Bundle creation walkthrough

Styden edited this page Jun 22, 2015 · 6 revisions
  • Fill in the Info.plist file (in newbundle/Info.plist)
    • Fill in everything except the name of the root volume; you'll get that after you decrypt the root filesystem.
  • Extract ipsw contents to a folder called 'zip'.
    • Use whatever base directory you find convenient; the commands below assume your current directory is that base directory, into which this git repo has been cloned/unzipped.
  • Create the 'work' folder
    • Again, in the base working dir.
  • Extract the files: ipsw.py --bundle newbundle --ipsw zip --out work
    • This runs xpwntool on all img3 files mentioned in Info.plist and unpacks files like asr and lockdownd that are listed in the Patches section of Info.plist. Decrypted img3 files are given a '.dec' suffix and placed in the 'work' directory. Files that need patching are copied to the 'work' directory as is, because they are not encrypted.
  • Patch asr: tools_bin/fuzzy_patcher --patch --fuzz 80 --delta patches/armv7/asr_42.patch.json --orig work/asr --patched work/asr_tosign
    • This patch makes asr ignore a rootfs signature mismatch. See Patch details.
  • Fix asr hashes: cp work/asr_tosign work/asr.ap ; ldid -s work/asr.ap
    • You can also use codesign with a self-signed certificate: codesign -fs <certificate_name> work/asr.ap
  • Extract the kernelcache (since it's absent from Info.plist, ipsw.py won't extract it automatically): xpwntool zip/kernelcache.release._CPU_ work/kernelcache.release._CPU_.dec -iv .. -k ..
    • _CPU_ stands for your device's CPU name: iPhone 3GS: n88, iPad: k48, iPhone 4: n90.
  • Apply the kernel patch: tools_bin/fuzzy_patcher --patch --fuzz 80 --delta patches/armv7/kernelcache_armv7.patch.json --orig work/kernelcache.release._CPU_.dec --patched work/kernelcache.release._CPU_.dec.ap
    • This disables code signing enforcement, allows w+x pages, and disables sandboxing for all apps except those in /User/Applications.
  • Apply the nor patch to iBSS: tools_bin/fuzzy_patcher --patch --fuzz 80 --delta patches/armv7/nor.patch.json --orig work/iBSS._CPU_.RELEASE.dfu.dec --patched work/iBSS._CPU_.RELEASE.dfu.dec.ap_pre
    • This disables signature checking in iBSS, allowing it to load unsigned/patched ramdisks.
  • Embed kernel patches into iBSS: tools_src/ibss_kpatch/ibss_patcher.py work/iBSS._CPU_.RELEASE.dfu.dec.ap_pre work/iBSS._CPU_.RELEASE.dfu.dec.ap work/kernelcache.release._CPU_.dec work/kernelcache.release._CPU_.dec.ap tools_bin/ibss_patchproc.bin
    • This diffs the original and patched kernelcache files and embeds those differences into the iBSS file, so that iBSS patches the kernelcache on load. That is how the kernel patches get applied during restore and tethered boot.
  • Run ipsw.py --create --bundle newbundle --ipsw zip --out work to create bsdiff patches in the newbundle dir.
    • This creates .patch files in the bundle directory from all <file> / <file>.ap pairs, equivalent to: bsdiff <file> <file>.ap <file>.patch