void releaseDictionary(Dictionary* myself) {
DictValue* next;
DictValue* toRelease;
free(myself->dValue.key);
next = myself->values;
while(next != NULL) {
toRelease = next;
next = next->next;
switch(toRelease->type) {
case DictionaryType:
releaseDictionary((Dictionary*) toRelease);
break;
case ArrayType:
releaseArray((ArrayValue*) toRelease);
break;
case StringType:
free(((StringValue*)(toRelease))->value);
case IntegerType:
case BoolType:
free(toRelease->key);
free(toRelease);
break;
}
}
free(myself);
}
void removeKey(Dictionary * dict, char *key)
{
DictValue *next;
DictValue *toRelease;
next = dict->values;
while (next != NULL) {
if (strcmp(next->key, key) == 0) {
toRelease = next;
if (toRelease->prev) {
toRelease->prev->next = toRelease->next;
} else {
dict->values = toRelease->next;
}
if (toRelease->next) {
toRelease->next->prev = toRelease->prev;
}
switch (toRelease->type) {
case DictionaryType:
releaseDictionary((Dictionary *) toRelease);
break;
case ArrayType:
releaseArray((ArrayValue *) toRelease);
break;
case StringType:
free(((StringValue *) (toRelease))->value);
free(toRelease->key);
free(toRelease);
break;
case DataType:
free(((DataValue *) (toRelease))->value);
free(toRelease->key);
free(toRelease);
break;
case IntegerType:
case BoolType:
free(toRelease->key);
free(toRelease);
break;
}
return;
}
next = next->next;
}
return;
}
void fixupBootNeuterArgs(Volume* volume, char unlockBaseband, char selfDestruct, char use39, char use46) {
const char bootNeuterPlist[] = "/System/Library/LaunchDaemons/com.devteam.bootneuter.auto.plist";
AbstractFile* plistFile;
char* plist;
Dictionary* info;
size_t bufferSize;
ArrayValue* arguments;
XLOG(0, "fixing up BootNeuter arguments...\n");
plist = malloc(1);
bufferSize = 0;
plistFile = createAbstractFileFromMemoryFile((void**)&plist, &bufferSize);
get_hfs(volume, bootNeuterPlist, plistFile);
plistFile->close(plistFile);
info = createRoot(plist);
free(plist);
arguments = (ArrayValue*) getValueByKey(info, "ProgramArguments");
addStringToArray(arguments, "-autoMode");
addStringToArray(arguments, "YES");
addStringToArray(arguments, "-RegisterForSystemEvents");
addStringToArray(arguments, "YES");
if(unlockBaseband) {
addStringToArray(arguments, "-unlockBaseband");
addStringToArray(arguments, "YES");
}
if(selfDestruct) {
addStringToArray(arguments, "-selfDestruct");
addStringToArray(arguments, "YES");
}
if(use39) {
addStringToArray(arguments, "-bootLoader");
addStringToArray(arguments, "3.9");
} else if(use46) {
addStringToArray(arguments, "-bootLoader");
addStringToArray(arguments, "4.6");
}
plist = getXmlFromRoot(info);
releaseDictionary(info);
plistFile = createAbstractFileFromMemory((void**)&plist, sizeof(char) * strlen(plist));
add_hfs(volume, plistFile, bootNeuterPlist);
free(plist);
}
void createRestoreOptions(Volume* volume, const char *optionsPlist, int SystemPartitionSize, int UpdateBaseband) {
AbstractFile* plistFile;
Dictionary* info;
char* plist;
HFSPlusCatalogRecord* record;
info = NULL;
record = getRecordFromPath(optionsPlist, volume, NULL, NULL);
if(record != NULL && record->recordType == kHFSPlusFileRecord) {
HFSPlusCatalogFile* file = (HFSPlusCatalogFile*)record;
size_t bufferSize = 512;
plist = malloc(bufferSize);
