tihmstar / img4tool

A tool for manipulating IMG4, IM4M and IM4P files
GNU Lesser General Public License v3.0

img4tool has an exception when trying to extract keybag on some images #27

Closed sitay1 closed 4 years ago

sitay1 commented 5 years ago

```
img4tool -a 17A577/iPhone_5.5_P3/Firmware/all_flash/iBoot.d21.RELEASE.im4p
img4tool version: 0.162-d514ce57f4a104aebe4ba8c20cd7c45f33cf3a68
IM4P: ---------
type: ibot
desc: iBoot-5540.0.117.3
size: 0x000fba90

KBAG
num: 1
e7cb1d847ae406db6bacbbe9a42c6d23
d972f1afd223f10133a787d8d3b6b74e8813c22401f4d0ee6e83c2771ba41c3e
num: 2
72156937d055431352fdf05da10b401c
2b830aeb615befde802e36fd106fd1de8fff0960e0caaee74d4d8c617de9621c

img4tool: failed with exception:
[exception]:
what=[printIM4P] unexpected element at SEQUENCE index 5
code=22937612
line=350
file=img4tool.cpp
commit count=26:
commit sha =4c96389db50eeb7411f6e4c62eb073ef401ca6bd:
```

The issue comes probably from the DER parsing:

```
iOS13 openssl asn1parse -inform der -in 17A577/iPhone_5.5_P3/Firmware/all_flash/iBoot.d21.RELEASE.im4p -dump -dlimit 30
0:d=0 hl=5 l=1030965 cons: SEQUENCE
5:d=1 hl=2 l= 4 prim: IA5STRING :IM4P
11:d=1 hl=2 l= 4 prim: IA5STRING :ibot
17:d=1 hl=2 l= 18 prim: IA5STRING :iBoot-5540.0.117.3
37:d=1 hl=5 l=1030800 prim: OCTET STRING
      0000 - 12 cc 9d 3f 6a 8d 42 06-93 c2 3b e5 a7 d9 41 84 ...?j.B...;...A.
      0010 - 5e 95 74 18 34 a5 dd eb-ed 22 4b 39 7e b5 ^.t.4...."K9~.
1030842:d=1 hl=2 l= 116 prim: OCTET STRING
      0000 - 30 72 30 37 02 01 01 04-10 e7 cb 1d 84 7a e4 06 0r07.........z..
      0010 - db 6b ac bb e9 a4 2c 6d-23 04 20 d9 72 f1 .k....,m#. .r.
1030960:d=1 hl=2 l= 8 cons: SEQUENCE
1030962:d=2 hl=2 l= 1 prim: INTEGER :01
1030965:d=2 hl=2 l= 3 prim: INTEGER :15DE00
```


When I tried to use the kbag that was printed here (kbag1), I wasn't able to decrypt the iBoot on iPhone7+.

Had the same issue in iPhone X 13.2.1 (17A861) - and there the decryption did work. So not sure if the kbag is correct or not.

LLB.d11.RELEASE.im4p.zip

iBoot.d11.RELEASE.im4p.zip

tihmstar commented 5 years ago

Looks like img4 file format added a new field at the end. img4tool complains because that field is unknown. For now you can ignore this, since it doesn't affect the fields before. I will take a look and try to figure out what this field does. From briefly looking at the information you provided, my first guess is that it could be the uncompressed file size. If the file is compressed it would explain why decryption fails even though you provide the correct keys (img4tool tries to check whether decryption succeeds by looking for predefined values in the decrypted image).
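
An added illustration of the comment above, not part of the thread and not img4tool's code: this Python example walks the top-level DER elements of an IM4P laid out as in the asn1parse dump and records an unrecognised trailing element instead of raising, so the fields before it (including the KBAG) are still returned. All function names are hypothetical, and the sample bytes are constructed, with a zero-filled payload, IVs and keys.

```python
# Added example (not img4tool code): tolerant walk of an IM4P's top-level DER elements.
def read_tlv(buf, off):
    """Return (tag, value_start, value_end) of the DER element at off."""
    if off + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                 # long form: low 7 bits count the length bytes
        n = length & 0x7F
        if not 1 <= n <= 4:
            raise ValueError("unsupported DER length")
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    if off + length > len(buf):
        raise ValueError("element runs past end of buffer")
    return tag, off, off + length

def children(buf):
    """Split the value of a constructed element into [(tag, value), ...]."""
    out, off = [], 0
    while off < len(buf):
        tag, vs, ve = read_tlv(buf, off)
        out.append((tag, buf[vs:ve]))
        off = ve
    return out

def parse_im4p(buf):
    tag, vs, ve = read_tlv(buf, 0)
    elems = children(buf[vs:ve]) if tag == 0x30 else []
    if len(elems) < 4 or elems[0] != (0x16, b"IM4P"):
        raise ValueError("not an IM4P container")
    info = {"type": elems[1][1].decode(), "desc": elems[2][1].decode(),
            "size": len(elems[3][1]), "kbag": [], "unknown": []}
    for i, (t, v) in enumerate(elems[4:], 4):
        if i == 4 and t == 0x04:      # KBAG: OCTET STRING wrapping a SEQUENCE of key entries
            for _, e in children(children(v)[0][1]):
                num, iv, key = (x for _, x in children(e))
                info["kbag"].append((int.from_bytes(num, "big"), iv.hex(), key.hex()))
        elif t == 0x30:               # unrecognised SEQUENCE (index 5 in the dump): keep INTEGERs
            info["unknown"].append((i, [int.from_bytes(x, "big", signed=True) for tt, x in children(v) if tt == 0x02]))
        else:                         # any other unknown element: keep raw bytes, do not abort
            info["unknown"].append((i, v))
    return info

def tlv(tag, val):                    # tiny DER encoder (values < 256 bytes), for the sample only
    head = bytes([len(val)]) if len(val) < 0x80 else bytes([0x81, len(val)])
    return bytes([tag]) + head + val
def kbag_entry(num):                  # constructed entry: zero-filled 16-byte IV, 32-byte key
    return tlv(0x30, tlv(0x02, bytes([num])) + tlv(0x04, bytes(16)) + tlv(0x04, bytes(32)))
SAMPLE = tlv(0x30, tlv(0x16, b"IM4P") + tlv(0x16, b"ibot") + tlv(0x16, b"iBoot-5540.0.117.3")
             + tlv(0x04, bytes(8)) + tlv(0x04, tlv(0x30, kbag_entry(1) + kbag_entry(2)))
             + tlv(0x30, tlv(0x02, b"\x01") + tlv(0x02, b"\x15\xde\x00")))
```

`parse_im4p(SAMPLE)["unknown"]` holds the index and decoded integers of the trailing SEQUENCE; the example does not interpret them.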

tihmstar commented 4 years ago

Added bvx2 support in d597e2f939aacfa77897b27f83f47ad338dc7d68. Img4tool should now properly decrypt and unpack compressed images.