#futurerestore-help
1 messages · Page 110 of 1
You can’t rn so just restore it
oh no ik
Don’t worry
Well taurine sets a default nonce
?
^
Ah you're right, I'm thinking before A12
Yeah damn man
1yr no cracks and on the day I lose my jb it cracks
with a case on too
seems like a sign I need that new iPhone 12 glass lol
Well since you have to update you could trade it in for a 12
You'll be on the latest either way
true
@celest basalt 0xbd34a880be0b53f3
Alright thank you
@zealous bridge ipwndfu is new tech?
no
ipwndfu is checkm8
pog? yes
what is the intended purpose? downgrading or just pwn dfu
ipwndfu was released when checkm8 was announced
what does it do downgrade?
its initial creation was nothing to do with downgrading
but from pwndfu you can remove sep signature checks
lol for the infamous bypass?
which is why its required for downgrading with odysseus
yes
It loads the sep from the firmware
But its not checked for signatures
--latest-baseband is used
ah and ipwndfu literally slaps it and tells it to load?
yup
so if anything goes wrong will it bootloop u?
Yes
ye but u have blobs lol and ur A11-
then sep and bb ignore is kinda scary then
nah
what if the sep is not compatible with the ios lol
it just skips then it fks with stuff
Not latest sep
sep from the ipsw?
ok
very pog
thats cool tech then
i honestly might stay on 14.3 tbh
same lol just asking
taurine is more stable than odyssey
it works for onboard too tho
i will definitely use ipwndfu
so in case ppl update accidentally
i saved my shsh2 for 14.3 when I used odyssey on 13.7
no they arent
but it always shows an error
onboards are fine
its correct
screenshot
they work perfectly
not rn
hm
why?
you just need to have ipsw updated
i have 14.3
to the version ur on
dont use -w
but it doesnt restore
i saved generator and shsh2 properly
dont use -w
so?
its an a12 iphone xs
what ios version?
fr without -w
14.4
you cant use fr
^
teh blobs work
need a jailbreak to use futurerestore
i set generator
no u cant
when i was jbed
@fathom fox you can’t use futurerestore
u have to set the generator RIGHT NOW if u want to use the blobs
i need jb for fr? i can just probably pwn it
yes u need jb for it
yeah gl pwning a12
wtf
someone needs to make nonce for non jb
u cant pwn it lol
is that possible
no
nope
wen pwnd dfu a12
it might
wait like 10 years
iphone x vuln came out in just 2 years
but it would be device specific bootrom exploit lol
no more shit like checkm8
what if pwned dfu mode worked on a12
it was like 6 years
it wont
ok
K bye
bai
jk
im gonna wait for next jb
probably 1000 years
im switching to iphone 7
i need a home button
true
the last phone to have a real one is the 6s/6s+
also last ones to have headphone jack
im broke
everything i use is wired
i dont even have airpods
my mouse is wired
my charging is wired
Bruh
my earbuds are wired
What's ur main
relying on battery fucking sucks ass
wdym, phone?
Yes
my X
bruh same lmao
Can someone explain to me why it’s so complicated or even impossible to downgrade SEP when it’s done easily from beta version to signed version ?
its honestly not that bad tho
it lasts like 3 hrs on one charge
u just charge at night thats it
you don’t downgrade via ota
Maybe dumb question but what is futurerestore
a tool that lets you restore to unsigned versions with blobs
Thanks
So SEP can be easily downgraded but only from restore through Finder/iTunes ? And those have to be signed right ?
sep doesn’t really change from stable to beta
@green onyx @zealous bridge if you see that annoying guy asking about fdr again let me know
the 14.2 guy?
but yes you are correct
ok sure
Hmm ok. Is there a particular reason for OTA to not be able to downgrade SEP ? I know there’s 2 type of OTA, delta and full. I understand that delta is just a patch, but shouldn’t the full OTA be able to achieve that ? I’m really wondering as I found this subject interesting
@lilac wren u as well
👍
@radiant mountain good question, i’m also wondering the same thing, but a lot of this is just guess work. my theory is that it may have been possible to downgrade sep via ota because it did work for one person, but apple patched ota to not downgrade sep as soon as they realised that that was possible
but again all of this is guess work
Hmm ok ok thx for clarifying things out. Kinda odd that Apple would have patched that so quickly, and after only one reported successful downgrade tho
There was an error that meant apple didn't sign it right?
true, but i can’t think of anything else
which error
Unable to personalize right
And I’m not trying to see if that could work for me as I’m on A13 and it will require editing system.plist, just wondering, that’s interesting
Denied to personalize for this device
In console
On OTA it just says connect to internet or something
that means unable to downgrade sep probably
Yeah but we spoofed device firmware
So why does apple refuse to sign?
It doesn't know we're downgrading
Remember how apple isn’t signing 14.3 rose, etc for a13 a14 @lilac wren
Oh I didn't learn this lol
So A12 can downgrade through OTA?
Maybe system.plist isn’t enough ? You should sniff all device requests to see what apple gets from the device and what apple’s servers send back ?
Yes a12 can unless sep is an issue
And how come they can still upgrade to 14.3 just not downgrade
A13 a14 will need hacks to use 14.4.2 firmware updater components
it wont work if sep is too high
I can't find any info on what rose is, can you link anything
No idea
it’s a firmware
Oh
don’t know much more than that
It’s an a13/a14 and t2 Mac feature but SE2 does not have rose despite being a13
@lilac wren
Oh hm
aight
which
watch him come back tmr
yea lol
there are multiple ppl that beg for fdr
tf he pinged cryptic
ye lol
i think cryptic was talking about him
probably lol
there was another dumbass on github like last week
begging for fdr smh
was pretty funny ngl
thats true
but what i said this morning shouldve been enough lol
ngl, nowadays, nobody is using fr
ppl who do are on 14.4+ A12 or dont have blobs
because ota is a thing
lol

