The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information.

Difference between revisions of "Talk:OTA Updates"

From The iPhone Wiki
Jump to: navigation, search
Line 94: Line 94:
 
:I set up a fake mesu.apple.com server for testing, but it seems that even the plist is somehow signed. After changing a single letter in the plist, iOS says something about having a connection problem when trying to fetch it. --[[User:Tobi|Tobi]] 11:00, 26 November 2012 (CEST)
  
:I set up a fake mesu.apple.com server for testing, but it seems that even the plist is somehow signed. After changing a single letter in the plist, iOS says something about having a connection problem when trying to fetch it. --[[User:Tobi|Tobi]] 11:00, 26 November 2012 (CEST)
 
::The Plist contains a certificate and a signature section at the bottom - so obviously this takes care that a plist can not be modified by just anyone.--[[User:M2m|M2m]] 05:27, 26 November 2012 (MST)
  
::The Plist contains a certificate and a signature section at the bottom - so obviously this takes care that a plist can not be modified by just anyone.--[[User:M2m|M2m]] 05:27, 26 November 2012 (MST)
:::LOL, stupid me for not actually looking at the file. Although I found the source of the thing that signs these files [http://www.opensource.apple.com/source/Security/Security-55163.44/sec/Security/SecPolicyPriv.h?txt]
 +
:::LOL, stupid me for not actually looking at the file. Although I found the source of the thing that [http://www.opensource.apple.com/source/Security/Security-55163.44/sec/Security/SecPolicyPriv.h signs the files]. Look for the function called SecPolicyCreateMobileAsset --[[User:Tobi|Tobi]] 16:04, 26 November 2012 (CEST)
  +
::::A header file isn't going to do us much good. Maybe something along the lines of the [http://www.opensource.apple.com/source/Security/Security-55179.1/sec/Security/SecPolicy.c actual source itself]?
Look for the function called SecPolicyCreateMobileAsset --[[User:Tobi|Tobi]] 16:04, 26 November 2012 (CEST)
  
  +
static SecPolicyRef SecPolicyCreateAppleCertificationAuthorityPolicy(CFStringRef policyOID, CFStringRef leafName, bool honorValidity)
  +
{
  +
CFMutableDictionaryRef options = NULL;
  +
SecPolicyRef result = NULL;
  +
  +
require(options = CFDictionaryCreateMutable(kCFAllocatorDefault, 0,
  +
&kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks), errOut);
  +
  +
require(SecPolicyAddAppleCertificationAuthorityOptions(options, honorValidity), errOut);
  +
  +
CFDictionaryAddValue(options, kSecPolicyCheckSubjectCommonName, leafName);
  +
  +
require(result = SecPolicyCreate(policyOID, options),
  +
errOut);
  +
  +
errOut:
  +
CFReleaseSafe(options);
  +
return result;
  +
}
  +
SecPolicyRef SecPolicyCreateOTATasking(void)
  +
{
  +
return SecPolicyCreateAppleCertificationAuthorityPolicy(kSecPolicyOIDOTATasking, CFSTR("OTA Task Signing"), true);
  +
}
  +
SecPolicyRef SecPolicyCreateMobileAsset(void)
  +
{
  +
return SecPolicyCreateAppleCertificationAuthorityPolicy(kSecPolicyOIDMobileAsset, CFSTR("Asset Manifest Signing"), false);
  +
}
  +
::::--[[User:5urd|5urd]] 18:19, 26 November 2012 (MST)

Revision as of 01:19, 27 November 2012

Encryption

Are the updates encrypted in any way (VFDecrypt?) --5urd 18:31, 30 August 2011 (MDT)

No. Just regular Zips. --M2m 22:36, 30 August 2011 (MDT)
Only NOR payloads and RAM disks are encrypted, rest of the "asset" is unencrypted --pjakuszew 04:19, 31 August 2011 (MDT)
But if you need to update iTunes to 'decrypt' the newest firmware (as iTunes contains the 'password' to do so), then that means that the encrypted stuff has a 'password' that is somewhere on the file system. Maybe if we could access it, we could get them. (maybe disassembling iTunes could get us them also :D) --5urd 11:12, 31 August 2011 (MDT)
iTunes doesn't contain any "passwords" 5urd. Everything is done on the device and usually uses the device's built in hardware AES crypt keys. -- iH8sn0w 13:32, 31 August 2011 (EST)
Dang, but then why do we need to update iTunes to update our device? --5urd 11:35, 31 August 2011 (MDT)
Its purpose is to send out firmware files to the device, and only that. --pjakuszew 11:36, 31 August 2011 (MDT)
I still don't get the point of updating iTunes (other than avoiding an error) --5urd 11:45, 31 August 2011 (MDT)
Updating is required because of incompatibilites with newer iOS versions. I think it's about Fairplay and encryption of iPod library database. Another example is support of new hardware; how would you update a 3GS with iTunes 7.5? --pjakuszew 11:56, 31 August 2011 (MDT)
Ok, that makes sense. Thanks! --5urd 12:14, 31 August 2011 (MDT)

