Talk:OTA Updates

From The iPhone Wiki
Revision as of 18:50, 13 December 2014 by Haifisch (talk | contribs) (There are inferno logs in one of the OTA updates.)
Jump to: navigation, search
Archives
 • 2012 • 2013 •

Encryption

Are the updates encrypted in any way (VFDecrypt?) --5urd 18:31, 30 August 2011 (MDT)

No. Just regular Zips. --M2m 22:36, 30 August 2011 (MDT)
Only NOR payloads and RAM disks are encrypted, rest of the "asset" is unencrypted --pjakuszew 04:19, 31 August 2011 (MDT)
The Kernel and bootloaders ARE encrypted, They are the exact same files as bundled with the .ipsw file --Itsme (talk) 16:04, 7 February 2013 (UTC)
Exactly as in same code, but different key/IV pair, or same code, and same key/IV pair? --5urd (talk) 16:15, 7 February 2013 (UTC)
the same key/IV pair, the encrypted binaries are identical. --Itsme (talk) 21:49, 7 February 2013 (UTC)
Most of the update consists of binary patchfiles, which can be processed using bspatch --Itsme (talk) 00:14, 9 February 2013 (UTC)

Tracker

Anyone into making a watchguard that tracks mesu.apple.com for changes (and records them)? --M2m 00:55, 12 November 2011 (MST)

I did a crude one. It works by comparing against a list of already done URLs in an array --5urd 13:16, 12 November 2011 (MST)
I would just curl --user-agent="softwareupdateservicesd (unknown version) CFNetwork/539 Darwin/11.0.0" http://mesu.apple.com/assets/com_apple_MobileAsset_SoftwareUpdate/com_apple_MobileAsset_SoftwareUpdate.xml -o OTA.xml and pipe it into shasum. In case shasum change, save as new version with date and time (and display)... --M2m 19:00, 12 November 2011 (MST)
One problem with that is that I can't test it on my computer here at my house as I am on windows. To test it with curl I would need to upload it to my website. What I did was open a connection with fsockopen(), sent some request headers, then read the response to a string. After that, I parsed the plist to an array. Unfortunately, the parser leaves some artifacts on the hash as it is a compressed hash. So I decided to use the file location instead. It still works pretty well. I had to remove the URL form area as it messed with the array in unwanted ways. I am working on moving it from an array to just line by line URLs preventing the failure as I just append the line to it. When I finish it, I will post the code on my website. --5urd 21:43, 12 November 2011 (MST)
curl is avialable for windows[1] --M2m 04:43, 13 November 2011 (MST)
doesn't matter, it already works and spits out a nice table. --5urd 16:05, 13 November 2011 (MST)
So is your tracker available online already ? --M2m 19:59, 26 November 2011 (MST)
Yes. When you add a link to the wiki, you can add it to the textbox one per line and click submict and it wont show up again. --5urd 13:37, 27 November 2011 (MST)
Spammers. It doesn't work because it works like this:
for (
  $i = 0;
  $i < sizeof(array_keys($plist['Assets']));
  $i++)
{
  if (
    !in_array(
      $plist['Assets'][$i]['__BaseURL'] . $plist['Assets'][$i]['__RelativePath'],
      $usedurls)
    )
  {
    // Output table
  }
}
--5urd 17:34, 27 November 2011 (MST)
Should do the trick to make a backup of OTA.xml's whenever there is a change
#!/bin/bash
SHA_OLD=1
while true; do
SHA_CUR=$(curl --user-agent 'softwareupdateservicesd (unknown version) CFNetwork/539 Darwin/11.0.0' http://mesu.apple.com/assets/com_apple_MobileAsset_SoftwareUpdate/com_apple_MobileAsset_SoftwareUpdate.xml | shasum)

if [ "$SHA_OLD" = "$SHA_CUR" ]; then
	echo nothing to do
else
	NOW=$(date +"%F")
	NOWT=$(date +"%T")
echo download
	curl --user-agent 'softwareupdateservicesd (unknown version) CFNetwork/539 Darwin/11.0.0' http://mesu.apple.com/assets/com_apple_MobileAsset_SoftwareUpdate/com_apple_MobileAsset_SoftwareUpdate.xml -o OTA_$NOW-$NOWT.xml

	SHA_OLD=$(curl --user-agent 'softwareupdateservicesd (unknown version) CFNetwork/539 Darwin/11.0.0' http://mesu.apple.com/assets/com_apple_MobileAsset_SoftwareUpdate/com_apple_MobileAsset_SoftwareUpdate.xml | shasum)
fi
sleep 600
done
--M2m 08:33, 24 March 2012 (MDT)

Carrier Beta

What is a carrier beta? --5urd 18:33, 9 January 2012 (MST)

Most likely a beta for carrier provisions. --rdqronos 16:19, 26 March 2012 (MDT)
-_- --5urd 14:33, 21 July 2012 (MDT)

Applying .patch files from OTA updates

Hey guys, has anyone successfully "patched" a file with a .patch file from the "patches" folder of an OTA update? I am trying to do this and can't get it to work. I have tried on OS X, iOS, and Linux, with multiple different patches, and always get the same error:

patch: **** Only garbage was found in the patch input.

