Saturday, April 5, 2008

Extracting your original seczone from an iPhone NOR dump

In this post, secpack will refer to the key that unlocks the baseband for reprogramming. The secpack should match the firmware currently on the phone; this file is required for ieraser to work.

The seczone is the encrypted data that uniquely identifies your phone. This is the data that iphonesimfree.com (ipsf) replaced with zeroes in order to unlock the phone. This behavior is fine as long as Apple doesn't upgrade their software to check the RSA key, but I prefer the way the iphone-dev team is handling things in a reversible manner, so I want my phone's unique key back.

So to recover the data lost by ipsf you need one of the following:
  • The cache file ipsf generated and left on your phone; if you have subsequently restored your phone, it is gone.
  • A dump of the entire NOR, made with a program like speedynor.
  • The geohot version of ipsf's unlock also left a nice file on your machine with the data needed to undo the process.
Since the only topic that isn't already well documented is the dump of the entire NOR, I will cover this method.

Back before the first unlock came out I used speedynor's older brother, which took forever to run. I had dumped this file because I wanted to look into it at some point but hadn't gotten around to it. Lucky for me, because ipsf claimed a full unlock, but what they did was exploit a flaw in the RSA key system.

I first pulled just the seczone out of the dump using dd; the relevant section is:

dd if=dump of=seczone.bin skip=0x3FA000 count=0x2000 bs=1

If you open seczone.bin with hexdump -Cv you will notice that the bytes up to 0x100 are all FF, and your key starts at 0x400 and goes to 0x480. An ipsf seczone will have zeroes from 0x400 to 0x453.

I then took this seczone.bin dump to a Windows PC and ran geomaker.exe against it, which generates a secpack.bin_loader file. The geomaker application is unfortunately Windows only, but I managed to run it in wine. Geomaker makes what seems to be a special bootloader that restores the RSA key. I also grabbed a copy of ieraser v2 and the revirgin software. I was using a different version of the firmware than the one mentioned in most other articles, and things weren't going well with iUnlock, so I used ieraser first. Then I flashed it to 03.14.08_G, which came from the 1.0.2 release of iPhone OS. Once I had 03.14.08_G on the phone I ran iUnlock and everything went perfectly.
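As an added example (not code from the original post, and not part of any of the tools it mentions), the following Python script does offline what the dd and hexdump steps above do by hand: it slices the seczone out of a NOR dump at the offsets the post gives, writes it to seczone.bin, and classifies the key region as intact, ipsf-zeroed (0x400 to 0x453 all zero) or unexpected, so you know before you go anywhere near geomaker whether the dump actually still holds your key. The offsets are the ones stated above; the function names, the 'unexpected' rules and the constructed test image are assumptions made for illustration.

```python
"""Extract the seczone from an iPhone NOR dump and check its RSA key region.

Added example, not code from the original post. The offsets are the ones the
post gives; function names and the constructed test image are assumptions.
"""
import sys
from pathlib import Path

SECZONE_OFFSET = 0x3FA000          # seczone offset inside the NOR dump (post: dd skip=0x3FA000)
SECZONE_SIZE = 0x2000              # seczone length (post: dd count=0x2000 bs=1)
FF_PREFIX_END = 0x100              # post: bytes up to 0x100 in the seczone are all FF
KEY_START, KEY_END = 0x400, 0x480  # post: the key runs from 0x400 to 0x480
IPSF_ZERO_END = 0x453              # post: an ipsf seczone has zeroes from 0x400 to 0x453


def extract_seczone(nor: bytes) -> bytes:
    """Same slice as `dd if=dump of=seczone.bin skip=0x3FA000 count=0x2000 bs=1`."""
    end = SECZONE_OFFSET + SECZONE_SIZE
    if len(nor) < end:
        raise ValueError(f"dump is {len(nor):#x} bytes; need at least {end:#x} to reach the seczone")
    return nor[SECZONE_OFFSET:end]


def classify_seczone(seczone: bytes) -> str:
    """Classify a seczone as 'intact', 'ipsf-zeroed' or 'unexpected'.

    'unexpected' (an assumed category) covers anything that does not match the
    layout the post describes: wrong size, missing FF prefix, or a key region
    that is still erased flash. It stops a bad dump being mistaken for a key.
    """
    if len(seczone) != SECZONE_SIZE:
        return "unexpected"
    if any(b != 0xFF for b in seczone[:FF_PREFIX_END]):
        return "unexpected"
    if all(b == 0x00 for b in seczone[KEY_START:IPSF_ZERO_END]):
        return "ipsf-zeroed"
    key = seczone[KEY_START:KEY_END]
    if all(b == 0xFF for b in key):
        return "unexpected"          # erased flash: no key was ever written here
    return "intact"


def hexdump(data: bytes, base: int = 0) -> list[str]:
    """Render bytes in the style of `hexdump -Cv`: offset, 16 hex bytes, ASCII column."""
    lines = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        ascii_part = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)
        lines.append(f"{base + off:08x}  {hexpart:<47}  |{ascii_part}|")
    return lines


def make_synthetic_dump(key: bytes, ipsf_zeroed: bool = False) -> bytes:
    """Build a CONSTRUCTED NOR image, just big enough to hold the seczone, for offline runs.

    The seczone is filled with FF (erased flash), the 0x80-byte key is placed at
    0x400, and with ipsf_zeroed=True the 0x400..0x453 range is zeroed the way
    the post describes an ipsf seczone.
    """
    if len(key) != KEY_END - KEY_START:
        raise ValueError("key must be exactly 0x80 bytes")
    seczone = bytearray(b"\xFF" * SECZONE_SIZE)
    seczone[KEY_START:KEY_END] = key
    if ipsf_zeroed:
        seczone[KEY_START:IPSF_ZERO_END] = bytes(IPSF_ZERO_END - KEY_START)
    return bytes(SECZONE_OFFSET) + bytes(seczone)


def main(argv: list[str]) -> int:
    """Usage: python seczone_check.py <nor_dump> [seczone.bin]"""
    if len(argv) < 2:
        print(main.__doc__)
        return 2
    seczone = extract_seczone(Path(argv[1]).read_bytes())
    out = Path(argv[2] if len(argv) > 2 else "seczone.bin")
    out.write_bytes(seczone)
    print(f"wrote {out} ({len(seczone):#x} bytes); key region is: {classify_seczone(seczone)}")
    print("\n".join(hexdump(seczone[KEY_START:KEY_END], base=KEY_START)))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as python seczone_check.py dump to get seczone.bin plus a hexdump of the 0x400 to 0x480 region; make_synthetic_dump exists only so the checks can be exercised without a real phone dump. The script reads the dump and writes the slice; it never writes to the phone.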
