const CharVt& PlistEntry::GetBinPlist(CharVt&& xmlBuff)
{
GuardedPlist plist;
plist_from_xml( xmlBuff.data(), xmlBuff.size(), plist.get_ptr() );
uint32_t cbBinXML = 0;
char* pBinXML{};
plist_to_bin( plist, &pBinXML, &cbBinXML );
if ( cbBinXML > 0 )
{
rawFileBuff_.assign( pBinXML, pBinXML + cbBinXML );
free( pBinXML );
}
else
{
rawFileBuff_.clear();
}
if ( rawFileBuff_.empty() )
{
contentType_ = ContentType::corrupted;
throw std::runtime_error( "error converting xml to bplist - bplist will be restored." );
}
contentType_ = ContentType::raw;
return rawFileBuff_;
}
/** Sends MobileSync data to the iPhone
*
* @note This function is low-level and should only be used if you need to send
* a new type of message.
*
* @param client The MobileSync client
* @param plist The location of the plist to send
*
* @return an error code
*/
mobilesync_error_t mobilesync_send(mobilesync_client_t client, plist_t plist)
{
if (!client || !plist)
return MOBILESYNC_E_INVALID_ARG;
char *XMLContent = NULL;
uint32_t length = 0;
plist_to_xml(plist, &XMLContent, &length);
log_dbg_msg(DBGMASK_MOBILESYNC, "%s: plist size: %i\nbuffer :\n%s\n", __func__, length, XMLContent);
free(XMLContent);
char *content = NULL;
length = 0;
plist_to_bin(plist, &content, &length);
char *real_query;
int bytes;
mobilesync_error_t ret = MOBILESYNC_E_UNKNOWN_ERROR;
real_query = (char *) malloc(sizeof(char) * (length + 4));
length = htonl(length);
memcpy(real_query, &length, sizeof(length));
memcpy(real_query + 4, content, ntohl(length));
ret = iphone_device_send(client->connection, real_query, ntohl(length) + sizeof(length), (uint32_t*)&bytes);
free(real_query);
return (ret == 0 ? MOBILESYNC_E_SUCCESS: MOBILESYNC_E_MUX_ERROR);
}
static int rproxy_send_dict(idevice_connection_t connection, plist_t dict)
{
int res = -1;
char * content = NULL;
uint32_t length = 0;
/* Convert dict to a binary plist buffer */
plist_to_bin(dict, &content, &length);
if ((NULL == content) || (0 == length)) {
goto cleanup;
}
/* Send the size of the plist buffer */
if (IDEVICE_E_SUCCESS != idevice_connection_send_all(connection, (const char *)&length, sizeof(length))) {
goto cleanup;
}
/* Send the actual buffer */
if (IDEVICE_E_SUCCESS != idevice_connection_send_all(connection, content, length)) {
goto cleanup;
}
res = 0;
cleanup:
if (content) {
plist_free_memory(content);
}
return res;
}
webinspector_error_t webinspector_send(webinspector_client_t client, plist_t plist)
{
webinspector_error_t res = WEBINSPECTOR_E_UNKNOWN_ERROR;
uint32_t offset = 0;
int is_final_message = 0;
char *packet = NULL;
uint32_t packet_length = 0;
debug_info("Sending webinspector message...");
debug_plist(plist);
/* convert plist to packet */
plist_to_bin(plist, &packet, &packet_length);
if (!packet || packet_length == 0) {
debug_info("Error converting plist to binary.");
return res;
}
do {
/* determine if we need to send partial messages */
if (packet_length < WEBINSPECTOR_PARTIAL_PACKET_CHUNK_SIZE) {
is_final_message = 1;
} else {
/* send partial packet */
is_final_message = 0;
}
plist_t outplist = plist_new_dict();
if (!is_final_message) {
/* split packet into partial chunks */
plist_dict_set_item(outplist, "WIRPartialMessageKey", plist_new_data(packet + offset, WEBINSPECTOR_PARTIAL_PACKET_CHUNK_SIZE));
offset += WEBINSPECTOR_PARTIAL_PACKET_CHUNK_SIZE;
packet_length -= WEBINSPECTOR_PARTIAL_PACKET_CHUNK_SIZE;
} else {
/* send final chunk */
plist_dict_set_item(outplist, "WIRFinalMessageKey", plist_new_data(packet + offset, packet_length));
offset += packet_length;
packet_length -= packet_length;
}
res = webinspector_error(property_list_service_send_binary_plist(client->parent, outplist));
plist_free(outplist);
outplist = NULL;
if (res != WEBINSPECTOR_E_SUCCESS) {
debug_info("Sending plist failed with error %d", res);
return res;
}
} while(packet_length > 0);
free(packet);
packet = NULL;
return res;
}
/**
* Sends a plist using the given property list service client.
* Internally used generic plist send function.
*
* @param client The property list service client to use for sending.
* @param plist plist to send
* @param binary 1 = send binary plist, 0 = send xml plist
*
* @return PROPERTY_LIST_SERVICE_E_SUCCESS on success,
* PROPERTY_LIST_SERVICE_E_INVALID_ARG when one or more parameters are
* invalid, PROPERTY_LIST_SERVICE_E_PLIST_ERROR when dict is not a valid
* plist, or PROPERTY_LIST_SERVICE_E_UNKNOWN_ERROR when an unspecified
* error occurs.
