OTA: Episode IX : The Rise of YAA
Support for YAA. And all the other good stuff you've come to know and love
Jonathan Levin, (@Morpheus______), http://newosxbook.com/ - 10/19/2021
About
Trying to unpack an iOS 15 OTA I encountered the mysterious YAA, which broke my ota tool. That was unacceptable.
The YAA format (presumably, Yet Another Archiver?) is not documented, but has been around for quite a while (don't blame me, I quit Darwin!). Basically, although the format can support multiple compression types, in the OTA the whole YAA stream is already PBZX-compressed, so the entries inside it carry their contents uncompressed (note the raw bplist00 right after the DATA field in the dump below). That makes it *really* simple.
000000d0 00 4d 54 4d 53 11 56 5e 61 00 00 00 00 59 41 41 |.MTMS.V^a....YAA|
000000e0 31 42 00 54 59 50 31 44 50 41 54 50 0c 00 41 70 |1B.TYP1DPATP..Ap|
000000f0 70 6c 69 63 61 74 69 6f 6e 73 55 49 44 31 00 47 |plicationsUID1.G|
00000100 49 44 31 50 4d 4f 44 32 fd 01 46 4c 47 31 00 4d |ID1PMOD2..FLG1.M|
00000110 54 4d 54 64 6d 5e 61 00 00 00 00 cc 78 fd 3a 59 |TMTdm^a.....x.:Y|
00000120 41 41 31 56 00 54 59 50 31 44 50 41 54 50 20 00 |AA1V.TYP1DPATP .|
00000130 41 70 70 6c 69 63 61 74 69 6f 6e 73 2f 41 41 55 |Applications/AAU|
00000140 49 56 69 65 77 53 65 72 76 69 63 65 2e 61 70 70 |IViewService.app|
00000150 55 49 44 31 00 47 49 44 31 50 4d 4f 44 32 fd 01 |UID1.GID1PMOD2..|
00000160 46 4c 47 31 00 4d 54 4d 54 37 6d 5e 61 00 00 00 |FLG1.MTMT7m^a...|
00000170 00 8d b1 64 20 59 41 41 31 68 00 54 59 50 31 46 |...d YAA1h.TYP1F|
00000180 50 41 54 50 2b 00 41 70 70 6c 69 63 61 74 69 6f |PATP+.Applicatio|
00000190 6e 73 2f 41 41 55 49 56 69 65 77 53 65 72 76 69 |ns/AAUIViewServi|
000001a0 63 65 2e 61 70 70 2f 49 6e 66 6f 2e 70 6c 69 73 |ce.app/Info.plis|
000001b0 74 55 49 44 31 00 47 49 44 31 50 4d 4f 44 32 b4 |tUID1.GID1PMOD2.|
000001c0 01 46 4c 47 31 20 4d 54 4d 53 11 56 5e 61 00 00 |.FLG1 MTMS.V^a..|
000001d0 00 00 44 41 54 41 7c 05 41 46 54 31 09 62 70 6c |..DATA|.AFT1.bpl|
000001e0 69 73 74 30 30 df 10 1f 01 02 03 04 05 06 07 08 |ist00...........|
000001f0 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 |................|
00000200 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 21 27 29 21 |....... !"#$!')!|
00000210 2b 2c 2d 2e 30 31 32 33 35 20 36 37 39 3a 3b 39 |+,-.01235 679:;9|
00000220 3d 21 3f 41 43 29 5c 43 46 42 75 6e 64 6c 65 4e |=!?AC)\CFBundleN|
...
00000750 00 00 00 00 00 00 00 04 ce 59 41 41 31 5e 00 54 |.........YAA1^.T|
00000760 59 50 31 44 50 41 54 50 28 00 41 70 70 6c 69 63 |YP1DPATP(.Applic|
00000770 61 74 69 6f 6e 73 2f 41 41 55 49 56 69 65 77 53 |ations/AAUIViewS|
- Marker is "YAA1". The '1' is a fixed part of the marker: every entry in the dump above begins with those four bytes.
- A header length follows the marker as a 2-byte little-endian value (42 00, 56 00, 68 00 and 5e 00 in the dump, i.e. 0x42, 0x56, 0x68, 0x5e). It counts from the first byte of the marker, so marker position + header length is exactly where the next marker (or, for a file, the DATA payload) starts: 0xdd + 0x42 = 0x11f, 0x11f + 0x56 = 0x175, 0x175 + 0x68 = 0x1dd, matching the POS values the tool prints below.
- Attributes follow, packed back to back until the header length is exhausted. Each one is a 3-letter key plus a single character that tells you how wide the value is ('1' = one byte, '2' = two-byte little-endian integer, 'P' = two-byte length followed by the string with no terminating NUL, 'S' and 'T' = 8- and 12-byte timestamps, 'A' and 'B' = two- and four-byte payload sizes). These include:
Attribute   Length (4th character)            Specifies
TYP         1 (0x31)                          'D'irectory or 'F'ile
PAT         P (0x50): short length + string   PATtern (filename), no terminating NUL
MOD         1 (0x31) or 2 (0x32)              chmod(2) settings (little-endian: fd 01 in the dump = 0775, b4 01 = 0664)
UID         1 (0x31)                          chown(2)
GID         1 (0x31)                          chgrp(2) (0x50 = 80 in the dump)
FLG         1 (0x31) or 2 (0x32)              Flags. Probably for chflags(1) (0x20 on Info.plist above)
MTM         'S' (8) or 'T' (12)               Modification time (8 bytes of seconds; 'T' carries a further 4 bytes)
LNK         P (0x50): short length + string   Link name (to PAT)
DATA        short                             Payload (contents) immediately after the YAA header
DATB        long                              Payload (contents), with a 4-byte size
AFT         1 (0x31) or 2 (0x32)              Padding after file
Note that whatever AFT encodes, it does not shift the next entry: in the dump the Info.plist payload starts at 0x1dd (= 0x175 + 0x68) and the next YAA marker sits at 0x1dd + 0x57c = 0x759, exactly header length + DATA length.
The format is really simple to reverse, and Apple's own aa(1) (called yaa in earlier macOS releases) with list -v -i file really helps, too.
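The dump and the attribute table above are enough to write a walker for the stream. What follows is an added example, not the ota tool's own code and not Apple's: it assumes only the layout read off the dump (a YAA1 marker, a 2-byte little-endian header length counted from the marker, 3-letter keys with a type character, and a payload directly after the header), and it checks every length against the buffer before using it, since the payload is an untrusted input. SAMPLE is a constructed two-entry stream modelled on the Applications and Info.plist entries in the dump, not bytes from a real OTA; search() mimics the ota tool's -s switch and is_well_formed() is a pre-check you would run before extracting anything.

```python
# Added example (not the ota tool's own code): a bounds-checked walker for the
# YAA entry stream, following the layout read off the dump above.
import struct
from dataclasses import dataclass

MAGIC = b"YAA1"
# 4th character of a key -> struct format of its fixed-width value
# ('1'/'2' integers, 'A'/'B' DATA sizes, 'S' seconds, 'T' seconds + 4 more bytes)
_FIXED = {"1": "<B", "2": "<H", "A": "<H", "B": "<I", "S": "<q", "T": "<qI"}

@dataclass
class Entry:
    pos: int        # offset of the YAA1 marker in the stream
    data_off: int   # first payload byte == pos + header length
    attrs: dict     # e.g. {"TYP": 0x44, "PAT": "Applications", "MOD": 0o775, ...}
    payload: bytes

def _decode_field(buf, off, kind):
    """Decode one attribute value at buf[off:]; returns (value, offset past it)."""
    if kind == "P":                               # 2-byte length + string, no NUL
        n = struct.unpack_from("<H", buf, off)[0]
        return buf[off + 2:off + 2 + n].decode("utf-8"), off + 2 + n
    if kind not in _FIXED:
        raise ValueError(f"unknown field type {kind!r} at 0x{off:x}")
    vals = struct.unpack_from(_FIXED[kind], buf, off)
    return (vals[0] if len(vals) == 1 else vals), off + struct.calcsize(_FIXED[kind])

def parse_entries(buf):
    """Yield one Entry per header.  Every length comes from the (untrusted) stream,
    so each is checked against the buffer and the header before it is used."""
    pos = 0
    while pos < len(buf):
        if buf[pos:pos + 4] != MAGIC:
            raise ValueError(f"bad magic at 0x{pos:x}")
        hdr_len = struct.unpack_from("<H", buf, pos + 4)[0] if pos + 6 <= len(buf) else 0
        if hdr_len < 6 or pos + hdr_len > len(buf):
            raise ValueError(f"bad header length 0x{hdr_len:x} at 0x{pos:x}")
        attrs, data_len, off, end = {}, 0, pos + 6, pos + hdr_len
        try:
            while off + 4 <= end:
                key, kind = buf[off:off + 3].decode("ascii"), chr(buf[off + 3])
                val, off = _decode_field(buf, off + 4, kind)
                if off > end:
                    raise ValueError(f"{key}{kind} overruns header at 0x{pos:x}")
                attrs[key] = val
                if key == "DAT":                  # DATA / DATB: payload size
                    data_len = val
        except (struct.error, UnicodeDecodeError) as e:
            raise ValueError(f"corrupt header at 0x{pos:x}: {e}") from None
        if off != end or end + data_len > len(buf):
            raise ValueError(f"inconsistent lengths in entry at 0x{pos:x}")
        yield Entry(pos, end, attrs, bytes(buf[end:end + data_len]))
        pos = end + data_len                      # payload sits right after the header

def describe(e):
    """One listing line in the style of the ota tool."""
    a = e.attrs
    return "POS 0x{:04x}: TYP: {} UID: {} GID: {} MOD: {:04o} FLG: {} PAT: {} ({} bytes)".format(
        e.pos, chr(a.get("TYP", 0x3F)), a.get("UID", 0), a.get("GID", 0),
        a.get("MOD", 0), a.get("FLG", 0), a.get("PAT", ""), len(e.payload))

def search(buf, needle):
    """Like `ota -s`: every (PAT, offset in payload, offset in stream) hit."""
    hits = []
    for e in parse_entries(buf):
        i = e.payload.find(needle)
        while i != -1:
            hits.append((e.attrs.get("PAT", ""), i, e.data_off + i))
            i = e.payload.find(needle, i + 1)
    return hits

def is_well_formed(buf):
    """Cheap pre-check before extracting anything from an untrusted payload."""
    try:
        list(parse_entries(buf))
        return True
    except ValueError:
        return False

# --- constructed sample stream (a directory and a file), not real OTA bytes ---
def _field(key, kind, val):
    if kind == "P":
        return key.encode() + b"P" + struct.pack("<H", len(val)) + val
    return key.encode() + kind.encode() + struct.pack(_FIXED[kind], val)

def _entry(fields, payload=b""):
    body = b"".join(fields)
    return MAGIC + struct.pack("<H", 6 + len(body)) + body + payload

PLIST = b'<plist version="1.0"><dict/></plist>'
SAMPLE = (
    _entry([_field("TYP", "1", ord("D")), _field("PAT", "P", b"Applications"),
            _field("UID", "1", 0), _field("GID", "1", 80), _field("MOD", "2", 0o775),
            _field("FLG", "1", 0), _field("MTM", "S", 1633578340)])
    + _entry([_field("TYP", "1", ord("F")), _field("PAT", "P", b"Applications/Info.plist"),
              _field("UID", "1", 0), _field("GID", "1", 80), _field("MOD", "2", 0o664),
              _field("FLG", "1", 32), _field("MTM", "S", 1633572369),
              _field("DAT", "A", len(PLIST))], PLIST))
```

Feed parse_entries() the /tmp/out the tool leaves behind after stripping PBZX and describe() each Entry to get the same listing as below; the constant-time checks on hdr_len and data_len are what keep a doctored payload from reading past the buffer.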
The ota tool will now work on YAA payloads inside PBZX. As before, it automatically decompresses the PBZX encapsulation (to /tmp/out, if you want to check YAA out for YAAself). All other switches work exactly the same way (I refactored processFile to a processFileInner, as you can see in the open source).
root@Qilin (/.../15.0.2) #ota AssetData/payloadv2/payload.000 | head -10    18:01
Processing AssetData/payloadv2/payload.000
EXTRACTED: 0x7fa2a681c010, size: 0x51df774
POS 0x0000: TYP: D UID: 0 GID: 0 MOD: 0755 FLG: 0 PAT:  (0 bytes)
POS 0x0036: TYP: D UID: 0 GID: 0 MOD: 0700 FLG: 0 PAT: .ba (0 bytes)
POS 0x006b: TYP: F UID: 0 GID: 80 MOD: 00 FLG: 0 PAT: .file (0 bytes)
POS 0x00a8: TYP: D UID: 0 GID: 0 MOD: 0700 FLG: 0 PAT: .mb (0 bytes)
POS 0x00dd: TYP: D UID: 0 GID: 80 MOD: 0775 FLG: 0 PAT: Applications (0 bytes)
POS 0x011f: TYP: D UID: 0 GID: 80 MOD: 0775 FLG: 0 PAT: Applications/AAUIViewService.app (0 bytes)
POS 0x0175: TYP: F UID: 0 GID: 80 MOD: 0664 FLG: 32 PAT: Applications/AAUIViewService.app/Info.plist (1404 bytes)
POS 0x0759: TYP: D UID: 0 GID: 80 MOD: 0775 FLG: 0 PAT: Applications/AAUIViewService.app/Library (0 bytes)
POS 0x07b7: TYP: D UID: 0 GID: 80 MOD: 0775 FLG: 0 PAT: Applications/AAUIViewService.app/Library/SharedWebCredentials (0 bytes)
root@Qilin (/.../15.0.2) #ota -s task_for_pid AssetData/payloadv2/payload.02?
Processing AssetData/payloadv2/payload.022
EXTRACTED: 0x7ff97dd39010, size: 0x1dc4bcac
Found in Entry: System/Library/CoreServices/ReportCrash, relative offset: 0x2e738 (Absolute: 2e7a6)
Found in Entry: System/Library/CoreServices/ReportCrash, relative offset: 0x4551c (Absolute: 4558a)
Found in Entry: System/Library/CoreServices/ReportCrash, relative offset: 0x49351 (Absolute: 493bf)
Found in Entry: System/Library/CoreServices/osanalyticshelper, relative offset: 0x1f235 (Absolute: 1f2a9)
Found in Entry: System/Library/CoreServices/osanalyticshelper, relative offset: 0x23533 (Absolute: 235a7)
Found in Entry: System/Library/CoreServices/osanalyticshelper, relative offset: 0x311de (Absolute: 31252)
Found in Entry: System/Library/CoreServices/osanalyticshelper, relative offset: 0x34f63 (Absolute: 34fd7)
Processing AssetData/payloadv2/payload.023
EXTRACTED: 0x7ff920d36010, size: 0x232ef80d
Found in Entry: usr/share/misc/trace.codes, relative offset: 0x1cf4 (Absolute: 1d53)
Processing AssetData/payloadv2/payload.024
EXTRACTED: 0x7ff968d38010, size: 0xf525bd5
Found in Entry: System/DriverKit/Runtime/usr/include/mach/task_access.defs, relative offset: 0x5f3 (Absolute: 670)
Other articles in series
Episode III
Episode IV
Episode V
Episode VI
Episode VII
Episode VIII