Tracker

Anyone into making a watchguard that tracks mesu.apple.com for changes (and records them)? --M2m 00:55, 12 November 2011 (MST)

I did a crude one. It works by comparing against a list of already done URLs in an array --5urd 13:16, 12 November 2011 (MST)
I would just curl --user-agent="softwareupdateservicesd (unknown version) CFNetwork/539 Darwin/11.0.0" http://mesu.apple.com/assets/com_apple_MobileAsset_SoftwareUpdate/com_apple_MobileAsset_SoftwareUpdate.xml -o OTA.xml and pipe it into shasum. In case shasum change, save as new version with date and time (and display)... --M2m 19:00, 12 November 2011 (MST)
One problem with that is that I can't test it on my computer here at my house as I am on windows. To test it with curl I would need to upload it to my website. What I did was open a connection with fsockopen(), sent some request headers, then read the response to a string. After that, I parsed the plist to an array. Unfortunately, the parser leaves some artifacts on the hash as it is a compressed hash. So I decided to use the file location instead. It still works pretty well. I had to remove the URL form area as it messed with the array in unwanted ways. I am working on moving it from an array to just line by line URLs preventing the failure as I just append the line to it. When I finish it, I will post the code on my website. --5urd 21:43, 12 November 2011 (MST)
curl is avialable for windows[1] --M2m 04:43, 13 November 2011 (MST)
doesn't matter, it already works and spits out a nice table. --5urd 16:05, 13 November 2011 (MST)
So is your tracker available online already ? --M2m 19:59, 26 November 2011 (MST)
Yes. When you add a link to the wiki, you can add it to the textbox one per line and click submit and it wont show up again. --5urd 13:37, 27 November 2011 (MST)
Spammers. It doesn't work because it works like this:
for (
  $i = 0;
  $i < sizeof(array_keys($plist['Assets']));
  $i++)
{
  if (
    !in_array(
      $plist['Assets'][$i]['__BaseURL'] . $plist['Assets'][$i]['__RelativePath'],
      $usedurls)
    )
  {
    // Output table
  }
}
--5urd 17:34, 27 November 2011 (MST)
Should do the trick to make a backup of OTA.xml's whenever there is a change
#!/bin/bash
SHA_OLD=1
while true; do
SHA_CUR=$(curl --user-agent 'softwareupdateservicesd (unknown version) CFNetwork/539 Darwin/11.0.0' http://mesu.apple.com/assets/com_apple_MobileAsset_SoftwareUpdate/com_apple_MobileAsset_SoftwareUpdate.xml | shasum)

if [ "$SHA_OLD" = "$SHA_CUR" ]; then
	echo nothing to do
else
	NOW=$(date +"%F")
	NOWT=$(date +"%T")
echo download
	curl --user-agent 'softwareupdateservicesd (unknown version) CFNetwork/539 Darwin/11.0.0' http://mesu.apple.com/assets/com_apple_MobileAsset_SoftwareUpdate/com_apple_MobileAsset_SoftwareUpdate.xml -o OTA_$NOW-$NOWT.xml

	SHA_OLD=$(curl --user-agent 'softwareupdateservicesd (unknown version) CFNetwork/539 Darwin/11.0.0' http://mesu.apple.com/assets/com_apple_MobileAsset_SoftwareUpdate/com_apple_MobileAsset_SoftwareUpdate.xml | shasum)
fi
sleep 600
done
--M2m 08:33, 24 March 2012 (MDT)

Carrier Beta

What is a carrier beta? --5urd 18:33, 9 January 2012 (MST)

Most likely a beta for carrier provisions. --rdqronos 16:19, 26 March 2012 (MDT)
-_- --5urd 14:33, 21 July 2012 (MDT)

Applying .patch files from OTA updates

Hey guys, has anyone successfully "patched" a file with a .patch file from the "patches" folder of an OTA update? I am trying to do this and can't get it to work. I have tried on OS X, iOS, and Linux, with multiple different patches, and always get the same error:

patch: **** Only garbage was found in the patch input.

With --verbose option: 

Hmm... I can't seem to find a patch in there anywhere.

