The iPhone Wiki - User contributions [en]

Evasi0n

2013-02-05T10:18:36Z

Tobi:

{{lowercase}}
'''evasi0n''' is a [[jailbreak]] tool that can be used to [[jailbreak]] ([[untethered jailbreak|untethered]]) [[iOS]] 6.0-6.1 on all [[#Supported Devices|supported devices]], excluding the [[j33ap|Apple TV 3G]]. It was releasd on Februrary 4, 2013, and supports Windows, OS X, and Linux (x86/x86_64).

== Userland Exploit Analysis ==
[http://blog.accuvantlabs.com/blog/bthomas/evasi0n-jailbreaks-userland-component Evasi0n Jailbreak's Userland Component]

== Supported Devices ==
All devices that support iOS 6.0-6.1, excluding the Apple TV 3G are supported. The reasoning behind this is unknown at the moment.

== Version History ==
* 1.0
** Initial release

== Download ==
{| class="wikitable" style="text-align:center;"
! Version
! Release Date
! OS
! SHA-1 Hash
! colspan="3" | Download
|-
| rowspan="3" | 1.0
| rowspan="3" | 4 Februrary 2013
| Linux
| <code>c9e4b15a161b89f0e412721f471c5f8559b6054f</code>
| [https://evad3rs.box.com/shared/static/5dped2c9ejnk5r6ahfpg.lzma box.com]
| [https://mega.co.nz/#!0kUkXBLC!Q8e53kQZpLbGL7PquHWgQFhMU9Ru3WJWxBuzEdkiMJo Mega]
| [http://rapidshare.com/files/2561828874/evasi0n-linux-1.0-3c53ba10e2448d311b0f4157f2d7eb568f106c4f-release.tar.lzma RapidShare]
|-
| OS X
| <code>23f99a0d65e71fd79ff072b227f0ecb176f0ffa8</code>
| [https://evad3rs.box.com/shared/static/du66n0g9wl1j4ta57hpx.dmg box.com]
| [https://mega.co.nz/#!5h0BwQoa!KdRLFwNJ3OjMS-7Zs2YGQnsvPxAKEsaAjabY__8pNtY Mega]
| [http://rapidshare.com/files/3010870584/evasi0n-mac-1.0-3c53ba10e2448d311b0f4157f2d7eb568f106c4f-release.dmg RapidShare]
|-
| Windows
| <code>2ff288e1798b4711020e9dd7f26480e57704d8b2</code>
| [https://evad3rs.box.com/shared/static/tg1t0cz7oakvq7hsv0bd.zip box.com]
| [https://mega.co.nz/#!d9ciUApQ!AkwevVU1OtUrEUU7U4fE-V8qqM9aINTAGgjkukShihE Mega]
| [http://rapidshare.com/files/3503186483/evasi0n-win-1.0-3c53ba10e2448d311b0f4157f2d7eb568f106c4f-release.zip RapidShare]
|}

{{stub|jailbreaking}}
[[Category:Jailbreaks]]

Talk:WTF

2013-01-15T14:25:25Z

Tobi:

==Meaning==
Does WTF mean what I think it means...? --[[User:Rdqronos|rdqronos]] 22:32, 1 May 2011 (UTC)
:We don't know what its abbreviation means at the moment; otherwise, it'd be mentioned in the article. ;) And please, please, PLEASE sign your talk page entries! --[[User:Dialexio|<span style="color:#C20; font-weight:normal;">Dialexio</span>]] 00:54, 19 April 2011 (UTC)
:There I signed it :) --[[User:Rdqronos|rdqronos]] 22:32, 1 May 2011 (UTC)

==Source==
The source code WTF is available here: [http://opensource.apple.com/source/WTFEmbedded/], tar available here [http://opensource.apple.com/tarballs/WTFEmbedded/WTFEmbedded-20.tar.gz] --[[User:Tobi|Tobi]] ([[User talk:Tobi|talk]]) 14:25, 15 January 2013 (UTC)

Talk:WTF

2013-01-15T14:25:04Z

Tobi: /* Meaning */

==Meaning==
Does WTF mean what I think it means...? --[[User:Rdqronos|rdqronos]] 22:32, 1 May 2011 (UTC)
:We don't know what its abbreviation means at the moment; otherwise, it'd be mentioned in the article. ;) And please, please, PLEASE sign your talk page entries! --[[User:Dialexio|<span style="color:#C20; font-weight:normal;">Dialexio</span>]] 00:54, 19 April 2011 (UTC)
:There I signed it :) --[[User:Rdqronos|rdqronos]] 22:32, 1 May 2011 (UTC)

