Dissecting the iPhone firmware image

Void Main
Site Admin
Posts: 5716
Joined: Wed Jan 08, 2003 5:24 am
Location: Tuxville, USA


Post by Void Main »

I'm sure someone else has probably figured this out by now, but it's pretty easy to mount the firmware image under Linux. First get yourself a copy of the firmware from the Apple site and then:

$ unzip iPhone1,1_1.0_1A543a_Restore.ipsw
$ dd if=694-5259-38.dmg bs=2048 skip=1 of=/tmp/iphone.img
$ file /tmp/iphone.img 
/tmp/iphone.img: Macintosh HFS Extended version 4 data last mounted by: 'H+Lx', created: Tue Jun 26 18:40:30 2007, last modified: Tue Jul  3 21:20:16 2007, last checked: Tue Jun 26 20:40:30 2007, block size: 4096, number of blocks: 3838, free blocks: 440
# mount /tmp/iphone.img /mnt -o loop

Then:

$ ls -l /mnt
total 4
drwxr-xr-x 1 root root  9 2007-06-26 20:40 bin
drwxr-xr-x 1 root root  2 2007-05-22 22:54 dev
lrwxr-xr-x 1 root   80 11 2007-06-26 20:40 etc -> private/etc
drwxr-xr-x 1 root root  2 2007-05-22 18:05 mnt1
drwxr-xr-x 1 root root  2 2007-05-22 18:05 mnt2
drwxr-xr-x 1 root root  3 2007-06-19 17:42 private
drwxr-xr-x 1 root root  8 2007-06-26 20:40 sbin
drwxr-xr-x 1 root root  4 2007-06-26 20:40 System
drwxr-xr-x 1 root root  7 2007-06-26 20:40 usr

Then:

$ cat /mnt/etc/master.passwd
##
# User Database
# 
# Note that this file is consulted when the system is running in single-user
# mode.  At other times this information is handled by lookupd.  By default,
# lookupd gets information from NetInfo, so this file will not be consulted
# unless you have changed lookupd's configuration.
##
nobody:*:-2:-2::0:0:Unprivileged User:/var/empty:/usr/bin/false
root:XUU7aqfpey51o:0:0::0:0:System Administrator:/var/root:/bin/sh
mobile:/smx7MYTQIi2M:501:0::0:0:Mobile User:/var/mobile:/bin/sh
daemon:*:1:1::0:0:System Services:/var/root:XUU7aqfpey51o
unknown:*:99:99::0:0:Unknown User:/var/empty:/usr/bin/false

Talk about weak passwords:

# john /mnt/etc/master.passwd 
Created directory: /root/.john
Loaded 2 password hashes with 2 different salts (Traditional DES [64/64 BS MMX])
alpine           (mobile)
dottie           (root)
guesses: 2  time: 0:00:00:57 (3)  c/s: 372674  trying: dewMso - dotty1

Probably totally useless information. Then again, there is a second file system image (694-5262-39.dmg) that is encrypted (encrcdsa), and maybe the password from the first one is the passphrase to decrypt/mount the second file system. I'm not sure if there is a way to decrypt encrypted dmg images in Linux. I would never purchase one of these overpriced, closed-up pieces of crap.
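The dd/file/mount steps above work because the restore .dmg is a 2048-byte wrapper in front of a plain HFS+ volume, whose header sits 1024 bytes into the volume. This added example (not from the original post) reads that header the way `file` did, on a constructed image that carries the same numbers the post shows, so you can check an image before trusting a loop mount of it. The sample image and its dates are constructed; the HFS+ field layout is the standard HFSPlusVolumeHeader.

```python
import struct
from datetime import datetime, timedelta, timezone

WRAPPER = 2048       # bytes that `dd bs=2048 skip=1` drops before the HFS+ volume
VH_OFFSET = 1024     # the HFS+ volume header starts 1024 bytes into the volume
VH_FMT = ">2sHI4s10I"  # first 52 bytes of HFSPlusVolumeHeader, big-endian
HFS_EPOCH = datetime(1904, 1, 1, tzinfo=timezone.utc)

def hfs_date(secs):
    """HFS+ dates are 32-bit unsigned seconds since 1904-01-01."""
    return (HFS_EPOCH + timedelta(seconds=secs)).strftime("%Y-%m-%d %H:%M:%S")

def parse_volume_header(image, wrapper=WRAPPER):
    """Return the fields `file` prints, or raise if no HFS+ header is where it should be."""
    start = wrapper + VH_OFFSET
    vh = image[start:start + struct.calcsize(VH_FMT)]
    if len(vh) < struct.calcsize(VH_FMT):
        raise ValueError("image too short for a volume header at offset %d" % start)
    (sig, version, _attrs, mounted_by, _journal, created, modified, _backup,
     checked, _files, _folders, block_size, total, free) = struct.unpack(VH_FMT, vh)
    if sig not in (b"H+", b"HX"):
        raise ValueError("no HFS+/HFSX signature at offset %d" % start)
    return {
        "signature": sig.decode("ascii"), "version": version,
        "last_mounted_by": mounted_by.decode("latin-1"),   # 'H+Lx' = Linux driver
        "created": hfs_date(created), "modified": hfs_date(modified),
        "checked": hfs_date(checked),
        "block_size": block_size, "total_blocks": total, "free_blocks": free,
        "capacity_bytes": block_size * total,
    }

def build_sample_image():
    """Constructed stand-in for 694-5259-38.dmg: a 2048-byte wrapper, then a
    volume whose header carries the values `file` reported in the post."""
    def secs(*ymdhms):
        return int((datetime(*ymdhms, tzinfo=timezone.utc) - HFS_EPOCH).total_seconds())
    header = struct.pack(VH_FMT, b"H+", 4, 0, b"H+Lx", 0,
                         secs(2007, 6, 26, 18, 40, 30), secs(2007, 7, 3, 21, 20, 16), 0,
                         secs(2007, 6, 26, 20, 40, 30), 0, 0, 4096, 3838, 440)
    return bytes(WRAPPER) + bytes(VH_OFFSET) + header + bytes(4096 - VH_OFFSET - len(header))

if __name__ == "__main__":
    for key, value in parse_volume_header(build_sample_image()).items():
        print("%-16s %s" % (key, value))
```

Running it against a real image means `parse_volume_header(open(path, "rb").read())`; a failure at offset 3072 tells you the wrapper is not 2048 bytes and the dd skip needs adjusting.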
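The master.passwd dump is the interesting part from a review standpoint: both login-capable accounts use 13-character traditional DES crypt hashes (8-character maximum, cheap to brute-force, which is why john finished in under a minute). This added example (not from the original post) parses the BSD master.passwd format and reports the conditions a reviewer of a firmware image would flag: DES or empty hashes on accounts with a real shell, uid 0 with a usable password, two accounts sharing the same hash and salt (hence the same password), and a shell field that is not an absolute path, as in the daemon line quoted above. The sample entries are the ones the post shows.

```python
import re
DES_HASH = re.compile(r"^[./0-9A-Za-z]{13}$")  # traditional crypt(3): 2-char salt + 11-char hash
NOLOGIN_SHELLS = {"/usr/bin/false", "/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}
FIELDS = ("name", "hash", "uid", "gid", "class", "change", "expire", "gecos", "home", "shell")

# The entries quoted in the post (header comment shortened), used here as sample input.
SAMPLE = """\
# User Database
nobody:*:-2:-2::0:0:Unprivileged User:/var/empty:/usr/bin/false
root:XUU7aqfpey51o:0:0::0:0:System Administrator:/var/root:/bin/sh
mobile:/smx7MYTQIi2M:501:0::0:0:Mobile User:/var/mobile:/bin/sh
daemon:*:1:1::0:0:System Services:/var/root:XUU7aqfpey51o
unknown:*:99:99::0:0:Unknown User:/var/empty:/usr/bin/false
"""

def parse_master_passwd(text):
    """BSD master.passwd: ten colon-separated fields per entry, '#' lines are comments."""
    entries = []
    for line in (l for l in text.splitlines() if l.strip() and not l.startswith("#")):
        fields = line.split(":")
        if len(fields) != len(FIELDS):
            raise ValueError("malformed entry: %r" % line)
        e = dict(zip(FIELDS, fields))
        e["uid"], e["gid"] = int(e["uid"]), int(e["gid"])
        entries.append(e)
    return entries

def hash_kind(h):
    # locked, empty, des-crypt (legacy crypt(3)), modular-<id> ($id$salt$hash), or unknown
    if h in ("*", "!", "!!"):
        return "locked"
    if DES_HASH.match(h):
        return "des-crypt"
    if h.count("$") >= 2:
        return "modular-" + h.split("$")[1]
    return "empty" if h == "" else "unknown"

def audit(text):
    # returns (account, problem) pairs; the order follows the file
    findings, seen = [], {}
    for e in parse_master_passwd(text):
        kind, usable = hash_kind(e["hash"]), e["shell"] not in NOLOGIN_SHELLS
        if not e["shell"].startswith("/"):
            findings.append((e["name"], "shell field is not an absolute path"))
        if usable and kind in ("empty", "des-crypt"):
            findings.append((e["name"], "login-capable account, password hash is %s" % kind))
        if usable and e["uid"] == 0 and kind != "locked":
            findings.append((e["name"], "uid 0 account with a usable password"))
        if kind not in ("locked", "empty") and e["hash"] in seen:
            findings.append((e["name"], "same hash and salt as %s, so same password" % seen[e["hash"]]))
        seen.setdefault(e["hash"], e["name"])
    return findings
```

On the post's entries it reports root twice (DES hash, uid 0), mobile once (DES hash) and daemon once (odd shell field); `audit(open("/mnt/etc/master.passwd").read())` runs it over a mounted image.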

Void Main
Site Admin
Posts: 5716
Joined: Wed Jan 08, 2003 5:24 am
Location: Tuxville, USA

Post by Void Main »

Actually I'll bet these are the keys to decrypt the second dmg file system image:

$ ls -l /mnt/System/Library/Lockdown/
total 16
-rw-r--r-- 1 root root 1204 2007-05-26 15:39 SBOOT_S5L8702_DEV.pem
-rw-r--r-- 1 root root 1204 2007-05-26 15:39 SBOOT_S5L8702.pem
-rw-r--r-- 1 root root 1204 2007-05-26 15:39 SBOOT_S5L8900_DEV.pem
-rw-r--r-- 1 root root 1204 2007-05-26 15:39 SBOOT_S5L8900.pem

My guess is if you have a Mac (I don't and have never touched one) you could use the "hdiutil" utility along with those keys to mount the encrypted image. Maybe I can find a way to decrypt them in Linux.

EDIT: Actually it appears a couple of the keys are used by the "asr" (Apple Software Restore) command:

$ strings /mnt/usr/sbin/asr | grep Lockdown
/System/Library/Lockdown/SBOOT_S5L8900.pem
/System/Library/Lockdown/SBOOT_S5L8900_DEV.pem

Man page:
http://developer.apple.com/documentatio ... asr.8.html

Maybe that command used with the related keys will extract the encrypted dmg file. Just speculating...

JoeDude
administrator
Posts: 355
Joined: Sun Feb 08, 2004 1:41 pm
Location: Sutton Coldfield, UK

Post by JoeDude »

get bored much?

Master of Reality
guru
Posts: 562
Joined: Thu Jan 09, 2003 8:25 pm

Post by Master of Reality »

Ah, the less I hear about the iPhone the better. It's so closed... you can't even edit files on it apparently... only view them. What kind of "smart" phone is that?

bah!

(although what a nice way to poke fun at a company... by looking up the passwords and all that jazz in their image.)

Calum
guru
Posts: 1349
Joined: Fri Jan 10, 2003 11:32 am
Location: Bonny Scotland

Post by Calum »

It's just a bloody phone! And a crap one at that. Its only "innovation" is that the keypad's on a screen instead of using rubber buttons.

JoeDude
administrator
Posts: 355
Joined: Sun Feb 08, 2004 1:41 pm
Location: Sutton Coldfield, UK

Post by JoeDude »

And a bigger screen...on the back....

It's the mobile phone version of Starbucks. Without them, we never could have imagined paying $5.00 for a small cup of coffee.

Void Main
Site Admin
Posts: 5716
Joined: Wed Jan 08, 2003 5:24 am
Location: Tuxville, USA

Post by Void Main »

JoeDude wrote: It's the mobile phone version of Starbucks. Without them, we never could have imagined paying $5.00 for a small cup of coffee.
Heh heh, that's a good one. It's funny that when I was a kid you could get a cup of coffee anywhere for a dime. Of course you could get a gallon of gas for a quarter. :)

Master of Reality
guru
Posts: 562
Joined: Thu Jan 09, 2003 8:25 pm

Post by Master of Reality »

I think there are some other phones without buttons (there's an LG that comes to mind); the only thing is that this has their new multitouch screen. That's kinda cool, but not really.
