Talk:OTA Updates

2012-12-13T08:00:25Z

KhaosT: /* Exploits */

== Encryption ==
Are the updates encrypted in any way ([[VFDecrypt]]?) --[[User:5urd|5urd]] 18:31, 30 August 2011 (MDT)
:No. Just regular Zips. --[[User:M2m|M2m]] 22:36, 30 August 2011 (MDT)
:Only NOR payloads and RAM disks are encrypted, rest of the "asset" is unencrypted --pjakuszew 04:19, 31 August 2011 (MDT)

== Tracker ==
Anyone into making a watchguard that tracks mesu.apple.com for changes (and records them)? --[[User:M2m|M2m]] 00:55, 12 November 2011 (MST)
:I did a [http://cole.freehostingcloud.com/scripts/Apple%20OTA%20Update%20Checker.php crude one]. It works by comparing against a list of already done URLs in an array --[[User:5urd|5urd]] 13:16, 12 November 2011 (MST)
:::I would just curl --user-agent="softwareupdateservicesd (unknown version) CFNetwork/539 Darwin/11.0.0" http://mesu.apple.com/assets/com_apple_MobileAsset_SoftwareUpdate/com_apple_MobileAsset_SoftwareUpdate.xml -o OTA.xml and pipe it into shasum. In case shasum change, save as new version with date and time (and display)... --[[User:M2m|M2m]] 19:00, 12 November 2011 (MST)
::::One problem with that is that I can't test it on my computer here at my house as I am on windows. To test it with curl I would need to upload it to my website. What I did was open a connection with fsockopen(), sent some request headers, then read the response to a string. After that, I parsed the [[PLIST File Format|plist]] to an array. Unfortunately, the parser leaves some artifacts on the hash as it is a compressed hash. So I decided to use the file location instead. It still works pretty well. I had to remove the URL form area as it messed with the array in unwanted ways. I am working on moving it from an array to just line by line URLs preventing the failure as I just append the line to it. When I finish it, I will post the code on [http://cole.freehostinglcoud.com/cms/Scripts:PHP/Apple_OTA_Update_Checker my website]. --[[User:5urd|5urd]] 21:43, 12 November 2011 (MST)
::::: curl is avialable for windows[http://curl.haxx.se/download.html] --[[User:M2m|M2m]] 04:43, 13 November 2011 (MST)
:::::: doesn't matter, it already works and spits out a nice table. --[[User:5urd|5urd]] 16:05, 13 November 2011 (MST)
::::::: So is your tracker available online already ? --[[User:M2m|M2m]] 19:59, 26 November 2011 (MST)
:::::::: Yes. When you add a link to the wiki, you can add it to the textbox one per line and click submit and it wont show up again. --[[User:5urd|5urd]] 13:37, 27 November 2011 (MST)
:::::::: [http://pastie.org/2930838 Spammers]. It doesn't work because it works like this:
for (
$i = 0;
$i < sizeof(array_keys($plist['Assets']));
$i++)
{
if (
!in_array(
$plist['Assets'][$i]['__BaseURL'] . $plist['Assets'][$i]['__RelativePath'],
$usedurls)
)
{
// Output table
}
}
:::::::: --[[User:5urd|5urd]] 17:34, 27 November 2011 (MST)
::::::::: Should do the trick to make a backup of OTA.xml's whenever there is a change
#!/bin/bash
SHA_OLD=1
while true; do
SHA_CUR=$(curl --user-agent 'softwareupdateservicesd (unknown version) CFNetwork/539 Darwin/11.0.0' http://mesu.apple.com/assets/com_apple_MobileAsset_SoftwareUpdate/com_apple_MobileAsset_SoftwareUpdate.xml | shasum)

if [ "$SHA_OLD" = "$SHA_CUR" ]; then
echo nothing to do
else
NOW=$(date +"%F")
NOWT=$(date +"%T")
echo download
curl --user-agent 'softwareupdateservicesd (unknown version) CFNetwork/539 Darwin/11.0.0' http://mesu.apple.com/assets/com_apple_MobileAsset_SoftwareUpdate/com_apple_MobileAsset_SoftwareUpdate.xml -o OTA_$NOW-$NOWT.xml

SHA_OLD=$(curl --user-agent 'softwareupdateservicesd (unknown version) CFNetwork/539 Darwin/11.0.0' http://mesu.apple.com/assets/com_apple_MobileAsset_SoftwareUpdate/com_apple_MobileAsset_SoftwareUpdate.xml | shasum)
fi
sleep 600
done
:::::::::--[[User:M2m|M2m]] 08:33, 24 March 2012 (MDT)

== Carrier Beta ==
What is a carrier beta? --[[User:5urd|5urd]] 18:33, 9 January 2012 (MST)
:Most likely a beta for carrier provisions. --[[User:Rdqronos|rdqronos]] 16:19, 26 March 2012 (MDT)
:: <code>-_-</code> --[[User:5urd|5urd]] 14:33, 21 July 2012 (MDT)