==Source==
The source code WTF is available here: [http://opensource.apple.com/source/WTFEmbedded/], tar available here [http://opensource.apple.com/tarballs/WTFEmbedded/WTFEmbedded-20.tar.gz]--[[User:Tobi|Tobi]] ([[User talk:Tobi|talk]]) 14:25, 15 January 2013 (UTC)

Talk:/Developer

2013-01-14T12:36:02Z

Tobi:

Has anyone patched the code? These "iOS Developer jailbreaks", Im thinking, is just that. --[[User:Haifisch|Haifisch]] ([[User talk:Haifisch|talk]]) 05:48, 10 January 2013 (UTC)

: Nope, that doesn't really work, already tried that. iMessage? (tobias@tim.pe) --[[User:Tobi|Tobi]] ([[User talk:Tobi|talk]]) 11:43, 10 January 2013 (UTC)
: According to the comments by Will Strafach on [http://code.google.com/p/chronicdev/wiki/DeveloperDiskImage here], this isn't exploitable. Even though the entry is old, I think this still applies. Of course I'd like him to be proven wrong. [[User:Martepato|--martepato]] ([[User talk:Martepato|talk]]) 13:24, 11 January 2013 (UTC)
:: Hmm I was just theorizing, It can add prefrencebundles and other files (Not to the FS). --[[User:Haifisch|Haifisch]] ([[User talk:Haifisch|talk]]) 22:24, 11 January 2013 (UTC)
:::Since the image is signed (look, there's a .signature in the folder), it can't be modified. It is getting mounted rw though afaik --[[User:Tobi|Tobi]] ([[User talk:Tobi|talk]]) 12:36, 14 January 2013 (UTC)

PurpleRestore

2013-01-11T14:51:29Z

Tobi: version fix, it said 782.11.80 before

{{Infobox software
| name = PurpleRestore
| title =
| logo = [[File:PurpleRestore logo.png]]
| screenshot = [[File:PurpleRestore.jpg|300px]]
| caption = PurpleRestore 783.11.80
| collapsible =
| author = Apple Inc.
| developer = Apple Inc.
| released =
| discontinued =
| latest release version = 783.12<br /><small>(latest ''known'' version)</small>
| latest release date =
| latest preview version =
| latest preview date =
| programming language =
| operating system = [[wikipedia:OS X|OS X]]
| platform =
| size = 3,397,535 bytes [APP] <small>(783.12)</small>
| language = [[wikipedia:English language|English]]
| status =
| genre = ?
| license = [[wikipedia:Proprietary software|Closed source]]
| website =
}}
{{float toc|left}}
'''PurpleRestore''' is a tool made by Apple and is used for flashing [[iDevices]]. Barely anything is known about it except that it provides far more customization than [[iTunes]]. PurpleRestore-783.12 is the latest known version, which can handle restores up to firmware 5.1.1.

Like [[iTunes]], [[PurpleRestore]] communicates with iDevices using a [[usbmux]] connection.

== Restore Bundles==
Unlike iTunes, PurpleRestore doesn't use [[IPSW File Format|IPSW]] files to restore devices. It uses "Restore Bundles" which can be obtained from <code>afp://fieldgoal.apple.com/RestoreImages/</code> and <code>afp://endzone.apple.com/OldRestoreImages/</code>. Unfortunately, the <code>afp</code> protocol can only be accessed through Apple's internal VPN.

However, you can create your own bundles by extracting an IPSW into a folder. The downside is that you don't get access to any internal/debugging stuff since it is a public firmware.

== Restore Components ==
Restore Components has several options:
* '''Restore Bundle''': Specify the bundle to use in restoring
* '''Firmware Directory''': Specify the folder where the [[LLB]], [[iBoot]], etc. [[IMG3 File Format|IMG3]] files are located.
* '''Ramdisk Image''': Specify a [[ramdisk]] to be used (i.e. [[Restore Ramdisk|restore]] or [[Update Ramdisk|update]] ramdisk)
* '''DFU''': Specify what tools to upload based on a selection of "Debug", "Development", or "Release". A specific file can also be selected.

== Restore Operations ==
Restore Operations contains the most options to configure. These may also be the most useful ones.

