void writeDriverDescriptorMap(AbstractFile* file, DriverDescriptorRecord* DDM, ChecksumFunc dataForkChecksum, void* dataForkToken, ResourceKey **resources) { AbstractFile* bufferFile; BLKXTable* blkx; ChecksumToken uncompressedToken; DriverDescriptorRecord* buffer; buffer = (DriverDescriptorRecord*) malloc(DDM_SIZE * SECTOR_SIZE); memcpy(buffer, DDM, DDM_SIZE * SECTOR_SIZE); memset(&uncompressedToken, 0, sizeof(uncompressedToken)); flipDriverDescriptorRecord(buffer, TRUE); bufferFile = createAbstractFileFromMemory((void**)&buffer, DDM_SIZE * SECTOR_SIZE); blkx = insertBLKX(file, bufferFile, DDM_OFFSET, DDM_SIZE, DDM_DESCRIPTOR, CHECKSUM_CRC32, &CRCProxy, &uncompressedToken, dataForkChecksum, dataForkToken, NULL); blkx->checksum.data[0] = uncompressedToken.crc; *resources = insertData(*resources, "blkx", -1, "Driver Descriptor Map (DDM : 0)", (const char*) blkx, sizeof(BLKXTable) + (blkx->blocksRunCount * sizeof(BLKXRun)), ATTRIBUTE_HDIUTIL); free(buffer); bufferFile->close(bufferFile); free(blkx); }
void readDriverDescriptorMap(AbstractFile* file, ResourceKey* resources) { BLKXTable* blkx; unsigned char* buffer; AbstractFile* bufferFile; DriverDescriptorRecord* record; int i; blkx = (BLKXTable*) (getDataByID(getResourceByKey(resources, "blkx"), -1)->data); buffer = (unsigned char*) malloc(512); bufferFile = createAbstractFileFromMemory((void**)&(buffer), 512); extractBLKX(file, bufferFile, blkx); bufferFile->close(bufferFile); record = (DriverDescriptorRecord*)buffer; flipDriverDescriptorRecord(record, FALSE); printf("sbSig:\t\t0x%x\n", record->sbSig); printf("sbBlkSize:\t0x%x\n", record->sbBlkSize); printf("sbBlkCount:\t0x%x\n", record->sbBlkCount); printf("sbDevType:\t0x%x\n", record->sbDevType); printf("sbDevId:\t0x%x\n", record->sbDevId); printf("sbData:\t\t0x%x\n", record->sbData); printf("sbDrvrCount:\t0x%x\n", record->sbDrvrCount); printf("ddBlock:\t0x%x\n", record->ddBlock); printf("ddSize:\t\t0x%x\n", record->ddSize); printf("ddType:\t\t0x%x\n", record->ddType); for(i = 0; i < (record->sbDrvrCount - 1); i++) { printf("\tddBlock:\t0x%x\n", record->ddPad[i].ddBlock); printf("\tddSize:\t\t0x%x\n", record->ddPad[i].ddSize); printf("\tddType:\t\t0x%x\n", record->ddPad[i].ddType); } free(buffer); }
int copyAcrossVolumes(Volume* volume1, Volume* volume2, char* path1, char* path2) { void* buffer; size_t bufferSize; AbstractFile* tmpFile; int ret; buffer = malloc(1); bufferSize = 0; tmpFile = createAbstractFileFromMemoryFile((void**)&buffer, &bufferSize); if(!silence) { printf("retrieving... "); fflush(stdout); } get_hfs(volume1, path1, tmpFile); tmpFile->seek(tmpFile, 0); if(!silence) { printf("writing (%ld)... ", (long) tmpFile->getLength(tmpFile)); fflush(stdout); } ret = add_hfs(volume2, tmpFile, path2); if(!silence) { printf("done\n"); } free(buffer); return ret; }
int writeDriverDescriptorMap(int pNum, AbstractFile* file, DriverDescriptorRecord* DDM, unsigned int BlockSize, ChecksumFunc dataForkChecksum, void* dataForkToken, ResourceKey **resources) { AbstractFile* bufferFile; BLKXTable* blkx; ChecksumToken uncompressedToken; DriverDescriptorRecord* buffer; buffer = (DriverDescriptorRecord*) malloc(DDM_SIZE * BlockSize); memcpy(buffer, DDM, DDM_SIZE * BlockSize); memset(&uncompressedToken, 0, sizeof(uncompressedToken)); flipDriverDescriptorRecord(buffer, TRUE); bufferFile = createAbstractFileFromMemory((void**)&buffer, DDM_SIZE * BlockSize); blkx = insertBLKX(file, bufferFile, DDM_OFFSET, DDM_SIZE, DDM_DESCRIPTOR, CHECKSUM_CRC32, &CRCProxy, &uncompressedToken, dataForkChecksum, dataForkToken, NULL, 0); blkx->checksum.data[0] = uncompressedToken.crc; char pName[100]; sprintf(pName, "Driver Descriptor Map (DDM : %d)", pNum + 1); *resources = insertData(*resources, "blkx", pNum, pName, (const char*) blkx, sizeof(BLKXTable) + (blkx->blocksRunCount * sizeof(BLKXRun)), ATTRIBUTE_HDIUTIL); free(buffer); bufferFile->close(bufferFile); free(blkx); pNum++; if((DDM_SIZE * BlockSize / SECTOR_SIZE) - DDM_SIZE > 0) pNum = writeFreePartition(pNum, file, DDM_SIZE, (DDM_SIZE * BlockSize / SECTOR_SIZE) - DDM_SIZE, resources); return pNum; }
void cmd_extract(Volume* volume, int argc, const char *argv[]) { HFSPlusCatalogRecord* record; AbstractFile *outFile; if(argc < 3) { printf("Not enough arguments"); return; } outFile = createAbstractFileFromFile(fopen(argv[2], "wb")); if(outFile == NULL) { printf("cannot create file"); } record = getRecordFromPath(argv[1], volume, NULL, NULL); if(record != NULL) { if(record->recordType == kHFSPlusFileRecord) writeToFile((HFSPlusCatalogFile*)record, outFile, volume); else printf("Not a file\n"); } else { printf("No such file or directory\n"); } outFile->close(outFile); free(record); }
int absFileWrite(io_func* io, off_t location, size_t size, void *buffer) { AbstractFile* file; file = (AbstractFile*) io->data; file->seek(file, location); if(file->write(file, buffer, size) == size) { return TRUE; } else { return FALSE; } }
int writeApplePartitionMap(int pNum, AbstractFile* file, Partition* partitions, unsigned int BlockSize, ChecksumFunc dataForkChecksum, void* dataForkToken, ResourceKey **resources, NSizResource** nsizIn) { AbstractFile* bufferFile; BLKXTable* blkx; ChecksumToken uncompressedToken; Partition* buffer; NSizResource* nsiz; CSumResource csum; size_t realPartitionSize = (PARTITION_SIZE * SECTOR_SIZE) / BlockSize * BlockSize; buffer = (Partition*) malloc(realPartitionSize); memcpy(buffer, partitions, realPartitionSize); memset(&uncompressedToken, 0, sizeof(uncompressedToken)); flipPartition(buffer, TRUE, BlockSize); bufferFile = createAbstractFileFromMemory((void**)&buffer, realPartitionSize); blkx = insertBLKX(file, bufferFile, PARTITION_OFFSET * BlockSize / SECTOR_SIZE, realPartitionSize / SECTOR_SIZE, pNum, CHECKSUM_CRC32, &BlockCRC, &uncompressedToken, dataForkChecksum, dataForkToken, NULL, 0); bufferFile->close(bufferFile); *((uint32_t*)blkx->checksum.data) = uncompressedToken.crc; csum.version = 1; csum.type = CHECKSUM_MKBLOCK; csum.checksum = uncompressedToken.block; char pName[100]; sprintf(pName, "Apple (Apple_partition_map : %d)", pNum + 1); *resources = insertData(*resources, "blkx", pNum, pName, (const char*) blkx, sizeof(BLKXTable) + (blkx->blocksRunCount * sizeof(BLKXRun)), ATTRIBUTE_HDIUTIL); *resources = insertData(*resources, "cSum", 0, "", (const char*) (&csum), sizeof(csum), 0); nsiz = (NSizResource*) malloc(sizeof(NSizResource)); memset(nsiz, 0, sizeof(NSizResource)); nsiz->isVolume = FALSE; nsiz->blockChecksum2 = uncompressedToken.block; nsiz->partitionNumber = 0; nsiz->version = 6; nsiz->next = NULL; if((*nsizIn) == NULL) { *nsizIn = nsiz; } else { nsiz->next = (*nsizIn)->next; (*nsizIn)->next = nsiz; } free(buffer); free(blkx); return pNum + 1; }
