OutputState* loadZip(const char* ipsw) {
return loadZip2(ipsw, FALSE);
}
Dictionary* parseIPSW2(const char* inputIPSW, const char* bundleRoot, char** bundlePath, OutputState** state, int useMemory) {
Dictionary* info;
char* infoPath;
AbstractFile* plistFile;
char* plist;
FILE* inputIPSWFile;
SHA_CTX sha1_ctx;
char* buffer;
int read;
unsigned char hash[20];
DIR* dir;
struct dirent* ent;
StringValue* plistSHA1String;
unsigned int plistHash[20];
int i;
*bundlePath = NULL;
inputIPSWFile = fopen(inputIPSW, "rb");
if(!inputIPSWFile) {
return NULL;
}
XLOG(0, "Hashing IPSW...\n");
buffer = malloc(BUFFERSIZE);
SHA1_Init(&sha1_ctx);
while(!feof(inputIPSWFile)) {
read = fread(buffer, 1, BUFFERSIZE, inputIPSWFile);
SHA1_Update(&sha1_ctx, buffer, read);
}
SHA1_Final(hash, &sha1_ctx);
free(buffer);
fclose(inputIPSWFile);
XLOG(0, "Matching IPSW in %s... (%02x%02x%02x%02x...)\n", bundleRoot, (int) hash[0], (int) hash[1], (int) hash[2], (int) hash[3]);
dir = opendir(bundleRoot);
if(dir == NULL) {
XLOG(1, "Bundles directory not found\n");
return NULL;
}
while((ent = readdir(dir)) != NULL) {
if(ent->d_name[0] == '.' && (ent->d_name[1] == '\0' || (ent->d_name[1] == '.' && ent->d_name[2] == '\0'))) {
continue;
}
infoPath = (char*) malloc(sizeof(char) * (strlen(bundleRoot) + sizeof(PATH_SEPARATOR) + strlen(ent->d_name) + sizeof(PATH_SEPARATOR "Info.plist")));
sprintf(infoPath, "%s" PATH_SEPARATOR "%s" PATH_SEPARATOR "Info.plist", bundleRoot, ent->d_name);
XLOG(0, "checking: %s\n", infoPath);
if((plistFile = createAbstractFileFromFile(fopen(infoPath, "rb"))) != NULL) {
plist = (char*) malloc(plistFile->getLength(plistFile));
plistFile->read(plistFile, plist, plistFile->getLength(plistFile));
plistFile->close(plistFile);
info = createRoot(plist);
free(plist);
plistSHA1String = (StringValue*)getValueByKey(info, "SHA1");
if(plistSHA1String) {
sscanf(plistSHA1String->value, "%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x",
&plistHash[0], &plistHash[1], &plistHash[2], &plistHash[3], &plistHash[4],
&plistHash[5], &plistHash[6], &plistHash[7], &plistHash[8], &plistHash[9],
&plistHash[10], &plistHash[11], &plistHash[12], &plistHash[13], &plistHash[14],
&plistHash[15], &plistHash[16], &plistHash[17], &plistHash[18], &plistHash[19]);
for(i = 0; i < 20; i++) {
if(plistHash[i] != hash[i]) {
break;
}
}
if(i == 20) {
*bundlePath = (char*) malloc(sizeof(char) * (strlen(bundleRoot) + sizeof(PATH_SEPARATOR) + strlen(ent->d_name)));
sprintf(*bundlePath, "%s" PATH_SEPARATOR "%s", bundleRoot, ent->d_name);
free(infoPath);
break;
}
}
releaseDictionary(info);
}
free(infoPath);
}
closedir(dir);
if(*bundlePath == NULL) {
return NULL;
}
*state = loadZip2(inputIPSW, useMemory);
return info;
}
int main(int argc, char* argv[]) {
init_libxpwn(&argc, argv);
OutputState *outputState;
size_t fileLength;
AbstractFile *signFile;
Dictionary *signDict = NULL;
DataValue *ticket;
Dictionary *dict;
AbstractFile *manifestFile;
Dictionary* manifest;
struct component_t *array;
char *plist;
int i, j, n;
int rv, error = 0;
X509 *x0, *y1, *y2;
uint64_t savecid = 0;
const unsigned char *p;
int verbose = FALSE;
int fromzip = FALSE;
if (argc < 3) {
XLOG(0, "usage %s file.shsh BuildManifest.plist [-v] [-z]\n", argv[0]);
return 0;
}
for (i = 3; i < argc; i++) {
if (!strcmp(argv[i], "-v")) {
verbose = TRUE;
continue;
}
if (!strcmp(argv[i], "-z")) {
fromzip = TRUE;
continue;
}
}
// XXX handle gzip/bplist files
signFile = createAbstractFileFromFile(fopen(argv[1], "rb"));
if (!signFile) {
XLOG(0, "FATAL: cannot open %s\n", argv[1]);
exit(1);
}
fileLength = signFile->getLength(signFile);
plist = malloc(fileLength);
signFile->read(signFile, plist, fileLength);
