Monday, January 28, 2008

Decrypt iPhone filesystem Firmware using Mac OS or Linux

If you use Mac OS and want to extract the iPhone firmware on your computer, you can follow the instructions below. If you use a Windows PC, please refer to another post here

(1) get the vfdecrypt binary for Mac (Universal Binary)

If you use Linux, you can get the source code from here and compile it with
gcc vfdecrypt.c -o vfdecrypt -lcrypto

For this Linux version, line 357 should be changed to
  while((c = getopt(argc, argv, "hvi:o:p:k:")) != -1) {

(2) Run the shell script below to download the firmware and get the decrypted dmg






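#!/bin/sh
# The per-version settings (ipswname<ver>, ipswurl<ver>, decrypted<ver>,
# dmgname<ver>, key<ver>) and the default version did not survive on this
# page; define them here before running.

# default is to get the latest firmware
# you can pass multiple arguments
# in command line to get more than one
if [ $# -lt 1 ]
then
  getipsw="$latest"   # placeholder: the default version is not shown on this page
else
  getipsw="$*"
fi

for ipsw_ver in $getipsw
do
  # look up this version's settings by variable name
  ipswname=$(eval "echo \$$(echo ipswname${ipsw_ver})")
  ipswurl=$(eval "echo \$$(echo ipswurl${ipsw_ver})")
  decryptedname=$(eval "echo \$$(echo decrypted${ipsw_ver})")
  dmgname=$(eval "echo \$$(echo dmgname${ipsw_ver})")
  key=$(eval "echo \$$(echo key${ipsw_ver})")
  ipswpath="./$ipswname"          # assumed: files are kept in the current directory
  decryptpath="./$decryptedname"  # assumed, as above

  if [ -f "$ipswpath" ]
  then
    echo Firmware $ipsw_ver "$ipswname" found
  else
    echo Downloading firmware $ipsw_ver $ipswname
    curl "$ipswurl" > "$ipswpath"
  fi

  if [ -f "$decryptpath" ]
  then
    echo Firmware $ipsw_ver "$decryptedname" found
  elif [ -f "$ipswpath" ]
  then
    echo Extracting firmware $ipsw_ver $dmgname
    unzip -o "$ipswname" "$dmgname" -d .
    if [ -f "$dmgname" ]
    then
      echo Decrypting firmware $ipsw_ver $ipswname
      ./vfdecrypt -i "$dmgname" -o "$decryptedname" -k "$key"
    fi
  fi
done
echo Jobs Completed!!!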

(3) Mount the decrypted dmg in Mac OS by double-clicking the filename

(4) For the firmware key for 1.0.1, you can run
strings 009-7662-6.dmg | egrep "^[0-9a-fA-F]{72}$"
This is how you find the key.

(5) This is where you can find the Firmware download link from Apple


Friday, January 25, 2008

Decrypt iPhone filesystem Firmware

This shows how to extract the iPhone filesystem software (firmware files) from the Apple iPhone software download using a PC (source: iPhone Dev wiki)

(1) For Firmware 1.0.1
(i) get the vfdecrypt101.exe from Rapid share
(ii) get the Apple's iPhone firmware 1.0.1 and rename it with extension .zip and unzip it
(run) vfdecrypt101 main_dmg_of_101.dmg decrypted101.dmg

(2) For Firmware 1.0.2
(i) get the vfdecrypt102.exe from Rapid share
(ii) get the Apple's iPhone firmware 1.0.2 and rename it with extension .zip and unzip it
(run) vfdecrypt102.exe 694-5298-5.dmg decrypted102.dmg

(3) For Firmware 1.1.1
(i) get the vfdecrypt111.exe from Rapid share
(ii) get the Apple's iPhone firmware 1.1.1 and rename it with extension .zip and unzip it
(run) vfdecrypt111.exe 022-3602-17.dmg decrypted111.dmg

(4) For Firmware 1.1.2
(i) get the vfdecrypt112.exe from Rapid share
(ii) get the Apple's iPhone firmware 1.1.2 and rename it with extension .zip and unzip it
(run) vfdecrypt112.exe 022-3725-1.dmg decrypted112.dmg

(5) For Firmware 1.1.3
(i) get the vfdecrypt.exe from Rapid Share
(ii) get the Apple's iPhone firmware 1.1.3 and rename it with extension .zip and unzip it
(run) vfdecrypt -i 022-3743-100.dmg -o decrypted113.dmg -k 11070c11d93b9be5069b643204451ed95aad37df7b332d10e48fd3d23c62fca517055816

(6) For Firmware 1.1.4
(i) get the vfdecrypt.exe from Rapid Share
(ii) get the Apple's iPhone firmware 1.1.4 and rename it with extension .zip and unzip it
(run) vfdecrypt -i 022-3894-4.dmg -o decrypted114.dmg -k d0a0c0977bd4b6350b256d6650ec9eca419b6f961f593e74b7e5b93e010b698ca6cca1fe

(7) For Firmware 2.0 beta (Build 5A225c) (MD5 8254ccf38735bc74b38fb432ce982081) (expired 8 April 2008)
(i) Google Search iPhone1,1_2.0_5A225c_Restore.ipsw
(ii) Rename it with extension .zip and unzip it
(run) vfdecrypt -i 018-3473-4.dmg -o decrypted20b2.dmg -k ea14f3ec624c7fdbd52e108aa92d13b16f6b0b940c841f7bbc7792099dae45da928d13e7

(8) For Firmware 2.0 beta (Build 5A240d) (MD5 429142d57db7cf94d4c29ee4da7f21cc) (to be expired 15 May 2008)
(i) Google Search iPhone1_1_2.0_5A240d_Restore.ipsw
(ii) Rename it with extension .zip and unzip it
(run) vfdecrypt -i 018-3553-6.dmg -o decrypted20b3.dmg -k e24bfab40a2e5d3dc25e089291846e5615b640897ae8b424946c587bcf53b201a1041d36

(9) For Firmware 2.0 beta (Build 5A258f) (MD5 f7a2937c32615545ba339c330356d9ad) (to be expired 4 June 2008)
(i) Google Search iPhone 2.0 Beta 4 (5a258f)
(ii) Rename it with extension .zip and unzip it (unzip -o iPhone1,1_2.0_5A258f_Restore.ipsw 018-3585-6.dmg)
(run) ./vfdecrypt -i 018-3585-6.dmg -o decrypted20b4.dmg -k 198d6602ba2ad2d427adf7058045fff5f20d05846622c186cca3d423ad03b5bc3f43c61c
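
A check to run on an image found by web search before unzipping it, as an added example (not code from the original post): it compares the file against the MD5 listed above for that build and extracts only the named dmg. The function names and the layout of the KNOWN_IPSW table are assumptions made for this example; the digests and dmg names are the ones listed on this page.

```python
import hashlib
import zipfile
from pathlib import Path

# Copied from this page: build -> (MD5 of the .ipsw, name of the encrypted dmg).
KNOWN_IPSW = {
    "5A225c": ("8254ccf38735bc74b38fb432ce982081", "018-3473-4.dmg"),
    "5A240d": ("429142d57db7cf94d4c29ee4da7f21cc", "018-3553-6.dmg"),
    "5A258f": ("f7a2937c32615545ba339c330356d9ad", "018-3585-6.dmg"),
}


def md5_of(path, chunk_size=1 << 20):
    """Hash the file in chunks so a large IPSW is never held in memory at once."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def extract_dmg(ipsw_path, build, dest_dir, known=KNOWN_IPSW):
    """Verify the IPSW against the listed MD5, then extract only the named dmg.

    Raises KeyError for a build with no listed digest and ValueError when the
    digest differs or the archive does not contain the expected member.
    """
    expected_md5, dmg_name = known[build]
    actual_md5 = md5_of(ipsw_path)
    if actual_md5 != expected_md5.lower():
        raise ValueError(f"{ipsw_path}: MD5 {actual_md5} != expected {expected_md5}")
    # An IPSW is a zip archive, so it can be opened without renaming it.
    with zipfile.ZipFile(ipsw_path) as archive:
        if dmg_name not in archive.namelist():
            raise ValueError(f"{ipsw_path}: no member named {dmg_name}")
        return Path(archive.extract(dmg_name, dest_dir))
```

Calling extract_dmg("iPhone1,1_2.0_5A258f_Restore.ipsw", "5A258f", ".") does the same job as the unzip command in step (9), but stops before extraction when the download does not match the listed digest.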

Read the detailed steps for decrypting iPhone firmware 1.1.3 here

(a) To run vfdecrypt on a PC you need libeay32.dll as well
(b) To extract the contents of the dmg image on a PC you need hfsexplorer or dmg2img.exe
You need the Java Runtime if you use hfsexplorer

You can also use PowerISO 4.0 in Windows to examine and extract contents of Mac OS X *.dmg file

You can mount the decrypted image directly in Mac OS or Linux. To mount the DMG:
dd if=694-5259-38.dmg of=ramdisk.dmg bs=512 skip=4 conv=sync
mount -o loop decrypted112.img /mnt/decrypted112


The key for the 1.01 revision is : 28c909fc6d322fa18940f03279d70880e59a4507998347c70d5b8ca7ef090ecccc15e82d

The key for the 1.02 revision is : 7d5962d0b582ec2557c2cade50de90f4353a1c1de07b74212513fef9cc71fb890574bfe5

The key for the 1.1.1 revision is : f45de7637a62b200950e550f4144696d7ff3dc5f0b19c8efdf194c88f3bc2fa808fea3b3

The key for the 1.1.2 revision is :

The key for the 1.1.3 revision is :

The key for the 1.1.4 revision is : d0a0c0977bd4b6350b256d6650ec9eca419b6f961f593e74b7e5b93e010b698ca6cca1fe

The key for the 1.2.0 beta (Build 5A147p) (md5 iPhone1,1_1.2_5A147p_Restore.ipsw = 3539f0b912812fd56ac1019d8fce4fc2 ) is: 86bec353ddfbe3fb750e9d7905801f79791e69acf65d16930d288e697644c76f16c4f16d

The key for the 2.0 beta (Build 5A225c) (md5 iPhone1,1_2.0_5A225c_Restore.ipsw = 8254ccf38735bc74b38fb432ce982081 ) is: ea14f3ec624c7fdbd52e108aa92d13b16f6b0b940c841f7bbc7792099dae45da928d13e7

The key for the 2.0 beta (Build 5A240d) (md5 iPhone1_1_2.0_5A240d_Restore.ipsw = 429142d57db7cf94d4c29ee4da7f21cc) is: e24bfab40a2e5d3dc25e089291846e5615b640897ae8b424946c587bcf53b201a1041d36

The key for the 2.0 beta (Build 5A258f) (md5 iPhone1,1_2.0_5A258f_Restore.ipsw = f7a2937c32615545ba339c330356d9ad) is: 198d6602ba2ad2d427adf7058045fff5f20d05846622c186cca3d423ad03b5bc3f43c61c

read this for the decrypt method

The key for the 2.0 beta (Build 5A274d) (md5 iPhone1,1_2.0_5A274d_Restore.ipsw = 1e671faa31d876602161d9bb463e15da) is: 589df25eaa4ff0a5e29e1425fb99bf50957888ff098ba2fcb72cf130f40e15e00bcf2fc7

Read this on how to find the key for firmware 1.1.1 or above

For example, for firmware 1.1.4, you can find the decryption key by running this in the Mac OS X Terminal

# first extract the ramdisk image file from the ipsw file
unzip -o iPhone1,1_1.1.4_4A102_Restore.ipsw 022-3896-4.dmg -d .

# strip off the first 0x800 bytes and the trailing certificate
dd if=022-3896-4.dmg of=022-3896-4.stripped.dmg bs=512 skip=4 count=36640 conv=sync

# use the method of GEORGE HOTZ and ignore the error
openssl enc -d -in 022-3896-4.stripped.dmg -out ramdisk-022-3896-4.dmg -aes-128-cbc -K 188458A6D15034DFE386F23B61D43774 -iv 0

# print out the ramdisk key from the image
strings ramdisk-022-3896-4.dmg | egrep "^[0-9a-fA-F]{72}$"

If you have the 8900decryptor binary, you can get the same decrypted image file and key from

./8900decryptor 022-3896-4.dmg 022-3896-4.8900decrypted.dmg
strings 022-3896-4.8900decrypted.dmg | egrep "^[0-9a-fA-F]{72}$"
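
What the final strings | egrep step does, written out as an added example (not code from the original post): it collects printable runs the way strings does by default and keeps only runs that are exactly 72 hex digits. The function names and the sample buffer are constructed for this example, and the split of the 72 digits into a 16-byte AES key followed by a 20-byte HMAC-SHA1 key is an assumption about how vfdecrypt reads -k, not something stated on this page.

```python
import re
from typing import List, Tuple

# Printable runs as `strings` reports them by default: 4+ bytes of space..~ or tab.
_PRINTABLE_RUN = re.compile(rb"[\x20-\x7e\t]{4,}")
# Same test as the egrep in the post: the whole line is exactly 72 hex digits.
_KEY_LINE = re.compile(rb"[0-9a-fA-F]{72}")


def find_key_candidates(image: bytes) -> List[str]:
    """Return every printable run that is exactly 72 hex characters long."""
    found = []
    for run in _PRINTABLE_RUN.finditer(image):
        if _KEY_LINE.fullmatch(run.group()):
            found.append(run.group().decode("ascii").lower())
    return found


def split_key(key_hex: str) -> Tuple[bytes, bytes]:
    """Split a 72-hex-digit -k value into a 16-byte and a 20-byte part.

    Assumption: the AES-128 key comes first, the HMAC-SHA1 key second.
    """
    if len(key_hex) != 72:
        raise ValueError("expected 72 hex digits, got %d" % len(key_hex))
    raw = bytes.fromhex(key_hex)  # raises ValueError on non-hex input
    return raw[:16], raw[16:]


# Constructed sample standing in for a decrypted ramdisk (not real firmware,
# and SAMPLE_KEY is not a real key).
SAMPLE_KEY = "0123456789abcdef" * 4 + "deadbeef"
SAMPLE_IMAGE = b"".join([
    b"\x00\x10H+\x00\x04",                    # binary noise, too short to be a run
    b"/usr/sbin/asr\x00",                     # ordinary string: not hex
    SAMPLE_KEY.encode() + b"\x00",            # exact 72-digit run: reported
    SAMPLE_KEY[:-1].encode() + b"\x00",       # 71 digits: ignored
    b"key=" + SAMPLE_KEY.encode() + b"\n",    # hex inside a longer line: ignored
    b"g" * 72 + b"\x00",                      # 72 characters but not hex: ignored
])

if __name__ == "__main__":
    for candidate in find_key_candidates(SAMPLE_IMAGE):
        aes_key, hmac_key = split_key(candidate)
        print(candidate, len(aes_key), len(hmac_key))
```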


Wednesday, January 23, 2008

Create US iTunes Account (if you are outside US and don't have US credit card)

see here for the latest instruction for App Store purchase without US credit card information

Recently there were problems upgrading the iPod Touch to firmware 1.1.3 in countries where there is no iTunes Music Store. Below is one of the methods you can use to create a US iTunes Account.

(1) Go to this website
and get a redeem code (see the screen dump below) to redeem it in the US iTunes Store (you need the iTunes application on your PC/Mac)
Code Expiration: September 30th, 2008

(2) Open iTunes and click iTunes Store. Look at the right-hand side and find the quick links. Click “Redeem” under quick links.

(3) Enter the code you copied from Step 1.

(4) Choose to create a new account. Enter a valid US address (find one in Google): you need a valid and matching city (e.g. Piscataway), state (e.g. NJ) and zip code (e.g. 08854), a telephone number (3 digits for the area code and 7 digits for the telephone number, e.g. (852)9123456) and your own email address. Choose none for payment method to create a new iTunes Account.
To find a valid address in the US, you can also make use of Google Maps on the iPhone. For example, first search for a city, say San Francisco, then search for Starbucks.

(5) Then you will get 34 free songs from iTunes and these songs will go to your "purchased" playlist. Now you can grab the Album Art and the free song of the week.

(6) Buy US iTunes gift certificate from ebay (search here) or from your friend in US (tell him to email you the Activation Code and the Card Serial Number)

(7) Redeem your gift certificate in iTunes and start purchasing songs and videos or upgrade your iPod Touch to Firmware 1.1.3 (you need US$19.99 + tax)

(8) Sometimes the activation code of the gift certificate is difficult to read. After a few retries, you will be presented with a help link that takes you to another screen and asks you to input the activation code and the card serial number from the bottom left-hand side of the iTunes gift card (as per the screen dump below)

(9) Alternatively, even with no value in iTunes account you could get free iTunes songs from here


Saturday, January 19, 2008

Global proxy server for EEE PC Linux

If you use an EEE PC in a Linux environment and you are behind a firewall, you have to set up the proxy server in various applications. Here are a few examples

(1) Firefox (web browser)

Edit -> Preferences -> Network tab -> Settings button -> choose manual proxy configuration

(2) apt-get (install/update package)

In terminal, run
export http_proxy="http://user:pw@proxyaddress:port"

e.g. in Hong Kong Public Library
export http_proxy=""

(3) svn (subversion)

edit the [global] section in this file ~/.subversion/servers

e.g. in Hong Kong Public Library
http-proxy-host =
http-proxy-port = 8080

(4) wget

add the following to ~/.wgetrc file:
http_proxy =
use_proxy = off
wait = 15
use the following command option --proxy say to enable ad hoc proxy
wget --proxy

Tuesday, January 15, 2008

Copy & Paste in Terminal Window - EEE PC Linux Easy Mode

Copy & Paste in terminal window:
(1) Highlight the text in terminal window
(2) Press Shift-Insert = paste highlighted to current cursor position

Copy from terminal window and paste to other application:

(1) Highlight the text in terminal window
(2) Select other application
(3) Click Middle Mouse Button = paste highlighted text of terminal window to the current mouse position of other application

Monday, January 14, 2008

Currency and HK Stocks in iPhone

^HSI Hang Seng Index
0005.HK HSBC Holdings
0066.HK MTR Corporation
1398.HK ICBC (Hong Kong Listing)
601398.SS ICBC (Mainland Listing)
2388.HK BOC Hong Kong
3988.HK BOC (Hong Kong Listing)
601988.SS BOC (Mainland Listing)
0939.HK CCB (Hong Kong Listing)
601929.SS CCB (Mainland Listing)

JPY=X Japanese Yen
GBPUSD=X British Pound
AUD=X Australian Dollar
CHF=X Swiss Franc
CAD=X Canadian Dollar
HKD=X Hong Kong Dollar
Asian Indices
European Indices
Dow Jones

iPhone Voicemail Button Setting

Phone Operator       GSM Dial Code
-----------------    ------------------
3(2G)                *5005*86*91239123#
3(3G)                *5005*86*63323232#
CSL/One2Free         *5005*86*988#
HK New World         *5005*86*60331238#
PCCW                 *5005*86*63888892#
Smartone-vodafone    *5005*86*138#
PEOPLES              *5005*86*218#

Other GSM codes

iPhone EDGE Setting

Phone Operator       APN
-----------------    ------------------
PCCW                 pccw
One2Free             HKCSL
Sunday               sgprs
HK New World         internet
Smartone-vodafone    smartone-vodafone


Saturday, January 12, 2008

Internet Radio in EEE PC

Stream settings in Music Manager
Commercial Radio 1 mms://
Commercial Radio 2 mms://
Metro 997 mmsh://
Metro Finance mmsh://
RTHK Radio 1
RTHK Radio 2
RTHK Radio 3
RTHK Radio 4
RTHK Radio 5

Settings in Media Player

Commercial Radio 1 mms://
Commercial Radio 2 mms://
Metro 997
Metro Finance
RTHK Radio 1 mms://
RTHK Radio 2 mms://
RTHK Radio 3 mms://
RTHK Radio 4 mms://
RTHK Radio 5 mms://

Thursday, January 10, 2008

Successful iPhone Toolchain build in eee pc

I have successfully compiled the iPhone ToolChain in the EEE PC environment.
svn co llvm-svn-42498 -r 42498
svn co iphone-dev-209 -r 209

The screen dump shows the project build of hp15c for iPhone.

Build script
cd ~/iphone

svn co \
llvm-svn-42498 -r 42498

svn co \
iphone-dev-209 -r 209

pushd llvm-svn-42498

./configure --enable-optimized


sudo make install



pushd iphone-dev-209

sudo mkdir /usr/local/arm-apple-darwin

mkdir -p build/odcctools

pushd build/odcctools

../../odcctools/configure --target=arm-apple-darwin \


sudo make install


pushd ~/iphone

tar -xzvf MacOSX10.4u.sdk.tgz

pushd /usr/local/arm-apple-darwin

sudo tar -xzvf ~/iphone/include2.tgz

sudo tar -xzvf ~/iphone/iphone-filesystem.tgz

cd iphone-filesystem



pushd include

./configure --with-macosx-sdk=/home/user/iphone/MacOSX10.4u.sdk

sudo bash


mkdir -p build/csu

pushd build/csu

../../csu/configure --host=arm-apple-darwin

sudo make install


mkdir -p build/llvm-gcc-4.0-iphone

pushd build/llvm-gcc-4.0-iphone

../../llvm-gcc-4.0-iphone/configure \
--enable-llvm=`llvm-config --obj-root` \
--enable-languages=c,c++,objc,obj-c++ \
--target=arm-apple-darwin \
--enable-sjlj-exceptions \
--with-heavenly=$HEAVENLY \
--with-as=/usr/local/bin/arm-apple-darwin-as \

make LLVM_VERSION_INFO=2.0-svn-iphone-dev-0.3-svn

sudo make install


Automount SD card in EEE PC

  1. sudo mkdir /mnt/SDCARD
  2. Edit /etc/udev/rules.d/50-xandros-udev.rules
  3. Find the comment
    # usb, removable storage
  4. Immediately after this comment, so that it will replace the Asus dialog, add the following line, changing the serial number to match your device and optionally changing the name SDCARD (in both places)

BUS=="usb", KERNEL=="sd*", SYSFS{serial}=="146030377350", NAME="SDCARD", OPTIONS+="last_rule", RUN+="/bin/mount /dev/sdb1 /mnt/SDCARD"

Configure mount point

  1. Edit /etc/fstab
  2. Add a new line at the end
/dev/sdb1              /mnt/SDCARD    vfat    rw,uid=user

Wednesday, January 9, 2008

Format SD card to Linux filesystem in eee pc

fdisk /dev/sdb
New > Primary > Enter > Write > “yes” > Quit

Format new partition /dev/sdb1 to ext3 filesystem:

mke2fs -c /dev/sdb1 # format to ext2
tune2fs -j /dev/sdb1 # convert to ext3 (optional)
e2label /dev/sdb1 SDCARD # set volume label to “SDCARD”

change ownership to user for the SDCARD after remount:
sudo chown -R user:user /media/MMC-SD/SDCARD

Tuesday, January 8, 2008

Install IE 6 in eee pc Linux

sudo apt-get install wine cabextract

download ies4linux

edit this file lib/

find this

pid=$(wget -q -b -t 1 -T 5 -U "$useragent" -o /dev/null $URL $WGETFLAGS -O "$file" | sed -e 's/[^0-9]//g')
change to
pid=$(LC_ALL=C LANG=C wget -q -b -t 1 -T 5 -U "$useragent" -o /dev/null $URL $WGETFLAGS -O "$file" | sed -e 's/[^0-9]//g')

run to install
./ies4linux --no-gui

after install, run IE

Monday, January 7, 2008

iPhone development using windows XP/Vista

For iPhone firmware 1.1.x development
A pre-compiled binary for the iPhone Toolchain (for firmware 1.1.x) is available. It is called winchain

For iPhone firmware 2.x development
Please refer to my latest article on the iPhone toolchain SDK2.0 development on Ubuntu as a virtual machine in Virtual PC 2007 for Windows XP/Vista

Or if you use VMWare, you can try this

For iOS SDK 4.0 / 5.0
Update for iphone toolchain4 for SDK4.x+

Friday, January 4, 2008


Install Fedora 8 in Virtual PC 2007

For installation of Fedora in Virtual PC 2007, there are problems of display and mouse during graphical installation and when using X Window.

The problems can be solved by changing the kernel parameters in the boot options and changing grub.conf and xorg.conf after the first boot of the post-installation

(1) at the 1st [graphical] screen, hit TAB to modify boot params;

- it will show "vmlinuz initrd=initrd.img";

- add "vesa i8042.noloop psmouse.proto=imps clock=pit"


- "vesa" selects "vesa" driver instead of the "s3" one; mandatory if you want the graphics installer. This also allowed "Millions of colors" to be used post-install.

- "i8042.noloop" makes the PS/2 mouse work, otherwise it's stuck in the center of the screen; reference: comment #45 at

- "psmouse.proto=imps" makes the mouse wheel work; optional as it's not that useful during the install, but useful to add it to kernel options for normal system use.

- "clock=pit", according to a MSKB article, resolves some problems with the time[r]; don't know how useful it is during the install.

(2) at the 2nd [graphical] screen after boot of post install, hit TAB to modify boot params;

- add "vga=771 1"

so that the installation will go to linux single mode

(3) Edit the /etc/grub.conf

- add "vesa vga=771 i8042.noloop psmouse.proto=imps clock=pit"

(4) Edit the /etc/X11/xorg.conf and change default pixel depths to 16 from 24

Section "ServerLayout"
    Identifier "Default Layout"
    Screen 0 "Screen0" 0 0
    InputDevice "Keyboard0" "CoreKeyboard"
EndSection

Section "InputDevice"
    Identifier "Keyboard0"
    Driver "kbd"
    Option "XkbModel" "pc105"
    Option "XkbLayout" "gb"
EndSection

Section "Monitor"
    Identifier "Monitor0"
    ModelName "LCD Panel 1680 x 1050"
    HorizSync 31.5 - 67.0
    VertRefresh 50.0 - 60.0
    Option "dpms"
EndSection

Section "Device"
    Identifier "Videocard0"
    Driver "vesa"
EndSection

Section "Screen"
    Identifier "Screen0"
    Device "Videocard0"
    Monitor "Monitor0"
    DefaultDepth 16
    SubSection "Display"
        Viewport 0 0
        Depth 16
        Modes "1024x768"
    EndSubSection
EndSection

(5) Reboot to continue post installation

Thursday, January 3, 2008

iPhone ToolChain build in EEE pc

My new EEE PC went to technical support today due to an internet connection sharing failure.

Today I downloaded the iPhoneToolChain binary (Intel) and installed it on my PPC Mac
(beware, it will overwrite your linker /usr/bin/ld)
and I had to reinstall Xcode in order to solve the problem, as my PPC obviously cannot run Intel binaries.

The Makefile should be changed to
-lobjc -ObjC
-framework CoreFoundation
-framework Foundation
-framework UIKit
-framework LayerKit
-framework CoreGraphics
-framework GraphicsServices
-framework Celestial
-framework MusicLibrary

This version of the ToolChain seems to have more complete header files than the self-built one

My objective is to put the binary file to my new EEE PC Linux for later iPhone development work.

If you need the iphone header file for 1.1.2, get it here

For example, I modified the Makefile for iCountDown as below



CFLAGS=-I/usr/local/arm-apple-darwin/include/ -fsigned-char

LDFLAGS=-lobjc \
-framework CoreFoundation \
-framework Foundation \
-framework UIKit \
-framework LayerKit \
-framework CoreGraphics \
-framework WebCore \
-framework GraphicsServices

all: ${APP}.app/${APP}

${APP}.app/${APP}: main.o iCountDown.o CDList.o SetupView.o CustomTable.o CustomTableCell.o ToggleDisplayView.o
	$(LD) $(LDFLAGS) -v -o $@ $^

%.o: %.m
	$(CC) -c $(CFLAGS) $(CPPFLAGS) $< -o $@

rm -f *.o

rm -f *.o ${APP}.app/${APP}

Wednesday, January 2, 2008

Personal Installation Guide of ASUS EEE PC 8G

Objective: To install Full Desktop for ASUS EEE PC

(1) Open terminal (Ctrl-Alt T)
sudo apt-get update
sudo apt-get upgrade

(2) add this source in /etc/apt/sources.list
deb p701 main

(3) Open terminal (Ctrl-Alt T)
sudo apt-get update
sudo apt-get install advanced-desktop-eeepc

(4) remove the above source in step (2)

Objective: To install binaries for the gcc compiler and make for the iPhone toolchain on the EEE PC

(1) add this source in /etc/apt/sources.list
deb stable main

(2) Open terminal (Ctrl-Alt T)
sudo apt-get update
sudo apt-get install build-essential
sudo apt-get install flex
sudo apt-get install bison
sudo apt-get install subversion

(3) remove the above source in step (1)

Objective: To change language locale

(1) make sure that there is only ASUS sources in /etc/apt/sources.list

(2) Open terminal (Ctrl-Alt T)
sudo apt-get update
sudo apt-get upgrade

(3) In terminal
sudo dpkg-reconfigure locales # add and change locales

sudo kate /etc/default/locale # change current locale

Objective: Linux boot to support 2G Ram