*/
static property_list_service_error_t internal_plist_send(property_list_service_client_t client, plist_t plist, int binary)
{
property_list_service_error_t res = PROPERTY_LIST_SERVICE_E_UNKNOWN_ERROR;
char *content = NULL;
uint32_t length = 0;
uint32_t nlen = 0;
int bytes = 0;
if (!client || (client && !client->parent) || !plist) {
return PROPERTY_LIST_SERVICE_E_INVALID_ARG;
}
if (binary) {
plist_to_bin(plist, &content, &length);
} else {
plist_to_xml(plist, &content, &length);
}
if (!content || length == 0) {
return PROPERTY_LIST_SERVICE_E_PLIST_ERROR;
}
nlen = htobe32(length);
debug_info("sending %d bytes", length);
service_send(client->parent, (const char*)&nlen, sizeof(nlen), (uint32_t*)&bytes);
if (bytes == sizeof(nlen)) {
service_send(client->parent, content, length, (uint32_t*)&bytes);
if (bytes > 0) {
debug_info("sent %d bytes", bytes);
debug_plist(plist);
if ((uint32_t)bytes == length) {
res = PROPERTY_LIST_SERVICE_E_SUCCESS;
} else {
debug_info("ERROR: Could not send all data (%d of %d)!", bytes, length);
}
}
}
if (bytes <= 0) {
debug_info("ERROR: sending to device failed.");
}
free(content);
return res;
}
int plist_write_to_filename(plist_t plist, const char *filename, enum plist_format_t format)
{
char *buffer = NULL;
uint32_t length;
if (!plist || !filename)
return 0;
if (format == PLIST_FORMAT_XML)
plist_to_xml(plist, &buffer, &length);
else if (format == PLIST_FORMAT_BINARY)
plist_to_bin(plist, &buffer, &length);
else
return 0;
buffer_write_to_filename(filename, buffer, length);
free(buffer);
return 1;
}
int main(int argc, char *argv[])
{
FILE *iplist = NULL;
plist_t root_node1 = NULL;
plist_t root_node2 = NULL;
char *plist_xml = NULL;
char *plist_xml2 = NULL;
char *plist_bin = NULL;
int size_in = 0;
uint32_t size_out = 0;
uint32_t size_out2 = 0;
char *file_in = NULL;
char *file_out = NULL;
struct stat *filestats = (struct stat *) malloc(sizeof(struct stat));
if (argc != 3)
{
printf("Wrong input\n");
return 1;
}
file_in = argv[1];
file_out = argv[2];
//read input file
iplist = fopen(file_in, "rb");
if (!iplist)
{
printf("File does not exists\n");
return 2;
}
printf("File %s is open\n", file_in);
stat(file_in, filestats);
size_in = filestats->st_size;
plist_xml = (char *) malloc(sizeof(char) * (size_in + 1));
fread(plist_xml, sizeof(char), size_in, iplist);
fclose(iplist);
//convert one format to another
plist_from_xml(plist_xml, size_in, &root_node1);
if (!root_node1)
{
printf("PList XML parsing failed\n");
return 3;
}
else
printf("PList XML parsing succeeded\n");
plist_to_bin(root_node1, &plist_bin, &size_out);
if (!plist_bin)
{
printf("PList BIN writing failed\n");
return 4;
}
else
printf("PList BIN writing succeeded\n");
plist_from_bin(plist_bin, size_out, &root_node2);
if (!root_node2)
{
printf("PList BIN parsing failed\n");
return 5;
}
else
printf("PList BIN parsing succeeded\n");
plist_to_xml(root_node2, &plist_xml2, &size_out2);
if (!plist_xml2)
{
printf("PList XML writing failed\n");
return 8;
}
else
printf("PList XML writing succeeded\n");
if (plist_xml2)
{
FILE *oplist = NULL;
oplist = fopen(file_out, "wb");
fwrite(plist_xml2, size_out2, sizeof(char), oplist);
fclose(oplist);
}
plist_free(root_node1);
plist_free(root_node2);
free(plist_bin);
free(plist_xml);
free(plist_xml2);
free(filestats);
if ((uint32_t)size_in != size_out2)
{
printf("Size of input and output is different\n");
printf("Input size : %i\n", size_in);
printf("Output size : %i\n", size_out2);
}
//success
return 0;
}
/*
WIRFinalMessageKey
__selector
__argument
*/
wi_status wi_send_plist(wi_t self, plist_t rpc_dict) {
wi_private_t my = self->private_state;
char *rpc_bin = NULL;
uint32_t rpc_len = 0;
plist_to_bin(rpc_dict, &rpc_bin, &rpc_len);
// if our message is <8k, we'll send a single final_msg,
// otherwise we'll send <8k partial_msg "chunks" then a final_msg "chunk"
wi_status ret = WI_ERROR;
uint32_t i;
for (i = 0; ; i += MAX_RPC_LEN) {
bool is_partial = false;
char *data = NULL;
uint32_t data_len = 0;
if (my->is_sim) {
data = rpc_bin;
data_len = rpc_len;
rpc_bin = NULL;
} else {
is_partial = (rpc_len - i > MAX_RPC_LEN);
plist_t wi_dict = plist_new_dict();
plist_t wi_rpc = plist_new_data(rpc_bin + i,
(is_partial ? MAX_RPC_LEN : rpc_len - i));
plist_dict_set_item(wi_dict,
(is_partial ? "WIRPartialMessageKey" : "WIRFinalMessageKey"), wi_rpc);
plist_to_bin(wi_dict, &data, &data_len);
plist_free(wi_dict);
wi_dict = NULL;
wi_rpc = NULL; // freed by wi_dict
if (!data) {
break;
}
}
size_t length = data_len + 4;
char *out_head = (char*)malloc(length * sizeof(char));
if (!out_head) {
if (!my->is_sim) {
free(data);
}
break;
}
char *out_tail = out_head;
// write big-endian int
*out_tail++ = ((data_len >> 24) & 0xFF);
*out_tail++ = ((data_len >> 16) & 0xFF);
*out_tail++ = ((data_len >> 8) & 0xFF);
*out_tail++ = (data_len & 0xFF);
// write data
memcpy(out_tail, data, data_len);
free(data);
wi_on_debug(self, "wi.send_packet", out_head, length);
wi_status not_sent = self->send_packet(self, out_head, length);
free(out_head);
if (not_sent) {
break;
}
if (!is_partial) {
ret = WI_SUCCESS;
break;
}
}
free(rpc_bin);
return ret;
}
int idevicerestore_start(struct idevicerestore_client_t* client)
{
int tss_enabled = 0;
int result = 0;
if (!client) {
return -1;
}
if ((client->flags & FLAG_LATEST) && (client->flags & FLAG_CUSTOM)) {
error("ERROR: FLAG_LATEST cannot be used with FLAG_CUSTOM.\n");
return -1;
}
if (!client->ipsw && !(client->flags & FLAG_PWN) && !(client->flags & FLAG_LATEST)) {
error("ERROR: no ipsw file given\n");
return -1;
}
if (client->flags & FLAG_DEBUG) {
idevice_set_debug_level(1);
irecv_set_debug_level(1);
idevicerestore_debug = 1;
}
idevicerestore_progress(client, RESTORE_STEP_DETECT, 0.0);
// update version data (from cache, or apple if too old)
load_version_data(client);
// check which mode the device is currently in so we know where to start
if (check_mode(client) < 0 || client->mode->index == MODE_UNKNOWN) {
