Encryption Keys

The iPhone and iPod Touch both ship with two 128-bit keys on them. One, which Apple calls the gid-aes-key (group id), is shared by all iPhones and iPod Touches, and the other, the uid-aes-key (user id), is unique for each device. These keys, to minimize chances of recovery, are never used directly on data. Instead, they are used to encrypt static nonces to generate in-memory keys, that are later used to encrypt and decrypt real data. Up until firmware 1.1.2, four such keys were in use on the devices, labeled 0x835, 0x836, 0x837, and 0x838. 1.1.3 adds a fifth key to those.

Specific Keys


This is computed by the kernel at boot-time and is used only to secure Keychain items on the phone. It is computed from the uid-aes-key and is this different on each phone.

It is generated by encrypting the hex string 01010101010101010101010101010101 with the uid key.


This is computed by the kernel during a restore, but is zeroed out during a normal boot. It is also computed by the Secure Bootloader, and its only known use is to decrypt LLB in NOR. Like 0x835, it is different for each device.

It is generated by encrypting the hex string 00E5A0E6526FAE66C5C1C6D4F16D6180 with the uid key.


This is the key made famous by Zibri's cryptic leak. It is based on the uid-aes-key and is computed in iBoot, iBEC, iBSS, and by the kernel during a restore. It is used to encrypt the data in 8900 files and to “sign” the 8900 header.

It is generated by encrypting the hex string 345A2D6C5050D058780DA431F0710E15 with the gid key.


Another uid-aes-key-based key, it is used to encrypt everything but LLB in the NOR (iBoot, Device Tree, pictures).

It is generated by encrypting the hex string 8C8318A27D7F030717D2B8FC5514F8E1 with the uid key.

Using the Keys

All keys except for 0x835 are disabled during a normal boot. The two hardware keys are disabled using a function_disable-keys by the kernel at startup, as soon as the other keys have been computed from them. This is done regardless of the secure root prefix. Keys 0x836-0x838 are enabled during a recovery boot and can be used through the standard IOAESAccelerator user client.

s5l8900/encryption_keys.txt · Last modified: 2008/06/05 01:44 (external edit)
Recent changes RSS feed Donate Powered by PHP Valid XHTML 1.0 Valid CSS Driven by DokuWiki
Part of the iPhone Dev Team Archive