With --verbose option:

Hmm... I can't seem to find a patch in there anywhere.

I understand from some research that common .patch files have a certain syntax to them, bu I have looked inside these .patch files (using a text editor) and they never contain any readable text (even a .txt.patch file). This leads me to believe that iOS uses a specific and exclusively designed version of Patch. If so, how would I make use of that?
Ideally I would patch the files on-device via SSH, as I am developing something yet-to-be-announced which would need to do so automatically. If needed, it could alternatively be done using Mac OS X or Linux.
I would greatly appreciate any help, --ValleyForge 23:12, 28 June 2012 (MDT)

I'd like to help, but I need to learn :P --Haifisch 21:49, 5 July 2012 (MDT)
I actually figured it out, you have to use the bspatch command which is available on iOS, Mac OS X, Linux, and Windows :) --ValleyForge 22:59, 5 July 2012 (MDT)
Fancy wanna iMessage me and we can brain storm what good can come out of this. Maybe a jailbreak technique ;) --Haifisch 10:21, 6 July 2012 (MDT)
Quick note: all OTA updates are signed with a private key owned by Apple. Unless you get into that department of Apple, you can't sign them without brute force. --5urd 12:09, 6 July 2012 (MDT)

File Names

Does anyone have the slightest on how Apple names their files? It looks like a hash that is 20 bytes long (40 hex chars/160 bits). From this list, there are a few like that, but none that I have heard of. --5urd 14:32, 21 July 2012 (MDT)

Should be the SHA-1 of the file.--M2m 21:14, 21 July 2012 (MDT)

Resequence? and deleting files?

  1. In most updates there are "added", "patches", and "replace" folders in the payload folder. In the iOS 6.0 updates, there is a folder among those named "resequence". What does this do? Currently the only file contained in the resequence folder is the dyld cache.
  2. How do OTA updates control which/whether files are deleted? Where is it specified which files are deleted, or do they delete files at all?

--ValleyForge 23:55, 29 September 2012 (MDT)

Documentation

Someone should make a page with the documentation links, here's the XML: http://mesu.apple.com/assets/com_apple_MobileAsset_SoftwareUpdateDocumentation/com_apple_MobileAsset_SoftwareUpdateDocumentation.xml --Srb21103 20:16, 20 November 2012 (MST)

I was wondering where the documentation was retrieved from… I don't think it needs a new page, but I think it can be easily added onto this page as a new column. --Dialexio 20:04, 24 November 2012 (MST)

Exploits

I'm interested in this stuff also. I have a sense there's an exploit here somewhere, but I haven't had time to look into it --posixninja 17:18, 22 November 2012 (MST)

Their would definitely be an exploit, but it'd be fairly easily patched by Apple. You're best looking for a bootrom exploit. --Srb21103 19:48, 22 November 2012 (MST)
Removing the signing checks would be a big achievement because we could have jail broken OTA Updates by patching out the kernel and some files in the package. --5urd 20:32, 22 November 2012 (MST)
I've been examining the Settings app, kernel, and appropriate frameworks, but I haven't found anything. It is however obvious that the package contents are signed. --5urd 20:32, 22 November 2012 (MST)
I set up a fake mesu.apple.com server for testing, but it seems that even the plist is somehow signed. After changing a single letter in the plist, iOS says something about having a connection problem when trying to fetch it. --Tobi 11:00, 26 November 2012 (CEST)
The Plist contains a certificate and a signature section at the bottom - so obviously this takes care that a plist can not be modified by just anyone.--M2m 05:27, 26 November 2012 (MST)
LOL, stupid me for not actually looking at the file. Although I found the source of the thing that signs the files. Look for the function called SecPolicyCreateMobileAsset --Tobi 16:04, 26 November 2012 (CEST)
A header file isn't going to do us much good. Maybe something along the lines of the actual source itself?
SecPolicyRef SecPolicyCreate(CFStringRef oid, CFDictionaryRef options) {
	SecPolicyRef result = NULL;

	require(oid, errOut);
	require(options, errOut);
    require(result =
		(SecPolicyRef)_CFRuntimeCreateInstance(kCFAllocatorDefault,
		SecPolicyGetTypeID(),
		sizeof(struct __SecPolicy) - sizeof(CFRuntimeBase), 0), errOut);

