Once you have decrypted the KBAG, decryption using the keys in it is the same as above. This makes obtaining the keys for this version dead simple. A discussion on extracting those files is available on the talk page. This results in some zero-sized files in the disk image if you don't use Snow Leopard or newer. If input was a ramdisk, output will be a mountable HFS filesystem. Once decrypted, you will be left with either a raw binary blob. In order to decrypt an IMG3 file, open a console and run one of the commands depending on your program choice. His code was later implemented into xpwntool. To decrypt, open up a console and run openssl 1. Once the header is stripped, you need to do the actual decryption. The decryption key wasn't obscured, however, and a simple analysis of iBoot by Zibri revealed the 0x key.
You can do this with either a hex editor, or open up a console and run dd 1. With the release of the iPhone, the IMG2 files weren't encrypted. This section details the decryption of the ramdisks in an IPSW file.
A decrypted ramdisk is required to obtain the key for the root filesystem, but not to simply decrypt it with an existing key. This page details how to remove the encryption wrapper around each file in the IPSW file.