UID – Is a hardware encryption key and unique per device. It is used to generate key 0x835, key 0x89B. The key is only accessible from kernel mode and can not available to user land process. However the restriction can be bypassed by patching IOAESAccelerator kernel service.
GID – Is a hardware encryption key and unique for every iPhone model. It is used to generate key 0x837.
Key 0x835 – Computed at boot time by the kernel. The key is generated by encrypting the hex value 01010101010101010101010101010101 with UID key. It is used as a device key and protects the class keys. The key is also used to encrypt Backup keychain database.
Key 0x837 – Generated by encrypting 345A2D6C5050D058780DA431F0710E15 with GID key. The key is used to decrypt iOS files during firmware update.
Key 0x89B – Computed at boot time by the kernel. The key is generated by encrypting the hex value 183E99676BB03C546FA468F51C0CBD49 with UID key.
Jean Sigwald from Sogeti has released open source forensic tool kit including the scripts to extract keys, decrypt keybags, bruteforce iPhone passcode, etc.
I’ve compiled the code and prepared executables which can be executed directly on the iPhone. The executable files works for all iOS 5 devices including iPhone 4s and iPad 2.
Extract Keys on iPhone:
1. Jailbreak your iPhone.
2. Install openssh from cydia. This allows to do SSH to the device.
3. On Windows workstation, download AESTools, Winscp & Putty tools.
4. Connect iPhone and workstation to the same WI-FI network.
5. Run winscp and connect to the iPhone by typing iPhone IP address, root as username and alpine as password.
6.Copy device_infos, bruteforce, kernel_patcher executables to iPhone root directory.
7.Run putty and connect to the iPhone by typing iPhone IP, root as username and alpine as password.
8.On putty terminal, type below commands to change the permissions of executable files loaded onto device.
chmod 777 kernel_patcher chmod 777 device_infos chmod 777 bruteforce
9. Hardware keys can only be accessed from kernel. In order to use them from user land first we have to patch
IOAESAccelerator kernel service. Kernel_patcher script modifies the kernel and patches IOAESAccelerator.
10. Running device_info extract the keys and stores in a plist file.
11. Data protection class keys stored in the system keybag can be extracted by running bruteforce script. Class keys are protected with passcode key and key 0x835. The script bruteforces the passcode and grabs the passcode key. Later it extracts the keys from keybag and stores the result in a plist file.
Note: The scripts works only on iOS 5.x devices.