Difference between revisions of "MobileInstallation"

From The iPhone Wiki
Jump to: navigation, search
(Signature Check: Rewritten. "unsigned applications (and consequently, pirated applications)" sounds like assuming everyone is doing this for warez)
Line 2: Line 2:
   
 
== Signature Check ==
 
== Signature Check ==
There is a check in place to make sure that only applications signed by Apple '''can even be put on the device''', let alone run (the kernel decides whether the application can run or not). There has been a patch put out by an anonymous hacker that makes it so unsigned applications (and consequently, pirated applications) can be put on the device. We do not endorse any kind of piracy at The iPhone Wiki, but then again, the codesigning patches to the [[kernel]] via a [[jailbreak]] are in the same nature as this, only this allows loading a custom [[IPA]] from iTunes. The aforementioned kernel patch will allow the application to actually execute.
+
There is a check in place to make sure that only applications signed by Apple '''can even be put on the device''', let alone run (the kernel decides whether the application can run or not). Over different iOS releases (since 2.2.1?), various hackers have patched out the signature verification so that unsigned applications can be put on the device.
  +
  +
The difference between [[MobileInstallation]] and [[kernel]] patches is that the former will allow unsigned [[IPAs|IPA]] to be installed through iTunes, the later will allow the application to actually execute.
  +
''(Please note that piracy-related discussions are not allowed at The iPhone Wiki.)''
   
 
== 3GS 3.0 patch to build and go ==
 
== 3GS 3.0 patch to build and go ==

Revision as of 12:53, 6 August 2011

This is the framework that takes care of installing AppStore applications.

Signature Check

There is a check in place to make sure that only applications signed by Apple can even be put on the device, let alone run (the kernel decides whether the application can run or not). Over different iOS releases (since 2.2.1?), various hackers have patched out the signature verification so that unsigned applications can be put on the device.

The difference between MobileInstallation and kernel patches is that the former will allow unsigned IPA to be installed through iTunes, the later will allow the application to actually execute. (Please note that piracy-related discussions are not allowed at The iPhone Wiki.)

3GS 3.0 patch to build and go

0x4562 -- 02 46 -> 00 20
0x856E -- 05 46 -> 00 20

Disassembly of patch

__text:33244E70             loc_33244E70                            ; CODE XREF:  _MobileInstallationInstall+C84�j
__text:33244E70 00 10 A0 E3                 MOV     R1, #0          ; Rd = Op2
__text:33244E74 D1 26 01 EB                 BL      _MISValidateSignature ; Branch with Link
__text:33244E78 00 20 50 E2                 SUBS    R2, R0, #0      ; Rd = Op1 - Op2
__text:33244E7C 02 40 A0 01                 MOVEQ   R4, R2          ; Rd = Op2
__text:33244E80 05 00 00 0A                 BEQ     loc_33244E9C    ; Signature is valid :D
__text:33244E80                                                     ; Let us go on our merry way!
__text:33244E84 F0 04 9F E5                 LDR     R0, =(___FUNCTION__.14568 - 0x33244E94) ; Load from Memory
__text:33244E88 F0 14 9F E5                 LDR     R1, =(aCouldNotValida - 0x33244E98) ; Load from Memory
__text:33244E8C 00 00 8F E0                 ADD     R0, PC, R0      ; "verify_executable"
__text:33244E90 01 10 8F E0                 ADD     R1, PC, R1      ; "Could not validate signature: %x"
__text:33244E94 34 E6 FF EB                 BL      _installlog     ; Branch with Link
__text:33244E98 00 40 E0 E3                 MVN     R4, #0          ; Uh oh. This will put -1 in R4.
__text:33244E98                                                     ; This will surely impact us later on.
__text:33244E98                                                     ;
__text:33244E98                                                     ; As a side note, you can easily make R4 = 0.
__text:33244E98                                                     ; Simply change this MVN to MOV!
__text:33244E98                                                     ;
__text:33244E98                                                     ; Patch in hex:
__text:33244E98                                                     ; 00 40 E0 E3 (Before)
__text:33244E98                                                     ; - changed to -
__text:33244E98                                                     ; 00 40 EA E3 (After)
__text:33244E98                                                     ;
__text:33244E98                                                     ; So basically, this is what we now have:
__text:33244E98                                                     ; Valid signature - R4=0
__text:33244E98                                                     ; Invalid signature - R4=-1
__text:33244E98                                                     ; Invalid signature w/ MOV patch - R4=0
__text:33244E9C
__text:33244E9C             loc_33244E9C                            ; CODE XREF:  _MobileInstallationInstall+D44�j
__text:33244E9C 05 00 A0 E1                 MOV     R0, R5          ; Rd = Op2
__text:33244EA0 6E 26 01 EB                 BL      _CFRelease      ; Branch with Link
__text:33244EA4 00 00 54 E3                 CMP     R4, #0          ; ohai. is R4 = 0?
__text:33244EA4                                                     ; If the sig is valid, then it should be.
__text:33244EA4                                                     ; If it is invalid, then it should not.
__text:33244EA4                                                     ; If the above MVN is patched to MOV, then it should be
__text:33244EA8 1B 04 00 0A                 BEQ     loc_33245F1C    ; Is the signature valid?
__text:33244EA8                                                     ; Or to make more sense in our case:
__text:33244EA8                                                     ; Is R4 really = 0?
__text:33244EA8                                                     ;
__text:33244EA8                                                     ; If the MVN > MOV patch is done,
__text:33244EA8                                                     ; R4 will be equal to 0.
__text:33244EA8                                                     ;
__text:33244EA8                                                     ; So basically, what we just patched made it pass the test,
__text:33244EA8                                                     ; even though the signature is not valid :P