error("ERROR: Unable to discover device mode. Please make sure a device is attached.\n");
return -1;
}
idevicerestore_progress(client, RESTORE_STEP_DETECT, 0.1);
info("Found device in %s mode\n", client->mode->string);
if (client->mode->index == MODE_WTF) {
unsigned int cpid = 0;
if (dfu_client_new(client) != 0) {
error("ERROR: Could not open device in WTF mode\n");
return -1;
}
if ((dfu_get_cpid(client, &cpid) < 0) || (cpid == 0)) {
error("ERROR: Could not get CPID for WTF mode device\n");
dfu_client_free(client);
return -1;
}
char wtfname[256];
sprintf(wtfname, "Firmware/dfu/WTF.s5l%04xxall.RELEASE.dfu", cpid);
unsigned char* wtftmp = NULL;
unsigned int wtfsize = 0;
// Prefer to get WTF file from the restore IPSW
ipsw_extract_to_memory(client->ipsw, wtfname, &wtftmp, &wtfsize);
if (!wtftmp) {
// Download WTF IPSW
char* s_wtfurl = NULL;
plist_t wtfurl = plist_access_path(client->version_data, 7, "MobileDeviceSoftwareVersionsByVersion", "5", "RecoverySoftwareVersions", "WTF", "304218112", "5", "FirmwareURL");
if (wtfurl && (plist_get_node_type(wtfurl) == PLIST_STRING)) {
plist_get_string_val(wtfurl, &s_wtfurl);
}
if (!s_wtfurl) {
info("Using hardcoded x12220000_5_Recovery.ipsw URL\n");
s_wtfurl = strdup("http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6618.20090617.Xse7Y/x12220000_5_Recovery.ipsw");
}
// make a local file name
char* fnpart = strrchr(s_wtfurl, '/');
if (!fnpart) {
fnpart = "x12220000_5_Recovery.ipsw";
} else {
fnpart++;
}
struct stat fst;
char wtfipsw[1024];
if (client->cache_dir) {
if (stat(client->cache_dir, &fst) < 0) {
mkdir_with_parents(client->cache_dir, 0755);
}
strcpy(wtfipsw, client->cache_dir);
strcat(wtfipsw, "/");
strcat(wtfipsw, fnpart);
} else {
strcpy(wtfipsw, fnpart);
}
if (stat(wtfipsw, &fst) != 0) {
download_to_file(s_wtfurl, wtfipsw, 0);
}
ipsw_extract_to_memory(wtfipsw, wtfname, &wtftmp, &wtfsize);
if (!wtftmp) {
error("ERROR: Could not extract WTF\n");
}
}
if (wtftmp) {
if (dfu_send_buffer(client, wtftmp, wtfsize) != 0) {
error("ERROR: Could not send WTF...\n");
}
}
dfu_client_free(client);
sleep(1);
free(wtftmp);
client->mode = &idevicerestore_modes[MODE_DFU];
}
// discover the device type
if (check_product_type(client) == NULL || client->device == NULL) {
error("ERROR: Unable to discover device type\n");
return -1;
}
idevicerestore_progress(client, RESTORE_STEP_DETECT, 0.2);
info("Identified device as %s\n", client->device->product_type);
if ((client->flags & FLAG_PWN) && (client->mode->index != MODE_DFU)) {
error("ERROR: you need to put your device into DFU mode to pwn it.\n");
return -1;
}
if (client->flags & FLAG_PWN) {
recovery_client_free(client);
info("connecting to DFU\n");
if (dfu_client_new(client) < 0) {
return -1;
}
info("exploiting with limera1n...\n");
// TODO: check for non-limera1n device and fail
if (limera1n_exploit(client->device, &client->dfu->client) != 0) {
error("ERROR: limera1n exploit failed\n");
dfu_client_free(client);
return -1;
}
dfu_client_free(client);
info("Device should be in pwned DFU state now.\n");
return 0;
}
if (client->flags & FLAG_LATEST) {
char* ipsw = NULL;
int res = ipsw_download_latest_fw(client->version_data, client->device->product_type, "cache", &ipsw);
if (res != 0) {
if (ipsw) {
free(ipsw);
}
return res;
} else {
client->ipsw = ipsw;
}
}
idevicerestore_progress(client, RESTORE_STEP_DETECT, 0.6);
if (client->flags & FLAG_NOACTION) {
return 0;
}
if (client->mode->index == MODE_RESTORE) {
if (restore_reboot(client) < 0) {
error("ERROR: Unable to exit restore mode\n");
return -2;
}
// we need to refresh the current mode again
check_mode(client);
info("Found device in %s mode\n", client->mode->string);
}
// verify if ipsw file exists
if (access(client->ipsw, F_OK) < 0) {
error("ERROR: Firmware file %s does not exist.\n", client->ipsw);
return -1;
}
// extract buildmanifest
plist_t buildmanifest = NULL;
if (client->flags & FLAG_CUSTOM) {
info("Extracting Restore.plist from IPSW\n");
if (ipsw_extract_restore_plist(client->ipsw, &buildmanifest) < 0) {
error("ERROR: Unable to extract Restore.plist from %s. Firmware file might be corrupt.\n", client->ipsw);
return -1;
}
} else {
info("Extracting BuildManifest from IPSW\n");
if (ipsw_extract_build_manifest(client->ipsw, &buildmanifest, &tss_enabled) < 0) {
error("ERROR: Unable to extract BuildManifest from %s. Firmware file might be corrupt.\n", client->ipsw);
return -1;
}
}
idevicerestore_progress(client, RESTORE_STEP_DETECT, 0.8);
/* check if device type is supported by the given build manifest */
if (build_manifest_check_compatibility(buildmanifest, client->device->product_type) < 0) {
error("ERROR: Could not make sure this firmware is suitable for the current device. Refusing to continue.\n");
return -1;
}
/* print iOS information from the manifest */
build_manifest_get_version_information(buildmanifest, client);
info("Product Version: %s\n", client->version);
info("Product Build: %s Major: %d\n", client->build, client->build_major);
if (client->flags & FLAG_CUSTOM) {
/* prevent signing custom firmware */
tss_enabled = 0;
info("Custom firmware requested. Disabled TSS request.\n");
}
// choose whether this is an upgrade or a restore (default to upgrade)
client->tss = NULL;
plist_t build_identity = NULL;
if (client->flags & FLAG_CUSTOM) {
build_identity = plist_new_dict();
{
plist_t node;
plist_t comp;
plist_t inf;
plist_t manifest;
char tmpstr[256];
char p_all_flash[128];
char lcmodel[8];
strcpy(lcmodel, client->device->hardware_model);
int x = 0;
while (lcmodel[x]) {
lcmodel[x] = tolower(lcmodel[x]);
x++;
}
sprintf(p_all_flash, "Firmware/all_flash/all_flash.%s.%s", lcmodel, "production");
strcpy(tmpstr, p_all_flash);
strcat(tmpstr, "/manifest");
// get all_flash file manifest
char *files[16];
char *fmanifest = NULL;
uint32_t msize = 0;
if (ipsw_extract_to_memory(client->ipsw, tmpstr, (unsigned char**)&fmanifest, &msize) < 0) {
error("ERROR: could not extract %s from IPSW\n", tmpstr);
return -1;