* '''Hardware Readiness'''
** '''Minimum Battery Charge (mV)''': This value controls the minimum charge level at which the restore will be allowed to continue. Below this threshold, we either wait to charge (if we're charging) or fail (if we're not charging). If this option is not specified, a default value is used (currently 3.8V). Setting this option to 0 bypasses all battery level checks.
** '''Wait for Minimum Charge''': If the current voltage is below the minimum level, then the default behavior is to let the device charge and then continue. This option overrides that behavior when false.
** '''Wait for Storage Device''': Controls whether the restore waits for the storage device /dev/disk0 to be available before the restore is initiated.
** '''Allow Untethered Restore''': Permit the restore to run untethered (not connected to a host). The result of specifying this option when the restore needs data from the host (for instance, when flashing NOR) is undefined (but probably bad). If this option is specified and the device remains tethered, things should proceed as usual.
* '''Storage Media'''
** '''Use LwVM''': Controls whether the device is formatted for LwVM (if supported).
** '''Repartition''': Controls whether a new partition map is created on the device.
** '''System Partition Size (MiB)''': Specifies the size (in mebibytes) that is desired for the system partition. Because the partition size can only be changed when creating a new partition map, this option is only relevant when used in conjunction with repartition. A size of 0 indicates that the restore library should choose a suitable size for you, based on the specific restore bundle and image being used if possible.
** '''Content Protection Type''': Controls the type of data protection used on the device.
** '''Low-Level Erase''': Do a low level erase (wipe with null or random data) of the entire storage device prior to restoring.
* '''Restore System Partition'''
** '''System Image''': Determines which type of system image to restore, or which file to use for the system image.
** '''Kernel Cache Type''': This option controls the kernel cache that gets installed on the device.
* '''Baseband'''
** '''Update Baseband''': Controls whether the [[baseband]] and baseband bootloader are updated as part of the restore.
** '''Force Update''': The baseband update is skipped when the existing firmware matches the available firmware. In some cases, it is desirable to force the firmware update to occur, regardless of what is currently on there. This option, when set to true, forces the update to be attempted.

== Restore OS ==
Restore OS options allow you to specify the following:
* '''Restore Boot-Args''': Boot-Args used when the Restore OS is loaded. By default those arguments are used: "debug=0x14e serial=3 rd=md0 nand-enable-reformat=1 -progress"
* '''Firmware Type:''' Specify the firmware which should be flashed when restoring. This can either be "Debug", "Factory FA", "Factory SA", "Firmware Development" or "Production".
* '''Boot Image Type:''' Can be "Internal", "User or Internal", "User" or "Update".
* '''Boot Kernel Cache:''' Specify whether the "Production" or "Development" kernel cache should be used.

== Restore Settings ==
By default, PurpleRestore comes with two pre-made restore settings. "Erase Install" and "Update Install". Those restore settings are [[PLIST File Format|plist]] files that define the options PurpleRestore will use when restoring a device.
* '''Erase Install''': Repartition the media and erase all data before restoring. Includes all internal development tools and updates flash and the baseband by default.
* '''Update Install''': Includes all internal development tools and updates flash and the baseband by default.

== Reverse Engineering ==
This specific code is from [[iTunes]] for OS X<sup>{{man|VERSION}}<sup>[what function?]</sup>. It detects if PurpleRestore is running so that it does not interfere with any operations that PurpleRestore is performing.

Off Virt Adr Instruction AT&T Syntax Intel Syntax Comment

+354 003d7808 c70424bc01d700 movl $0x00d701bc, (%esp) mov [esp], 0x00d701bc ; "com.apple.PurpleRestore"
+361 003d780f e80c65c3ff calll 0x10000dd20 call 0x10000dd20 ; is specified bundle running
+366 003d7814 84c0 testb %al,%al test al, al
+368 003d7816 7409 jz 0x003d7821 jz short 0x003d7821 ; if so, PurpleRestore is running
+370 003d7818 c704246c8ba400 movl $0x00a48b6c, (%esp) mov [esp], 0x00a48b6c ; so ignore device,
+377 003d781f ebd3 jmp 0x003d77f4 jmp short 0x003d77f4 ; and jump back above loop for next device
+379 003d7821 8d5de0 leal 0xe0(%ebp), %ebx lea ebx, [ebp + 0xe0]
+382 003d7824 895c2404 movl %ebx, 0x04(%esp) mov [esp + 4], ebx

[[Category:Software]]

Talk:/Developer

2013-01-10T11:43:49Z

Tobi:

/private/etc/hosts

2013-01-09T10:17:59Z

Tobi: Created page with "The hosts file (normally found at /etc/hosts on *nix systems) is responsible for locally overwriting DNS resolution. This can be useful when you're trying to e.g. block specif..."

