iOS 9 9.2 is out, and we are once more in an unbreakable window. This is very likely temporary, but AAPL has put some seriously remarkable effort into getting things right this time. Vectors in the good ol' DYLD are all but gone, and the new "System Integrity Protection" (a.k.a. "rootless") is a royal pain (though still bypassable).
Researchers trying to find faults in the system - by analyzing its binaries - can easily get the full image thanks to @Xerub's keys for the iPhone 5. This, however, only covers 32-bit. For 64-bit, there are no publicly available decryption keys. Fortunately, the OTA vector described in detail by yours truly in a previous article still works. Said article also contains a small tool - aptly named ota - to extract the payload files, once de-pbzx'ed and xz -d'ed. It also refers to the use of bxpatch for files. Fellow iPhoneWiki user npupyshev has a working sample of bxpatch on GitHub, which you can use. For those too lazy to compile, I put it in the download.
Because I'm actively reversing iOS 9 for MOXiI 2, I wrote a small script to enable me to use an OTA zip (which you can get easily through the iPhone Wiki) along with the base filesystem on a jailbroken device (in my case 8.4 9.0.2 on an iPhone 7,2 8,2) to reconstruct the filesystem on the host. I'm attaching it here.
Dec 12 2015 update: Just tested this on the 9.2 OTA (from 9.0.2). Works :-)
Feb 04 2016: Can use this with the jumbo OTA updates as well (9.3b3 works)
Feb 16 2016: Wait, there's more - Part Three
This is not some zero day, or really anything new - it's just applying the previous article and putting in a little recursive shell script - but it's useful. So that's why I'm putting it here. I would like to share the binaries themselves from iOS 9, but I can't do that lest I want AAPL breathing down my neck - and this method is fully reproducible, so it makes for a nice Do-It-Yourself experiment.
Say you grabbed an update zip from AAPL - put it in some directory, and unzip it:
Next, unpack the tar file from this link, and you will see:
It is assumed at this point that you have a connected iOS device with the base image to which the OTA update applies. You can connect it over usbmuxd, or over WiFi - that's irrelevant, as long as you change the lines in the script which need changing, namely:
Do yourself a favor and add your ssh key to /var/root/.ssh/authorized_keys. This not only is more secure than root:alpine, but also saves you endless prompts when accessing your device, which this script does to retrieve the files.
At any rate, you can then run the small applyota.sh script, like so:
And this also works recursively (which is why I made the script in the first place!)
... which is the next best thing to having the decrypted DMG at your disposal.
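To make the flow above concrete, here is an added example of the recursive step the script performs; it is not the article's applyota.sh, and it assumes (my assumptions, not the article's) that the OTA's patch files live in a tree mirroring the device filesystem (the `PATCH_ROOT` default is a guess), that bxpatch is invoked as `bxpatch <old> <patch> <new>`, and that the device accepts key-based root logins as recommended above. The fetch and patch steps are isolated in their own functions so they can be swapped out or exercised offline.

```shell
#!/bin/sh
# Added example, not the author's applyota.sh. Walk a tree of OTA patch files,
# pull each matching base file from the device over ssh (key auth, no
# password prompts), apply the patch and write the result into OUT_ROOT.
set -eu

DEVICE="${DEVICE:-root@iphone.local}"        # assumed hostname, adjust
SSH_KEY="${SSH_KEY:-$HOME/.ssh/id_ed25519}"  # key added to authorized_keys
PATCH_ROOT="${PATCH_ROOT:-AssetData/payloadv2/patches}"  # assumed OTA layout
BASE_ROOT="${BASE_ROOT:-$PWD/base}"          # base files fetched from device
OUT_ROOT="${OUT_ROOT:-$PWD/reconstructed}"   # patched output tree

# Copy one file from the device into the base tree. BatchMode makes scp fail
# instead of falling back to a password prompt if the key is not accepted.
fetch_base() {   # fetch_base <path relative to />
  rel="$1"
  mkdir -p "$BASE_ROOT/$(dirname "$rel")"
  scp -q -o BatchMode=yes -i "$SSH_KEY" "$DEVICE:/$rel" "$BASE_ROOT/$rel"
}

# Apply a single patch. Argument order is an assumption about the bxpatch
# build in use; change it here if yours differs.
apply_one() {    # apply_one <old> <patch> <new>
  bxpatch "$1" "$2" "$3"
}

# Recurse over PATCH_ROOT; for every patch file fetch the base (if not already
# cached), apply it and mirror the path under OUT_ROOT. Prints the number of
# patches applied so a caller can sanity-check the run.
apply_patch_tree() {
  count=0
  list=$(mktemp)
  find "$PATCH_ROOT" -type f | sort > "$list"
  while IFS= read -r patch; do
    rel="${patch#"$PATCH_ROOT/"}"
    mkdir -p "$OUT_ROOT/$(dirname "$rel")"
    if [ ! -f "$BASE_ROOT/$rel" ]; then
      fetch_base "$rel"
    fi
    apply_one "$BASE_ROOT/$rel" "$patch" "$OUT_ROOT/$rel"
    count=$((count + 1))
  done < "$list"
  rm -f "$list"
  echo "$count"
}
```

Run it from the directory holding the unzipped OTA; the count it prints should match the number of files under the patch tree, and anything the OTA ships in full (the payload.00x files) is not touched by it, exactly as the article notes.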
Where are all the rest of the files?
This script handles only patches. Those files which are in full are in the payload.00[0-8] files. Following the last article to the letter with the attached ota tool will get you all of the files. This will look something like:
What about the shared library cache?
Good question. I haven't figured out the .dydiff format yet, but apparently I don't need to - connect an iOS 9 device to XCode, and it will suck all the libraries + full symbols automatically, and shove them in ~/Library/Developer/Xcode somewhere. Why? I don't know. Yet another case of AAPL shutting doors and opening windows.
I'm getting weird errors/jtool complains/etc - You're probably using an incorrect OTA zip for your iOS device. Make sure the iPhone/iPod/iPad model number is right. I tested this on my iPhone 6 (7,2), and it worked splendidly well.
I want this for Linux! - Well, this is a shell script, so it should work - if you compile the binaries for ELF. ota.c is ANSI C, and should compile neatly for Linux. npupyshev's code will likely also compile for Linux, though I can't say I've tried. The script flow would be exactly the same.
Where do I say thanks/complain/bitch/comment/flame? Right here.