To Part 3

OTA revisited - a quick followup

A simple script to recreate the iOS filesystem on your Mac

Jonathan Levin, @Technologeeks, - 09/24/15


iOS 9 9.2 is out , and we are once more in an unbreakable window. This is very likely temporary, but AAPL has put some seriously remarkable efforts into getting things right this time. Vectors in the good ol' DYLD are all but gone, and the new "System Integrity Protection" (a.k.a "rootless") is a royal pain (though still bypassable).

Researchers trying to find faults in the system - by analyzing its binaries - can easily get the full image thanks to @Xerub's keys for the iPhone 5. This, however, only covers 32-bit. For 64-bit, there are no publicly available decryption keys. Fortunately, the OTA vector described in detail by yours truly in a previous article still works. Said article also contains a small tool - aptly named ota - to extract the payload files, once de-pbzx'ed and xz -d'ed. It also refers to the use of bxpatch for files. Fellow iPhoneWiki user npupyshev has a working sample of bxpatch in this this GitHub, which you can use. For those lazy to compile, I put it in the download.

Because I'm actively reversing iOS 9 for MOXiI 2, I wrote a small script to enable me to use an OTA zip (which you can get easily through the iPhone Wiki along with the base filesystem on a jailbroken device - in my case 8.4 9.0.2 on an iPhone 7,2 8,2 - to reconstruct the filesystem on the host. I'm attaching it here.

Dec 12 2015: Update: Just tested this on the 9.2 OTA (from 9.0.2). Works :-)
Feb 04 2016: Can use this with the jumbo OTA updates as well (9.3b3 works)
Feb 16 2016: Wait, there's more - Part Three

This is not some zero day, or really anything new - it's just applying the previous article and putting in a little recursive shell script - but it's useful. So that's why I'm putting it here. I would like to share the binaries themselves from iOS 9, but I can't do that lest I want AAPL breathing down my neck - and this method is fully reproducible, so it makes for a nice Do-It-Yourself experiment


Say you grabbed an update zip from AAPL - put it in some directory, and unzip it

Zephyr:OTA morpheus$ unzip 
  inflating: META-INF/  
  inflating: AssetData/Info.plist    
  inflating: AssetData/boot/BuildManifest.plist  
 extracting: AssetData/boot/Firmware/all_flash/all_flash.n61ap.production/DeviceTree.n61ap.im4p  
  inflating: AssetData/boot/Firmware/all_flash/all_flash.n61ap.production/DeviceTree.n61ap.im4p.plist  
 extracting: AssetData/boot/Firmware/all_flash/all_flash.n61ap.production/LLB.n61.RELEASE.im4p  
 extracting: AssetData/payloadv2/prepare_patches/usr/standalone/update/Mav10.Release.bbfw  
   creating: AssetData/payloadv2/prepare_patches/usr/standalone/update/ramdisk/
  inflating: AssetData/payloadv2/prepare_patches/usr/standalone/update/ramdisk/H7SURamDisk.dmg  
  inflating: AssetData/payloadv2/prepare_payload  
  inflating: AssetData/payloadv2/removed.txt  
  inflating: AssetData/      
  inflating: AssetData/       
  inflating: Info.plist   

Next, unpack the tar file from this link, and you will see:

Zepyhr:/tmp morpheus$ mkdir New; cd New
Zepyhr:/tmp/New morpheus$ tar xvf OTApack.tar 
x bxpatch
x liblzma.dylib   # Just in case you don't have it
x ota.c  # The source for ota, in case you want that too
x otaa

It is assumed at this point that you have A connected iOS device with the base image to which the OTA update applies. You can connect it over usbmuxd, or over WiFi - that's irrelevant, so as long as you change the lines in the script which need changing, namely:

DEFIOSDEV=root@phontifex-2 # likely root@localhost for you
DEFIOSPORT=2222  # Leave 2222 if via USBMux

UNPACKED_OTA_DIR=~/Downloads/OTA # Point at where OTA was unzipped
Do yourself a favor and add your ssh key to /var/root/.ssh/authorized_keys. This not only is more secure than root:alpine, but also saves you endless prompts when accessing your device, which this script does to retrieve the files

At any rate, you can then run the small script, like so:

Zephyr:New morpheus$ ./ sbin/launchd
Retrieving launchd from your device...
launchd                                                                 100%  267KB 266.9KB/s   00:00    
Patching sbin/launchd with patch from /Users/morpheus/Downloads/OTA/AssetData/payloadv2/patches/sbin/launchd
Zephyr:New morpheus$ ls -l sbin/launchd 
-rw-r--r--  1 morpheus  staff  290368 Sep 24 09:05 sbin/launchd
# Verify with jtool - if --sig doesn't complain, the signature is intact
Zephyr:New morpheus$ jtool --sig !$ 
jtool --sig sbin/launchd 
Blob at offset: 288432 (1936 bytes) is an embedded signature
Code Directory (1590 bytes)
		Version:     20100
		Flags:       adhoc
		CDHash:	     35577f3f4f03f37309e4df4576013c85a7d9c5ef
		# of Hashes: 71 code + 5 special
		Hashes @170 size: 20 Type: SHA-1
 Empty requirement set
Entitlements (258 bytes) (use --ent to view)
Blob Wrapper (8 bytes) (0x10000 is CMS (RFC3852) signature)

And this also works recursively (which is why I made the script in the first place!)