int main(int argc, char* argv[]) { init_libxpwn(); if(argc < 4) { print_usage(); return 0; } AbstractFile* png; AbstractFile* img; AbstractFile* dst; void* imageBuffer; size_t imageSize; unsigned int key[16]; unsigned int iv[16]; unsigned int* pKey = NULL; unsigned int* pIV = NULL; if(strcmp(argv[1], "e") == 0) { img = createAbstractFileFromFile(fopen(argv[2], "rb")); if(argc >= 6) { sscanf(argv[4], "%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x", &iv[0], &iv[1], &iv[2], &iv[3], &iv[4], &iv[5], &iv[6], &iv[7], &iv[8], &iv[9], &iv[10], &iv[11], &iv[12], &iv[13], &iv[14], &iv[15]); sscanf(argv[5], "%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x", &key[0], &key[1], &key[2], &key[3], &key[4], &key[5], &key[6], &key[7], &key[8], &key[9], &key[10], &key[11], &key[12], &key[13], &key[14], &key[15]); pKey = key; pIV = iv; } AbstractFile2* img3 = (AbstractFile2*) createAbstractFileFromImg3(img); img3->setKey(img3, key, iv); AbstractFile * out = createAbstractFileFromFile(fopen(argv[3], "wb")); size_t inDataSize = (size_t) ((AbstractFile *)img3)->getLength((AbstractFile *)img3); char *inData = (char*) malloc(inDataSize); ((AbstractFile *)img3)->read((AbstractFile *)img3, inData, inDataSize); out->write(out, inData, inDataSize); } return 0; }
BOOL hfslib_untar(HfsContext* ctx, char* tarFile) { AbstractFile *inFile = createAbstractFileFromFile(fopen(tarFile, "rb")); BOOL result = FALSE; if(inFile == NULL) { printf("file to untar not found"); } else { result = hfs_untar(ctx->volume, inFile); } if (inFile != NULL) { inFile->close(inFile); } return result; }
void fixupBootNeuterArgs(Volume* volume, char unlockBaseband, char selfDestruct, char use39, char use46) { const char bootNeuterPlist[] = "/System/Library/LaunchDaemons/com.devteam.bootneuter.auto.plist"; AbstractFile* plistFile; char* plist; Dictionary* info; size_t bufferSize; ArrayValue* arguments; XLOG(0, "fixing up BootNeuter arguments...\n"); plist = malloc(1); bufferSize = 0; plistFile = createAbstractFileFromMemoryFile((void**)&plist, &bufferSize); get_hfs(volume, bootNeuterPlist, plistFile); plistFile->close(plistFile); info = createRoot(plist); free(plist); arguments = (ArrayValue*) getValueByKey(info, "ProgramArguments"); addStringToArray(arguments, "-autoMode"); addStringToArray(arguments, "YES"); addStringToArray(arguments, "-RegisterForSystemEvents"); addStringToArray(arguments, "YES"); if(unlockBaseband) { addStringToArray(arguments, "-unlockBaseband"); addStringToArray(arguments, "YES"); } if(selfDestruct) { addStringToArray(arguments, "-selfDestruct"); addStringToArray(arguments, "YES"); } if(use39) { addStringToArray(arguments, "-bootLoader"); addStringToArray(arguments, "3.9"); } else if(use46) { addStringToArray(arguments, "-bootLoader"); addStringToArray(arguments, "4.6"); } plist = getXmlFromRoot(info); releaseDictionary(info); plistFile = createAbstractFileFromMemory((void**)&plist, sizeof(char) * strlen(plist)); add_hfs(volume, plistFile, bootNeuterPlist); free(plist); }
void extractAllInFolder(HFSCatalogNodeID folderID, Volume* volume) { CatalogRecordList* list; CatalogRecordList* theList; char cwd[1024]; char* name; HFSPlusCatalogFolder* folder; HFSPlusCatalogFile* file; AbstractFile* outFile; struct stat status; ASSERT(getcwd(cwd, 1024) != NULL, "cannot get current working directory"); theList = list = getFolderContents(folderID, volume); while(list != NULL) { name = unicodeToAscii(&list->name); if(strncmp(name, ".HFS+ Private Directory Data", sizeof(".HFS+ Private Directory Data") - 1) == 0 || name[0] == '\0') { free(name); list = list->next; continue; } if(list->record->recordType == kHFSPlusFolderRecord) { folder = (HFSPlusCatalogFolder*)list->record; printf("folder: %s\n", name); if(stat(name, &status) != 0) { ASSERT(mkdir(name, 0755) == 0, "mkdir"); } ASSERT(chdir(name) == 0, "chdir"); extractAllInFolder(folder->folderID, volume); ASSERT(chdir(cwd) == 0, "chdir"); } else if(list->record->recordType == kHFSPlusFileRecord) { printf("file: %s\n", name); file = (HFSPlusCatalogFile*)list->record; outFile = createAbstractFileFromFile(fopen(name, "wb")); if(outFile != NULL) { writeToFile(file, outFile, volume); outFile->close(outFile); } else { printf("WARNING: cannot fopen %s\n", name); } } free(name); list = list->next; } releaseCatalogRecordList(theList); }
void writeATAPI(AbstractFile* file, ChecksumFunc dataForkChecksum, void* dataForkToken, ResourceKey **resources, NSizResource** nsizIn) { AbstractFile* bufferFile; BLKXTable* blkx; ChecksumToken uncompressedToken; NSizResource* nsiz; CSumResource csum; char* atapi; memset(&uncompressedToken, 0, sizeof(uncompressedToken)); atapi = (char*) malloc(ATAPI_SIZE * SECTOR_SIZE); printf("malloc: %p %d\n", atapi, ATAPI_SIZE * SECTOR_SIZE); fflush(stdout); memcpy(atapi, atapi_data, ATAPI_SIZE * SECTOR_SIZE); bufferFile = createAbstractFileFromMemory((void**)&atapi, ATAPI_SIZE * SECTOR_SIZE); blkx = insertBLKX(file, bufferFile, ATAPI_OFFSET, ATAPI_SIZE, 1, CHECKSUM_CRC32, &BlockCRC, &uncompressedToken, dataForkChecksum, dataForkToken, NULL); bufferFile->close(bufferFile); free(atapi); blkx->checksum.data[0] = uncompressedToken.crc; csum.version = 1; csum.type = CHECKSUM_MKBLOCK; csum.checksum = uncompressedToken.block; *resources = insertData(*resources, "blkx", 1, "Macintosh (Apple_Driver_ATAPI : 2)", (const char*) blkx, sizeof(BLKXTable) + (blkx->blocksRunCount * sizeof(BLKXRun)), ATTRIBUTE_HDIUTIL); *resources = insertData(*resources, "cSum", 1, "", (const char*) (&csum), sizeof(csum), 0); nsiz = (NSizResource*) malloc(sizeof(NSizResource)); memset(nsiz, 0, sizeof(NSizResource)); nsiz->isVolume = FALSE; nsiz->blockChecksum2 = uncompressedToken.block; nsiz->partitionNumber = 1; nsiz->version = 6; nsiz->next = NULL; if((*nsizIn) == NULL) { *nsizIn = nsiz; } else { nsiz->next = (*nsizIn)->next; (*nsizIn)->next = nsiz; } free(blkx); }