The hosts file (normally found at /etc/hosts on *nix systems) is responsible for locally overwriting DNS resolution. This can be useful when you're trying to e.g. block specific hosts (ad-delivery servers) or for development and experimentation (Siri proxys, etc.).
It's also used to define the localhost DNS name for the local device.

== Parents ==
{{parent|private|etc}}

[[Category:Filesystem]]

/private/etc

2013-01-09T09:05:56Z

Tobi: Added hosts and (master.)passwd files

Limera1n

2013-01-03T14:47:28Z

Tobi: /* External Links */

{{lowercase}}
[[Image:Ra1ndrop.png|right]]
''' limera1n''' is [[User:Geohot|geohot]]'s [[jailbreak]] utility. It uses an undisclosed bootrom exploit and [[User:Comex|comex]]'s [[Packet Filter Kernel Exploit]] to achieve an [[untethered jailbreak]] on newer devices. The following devices are supported:
* [[n88ap|iPhone 3GS]]
* [[n90ap|iPhone 4 (GSM)]]
* [[n18ap|iPod touch 3G]]
* [[n81ap|iPod touch 4G]]
* [[k48ap|iPad 1G]]
* [[k66ap|Apple TV 2G]] (creates a bare-bones jailbreak by mounting '/' as read/write in /etc/fstab)
limera1n has been demonstrated multiple times by [[User:Geohot|geohot]], using blog posts on his now private blog. [[User:Geohot|Geohot]] showed off a high-res picture of [http://1.bp.blogspot.com/_NJ4JFBfr1tY/TDgkAsTQEmI/AAAAAAAAAcw/ZNHDxMNNL4Y/s1600/iphone4.png Cydia on an iPhone 4]. He displayed an [http://www.youtube.com/watch?v=__TR86PLiHw iPod touch 3G with an untethered jailbreak] that met [[User:MuscleNerd|MuscleNerd]]'s requirements for a good video. In addition, he took a picture of [http://4.bp.blogspot.com/_NJ4JFBfr1tY/S7_OvGMqJMI/AAAAAAAAAcE/R5WLrCizGw0/s1600/ipad_jb.jpg Cydia and blackra1n icons on an iPad].

* '''Release Date:''' [[Timeline#October|October 9, 2010]]
* '''Supported OS's:''' Mac OS X, Windows
* '''Supported Operations:''' [[hacktivation]], [[jailbreak]]ing
* '''Supported iOS: 3.2.2-4.1

== Release text ==
<div style="text-align: center">limera1n, 6 months in the making<br />
iPhone 3GS, iPod Touch 3G, iPad, iPhone 4, iPod Touch 4G<br />
4.0-4.1 and beyond+++<br />
limera1n is unpatchable<br />
untethered thanks to jailbreakme star '''comex'''<br />
brought to you by '''geohot'''<br />
hacktivates<br />
Mac coming in 7 years<br />
donations keep support alive<br />
zero pictures of my face</div>

== Credit ==
* '''[[User:Geohot|geohot]]''' - The program itself, and the bootrom exploit.
* '''[[User:Comex|comex]]''' - The userland exploit that allows limera1n to run [[untethered jailbreak|untethered]].

== Changelog ==
{| class="wikitable"
|-
| <div style="text-align: center">'''Version'''</div>
| <div style="text-align: center">'''Release time'''</div>
| <div style="text-align: center">'''MD5 Hash'''</div>
| <div style="text-align: center">'''Change comment'''</div>
|-
| BETA 1
| 9 Oct 2010 XX:XX GMT
| 2f2b09a6ed5c5613d5361d8a9d0696b6
| First release.
|-
| BETA 2
| 10 Oct 2010 XX:XX GMT
| a70dccb3dfc0e505687424184dc3d1ce
| Fixed kernel patching magic. Rerun BETA2+ over BETA1.
|-
| BETA 3
| 10 Oct 2010 XX:XX GMT
| 81730090f7de1576268ee8c2407c3d35
| Fixed an issue with [[N88ap|iPhone 3GS]] ([[Bootrom 359.3.2|new bootrom]])
|-
| BETA 4
| 10 Oct 2010 XX:XX GMT
| d901c4b3a544983f095b0d03eb94e4db
| Uninstall fixed, respring fixed
|-
| RC1
| 11 Oct 2010 XX:XX GMT
| 0622d99ffe4c25f75c720a689853845f
| out of beta! afc2, reliability improvements, no reboot for cydia, 2kb smaller
|-
| RC1b
| 11 Oct 2010 XX:XX GMT
| fc6f7d696a57c3baede49bdff8a7f43f
| addresses an install issue, mainly with iPads
|-
| Final
| 11 Oct 2010 23:XX GMT
| fc6f7d696a57c3baede49bdff8a7f43f
| (same as RC1b)
|}

== Technical Information ==
=== Basics ===
* limera1n has nothing to do with [[SHA-1 Image Segment Overflow|SHAtter]] at all.
* limera1n uses a [[bootrom]] exploit to achieve the [[tethered jailbreak]] and unsigned code execution.
* limera1n uses a [[userland]] exploit to make it [[untethered]], which was developed by [[User:Comex|comex]].
* limera1n uses a hacktivation dylib to perform [[hacktivation]].