I understand from some research that common .patch files have a certain syntax to them, bu I have looked inside these .patch files (using a text editor) and they never contain any readable text (even a .txt.patch file). This leads me to believe that iOS uses a specific and exclusively designed version of Patch. If so, how would I make use of that?
Ideally I would patch the files on-device via SSH, as I am developing something yet-to-be-announced which would need to do so automatically. If needed, it could alternatively be done using Mac OS X or Linux.
I would greatly appreciate any help, --ValleyForge 23:12, 28 June 2012 (MDT)

I'd like to help, but I need to learn :P --Haifisch 21:49, 5 July 2012 (MDT)
I actually figured it out, you have to use the bspatch command which is available on iOS, Mac OS X, Linux, and Windows :) --ValleyForge 22:59, 5 July 2012 (MDT)
Fancy wanna iMessage me and we can brain storm what good can come out of this. Maybe a jailbreak technique ;) --Haifisch 10:21, 6 July 2012 (MDT)
Quick note: all OTA updates are signed with a private key owned by Apple. Unless you get into that department of Apple, you can't sign them without brute force. --5urd 12:09, 6 July 2012 (MDT)

File Names

Does anyone have the slightest on how Apple names their files? It looks like a hash that is 20 bytes long (40 hex chars/160 bits). From this list, there are a few like that, but none that I have heard of. --5urd 14:32, 21 July 2012 (MDT)

Should be the SHA-1 of the file.--M2m 21:14, 21 July 2012 (MDT)

Resequence? and deleting files?

  1. In most updates there are "added", "patches", and "replace" folders in the payload folder. In the iOS 6.0 updates, there is a folder among those named "resequence". What does this do? Currently the only file contained in the resequence folder is the dyld cache.
  2. How do OTA updates control which/whether files are deleted? Where is it specified which files are deleted, or do they delete files at all?

--ValleyForge 23:55, 29 September 2012 (MDT)

Documentation

Someone should make a page with the documentation links, here's the XML: http://mesu.apple.com/assets/com_apple_MobileAsset_SoftwareUpdateDocumentation/com_apple_MobileAsset_SoftwareUpdateDocumentation.xml --Srb21103 20:16, 20 November 2012 (MST)

I was wondering where the documentation was retrieved from… I don't think it needs a new page, but I think it can be easily added onto this page as a new column. --Dialexio 20:04, 24 November 2012 (MST)

Exploits

I'm interested in this stuff also. I have a sense there's an exploit here somewhere, but I haven't had time to look into it --posixninja 17:18, 22 November 2012 (MST)

Their would definitely be an exploit, but it'd be fairly easily patched by Apple. You're best looking for a bootrom exploit. --Srb21103 19:48, 22 November 2012 (MST)
Removing the signing checks would be a big achievement because we could have jail broken OTA Updates by patching out the kernel and some files in the package. --5urd 20:32, 22 November 2012 (MST)
I've been examining the Settings app, kernel, and appropriate frameworks, but I haven't found anything. It is however obvious that the package contents are signed. --5urd 20:32, 22 November 2012 (MST)
I set up a fake mesu.apple.com server for testing, but it seems that even the plist is somehow signed. After changing a single letter in the plist, iOS says something about having a connection problem when trying to fetch it. --Tobi 11:00, 26 November 2012 (CEST)
The Plist contains a certificate and a signature section at the bottom - so obviously this takes care that a plist can not be modified by just anyone.--M2m 05:27, 26 November 2012 (MST)
LOL, stupid me for not actually looking at the file. Although I found the source of the thing that signs the files. Look for the function called SecPolicyCreateMobileAsset --Tobi 16:04, 26 November 2012 (CEST)
A header file isn't going to do us much good. Maybe something along the lines of the actual source itself?
static SecPolicyRef SecPolicyCreateAppleCertificationAuthorityPolicy(CFStringRef policyOID, CFStringRef leafName, bool honorValidity)
{
    CFMutableDictionaryRef options = NULL;
    SecPolicyRef result = NULL;

    require(options = CFDictionaryCreateMutable(kCFAllocatorDefault, 0,
                                                &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks), errOut);

    require(SecPolicyAddAppleCertificationAuthorityOptions(options, honorValidity), errOut);

    CFDictionaryAddValue(options, kSecPolicyCheckSubjectCommonName, leafName);

    require(result = SecPolicyCreate(policyOID, options),
            errOut);

errOut:
    CFReleaseSafe(options);
    return result;
}
SecPolicyRef SecPolicyCreateOTATasking(void)
{
    return SecPolicyCreateAppleCertificationAuthorityPolicy(kSecPolicyOIDOTATasking, CFSTR("OTA Task Signing"), true);
}
SecPolicyRef SecPolicyCreateMobileAsset(void)
{
    return SecPolicyCreateAppleCertificationAuthorityPolicy(kSecPolicyOIDMobileAsset, CFSTR("Asset Manifest Signing"), false);
}
--5urd 18:19, 26 November 2012 (MST)
Retrieved from "https://www.theiphonewiki.com/w/index.php?title=Talk:OTA_Updates&oldid=28275"