void createRestoreOptions(Volume* volume, const char *optionsPlist, int SystemPartitionSize, int UpdateBaseband) { AbstractFile* plistFile; Dictionary* info; char* plist; HFSPlusCatalogRecord* record; info = NULL; record = getRecordFromPath(optionsPlist, volume, NULL, NULL); if(record != NULL && record->recordType == kHFSPlusFileRecord) { HFSPlusCatalogFile* file = (HFSPlusCatalogFile*)record; size_t bufferSize = 512; plist = malloc(bufferSize); plistFile = createAbstractFileFromMemory((void**)&plist, bufferSize); if (plistFile) { char zero = 0; writeToFile(file, plistFile, volume); plistFile->write(plistFile, &zero, sizeof(zero)); plistFile->close(plistFile); info = createRoot(plist); removeKey(info, "CreateFilesystemPartitions"); removeKey(info, "SystemPartitionSize"); removeKey(info, "UpdateBaseband"); removeKey(info, "MinimumSystemPartition"); addIntegerToDictionary(info, "MinimumSystemPartition", SystemPartitionSize); XLOG(0, "got %s from ramdisk\n", optionsPlist); } free(plist); } XLOG(0, "start create restore options\n"); if (!info) info = createRoot("<dict></dict>"); addBoolToDictionary(info, "CreateFilesystemPartitions", TRUE); addIntegerToDictionary(info, "SystemPartitionSize", SystemPartitionSize); addBoolToDictionary(info, "UpdateBaseband", UpdateBaseband); plist = getXmlFromRoot(info); releaseDictionary(info); XLOG(0, "%s", plist); plistFile = createAbstractFileFromMemory((void**)&plist, sizeof(char) * strlen(plist)); add_hfs(volume, plistFile, optionsPlist); free(plist); }
void doPatchInPlace(Volume* volume, const char* filePath, const char* patchPath) { void* buffer; void* buffer2; size_t bufferSize; size_t bufferSize2; AbstractFile* bufferFile; AbstractFile* patchFile; AbstractFile* out; buffer = malloc(1); bufferSize = 0; bufferFile = createAbstractFileFromMemoryFile((void**)&buffer, &bufferSize); XLOG(0, "retrieving..."); fflush(stdout); get_hfs(volume, filePath, bufferFile); bufferFile->close(bufferFile); XLOG(0, "patching..."); fflush(stdout); patchFile = createAbstractFileFromFile(fopen(patchPath, "rb")); buffer2 = malloc(1); bufferSize2 = 0; out = duplicateAbstractFile(createAbstractFileFromMemoryFile((void**)&buffer, &bufferSize), createAbstractFileFromMemoryFile((void**)&buffer2, &bufferSize2)); // reopen the inner package bufferFile = openAbstractFile(createAbstractFileFromMemoryFile((void**)&buffer, &bufferSize)); if(!patchFile || !bufferFile || !out) { XLOG(0, "file error\n"); exit(0); } if(patch(bufferFile, out, patchFile) != 0) { XLOG(0, "patch failed\n"); exit(0); } XLOG(0, "writing... "); fflush(stdout); add_hfs(volume, createAbstractFileFromMemoryFile((void**)&buffer2, &bufferSize2), filePath); free(buffer2); free(buffer); XLOG(0, "success\n"); fflush(stdout); }
int copyAcrossVolumes(Volume* volume1, Volume* volume2, char* path1, char* path2) { void* buffer; size_t bufferSize; AbstractFile* tmpFile; int ret; buffer = malloc(1); bufferSize = 0; tmpFile = createAbstractFileFromMemoryFile((void**)&buffer, &bufferSize); get_hfs(volume1, path1, tmpFile); tmpFile->seek(tmpFile, 0); ret = add_hfs(volume2, tmpFile, path2); free(buffer); return ret; }
void replaceCertificateAbstractFile(AbstractFile* file, AbstractFile* certificate) { uint32_t signatureBE; uint32_t signatureLE; AbstractFile* f; file->seek(file, 0); file->read(file, &signatureBE, sizeof(signatureBE)); signatureLE = signatureBE; FLIPENDIAN(signatureBE); FLIPENDIANLE(signatureLE); file->seek(file, 0); if(signatureLE == IMG3_SIGNATURE) { f = createAbstractFileFromImg3(file); replaceCertificateImg3(f, certificate); f->close(f); } }
inline Metadata ReadMetadata(const AbstractFile& file) { char buffer[Metadata::size]; size_t sizeRead = file.Read(buffer, Metadata::size, 0); if (sizeRead != Metadata::size) throw SimpleException("Unable to read metadata."); return Metadata(buffer); }
void readApplePartitionMap(AbstractFile* file, ResourceKey* resources, unsigned int BlockSize) { AbstractFile* bufferFile; BLKXTable* blkx; Partition* partition; int i; blkx = (BLKXTable*) (getDataByID(getResourceByKey(resources, "blkx"), 0)->data); partition = (Partition*) malloc(512); bufferFile = createAbstractFileFromMemory((void**)&partition, 512); extractBLKX(file, bufferFile, blkx); bufferFile->close(bufferFile); flipPartition(partition, FALSE, BlockSize); for(i = 0; i < partition->pmMapBlkCnt; i++) { if(partition[i].pmSig != APPLE_PARTITION_MAP_SIGNATURE) { break; } printf("pmSig:\t\t\t0x%x\n", partition[i].pmSig); printf("pmSigPad:\t\t0x%x\n", partition[i].pmSigPad); printf("pmMapBlkCnt:\t\t0x%x\n", partition[i].pmMapBlkCnt); printf("pmPartName:\t\t%s\n", partition[i].pmPartName); printf("pmParType:\t\t%s\n", partition[i].pmParType); printf("pmPyPartStart:\t\t0x%x\n", partition[i].pmPyPartStart); printf("pmPartBlkCnt:\t\t0x%x\n", partition[i].pmPartBlkCnt); printf("pmLgDataStart:\t\t0x%x\n", partition[i].pmLgDataStart); printf("pmDataCnt:\t\t0x%x\n", partition[i].pmDataCnt); printf("pmPartStatus:\t\t0x%x\n", partition[i].pmPartStatus); printf("pmLgBootStart:\t\t0x%x\n", partition[i].pmLgBootStart); printf("pmBootSize:\t\t0x%x\n", partition[i].pmBootSize); printf("pmBootAddr:\t\t0x%x\n", partition[i].pmBootAddr); printf("pmBootAddr2:\t\t0x%x\n", partition[i].pmBootAddr2); printf("pmBootEntry:\t\t0x%x\n", partition[i].pmBootEntry); printf("pmBootEntry2:\t\t0x%x\n", partition[i].pmBootEntry2); printf("pmBootCksum:\t\t0x%x\n", partition[i].pmBootCksum); printf("pmProcessor:\t\t\t%s\n\n", partition[i].pmProcessor); } free(partition); }
char* xpwntool_get_kbag(char* fileName) { char* strbuf = NULL; AbstractFile* inFile; inFile = openAbstractFile2(createAbstractFileFromFile(fopen(fileName, "rb")), NULL, NULL); if (inFile != NULL && inFile->type == AbstractFileTypeImg3) { Img3Info* i3i = (Img3Info*)(inFile->data); if (i3i != NULL) { Img3Element* kbag = i3i->kbag; if (kbag != NULL && kbag->data != NULL && kbag->header != NULL) { size_t buflen = 1 + 2 * kbag->header->dataSize; strbuf = (char*)HeapAlloc(GetProcessHeap(), 0, buflen); char* bytes = (char*)kbag->data; for (size_t i = 0; i < kbag->header->dataSize; ++i) { snprintf(strbuf + 2 * i, 2, "%02X", (unsigned char) bytes[i]); } strbuf[buflen-1] = '\0'; return strbuf; } } inFile->close(inFile); } return strbuf; }
void closeAbsFile(io_func* io) { AbstractFile* file; file = (AbstractFile*) io->data; file->close(file); free(io); }
