
• kernel_patch.c: Patch kernel so we can use
IOAESAccelerator in userland
• device_infos.c: extract encryp2on keys (par2al)
• Bruteforce.c: extract data protec2on class keys stored in the
system keybag. Class keys are protected with passcode key
and key 0x835. The script bruteforces the passcode and
grabs the passcode key. Later it extracts the keys from
keybag and stores the result in a plist file.

10. Extracted Keys (par2ally)
• Dkey:
<string>d379daef24f392fc5bfe94698e758bf114ae296cbdc3eedded
33392bae5b3ba8</string>
• ECID: <integer>5116457374519334</integer>
• EMF:
<string>f67b3fd593717ba3baa74b2fd6718903da2676fcf470a9f8f2
0eeffafa28ea54</string>
• Salt: <string>90deb1a5f99c727345992e57e667edf51999d3c6</
string>
• dataVolumeUUID: <string>eea7c772f92b4020</string>
• Udid: <string>af8e103659fedf12c63d3861c61c1870faan06a</
string>
• Uuid: <string>9c572cf33a8c490da02d4523ce42893f</string>

11. 3. Extrac2ng firmware decryp2on key
• IPSW firmware structure
058-15019-073.dmg – restore
058-14818-073.dmg – update
058-14388-073.dmg -- user

12. IM4P Format
• IMG4 firmware format is not widely studied
although SL8900/IMG3 format is well-known
• No exis2ng decryp2on key available for
iPhone6 with iOS 8.3 yet
typedef struct {
uint8_t* magic;
uint8_t* type;
uint8_t* contents;
uint8_t* data;
int dataSize;
uint8_t* kbag;
int kbagSize;
AppleImg4_t *asn1;
} img4_file_t;
See libimg4 code package
The file is an DER encoded ASN.1 object and structured
as follows:
30 Type , 0x0011 0000: P/C constructed, sequence
83 , length = 125
8E, Type, 0x1000 1110: context,
86
D3
16 Type tag indica2ng IAString
04 Length
49 4D 34 50 : “IM4P”

13. Extrac2ng kbags by Parsing IM4 File
Firmware decryp2on key may be further extracted from kbags

14. 4. Extrac2ng SHSH blobs
• Users are not allowed to downgrade (or upgrade) to iOS 8.3 auer Apple closes the
firmware signing window for iOS 8.3. Instead, they have to seDle for whatever firmware
Apple is signing, which is usually the latest.
• Extract SHSH blobs to be prepared for possible downgrade ability.
• Procedure:
– Step 1: Run TinyUmbrella
– Step 2: Connect iOS device (it doesn’t have to be jailbroken!)
– Step 3: Wait as TinyUmbrella fetches and saves blobs to file under “~/.tu/.shsh/” directory in Mac.

15. Proposed Follow-Ups
• Further working on extrac2ng AES keys for iOS
firmware
• Further working on intercep2ng code sign
with either downgraded or patched firmware