=== Exploits ===
limera1n reuses the [[Usb_control_msg(0x21,_2)_Exploit|usb_control_msg(0x21,2)]] but exploits a different vulnerability (see [[Limera1n Exploit]]).

=== Process ===
The jailbreak appears to execute something like the following (in no particular order):
* In recovery1,
"setenv debug-uarts 1
setenv auto-boot false
saveenv"
* In [[DFU Mode]], it uploads a [[payload]].
* In recovery2, it uploads another [[payload]] and its [[ramdisk]].
"setenv auto-boot true
reset
geohot done"

=== Interesting Messages ===
"geohot black is the new purple"

"blackra1n start: %d current IRQ mask is %8.8X
usb irq disabled...shhh
fxns found @ %8.8X %8.8X
found iBoot @ %8.8X
i'm back from IRQland...
3g detected, kicking nor
nor kicked
memcpy done
iBoot restored!!!
found command table @ %8.8X
cmd_geohot added
time to pray...%8.8X"

"2.2X send command(%d): %s
send exploit!!!
sent data to copy: %X
sent shellcode: %X has real length %X
never freed: %X
sent fake data to timeout: %X
sent exploit to heap overflow: %X
sending file with length: 0x%X Mingw runtime failure:
VirtualQuery failed for %d bytes at address %p Unknown pseudo relocation protocol version %d.
Unknown pseudo relocation bit size %d."

== Controversy ==
The release of this jailbreak was specifically designed to pressure [[Chronic Dev (team)]] into not releasing [[SHA-1 Image Segment Overflow|SHAtter]], but to instead implement the limera1n exploit into [[Greenpois0n (jailbreak)|greenpois0n]]; after releasing limera1n, releasing [[SHA-1 Image Segment Overflow|SHAtter]] would uselessly disclose another bootrom exploit to Apple.

[[User:Geohot|Geohot]]'s rationale is that Apple already discovered, through internal testing, the limera1n exploit, making it very likely that it will be fixed in the next bootrom revision. Because [[iBoot]] code is present both in the bootrom and firmware, and because firmware is refreshed much more often than bootrom code, any fix in this code branch would appear first in firmware. [[User:Geohot|Geohot]] observed his limera1n exploit was closed in firmware and concluded that it would almost certainly be fixed in the next bootrom revision, whereas [[SHA-1 Image Segment Overflow|SHAtter]] still has a chance of remaining useful for an indefinite amount of time. In the [[iPad 2]], the exploit is indeed fixed, and the limera1n exploit is not present. It was fixed before the release of limera1n according to the build number. This has been confirmed by [[User:posixninja|p0sixninja]].

limera1n's [[Untethered jailbreak|untethered]] userland exploit for iOS 4.0 and 4.1 was obtained by [[User:Geohot|geohot]] under questionable circumstances from [[User:Comex|comex]]. [[User:Comex|Comex]] did end up fixing the kernel patching code by beta2, so as to not break users' devices.

== Hacktivation ==
limera1n will copy hacktivation.dylib to [[:/usr/lib]] and change entries to com.apple.mobile.lockdown.plist, whether it has been activated using iTunes or not. This, while helpful to many, can also be harmful to legitimate activators. For a guide on how to remove this hacktivation on iTunes activated devices, see the link below.

== External Links ==
* [http://limera1n.com/ Official domain]
* [http://theiphonewiki.com/limera1n The iPhone Wiki Mirror]
* [http://www.mediafire.com/?5sovoo41rbcdspw Limera1n RC Beta2 Dump on Mediafire provided by iH8sn0w.]
* [http://www.pastie.org/1210054 Veeence's explanation for release]
* [http://www.hackint0sh.org/blackra1n-3g-s-jailbreak-220/how-removing-blackra1n-limera1n-hacktivation-130992.htm Hacktivation removal guide.]