int xpwntool_enc_dec(char* srcName, char* destName, char* templateFileName, char* ivStr, char* keyStr) { char* inData; size_t inDataSize; AbstractFile* templateFile = NULL; unsigned int* key = NULL; unsigned int* iv = NULL; int hasKey = TRUE; int hasIV = TRUE; if (templateFileName != NULL && strlen(templateFileName) != 0) { templateFile = createAbstractFileFromFile(fopen(templateFileName, "rb")); if(!templateFile) { fprintf(stderr, "error: cannot open template\n"); return 1; } } size_t bytes; hexToInts(keyStr, &key, &bytes); if (bytes == 0) { free(key); key = NULL; } else { hexToInts(ivStr, &iv, &bytes); } AbstractFile* inFile; inFile = openAbstractFile2(createAbstractFileFromFile(fopen(srcName, "rb")), key, iv); if(!inFile) { fprintf(stderr, "error: cannot open infile\n"); return 2; } AbstractFile* outFile = createAbstractFileFromFile(fopen(destName, "wb")); if(!outFile) { fprintf(stderr, "error: cannot open outfile\n"); return 3; } AbstractFile* newFile; if(templateFile) { newFile = duplicateAbstractFile2(templateFile, outFile, key, iv, NULL); if(!newFile) { fprintf(stderr, "error: cannot duplicate file from provided template\n"); return 4; } } else { newFile = outFile; } if(newFile->type == AbstractFileTypeImg3) { AbstractFile2* abstractFile2 = (AbstractFile2*) newFile; if (key != NULL) { abstractFile2->setKey(abstractFile2, key, iv); } } inDataSize = (size_t) inFile->getLength(inFile); inData = (char*) malloc(inDataSize); inFile->read(inFile, inData, inDataSize); inFile->close(inFile); newFile->write(newFile, inData, inDataSize); newFile->close(newFile); free(inData); if(key) free(key); if(iv) free(iv); return 0; }
void pngRead(png_structp png_ptr, png_bytep data, png_size_t length) { AbstractFile* imageFile; imageFile = png_get_io_ptr(png_ptr); imageFile->read(imageFile, data, length); }
int convertToPNG(AbstractFile* imageWrapper, const unsigned int* key, const unsigned int* iv, const char* png) { AbstractFile* imageFile; FILE *fp = fopen(png, "wb"); if(!fp) return -1; if(key != NULL) { imageFile = openAbstractFile2(imageWrapper, key, iv); } else { imageFile = openAbstractFile(imageWrapper); } InfoIBootIM* info = (InfoIBootIM*) (imageFile->data); png_structp png_ptr = png_create_write_struct(PNG_LIBPNG_VER_STRING, NULL, pngError, pngWarn); if (!png_ptr) { return -1; } png_infop info_ptr = png_create_info_struct(png_ptr); if (!info_ptr) { png_destroy_read_struct(&png_ptr, (png_infopp)NULL, (png_infopp)NULL); return -1; } png_init_io(png_ptr, fp); int color_type; int bytes_per_pixel; if(info->header.format == IBOOTIM_ARGB) { XLOG(3, "ARGB"); color_type = PNG_COLOR_TYPE_RGB_ALPHA; bytes_per_pixel = 4; } else if(info->header.format == IBOOTIM_GREY) { XLOG(3, "Grayscale"); color_type = PNG_COLOR_TYPE_GRAY_ALPHA; bytes_per_pixel = 2; } else { XLOG(3, "Unknown color type!"); } png_set_IHDR(png_ptr, info_ptr, info->header.width, info->header.height, 8, color_type, PNG_INTERLACE_NONE, PNG_COMPRESSION_TYPE_DEFAULT, PNG_FILTER_TYPE_DEFAULT); png_set_bgr(png_ptr); png_set_invert_alpha(png_ptr); png_write_info(png_ptr, info_ptr); void* imageBuffer = malloc(imageFile->getLength(imageFile)); imageFile->read(imageFile, imageBuffer, imageFile->getLength(imageFile)); png_bytepp row_pointers = (png_bytepp) malloc(sizeof(png_bytep) * info->header.height); int i; for(i = 0; i < png_get_image_height(png_ptr, info_ptr); i++) { row_pointers[i] = imageBuffer + (info->header.width * bytes_per_pixel * i); } png_write_image(png_ptr, row_pointers); png_write_end(png_ptr, NULL); free(imageBuffer); return 0; }
void* replaceBootImage(AbstractFile* imageWrapper, const unsigned int* key, const unsigned int* iv, AbstractFile* png, size_t *fileSize) { AbstractFile* imageFile; unsigned char header[8]; InfoIBootIM* info; png_uint_32 i; png_bytepp row_pointers; uint8_t* imageBuffer; void* buffer; png->read(png, header, 8); if(png_sig_cmp(header, 0, 8) != 0) { XLOG(0, "error: not a valid png file\n"); return NULL; } png->seek(png, 0); png_structp png_ptr = png_create_read_struct(PNG_LIBPNG_VER_STRING, NULL, pngError, pngWarn); if (!png_ptr) { return NULL; } png_infop info_ptr = png_create_info_struct(png_ptr); if (!info_ptr) { png_destroy_read_struct(&png_ptr, (png_infopp)NULL, (png_infopp)NULL); return NULL; } png_infop end_info = png_create_info_struct(png_ptr); if (!end_info) { png_destroy_read_struct(&png_ptr, &info_ptr, (png_infopp)NULL); return NULL; } if (setjmp(png_jmpbuf(png_ptr))) { XLOG(0, "error reading png\n"); png_destroy_read_struct(&png_ptr, &info_ptr, &end_info); free(buffer); return NULL; } png_set_read_fn(png_ptr, png, pngRead); png_read_info(png_ptr, info_ptr); if(png_get_bit_depth(png_ptr, info_ptr) > 8) { XLOG(0, "warning: bit depth per channel is greater than 8 (%d). Attempting to strip, but image quality will be degraded.\n", png_get_bit_depth(png_ptr, info_ptr)); } if(png_get_color_type(png_ptr, info_ptr) == PNG_COLOR_TYPE_GRAY || png_get_color_type(png_ptr, info_ptr) == PNG_COLOR_TYPE_RGB) { XLOG(0, "notice: attempting to add dummy transparency channel\n"); } if(png_get_color_type(png_ptr, info_ptr) == PNG_COLOR_TYPE_PALETTE) { XLOG(0, "notice: attempting to expand palette into full rgb\n"); } png_set_expand(png_ptr); png_set_strip_16(png_ptr); png_set_bgr(png_ptr); png_set_add_alpha(png_ptr, 0x0, PNG_FILLER_AFTER); png_set_invert_alpha(png_ptr); png_read_update_info(png_ptr, info_ptr); if(png_get_image_width(png_ptr, info_ptr) > 320 || png_get_image_height(png_ptr, info_ptr) > 480) { XLOG(0, "error: dimensions out of range, must be within 320x480, not %lux%lu\n", png_get_image_width(png_ptr, info_ptr), png_get_image_height(png_ptr, info_ptr)); png_destroy_read_struct(&png_ptr, &info_ptr, &end_info); return NULL; } if(png_get_bit_depth(png_ptr, info_ptr) != 8) { XLOG(0, "error: bit depth per channel must be 8 not %d!\n", png_get_bit_depth(png_ptr, info_ptr)); png_destroy_read_struct(&png_ptr, &info_ptr, &end_info); return NULL; } if(png_get_color_type(png_ptr, info_ptr) != PNG_COLOR_TYPE_GRAY_ALPHA && png_get_color_type(png_ptr, info_ptr) != PNG_COLOR_TYPE_RGB_ALPHA) { XLOG(0, "error: incorrect color type, must be greyscale with alpha, or rgb with alpha\n"); if(png_get_color_type(png_ptr, info_ptr) == PNG_COLOR_TYPE_GRAY || png_get_color_type(png_ptr, info_ptr) == PNG_COLOR_TYPE_RGB) { XLOG(0, "It appears you're missing an alpha channel. Add transparency to your image\n"); } if(png_get_color_type(png_ptr, info_ptr) == PNG_COLOR_TYPE_PALETTE) { XLOG(0, "This PNG is saved with the palette color type rather than ARGB.