Initially used in iPhone OS 2.0 beta 4, IMG 3 files were created to address the problems with the older 8900/IMG2 combination. This format was used on all devices using 32-bit processors (S5L8955 (A6X) and earlier). All 64-bit processors (S5L8960 (A7) and newer) use the IMG4 format.

Problems with IMG2

The biggest problem with the 8900/IMG2 format combination was that they all were encrypted with the same key: Key 0x837. IMG3 addressed this glaring security hole by encrypting each payload with its own IV/key. This IV/key pair is stored in the file with the payload, but is itself encrypted with the GID key, a key shared by all devices with the same processor. The GID key is burned into the processor and cannot be accessed directly; Instead, every time the key is needed, the processor will be instructed to use it (at no time providing it to the kernel or user code).

File Format

Despite requiring a bit more to process, at least when compared to the 8900/IMG2 combination, the IMG3 file is quite simple. It consists of a 20 byte header followed by a series of tags, one after the other.

Img3 {
   0  u32        magic          // '3gmI' ('Img3' in little endian)
   4  u32        fileSize
   8  u32        tagsSize       // size of file minus 0x14 header
   C  u32        shshTagOffset
  10  u32        ident          // seems to be the same as the TYPE tag's contents
  14  Img3Tag[]  tags


A "tag" is a chunk consisting of a the four byte "magic," two 32 bit sizes, the actual contents, and, optionally, some padding. For a list of known tags, visit the main page on firmware tags.

   0  u32   magic
   4  u32   fullSize  // including header and padding
   8  u32   size      // including padding
   C  u8[]  data
????  u8[]  padding