However, using CheckM8, we can get access to the AES engine and ask it to derive the decryption key and IV for us by feeding it the KBAG from the firmware component. The key used to decrypt the KBAG lives only in the device's silicon; it cannot be extracted and used outside the device. KBAGs are part of an IMG4 / IM4P container on 64-bit iOS devices, and of IMG3 containers on 32-bit devices such as the iPhone 5, iPhone 5C and 4S.
Now, as you probably know, if you want to build an iOS CFW you need to patch iBEC, iBSS, iBoot, the ramdisk and so on. I am also using the latest version of the CheckM8 exploit, which is part of the ipwndfu repo on GitHub.
The supported devices are the iPhone 4S all the way up to the iPhone X and everything in between. For the sake of this post, I will use an iPod Touch 2019 (iPod Touch 7), which has the A10 chip (compatible with CheckM8). We're going to do this for iOS 13.x, but you could use literally any version on the supported devices. In this post, I am going to show you how to decrypt the iOS boot chain components such as iBEC, iBSS, iBoot, the restore ramdisk and so on by deriving their keys using the CheckM8 SecureROM (BootROM) exploit.
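To make the "KBAG inside an IM4P container" part concrete, here is an added example (my own code, not from the original post and not from ipwndfu) that parses an IM4P file and pulls out its KBAG entries without touching a device. The layout it assumes is the publicly documented Image4 one: a DER SEQUENCE of IA5String magic `IM4P`, IA5String component type, IA5String description, OCTET STRING payload, and an optional OCTET STRING that itself holds a DER SEQUENCE of keybags, each `{ INTEGER type, OCTET STRING iv (16 bytes), OCTET STRING key (32 bytes) }` with type 1 = production and 2 = development. The sample image and all key bytes are constructed placeholders. The point for a defender: what sits in the file is the wrapped IV and key, which is inert until the device's own AES engine unwraps it, so shipping the file leaks nothing by itself.

```python
"""Extract KBAG entries from an IM4P (Image4 payload) container.

Added example, not part of the original post or of ipwndfu. The DER layout
follows the publicly documented Image4 format; the sample image below is
constructed and contains no real Apple firmware or key material.
"""
from typing import List, Tuple

# Universal DER tags that IM4P actually uses.
TAG_INTEGER = 0x02
TAG_OCTET_STRING = 0x04
TAG_IA5STRING = 0x16
TAG_SEQUENCE = 0x30


def der_len(n: int) -> bytes:
    """Encode a DER length (short form < 0x80, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag: int, body: bytes) -> bytes:
    """Wrap `body` in a DER TLV."""
    return bytes([tag]) + der_len(len(body)) + body


def der_read(buf: bytes, off: int) -> Tuple[int, bytes, int]:
    """Read one TLV at `off`; return (tag, value, offset after the TLV)."""
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[off:off + nbytes], "big")
        off += nbytes
    if off + length > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[off:off + length], off + length


def der_items(seq_body: bytes) -> List[Tuple[int, bytes]]:
    """Split the body of a SEQUENCE into (tag, value) children."""
    items, off = [], 0
    while off < len(seq_body):
        tag, val, off = der_read(seq_body, off)
        items.append((tag, val))
    return items


def parse_kbag(kbag_blob: bytes) -> List[dict]:
    """Decode the keybag list: SEQUENCE OF { INTEGER type, OCTET iv, OCTET key }."""
    tag, body, _ = der_read(kbag_blob, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("KBAG is not a SEQUENCE")
    entries = []
    for tag, entry in der_items(body):
        fields = der_items(entry) if tag == TAG_SEQUENCE else []
        if [t for t, _ in fields] != [TAG_INTEGER, TAG_OCTET_STRING, TAG_OCTET_STRING]:
            raise ValueError("malformed keybag entry")
        kind = int.from_bytes(fields[0][1], "big")
        iv, key = fields[1][1], fields[2][1]
        if len(iv) != 16 or len(key) != 32:
            raise ValueError(f"unexpected wrapped IV/key sizes {len(iv)}/{len(key)}")
        entries.append({"type": {1: "production", 2: "development"}.get(kind, f"unknown({kind})"),
                        "iv": iv, "key": key})
    return entries


def parse_im4p(blob: bytes) -> dict:
    """Parse the IM4P header and return type, description, payload size and keybags."""
    tag, body, end = der_read(blob, 0)
    if tag != TAG_SEQUENCE or end != len(blob):
        raise ValueError("not a single DER SEQUENCE covering the file")
    items = der_items(body)
    if len(items) < 4 or items[0] != (TAG_IA5STRING, b"IM4P"):
        raise ValueError("missing IM4P magic")
    if items[1][0] != TAG_IA5STRING or items[2][0] != TAG_IA5STRING or items[3][0] != TAG_OCTET_STRING:
        raise ValueError("unexpected IM4P field types")
    info = {"type": items[1][1].decode("ascii"), "description": items[2][1].decode("ascii"),
            "payload_len": len(items[3][1]), "keybags": []}
    # Optional fifth element: OCTET STRING wrapping the DER keybag list.
    if len(items) > 4 and items[4][0] == TAG_OCTET_STRING:
        info["keybags"] = parse_kbag(items[4][1])
    return info


def build_sample_im4p() -> bytes:
    """Constructed sample: dummy encrypted payload and dummy wrapped keybags."""
    entry = lambda kind, iv, key: der(TAG_SEQUENCE, der(TAG_INTEGER, bytes([kind]))
                                      + der(TAG_OCTET_STRING, iv) + der(TAG_OCTET_STRING, key))
    kbag = der(TAG_SEQUENCE, entry(1, b"\x11" * 16, b"\x22" * 32) + entry(2, b"\x33" * 16, b"\x44" * 32))
    return der(TAG_SEQUENCE, der(TAG_IA5STRING, b"IM4P") + der(TAG_IA5STRING, b"ibec")
               + der(TAG_IA5STRING, b"constructed sample, not a real image")
               + der(TAG_OCTET_STRING, bytes(range(256)) * 4) + der(TAG_OCTET_STRING, kbag))


if __name__ == "__main__":
    info = parse_im4p(build_sample_im4p())
    print(f"component={info['type']} payload={info['payload_len']} bytes")
    for kb in info["keybags"]:  # these are the *wrapped* values as stored in the file
        print(f"  {kb['type']:<12} iv={kb['iv'].hex()} key={kb['key'].hex()}")
```

Point `parse_im4p` at the bytes of a real `.im4p` (for example by reading the file into `blob`) to list its keybags; the hex it prints is the wrapped material, which is exactly what the post goes on to hand to the device's AES engine.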