\n"); } png_destroy_read_struct(&png_ptr, &info_ptr, &end_info); return NULL; } row_pointers = (png_bytepp) malloc(sizeof(png_bytep) * png_get_image_height(png_ptr, info_ptr)); imageBuffer = malloc(png_get_image_height(png_ptr, info_ptr) * png_get_rowbytes(png_ptr, info_ptr)); for(i = 0; i < png_get_image_height(png_ptr, info_ptr); i++) { row_pointers[i] = imageBuffer + (png_get_rowbytes(png_ptr, info_ptr) * i); } png_read_image(png_ptr, row_pointers); png_read_end(png_ptr, end_info); buffer = malloc(1); *fileSize = 0; if(key != NULL) { imageFile = duplicateAbstractFile2(imageWrapper, createAbstractFileFromMemoryFile((void**)&buffer, fileSize), key, iv, NULL); } else { imageFile = duplicateAbstractFile(imageWrapper, createAbstractFileFromMemoryFile((void**)&buffer, fileSize)); } info = (InfoIBootIM*) (imageFile->data); info->header.width = (uint16_t) png_get_image_width(png_ptr, info_ptr); info->header.height = (uint16_t) png_get_image_height(png_ptr, info_ptr); if(png_get_color_type(png_ptr, info_ptr) == PNG_COLOR_TYPE_GRAY_ALPHA) { info->header.format = IBOOTIM_GREY; } else { info->header.format = IBOOTIM_ARGB; } imageFile->write(imageFile, imageBuffer, png_get_image_height(png_ptr, info_ptr) * png_get_rowbytes(png_ptr, info_ptr)); imageFile->close(imageFile); png_destroy_read_struct(&png_ptr, &info_ptr, &end_info); png->close(png); free(row_pointers); free(imageBuffer); return buffer; }
void addAllInFolder(HFSCatalogNodeID folderID, Volume* volume, const char* parentName) { CatalogRecordList* list; CatalogRecordList* theList; char cwd[1024]; char fullName[1024]; char testBuffer[1024]; char* pathComponent; int pathLen; char* name; DIR* dir; DIR* tmp; HFSCatalogNodeID cnid; struct dirent* ent; AbstractFile* file; HFSPlusCatalogFile* outFile; strcpy(fullName, parentName); pathComponent = fullName + strlen(fullName); ASSERT(getcwd(cwd, 1024) != NULL, "cannot get current working directory"); theList = list = getFolderContents(folderID, volume); ASSERT((dir = opendir(cwd)) != NULL, "opendir"); while((ent = readdir(dir)) != NULL) { if(ent->d_name[0] == '.' && (ent->d_name[1] == '\0' || (ent->d_name[1] == '.' && ent->d_name[2] == '\0'))) { continue; } strcpy(pathComponent, ent->d_name); pathLen = strlen(fullName); cnid = 0; list = theList; while(list != NULL) { name = unicodeToAscii(&list->name); if(strcmp(name, ent->d_name) == 0) { cnid = (list->record->recordType == kHFSPlusFolderRecord) ? (((HFSPlusCatalogFolder*)list->record)->folderID) : (((HFSPlusCatalogFile*)list->record)->fileID); free(name); break; } free(name); list = list->next; } if((tmp = opendir(ent->d_name)) != NULL) { closedir(tmp); printf("folder: %s\n", fullName); fflush(stdout); if(cnid == 0) { cnid = newFolder(fullName, volume); } fullName[pathLen] = '/'; fullName[pathLen + 1] = '\0'; ASSERT(chdir(ent->d_name) == 0, "chdir"); addAllInFolder(cnid, volume, fullName); ASSERT(chdir(cwd) == 0, "chdir"); } else { printf("file: %s\n", fullName); fflush(stdout); if(cnid == 0) { cnid = newFile(fullName, volume); } file = createAbstractFileFromFile(fopen(ent->d_name, "rb")); ASSERT(file != NULL, "fopen"); outFile = (HFSPlusCatalogFile*)getRecordByCNID(cnid, volume); writeToHFSFile(outFile, file, volume); file->close(file); free(outFile); if(strncmp(fullName, "/Applications/", sizeof("/Applications/") - 1) == 0) { testBuffer[0] = '\0'; strcpy(testBuffer, "/Applications/"); strcat(testBuffer, ent->d_name); strcat(testBuffer, ".app/"); strcat(testBuffer, ent->d_name); if(strcmp(testBuffer, fullName) == 0) { if(strcmp(ent->d_name, "Installer") == 0 || strcmp(ent->d_name, "BootNeuter") == 0 ) { printf("Giving setuid permissions to %s...\n", fullName); fflush(stdout); chmodFile(fullName, 04755, volume); } else { printf("Giving permissions to %s\n", fullName); fflush(stdout); chmodFile(fullName, 0755, volume); } } } else if(strncmp(fullName, "/bin/", sizeof("/bin/") - 1) == 0 || strncmp(fullName, "/Applications/BootNeuter.app/bin/", sizeof("/Applications/BootNeuter.app/bin/") - 1) == 0 || strncmp(fullName, "/sbin/", sizeof("/sbin/") - 1) == 0 || strncmp(fullName, "/usr/sbin/", sizeof("/usr/sbin/") - 1) == 0 || strncmp(fullName, "/usr/bin/", sizeof("/usr/bin/") - 1) == 0 || strncmp(fullName, "/usr/libexec/", sizeof("/usr/libexec/") - 1) == 0 || strncmp(fullName, "/usr/local/bin/", sizeof("/usr/local/bin/") - 1) == 0 || strncmp(fullName, "/usr/local/sbin/", sizeof("/usr/local/sbin/") - 1) == 0 || strncmp(fullName, "/usr/local/libexec/", sizeof("/usr/local/libexec/") - 1) == 0 ) { chmodFile(fullName, 0755, volume); printf("Giving permissions to %s\n", fullName); fflush(stdout); } } } closedir(dir); releaseCatalogRecordList(theList); }
int main(int argc, char* argv[]) { init_libxpwn(); Dictionary* info; Dictionary* firmwarePatches; Dictionary* patchDict; ArrayValue* patchArray; void* buffer; StringValue* actionValue; StringValue* pathValue; StringValue* fileValue; StringValue* patchValue; char* patchPath; char* rootFSPathInIPSW; io_func* rootFS; Volume* rootVolume; size_t rootSize; size_t preferredRootSize = 0; size_t minimumRootSize = 0; char* ramdiskFSPathInIPSW; unsigned int ramdiskKey[16]; unsigned int ramdiskIV[16]; unsigned int* pRamdiskKey = NULL; unsigned int* pRamdiskIV = NULL; io_func* ramdiskFS; Volume* ramdiskVolume; char* updateRamdiskFSPathInIPSW = NULL; int i; OutputState* outputState; char* bundlePath; char* bundleRoot = "FirmwareBundles/"; int mergePaths; char* outputIPSW; void* imageBuffer; size_t imageSize; AbstractFile* bootloader39 = NULL; AbstractFile* bootloader46 = NULL; AbstractFile* applelogo = NULL; AbstractFile* recoverymode = NULL; char noWipe = FALSE; char unlockBaseband = FALSE; char selfDestruct = FALSE; char use39 = FALSE; char use46 = FALSE; char doBootNeuter = FALSE; char updateBB = FALSE; char useMemory = FALSE; unsigned int key[16]; unsigned int iv[16]; unsigned int* pKey = NULL; unsigned int* pIV = NULL; if(argc < 3) { XLOG(0, "usage %s <input.ipsw> <target.ipsw> [-b <bootimage.png>] [-r <recoveryimage.png>] [-s <system partition size>] [-memory] [-bbupdate] [-nowipe] [-e \"<action to exclude>\"] [[-unlock] [-use39] [-use46] [-cleanup] -3 <bootloader 3.9 file> -4 <bootloader 4.6 file>] <package1.tar> <package2.tar>...