}
char *tok = strtok(fmanifest, "\r\n");
int fc = 0;
while (tok) {
files[fc++] = strdup(tok);
if (fc >= 16) {
break;
}
tok = strtok(NULL, "\r\n");
}
free(fmanifest);
manifest = plist_new_dict();
for (x = 0; x < fc; x++) {
inf = plist_new_dict();
strcpy(tmpstr, p_all_flash);
strcat(tmpstr, "/");
strcat(tmpstr, files[x]);
plist_dict_insert_item(inf, "Path", plist_new_string(tmpstr));
comp = plist_new_dict();
plist_dict_insert_item(comp, "Info", inf);
const char* compname = get_component_name(files[x]);
if (compname) {
plist_dict_insert_item(manifest, compname, comp);
if (!strncmp(files[x], "DeviceTree", 10)) {
plist_dict_insert_item(manifest, "RestoreDeviceTree", plist_copy(comp));
}
} else {
error("WARNING: unhandled component %s\n", files[x]);
plist_free(comp);
}
free(files[x]);
files[x] = NULL;
}
// add iBSS
sprintf(tmpstr, "Firmware/dfu/iBSS.%s.%s.dfu", lcmodel, "RELEASE");
inf = plist_new_dict();
plist_dict_insert_item(inf, "Path", plist_new_string(tmpstr));
comp = plist_new_dict();
plist_dict_insert_item(comp, "Info", inf);
plist_dict_insert_item(manifest, "iBSS", comp);
// add iBEC
sprintf(tmpstr, "Firmware/dfu/iBEC.%s.%s.dfu", lcmodel, "RELEASE");
inf = plist_new_dict();
plist_dict_insert_item(inf, "Path", plist_new_string(tmpstr));
comp = plist_new_dict();
plist_dict_insert_item(comp, "Info", inf);
plist_dict_insert_item(manifest, "iBEC", comp);
// add kernel cache
plist_t kdict = NULL;
node = plist_dict_get_item(buildmanifest, "KernelCachesByTarget");
if (node && (plist_get_node_type(node) == PLIST_DICT)) {
char tt[4];
strncpy(tt, lcmodel, 3);
tt[3] = 0;
kdict = plist_dict_get_item(node, tt);
} else {
// Populated in older iOS IPSWs
kdict = plist_dict_get_item(buildmanifest, "RestoreKernelCaches");
}
if (kdict && (plist_get_node_type(kdict) == PLIST_DICT)) {
plist_t kc = plist_dict_get_item(kdict, "Release");
if (kc && (plist_get_node_type(kc) == PLIST_STRING)) {
inf = plist_new_dict();
plist_dict_insert_item(inf, "Path", plist_copy(kc));
comp = plist_new_dict();
plist_dict_insert_item(comp, "Info", inf);
plist_dict_insert_item(manifest, "KernelCache", comp);
plist_dict_insert_item(manifest, "RestoreKernelCache", plist_copy(comp));
}
}
// add ramdisk
node = plist_dict_get_item(buildmanifest, "RestoreRamDisks");
if (node && (plist_get_node_type(node) == PLIST_DICT)) {
plist_t rd = plist_dict_get_item(node, (client->flags & FLAG_ERASE) ? "User" : "Update");
// if no "Update" ram disk entry is found try "User" ram disk instead
if (!rd && !(client->flags & FLAG_ERASE)) {
rd = plist_dict_get_item(node, "User");
// also, set the ERASE flag since we actually change the restore variant
client->flags |= FLAG_ERASE;
}
if (rd && (plist_get_node_type(rd) == PLIST_STRING)) {
inf = plist_new_dict();
plist_dict_insert_item(inf, "Path", plist_copy(rd));
comp = plist_new_dict();
plist_dict_insert_item(comp, "Info", inf);
plist_dict_insert_item(manifest, "RestoreRamDisk", comp);
}
}
// add OS filesystem
node = plist_dict_get_item(buildmanifest, "SystemRestoreImages");
if (!node) {
error("ERROR: missing SystemRestoreImages in Restore.plist\n");
}
plist_t os = plist_dict_get_item(node, "User");
if (!os) {
error("ERROR: missing filesystem in Restore.plist\n");
} else {
inf = plist_new_dict();
plist_dict_insert_item(inf, "Path", plist_copy(os));
comp = plist_new_dict();
plist_dict_insert_item(comp, "Info", inf);
plist_dict_insert_item(manifest, "OS", comp);
}
// add info
inf = plist_new_dict();
plist_dict_insert_item(inf, "RestoreBehavior", plist_new_string((client->flags & FLAG_ERASE) ? "Erase" : "Update"));
plist_dict_insert_item(inf, "Variant", plist_new_string((client->flags & FLAG_ERASE) ? "Customer Erase Install (IPSW)" : "Customer Upgrade Install (IPSW)"));
plist_dict_insert_item(build_identity, "Info", inf);
// finally add manifest
plist_dict_insert_item(build_identity, "Manifest", manifest);
}
} else if (client->flags & FLAG_ERASE) {
build_identity = build_manifest_get_build_identity(buildmanifest, 0);
if (build_identity == NULL) {
error("ERROR: Unable to find any build identities\n");
plist_free(buildmanifest);
return -1;
}
} else {
// loop through all build identities in the build manifest
// and list the valid ones
int i = 0;
int valid_builds = 0;
int build_count = build_manifest_get_identity_count(buildmanifest);
for (i = 0; i < build_count; i++) {
build_identity = build_manifest_get_build_identity(buildmanifest, i);
valid_builds++;
}
}
/* print information about current build identity */
build_identity_print_information(build_identity);
idevicerestore_progress(client, RESTORE_STEP_PREPARE, 0.0);
/* retrieve shsh blobs if required */
if (tss_enabled) {
debug("Getting device's ECID for TSS request\n");
/* fetch the device's ECID for the TSS request */
if (get_ecid(client, &client->ecid) < 0) {
error("ERROR: Unable to find device ECID\n");
return -1;
}
info("Found ECID " FMT_qu "\n", (long long unsigned int)client->ecid);
if (client->build_major > 8) {
unsigned char* nonce = NULL;
int nonce_size = 0;
int nonce_changed = 0;
if (get_nonce(client, &nonce, &nonce_size) < 0) {
/* the first nonce request with older firmware releases can fail and it's OK */
info("NOTE: Unable to get nonce from device\n");
}
if (!client->nonce || (nonce_size != client->nonce_size) || (memcmp(nonce, client->nonce, nonce_size) != 0)) {
nonce_changed = 1;
if (client->nonce) {
free(client->nonce);
}
client->nonce = nonce;
client->nonce_size = nonce_size;
} else {
free(nonce);
}
}
if (get_shsh_blobs(client, client->ecid, client->nonce, client->nonce_size, build_identity, &client->tss) < 0) {
error("ERROR: Unable to get SHSH blobs for this device\n");
return -1;
}
}
if (client->flags & FLAG_SHSHONLY) {
if (!tss_enabled) {
info("This device does not require a TSS record");
return 0;
}
if (!client->tss) {
error("ERROR: could not fetch TSS record");
plist_free(buildmanifest);
return -1;
} else {
char *bin = NULL;
uint32_t blen = 0;