plistFile = createAbstractFileFromMemory((void**)&plist, bufferSize);
if (plistFile) {
char zero = 0;
writeToFile(file, plistFile, volume);
plistFile->write(plistFile, &zero, sizeof(zero));
plistFile->close(plistFile);
info = createRoot(plist);
removeKey(info, "CreateFilesystemPartitions");
removeKey(info, "SystemPartitionSize");
removeKey(info, "UpdateBaseband");
removeKey(info, "MinimumSystemPartition");
addIntegerToDictionary(info, "MinimumSystemPartition", SystemPartitionSize);
XLOG(0, "got %s from ramdisk\n", optionsPlist);
}
free(plist);
}
XLOG(0, "start create restore options\n");
if (!info) info = createRoot("<dict></dict>");
addBoolToDictionary(info, "CreateFilesystemPartitions", TRUE);
addIntegerToDictionary(info, "SystemPartitionSize", SystemPartitionSize);
addBoolToDictionary(info, "UpdateBaseband", UpdateBaseband);
plist = getXmlFromRoot(info);
releaseDictionary(info);
XLOG(0, "%s", plist);
plistFile = createAbstractFileFromMemory((void**)&plist, sizeof(char) * strlen(plist));
add_hfs(volume, plistFile, optionsPlist);
free(plist);
}
void releaseArray(ArrayValue * myself)
{
int i;
free(myself->dValue.key);
for (i = 0; i < myself->size; i++) {
switch (myself->values[i]->type) {
case DictionaryType:
releaseDictionary((Dictionary *) myself->values[i]);
break;
case ArrayType:
releaseArray((ArrayValue *) myself->values[i]);
break;
case StringType:
free(((StringValue *) (myself->values[i]))->value);
free(myself->values[i]->key);
free(myself->values[i]);
break;
case DataType:
free(((DataValue *) (myself->values[i]))->value);
free(myself->values[i]->key);
free(myself->values[i]);
break;
case BoolType:
case IntegerType:
free(myself->values[i]->key);
free(myself->values[i]);
break;
}
}
free(myself->values);
free(myself);
}
int main(int argc, char* argv[]) {
init_libxpwn();
Dictionary* info;
Dictionary* firmwarePatches;
Dictionary* patchDict;
ArrayValue* patchArray;
void* buffer;
StringValue* actionValue;
StringValue* pathValue;
StringValue* fileValue;
StringValue* patchValue;
char* patchPath;
char* rootFSPathInIPSW;
io_func* rootFS;
Volume* rootVolume;
size_t rootSize;
size_t preferredRootSize = 0;
size_t minimumRootSize = 0;
char* ramdiskFSPathInIPSW;
unsigned int ramdiskKey[16];
unsigned int ramdiskIV[16];
unsigned int* pRamdiskKey = NULL;
unsigned int* pRamdiskIV = NULL;
io_func* ramdiskFS;
Volume* ramdiskVolume;
char* updateRamdiskFSPathInIPSW = NULL;
int i;
OutputState* outputState;
char* bundlePath;
char* bundleRoot = "FirmwareBundles/";
int mergePaths;
char* outputIPSW;
void* imageBuffer;
size_t imageSize;
AbstractFile* bootloader39 = NULL;
AbstractFile* bootloader46 = NULL;
AbstractFile* applelogo = NULL;
AbstractFile* recoverymode = NULL;
char noWipe = FALSE;
char unlockBaseband = FALSE;
char selfDestruct = FALSE;
char use39 = FALSE;
char use46 = FALSE;
char doBootNeuter = FALSE;
char updateBB = FALSE;
char useMemory = FALSE;
unsigned int key[16];
unsigned int iv[16];
unsigned int* pKey = NULL;
unsigned int* pIV = NULL;
if(argc < 3) {
XLOG(0, "usage %s <input.ipsw> <target.ipsw> [-b <bootimage.png>] [-r <recoveryimage.png>] [-s <system partition size>] [-memory] [-bbupdate] [-nowipe] [-e \"<action to exclude>\"] [[-unlock] [-use39] [-use46] [-cleanup] -3 <bootloader 3.9 file> -4 <bootloader 4.6 file>] <package1.tar> <package2.tar>...\n", argv[0]);