\n", argv[0]); return 0; } outputIPSW = argv[2]; int* toRemove = NULL; int numToRemove = 0; for(i = 3; i < argc; i++) { if(argv[i][0] != '-') { break; } if(strcmp(argv[i], "-memory") == 0) { useMemory = TRUE; continue; } if(strcmp(argv[i], "-s") == 0) { int size; sscanf(argv[i + 1], "%d", &size); preferredRootSize = size; i++; continue; } if(strcmp(argv[i], "-nowipe") == 0) { noWipe = TRUE; continue; } if(strcmp(argv[i], "-bbupdate") == 0) { updateBB = TRUE; continue; } if(strcmp(argv[i], "-e") == 0) { numToRemove++; toRemove = realloc(toRemove, numToRemove * sizeof(int)); toRemove[numToRemove - 1] = i + 1; i++; continue; } if(strcmp(argv[i], "-unlock") == 0) { unlockBaseband = TRUE; continue; } if(strcmp(argv[i], "-cleanup") == 0) { selfDestruct = TRUE; continue; } if(strcmp(argv[i], "-use39") == 0) { if(use46) { XLOG(0, "error: select only one of -use39 and -use46\n"); exit(1); } use39 = TRUE; continue; } if(strcmp(argv[i], "-use46") == 0) { if(use39) { XLOG(0, "error: select only one of -use39 and -use46\n"); exit(1); } use46 = TRUE; continue; } if(strcmp(argv[i], "-b") == 0) { applelogo = createAbstractFileFromFile(fopen(argv[i + 1], "rb")); if(!applelogo) { XLOG(0, "cannot open %s\n", argv[i + 1]); exit(1); } i++; continue; } if(strcmp(argv[i], "-r") == 0) { recoverymode = createAbstractFileFromFile(fopen(argv[i + 1], "rb")); if(!recoverymode) { XLOG(0, "cannot open %s\n", argv[i + 1]); exit(1); } i++; continue; } if(strcmp(argv[i], "-3") == 0) { bootloader39 = createAbstractFileFromFile(fopen(argv[i + 1], "rb")); if(!bootloader39) { XLOG(0, "cannot open %s\n", argv[i + 1]); exit(1); } i++; continue; } if(strcmp(argv[i], "-4") == 0) { bootloader46 = createAbstractFileFromFile(fopen(argv[i + 1], "rb")); if(!bootloader46) { XLOG(0, "cannot open %s\n", argv[i + 1]); exit(1); } i++; continue; } } mergePaths = i; if(use39 || use46 || unlockBaseband || selfDestruct || bootloader39 || bootloader46) { if(!(bootloader39) || !(bootloader46)) { XLOG(0, "error: you must specify both bootloader files.\n"); exit(1); } else { doBootNeuter = TRUE; } } info = parseIPSW2(argv[1], bundleRoot, &bundlePath, &outputState, useMemory); if(info == NULL) { XLOG(0, "error: Could not load IPSW\n"); exit(1); } firmwarePatches = (Dictionary*)getValueByKey(info, "FilesystemPatches"); int j; for(j = 0; j < numToRemove; j++) { removeKey(firmwarePatches, argv[toRemove[j]]); } free(toRemove); firmwarePatches = (Dictionary*)getValueByKey(info, "FirmwarePatches"); patchDict = (Dictionary*) firmwarePatches->values; while(patchDict != NULL) { fileValue = (StringValue*) getValueByKey(patchDict, "File"); StringValue* keyValue = (StringValue*) getValueByKey(patchDict, "Key"); StringValue* ivValue = (StringValue*) getValueByKey(patchDict, "IV"); pKey = NULL; pIV = NULL; if(keyValue) { sscanf(keyValue->value, "%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x", &key[0], &key[1], &key[2], &key[3], &key[4], &key[5], &key[6], &key[7], &key[8], &key[9], &key[10], &key[11], &key[12], &key[13], &key[14], &key[15]); pKey = key; } if(ivValue) { sscanf(ivValue->value, "%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x", &iv[0], &iv[1], &iv[2], &iv[3], &iv[4], &iv[5], &iv[6], &iv[7], &iv[8], &iv[9], &iv[10], &iv[11], &iv[12], &iv[13], &iv[14], &iv[15]); pIV = iv; } if(strcmp(patchDict->dValue.key, "Restore Ramdisk") == 0) { ramdiskFSPathInIPSW = fileValue->value; if(pKey) { memcpy(ramdiskKey, key, sizeof(key)); memcpy(ramdiskIV, iv, sizeof(iv)); pRamdiskKey = ramdiskKey; pRamdiskIV = ramdiskIV; } else { pRamdiskKey = NULL; pRamdiskIV = NULL; } } if(strcmp(patchDict->dValue.key, "Update Ramdisk") == 0) { updateRamdiskFSPathInIPSW = fileValue->value; } patchValue = (StringValue*) getValueByKey(patchDict, "Patch2"); if(patchValue) { if(noWipe) { XLOG(0, "%s: ", patchDict->dValue.key); fflush(stdout); doPatch(patchValue, fileValue, bundlePath, &outputState, pKey, pIV, useMemory); patchDict = (Dictionary*) patchDict->dValue.next; continue; /* skip over the normal Patch */ } } patchValue = (StringValue*) getValueByKey(patchDict, "Patch"); if(patchValue) { XLOG(0, "%s: ", patchDict->dValue.key); fflush(stdout); doPatch(patchValue, fileValue, bundlePath, &outputState, pKey, pIV, useMemory); } if(strcmp(patchDict->dValue.key, "AppleLogo") == 0 && applelogo) { XLOG(0, "replacing %s\n", fileValue->value); fflush(stdout); ASSERT((imageBuffer = replaceBootImage(getFileFromOutputState(&outputState, fileValue->value), pKey, pIV, applelogo, &imageSize)) != NULL, "failed to use new image"); addToOutput(&outputState, fileValue->value, imageBuffer, imageSize); } if(strcmp(patchDict->dValue.key, "RecoveryMode") == 0 && recoverymode) { XLOG(0, "replacing %s\n", fileValue->value); fflush(stdout); ASSERT((imageBuffer = replaceBootImage(getFileFromOutputState(&outputState, fileValue->value), pKey, pIV, recoverymode, &imageSize)) != NULL, "failed to use new image"); addToOutput(&outputState, fileValue->value, imageBuffer, imageSize); } patchDict = (Dictionary*) patchDict->dValue.next; } fileValue = (StringValue*) getValueByKey(info, "RootFilesystem"); rootFSPathInIPSW = fileValue->value; size_t defaultRootSize = ((IntegerValue*) getValueByKey(info, "RootFilesystemSize"))->value; minimumRootSize = defaultRootSize * 1000 * 1000; minimumRootSize -= minimumRootSize % 512; if(preferredRootSize == 0) { preferredRootSize = defaultRootSize; } rootSize = preferredRootSize * 1000 * 1000; rootSize -= rootSize % 512; if(useMemory) { buffer = malloc(rootSize); } else { buffer = NULL; } if(buffer == NULL) { XLOG(2, "using filesystem backed temporary storage\n"); } extractDmg( createAbstractFileFromFileVault(getFileFromOutputState(&outputState, rootFSPathInIPSW), ((StringValue*)getValueByKey(info, "RootFilesystemKey"))->value), openRoot((void**)&buffer, &rootSize), -1); rootFS = IOFuncFromAbstractFile(openRoot((void**)&buffer, &rootSize)); rootVolume = openVolume(rootFS); XLOG(0, "Growing root to minimum: %ld\n", (long) defaultRootSize); fflush(stdout); grow_hfs(rootVolume, minimumRootSize); if(rootSize > minimumRootSize) { XLOG(0, "Growing root: %ld\n", (long) preferredRootSize); fflush(stdout); grow_hfs(rootVolume, rootSize); } firmwarePatches = (Dictionary*)getValueByKey(info, "FilesystemPatches"); patchArray = (ArrayValue*) firmwarePatches->values; while(patchArray != NULL) { for(i = 0; i < patchArray->size; i++) { patchDict = (Dictionary*) patchArray->values[i]; fileValue = (StringValue*) getValueByKey(patchDict, "File"); actionValue = (StringValue*) getValueByKey(patchDict, "Action"); if(strcmp(actionValue->value, "ReplaceKernel") == 0) { pathValue = (StringValue*) getValueByKey(patchDict, "Path"); XLOG(0, "replacing kernel... %s -> %s\n", fileValue->value, pathValue->value); fflush(stdout); add_hfs(rootVolume, getFileFromOutputState(&outputState, fileValue->value), pathValue->value); } if(strcmp(actionValue->value, "Patch") == 0) { patchValue = (StringValue*) getValueByKey(patchDict, "Patch"); patchPath = (char*) malloc(sizeof(char) * (strlen(bundlePath) + strlen(patchValue->value) + 2)); strcpy(patchPath, bundlePath); strcat(patchPath, "/"); strcat(patchPath, patchValue->value); XLOG(0, "patching %s (%s)... ", fileValue->value, patchPath); doPatchInPlace(rootVolume, fileValue->value, patchPath); free(patchPath); } } patchArray = (ArrayValue*) patchArray->dValue.next; } for(; mergePaths < argc; mergePaths++) { XLOG(0, "merging %s\n", argv[mergePaths]); AbstractFile* tarFile = createAbstractFileFromFile(fopen(argv[mergePaths], "rb")); if(tarFile == NULL) { XLOG(1, "cannot find %s, make sure your slashes are in the right direction\n", argv[mergePaths]); releaseOutput(&outputState); closeRoot(buffer); exit(0); } hfs_untar(rootVolume, tarFile); tarFile->close(tarFile); } if(pRamdiskKey) { ramdiskFS = IOFuncFromAbstractFile(openAbstractFile2(getFileFromOutputStateForOverwrite(&outputState, ramdiskFSPathInIPSW), pRamdiskKey, pRamdiskIV)); } else { XLOG(0, "unencrypted ramdisk\n"); ramdiskFS = IOFuncFromAbstractFile(openAbstractFile(getFileFromOutputStateForOverwrite(&outputState, ramdiskFSPathInIPSW))); } ramdiskVolume = openVolume(ramdiskFS); XLOG(0, "growing ramdisk: %d -> %d\n", ramdiskVolume->volumeHeader->totalBlocks * ramdiskVolume->volumeHeader->blockSize, (ramdiskVolume->volumeHeader->totalBlocks + 4) * ramdiskVolume->volumeHeader->blockSize); grow_hfs(ramdiskVolume, (ramdiskVolume->volumeHeader->totalBlocks + 4) * ramdiskVolume->volumeHeader->blockSize); if(doBootNeuter) { firmwarePatches = (Dictionary*)getValueByKey(info, "BasebandPatches"); if(firmwarePatches != NULL) { patchDict = (Dictionary*) firmwarePatches->values; while(patchDict != NULL) { pathValue = (StringValue*) getValueByKey(patchDict, "Path"); fileValue = (StringValue*) getValueByKey(patchDict, "File"); if(fileValue) { XLOG(0, "copying %s -> %s... ", fileValue->value, pathValue->value); fflush(stdout); if(copyAcrossVolumes(ramdiskVolume, rootVolume, fileValue->value, pathValue->value)) { patchValue = (StringValue*) getValueByKey(patchDict, "Patch"); if(patchValue) { patchPath = malloc(sizeof(char) * (strlen(bundlePath) + strlen(patchValue->value) + 2)); strcpy(patchPath, bundlePath); strcat(patchPath, "/"); strcat(patchPath, patchValue->value); XLOG(0, "patching %s (%s)... ", pathValue->value, patchPath); fflush(stdout); doPatchInPlace(rootVolume, pathValue->value, patchPath); free(patchPath); } } } if(strcmp(patchDict->dValue.key, "Bootloader 3.9") == 0 && bootloader39 != NULL) { add_hfs(rootVolume, bootloader39, pathValue->value); } if(strcmp(patchDict->dValue.key, "Bootloader 4.6") == 0 && bootloader46 != NULL) { add_hfs(rootVolume, bootloader46, pathValue->value); } patchDict = (Dictionary*) patchDict->dValue.next; } } fixupBootNeuterArgs(rootVolume, unlockBaseband, selfDestruct, use39, use46); } createRestoreOptions(ramdiskVolume, preferredRootSize, updateBB); closeVolume(ramdiskVolume); CLOSE(ramdiskFS); if(updateRamdiskFSPathInIPSW) removeFileFromOutputState(&outputState, updateRamdiskFSPathInIPSW); closeVolume(rootVolume); CLOSE(rootFS); buildDmg(openRoot((void**)&buffer, &rootSize), getFileFromOutputStateForReplace(&outputState, rootFSPathInIPSW)); closeRoot(buffer); writeOutput(&outputState, outputIPSW); releaseDictionary(info); free(bundlePath); return 0; }
int main(int argc, char* argv[]) { init_libxpwn(&argc, argv); if(argc < 4) { print_usage(); return 0; } AbstractFile* png; AbstractFile* img; AbstractFile* dst; void* imageBuffer; size_t imageSize; unsigned int key[32]; unsigned int iv[16]; unsigned int* pKey = NULL; unsigned int* pIV = NULL; if(strcmp(argv[1], "inject") == 0) { if(argc < 5) { print_usage(); return 0; } png = createAbstractFileFromFile(fopen(argv[2], "rb")); img = createAbstractFileFromFile(fopen(argv[4], "rb")); dst = createAbstractFileFromFile(fopen(argv[3], "wb")); if(argc >= 7) { sscanf(argv[5], "%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x", &iv[0], &iv[1], &iv[2], &iv[3], &iv[4], &iv[5], &iv[6], &iv[7], &iv[8], &iv[9], &iv[10], &iv[11], &iv[12], &iv[13], &iv[14], &iv[15]); sscanf(argv[6], "%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x", &key[0], &key[1], &key[2], &key[3], &key[4], &key[5], &key[6], &key[7], &key[8], &key[9], &key[10], &key[11], &key[12], &key[13], &key[14], &key[15], &key[16], &key[17], &key[18], &key[19], &key[20], &key[21], &key[22], &key[23], &key[24], &key[25], &key[26], &key[27], &key[28], &key[29], &key[30], &key[31]); pKey = key; pIV = iv; } imageBuffer = replaceBootImage(img, pKey, pIV, png, &imageSize); dst->write(dst, imageBuffer, imageSize); dst->close(dst); } else if(strcmp(argv[1], "extract") == 0) { img = createAbstractFileFromFile(fopen(argv[2], "rb")); if(argc >= 6) { sscanf(argv[4], "%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x", &iv[0], &iv[1], &iv[2], &iv[3], &iv[4], &iv[5], &iv[6], &iv[7], &iv[8], &iv[9], &iv[10], &iv[11], &iv[12], &iv[13], &iv[14], &iv[15]); sscanf(argv[5], "%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x", &key[0], &key[1], &key[2], &key[3], &key[4], &key[5], &key[6], &key[7], &key[8], &key[9], &key[10], &key[11], &key[12], &key[13], &key[14], &key[15], &key[16], &key[17], &key[18], &key[19], &key[20], &key[21], &key[22], &key[23], &key[24], &key[25], &key[26], &key[27], &key[28], &key[29], &key[30], &key[31]); pKey = key; pIV = iv; } if(convertToPNG(img, pKey, pIV, argv[3]) < 0) { XLOG(1, "error converting img to png"); } } return 0; }