plist_to_bin(client->tss, &bin, &blen);
if (bin) {
char zfn[1024];
if (client->cache_dir) {
strcpy(zfn, client->cache_dir);
strcat(zfn, "/shsh");
} else {
strcpy(zfn, "shsh");
}
mkdir_with_parents(zfn, 0755);
sprintf(zfn+strlen(zfn), "/" FMT_qu "-%s-%s.shsh", (long long int)client->ecid, client->device->product_type, client->version);
struct stat fst;
if (stat(zfn, &fst) != 0) {
gzFile zf = gzopen(zfn, "wb");
gzwrite(zf, bin, blen);
gzclose(zf);
info("SHSH saved to '%s'\n", zfn);
} else {
info("SHSH '%s' already present.\n", zfn);
}
free(bin);
} else {
error("ERROR: could not get TSS record data\n");
}
plist_free(client->tss);
plist_free(buildmanifest);
return 0;
}
}
/* verify if we have tss records if required */
if ((tss_enabled) && (client->tss == NULL)) {
error("ERROR: Unable to proceed without a TSS record.\n");
plist_free(buildmanifest);
return -1;
}
if ((tss_enabled) && client->tss) {
/* fix empty dicts */
fixup_tss(client->tss);
}
idevicerestore_progress(client, RESTORE_STEP_PREPARE, 0.1);
// if the device is in normal mode, place device into recovery mode
if (client->mode->index == MODE_NORMAL) {
info("Entering recovery mode...\n");
if (normal_enter_recovery(client) < 0) {
error("ERROR: Unable to place device into recovery mode from %s mode\n", client->mode->string);
if (client->tss)
plist_free(client->tss);
plist_free(buildmanifest);
return -5;
}
}
// Get filesystem name from build identity
char* fsname = NULL;
if (build_identity_get_component_path(build_identity, "OS", &fsname) < 0) {
error("ERROR: Unable get path for filesystem component\n");
return -1;
}
// check if we already have an extracted filesystem
int delete_fs = 0;
char* filesystem = NULL;
struct stat st;
memset(&st, '\0', sizeof(struct stat));
char tmpf[1024];
if (client->cache_dir) {
if (stat(client->cache_dir, &st) < 0) {
mkdir_with_parents(client->cache_dir, 0755);
}
strcpy(tmpf, client->cache_dir);
strcat(tmpf, "/");
char *ipswtmp = strdup(client->ipsw);
strcat(tmpf, basename(ipswtmp));
free(ipswtmp);
} else {
strcpy(tmpf, client->ipsw);
}
char* p = strrchr((const char*)tmpf, '.');
if (p) {
*p = '\0';
}
if (stat(tmpf, &st) < 0) {
__mkdir(tmpf, 0755);
}
strcat(tmpf, "/");
strcat(tmpf, fsname);
memset(&st, '\0', sizeof(struct stat));
if (stat(tmpf, &st) == 0) {
off_t fssize = 0;
ipsw_get_file_size(client->ipsw, fsname, &fssize);
if ((fssize > 0) && (st.st_size == fssize)) {
info("Using cached filesystem from '%s'\n", tmpf);
filesystem = strdup(tmpf);
}
}
if (!filesystem) {
char extfn[1024];
strcpy(extfn, tmpf);
strcat(extfn, ".extract");
char lockfn[1024];
strcpy(lockfn, tmpf);
strcat(lockfn, ".lock");
lock_info_t li;
lock_file(lockfn, &li);
FILE* extf = NULL;
if (access(extfn, F_OK) != 0) {
extf = fopen(extfn, "w");
}
unlock_file(&li);
if (!extf) {
// use temp filename
filesystem = tempnam(NULL, "ipsw_");
if (!filesystem) {
error("WARNING: Could not get temporary filename, using '%s' in current directory\n", fsname);
filesystem = strdup(fsname);
}
delete_fs = 1;
} else {
// use <fsname>.extract as filename
filesystem = strdup(extfn);
fclose(extf);
}
remove(lockfn);
// Extract filesystem from IPSW
info("Extracting filesystem from IPSW\n");
if (ipsw_extract_to_file(client->ipsw, fsname, filesystem) < 0) {
error("ERROR: Unable to extract filesystem from IPSW\n");
if (client->tss)
plist_free(client->tss);
plist_free(buildmanifest);
return -1;
}
if (strstr(filesystem, ".extract")) {
// rename <fsname>.extract to <fsname>
rename(filesystem, tmpf);
free(filesystem);
filesystem = strdup(tmpf);
}
}
idevicerestore_progress(client, RESTORE_STEP_PREPARE, 0.3);
// if the device is in DFU mode, place device into recovery mode
if (client->mode->index == MODE_DFU) {
recovery_client_free(client);
if ((client->flags & FLAG_CUSTOM) && limera1n_is_supported(client->device)) {
info("connecting to DFU\n");
if (dfu_client_new(client) < 0) {
if (delete_fs && filesystem)
unlink(filesystem);
return -1;
}
info("exploiting with limera1n\n");
// TODO: check for non-limera1n device and fail
if (limera1n_exploit(client->device, &client->dfu->client) != 0) {
error("ERROR: limera1n exploit failed\n");
dfu_client_free(client);
if (delete_fs && filesystem)
unlink(filesystem);
return -1;
}
dfu_client_free(client);
info("exploited\n");
}
if (dfu_enter_recovery(client, build_identity) < 0) {
error("ERROR: Unable to place device into recovery mode from %s mode\n", client->mode->string);
plist_free(buildmanifest);
if (client->tss)
plist_free(client->tss);
if (delete_fs && filesystem)
unlink(filesystem);
return -2;
}
}
if (client->mode->index == MODE_DFU) {
client->mode = &idevicerestore_modes[MODE_RECOVERY];
} else {
if ((client->build_major > 8) && !(client->flags & FLAG_CUSTOM)) {
/* send ApTicket */
if (recovery_send_ticket(client) < 0) {
error("WARNING: Unable to send APTicket\n");
}
}
/* now we load the iBEC */
if (recovery_send_ibec(client, build_identity) < 0) {
error("ERROR: Unable to send iBEC\n");
if (delete_fs && filesystem)
unlink(filesystem);
return -2;
}
recovery_client_free(client);
/* this must be long enough to allow the device to run the iBEC */
/* FIXME: Probably better to detect if the device is back then */
sleep(7);
}
idevicerestore_progress(client, RESTORE_STEP_PREPARE, 0.5);
if (client->build_major > 8) {
// we need another tss request with nonce.
unsigned char* nonce = NULL;
int nonce_size = 0;
int nonce_changed = 0;
if (get_nonce(client, &nonce, &nonce_size) < 0) {
error("ERROR: Unable to get nonce from device!\n");
recovery_send_reset(client);
if (delete_fs && filesystem)
unlink(filesystem);
return -2;
}
if (!client->nonce || (nonce_size != client->nonce_size) || (memcmp(nonce, client->nonce, nonce_size) != 0)) {
nonce_changed = 1;
if (client->nonce) {
free(client->nonce);
}
client->nonce = nonce;
client->nonce_size = nonce_size;
} else {
free(nonce);
}
if (nonce_changed && !(client->flags & FLAG_CUSTOM)) {
// Welcome iOS5. We have to re-request the TSS with our nonce.
