Saturday, April 5, 2008

Extracting your original seczone from an iPhone NOR dump

In this post, secpack refers to the key that unlocks the baseband for reprogramming. The secpack must match the baseband firmware currently on the phone. This file is required for ieraser to work.

The seczone is the encrypted data that uniquely identifies your phone. This is the data that iphonesimfree.com (ipsf) replaced with zeroes in order to unlock the phone. That behavior is fine as long as Apple doesn't update their software to check the RSA key, but I prefer the way the iphone-dev team is handling things, in a reversible manner, so I want my phone's unique key back.

So to recover the data lost by ipsf you need one of the following:
  • The cache file ipsf generated and left on your phone; if you have since restored your phone, it is gone
  • A dump of the entire NOR using a program like speedynor
  • The geohot version of ipsf's unlock also left a file on your machine with the data needed to undo the process
Since the only one of these that isn't already well documented is the dump of the entire NOR, I will cover that method.

Back before the first unlock came out I used speedynor's older brother, which took forever to run. I had dumped this file because I wanted to look into it at some point but hadn't gotten around to it. Lucky for me, because ipsf claimed a full unlock, but what they actually did was exploit a flaw in the RSA key system.

I first pulled just the seczone from the file using dd. The relevant command is: dd if=dump of=seczone.bin skip=0x3FA000 count=0x2000 bs=1. If you open the seczone.bin file in hexdump -Cv you will notice that everything up to 0x100 is FF, and your key starts at 0x400 and goes to 0x480. An ipsf seczone will have zeroes from 0x400 to 0x453.

I then took this seczone.bin dump to a Windows PC and ran geomaker.exe against it, which generates a secpack.bin_loader file. The geomaker application is unfortunately Windows only, but I managed to run it in wine. Geomaker makes what seems to be a special bootloader that restores the RSA key. I also grabbed a copy of ieraser v2 and the revirgin software. I was using a different version of the firmware than the one mentioned in most other articles, and things weren't going well with iUnlock, so I used ieraser first. Then I flashed it to 03.14.08_G, which came from the 1.0.2 release of iPhone OS. Once I had 3.14.08_G on the phone I ran iUnlock and everything went perfectly.

Extracting your iPhone bootloader

After jailbreaking your phone, install SSH and copy over speedynor from iPhone elite. It will dump your NOR into a file called geodump. SCP geodump back to your computer and run dd if=geodump of=bootloader.bin count=0x20000 bs=1. This drops the bootloader from your phone into the bootloader.bin file.
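The two dd commands above (the seczone slice at 0x3FA000 and the 0x20000-byte bootloader at the start of the dump) can be done in one pass, together with the hexdump sanity checks the post describes. The following is an added example written for this page, not code from the post or from the speedynor/geomaker tools; the offsets and the FF/zero patterns are the ones stated above, the synthetic dump in make_test_dump() is constructed so the script runs offline, and the "original" / "ipsf-zeroed" labels are this example's own naming.

```python
"""Slice the seczone and bootloader out of a raw iPhone NOR dump and
report whether the RSA-key region looks intact or ipsf-zeroed.
Added example, not from the original post."""
import sys

# Offsets and sizes exactly as the post's dd / hexdump description gives them.
SECZONE_OFFSET = 0x3FA000          # dd skip=0x3FA000
SECZONE_SIZE = 0x2000              # dd count=0x2000
BOOTLOADER_SIZE = 0x20000          # dd count=0x20000 from offset 0
ERASED_PREFIX = 0x100              # bytes 0x000-0x100 of a seczone read as FF
KEY_START, KEY_END = 0x400, 0x480  # where the phone's RSA key lives
ZEROED_START, ZEROED_END = 0x400, 0x453  # region ipsf overwrites with zeroes


def extract_seczone(nor: bytes) -> bytes:
    """Equivalent of dd if=dump of=seczone.bin skip=0x3FA000 count=0x2000 bs=1."""
    if len(nor) < SECZONE_OFFSET + SECZONE_SIZE:
        raise ValueError("dump too short to contain the seczone")
    return nor[SECZONE_OFFSET:SECZONE_OFFSET + SECZONE_SIZE]


def extract_bootloader(nor: bytes) -> bytes:
    """Equivalent of dd if=geodump of=bootloader.bin count=0x20000 bs=1."""
    if len(nor) < BOOTLOADER_SIZE:
        raise ValueError("dump too short to contain the bootloader")
    return nor[:BOOTLOADER_SIZE]


def classify_seczone(seczone: bytes) -> str:
    """Return 'original', 'ipsf-zeroed' or 'unexpected' (labels are this
    example's own). Mirrors what you would eyeball in hexdump -Cv."""
    if len(seczone) != SECZONE_SIZE:
        return "unexpected"
    # A sane seczone starts with 0x100 bytes of FF.
    if any(b != 0xFF for b in seczone[:ERASED_PREFIX]):
        return "unexpected"
    # ipsf's unlock leaves 0x400-0x453 zeroed out.
    if all(b == 0 for b in seczone[ZEROED_START:ZEROED_END]):
        return "ipsf-zeroed"
    key = seczone[KEY_START:KEY_END]
    # A key region that is entirely FF or entirely 00 is not a real key either.
    if all(b == 0xFF for b in key) or all(b == 0 for b in key):
        return "unexpected"
    return "original"


def make_test_dump(zeroed: bool) -> bytes:
    """Constructed synthetic NOR image for offline runs; NOT a real dump.
    Everything is FF except a fake bootloader marker and a fake key."""
    nor = bytearray(b"\xFF" * (SECZONE_OFFSET + SECZONE_SIZE))
    nor[0:16] = b"FAKE-BOOTLOADER!"
    # Deterministic, non-trivial bytes standing in for the RSA key.
    fake_key = bytes((i * 37 + 11) & 0xFF for i in range(KEY_END - KEY_START))
    nor[SECZONE_OFFSET + KEY_START:SECZONE_OFFSET + KEY_END] = fake_key
    if zeroed:
        nor[SECZONE_OFFSET + ZEROED_START:SECZONE_OFFSET + ZEROED_END] = (
            b"\x00" * (ZEROED_END - ZEROED_START))
    return bytes(nor)


def main(argv):
    if len(argv) != 2:
        print("usage: norslice.py <nor-dump>", file=sys.stderr)
        return 2
    with open(argv[1], "rb") as fh:
        nor = fh.read()
    seczone = extract_seczone(nor)
    with open("seczone.bin", "wb") as fh:
        fh.write(seczone)
    with open("bootloader.bin", "wb") as fh:
        fh.write(extract_bootloader(nor))
    print("seczone looks:", classify_seczone(seczone))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against a real geodump to get seczone.bin and bootloader.bin written next to it; the classification line tells you before you go anywhere near geomaker whether the key region still holds your original data or has already been zeroed by ipsf.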

Generating an iPhone secpack

A secpack is a little piece of data that is required to update the baseband on your iPhone. The file is 2048k in size and can be generated using the ICE*.{eep,fls} files that come in the Apple iPhone restore download. Once you have this file in place you can use a tool like ieraser to wipe your baseband, and then apply new baseband software using bbupdate. For a full description of what a secpack contains you might appreciate this blog post on secpack authentication.

Download one of the ipsw files from Apple, for example the 1.1.4 firmware. The ipsw file, which iTunes normally downloads before your phone is upgraded or restored, is actually just a zip file with a different extension. Some browsers will unzip the file automatically, which is sort of annoying.

You will need to visit the iPhone elite downloads section and procure 8900decrypter and, optionally, vfdecrypt. These two programs decrypt the dmg files within the ipsw zip file. 8900decrypter is the only tool necessary for getting to the ICE files; it decrypts any 8900-type file encrypted with the key 0x188458A6D15034DFE386F23B61D43774. See the iPhone elite description of 8900decrypter.