return 0;
}
outputIPSW = argv[2];
int* toRemove = NULL;
int numToRemove = 0;
for(i = 3; i < argc; i++) {
if(argv[i][0] != '-') {
break;
}
if(strcmp(argv[i], "-memory") == 0) {
useMemory = TRUE;
continue;
}
if(strcmp(argv[i], "-s") == 0) {
int size;
sscanf(argv[i + 1], "%d", &size);
preferredRootSize = size;
i++;
continue;
}
if(strcmp(argv[i], "-nowipe") == 0) {
noWipe = TRUE;
continue;
}
if(strcmp(argv[i], "-bbupdate") == 0) {
updateBB = TRUE;
continue;
}
if(strcmp(argv[i], "-e") == 0) {
numToRemove++;
toRemove = realloc(toRemove, numToRemove * sizeof(int));
toRemove[numToRemove - 1] = i + 1;
i++;
continue;
}
if(strcmp(argv[i], "-unlock") == 0) {
unlockBaseband = TRUE;
continue;
}
if(strcmp(argv[i], "-cleanup") == 0) {
selfDestruct = TRUE;
continue;
}
if(strcmp(argv[i], "-use39") == 0) {
if(use46) {
XLOG(0, "error: select only one of -use39 and -use46\n");
exit(1);
}
use39 = TRUE;
continue;
}
if(strcmp(argv[i], "-use46") == 0) {
if(use39) {
XLOG(0, "error: select only one of -use39 and -use46\n");
exit(1);
}
use46 = TRUE;
continue;
}
if(strcmp(argv[i], "-b") == 0) {
applelogo = createAbstractFileFromFile(fopen(argv[i + 1], "rb"));
if(!applelogo) {
XLOG(0, "cannot open %s\n", argv[i + 1]);
exit(1);
}
i++;
continue;
}
if(strcmp(argv[i], "-r") == 0) {
recoverymode = createAbstractFileFromFile(fopen(argv[i + 1], "rb"));
if(!recoverymode) {
XLOG(0, "cannot open %s\n", argv[i + 1]);
exit(1);
}
i++;
continue;
}
if(strcmp(argv[i], "-3") == 0) {
bootloader39 = createAbstractFileFromFile(fopen(argv[i + 1], "rb"));
if(!bootloader39) {
XLOG(0, "cannot open %s\n", argv[i + 1]);
exit(1);
}
i++;
continue;
}
if(strcmp(argv[i], "-4") == 0) {
bootloader46 = createAbstractFileFromFile(fopen(argv[i + 1], "rb"));
if(!bootloader46) {
XLOG(0, "cannot open %s\n", argv[i + 1]);
exit(1);
}
i++;
continue;
}
}
mergePaths = i;
if(use39 || use46 || unlockBaseband || selfDestruct || bootloader39 || bootloader46) {
if(!(bootloader39) || !(bootloader46)) {
XLOG(0, "error: you must specify both bootloader files.\n");
exit(1);
} else {
doBootNeuter = TRUE;
}
}
info = parseIPSW2(argv[1], bundleRoot, &bundlePath, &outputState, useMemory);
if(info == NULL) {
XLOG(0, "error: Could not load IPSW\n");
exit(1);
}
firmwarePatches = (Dictionary*)getValueByKey(info, "FilesystemPatches");
int j;
for(j = 0; j < numToRemove; j++) {
removeKey(firmwarePatches, argv[toRemove[j]]);
}
free(toRemove);
firmwarePatches = (Dictionary*)getValueByKey(info, "FirmwarePatches");
patchDict = (Dictionary*) firmwarePatches->values;
while(patchDict != NULL) {
fileValue = (StringValue*) getValueByKey(patchDict, "File");
StringValue* keyValue = (StringValue*) getValueByKey(patchDict, "Key");
StringValue* ivValue = (StringValue*) getValueByKey(patchDict, "IV");
pKey = NULL;
pIV = NULL;
if(keyValue) {
sscanf(keyValue->value, "%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x",
&key[0], &key[1], &key[2], &key[3], &key[4], &key[5], &key[6], &key[7], &key[8],
&key[9], &key[10], &key[11], &key[12], &key[13], &key[14], &key[15]);
pKey = key;
}
if(ivValue) {
sscanf(ivValue->value, "%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x",
&iv[0], &iv[1], &iv[2], &iv[3], &iv[4], &iv[5], &iv[6], &iv[7], &iv[8],
