
Extracting AES keys from iPhone

The iPhone application processor comes with two built-in encryption keys, UID and GID. The OS running on the device cannot read these hardcoded keys, but it can use them to generate the other encryption keys used for data protection, media encryption and keychain encryption. The hardcoded keys can only be used from the bootloader and from kernel mode.

UID – A hardware encryption key, unique per device. It is used to generate key 0x835 and key 0x89B. The key is only accessible from kernel mode and is not available to user-land processes. However, this restriction can be bypassed by patching the IOAESAccelerator kernel service.

GID – A hardware encryption key, unique per iPhone model. It is used to generate key 0x837.

Key 0x835 – Computed at boot time by the kernel. The key is generated by encrypting the hex value 01010101010101010101010101010101 with the UID key. It is used as a device key and protects the class keys. The key is also used to encrypt the backup keychain database.

Key 0x837 – Generated by encrypting 345A2D6C5050D058780DA431F0710E15 with the GID key. The key is used to decrypt iOS files during a firmware update.

Key 0x89B – Computed at boot time by the kernel. The key is generated by encrypting the hex value 183E99676BB03C546FA468F51C0CBD49 with the UID key.
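The three derivations above are each a single raw AES block encryption of a fixed, public plaintext under a hardware key. The Go program below is an added example written for this page; it is not code from the post or from the Sogeti toolkit. It assumes placeholder UID and GID values (constructed, since the real ones never leave the AES engine) and assumes 32-byte hardware keys, a length the page does not state; any length AES accepts works the same way. It derives keys 0x835, 0x89B and 0x837 for two devices of the same model to show which keys are per-device and which are per-model.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/hex"
	"fmt"
)

// Plaintext blocks named on the page. The kernel encrypts each one under a
// hardware key and uses the ciphertext as a software-visible key.
var (
	Plain0x835 = mustHex("01010101010101010101010101010101") // UID -> key 0x835
	Plain0x89B = mustHex("183E99676BB03C546FA468F51C0CBD49") // UID -> key 0x89B
	Plain0x837 = mustHex("345A2D6C5050D058780DA431F0710E15") // GID -> key 0x837
)

// DeviceKeys holds the three derived keys for one device.
type DeviceKeys struct {
	Key0x835, Key0x89B, Key0x837 []byte
}

// DeriveKey encrypts exactly one 16-byte block under hwKey (raw AES, no mode
// and no IV), which is the derivation step the page attributes to the kernel.
// hwKey must be 16, 24 or 32 bytes; the real UID/GID length is not given on
// the page, so the caller's choice is an assumption.
func DeriveKey(hwKey, plain []byte) ([]byte, error) {
	if len(plain) != aes.BlockSize {
		return nil, fmt.Errorf("plaintext must be %d bytes, got %d", aes.BlockSize, len(plain))
	}
	c, err := aes.NewCipher(hwKey)
	if err != nil {
		return nil, err
	}
	out := make([]byte, aes.BlockSize)
	c.Encrypt(out, plain)
	return out, nil
}

// DeriveDeviceKeys computes keys 0x835 and 0x89B from the UID and key 0x837
// from the GID, exactly as the page describes.
func DeriveDeviceKeys(uid, gid []byte) (DeviceKeys, error) {
	var dk DeviceKeys
	var err error
	if dk.Key0x835, err = DeriveKey(uid, Plain0x835); err != nil {
		return DeviceKeys{}, err
	}
	if dk.Key0x89B, err = DeriveKey(uid, Plain0x89B); err != nil {
		return DeviceKeys{}, err
	}
	if dk.Key0x837, err = DeriveKey(gid, Plain0x837); err != nil {
		return DeviceKeys{}, err
	}
	return dk, nil
}

// RecoverPlain decrypts a derived key back to its plaintext constant under
// the same hardware key; it is used to check that the derivation round-trips.
func RecoverPlain(hwKey, derived []byte) ([]byte, error) {
	c, err := aes.NewCipher(hwKey)
	if err != nil {
		return nil, err
	}
	out := make([]byte, aes.BlockSize)
	c.Decrypt(out, derived)
	return out, nil
}

func mustHex(s string) []byte {
	b, err := hex.DecodeString(s)
	if err != nil {
		panic(err)
	}
	return b
}

func main() {
	// Constructed placeholder values: two devices of the same model share a
	// GID but have different UIDs. Real hardware keys are not readable at all.
	uidA := bytes.Repeat([]byte{0xA1}, 32)
	uidB := bytes.Repeat([]byte{0xB2}, 32)
	gid := bytes.Repeat([]byte{0x5C}, 32)

	a, _ := DeriveDeviceKeys(uidA, gid)
	b, _ := DeriveDeviceKeys(uidB, gid)
	fmt.Printf("device A key 0x835: %x\n", a.Key0x835)
	fmt.Printf("device B key 0x835: %x\n", b.Key0x835)
	fmt.Printf("device A key 0x89B: %x\n", a.Key0x89B)
	fmt.Printf("key 0x837 (per model): %x\n", a.Key0x837)
	fmt.Println("0x837 identical on both devices:", bytes.Equal(a.Key0x837, b.Key0x837))
}
```

Because the plaintext constants are public, the secrecy of every derived key rests entirely on the hardware key and on the fact that only kernel-mode code can ask the AES engine to use it; that is why the IOAESAccelerator patch described later matters, and why key 0x837, derived from a per-model GID, is the same on every device of that model while 0x835 and 0x89B differ per device.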

Jean Sigwald from Sogeti has released an open source forensic toolkit including scripts to extract keys, decrypt keybags, brute-force the iPhone passcode, etc.

I’ve compiled the code and prepared executables which can be executed directly on the iPhone. The executable files work for all iOS 5 devices including the iPhone 4S and iPad 2.

Extract keys on iPhone:
1. Jailbreak your iPhone.
2. Install OpenSSH from Cydia. This allows you to SSH into the device.
3. On a Windows workstation, download the AESTools, WinSCP & PuTTY tools.
4. Connect the iPhone and the workstation to the same Wi-Fi network.
5. Run WinSCP and connect to the iPhone by typing the iPhone IP address, root as username and alpine as password.
6. Copy the device_infos, bruteforce and kernel_patcher executables to the iPhone root directory.
7. Run PuTTY and connect to the iPhone by typing the iPhone IP, root as username and alpine as password.
8. On the PuTTY terminal, type the commands below to change the permissions of the executable files loaded onto the device.

chmod 777 kernel_patcher
chmod 777 device_infos
chmod 777 bruteforce

9. Hardware keys can only be accessed from the kernel. In order to use them from user land, we first have to patch the IOAESAccelerator kernel service. The kernel_patcher script modifies the kernel and patches IOAESAccelerator.

10. Running device_infos extracts the keys and stores them in a plist file.

11. Data protection class keys stored in the system keybag can be extracted by running the bruteforce script. Class keys are protected with the passcode key and key 0x835. The script brute-forces the passcode and grabs the passcode key. It then extracts the keys from the keybag and stores the result in a plist file.



Note: The scripts work only on iOS 5.x devices.

Posted on April 22, 2012 in iPhone