== Applying .patch files from OTA updates ==
Hey guys, has anyone successfully "patched" a file with a .patch file from the "patches" folder of an OTA update? I am trying to do this and can't get it to work. I have tried on OS X, iOS, and Linux, with multiple different patches, and always get the same error: 
patch: **** Only garbage was found in the patch input.
With --verbose option:
Hmm... I can't seem to find a patch in there anywhere.
I understand from some research that common .patch files have a certain syntax to them, bu I have looked inside these .patch files (using a text editor) and they never contain any readable text (even a .txt.patch file). This leads me to believe that iOS uses a specific and exclusively designed version of Patch. If so, how would I make use of that? 
Ideally I would patch the files on-device via SSH, as I am developing something yet-to-be-announced which would need to do so automatically. If needed, it could alternatively be done using Mac OS X or Linux. 
I would greatly appreciate any help, --[[User:ValleyForge|ValleyForge]] 23:12, 28 June 2012 (MDT)
:I'd like to help, but I need to learn :P --[[User:Dylan Laws|Haifisch]] 21:49, 5 July 2012 (MDT)
::I actually figured it out, you have to use the bspatch command which is available on iOS, Mac OS X, Linux, and Windows :) --[[User:ValleyForge|ValleyForge]] 22:59, 5 July 2012 (MDT)
:::Fancy wanna iMessage me and we can brain storm what good can come out of this. Maybe a jailbreak technique ;) --[[User:Dylan Laws|Haifisch]] 10:21, 6 July 2012 (MDT)
::::Quick note: all OTA updates are signed with a private key owned by Apple. Unless you get into that department of Apple, you can't sign them without brute force. --[[User:5urd|5urd]] 12:09, 6 July 2012 (MDT)

== File Names ==
Does anyone have the slightest on how Apple names their files? It looks like a hash that is 20 bytes long (40 hex chars/160 bits). From [[wikipedia:List of hash functions|this list]], there are a few like that, but none that I have heard of. --[[User:5urd|5urd]] 14:32, 21 July 2012 (MDT)
: Should be the SHA-1 of the file.--[[User:M2m|M2m]] 21:14, 21 July 2012 (MDT)

== Resequence? and deleting files? ==
# In most updates there are "added", "patches", and "replace" folders in the payload folder. In the iOS 6.0 updates, there is a folder among those named "resequence". What does this do? Currently the only file contained in the resequence folder is the dyld cache.
# How do OTA updates control which/whether files are deleted? Where is it specified which files are deleted, or do they delete files at all?
--[[User:ValleyForge|ValleyForge]] 23:55, 29 September 2012 (MDT)

== Documentation ==
Someone should make a page with the documentation links, here's the XML: http://mesu.apple.com/assets/com_apple_MobileAsset_SoftwareUpdateDocumentation/com_apple_MobileAsset_SoftwareUpdateDocumentation.xml --[[User:Srb21103|Srb21103]] 20:16, 20 November 2012 (MST)
:I was wondering where the documentation was retrieved from… I don't think it needs a new page, but I think it can be easily added onto this page as a new column. --[[User:Dialexio|Dialexio]] 20:04, 24 November 2012 (MST)

== Exploits ==
I'm interested in this stuff also. I have a sense there's an exploit here somewhere, but I haven't had time to look into it --[[User:Posixninja|posixninja]] 17:18, 22 November 2012 (MST)
:Their would definitely be an exploit, but it'd be fairly easily patched by Apple. You're best looking for a bootrom exploit. --[[User:Srb21103|Srb21103]] 19:48, 22 November 2012 (MST)
::Removing the signing checks would be a big achievement because we could have jail broken OTA Updates by patching out the kernel and some files in the package. --[[User:5urd|5urd]] 20:32, 22 November 2012 (MST)
:I've been examining the Settings app, kernel, and appropriate frameworks, but I haven't found anything. It is however obvious that the package contents are signed. --[[User:5urd|5urd]] 20:32, 22 November 2012 (MST)
:I set up a fake mesu.apple.com server for testing, but it seems that even the plist is somehow signed. After changing a single letter in the plist, iOS says something about having a connection problem when trying to fetch it. --[[User:Tobi|Tobi]] 11:00, 26 November 2012 (CEST)
::The Plist contains a certificate and a signature section at the bottom - so obviously this takes care that a plist can not be modified by just anyone.--[[User:M2m|M2m]] 05:27, 26 November 2012 (MST)
:::LOL, stupid me for not actually looking at the file. Although I found the source of the thing that [http://www.opensource.apple.com/source/Security/Security-55163.44/sec/Security/SecPolicyPriv.h signs the files]. Look for the function called SecPolicyCreateMobileAsset --[[User:Tobi|Tobi]] 16:04, 26 November 2012 (CEST)
::::A header file isn't going to do us much good. Maybe something along the lines of the [http://www.opensource.apple.com/source/Security/Security-55179.1/sec/Security/SecPolicy.c actual source itself]?
SecPolicyRef SecPolicyCreate(CFStringRef oid, CFDictionaryRef options) {
SecPolicyRef result = NULL;

require(oid, errOut);
require(options, errOut);
require(result =
(SecPolicyRef)_CFRuntimeCreateInstance(kCFAllocatorDefault,
SecPolicyGetTypeID(),
sizeof(struct __SecPolicy) - sizeof(CFRuntimeBase), 0), errOut);

