This article discusses software internally used by Apple.
Acquiring a copy without Apple's consent is illegal and may result in being scammed.
|Original author(s)||Apple Inc.|
(latest known version)
|Size||21,498,474 bytes (83)|
PurpleSNIFF is a tool made by Apple to read identification and diagnostic information from the device. The tool is used by Apple engineers as well as factory workers at Foxconn/Pegatron. It's included in the RestoreTools or Home Diagnostics package.
PurpleSNIFF displays the value of all keys accessible by liblockdown and mobilegestaltd. Data is broken into categories:
- SNIFF: Report date and host machine configuration
- Battery: Battery charge state
- Debug: Lockdown and CLTM (thermal) extended logging.
- Developer: "Development" if has installed XCode developer diskimage.
- Device Mode: "OS Mode", "Recovery", "DFU", and possibly other internal modes.
- Diagnostic Data: Includes device test data from different factory stations, including their timestamps. There are over 300 testing stations devices can be tested on. Each device will usually pass through about 6 testing stations before shipping. The diagnostic platform is called iPCB.
- Disk Usage: Stats for both System and Data partitions
- General: Activation info, baseband identifiers and state, current carrier bundle, device certificate, public key, name, device color, ECID, MAC addresses, UDID, Serial Number, Hardware Model, Fusing Status, platform, architecture, IMEI/IMSI/ICCID, NVRAM data, OS Build/Version, passcode lock-state, proximity sensor calibration, region code, Security Fusing (secure or insecure), Production Mode (Production or Development), SIM card status, presence of Springboard/lockdown, and many more.
- Internal: isInternal and isCarrierBuild, isUIBuild, raw hex dump of SysCfg and DIAGS blocks.
- Localization: Language
- Mobile iTunes: Fairplay related parameters (e.g. certificate)
- Restore From Backup: If it has been restored from a backup
- Setup Assistant: YES/NO listing of which screens have been presented.
- Software Behavior: A bitmask that is decoded into the following boolean properties: China Brick, Google Mail, No VOIP, No Wi Fi, NTSC, Shutter Click, Valid, and Volume Limit.
- Sync: Device support for clearing data and encrypted backups, as well as mail accounts connected.
- Sync Backup: iCloud sync information.
- SysCfg: Device hardware information such as sensor calibration data, device color, NAND size, and serial numbers. This block is read-write for AppleInternal tool that must run on the device, so that Apple can refurbish devices and give them a new serial number.
- Wireless: Bonjour service name, Wifi support, Wifi-sync support.
"Request White List Authorization" composes a new email to firstname.lastname@example.org. This email address is only reachable if you have an @apple.com email account. The address does not accept outside (external) senders. This feature allows a factory worker or Apple engineer to request that the device be SIM-unlocked for use on certain carriers.
TO: email@example.com SUBJECT: White-list Request Please whitelist the following device device: n41ap-prodfuse imei: 00...[redacted]...0 carriers: justification:
"Request Personalized Install Authorization" composes a new email to firstname.lastname@example.org. As with White List, this email address is only reachable if you have an @apple.com email account. This feature allows a factory worker or Apple engineer to request special firmware personalization for their device. This is useful because Apple could order prototypes of unreleased iPhones but refuse to sign any firmware for them. This way, if the devices are lost/leaked into the wild for some reason, the device is bricked. When prototype phones arrive safely/securely to Cupertino, engineers can have them activated for firmware personalization through this mechanism. It is not known the requests are to permit firmware signing on the public or internal (VPN-only) TSS server.
TO: email@example.com SUBJECT: Authorization List Request Please authorize the following device device: n41ap-prodfuse ecid: 0[redacted]0 bbsn: 0x0[redacted]0 audience: restore tool: justification:
The other main tabs of the application reveal the live Syslog and the IORegistry hierarchy. Menu options include commands to enable extra logging, reboot devices (with optional prompt), obliterate and reset them, read diagnostic data from GasGauge, WIFI, and NAND, query MobileGestalt directly, enter and exit recovery, and "Lookup Device" in PDCA. It can also pull logs off of the device, as well as content in var/mobile/library . The log archive can be huge because it includes data like the SMS database and all MMS attachments).
PurpleSNIFF also tracks location, maybe for some sort of monitoring where and how the tool is used. Be careful with this, it may land you in trouble.