&iv[9], &iv[10], &iv[11], &iv[12], &iv[13], &iv[14], &iv[15]);
pIV = iv;
}
if(strcmp(patchDict->dValue.key, "Restore Ramdisk") == 0) {
ramdiskFSPathInIPSW = fileValue->value;
if(pKey) {
memcpy(ramdiskKey, key, sizeof(key));
memcpy(ramdiskIV, iv, sizeof(iv));
pRamdiskKey = ramdiskKey;
pRamdiskIV = ramdiskIV;
} else {
pRamdiskKey = NULL;
pRamdiskIV = NULL;
}
}
if(strcmp(patchDict->dValue.key, "Update Ramdisk") == 0) {
updateRamdiskFSPathInIPSW = fileValue->value;
}
patchValue = (StringValue*) getValueByKey(patchDict, "Patch2");
if(patchValue) {
if(noWipe) {
XLOG(0, "%s: ", patchDict->dValue.key);
fflush(stdout);
doPatch(patchValue, fileValue, bundlePath, &outputState, pKey, pIV, useMemory);
patchDict = (Dictionary*) patchDict->dValue.next;
continue; /* skip over the normal Patch */
}
}
patchValue = (StringValue*) getValueByKey(patchDict, "Patch");
if(patchValue) {
XLOG(0, "%s: ", patchDict->dValue.key);
fflush(stdout);
doPatch(patchValue, fileValue, bundlePath, &outputState, pKey, pIV, useMemory);
}
if(strcmp(patchDict->dValue.key, "AppleLogo") == 0 && applelogo) {
XLOG(0, "replacing %s\n", fileValue->value);
fflush(stdout);
ASSERT((imageBuffer = replaceBootImage(getFileFromOutputState(&outputState, fileValue->value), pKey, pIV, applelogo, &imageSize)) != NULL, "failed to use new image");
addToOutput(&outputState, fileValue->value, imageBuffer, imageSize);
}
if(strcmp(patchDict->dValue.key, "RecoveryMode") == 0 && recoverymode) {
XLOG(0, "replacing %s\n", fileValue->value);
fflush(stdout);
ASSERT((imageBuffer = replaceBootImage(getFileFromOutputState(&outputState, fileValue->value), pKey, pIV, recoverymode, &imageSize)) != NULL, "failed to use new image");
addToOutput(&outputState, fileValue->value, imageBuffer, imageSize);
}
patchDict = (Dictionary*) patchDict->dValue.next;
}
fileValue = (StringValue*) getValueByKey(info, "RootFilesystem");
rootFSPathInIPSW = fileValue->value;
size_t defaultRootSize = ((IntegerValue*) getValueByKey(info, "RootFilesystemSize"))->value;
minimumRootSize = defaultRootSize * 1000 * 1000;
minimumRootSize -= minimumRootSize % 512;
if(preferredRootSize == 0) {
preferredRootSize = defaultRootSize;
}
rootSize = preferredRootSize * 1000 * 1000;
rootSize -= rootSize % 512;
if(useMemory) {
buffer = malloc(rootSize);
} else {
buffer = NULL;
}
if(buffer == NULL) {
XLOG(2, "using filesystem backed temporary storage\n");
}
extractDmg(
createAbstractFileFromFileVault(getFileFromOutputState(&outputState, rootFSPathInIPSW), ((StringValue*)getValueByKey(info, "RootFilesystemKey"))->value),
openRoot((void**)&buffer, &rootSize), -1);
rootFS = IOFuncFromAbstractFile(openRoot((void**)&buffer, &rootSize));
rootVolume = openVolume(rootFS);
XLOG(0, "Growing root to minimum: %ld\n", (long) defaultRootSize);
fflush(stdout);
grow_hfs(rootVolume, minimumRootSize);
if(rootSize > minimumRootSize) {
XLOG(0, "Growing root: %ld\n", (long) preferredRootSize);
fflush(stdout);
grow_hfs(rootVolume, rootSize);
}
firmwarePatches = (Dictionary*)getValueByKey(info, "FilesystemPatches");
patchArray = (ArrayValue*) firmwarePatches->values;
while(patchArray != NULL) {
for(i = 0; i < patchArray->size; i++) {
patchDict = (Dictionary*) patchArray->values[i];
fileValue = (StringValue*) getValueByKey(patchDict, "File");
