Recover IPSF Zero'd LTOKEN (Fix IPSF)

Overview

IPSF is known to zero out the LTOKEN in seczone; it may be recovered by using the cache file (which contains the original values from before IPSF ran). Those of you who have fully restored the phone after IPSF: sorry, you no longer have a chance to get this cache file — send your complaints to IPSF.

Saving the cache

IPSF users should do the following: 1. Make sure you have the BSD subsystem on your iPhone. 2. Log into your iPhone and type:

cp $(find /var/root/Library/Caches/bbsimfree -name "*.cache") /ipsf.cache

If you get an error like “missing destination file” then you either have no cache (you’re not able to recover) or you typed something wrong. 3. Copy that ipsf.cache off of your iPhone and save it! It contains very valuable data. The existence of this important file was reported by sh1n1gam1 on the elite team’s forum.


Using the cache

To recover your token manually, do the following:

1. Using a hex editor, find the LTOKEN1.0 string in the cache and note its starting offset (call this value “A”).

2. Compute the offset of the encrypted seczone, which will be 0x810 bytes after the start of that string:

B = A + 0x810.

Suppose A = 0x1E7; then B = 0x1E7 + 0x810 = 0x9F7 (see How IPSF Work for details about that 0x810 constant).

3. Extract the 0x2000 bytes beginning at offset B into a file called “en”.

4. Run geohot’s deipsf program (source code included at the end of this article; you have to compile it) to produce the “de” file. That is your original seczone (note: deipsf works only on little-endian architectures like x86 or ARM).

5. Sanity check the “de” file. It should begin with 0x100 bytes of “FF”, followed by non-FF bytes. If you don’t see that, then something went wrong — try again. If everything’s fine, rename “de” to “seczone.bin”.

6. Take the following steps to write the original seczone back to your phone (get the tools IPSF Revirginizer) :

Produce our special loader on Windows
geomaker.exe seczone.bin (produce seczone_loader.bin, seczone.bin is the original seczone)
Do fixing on iPhone
./iUnlock 314secpack seczone_loader.bin (write our special bootloader - the fixer)
bbupdater -v (let our bootloader do the magic)
bbupdater -f ICE03.14.08_G.fls -e ICE03.14.08_G.eep (reflash the baseband)
bbupdater -v

Source code of deipsf (written by Geohot):

#include <stdio.h>
#include <stdlib.h>

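/*
 * Round function of the cipher: combines one word from each of the four
 * 256-entry S-boxes, selected by the four bytes of r1 (most significant
 * byte selects from the first box).
 *
 * key layout, in 32-bit words: key[0x00..0x11] are the 18 round subkeys,
 * and the four S-boxes of 0x100 words each start at word offsets
 * 0x48/4, 0x448/4, 0x848/4 and 0xC48/4 (byte offsets in the original
 * firmware table, hence the "/4").
 *
 * Returns ((S0[a] + S1[b]) ^ S2[c]) + S3[d], with the additions wrapping
 * modulo 2^32. The accumulator is unsigned so that wrap is well defined;
 * the original accumulated in a signed int, where the overflow is UB.
 * Only reads key, so it is taken as const (callers may still pass a
 * non-const table).
 */
unsigned int corecrypto(const unsigned int *key, unsigned int r1)
{
    unsigned int r0 = key[((r1 >> 0x18) & 0xff) + (0x48 / 4)];
    r0 += key[((r1 >> 0x10) & 0xff) + (0x448 / 4)];
    r0 ^= key[((r1 >> 0x8) & 0xff) + (0x848 / 4)];
    r0 += key[(r1 & 0xff) + (0xC48 / 4)];
    return r0;
}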

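/*
 * Decrypts one 64-bit block (*r1, *r2) in place.
 *
 * Runs the 16 Feistel rounds in reverse order (subkeys key[0x11] down to
 * key[0x2]), then undoes the output whitening with key[0] / key[1]. This is
 * the inverse of doencrypt, which walks key[0x0..0xF] and whitens with
 * key[0x11] / key[0x10]. key must be the 0x412-word table built by genkey.
 *
 * The working halves are unsigned: the original kept them in int, so every
 * xor with the unsigned table went through an implementation-defined
 * narrowing conversion.
 */
void dodecrypt(unsigned int *key, unsigned int *r1, unsigned int *r2)
{
    unsigned int left = *r1;
    unsigned int right = *r2;

    for (int t = 0x11; t > 0x1; t--) {
        unsigned int mixed = key[t] ^ left;
        left = corecrypto(key, mixed) ^ right;
        right = mixed;   /* swap halves for the next round */
    }

    /* output whitening; the halves are also swapped back here */
    *r1 = key[0] ^ right;
    *r2 = key[1] ^ left;
}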

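/*
 * Encrypts one 64-bit block (*r1, *r2) in place.
 *
 * 16 Feistel rounds using subkeys key[0x0..0xF]: each round xors the
 * subkey into the left half, passes the result through corecrypto, xors
 * that into the right half and swaps the halves. The final output
 * whitening with key[0x11] / key[0x10] also swaps the halves back.
 * dodecrypt reverses this. genkey calls this repeatedly on a running
 * block while it rebuilds the table in place.
 *
 * The working halves are unsigned; the original kept them in int and
 * relied on implementation-defined narrowing on every xor.
 */
void doencrypt(unsigned int *key, unsigned int *r1, unsigned int *r2)
{
    unsigned int left = *r1;
    unsigned int right = *r2;

    for (int t = 0; t < 0x10; t++) {
        unsigned int mixed = key[t] ^ left;
        left = corecrypto(key, mixed) ^ right;
        right = mixed;   /* swap halves for the next round */
    }

    /* output whitening; the halves are also swapped back here */
    *r1 = key[0x11] ^ right;
    *r2 = key[0x10] ^ left;
}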

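/*
 * Derives the 0x412-word cipher table `key` from a salt/passphrase.
 *
 * Table layout (32-bit words):
 *   key[0x00..0x11]              18 round subkeys
 *   key[0x12 + i*0x100 .. +0xFF] S-box i, i = 0..3
 *                                (byte offset 0x48 + i*0x400, hence "/4")
 *
 * Steps, mirroring the firmware routine at 0xB000C304:
 *  1. fill the S-boxes from the multiplicative generator r0 *= 0x59,
 *     seeded with 0xA413598F;
 *  2. build each subkey from 4 salt bytes (MSB first, cycling through the
 *     salt) xored with the continuing generator stream;
 *  3. encrypt an all-zero block repeatedly, overwriting first the subkeys
 *     and then the S-boxes with the successive ciphertexts (each call
 *     continues from the previous output, as in the Blowfish schedule).
 *
 * Salt bytes are read as unsigned char so a byte >= 0x80 is not
 * sign-extended into the upper 24 bits; plain char is signed on x86 but
 * commonly unsigned on ARM, so this keeps the two hosts consistent.
 * len must be >= 1 (the salt index only wraps when it reaches len); the
 * function returns without touching key if key/salt is NULL or len <= 0.
 */
void genkey(unsigned int *key, char salt[], int len)    //0xB000C304->0xB000D34C=0x1048
{
    enum { NSUBKEYS = 0x12, SBOX_WORDS = 0x100, SBOX_BASE = 0x48 / 4, NBOXES = 4 };
    unsigned int r0 = 0xA413598F;

    if (key == NULL || salt == NULL || len <= 0) {
        return;
    }

    /* 1. S-boxes from the generator stream */
    for (unsigned int box = 0; box < NBOXES; box++) {
        unsigned int *sbox = key + SBOX_BASE + box * SBOX_WORDS;
        for (unsigned int i = 0; i < SBOX_WORDS; i++) {
            sbox[i] = r0;
            r0 *= 0x59;
        }
    }

    /* 2. subkeys = (4 salt bytes, big-endian) xor generator stream */
    int strpos = 0;
    for (unsigned int k = 0; k < NSUBKEYS; k++) {
        unsigned int word = 0;
        for (int b = 0; b < 4; b++) {
            word = (word << 8) | (unsigned char)salt[strpos];
            if (++strpos == len) {
                strpos = 0;
            }
        }
        key[k] = word ^ r0;
        r0 *= 0x59;
    }

    /* 3. overwrite subkeys, then S-boxes, with a running encryption of a
     * zero block; doencrypt reads the table it is rewriting, so order matters */
    unsigned int s1 = 0, s2 = 0;
    for (unsigned int k = 0; k < NSUBKEYS; k += 2) {
        doencrypt(key, &s1, &s2);
        key[k] = s1;
        key[k + 1] = s2;
    }
    for (unsigned int box = 0; box < NBOXES; box++) {
        unsigned int *sbox = key + SBOX_BASE + box * SBOX_WORDS;
        for (unsigned int i = 0; i < SBOX_WORDS; i += 2) {
            doencrypt(key, &s1, &s2);
            sbox[i] = s1;
            sbox[i + 1] = s2;
        }
    }
}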

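/* Load / store a 32-bit word in little-endian byte order, independent of
 * host endianness and alignment. */
static unsigned int le32_load(const unsigned char *p)
{
    return (unsigned int)p[0] | ((unsigned int)p[1] << 8) |
           ((unsigned int)p[2] << 16) | ((unsigned int)p[3] << 24);
}

static void le32_store(unsigned char *p, unsigned int v)
{
    p[0] = (unsigned char)(v & 0xff);
    p[1] = (unsigned char)((v >> 8) & 0xff);
    p[2] = (unsigned char)((v >> 16) & 0xff);
    p[3] = (unsigned char)((v >> 24) & 0xff);
}

/*
 * Reads the encrypted seczone image "en" from the current directory,
 * decrypts it 8 bytes at a time with the table derived from the fixed
 * passphrase "iphonesimfree.com" (0x11 bytes), and writes the result to "de".
 *
 * Each block is loaded as two little-endian 32-bit words and stored back the
 * same way, so the output no longer depends on the host: the original cast
 * unsigned char* to unsigned int*, which only produced the intended bytes on
 * little-endian machines and was an unaligned, aliasing access besides.
 * Bytes after the last full 8-byte block are copied through unchanged
 * (the original would have read past the buffer for them).
 *
 * Returns 0 on success, 1 if "en" cannot be opened or read, memory cannot
 * be allocated, or "de" cannot be written.
 */
int main(void)
{
    unsigned int key[0x412];
    unsigned char *buffer = NULL;
    FILE *f = NULL;
    long fsize = 0;
    int rc = 1;

    printf("IPSF Decrypter by geohot\n");
    printf("I get better at reversing every day :)\n");
    genkey(key, "iphonesimfree.com", 0x11);
    printf("Key generated\n");

    f = fopen("en", "rb");
    if (f == NULL) {
        perror("fopen en");
        goto out;
    }
    if (fseek(f, 0, SEEK_END) != 0) {
        perror("fseek en");
        goto out;
    }
    fsize = ftell(f);
    if (fsize < 0) {
        perror("ftell en");
        goto out;
    }
    printf("File size: %ld\n", fsize);
    rewind(f);

    /* +1 so an empty "en" still yields a non-NULL buffer to pass to fwrite */
    buffer = malloc((size_t)fsize + 1);
    if (buffer == NULL) {
        fprintf(stderr, "out of memory\n");
        goto out;
    }
    if (fread(buffer, 1, (size_t)fsize, f) != (size_t)fsize) {
        fprintf(stderr, "short read on en\n");
        goto out;
    }
    fclose(f);
    f = NULL;
    printf("File read\n");

    /* one 64-bit block per iteration; a trailing partial block is left as-is */
    for (long a = 0; a + 8 <= fsize; a += 8) {
        unsigned int w1 = le32_load(buffer + a);
        unsigned int w2 = le32_load(buffer + a + 4);
        dodecrypt(key, &w1, &w2);
        le32_store(buffer + a, w1);
        le32_store(buffer + a + 4, w2);
    }
    printf("Decryption done\n");

    f = fopen("de", "wb");
    if (f == NULL) {
        perror("fopen de");
        goto out;
    }
    if (fwrite(buffer, 1, (size_t)fsize, f) != (size_t)fsize) {
        fprintf(stderr, "short write on de\n");
        goto out;
    }
    /* fclose flushes; a failure here means "de" is incomplete on disk */
    if (fclose(f) != 0) {
        perror("fclose de");
        f = NULL;
        goto out;
    }
    f = NULL;
    printf("File written\n");
    rc = 0;

out:
    if (f != NULL) {
        fclose(f);
    }
    free(buffer);
    return rc;
}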

One Comment

  1. aldo
    Posted February 19, 2008 at 6:10 am | Permalink

    Hello,

    I was able to retrieve the cache file. But I don't know how to compile and run geohot’s deipsf program.
    Could you give me any hint on this? Or is there a GUI for this?

    Thanks
    Aldo
