Tag: KBAG | iFirmware

Contents

1. Tag Format
- 1. IMG3
2. Example Tag

The KBAG (Key Bag) tag is an array of bytes, usually encrypted with the GID key. It consists of some information about the IV/key pair used to encrypt the payload, and the IV/key pair itself.

Tag Format

IMG3

Img3KbagTag {
   0  u32     magic      // 'GABK' ('KBAG' in little endian)
   4  u32     fullSize   // including header and padding
   8  u32     size       // including padding
   C  u32     cryptType  // 1: IV/Key are encrypted with the GID key
                         // 2: IV/Key are encrypted with the development GID key
  10  u32     aesSize    // the number of bits in the key:
                         //  0x80: AES-128 (16 bytes)
                         //  0xC0: AES-192 (24 bytes)
                         // 0x100: AES-256 (32 bytes)
  14  u8[16]  iv
  24  u8[]    key        // `aesSize / 8` bytes
????  u8[]    padding    // optional
}

Example Tag

The following tag is from the AppleLogo payload from the 2.0 (build 5A347) build for the iPhone (iPhone1,1).

Offset	0	1	2	3	4	5	6	7	8	9	A	B	C	D	E	F	ASCII
1C80													47	41	42	4B													G	A	B	K
1C90	44	00	00	00	38	00	00	00	01	00	00	00	80	00	00	00	D	.	.	.	8	.	.	.	.	.	.	.	.	.	.	.
1CA0	CA	5C	08	00	96	7C	23	64	8C	1F	24	FE	6A	BD	34	19	.	\	.	.	.	\|	#	d	.	.	$	.	j	.	4	.
1CB0	35	30	CF	F9	80	84	9C	41	7F	49	F0	14	D1	2B	F2	73	5	0	.	.	.	.	.	A	.	I	.	.	.	+	.	s
1CC0	00	00	00	00	00	00	00	00	00	00	00	00	00	00	00	00	.	.	.	.	.	.	.	.	.	.	.	.	.	.	.	.

Offset	Length	Explanation
0x1C8C	4	`magic`: When interpreted in little endian order, these bytes give the string, `KBAG`.
0x1C90	4	`fullSize`: This tag is 0x44 (68) bytes long.
0x1C94	4	`size`: The actual payload (including padding) is 0x38 (56) bytes long.
0x1C98	4	`cryptType`: This tag is encrypted with the GID key.
0x1C9C	4	`aesSize`: The key is 0x80 (128) bits long.
0x1CA0	16	`iv`: The encrypted IV.
0x1CB0	16	`key`: The encrypted key.
0x1CC0	16	`padding`