actionValue = (StringValue*) getValueByKey(patchDict, "Action");
if(strcmp(actionValue->value, "ReplaceKernel") == 0) {
pathValue = (StringValue*) getValueByKey(patchDict, "Path");
XLOG(0, "replacing kernel... %s -> %s\n", fileValue->value, pathValue->value);
fflush(stdout);
add_hfs(rootVolume, getFileFromOutputState(&outputState, fileValue->value), pathValue->value);
}
if(strcmp(actionValue->value, "Patch") == 0) {
patchValue = (StringValue*) getValueByKey(patchDict, "Patch");
patchPath = (char*) malloc(sizeof(char) * (strlen(bundlePath) + strlen(patchValue->value) + 2));
strcpy(patchPath, bundlePath);
strcat(patchPath, "/");
strcat(patchPath, patchValue->value);
XLOG(0, "patching %s (%s)... ", fileValue->value, patchPath);
doPatchInPlace(rootVolume, fileValue->value, patchPath);
free(patchPath);
}
}
patchArray = (ArrayValue*) patchArray->dValue.next;
}
for(; mergePaths < argc; mergePaths++) {
XLOG(0, "merging %s\n", argv[mergePaths]);
AbstractFile* tarFile = createAbstractFileFromFile(fopen(argv[mergePaths], "rb"));
if(tarFile == NULL) {
XLOG(1, "cannot find %s, make sure your slashes are in the right direction\n", argv[mergePaths]);
releaseOutput(&outputState);
closeRoot(buffer);
exit(0);
}
hfs_untar(rootVolume, tarFile);
tarFile->close(tarFile);
}
if(pRamdiskKey) {
ramdiskFS = IOFuncFromAbstractFile(openAbstractFile2(getFileFromOutputStateForOverwrite(&outputState, ramdiskFSPathInIPSW), pRamdiskKey, pRamdiskIV));
} else {
XLOG(0, "unencrypted ramdisk\n");
ramdiskFS = IOFuncFromAbstractFile(openAbstractFile(getFileFromOutputStateForOverwrite(&outputState, ramdiskFSPathInIPSW)));
}
ramdiskVolume = openVolume(ramdiskFS);
XLOG(0, "growing ramdisk: %d -> %d\n", ramdiskVolume->volumeHeader->totalBlocks * ramdiskVolume->volumeHeader->blockSize, (ramdiskVolume->volumeHeader->totalBlocks + 4) * ramdiskVolume->volumeHeader->blockSize);
grow_hfs(ramdiskVolume, (ramdiskVolume->volumeHeader->totalBlocks + 4) * ramdiskVolume->volumeHeader->blockSize);
if(doBootNeuter) {
firmwarePatches = (Dictionary*)getValueByKey(info, "BasebandPatches");
if(firmwarePatches != NULL) {
patchDict = (Dictionary*) firmwarePatches->values;
while(patchDict != NULL) {
pathValue = (StringValue*) getValueByKey(patchDict, "Path");
fileValue = (StringValue*) getValueByKey(patchDict, "File");
if(fileValue) {
XLOG(0, "copying %s -> %s... ", fileValue->value, pathValue->value);
fflush(stdout);
if(copyAcrossVolumes(ramdiskVolume, rootVolume, fileValue->value, pathValue->value)) {
patchValue = (StringValue*) getValueByKey(patchDict, "Patch");
if(patchValue) {
patchPath = malloc(sizeof(char) * (strlen(bundlePath) + strlen(patchValue->value) + 2));
strcpy(patchPath, bundlePath);
strcat(patchPath, "/");
strcat(patchPath, patchValue->value);
XLOG(0, "patching %s (%s)... ", pathValue->value, patchPath);
fflush(stdout);
doPatchInPlace(rootVolume, pathValue->value, patchPath);
free(patchPath);
}
}
}
if(strcmp(patchDict->dValue.key, "Bootloader 3.9") == 0 && bootloader39 != NULL) {
add_hfs(rootVolume, bootloader39, pathValue->value);
}
if(strcmp(patchDict->dValue.key, "Bootloader 4.6") == 0 && bootloader46 != NULL) {
add_hfs(rootVolume, bootloader46, pathValue->value);
}
patchDict = (Dictionary*) patchDict->dValue.next;
}
}