2 years late to dark mode lmao
Maybe not in this channel but logs have been active as ever lol
And nowadays = past 2 days only? Lol
99% are exit recovery
and like the 1% is like martin
They're really not
I'll do an audit if you want lol
lol froggy not even member pro
I'm 29 ok
sad
Just gotta keep talking
ur almost there
13.5 was the last 0day yes
Untrue
I made a 0 day
0 day delay profile 😎

what
froggy has a point
Fr. noun [ before noun ] written abbreviation for Father when used as a title of a Christian priest, especially a Roman Catholic or Orthodox priest: Fr.
https://youtu.be/d_rongCrYOE @lilac wren its from here
froggy has 400xp to go
🐸
How many messages is that lol
40
40-400
2
anywhere from there
Were you joking
I just watched the whole thing
And didn't see it
Froggy for dev
true
froggy ford ev
froggy and tanbeer forge nius
Tf is an advanced dev
idk but it exists
hayden has it
CS and uroboro have it
Tanbeer definitely advanced lol
true
Binger has it too
JTV too
Prob
@void rapids should be owner
we both pinged the wrong guy
Idk lol
@split torrent this is the real apple
Where the other one
@split torrent lol
Fr

Oh shit it isnt
Oh shit apple

I own ur mom

Lol wait how
Wow
!t fwjson
download this file from a browser: https://api.ipsw.me/v2.1/firmwares.json/condensed (right-click, Save as), rename it from "condensed.json" to "firmwares.json", then put it in C:/Users/username/AppData/Local/Temp
By: Tanbeer#4750
what=getting keys failed with error: 13697039 (failed to get FirmwareJson from Server). Are keys publicly available?
I saved to /tmp/firmwares.json but it still says this 
dont use windows 
/tmp/futurerestore/firmwares.json
ah
fix tag lol
lol u should be genius
didnt add the linux one
is it just Temp on Windows or Temp\futurerestore
just temp afaik
Yes
Quality of a tool always depends on the nature of the user
Does checkra1n work on this iPad
A5-A11 right?
Or is that really off
right
I've never used it before
but checkra1n is 12.3+
Fugu?
Anyone have success downgrading from 14.4.2 to 14.0.1 on A13 or a similar downgrade? Trying to rectify a shitty situation but I’m not looking to waste a few hours to just have to restore my iPhone if there’s no shot of it working
not possible, you would need a jailbreak to even modify the SystemVersion.plist but even then the SEP seems to reject downgrades
has editing the systemversion.plist been confirmed working?
not working
Is it possible to futurerestore from 14.4.2 to 14.0-14.4
what device
11 pro
i lost my jailbreak due to a bootloop 😦 im dying here
rip
now i need to wait again for new jailbreak
just dont upgrade
no i will stick with 14.4.2
ok good
14.14.3 yes
14.4.2 maybe after summer
what happened?
Could it be possible to achieve that without editing SystemVersion.plist but rather modifying the request/response made when going on "Check for update" ?
Modifying the request allowed me to get the 14.5 beta 7 OTA to download, without having the Apple beta profile. I know downgrading is a step above tho', but those .xml you got could perhaps be manipulated to obtain some positive result
Probably restore backup with a made while jailbroken one after the OTA update
afaik that's one of the only cases where you can bootloop after following the steps in announcements
