UPDATE: In firmware 2.0.5A258f, the ramdisk is no longer a 8900 file, it’s just a normal ramdisk (slightly prepended/appened), so this tool will not work (currently) on 2.0.5A258f has been updated to support the latest firmware 2.0 5A258f. UPDATE: Works on 5A274d as well.
UPDATE: Fixed a bug that causes decryption failure if there are spaces in path/filename.
UPDATE: Added a routine to fix the generated DMG.
This is a small tool to simplify some firmware related jobs. Normally, you will take the following steps when you’ve got a new firmware:
1. Decompress firmware
2. Decrypt ramdisk
3. Extract rootfs decryption key
4. Decrypt rootfs
5. Extract important files
If you are on Mac OS X, you are lucky because you can easily find all the needed tools for the above jobs, and you can write an easy wrapper script to automate these jobs, but on Windows, there seems no such a tool yet, that’s why I write this small tool, gzDecryptor, check the following snapshot:
You may get gzDecryptor from HERE.
To use gzDecryptor, simply choose your firmware file, and click Decrypt button, it will create a folder (same name as your firmware, but without extension) and extract firmware contents into the folder, then a decrypted folder will be created to hold all the decrypted files.
gzDecryptor uses openssl to decrypt ramdisk, uses vfdecrypt to decrypt rootfs, uses dmg2img (code from soft-upgrade) to extract the partition from decrypted rootfs, then it tries to extract baseband files and secpack.
After the decryption, you get the following files:
ramdisk.dmg (mountable ramdisk image)
rootfs.dmg (mountable rootfs image)
key.txt (contains rootfs decryption key)
secpack
ICE*.fls, ICE*.eep (baseband firmware)
lockdownd
The following is the snapshot of the decrypted files for firmware 2.0 Build 5A258f:
NOTICE: The decompressed rootfs is mountable on Mac OS X but you have to ignore the warning message, the message is because the file might have some useless bytes appended/prepended.
UPDATE: The tool now tries to fix the generated DMG and to remove the useless bytes, hopefully this can remove the warning message.
36 Comments
lebeya32.dll ? where i can find it?
thnx
Thx!
but a file is missing.
liveay32.dll.
i meant
libeay32.dll
lol :)
I’ve download libeya32.dll (Google rules!!!), but it can’t fild input dot aes_cbc_encrypt procedure. George, can you upload this file?
thx
(sorry for my english)
I keep getting the Missing ssleay32.dll at Decrypting ramdisk stage (although i have that file in my XP \windows\system32 )
Ok, package updated and contains needed DLLs so you don’t have to install OpenSSL manually. Please download the new package.
Hi George, i re-downloaded the package (now, no errors about missing files), buy it errors while trying to decrypt ramdisk, only unpacks the .ipsw
@sourgrape, sorry no idea because I just tried it on another WinXP machine, and worked fine for me.
heh …no worries, i know how to do it manually.
I’m just intrigued why it doesn’t pass the decrypt ramdisk stage…dunno
Anyway, keep it up, it’s always a pleasure to read your blog and test your apps =)
Link it statically.
It’s alive!!!
Thanks to George!!!
Hi George,
Thanks for the great tool.
@sourgrape, I’m just intrigued why it doesn’t pass the decrypt ramdisk stage…dunno
Extract iDecryptor to root directory, and copy fw to same folder, this works !
(It will not work if the iDecryptor folder/ipsw folder is on the desktop etc … (lengthy/long dirs !))
V!kram (India)
I find some bug:
if fw name like this “iPhone 2.0 (5A240d).ipsw” (with space), iDecryptor says “Error”
What is the recommended program for mounting the .DMGs?
I’m using PowerISO, and it will mount all ramdisks and the 1.1.3/4 file systems, but none of the 2.0 file systems..
haha thats weird as hell i guess great minds think alike i have been working on something that does the same thing but is not as awesome as yours :P (no gui, doesn’t get secpack, no 5a258f support, named ipswdecrypt)
btw i know this might be the wrong place but if you are not too busy can you ask francis to upload the latest rev of ipswtool he has been working on to the svn? he showed me screenshots but didnt upload it becasue the old one is still there. thanks man!
@James: There are no free apps for it afaik. you could always check the bay if you really didn’t want to pay :P
The best one by far is one called MacDrive. It actually mounts the dmg so that you can browse it like a real hard drive in the My Computer window, and it will mount the other hard drive if you have OSx86 installed on your computer also.
@Vikram
You’re absolutely right!! :-)
I had the tool in a folder at the desktop…no dice. Moved to root, all done, thanks.
And major props to George once again.
@King Chronic: It seems like that is a little excessive for me, and it requires more than 1GB of RAM, which I don’t have.
Do you know what program George is using in the screenshot, by any chance?
Hi George
It doesnt work for me.
I tried it on both iPhone1,1_1.1.4_4A102_Restore.ipsw and iPhone1,1_1.1.3_4A93_Restore.ipsw.
but fails to decrypt the ramdisk.
Actually, George, I think you get that warning message even if you just use a straight-up vfdecrypted rootfs (that’s been happening to me for 1.1.4), so it probably isn’t dmg2img. Don’t know what causes it.
@planetbeing, I just tried a vfdecrypted rootfs, and yes there’s warning when trying to mount it.
@George, I hope you’ll fix a bug with decrypting rootfs iphone beta software (5A240d) (PowerISO and MacDrive can’t open rootfs.dmg).
How can I see rootfs 5A240d on my WinPC
@cartman, yeah I know that, you may mount it on OS X (ignore warning message). I’ll fix it in next update.
@George, I haven’t Mac…
hm, i have an itouch firmware, will it work?
New version is working fine.
gzDecryptor Cannot Decryptor 1.1.1 - 1.1.4
It works for 1.1.2, 1.1.3, 1.1.4, 1.2, 2.0.
1.0 , 1.0.1 , 1.0.2 , 2.0(5A225c) , 2.0(5A240d) Can Decrypt.
But 1.1.1 , 1.1.2 , 1.1.3 , 1.1.4 Can’t Decrypt.
Error Messenge: (ERROR: Unable to find decryption key)
Works fine for me, its your problem.
@George Zhu
可以告诉我哪里可以下载到firmware 2.0.5A258f 吗?找了好久找不到:(
谢谢
gzDecryptor works flawlessly on beta 5 firmware … - thx George !
1204
Anyone know how the baseband and secpack are extracted from the ramdisk?
This tool works perfect until beta 8, then it cannot find the decrypt key anymore. Any chance on a update ?
Yes the same here works perfect until beta 8.
cannot find the decrypt key.
Would you update the tool for beta 8 to work?
One Trackback
[...] More info, via George Zhu’s Blog [...]