fixupBootNeuterArgs(rootVolume, unlockBaseband, selfDestruct, use39, use46);
}
createRestoreOptions(ramdiskVolume, preferredRootSize, updateBB);
closeVolume(ramdiskVolume);
CLOSE(ramdiskFS);
if(updateRamdiskFSPathInIPSW)
removeFileFromOutputState(&outputState, updateRamdiskFSPathInIPSW);
closeVolume(rootVolume);
CLOSE(rootFS);
buildDmg(openRoot((void**)&buffer, &rootSize), getFileFromOutputStateForReplace(&outputState, rootFSPathInIPSW));
closeRoot(buffer);
writeOutput(&outputState, outputIPSW);
releaseDictionary(info);
free(bundlePath);
return 0;
}
int mergeIdentities(Dictionary* manifest, AbstractFile *idFile) {
char *disk = NULL;
Dictionary *dict;
StringValue *path;
StringValue *mainBuildVersion, *buildVersion;
mainBuildVersion = (StringValue *)getValueByKey(manifest, "ProductBuildVersion");
if (!mainBuildVersion) {
return -1;
}
ArrayValue *buildIdentities = (ArrayValue *)getValueByKey(manifest, "BuildIdentities");
if (buildIdentities && buildIdentities->size) {
dict = (Dictionary *)buildIdentities->values[0];
if (!dict) return -1;
dict = (Dictionary *)getValueByKey(dict, "Manifest");
if (!dict) return -1;
dict = (Dictionary *)getValueByKey(dict, "RestoreRamDisk");
if (!dict) return -1;
dict = (Dictionary *)getValueByKey(dict, "Info");
if (!dict) return -1;
path = (StringValue *)getValueByKey(dict, "Path");
if (!path) return -1;
disk = strdup(path->value);
}
if (!disk) {
return -1;
}
Dictionary* id = NULL;
size_t fileLength = idFile->getLength(idFile);
char *plist = malloc(fileLength);
idFile->read(idFile, plist, fileLength);
id = createRoot(plist);
free(plist);
buildVersion = (StringValue *)getValueByKey(manifest, "ProductBuildVersion");
if (!buildVersion || strcmp(mainBuildVersion->value, buildVersion->value)) {
return -1;
}
ArrayValue *newIdentities = (ArrayValue *)getValueByKey(id, "BuildIdentities");
if (newIdentities && newIdentities->size) {
dict = (Dictionary *)newIdentities->values[0];
if (!dict) return -1;
dict = (Dictionary *)getValueByKey(dict, "Manifest");
if (!dict) return -1;
dict = (Dictionary *)getValueByKey(dict, "RestoreRamDisk");
if (!dict) return -1;
dict = (Dictionary *)getValueByKey(dict, "Info");
if (!dict) return -1;
path = (StringValue *)getValueByKey(dict, "Path");
if (!path) return -1;
free(path->value);
path->value = disk;
prependToArray(buildIdentities, newIdentities->values[0]);
unlinkValueFromDictionary(id, (DictValue *)newIdentities);
releaseDictionary(id);
releaseArrayEx(newIdentities, 0);
return 0;
}
return -1;
}
Dictionary* parseIPSW2(const char* inputIPSW, const char* bundleRoot, char** bundlePath, OutputState** state, int useMemory) {
Dictionary* info;
char* infoPath;
AbstractFile* plistFile;
char* plist;
FILE* inputIPSWFile;
SHA_CTX sha1_ctx;
char* buffer;
int read;
unsigned char hash[20];
DIR* dir;
struct dirent* ent;
StringValue* plistSHA1String;
unsigned int plistHash[20];
int i;
*bundlePath = NULL;
inputIPSWFile = fopen(inputIPSW, "rb");
if(!inputIPSWFile) {
return NULL;
}
XLOG(0, "Hashing IPSW...\n");
buffer = malloc(BUFFERSIZE);
SHA1_Init(&sha1_ctx);
while(!feof(inputIPSWFile)) {
read = fread(buffer, 1, BUFFERSIZE, inputIPSWFile);
SHA1_Update(&sha1_ctx, buffer, read);
}
SHA1_Final(hash, &sha1_ctx);
free(buffer);
fclose(inputIPSWFile);