[[Category:Hacking Software]]
[[Category:Jailbreaks]]

Talk:Switchboard (App Store)

2012-11-27T23:15:52Z

Tobi: fixed 5urd's typo

== Token ==
I'm guessing nobody has access to a token? Anyway to get one, besides getting a job at apple. --[[User:Dylan Laws|Dylan Laws]] 18:57, 5 April 2012 (MDT)
:Probably not. --[[User:JonathanSeals|JonathanSeals]] 19:20, 5 April 2012 (MDT)
:: Lol Jon, look at your formatting! --[[User:Dylan Laws|Dylan Laws]] 19:52, 5 April 2012 (MDT)

== Download ==
Please, has anyone got the Switchboard app? I would like it, but the App Store link doesn't word anymore... Anyway, could I use it on my device with my normal Apple Developer Account, or do I have to be an Apple Employee? Thanks a lot! --[[User:Jaggions|Jaggions]] 08:37, 9 August 2012 (MDT)
:I downloaded it from the AppStore a while ago and have a copy, if you want it. --[[User:Srb21103|Srb21103]]
::That would require an app that will not be named to remove the Code Signing on it. --[[User:5urd|5urd]] 17:34, 9 August 2012 (MDT)
:::What do you mean? --[[User:Jaggions|Jaggions]] 09:35, 27 November 2012 (MST)
::::Apps are signed to the account they were purchased from (even free ones), so just giving him the IPA won't do him any good until he authorizes his computer with your account. He could also go the AppSync way, but we do not condone any piracy acts or apps/tweaks associated with piracy, excluding generic stuff including, but not limited to, [[Cydia.app|Cydia]]. --[[User:5urd|5urd]] 12:34, 27 November 2012 (MST)
:::::Or I can simply install it by iPhone Configuration Utility without any piracy :) --[[User:Jaggions|Jaggions]] 13:18, 27 November 2012 (MST)

Talk:OTA Updates

2012-11-26T15:05:02Z

Tobi:

== Encryption ==
Are the updates encrypted in any way ([[VFDecrypt]]?) --[[User:5urd|5urd]] 18:31, 30 August 2011 (MDT)
:No. Just regular Zips. --[[User:M2m|M2m]] 22:36, 30 August 2011 (MDT)
:Only NOR payloads and RAM disks are encrypted, rest of the "asset" is unencrypted --pjakuszew 04:19, 31 August 2011 (MDT)
::But if you need to update iTunes to 'decrypt' the newest firmware (as iTunes contains the 'password' to do so), then that means that the encrypted stuff has a 'password' that is somewhere on the file system. Maybe if we could access it, we could get them. (maybe disassembling iTunes could get us them also :D) --[[User:5urd|5urd]] 11:12, 31 August 2011 (MDT)
:::iTunes doesn't contain any "passwords" 5urd. Everything is done on the device and usually uses the device's built in hardware AES crypt keys. -- [[User:iH8sn0w|iH8sn0w]] 13:32, 31 August 2011 (EST)
::::Dang, but then why do we need to update iTunes to update our device? --[[User:5urd|5urd]] 11:35, 31 August 2011 (MDT)
:::::Its purpose is to send out firmware files to the device, and only that. --pjakuszew 11:36, 31 August 2011 (MDT)
::::::I still don't get the point of updating iTunes (other than avoiding an error) --[[User:5urd|5urd]] 11:45, 31 August 2011 (MDT)
:::::::Updating is required because of incompatibilites with newer iOS versions. I think it's about Fairplay and encryption of iPod library database. Another example is support of new hardware; how would you update a 3GS with iTunes 7.5? --pjakuszew 11:56, 31 August 2011 (MDT)
::::::::Ok, that makes sense. Thanks! --[[User:5urd|5urd]] 12:14, 31 August 2011 (MDT)