plist_free(client->tss);
if (get_shsh_blobs(client, client->ecid, client->nonce, client->nonce_size, build_identity, &client->tss) < 0) {
error("ERROR: Unable to get SHSH blobs for this device\n");
if (delete_fs && filesystem)
unlink(filesystem);
return -1;
}
if (!client->tss) {
error("ERROR: can't continue without TSS\n");
if (delete_fs && filesystem)
unlink(filesystem);
return -1;
}
fixup_tss(client->tss);
}
}
idevicerestore_progress(client, RESTORE_STEP_PREPARE, 0.7);
// now finally do the magic to put the device into restore mode
if (client->mode->index == MODE_RECOVERY) {
if (client->srnm == NULL) {
error("ERROR: could not retrieve device serial number. Can't continue.\n");
if (delete_fs && filesystem)
unlink(filesystem);
return -1;
}
if (recovery_enter_restore(client, build_identity) < 0) {
error("ERROR: Unable to place device into restore mode\n");
plist_free(buildmanifest);
if (client->tss)
plist_free(client->tss);
if (delete_fs && filesystem)
unlink(filesystem);
return -2;
}
recovery_client_free(client);
}
idevicerestore_progress(client, RESTORE_STEP_PREPARE, 0.9);
// device is finally in restore mode, let's do this
if (client->mode->index == MODE_RESTORE) {
info("About to restore device... \n");
result = restore_device(client, build_identity, filesystem);
if (result < 0) {
error("ERROR: Unable to restore device\n");
if (delete_fs && filesystem)
unlink(filesystem);
return result;
}
}
info("Cleaning up...\n");
if (delete_fs && filesystem)
unlink(filesystem);
/* special handling of AppleTVs */
if (strncmp(client->device->product_type, "AppleTV", 7) == 0) {
if (recovery_client_new(client) == 0) {
if (recovery_set_autoboot(client, 1) == 0) {
recovery_send_reset(client);
} else {
error("Setting auto-boot failed?!\n");
}
} else {
error("Could not connect to device in recovery mode.\n");
}
}
info("DONE\n");
if (result == 0) {
idevicerestore_progress(client, RESTORE_NUM_STEPS-1, 1.0);
}
return result;
}
int main(int argc, char* argv[]) {
int opt = 0;
int optindex = 0;
char* ipsw = NULL;
char* uuid = NULL;
int tss_enabled = 0;
int shsh_only = 0;
char* shsh_dir = NULL;
use_apple_server=1;
// create an instance of our context
struct idevicerestore_client_t* client = (struct idevicerestore_client_t*) malloc(sizeof(struct idevicerestore_client_t));
if (client == NULL) {
error("ERROR: Out of memory\n");
return -1;
}
memset(client, '\0', sizeof(struct idevicerestore_client_t));
while ((opt = getopt_long(argc, argv, "dhcesxtpi:u:", longopts, &optindex)) > 0) {
switch (opt) {
case 'h':
usage(argc, argv);
return 0;
case 'd':
client->flags |= FLAG_DEBUG;
idevicerestore_debug = 1;
break;
case 'e':
client->flags |= FLAG_ERASE;
break;
case 'c':
client->flags |= FLAG_CUSTOM;
break;
case 's':
use_apple_server=0;
break;
case 'x':
client->flags |= FLAG_EXCLUDE;
break;
case 'i':
if (optarg) {
char* tail = NULL;
client->ecid = strtoull(optarg, &tail, 16);
if (tail && (tail[0] != '\0')) {
client->ecid = 0;
}
if (client->ecid == 0) {
error("ERROR: Could not parse ECID from '%s'\n", optarg);
return -1;
}
}
break;
case 'u':
uuid = optarg;
break;
case 't':
shsh_only = 1;
break;
case 'p':
client->flags |= FLAG_PWN;
break;
default:
usage(argc, argv);
return -1;
}
}
if (((argc-optind) == 1) || (client->flags & FLAG_PWN)) {
argc -= optind;
argv += optind;
ipsw = argv[0];
} else {
usage(argc, argv);
return -1;
}
if (client->flags & FLAG_DEBUG) {
idevice_set_debug_level(1);
irecv_set_debug_level(1);
}
client->uuid = uuid;
client->ipsw = ipsw;
// update version data (from cache, or apple if too old)
load_version_data(client);
// check which mode the device is currently in so we know where to start
if (check_mode(client) < 0 || client->mode->index == MODE_UNKNOWN) {
error("ERROR: Unable to discover device mode. Please make sure a device is attached.\n");
return -1;
}
info("Found device in %s mode\n", client->mode->string);
if (client->mode->index == MODE_WTF) {
int cpid = 0;
if (dfu_client_new(client) != 0) {
error("ERROR: Could not open device in WTF mode\n");
return -1;
}
if ((dfu_get_cpid(client, &cpid) < 0) || (cpid == 0)) {
error("ERROR: Could not get CPID for WTF mode device\n");
dfu_client_free(client);
return -1;
}
char* s_wtfurl = NULL;
plist_t wtfurl = plist_access_path(client->version_data, 7, "MobileDeviceSoftwareVersionsByVersion", "5", "RecoverySoftwareVersions", "WTF", "304218112", "5", "FirmwareURL");
if (wtfurl && (plist_get_node_type(wtfurl) == PLIST_STRING)) {
plist_get_string_val(wtfurl, &s_wtfurl);
}
if (!s_wtfurl) {
info("Using hardcoded x12220000_5_Recovery.ipsw URL\n");
s_wtfurl = strdup("http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6618.20090617.Xse7Y/x12220000_5_Recovery.ipsw");
}
// make a local file name
char* fnpart = strrchr(s_wtfurl, '/');
if (!fnpart) {
fnpart = "x12220000_5_Recovery.ipsw";
} else {
fnpart++;
}
struct stat fst;
char wtfipsw[256];
sprintf(wtfipsw, "cache/%s", fnpart);
if (stat(wtfipsw, &fst) != 0) {
__mkdir("cache", 0755);
download_to_file(s_wtfurl, wtfipsw);
}
char wtfname[256];
sprintf(wtfname, "Firmware/dfu/WTF.s5l%04xxall.RELEASE.dfu", cpid);
char* wtftmp = NULL;
uint32_t wtfsize = 0;
ipsw_extract_to_memory(wtfipsw, wtfname, &wtftmp, &wtfsize);
if (!wtftmp) {
error("ERROR: Could not extract WTF\n");
} else {
if (dfu_send_buffer(client, wtftmp, wtfsize) != 0) {
error("ERROR: Could not send WTF...\n");
}
}
dfu_client_free(client);
sleep(1);
free(wtftmp);
client->mode = &idevicerestore_modes[MODE_DFU];
}
// discover the device type
if (check_device(client) < 0 || client->device->index == DEVICE_UNKNOWN) {
error("ERROR: Unable to discover device type\n");
return -1;
}
info("Identified device as %s\n", client->device->product);
if ((client->flags & FLAG_PWN) && (client->mode->index != MODE_DFU)) {
error("ERROR: you need to put your device into DFU mode to pwn it.\n");
return -1;
}
if (client->flags & FLAG_PWN) {
recovery_client_free(client);
info("connecting to DFU\n");