signFile->close(signFile);
signDict = createRoot(plist);
free(plist);
if (!signDict) {
XLOG(0, "FATAL: cannot parse %s\n", argv[1]);
exit(1);
}
MaxLoadZipSize = 128 * 1024;
if (fromzip) {
outputState = loadZip2(argv[2], TRUE); // XXX ASSERT
manifestFile = getFileFromOutputState(&outputState, "BuildManifest.plist");
} else {
outputState = NULL;
manifestFile = createAbstractFileFromFile(fopen(argv[2], "rb"));
}
if (!manifestFile) {
XLOG(0, "FATAL: cannot open %s\n", argv[2]);
exit(1);
}
fileLength = manifestFile->getLength(manifestFile);
plist = malloc(fileLength);
manifestFile->read(manifestFile, plist, fileLength);
manifestFile->close(manifestFile);
manifest = createRoot(plist);
free(plist);
if (!manifest) {
XLOG(0, "FATAL: cannot parse %s\n", argv[2]);
exit(1);
}
releaseOutput(&outputState);
array = parseManifest(manifest, &n);
if (!array) {
XLOG(0, "FATAL: cannot parse manifest\n");
exit(1);
}
OPENSSL_add_all_algorithms_noconf();
p = cerb;
x0 = d2i_X509(NULL, &p, cerb_len);
if (!x0) {
XLOG(0, "FATAL: cannot load root CA\n");
exit(1);
}
ticket = (DataValue *)getValueByKey(signDict, "APTicket");
if (ticket) {
p = ticket->value;
rv = asn1_parse2(&p, ticket->len, 0, 0);
if (!rv || !apcert.value || !rsasig.value || !theset.value) {
XLOG(0, "FATAL: cannot parse ticket\n");
exit(1);
}
if (clen > 0 && contarray->len == 8) {
savecid = getECID(contarray->value);
}
if (!savecid) {
printf("ERROR: bad, bad ECID\n");
error = 1;
}
rv = extract2Certs(apcert.value, apcert.len, &y1, &y2);
if (rv == 0) {
rv = cryptoMagic(x0, y1, y2, theset.value, theset.len, (unsigned char *)rsasig.value, rsasig.len, NULL);
X509_free(y1);
X509_free(y2);
}
if (rv) {
printf("ERROR: APTicket failed crypto\n");
error = 1;
}
} else {
VERBOSE("WARNING: cannot find ticket in %s\n", argv[1]);
}
dict = (Dictionary *)signDict->values;
while (dict) {
DataValue *blob = NULL;
DataValue *partialDigest = NULL;
if (dict->dValue.type == DictionaryType) {
blob = (DataValue *)getValueByKey(dict, "Blob");
partialDigest = (DataValue *)getValueByKey(dict, "PartialDigest");
}
if (blob && partialDigest) {
const char *diag = checkBlob(x0, blob, partialDigest, &savecid);
if (diag) {
printf("ERROR: Blob for %s is invalid (%s)\n", dict->dValue.key, diag);
error = 1;
} else {
for (i = 0; i < n; i++) {
struct component_t *centry = array + i;
if (centry->partial &&
partialDigest->len == centry->partial->len &&
!memcmp(partialDigest->value, centry->partial->value, partialDigest->len)) {
array[i].blob = blob;
}
}
}
}
dict = (Dictionary *)dict->dValue.next;
}
if (!ticket && !savecid) {
printf("ERROR: bad, bad ECID\n");
error = 1;
}
for (i = 0; i < n; i++) {
struct component_t *centry = array + i;
int found = FALSE;
for (j = 0; j < clen; j++) {
struct tuple_t *tentry = contarray + j;
if (tentry->len == centry->digest->len && !memcmp(tentry->value, centry->digest->value, tentry->len)) {
found = TRUE;
}
}
if (!found) {
if (centry->blob) {
VERBOSE("WARNING: no digest for %s (%s), but it has blob\n", centry->key, centry->path);
} else if (!centry->required) {
VERBOSE("WARNING: no digest for %s (%s), but it is not critical\n", centry->key, centry->path);
} else {
printf("ERROR: no digest for %s (%s) and no blob found\n", centry->key, centry->path);
error = 1;
}
} else {
VERBOSE("INFO: %s (%s) is signed by APTicket%s\n", centry->key, centry->path, centry->blob ? " and blob" : "");
}
}
free(array);
free(contarray);
releaseDictionary(manifest);
releaseDictionary(signDict);
if (error) {
printf("%s is BROKEN\n", argv[1]);
} else {
printf("%s seems usable for ECID 0x%016llX\n", argv[1], savecid);
}
X509_free(x0);
EVP_cleanup();
ERR_remove_state(0);
CRYPTO_cleanup_all_ex_data();
return error;
}