== Tracker ==
Anyone into making a watchguard that tracks mesu.apple.com for changes (and records them)? --[[User:M2m|M2m]] 00:55, 12 November 2011 (MST)
:I did a [http://cole.freehostingcloud.com/scripts/Apple%20OTA%20Update%20Checker.php crude one]. It works by comparing against a list of already done URLs in an array --[[User:5urd|5urd]] 13:16, 12 November 2011 (MST)
:::I would just curl --user-agent="softwareupdateservicesd (unknown version) CFNetwork/539 Darwin/11.0.0" http://mesu.apple.com/assets/com_apple_MobileAsset_SoftwareUpdate/com_apple_MobileAsset_SoftwareUpdate.xml -o OTA.xml and pipe it into shasum. In case shasum change, save as new version with date and time (and display)... --[[User:M2m|M2m]] 19:00, 12 November 2011 (MST)
::::One problem with that is that I can't test it on my computer here at my house as I am on windows. To test it with curl I would need to upload it to my website. What I did was open a connection with fsockopen(), sent some request headers, then read the response to a string. After that, I parsed the [[PLIST File Format|plist]] to an array. Unfortunately, the parser leaves some artifacts on the hash as it is a compressed hash. So I decided to use the file location instead. It still works pretty well. I had to remove the URL form area as it messed with the array in unwanted ways. I am working on moving it from an array to just line by line URLs preventing the failure as I just append the line to it. When I finish it, I will post the code on [http://cole.freehostinglcoud.com/cms/Scripts:PHP/Apple_OTA_Update_Checker my website]. --[[User:5urd|5urd]] 21:43, 12 November 2011 (MST)
::::: curl is avialable for windows[http://curl.haxx.se/download.html] --[[User:M2m|M2m]] 04:43, 13 November 2011 (MST)
:::::: doesn't matter, it already works and spits out a nice table. --[[User:5urd|5urd]] 16:05, 13 November 2011 (MST)
::::::: So is your tracker available online already ? --[[User:M2m|M2m]] 19:59, 26 November 2011 (MST)
:::::::: Yes. When you add a link to the wiki, you can add it to the textbox one per line and click submit and it wont show up again. --[[User:5urd|5urd]] 13:37, 27 November 2011 (MST)
:::::::: [http://pastie.org/2930838 Spammers]. It doesn't work because it works like this:
for (
$i = 0;
$i < sizeof(array_keys($plist['Assets']));
$i++)
{
if (
!in_array(
$plist['Assets'][$i]['__BaseURL'] . $plist['Assets'][$i]['__RelativePath'],
$usedurls)
)
{
// Output table
}
}
:::::::: --[[User:5urd|5urd]] 17:34, 27 November 2011 (MST)
::::::::: Should do the trick to make a backup of OTA.xml's whenever there is a change
#!/bin/bash
SHA_OLD=1
while true; do
SHA_CUR=$(curl --user-agent 'softwareupdateservicesd (unknown version) CFNetwork/539 Darwin/11.0.0' http://mesu.apple.com/assets/com_apple_MobileAsset_SoftwareUpdate/com_apple_MobileAsset_SoftwareUpdate.xml | shasum)

if [ "$SHA_OLD" = "$SHA_CUR" ]; then
echo nothing to do
else
NOW=$(date +"%F")
NOWT=$(date +"%T")
echo download
curl --user-agent 'softwareupdateservicesd (unknown version) CFNetwork/539 Darwin/11.0.0' http://mesu.apple.com/assets/com_apple_MobileAsset_SoftwareUpdate/com_apple_MobileAsset_SoftwareUpdate.xml -o OTA_$NOW-$NOWT.xml

SHA_OLD=$(curl --user-agent 'softwareupdateservicesd (unknown version) CFNetwork/539 Darwin/11.0.0' http://mesu.apple.com/assets/com_apple_MobileAsset_SoftwareUpdate/com_apple_MobileAsset_SoftwareUpdate.xml | shasum)
fi
sleep 600
done
:::::::::--[[User:M2m|M2m]] 08:33, 24 March 2012 (MDT)

== Carrier Beta ==
What is a carrier beta? --[[User:5urd|5urd]] 18:33, 9 January 2012 (MST)
:Most likely a beta for carrier provisions. --[[User:Rdqronos|rdqronos]] 16:19, 26 March 2012 (MDT)
:: <code>-_-</code> --[[User:5urd|5urd]] 14:33, 21 July 2012 (MDT)

== Applying .patch files from OTA updates ==
Hey guys, has anyone successfully "patched" a file with a .patch file from the "patches" folder of an OTA update? I am trying to do this and can't get it to work. I have tried on OS X, iOS, and Linux, with multiple different patches, and always get the same error:<br />
patch: **** Only garbage was found in the patch input.
With --verbose option:
Hmm... I can't seem to find a patch in there anywhere.
I understand from some research that common .patch files have a certain syntax to them, bu I have looked inside these .patch files (using a text editor) and they never contain any readable text (even a .txt.patch file). This leads me to believe that iOS uses a specific and exclusively designed version of Patch. If so, how would I make use of that?<br />
Ideally I would patch the files on-device via SSH, as I am developing something yet-to-be-announced which would need to do so automatically. If needed, it could alternatively be done using Mac OS X or Linux.<br />
I would greatly appreciate any help, --[[User:ValleyForge|ValleyForge]] 23:12, 28 June 2012 (MDT)
:I'd like to help, but I need to learn :P --[[User:Dylan Laws|Haifisch]] 21:49, 5 July 2012 (MDT)
::I actually figured it out, you have to use the bspatch command which is available on iOS, Mac OS X, Linux, and Windows :) --[[User:ValleyForge|ValleyForge]] 22:59, 5 July 2012 (MDT)
:::Fancy wanna iMessage me and we can brain storm what good can come out of this. Maybe a jailbreak technique ;) --[[User:Dylan Laws|Haifisch]] 10:21, 6 July 2012 (MDT)
::::Quick note: all OTA updates are signed with a private key owned by Apple. Unless you get into that department of Apple, you can't sign them without brute force. --[[User:5urd|5urd]] 12:09, 6 July 2012 (MDT)

