IMG3 Tag: KBAG

The KBAG (Key Bag) IMG3 tag is an array of bytes, usually encrypted with the GID key. It consists of some information about the IV/key pair used to encrypt the payload, and the IV/key pair itself.

Tag Format

Img3KbagTag {
   0  uint32     magic      // 'GABK' ('KBAG' in little endian)
   4  uint32     paddedSize // including header
   8  uint32     size
   C  uint32     cryptType  // 1: IV/Key are encrypted with the GID key
                            // 2: IV/Key are encrypted with the development GID key
  10  uint32     aesSize    // the number of bits in the key:
                            //  0x80: AES-128 (16 bytes)
                            //  0xC0: AES-192 (24 bytes)
                            // 0x100: AES-256 (32 bytes)
  14  uint8[16]  iv
  24  uint8[]    key        // `aesSize / 8` bytes
????  uint8[]    padding    // optional
}

Example Tag

The following tag is from the AppleLogo payload of the 2.0 build (5A347) for the iPhone (iPhone1,1).

Offset   0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  ASCII
1C80                                        47 41 42 4B              GABK
1C90    44 00 00 00 38 00 00 00 01 00 00 00 80 00 00 00  D...8...........
1CA0    CA 5C 08 00 96 7C 23 64 8C 1F 24 FE 6A BD 34 19  .\...|#d..$.j.4.
1CB0    35 30 CF F9 80 84 9C 41 7F 49 F0 14 D1 2B F2 73  50.....A.I...+.s
1CC0    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

Offset  Length  Explanation
0x1C8C  4       magic: When interpreted in little endian order, these bytes give the string KBAG.
0x1C90  4       paddedSize: This tag is 0x44 (68) bytes long.
0x1C94  4       size: The actual payload is 0x38 (56) bytes long.
0x1C98  4       cryptType: This tag is encrypted with the GID key.
0x1C9C  4       aesSize: The key is 0x80 (128) bits long.
0x1CA0  16      iv: The encrypted IV.
0x1CB0  16      key: The encrypted key.
0x1CC0  16      padding
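
An added example, not code from the original page: a Python parser for the tag layout above, run over the 68 bytes of the example tag. The names parse_kbag and KbagError are hypothetical, and the consistency check on size assumes it counts the bytes after the first three header words, which matches the example (0x44 = 0xC + 0x38).

```python
import struct

# The 68-byte example tag from this page (file offsets 0x1C8C..0x1CCF).
EXAMPLE_TAG = bytes.fromhex(
    "4741424B" "44000000" "38000000" "01000000" "80000000"
    "CA5C0800967C23648C1F24FE6ABD3419"   # iv (encrypted)
    "3530CFF980849C417F49F014D12BF273"   # key (encrypted)
    "00000000000000000000000000000000"   # padding
)

CRYPT_TYPES = {1: "GID key", 2: "development GID key"}
AES_BITS = (0x80, 0xC0, 0x100)
HEADER = struct.Struct("<4sIIII")  # magic, paddedSize, size, cryptType, aesSize


class KbagError(ValueError):
    pass


def parse_kbag(buf, offset=0):
    """Parse one KBAG tag at `offset`; raise KbagError on malformed input."""
    if len(buf) - offset < HEADER.size + 16:
        raise KbagError("buffer too short for KBAG header and IV")
    magic, padded, size, crypt, bits = HEADER.unpack_from(buf, offset)
    if magic != b"GABK":
        raise KbagError("bad magic %r" % magic)
    if bits not in AES_BITS:
        raise KbagError("unsupported aesSize 0x%X" % bits)
    if crypt not in CRYPT_TYPES:
        raise KbagError("unknown cryptType %d" % crypt)
    key_len = bits // 8
    need = 8 + 16 + key_len  # cryptType + aesSize + iv + key
    # Assumption: `size` counts the bytes after the 12-byte magic/paddedSize/size prefix.
    if size < need or padded < 12 + size or offset + padded > len(buf):
        raise KbagError("size fields inconsistent with tag contents")
    iv_off = offset + HEADER.size
    return {
        "crypt": CRYPT_TYPES[crypt],
        "bits": bits,
        "iv": buf[iv_off:iv_off + 16],
        "key": buf[iv_off + 16:iv_off + 16 + key_len],
        "padding": padded - HEADER.size - 16 - key_len,
    }


if __name__ == "__main__":
    tag = parse_kbag(EXAMPLE_TAG)
    print(tag["crypt"], tag["bits"], tag["iv"].hex(), tag["key"].hex(), tag["padding"])
```

The iv and key values returned are still the encrypted bytes stored in the tag; the parser only locates them and rejects tags whose length fields do not fit the buffer.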