XLOG(0, "Matching IPSW in %s... (%02x%02x%02x%02x...)\n", bundleRoot, (int) hash[0], (int) hash[1], (int) hash[2], (int) hash[3]);
dir = opendir(bundleRoot);
if(dir == NULL) {
XLOG(1, "Bundles directory not found\n");
return NULL;
}
while((ent = readdir(dir)) != NULL) {
if(ent->d_name[0] == '.' && (ent->d_name[1] == '\0' || (ent->d_name[1] == '.' && ent->d_name[2] == '\0'))) {
continue;
}
infoPath = (char*) malloc(sizeof(char) * (strlen(bundleRoot) + sizeof(PATH_SEPARATOR) + strlen(ent->d_name) + sizeof(PATH_SEPARATOR "Info.plist")));
sprintf(infoPath, "%s" PATH_SEPARATOR "%s" PATH_SEPARATOR "Info.plist", bundleRoot, ent->d_name);
XLOG(0, "checking: %s\n", infoPath);
if((plistFile = createAbstractFileFromFile(fopen(infoPath, "rb"))) != NULL) {
plist = (char*) malloc(plistFile->getLength(plistFile));
plistFile->read(plistFile, plist, plistFile->getLength(plistFile));
plistFile->close(plistFile);
info = createRoot(plist);
free(plist);
plistSHA1String = (StringValue*)getValueByKey(info, "SHA1");
if(plistSHA1String) {
sscanf(plistSHA1String->value, "%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x",
&plistHash[0], &plistHash[1], &plistHash[2], &plistHash[3], &plistHash[4],
&plistHash[5], &plistHash[6], &plistHash[7], &plistHash[8], &plistHash[9],
&plistHash[10], &plistHash[11], &plistHash[12], &plistHash[13], &plistHash[14],
&plistHash[15], &plistHash[16], &plistHash[17], &plistHash[18], &plistHash[19]);
for(i = 0; i < 20; i++) {
if(plistHash[i] != hash[i]) {
break;
}
}
if(i == 20) {
*bundlePath = (char*) malloc(sizeof(char) * (strlen(bundleRoot) + sizeof(PATH_SEPARATOR) + strlen(ent->d_name)));
sprintf(*bundlePath, "%s" PATH_SEPARATOR "%s", bundleRoot, ent->d_name);
free(infoPath);
break;
}
}
releaseDictionary(info);
}
free(infoPath);
}
closedir(dir);
if(*bundlePath == NULL) {
return NULL;
}
*state = loadZip2(inputIPSW, useMemory);
return info;
}
int main(int argc, char* argv[]) {
init_libxpwn(&argc, argv);
OutputState *outputState;
size_t fileLength;
AbstractFile *signFile;
Dictionary *signDict = NULL;
DataValue *ticket;
Dictionary *dict;
AbstractFile *manifestFile;
Dictionary* manifest;
struct component_t *array;
char *plist;
int i, j, n;
int rv, error = 0;
X509 *x0, *y1, *y2;
uint64_t savecid = 0;
const unsigned char *p;
int verbose = FALSE;
int fromzip = FALSE;
if (argc < 3) {
XLOG(0, "usage %s file.shsh BuildManifest.plist [-v] [-z]\n", argv[0]);
return 0;
}
for (i = 3; i < argc; i++) {
if (!strcmp(argv[i], "-v")) {
verbose = TRUE;
continue;
}
if (!strcmp(argv[i], "-z")) {
fromzip = TRUE;
continue;
}
}
// XXX handle gzip/bplist files
signFile = createAbstractFileFromFile(fopen(argv[1], "rb"));
if (!signFile) {
XLOG(0, "FATAL: cannot open %s\n", argv[1]);
exit(1);
}
fileLength = signFile->getLength(signFile);
plist = malloc(fileLength);
signFile->read(signFile, plist, fileLength);
signFile->close(signFile);
signDict = createRoot(plist);
free(plist);
if (!signDict) {
XLOG(0, "FATAL: cannot parse %s\n", argv[1]);
exit(1);
}
MaxLoadZipSize = 128 * 1024;
if (fromzip) {
outputState = loadZip2(argv[2], TRUE); // XXX ASSERT
manifestFile = getFileFromOutputState(&outputState, "BuildManifest.plist");
} else {
outputState = NULL;
manifestFile = createAbstractFileFromFile(fopen(argv[2], "rb"));
}
if (!manifestFile) {