if (dfu_client_new(client) < 0) {
return -1;
}
info("exploiting with limera1n...\n");
// TODO: check for non-limera1n device and fail
if (limera1n_exploit(client->device, client->dfu->client) != 0) {
error("ERROR: limera1n exploit failed\n");
dfu_client_free(client);
return -1;
}
dfu_client_free(client);
info("Device should be in pwned DFU state now.\n");
return 0;
}
if (client->mode->index == MODE_RESTORE) {
if (restore_reboot(client) < 0) {
error("ERROR: Unable to exit restore mode\n");
return -1;
}
}
// extract buildmanifest
plist_t buildmanifest = NULL;
if (client->flags & FLAG_CUSTOM) {
info("Extracting Restore.plist from IPSW\n");
if (ipsw_extract_restore_plist(ipsw, &buildmanifest) < 0) {
error("ERROR: Unable to extract Restore.plist from %s\n", ipsw);
return -1;
}
} else {
info("Extracting BuildManifest from IPSW\n");
if (ipsw_extract_build_manifest(ipsw, &buildmanifest, &tss_enabled) < 0) {
error("ERROR: Unable to extract BuildManifest from %s\n", ipsw);
return -1;
}
}
/* check if device type is supported by the given build manifest */
if (build_manifest_check_compatibility(buildmanifest, client->device->product) < 0) {
error("ERROR: could not make sure this firmware is suitable for the current device. refusing to continue.\n");
return -1;
}
/* print iOS information from the manifest */
build_manifest_get_version_information(buildmanifest, &client->version, &client->build);
info("Product Version: %s\n", client->version);
info("Product Build: %s\n", client->build);
if (client->flags & FLAG_CUSTOM) {
/* prevent signing custom firmware */
tss_enabled = 0;
info("Custom firmware requested. Disabled TSS request.\n");
}
// choose whether this is an upgrade or a restore (default to upgrade)
client->tss = NULL;
plist_t build_identity = NULL;
if (client->flags & FLAG_CUSTOM) {
build_identity = plist_new_dict();
{
plist_t node;
plist_t comp;
plist_t info;
plist_t manifest;
info = plist_new_dict();
plist_dict_insert_item(info, "RestoreBehavior", plist_new_string((client->flags & FLAG_ERASE) ? "Erase" : "Update"));
plist_dict_insert_item(info, "Variant", plist_new_string((client->flags & FLAG_ERASE) ? "Customer Erase Install (IPSW)" : "Customer Upgrade Install (IPSW)"));
plist_dict_insert_item(build_identity, "Info", info);
manifest = plist_new_dict();
char tmpstr[256];
char p_all_flash[128];
char lcmodel[8];
strcpy(lcmodel, client->device->model);
int x = 0;
while (lcmodel[x]) {
lcmodel[x] = tolower(lcmodel[x]);
x++;
}
sprintf(p_all_flash, "Firmware/all_flash/all_flash.%s.%s", lcmodel, "production");
strcpy(tmpstr, p_all_flash);
strcat(tmpstr, "/manifest");
// get all_flash file manifest
char *files[16];
char *fmanifest = NULL;
uint32_t msize = 0;
if (ipsw_extract_to_memory(ipsw, tmpstr, &fmanifest, &msize) < 0) {
error("ERROR: could not extract %s from IPSW\n", tmpstr);
return -1;
}
char *tok = strtok(fmanifest, "\r\n");
int fc = 0;
while (tok) {
files[fc++] = strdup(tok);
if (fc >= 16) {
break;
}
tok = strtok(NULL, "\r\n");
}
free(fmanifest);
for (x = 0; x < fc; x++) {
info = plist_new_dict();
strcpy(tmpstr, p_all_flash);
strcat(tmpstr, "/");
strcat(tmpstr, files[x]);
plist_dict_insert_item(info, "Path", plist_new_string(tmpstr));
comp = plist_new_dict();
plist_dict_insert_item(comp, "Info", info);
const char* compname = get_component_name(files[x]);
if (compname) {
plist_dict_insert_item(manifest, compname, comp);
if (!strncmp(files[x], "DeviceTree", 10)) {
plist_dict_insert_item(manifest, "RestoreDeviceTree", plist_copy(comp));
}
} else {
error("WARNING: unhandled component %s\n", files[x]);
plist_free(comp);
}
free(files[x]);
files[x] = NULL;
}
// add iBSS
sprintf(tmpstr, "Firmware/dfu/iBSS.%s.%s.dfu", lcmodel, "RELEASE");
info = plist_new_dict();
plist_dict_insert_item(info, "Path", plist_new_string(tmpstr));
comp = plist_new_dict();
plist_dict_insert_item(comp, "Info", info);
plist_dict_insert_item(manifest, "iBSS", comp);
// add iBEC
sprintf(tmpstr, "Firmware/dfu/iBEC.%s.%s.dfu", lcmodel, "RELEASE");
info = plist_new_dict();
plist_dict_insert_item(info, "Path", plist_new_string(tmpstr));
comp = plist_new_dict();
plist_dict_insert_item(comp, "Info", info);
plist_dict_insert_item(manifest, "iBEC", comp);
// add kernel cache
node = plist_dict_get_item(buildmanifest, "KernelCachesByTarget");
if (node && (plist_get_node_type(node) == PLIST_DICT)) {
char tt[4];
strncpy(tt, lcmodel, 3);
tt[3] = 0;
plist_t kdict = plist_dict_get_item(node, tt);
if (kdict && (plist_get_node_type(kdict) == PLIST_DICT)) {
plist_t kc = plist_dict_get_item(kdict, "Release");
if (kc && (plist_get_node_type(kc) == PLIST_STRING)) {
info = plist_new_dict();
plist_dict_insert_item(info, "Path", plist_copy(kc));
comp = plist_new_dict();
plist_dict_insert_item(comp, "Info", info);
plist_dict_insert_item(manifest, "KernelCache", comp);
plist_dict_insert_item(manifest, "RestoreKernelCache", plist_copy(comp));
}
}
}
// add ramdisk
node = plist_dict_get_item(buildmanifest, "RestoreRamDisks");
if (node && (plist_get_node_type(node) == PLIST_DICT)) {
plist_t rd = plist_dict_get_item(node, (client->flags & FLAG_ERASE) ? "User" : "Update");
if (rd && (plist_get_node_type(rd) == PLIST_STRING)) {
info = plist_new_dict();
plist_dict_insert_item(info, "Path", plist_copy(rd));
comp = plist_new_dict();
plist_dict_insert_item(comp, "Info", info);
plist_dict_insert_item(manifest, "RestoreRamDisk", comp);
}
}
// add OS filesystem
node = plist_dict_get_item(buildmanifest, "SystemRestoreImages");
if (!node) {
error("ERROR: missing SystemRestoreImages in Restore.plist\n");
}
plist_t os = plist_dict_get_item(node, "User");
if (!os) {
error("ERROR: missing filesystem in Restore.plist\n");
} else {
info = plist_new_dict();
plist_dict_insert_item(info, "Path", plist_copy(os));
comp = plist_new_dict();
plist_dict_insert_item(comp, "Info", info);
plist_dict_insert_item(manifest, "OS", comp);
}
// finally add manifest