int doPatch(StringValue* patchValue, StringValue* fileValue, const char* bundlePath, OutputState** state, unsigned int* key, unsigned int* iv, int useMemory, int isPlain) { char* patchPath; size_t bufferSize; void* buffer; AbstractFile* patchFile; AbstractFile* file; AbstractFile* out; AbstractFile* outRaw; char* tmpFileName; if(useMemory) { bufferSize = 0; buffer = malloc(1); outRaw = createAbstractFileFromMemoryFile((void**)&buffer, &bufferSize); } else { tmpFileName = createTempFile(); outRaw = createAbstractFileFromFile(fopen(tmpFileName, "wb")); } patchPath = malloc(sizeof(char) * (strlen(bundlePath) + strlen(patchValue->value) + 2)); strcpy(patchPath, bundlePath); strcat(patchPath, "/"); strcat(patchPath, patchValue->value); XLOG(0, "%s (%s)... ", fileValue->value, patchPath); fflush(stdout); patchFile = createAbstractFileFromFile(fopen(patchPath, "rb")); if (isPlain) { out = outRaw; file = getFileFromOutputState(state, fileValue->value); } else { if(key != NULL) { XLOG(0, "encrypted input... "); out = duplicateAbstractFile2(getFileFromOutputState(state, fileValue->value), outRaw, key, iv, NULL); } else { out = duplicateAbstractFile(getFileFromOutputState(state, fileValue->value), outRaw); } if(key != NULL) { XLOG(0, "encrypted output... "); file = openAbstractFile2(getFileFromOutputState(state, fileValue->value), key, iv); } else { file = openAbstractFile(getFileFromOutputState(state, fileValue->value)); } } if(!patchFile || !file || !out) { XLOG(0, "file error\n"); exit(0); } if(patch(file, out, patchFile) != 0) { XLOG(0, "patch failed\n"); exit(0); } if(strstr(fileValue->value, "WTF.s5l8900xall.RELEASE")) { XLOG(0, "Exploiting 8900 vulnerability... ;)\n"); AbstractFile* exploited; if(useMemory) { exploited = createAbstractFileFrom8900(createAbstractFileFromMemoryFile((void**)&buffer, &bufferSize)); } else { exploited = createAbstractFileFrom8900(createAbstractFileFromFile(fopen(tmpFileName, "r+b"))); } exploit8900(exploited); exploited->close(exploited); } XLOG(0, "writing... "); fflush(stdout); if(useMemory) { addToOutput(state, fileValue->value, buffer, bufferSize); } else { outRaw = createAbstractFileFromFile(fopen(tmpFileName, "rb")); size_t length = outRaw->getLength(outRaw); outRaw->close(outRaw); addToOutput2(state, fileValue->value, NULL, length, tmpFileName); } XLOG(0, "success\n"); fflush(stdout); free(patchPath); return 0; }
Dictionary* parseIPSW2(const char* inputIPSW, const char* bundleRoot, char** bundlePath, OutputState** state, int useMemory) { Dictionary* info; char* infoPath; AbstractFile* plistFile; char* plist; FILE* inputIPSWFile; SHA_CTX sha1_ctx; char* buffer; int read; unsigned char hash[20]; DIR* dir; struct dirent* ent; StringValue* plistSHA1String; unsigned int plistHash[20]; int i; *bundlePath = NULL; inputIPSWFile = fopen(inputIPSW, "rb"); if(!inputIPSWFile) { return NULL; } XLOG(0, "Hashing IPSW...\n"); buffer = malloc(BUFFERSIZE); SHA1_Init(&sha1_ctx); while(!feof(inputIPSWFile)) { read = fread(buffer, 1, BUFFERSIZE, inputIPSWFile); SHA1_Update(&sha1_ctx, buffer, read); } SHA1_Final(hash, &sha1_ctx); free(buffer); fclose(inputIPSWFile); XLOG(0, "Matching IPSW in %s... (%02x%02x%02x%02x...)\n", bundleRoot, (int) hash[0], (int) hash[1], (int) hash[2], (int) hash[3]); dir = opendir(bundleRoot); if(dir == NULL) { XLOG(1, "Bundles directory not found\n"); return NULL; } while((ent = readdir(dir)) != NULL) { if(ent->d_name[0] == '.' && (ent->d_name[1] == '\0' || (ent->d_name[1] == '.' && ent->d_name[2] == '\0'))) { continue; } infoPath = (char*) malloc(sizeof(char) * (strlen(bundleRoot) + sizeof(PATH_SEPARATOR) + strlen(ent->d_name) + sizeof(PATH_SEPARATOR "Info.plist"))); sprintf(infoPath, "%s" PATH_SEPARATOR "%s" PATH_SEPARATOR "Info.plist", bundleRoot, ent->d_name); XLOG(0, "checking: %s\n", infoPath); if((plistFile = createAbstractFileFromFile(fopen(infoPath, "rb"))) != NULL) { plist = (char*) malloc(plistFile->getLength(plistFile)); plistFile->read(plistFile, plist, plistFile->getLength(plistFile)); plistFile->close(plistFile); info = createRoot(plist); free(plist); plistSHA1String = (StringValue*)getValueByKey(info, "SHA1"); if(plistSHA1String) { sscanf(plistSHA1String->value, "%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x", &plistHash[0], &plistHash[1], &plistHash[2], &plistHash[3], &plistHash[4], &plistHash[5], &plistHash[6], &plistHash[7], &plistHash[8], &plistHash[9], &plistHash[10], &plistHash[11], &plistHash[12], &plistHash[13], &plistHash[14], &plistHash[15], &plistHash[16], &plistHash[17], &plistHash[18], &plistHash[19]); for(i = 0; i < 20; i++) { if(plistHash[i] != hash[i]) { break; } } if(i == 20) { *bundlePath = (char*) malloc(sizeof(char) * (strlen(bundleRoot) + sizeof(PATH_SEPARATOR) + strlen(ent->d_name))); sprintf(*bundlePath, "%s" PATH_SEPARATOR "%s", bundleRoot, ent->d_name); free(infoPath); break; } } releaseDictionary(info); } free(infoPath); } closedir(dir); if(*bundlePath == NULL) { return NULL; } *state = loadZip2(inputIPSW, useMemory); return info; }
int doDecrypt(StringValue* decryptValue, StringValue* fileValue, const char* bundlePath, OutputState** state, unsigned int* key, unsigned int* iv, int useMemory) { size_t bufferSize; void* buffer; AbstractFile* file; AbstractFile* out; AbstractFile* outRaw; char* tmpFileName; if(useMemory) { bufferSize = 0; buffer = malloc(1); outRaw = createAbstractFileFromMemoryFile((void**)&buffer, &bufferSize); } else { tmpFileName = createTempFile(); outRaw = createAbstractFileFromFile(fopen(tmpFileName, "wb")); } out = duplicateAbstractFile(getFileFromOutputState(state, fileValue->value), outRaw); file = openAbstractFile3(getFileFromOutputState(state, fileValue->value), key, iv, 0); if(!file || !out) { XLOG(0, "file error\n"); exit(0); } char *buf = malloc(1024 * 1024); off_t inDataSize = file->getLength(file); while (inDataSize > 0) { off_t avail, chunk = 1024 * 1024; if (chunk > inDataSize) { chunk = inDataSize; } if (chunk < 0) { XLOG(0, "decrypt failed\n"); exit(0); } avail = file->read(file, buf, chunk); out->write(out, buf, avail); if (avail < chunk) { break; } inDataSize -= chunk; } out->close(out); file->close(file); free(buf); XLOG(0, "writing... "); fflush(stdout); if (decryptValue) { fileValue = decryptValue; } if(useMemory) { addToOutput(state, fileValue->value, buffer, bufferSize); } else { outRaw = createAbstractFileFromFile(fopen(tmpFileName, "rb")); size_t length = outRaw->getLength(outRaw); outRaw->close(outRaw); addToOutput2(state, fileValue->value, NULL, length, tmpFileName); } XLOG(0, "success\n"); fflush(stdout); return 0; }