Zephyr:New morpheus$ ./ usr
Directory mode usr
recursing /Users/morpheus/Downloads/OTA/AssetData/payloadv2/patches/usr/bin
Directory mode usr/bin
Retrieving DumpBasebandCrash from your device...
DumpBasebandCrash                                                                                                    100%   36KB  36.1KB/s   00:00    
Patching usr/bin/DumpBasebandCrash with patch from /Users/morpheus/Downloads/OTA/AssetData/payloadv2/patches/usr/bin/DumpBasebandCrash
Retrieving brctl from your device...
brctl                                                                                                                100%  148KB 148.1KB/s   00:00    
Patching usr/libexec/wifiFirmwareLoader with patch from /Users/morpheus/Downloads/OTA/AssetData/payloadv2/patches/usr/libexec/wifiFirmwareLoader
Retrieving xpcproxy from your device...
xpcproxy                                                                                                             100%   40KB  40.1KB/s   00:00    
Patching usr/libexec/xpcproxy with patch from /Users/morpheus/Downloads/OTA/AssetData/payloadv2/patches/usr/libexec/xpcproxy
recursing /Users/morpheus/Downloads/OTA/AssetData/payloadv2/patches/usr/sbin
Directory mode usr/sbin
Retrieving coreos-oscar2.image from your device...
coreos-oscar2.image                                                                                                  100%  113KB 113.5KB/s   00:00    
Patching usr/standalone/firmware/oscar/coreos-oscar2.image with patch from /Users/morpheus/Downloads/OTA/AssetData/payloadv2/patches/usr/standalone/firmware/oscar/coreos-oscar2.image
# Examine:
Zephyr:New morpheus$ ls -R usr
bin		lib		libexec		sbin		share		standalone

DumpBasebandCrash	brctl			powerlogd		simulatecrash

usr/lib: # the perennial favorite, dyld..
StandardDMCFiles	dyld			system			xpc


usr/libexec: # Where the wild things are
BackupAgent			biometrickitd			misagent			ptpd
BackupAgent2			bootpd				misd				resourcegrabberd
CrashHousekeeping		bulletindistributord		mobile_assertion_agent		rolld
DuetHeuristic-BM		cc_fips_test			mobile_diagnostics_relay	routined
FSTaskScheduler			configd				mobile_file_relay		rtcreportingd
FinishRestoreFromBackup		corecaptured			mobile_house_arrest		screenshotsyncd
MobileGestaltHelper		crash_mover			mobile_installation_proxy	securityd
NANDTaskScheduler		demod				mobile_obliterator		seputil
OTAPKIAssetTool			dhcpd				mobile_storage_proxy		sharingd
OTATaskingAgent			diagnosticd			mobileassetd			splashboardd
PreboardService			eventkitsyncd			mtmergeprops			springboardservicesrelay
ProxiedCrashCopier		fmfd				nanomediaremotelinkagent	streaming_zip_conduit
PurpleReverseProxy		fseventsd			nanoregistrylaunchd		swcd
SafariCloudHistoryPushAgent	ftp-proxy			nehelper			syslog_relay
SyncAgent			gamecontrollerd			networkd_privileged		timed
UserEventAgent			hangtracerd			nlcd				tipsd
addressbooksyncd		hostapd				notification_proxy		transitd
afcd				ios_diagnostics_relay		nptocompaniond			tursd
aitd				keybagd				nsurlsessiond			tzd
amfid				languageassetd			nsurlstoraged			tzinit
aosnotifyd			limitadtrackingd		oscard				tzlinkd
assertiond			lockbot				pcapd				wapic
atc				lockdownd			pfd				webinspectord
atwakeup			lsd				pkd				wifiFirmwareLoader
backboardd			mc_mobile_tunnel		pkreporter			xpcproxy

BTAvrcp			BlueTool		filecoordinationd	notifyd			scselect
BTLEServer		addNetworkInterface	ipconfig		nvram			scutil
BTMap			aslmanager		mDNSResponder		pppd			syslogd
BTPbap			cfprefsd		mDNSResponderHelper	racoon			wifid
BTServer		distnoted		mediaserverd		rtadvd			wirelessproxd

firmware		mecabra			misc			tokenizer		zoneinfo.default

multitouch	wifi

.. which is the next best thing to having the decrypted DMG at your disposal.