plist_dict_insert_item(build_identity, "Manifest", manifest);
}
} else if (client->flags & FLAG_ERASE) {
build_identity = build_manifest_get_build_identity(buildmanifest, 0);
if (build_identity == NULL) {
error("ERROR: Unable to find any build identities\n");
plist_free(buildmanifest);
return -1;
}
} else {
// loop through all build identities in the build manifest
// and list the valid ones
int i = 0;
int valid_builds = 0;
int build_count = build_manifest_get_identity_count(buildmanifest);
for (i = 0; i < build_count; i++) {
build_identity = build_manifest_get_build_identity(buildmanifest, i);
valid_builds++;
}
}
/* print information about current build identity */
build_identity_print_information(build_identity);
/* retrieve shsh blobs if required */
if (tss_enabled) {
debug("Getting device's ECID for TSS request\n");
/* fetch the device's ECID for the TSS request */
if (get_ecid(client, &client->ecid) < 0) {
error("ERROR: Unable to find device ECID\n");
return -1;
}
info("Found ECID " FMT_qu "\n", (long long unsigned int)client->ecid);
if (get_shsh_blobs(client, client->ecid, NULL, 0, build_identity, &client->tss) < 0) {
error("ERROR: Unable to get SHSH blobs for this device\n");
return -1;
}
}
if (shsh_only) {
if (!tss_enabled) {
info("This device does not require a TSS record");
return 0;
}
if (!client->tss) {
error("ERROR: could not fetch TSS record");
plist_free(buildmanifest);
return -1;
} else {
char *bin = NULL;
uint32_t blen = 0;
plist_to_bin(client->tss, &bin, &blen);
if (bin) {
char zfn[512];
sprintf(zfn, "shsh/" FMT_qu "-%s-%s.shsh", (long long int)client->ecid, client->device->product, client->version);
__mkdir("shsh", 0755);
struct stat fst;
if (stat(zfn, &fst) != 0) {
gzFile zf = gzopen(zfn, "wb");
gzwrite(zf, bin, blen);
gzclose(zf);
info("SHSH saved to '%s'\n", zfn);
} else {
info("SHSH '%s' already present.\n", zfn);
}
free(bin);
} else {
error("ERROR: could not get TSS record data\n");
}
plist_free(client->tss);
plist_free(buildmanifest);
return 0;
}
}
/* verify if we have tss records if required */
if ((tss_enabled) && (client->tss == NULL)) {
error("ERROR: Unable to proceed without a TSS record.\n");
plist_free(buildmanifest);
return -1;
}
if ((tss_enabled) && client->tss) {
/* fix empty dicts */
fixup_tss(client->tss);
}
// Extract filesystem from IPSW and return its name
char* filesystem = NULL;
if (ipsw_extract_filesystem(client->ipsw, build_identity, &filesystem) < 0) {
error("ERROR: Unable to extract filesystem from IPSW\n");
if (client->tss)
plist_free(client->tss);
plist_free(buildmanifest);
return -1;
}
// if the device is in normal mode, place device into recovery mode
if (client->mode->index == MODE_NORMAL) {
info("Entering recovery mode...\n");
if (normal_enter_recovery(client) < 0) {
error("ERROR: Unable to place device into recovery mode\n");
if (client->tss)
plist_free(client->tss);
plist_free(buildmanifest);
return -1;
}
}
// if the device is in DFU mode, place device into recovery mode
if (client->mode->index == MODE_DFU) {
recovery_client_free(client);
if (client->flags & FLAG_CUSTOM) {
info("connecting to DFU\n");
if (dfu_client_new(client) < 0) {
return -1;
}
info("exploiting with limera1n\n");
// TODO: check for non-limera1n device and fail
if (limera1n_exploit(client->device, client->dfu->client) != 0) {
error("ERROR: limera1n exploit failed\n");
dfu_client_free(client);
return -1;
}
dfu_client_free(client);
info("exploited\n");
}
if (dfu_enter_recovery(client, build_identity) < 0) {
error("ERROR: Unable to place device into recovery mode\n");
plist_free(buildmanifest);
if (client->tss)
plist_free(client->tss);
return -1;
}
}
if (client->mode->index == MODE_DFU) {
client->mode = &idevicerestore_modes[MODE_RECOVERY];
} else {
/* now we load the iBEC */
if (recovery_send_ibec(client, build_identity) < 0) {
error("ERROR: Unable to send iBEC\n");
return -1;
}
recovery_client_free(client);
/* this must be long enough to allow the device to run the iBEC */
/* FIXME: Probably better to detect if the device is back then */
sleep(7);
}
if (client->build[0] > '8') {
// we need another tss request with nonce.
unsigned char* nonce = NULL;
int nonce_size = 0;
int nonce_changed = 0;
if (get_nonce(client, &nonce, &nonce_size) < 0) {
error("ERROR: Unable to get nonce from device!\n");
recovery_send_reset(client);
return -1;
}
if (!client->nonce || (nonce_size != client->nonce_size) || (memcmp(nonce, client->nonce, nonce_size) != 0)) {
nonce_changed = 1;
if (client->nonce) {
free(client->nonce);
}
client->nonce = nonce;
client->nonce_size = nonce_size;
} else {
free(nonce);
}
info("Nonce: ");
int i;
for (i = 0; i < client->nonce_size; i++) {
info("%02x ", client->nonce[i]);
}
info("\n");
if (nonce_changed && !(client->flags & FLAG_CUSTOM)) {
// Welcome iOS5. We have to re-request the TSS with our nonce.
plist_free(client->tss);
if (get_shsh_blobs(client, client->ecid, client->nonce, client->nonce_size, build_identity, &client->tss) < 0) {
error("ERROR: Unable to get SHSH blobs for this device\n");
return -1;
}
if (!client->tss) {
error("ERROR: can't continue without TSS\n");
return -1;
}
fixup_tss(client->tss);
}
}
// now finally do the magic to put the device into restore mode
if (client->mode->index == MODE_RECOVERY) {
if (client->srnm == NULL) {
error("ERROR: could not retrieve device serial number. Can't continue.\n");
return -1;
}
if (recovery_enter_restore(client, build_identity) < 0) {
error("ERROR: Unable to place device into restore mode\n");
plist_free(buildmanifest);
if (client->tss)
plist_free(client->tss);
return -1;
}
}
// device is finally in restore mode, let's do this
if (client->mode->index == MODE_RESTORE) {
info("About to restore device... \n");
if (restore_device(client, build_identity, filesystem) < 0) {
error("ERROR: Unable to restore device\n");
return -1;
}
}
info("Cleaning up...\n");
if (filesystem)
unlink(filesystem);
info("DONE\n");
return 0;
}