== File Names ==
Does anyone have the slightest on how Apple names their files? It looks like a hash that is 20 bytes long (40 hex chars/160 bits). From [[wikipedia:List of hash functions|this list]], there are a few like that, but none that I have heard of. --[[User:5urd|5urd]] 14:32, 21 July 2012 (MDT)
: Should be the SHA-1 of the file.--[[User:M2m|M2m]] 21:14, 21 July 2012 (MDT)

== Resequence? and deleting files? ==
# In most updates there are "added", "patches", and "replace" folders in the payload folder. In the iOS 6.0 updates, there is a folder among those named "resequence". What does this do? Currently the only file contained in the resequence folder is the dyld cache.
# How do OTA updates control which/whether files are deleted? Where is it specified which files are deleted, or do they delete files at all?
--[[User:ValleyForge|ValleyForge]] 23:55, 29 September 2012 (MDT)

== Documentation ==
Someone should make a page with the documentation links, here's the XML: http://mesu.apple.com/assets/com_apple_MobileAsset_SoftwareUpdateDocumentation/com_apple_MobileAsset_SoftwareUpdateDocumentation.xml --[[User:Srb21103|Srb21103]] 20:16, 20 November 2012 (MST)
:I was wondering where the documentation was retrieved from… I don't think it needs a new page, but I think it can be easily added onto this page as a new column. --[[User:Dialexio|<span style="color:#C20; font-weight:normal;">Dialexio</span>]] 20:04, 24 November 2012 (MST)

== Exploits ==
I'm interested in this stuff also. I have a sense there's an exploit here somewhere, but I haven't had time to look into it --[[User:Posixninja|posixninja]] 17:18, 22 November 2012 (MST)
:Their would definitely be an exploit, but it'd be fairly easily patched by Apple. You're best looking for a bootrom exploit. --[[User:Srb21103|Srb21103]] 19:48, 22 November 2012 (MST)
::Removing the signing checks would be a big achievement because we could have jail broken OTA Updates by patching out the kernel and some files in the package. --[[User:5urd|5urd]] 20:32, 22 November 2012 (MST)
:I've been examining the Settings app, kernel, and appropriate frameworks, but I haven't found anything. It is however obvious that the package contents are signed. --[[User:5urd|5urd]] 20:32, 22 November 2012 (MST)
:I set up a fake mesu.apple.com server for testing, but it seems that even the plist is somehow signed. After changing a single letter in the plist, iOS says something about having a connection problem when trying to fetch it. --[[User:Tobi|Tobi]] 11:00, 26 November 2012 (CEST)
::The Plist contains a certificate and a signature section at the bottom - so obviously this takes care that a plist can not be modified by just anyone.--[[User:M2m|M2m]] 05:27, 26 November 2012 (MST)
:::LOL, stupid me for not actually looking at the file. Although I found the source of the thing that signs these files [http://www.opensource.apple.com/source/Security/Security-55163.44/sec/Security/SecPolicyPriv.h?txt]
Look for the function called SecPolicyCreateMobileAsset --[[User:Tobi|Tobi]] 16:04, 26 November 2012 (CEST)

User:Tobi

2012-11-26T10:06:12Z

Tobi: Created page with "iOS hacker / web dev == Links == [http://twitter.com/tt @tt on Twitter]<br> [http://facebook.com/tobiastimpe Facebook]<br><br> [http://tobiastimpe,de Everything else | contact ..."

iOS hacker / web dev

== Links ==

[http://twitter.com/tt @tt on Twitter]<br>
[http://facebook.com/tobiastimpe Facebook]<br><br>
[http://tobiastimpe,de Everything else | contact info]

Talk:OTA Updates

2012-11-26T10:00:57Z

Tobi: