The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
MobileInstallation
This is the framework that takes care of installing AppStore applications.
Signature Check
There is a check in place to make sure that only applications signed by Apple can even be put on the device, let alone run (the kernel decides whether the application can run or not). Over different iOS releases (since 2.2.1?), various hackers have patched out the signature verification so that unsigned applications can be put on the device.
The difference between MobileInstallation and kernel patches is that the former will allow unsigned IPA to be installed through iTunes, the later will allow the application to actually execute. (Please note that piracy-related discussions are not allowed at The iPhone Wiki.)
3GS 3.0 patch to build and go
0x4562 -- 02 46 -> 00 20 0x856E -- 05 46 -> 00 20
Disassembly of patch
__text:33244E70 loc_33244E70 ; CODE XREF: _MobileInstallationInstall+C84�j __text:33244E70 00 10 A0 E3 MOV R1, #0 ; Rd = Op2 __text:33244E74 D1 26 01 EB BL _MISValidateSignature ; Branch with Link __text:33244E78 00 20 50 E2 SUBS R2, R0, #0 ; Rd = Op1 - Op2 __text:33244E7C 02 40 A0 01 MOVEQ R4, R2 ; Rd = Op2 __text:33244E80 05 00 00 0A BEQ loc_33244E9C ; Signature is valid :D __text:33244E80 ; Let us go on our merry way! __text:33244E84 F0 04 9F E5 LDR R0, =(___FUNCTION__.14568 - 0x33244E94) ; Load from Memory __text:33244E88 F0 14 9F E5 LDR R1, =(aCouldNotValida - 0x33244E98) ; Load from Memory __text:33244E8C 00 00 8F E0 ADD R0, PC, R0 ; "verify_executable" __text:33244E90 01 10 8F E0 ADD R1, PC, R1 ; "Could not validate signature: %x" __text:33244E94 34 E6 FF EB BL _installlog ; Branch with Link __text:33244E98 00 40 E0 E3 MVN R4, #0 ; Uh oh. This will put -1 in R4. __text:33244E98 ; This will surely impact us later on. __text:33244E98 ; __text:33244E98 ; As a side note, you can easily make R4 = 0. __text:33244E98 ; Simply change this MVN to MOV! __text:33244E98 ; __text:33244E98 ; Patch in hex: __text:33244E98 ; 00 40 E0 E3 (Before) __text:33244E98 ; - changed to - __text:33244E98 ; 00 40 EA E3 (After) __text:33244E98 ; __text:33244E98 ; So basically, this is what we now have: __text:33244E98 ; Valid signature - R4=0 __text:33244E98 ; Invalid signature - R4=-1 __text:33244E98 ; Invalid signature w/ MOV patch - R4=0 __text:33244E9C __text:33244E9C loc_33244E9C ; CODE XREF: _MobileInstallationInstall+D44�j __text:33244E9C 05 00 A0 E1 MOV R0, R5 ; Rd = Op2 __text:33244EA0 6E 26 01 EB BL _CFRelease ; Branch with Link __text:33244EA4 00 00 54 E3 CMP R4, #0 ; ohai. is R4 = 0? __text:33244EA4 ; If the sig is valid, then it should be. __text:33244EA4 ; If it is invalid, then it should not. __text:33244EA4 ; If the above MVN is patched to MOV, then it should be __text:33244EA8 1B 04 00 0A BEQ loc_33245F1C ; Is the signature valid? __text:33244EA8 ; Or to make more sense in our case: __text:33244EA8 ; Is R4 really = 0? __text:33244EA8 ; __text:33244EA8 ; If the MVN > MOV patch is done, __text:33244EA8 ; R4 will be equal to 0. __text:33244EA8 ; __text:33244EA8 ; So basically, what we just patched made it pass the test, __text:33244EA8 ; even though the signature is not valid :P