
IMG3 Tag: KBAG

The KBAG tag is an array of bytes, usually encrypted with the GID key. It consists of a "magic," some info about the tag and IV/key pair, and the IV and key themselves.

Tag Format

Img3KbagTag {
   0  uint32  magic;       // "GABK" ("KBAG" in little endian)
   4  uint32  totalLength; // including header
   8  uint32  dataLength;  // excluding this 0xC header and padding
   C  uint32  cryptState;  // 0x1: IV/key are encrypted with the GID key
                           // 0x2: Used with a second KBAG for the S5L8920; use is unknown
  10  uint32  aesType;     //  0x80: AES-128 (16 byte key)
                           //  0xC0: AES-192 (24 byte key)
                           // 0x100: AES-256 (32 byte key)
  14  uint8[16] iv;
  24  uint8[16/24/32] key; // length depends on "aesType"
????  uint8[] pad;
}

Example Tag

The following tag is from the AppleLogo file from the 2.0 (build 5A347) build for the original iPhone (iPhone1,1).

      0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
1C80                                     47 41 42 4B
1C90 44 00 00 00 38 00 00 00 01 00 00 00 80 00 00 00
1CA0 CA 5C 08 00 96 7C 23 64 8C 1F 24 FE 6A BD 34 19
1CB0 35 30 CF F9 80 84 9C 41 7F 49 F0 14 D1 2B F2 73
1CC0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Offset  Length  Explanation
1C8C    4       magic: When interpreted in little endian order, these bytes give the string KBAG.
1C90    4       totalLength: Indicates that this tag is 0x44 (68) bytes long.
1C94    4       dataLength: Indicates that this tag (without the header) is 0x38 (56) bytes long.
1C98    4       cryptState: Indicates that this tag's IV/key pair is encrypted with the GID key.
1C9C    4       aesType: Indicates that the DATA tag is encrypted with AES-128.
1CA0    16      iv: The encrypted IV.
1CB0    16      key: The encrypted key.
1CC0    16      pad: Padding.
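
The layout above can be checked with a small parser run over the example tag's bytes. This is an added example, not code from the wiki or from Apple; the names parse_kbag, Kbag and EXAMPLE_TAG are hypothetical, and treating every byte between the key and totalLength as pad is an assumption.

```python
import struct
from typing import NamedTuple

HEADER = struct.Struct("<4sII")  # magic, totalLength, dataLength (0xC bytes)
BODY = struct.Struct("<II16s")   # cryptState, aesType, iv
KEY_BYTES = {0x80: 16, 0xC0: 24, 0x100: 32}  # aesType -> key length in bytes

# Bytes of the example tag shown on this page (file offset 0x1C8C).
EXAMPLE_TAG = bytes.fromhex(
    "47 41 42 4B"
    "44 00 00 00 38 00 00 00 01 00 00 00 80 00 00 00"
    "CA 5C 08 00 96 7C 23 64 8C 1F 24 FE 6A BD 34 19"
    "35 30 CF F9 80 84 9C 41 7F 49 F0 14 D1 2B F2 73"
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
)

class Kbag(NamedTuple):
    total_length: int
    data_length: int
    crypt_state: int
    aes_type: int
    iv: bytes
    key: bytes
    pad: bytes

def parse_kbag(buf: bytes, offset: int = 0) -> Kbag:
    """Parse one KBAG tag at `offset`, rejecting inconsistent length fields."""
    if offset < 0 or len(buf) - offset < HEADER.size:
        raise ValueError("truncated KBAG header")
    magic, total, data_len = HEADER.unpack_from(buf, offset)
    if magic != b"GABK":  # "KBAG" as stored on disk
        raise ValueError("not a KBAG tag")
    if total < HEADER.size or offset + total > len(buf):
        raise ValueError("totalLength runs past the buffer")
    if not BODY.size <= data_len <= total - HEADER.size:
        raise ValueError("dataLength inconsistent with totalLength")
    crypt_state, aes_type, iv = BODY.unpack_from(buf, offset + HEADER.size)
    key_len = KEY_BYTES.get(aes_type)
    if key_len is None:
        raise ValueError(f"unknown aesType {aes_type:#x}")
    if data_len < BODY.size + key_len:
        raise ValueError("dataLength too small for the key")
    key_at = offset + HEADER.size + BODY.size
    return Kbag(total, data_len, crypt_state, aes_type, iv,
                buf[key_at:key_at + key_len],
                buf[key_at + key_len:offset + total])  # assumed: rest is pad

if __name__ == "__main__":
    print(parse_kbag(EXAMPLE_TAG))
```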