Difference between revisions of "Talk:OTA Updates"
| Line 3: | Line 3: | ||
:No. Just regular Zips. --[[User:M2m|M2m]] 22:36, 30 August 2011 (MDT) |
:No. Just regular Zips. --[[User:M2m|M2m]] 22:36, 30 August 2011 (MDT) |
||
:Only NOR payloads and RAM disks are encrypted, rest of the "asset" is unencrypted --pjakuszew 04:19, 31 August 2011 (MDT) |
:Only NOR payloads and RAM disks are encrypted, rest of the "asset" is unencrypted --pjakuszew 04:19, 31 August 2011 (MDT) |
||
| − | ::But if you need to update iTunes to 'decrypt' the newest firmware (as iTunes contains the 'password' to do so), then that means that the encrypted stuff has a 'password' that is somewhere on the file system. Maybe if we could access it, we could get them. (maybe disassembling iTunes could get us them also :D) --[[User:5urd|5urd]] 11:12, 31 August 2011 (MDT) |
||
| − | :::iTunes doesn't contain any "passwords" 5urd. Everything is done on the device and usually uses the device's built in hardware AES crypt keys. -- [[User:iH8sn0w|iH8sn0w]] 13:32, 31 August 2011 (EST) |
||
| − | ::::Dang, but then why do we need to update iTunes to update our device? --[[User:5urd|5urd]] 11:35, 31 August 2011 (MDT) |
||
| − | :::::Its purpose is to send out firmware files to the device, and only that. --pjakuszew 11:36, 31 August 2011 (MDT) |
||
| − | ::::::I still don't get the point of updating iTunes (other than avoiding an error) --[[User:5urd|5urd]] 11:45, 31 August 2011 (MDT) |
||
| − | :::::::Updating is required because of incompatibilites with newer iOS versions. I think it's about Fairplay and encryption of iPod library database. Another example is support of new hardware; how would you update a 3GS with iTunes 7.5? --pjakuszew 11:56, 31 August 2011 (MDT) |
||
| − | ::::::::Ok, that makes sense. Thanks! --[[User:5urd|5urd]] 12:14, 31 August 2011 (MDT) |
||
== Tracker == |
== Tracker == |
||
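Review bot: the seven removed lines under Encryption are signed replies from 5urd, iH8sn0w and pjakuszew dated 31 August 2011, and this hunk deletes them outright with nothing added in their place. They hold the only statements in the section that decryption happens on the device with its hardware AES keys and that iTunes only sends firmware files to the device, so restore them or move them to an archive subpage and link it instead of dropping the thread.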
| Line 96: | Line 89: | ||
:::LOL, stupid me for not actually looking at the file. Although I found the source of the thing that [http://www.opensource.apple.com/source/Security/Security-55163.44/sec/Security/SecPolicyPriv.h signs the files]. Look for the function called SecPolicyCreateMobileAsset --[[User:Tobi|Tobi]] 16:04, 26 November 2012 (CEST) |
:::LOL, stupid me for not actually looking at the file. Although I found the source of the thing that [http://www.opensource.apple.com/source/Security/Security-55163.44/sec/Security/SecPolicyPriv.h signs the files]. Look for the function called SecPolicyCreateMobileAsset --[[User:Tobi|Tobi]] 16:04, 26 November 2012 (CEST) |
||
::::A header file isn't going to do us much good. Maybe something along the lines of the [http://www.opensource.apple.com/source/Security/Security-55179.1/sec/Security/SecPolicy.c actual source itself]? |
::::A header file isn't going to do us much good. Maybe something along the lines of the [http://www.opensource.apple.com/source/Security/Security-55179.1/sec/Security/SecPolicy.c actual source itself]? |
||
| + | SecPolicyRef SecPolicyCreate(CFStringRef oid, CFDictionaryRef options) { |
||
| + | SecPolicyRef result = NULL; |
||
| + | |||
| + | require(oid, errOut); |
||
| + | require(options, errOut); |
||
| + | require(result = |
||
| + | (SecPolicyRef)_CFRuntimeCreateInstance(kCFAllocatorDefault, |
||
| + | SecPolicyGetTypeID(), |
||
| + | sizeof(struct __SecPolicy) - sizeof(CFRuntimeBase), 0), errOut); |
||
| + | |||
| + | CFRetain(oid); |
||
| + | result->_oid = oid; |
||
| + | CFRetain(options); |
||
| + | result->_options = options; |
||
| + | |||
| + | errOut: |
||
| + | return result; |
||
| + | } |
||
| + | static bool SecPolicyAddAppleCertificationAuthorityOptions(CFMutableDictionaryRef options, bool honorValidity) |
||
| + | { |
||
| + | bool success = false; |
||
| + | |||
| + | if (honorValidity) |
||
| + | SecPolicyAddBasicX509Options(options); |
||
| + | else |
||
| + | SecPolicyAddBasicCertOptions(options); |
||
| + | |||
| + | #if 0 |
||
| + | CFDictionaryAddValue(options, kSecPolicyCheckKeyUsage, |
||
| + | kCFBooleanTrue); |
||
| + | CFDictionaryAddValue(options, kSecPolicyCheckExtendedKeyUsage, |
||
| + | kCFBooleanTrue); |
||
| + | #endif |
||
| + | |||
| + | /* Basic X.509 policy with the additional requirements that the chain |
||
| + | length is 3, it's anchored at the AppleCA and the leaf certificate |
||
| + | has issuer "Apple iPhone Certification Authority". */ |
||
| + | CFDictionaryAddValue(options, kSecPolicyCheckIssuerCommonName, |
||
| + | CFSTR("Apple iPhone Certification Authority")); |
||
| + | |||
| + | require(SecPolicyAddChainLengthOptions(options, 3), errOut); |
||
| + | require(SecPolicyAddAppleAnchorOptions(options), errOut); |
||
| + | |||
| + | success = true; |
||
| + | |||
| + | errOut: |
||
| + | return success; |
||
| + | } |
||
static SecPolicyRef SecPolicyCreateAppleCertificationAuthorityPolicy(CFStringRef policyOID, CFStringRef leafName, bool honorValidity) |
static SecPolicyRef SecPolicyCreateAppleCertificationAuthorityPolicy(CFStringRef policyOID, CFStringRef leafName, bool honorValidity) |
||
{ |
{ |
||
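Review bot: the added block pastes SecPolicyCreate and SecPolicyAddAppleCertificationAuthorityOptions directly under the unsigned reply "A header file isn't going to do us much good", with no line saying which file and version the code was copied from. Add a one-line attribution above the code (the reply links Security-55179.1/sec/Security/SecPolicy.c) and sign the reply. A short remark that the kSecPolicyCheckKeyUsage and kSecPolicyCheckExtendedKeyUsage options sit inside #if 0 in this excerpt would also help, since readers skimming the paste can miss that they are compiled out.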
Revision as of 01:29, 27 November 2012
Encryption
Are the updates encrypted in any way (VFDecrypt?) --5urd 18:31, 30 August 2011 (MDT)
- No. Just regular Zips. --M2m 22:36, 30 August 2011 (MDT)
- Only NOR payloads and RAM disks are encrypted, rest of the "asset" is unencrypted --pjakuszew 04:19, 31 August 2011 (MDT)
Tracker
Anyone into making a watchguard that tracks mesu.apple.com for changes (and records them)? --M2m 00:55, 12 November 2011 (MST)
- I did a crude one. It works by comparing against a list of already done URLs in an array --5urd 13:16, 12 November 2011 (MST)
- I would just curl --user-agent="softwareupdateservicesd (unknown version) CFNetwork/539 Darwin/11.0.0" http://mesu.apple.com/assets/com_apple_MobileAsset_SoftwareUpdate/com_apple_MobileAsset_SoftwareUpdate.xml -o OTA.xml and pipe it into shasum. In case shasum change, save as new version with date and time (and display)... --M2m 19:00, 12 November 2011 (MST)
- One problem with that is that I can't test it on my computer here at my house as I am on windows. To test it with curl I would need to upload it to my website. What I did was open a connection with fsockopen(), sent some request headers, then read the response to a string. After that, I parsed the plist to an array. Unfortunately, the parser leaves some artifacts on the hash as it is a compressed hash. So I decided to use the file location instead. It still works pretty well. I had to remove the URL form area as it messed with the array in unwanted ways. I am working on moving it from an array to just line by line URLs preventing the failure as I just append the line to it. When I finish it, I will post the code on my website. --5urd 21:43, 12 November 2011 (MST)
    for (
        $i = 0;
        $i < sizeof(array_keys($plist['Assets']));
        $i++)
    {
        if (
            !in_array(
                $plist['Assets'][$i]['__BaseURL'] . $plist['Assets'][$i]['__RelativePath'],
                $usedurls)
        )
        {
            // Output table
        }
    }
- --5urd 17:34, 27 November 2011 (MST)
- Should do the trick to make a backup of OTA.xml's whenever there is a change
    #!/bin/bash
    # Poll the OTA asset catalogue every 10 minutes and keep a dated copy
    # whenever its SHA-1 differs from the last one seen.
    SHA_OLD=1
    while true; do
        SHA_CUR=$(curl --user-agent 'softwareupdateservicesd (unknown version) CFNetwork/539 Darwin/11.0.0' http://mesu.apple.com/assets/com_apple_MobileAsset_SoftwareUpdate/com_apple_MobileAsset_SoftwareUpdate.xml | shasum)
        if [ "$SHA_OLD" = "$SHA_CUR" ]; then
            echo nothing to do
        else
            NOW=$(date +"%F")
            NOWT=$(date +"%T")
            echo download
            # Save the changed catalogue under a date-and-time-stamped name
            curl --user-agent 'softwareupdateservicesd (unknown version) CFNetwork/539 Darwin/11.0.0' http://mesu.apple.com/assets/com_apple_MobileAsset_SoftwareUpdate/com_apple_MobileAsset_SoftwareUpdate.xml -o OTA_$NOW-$NOWT.xml
            # Remember the new hash for the next comparison
            SHA_OLD=$(curl --user-agent 'softwareupdateservicesd (unknown version) CFNetwork/539 Darwin/11.0.0' http://mesu.apple.com/assets/com_apple_MobileAsset_SoftwareUpdate/com_apple_MobileAsset_SoftwareUpdate.xml | shasum)
        fi
        sleep 600
    done
- --M2m 08:33, 24 March 2012 (MDT)
Carrier Beta
What is a carrier beta? --5urd 18:33, 9 January 2012 (MST)
- Most likely a beta for carrier provisions. --rdqronos 16:19, 26 March 2012 (MDT)
- -_- --5urd 14:33, 21 July 2012 (MDT)
Applying .patch files from OTA updates
Hey guys, has anyone successfully "patched" a file with a .patch file from the "patches" folder of an OTA update? I am trying to do this and can't get it to work. I have tried on OS X, iOS, and Linux, with multiple different patches, and always get the same error:
patch: **** Only garbage was found in the patch input.
With --verbose option:
Hmm... I can't seem to find a patch in there anywhere.
I understand from some research that common .patch files have a certain syntax to them, but I have looked inside these .patch files (using a text editor) and they never contain any readable text (even a .txt.patch file). This leads me to believe that iOS uses a specific and exclusively designed version of Patch. If so, how would I make use of that?
Ideally I would patch the files on-device via SSH, as I am developing something yet-to-be-announced which would need to do so automatically. If needed, it could alternatively be done using Mac OS X or Linux.
I would greatly appreciate any help, --ValleyForge 23:12, 28 June 2012 (MDT)
- I'd like to help, but I need to learn :P --Haifisch 21:49, 5 July 2012 (MDT)
- I actually figured it out, you have to use the bspatch command which is available on iOS, Mac OS X, Linux, and Windows :) --ValleyForge 22:59, 5 July 2012 (MDT)
- Fancy wanna iMessage me and we can brain storm what good can come out of this. Maybe a jailbreak technique ;) --Haifisch 10:21, 6 July 2012 (MDT)
- Quick note: all OTA updates are signed with a private key owned by Apple. Unless you get into that department of Apple, you can't sign them without brute force. --5urd 12:09, 6 July 2012 (MDT)
File Names
Does anyone have the slightest on how Apple names their files? It looks like a hash that is 20 bytes long (40 hex chars/160 bits). From this list, there are a few like that, but none that I have heard of. --5urd 14:32, 21 July 2012 (MDT)
- Should be the SHA-1 of the file.--M2m 21:14, 21 July 2012 (MDT)
Resequence? and deleting files?
- In most updates there are "added", "patches", and "replace" folders in the payload folder. In the iOS 6.0 updates, there is a folder among those named "resequence". What does this do? Currently the only file contained in the resequence folder is the dyld cache.
- How do OTA updates control which/whether files are deleted? Where is it specified which files are deleted, or do they delete files at all?
--ValleyForge 23:55, 29 September 2012 (MDT)
Documentation
Someone should make a page with the documentation links, here's the XML: http://mesu.apple.com/assets/com_apple_MobileAsset_SoftwareUpdateDocumentation/com_apple_MobileAsset_SoftwareUpdateDocumentation.xml --Srb21103 20:16, 20 November 2012 (MST)
- I was wondering where the documentation was retrieved from… I don't think it needs a new page, but I think it can be easily added onto this page as a new column. --Dialexio 20:04, 24 November 2012 (MST)
Exploits
I'm interested in this stuff also. I have a sense there's an exploit here somewhere, but I haven't had time to look into it --posixninja 17:18, 22 November 2012 (MST)
- There would definitely be an exploit, but it'd be fairly easily patched by Apple. You're best looking for a bootrom exploit. --Srb21103 19:48, 22 November 2012 (MST)
- Removing the signing checks would be a big achievement because we could have jailbroken OTA Updates by patching out the kernel and some files in the package. --5urd 20:32, 22 November 2012 (MST)
- I've been examining the Settings app, kernel, and appropriate frameworks, but I haven't found anything. It is however obvious that the package contents are signed. --5urd 20:32, 22 November 2012 (MST)
- I set up a fake mesu.apple.com server for testing, but it seems that even the plist is somehow signed. After changing a single letter in the plist, iOS says something about having a connection problem when trying to fetch it. --Tobi 11:00, 26 November 2012 (CEST)
- The Plist contains a certificate and a signature section at the bottom - so obviously this takes care that a plist can not be modified by just anyone.--M2m 05:27, 26 November 2012 (MST)
- LOL, stupid me for not actually looking at the file. Although I found the source of the thing that signs the files. Look for the function called SecPolicyCreateMobileAsset --Tobi 16:04, 26 November 2012 (CEST)
- A header file isn't going to do us much good. Maybe something along the lines of the actual source itself?
    SecPolicyRef SecPolicyCreate(CFStringRef oid, CFDictionaryRef options) {
        SecPolicyRef result = NULL;

        require(oid, errOut);
        require(options, errOut);
        require(result =
            (SecPolicyRef)_CFRuntimeCreateInstance(kCFAllocatorDefault,
            SecPolicyGetTypeID(),
            sizeof(struct __SecPolicy) - sizeof(CFRuntimeBase), 0), errOut);

        CFRetain(oid);
        result->_oid = oid;
        CFRetain(options);
        result->_options = options;

    errOut:
        return result;
    }

    static bool SecPolicyAddAppleCertificationAuthorityOptions(CFMutableDictionaryRef options, bool honorValidity)
    {
        bool success = false;

        if (honorValidity)
            SecPolicyAddBasicX509Options(options);
        else
            SecPolicyAddBasicCertOptions(options);

    #if 0
        CFDictionaryAddValue(options, kSecPolicyCheckKeyUsage,
            kCFBooleanTrue);
        CFDictionaryAddValue(options, kSecPolicyCheckExtendedKeyUsage,
            kCFBooleanTrue);
    #endif

        /* Basic X.509 policy with the additional requirements that the chain
           length is 3, it's anchored at the AppleCA and the leaf certificate
           has issuer "Apple iPhone Certification Authority". */
        CFDictionaryAddValue(options, kSecPolicyCheckIssuerCommonName,
            CFSTR("Apple iPhone Certification Authority"));

        require(SecPolicyAddChainLengthOptions(options, 3), errOut);
        require(SecPolicyAddAppleAnchorOptions(options), errOut);

        success = true;

    errOut:
        return success;
    }

    static SecPolicyRef SecPolicyCreateAppleCertificationAuthorityPolicy(CFStringRef policyOID, CFStringRef leafName, bool honorValidity)
    {
        CFMutableDictionaryRef options = NULL;
        SecPolicyRef result = NULL;

        require(options = CFDictionaryCreateMutable(kCFAllocatorDefault, 0,
            &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks), errOut);

        require(SecPolicyAddAppleCertificationAuthorityOptions(options, honorValidity), errOut);

        CFDictionaryAddValue(options, kSecPolicyCheckSubjectCommonName, leafName);

        require(result = SecPolicyCreate(policyOID, options),
            errOut);

    errOut:
        CFReleaseSafe(options);
        return result;
    }

    SecPolicyRef SecPolicyCreateOTATasking(void)
    {
        return SecPolicyCreateAppleCertificationAuthorityPolicy(kSecPolicyOIDOTATasking, CFSTR("OTA Task Signing"), true);
    }

    SecPolicyRef SecPolicyCreateMobileAsset(void)
    {
        return SecPolicyCreateAppleCertificationAuthorityPolicy(kSecPolicyOIDMobileAsset, CFSTR("Asset Manifest Signing"), false);
    }
- --5urd 18:19, 26 November 2012 (MST)
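To make the pinning in the excerpt above concrete, here is a simplified model of what the two policies require of a certificate chain. It is an added example, not Apple's code and not part of the original discussion. The toy_* types and functions and the sample chain are hypothetical, signature verification is left out, and it assumes honorValidity only toggles validity-date checks, as the parameter name suggests.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Hypothetical, simplified certificate: only the fields this policy reads. */
typedef struct {
    const char *subject_cn, *issuer_cn;
    time_t not_before, not_after;
    bool is_pinned_anchor;       /* stand-in for "this is the pinned Apple root" */
} toy_cert;

/* Hypothetical mirror of the options dictionary built in the excerpt. */
typedef struct {
    const char *leaf_subject_cn; /* kSecPolicyCheckSubjectCommonName */
    const char *leaf_issuer_cn;  /* kSecPolicyCheckIssuerCommonName */
    size_t chain_length;         /* SecPolicyAddChainLengthOptions(options, 3) */
    bool honor_validity;         /* assumption: turns on validity-date checks */
} toy_policy;

#define ISSUER "Apple iPhone Certification Authority"
static const toy_policy MOBILE_ASSET = { "Asset Manifest Signing", ISSUER, 3, false };
static const toy_policy OTA_TASKING  = { "OTA Task Signing", ISSUER, 3, true };

/* chain[0] is the leaf, chain[n-1] the root. Signature checks are out of scope. */
bool toy_policy_eval(const toy_policy *p, const toy_cert *chain, size_t n, time_t now)
{
    if (n == 0 || n != p->chain_length) return false;
    if (!chain[n - 1].is_pinned_anchor) return false;
    if (strcmp(chain[0].issuer_cn, p->leaf_issuer_cn) != 0) return false;
    if (strcmp(chain[0].subject_cn, p->leaf_subject_cn) != 0) return false;
    for (size_t i = 0; p->honor_validity && i < n; i++)
        if (now < chain[i].not_before || now > chain[i].not_after) return false;
    return true;
}

/* Constructed three-certificate chain with a chosen leaf name and expiry. */
static toy_cert g_chain[3];
const toy_cert *toy_make_chain(const char *leaf_cn, time_t leaf_not_after)
{
    g_chain[0] = (toy_cert){ leaf_cn, ISSUER, 0, leaf_not_after, false };
    g_chain[1] = (toy_cert){ ISSUER, "Constructed Root", 0, 2000000000, false };
    g_chain[2] = (toy_cert){ "Constructed Root", "Constructed Root", 0, 2000000000, true };
    return g_chain;
}

int main(void)
{
    time_t now = 1353974400; /* 27 November 2012, constructed "current time" */
    printf("%d\n", toy_policy_eval(&MOBILE_ASSET, toy_make_chain("Asset Manifest Signing", 1300000000), 3, now));
    printf("%d\n", toy_policy_eval(&OTA_TASKING, toy_make_chain("OTA Task Signing", 1300000000), 3, now));
    return 0;
}
```

In this model an expired leaf still satisfies the MobileAsset policy but not the OTATasking one, which is the only difference the third argument makes between the two constructors.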