XLOG(0, "FATAL: cannot open %s\n", argv[2]);
exit(1);
}
fileLength = manifestFile->getLength(manifestFile);
plist = malloc(fileLength);
manifestFile->read(manifestFile, plist, fileLength);
manifestFile->close(manifestFile);
manifest = createRoot(plist);
free(plist);
if (!manifest) {
XLOG(0, "FATAL: cannot parse %s\n", argv[2]);
exit(1);
}
releaseOutput(&outputState);
array = parseManifest(manifest, &n);
if (!array) {
XLOG(0, "FATAL: cannot parse manifest\n");
exit(1);
}
OPENSSL_add_all_algorithms_noconf();
p = cerb;
x0 = d2i_X509(NULL, &p, cerb_len);
if (!x0) {
XLOG(0, "FATAL: cannot load root CA\n");
exit(1);
}
ticket = (DataValue *)getValueByKey(signDict, "APTicket");
if (ticket) {
p = ticket->value;
rv = asn1_parse2(&p, ticket->len, 0, 0);
if (!rv || !apcert.value || !rsasig.value || !theset.value) {
XLOG(0, "FATAL: cannot parse ticket\n");
exit(1);
}
if (clen > 0 && contarray->len == 8) {
savecid = getECID(contarray->value);
}
if (!savecid) {
printf("ERROR: bad, bad ECID\n");
error = 1;
}
rv = extract2Certs(apcert.value, apcert.len, &y1, &y2);
if (rv == 0) {
rv = cryptoMagic(x0, y1, y2, theset.value, theset.len, (unsigned char *)rsasig.value, rsasig.len, NULL);
X509_free(y1);
X509_free(y2);
}
if (rv) {
printf("ERROR: APTicket failed crypto\n");
error = 1;
}
} else {
VERBOSE("WARNING: cannot find ticket in %s\n", argv[1]);
}
dict = (Dictionary *)signDict->values;
while (dict) {
DataValue *blob = NULL;
DataValue *partialDigest = NULL;
if (dict->dValue.type == DictionaryType) {
blob = (DataValue *)getValueByKey(dict, "Blob");
partialDigest = (DataValue *)getValueByKey(dict, "PartialDigest");
}
if (blob && partialDigest) {
const char *diag = checkBlob(x0, blob, partialDigest, &savecid);
if (diag) {
printf("ERROR: Blob for %s is invalid (%s)\n", dict->dValue.key, diag);
error = 1;
} else {
for (i = 0; i < n; i++) {
struct component_t *centry = array + i;
if (centry->partial &&
partialDigest->len == centry->partial->len &&
!memcmp(partialDigest->value, centry->partial->value, partialDigest->len)) {
array[i].blob = blob;
}
}
}
}
dict = (Dictionary *)dict->dValue.next;
}
if (!ticket && !savecid) {
printf("ERROR: bad, bad ECID\n");
error = 1;
}
for (i = 0; i < n; i++) {
struct component_t *centry = array + i;
int found = FALSE;
for (j = 0; j < clen; j++) {
struct tuple_t *tentry = contarray + j;
if (tentry->len == centry->digest->len && !memcmp(tentry->value, centry->digest->value, tentry->len)) {
found = TRUE;
}
}
if (!found) {
if (centry->blob) {
VERBOSE("WARNING: no digest for %s (%s), but it has blob\n", centry->key, centry->path);
} else if (!centry->required) {
VERBOSE("WARNING: no digest for %s (%s), but it is not critical\n", centry->key, centry->path);
} else {
printf("ERROR: no digest for %s (%s) and no blob found\n", centry->key, centry->path);
error = 1;
}
} else {
VERBOSE("INFO: %s (%s) is signed by APTicket%s\n", centry->key, centry->path, centry->blob ? " and blob" : "");
}
}
free(array);
free(contarray);
releaseDictionary(manifest);
releaseDictionary(signDict);
if (error) {
printf("%s is BROKEN\n", argv[1]);
} else {
printf("%s seems usable for ECID 0x%016llX\n", argv[1], savecid);
}
X509_free(x0);
EVP_cleanup();
ERR_remove_state(0);
CRYPTO_cleanup_all_ex_data();
return error;
}
