Initially used in iPhone OS 2.0 beta 4, IMG3 files were created to address the problems with the older 8900/IMG2 combination. This format was used on all devices using 32-bit processors (S5L8955 (A6X) and earlier). All 64-bit processors (S5L8960 (A7) and newer) use the IMG4 format.
Problems with IMG2
The biggest problem with the 8900/IMG2 format combination was that every file was encrypted with the same key: Key 0x837. IMG3 addressed this glaring security hole by encrypting each payload with its own IV/key. This IV/key pair is stored in the file with the payload, but is itself encrypted with the GID key, a key shared by all devices with the same processor. The GID key is burned into the processor and cannot be accessed directly; instead, every time the key is needed, the processor is instructed to use it, and the key itself is never provided to the kernel or user code.
File Format
Despite requiring a bit more work to process, at least when compared to the 8900/IMG2 combination, the IMG3 file is quite simple. It consists of a 20-byte header followed by a series of tags, one after the other.
Img3 {
   0  u32 magic          // '3gmI' ('Img3' in little endian)
   4  u32 fileSize
   8  u32 tagsSize       // size of file minus 0x14 header
   C  u32 shshTagOffset
  10  u32 ident          // seems to be the same as the TYPE tag's contents
  14  Img3Tag[] tags
}
Tags
A "tag" is a chunk consisting of the four-byte "magic," two 32-bit sizes, the actual contents, and, optionally, some padding. For a list of known tags, visit the main page on firmware tags.
Img3Tag {
   0  u32 magic
   4  u32 fullSize       // including header and padding
   8  u32 size           // including padding
   C  u8[] data
????  u8[] padding
}
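The header and tag layouts above can be walked with a short bounds-checked parser. This is an added example, not code from the original page: the function names and the sample file are constructed for illustration, the DATA tag name is taken from the known IMG3 tag set rather than from this page, and every length field is treated as untrusted.

```python
import struct

HEADER = struct.Struct("<5I")      # magic, fileSize, tagsSize, shshTagOffset, ident
TAG_HEADER = struct.Struct("<3I")  # magic, fullSize, size
IMG3_MAGIC = 0x496D6733            # 'Img3'; the on-disk bytes read '3gmI'

def fourcc(value):
    """Render a little-endian u32 magic as its four-character name."""
    return struct.pack(">I", value).decode("ascii", "replace")

def parse_img3(blob):
    """Return ident, shshTagOffset and (name, data) tags; raise ValueError on bad sizes."""
    if len(blob) < HEADER.size:
        raise ValueError("truncated header")
    magic, file_size, tags_size, shsh_off, ident = HEADER.unpack_from(blob, 0)
    if magic != IMG3_MAGIC:
        raise ValueError("not an IMG3 file")
    if file_size > len(blob) or HEADER.size + tags_size > file_size:
        raise ValueError("header sizes exceed the file")
    tags, pos, end = [], HEADER.size, HEADER.size + tags_size
    while pos < end:
        if end - pos < TAG_HEADER.size:
            raise ValueError("truncated tag header at 0x%x" % pos)
        t_magic, full_size, size = TAG_HEADER.unpack_from(blob, pos)
        # fullSize below 12 would stall the walk; above the remainder it overruns.
        if not TAG_HEADER.size <= full_size <= end - pos:
            raise ValueError("bad fullSize at 0x%x" % pos)
        if size > full_size - TAG_HEADER.size:
            raise ValueError("size exceeds fullSize at 0x%x" % pos)
        start = pos + TAG_HEADER.size
        tags.append((fourcc(t_magic), blob[start:start + size]))
        pos += full_size  # bytes past `size` are skipped as trailing padding
    return {"ident": fourcc(ident), "shsh_offset": shsh_off, "tags": tags}

def build_tag(name, data, pad=0):
    """Constructed-sample helper: serialise one tag with `pad` trailing bytes."""
    magic = struct.unpack(">I", name)[0]
    return TAG_HEADER.pack(magic, 12 + len(data) + pad, len(data)) + data + b"\0" * pad

def build_sample():
    """Constructed IMG3 file (not real firmware): a TYPE tag and a padded DATA tag."""
    ident = struct.unpack(">I", b"test")[0]
    body = build_tag(b"TYPE", struct.pack("<I", ident)) + build_tag(b"DATA", b"payload", pad=1)
    header = HEADER.pack(IMG3_MAGIC, HEADER.size + len(body), len(body), 0, ident)
    return header + body

if __name__ == "__main__":
    print(parse_img3(build_sample()))
```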