OTA Updates (Over-the-Air Updates, also know as wireless updates) were introduced with iOS 5. This allows a user of a device to go into Settings > General > Software Update and download and install the latest iOS software on-device, without the need for iTunes. The device checks an XML-based PLIST file on mesu.apple.com for updates. The updates are delivered in plain unencrypted ZIP files.
OTA Update contents
We now know three versions of OTA updates. OTA update bundle contains an Info.plist file and two folders: META-INF and AssetData. META-INF has only one file com.apple.ZipMetadata.plist which describes bundle contents.
AssetData contains three Bill-Of-Materials files (they can be viewed with lsbom and created with mkbom). pre.bom states filesystem before update, post.bom - after and payload.bom describes the patches to be applied during update process. It also contains boot folder where bootchain-related files are stored (iBoot, kernelcache, etc.), payloadv2 or payload (depends on PackageVersion value of AssetData/Info.plist file) and Info.plist file which describes the update. Info.plist file from AssetData folder contains PackageVersion field which can be 1.0, 2.0 or 3.0.
These updates do not contain payload.bom file and are deprecated. These updates do not contain any .bom files.
- archive.cpio.gz - the actual cpio patch archive (encrypted). Contains a list of BSDIFF40 patches and baseband firmware updates, if available, with the associated flashing tools (bbupdater/imeisv).
- Info.plist.signature - asymmetric signature of Info.plist validated against /System/Library/Lockdown/iPhoneSoftwareUpdate.pem.
- libupdate_brain.dylib - stage 2 update process library (encrypted).
All updates with 2.0 package version have payload folder inside AssetData instead of archive.cpio.gz file from 1.0 updates. It contains only two folders: added folder with unencrypted files which are to be added during update process and patches folder. patches folder is used to store BSDIFF40 patches that are applied to files during update process. They can be easily applied manually with bsdiff utility. patches folder file hierarchy is similar to devices root file system (ex. patch for /sbin/launchctl will be found at AssetData/payload/patches/sbin/launchctl). AssetData also contains payload.bom.signature that replaces Info.plist.signature. payload.bom.signature is used to check payload.bom which contains CRC32 of all files inside AssetData folder.
payloadv2 folder replaced payload folder in updates with package version 3.0. It has no added folder anymore, but instead contains links.txt file which describes symlinks that should be created during update, removed.txt which is actually a list of files to delete before (!) update, prepare_patches which might contain patches that are to be applied before update (update ramdisk patch), payload and prepare_payload files which might store new files (files that did not exist in previous iOS version), but files from prepare_payload are extracted before files from payload, and patches folder which has the same file hierarchy as in pre-8.1.2 updates, but contains patches in BXDIFF41 format (they can be extracted with bxpatch utility from there). I'll describe almost each file's structure.
- links.txt is just a list of strings. Strings that begin with '=' are symlink targets and following strings that begin with '+' are places where symlinks should be created.
- removed.txt contains a list of files that should be removed before update starts.
- payload and prepare_payload are files in some proprietary format. More details about them and a tool to extract them can be found here "Taking apart iOS OTA Updates: Peeking into Over-The-Air Update bundles in iOS" - by Jonathan Levin. A script built over that tool which will automatically retrieve a binary from a device and patch it with the OTA update can be found in the "followup article".
Issues With Jailbreaking
- OTA Updates are often known to cause issues when jailbreaking a device. This became evident with evasi0n7, because most devices that were updated OTA, had to be restored with iTunes first, since the jailbreak would often fail if it was not.
- You cannot update OTA, when jailbroken. If you try, it is likely that your device will either be stuck in a boot loop, or certain things will not work correctly. Newer jailbreaks such as evasi0n and evasi0n7 disable the OTA search daemon, which prevents the device from searching for an update (it will just stay indefinitely at "Checking for Update..."). This can also be done manually on any jailbreak, by deleting or moving /System/Library/LaunchDaemons/com.apple.mobile.softwareupdated.plist and /System/Library/LaunchDaemons/com.apple.softwareupdateservicesd.plist from your device. It can also be done with tools such as iCleaner Pro.