CFRetain(oid);
result->_oid = oid;
CFRetain(options);
result->_options = options;

errOut:
return result;
}
static bool SecPolicyAddAppleCertificationAuthorityOptions(CFMutableDictionaryRef options, bool honorValidity)
{
bool success = false;

if (honorValidity)
SecPolicyAddBasicX509Options(options);
else
SecPolicyAddBasicCertOptions(options);

#if 0
CFDictionaryAddValue(options, kSecPolicyCheckKeyUsage,
kCFBooleanTrue);
CFDictionaryAddValue(options, kSecPolicyCheckExtendedKeyUsage,
kCFBooleanTrue);
#endif

/* Basic X.509 policy with the additional requirements that the chain
length is 3, it's anchored at the AppleCA and the leaf certificate
has issuer "Apple iPhone Certification Authority". */
CFDictionaryAddValue(options, kSecPolicyCheckIssuerCommonName,
CFSTR("Apple iPhone Certification Authority"));

require(SecPolicyAddChainLengthOptions(options, 3), errOut);
require(SecPolicyAddAppleAnchorOptions(options), errOut);

success = true;

errOut:
return success;
}
static SecPolicyRef SecPolicyCreateAppleCertificationAuthorityPolicy(CFStringRef policyOID, CFStringRef leafName, bool honorValidity)
{
CFMutableDictionaryRef options = NULL;
SecPolicyRef result = NULL;

require(options = CFDictionaryCreateMutable(kCFAllocatorDefault, 0,
&kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks), errOut);

require(SecPolicyAddAppleCertificationAuthorityOptions(options, honorValidity), errOut);

CFDictionaryAddValue(options, kSecPolicyCheckSubjectCommonName, leafName);

require(result = SecPolicyCreate(policyOID, options),
errOut);

errOut:
CFReleaseSafe(options);
return result;
}
SecPolicyRef SecPolicyCreateOTATasking(void)
{
return SecPolicyCreateAppleCertificationAuthorityPolicy(kSecPolicyOIDOTATasking, CFSTR("OTA Task Signing"), true);
}
SecPolicyRef SecPolicyCreateMobileAsset(void)
{
return SecPolicyCreateAppleCertificationAuthorityPolicy(kSecPolicyOIDMobileAsset, CFSTR("Asset Manifest Signing"), false);
}
::::--[[User:5urd|5urd]] 18:19, 26 November 2012 (MST)
Anyone noticed that Apple's iOS Updater seems can modify files under "/" [http://appldnld.apple.com/iOS6/041-8518.20121029.CCrt9/iOSUpdater.ipa IPA File] ? --[[User:KhaosT|khaost]] 15:59, 13 December 2012 (CST)

== Apple TV ==
I don't really know how to add these to the wiki. [http://appldnld.apple.com/AppleTV/041-7282.20121128.Hfam1/com_apple_MobileAsset_SoftwareUpdate/2fed502c1d4b10b75997f0be421546195f60d3c5.zip 2G] [http://appldnld.apple.com/AppleTV/041-7280.20121128.QwPi9/com_apple_MobileAsset_SoftwareUpdate/f25fe546fe5356dce272420621f278b7ed15b0fb.zip 3G] They're mentioned in the mesu.apple.com XML, but are a bit different from the other OTA updates. (Notably, considering the file size, it looks like it contains an image to restore an Apple TV.) Any ideas?

Speaking of the Apple TV, it seems like Apple wants to keep the version numbers confusing. I think that we should add a new column for the "marketing version" for this page as well. --[[User:Dialexio|Dialexio]] 18:57, 2 December 2012 (MST)

== OTA Beta download url. ==
I would like to say I feel that adding the download url for the OTA on beta iOS leads to more piracy. Please can we delete this and add a blank cell for beta? If so I am fully willing to do this myself. --[[User:Adaminsull|Adaminsull]] 15:26, 3 December 2012 (MST)
:Whut... I'm pretty sure the OTA ZIP cannot be installed by the user without Apple's update code blah blah blah; No reason to, no piracy. --[[User:Haifisch|Haifisch]] 18:30, 3 December 2012 (MST)
:It wouldn't matter since it won't activate if you are not registered under the developer program {{unsigned|phyrrus9|01:52, 4 December 2012 (MST)}}
:What? If apple public ally puts the download URLs up on their site, it's not piracy. Plus to update. You need a beta installed in the first place. To do that, you need a dev account. Piracy is not an issue. Learn more before stating something like this. --[[User:5urd|5urd]] 22:08, 3 December 2012 (MST)
:: OK. --[[User:Adaminsull|Adaminsull]] 01:53, 4 December 2012 (MST)

The iPhone Wiki - User contributions [en]

Talk:OTA Updates