	CFRetain(oid);
	result->_oid = oid;
	CFRetain(options);
	result->_options = options;

errOut:
    return result;
}
static bool SecPolicyAddAppleCertificationAuthorityOptions(CFMutableDictionaryRef options, bool honorValidity)
{
    bool success = false;

    if (honorValidity)
        SecPolicyAddBasicX509Options(options);
    else
        SecPolicyAddBasicCertOptions(options);

#if 0
    CFDictionaryAddValue(options, kSecPolicyCheckKeyUsage,
                         kCFBooleanTrue);
    CFDictionaryAddValue(options, kSecPolicyCheckExtendedKeyUsage,
                         kCFBooleanTrue);
#endif

    /* Basic X.509 policy with the additional requirements that the chain
     length is 3, it's anchored at the AppleCA and the leaf certificate
     has issuer "Apple iPhone Certification Authority". */
    CFDictionaryAddValue(options, kSecPolicyCheckIssuerCommonName,
                         CFSTR("Apple iPhone Certification Authority"));

    require(SecPolicyAddChainLengthOptions(options, 3), errOut);
    require(SecPolicyAddAppleAnchorOptions(options), errOut);

    success = true;

errOut:
    return success;
}
static SecPolicyRef SecPolicyCreateAppleCertificationAuthorityPolicy(CFStringRef policyOID, CFStringRef leafName, bool honorValidity)
{
    CFMutableDictionaryRef options = NULL;
    SecPolicyRef result = NULL;

    require(options = CFDictionaryCreateMutable(kCFAllocatorDefault, 0,
                                                &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks), errOut);

    require(SecPolicyAddAppleCertificationAuthorityOptions(options, honorValidity), errOut);

    CFDictionaryAddValue(options, kSecPolicyCheckSubjectCommonName, leafName);

    require(result = SecPolicyCreate(policyOID, options),
            errOut);

errOut:
    CFReleaseSafe(options);
    return result;
}
SecPolicyRef SecPolicyCreateOTATasking(void)
{
    return SecPolicyCreateAppleCertificationAuthorityPolicy(kSecPolicyOIDOTATasking, CFSTR("OTA Task Signing"), true);
}
SecPolicyRef SecPolicyCreateMobileAsset(void)
{
    return SecPolicyCreateAppleCertificationAuthorityPolicy(kSecPolicyOIDMobileAsset, CFSTR("Asset Manifest Signing"), false);
}
--5urd 18:19, 26 November 2012 (MST)

Anyone noticed that Apple's iOS Updater seems can modify files under "/" IPA File ? --khaost 15:59, 13 December 2012 (CST)

Yes, please look here: Trampoline --Srb21103 15:24, 13 December 2012 (MST)

Apple TV

I don't really know how to add these to the wiki. 2G 3G They're mentioned in the mesu.apple.com XML, but are a bit different from the other OTA updates. (Notably, considering the file size, it looks like it contains an image to restore an Apple TV.) Any ideas?

Speaking of the Apple TV, it seems like Apple wants to keep the version numbers confusing. I think that we should add a new column for the "marketing version" for this page as well. --Dialexio 18:57, 2 December 2012 (MST)

I agree that we should list the internal version too. --iAdam1n (talk) 22:43, 27 June 2013 (UTC)

ios8

I just noticed that around 19:30 ( CET ) the appldnld.apple.com domain was removed, but the webserver at ipaddress 17.253.2.226 is still serving the OTA updates. So if you add the appldnld domain in your /etc/hosts file, you can still download. I guess apple did this because of the ios8 update. So they can test if everything is allright before opening everything up to the public. Itsme (talk) 17:44, 17 September 2014 (UTC)

There are inferno logs in one of the OTA updates.

Download 5.0b5 for the iPod touch 4G here. Then, unzip it, go to AssetData -> payload -> added -> private -> var -> logs -> Inferno -> Plists -> N81. Weird, right? I wonder if most OTA beta updates are like that. --Awesomebing1 (talk) 13:52, 11 December 2014 (UTC)

Ok, looked at another OTA. They even went as far to patch those files. Weird. Don't they want to keep this type of stuff secret? --Awesomebing1 (talk) 13:57, 11 December 2014 (UTC)
There's been a few cases in which Apple did not strip all internal data off of both OTA packages and IPSWs, this is a little interesting cause it's all of Inferno's test plists. --Haifisch (talk) 18:50, 13 December 2014 (UTC)