good question, the problem is if we can't even reliably downgrade A11 by modifying the plist then there's even less chance for A12+
You were able to modify the response? What proxy did you use (if any) and is there an XML format you have? I've tried to get the response myself but it seems that the phone recognizes that I'm sniffing and stops.
Didn't manage to get the response, only switched the request url, yeah the response seems obfuscated, but I believe it just gets all the mesu/assets/... then the device parses it to know what to do depending on the said .xml
Im using Burp Suite to do that, that's the only sniffer i know lol probably not the best for iOS stuff idk
Yeah ofc, was just saying.. Downgrading is indeed something else than just spoofing some strings. Do you know if any tests have been made on other proc than A11 for downgrading ? It may be A11 related only ? 🤷
you swapped out the XML file from this URL, right
14.3 devices on A11 have 14.4+ sep?
From what I've understood, there's no "response" as the get seems to be 'as it is'. When you go on 'Check for update', a GET/ is made, retrieving a big ass XML containing all OTA possibilities for every device, then the device parses it to know if there is something for itself. If that's the case, it does a 2nd GET/ to get the OTA's files. So what I did is switching mesu/assets/... to mesu/assets/iOS14PublicSeed then my device (supposedly) parsed the xml, saw that there was indeed an upgrade available, then the device made a 2nd GET/ request on http://updates-http.cdn-apple.com/..., that maybe could be modified to get whatever OTA files ?
true
Made my browser load for 5 minutes
lol
What im saying is, there's probably no xml in the response bc it got the whole xml, then parsed it on device
thanks so much! How did you know that iOS14PublicSeed was a valid URL?
By installing the profile in the first place and did the same manipulation
ah makes sense
I saw that instead of looking in assets it was doing in assets/iOSetc
azzou big brain
iOS13PublicSeed is a thing too
#Azzou forge nius
And im curious to see where it looks while being supervised with the deferred profile 🤔
Didnt bother myself for another data wipe on my device to test it out...
What I want to try is:
1st request: tell device to look in iOS14PublicSeed -> it gets an OK for update and proceeds to the 2nd request
2nd request would download the OTA files -> swap the original iOS14PublicSeed request with the one made when ur supervised with deferred profile to maybe get the 14.3 OTA ?
why not just change 1st request to an XML file with iOS 14.3 OTA
And for the record im far from being a genius.. Im a dev, use to jailbreak my device since limera1n, and still managed to bootloop with the OTA method, while all kids in the world are enjoying Taurine 
still smarter than 99% of the members of this server
Because I believe (not sure) that the parsing is made on device. So it will compare that XML with the ios version (probably in SystemVersion.plist) and won't proceed to the 2nd request since it's not an upgrade
the managed/supervised update request includes a BCert generated by the SEP which is tied to the device and the version you're updating to
this is something that isn't needed with regular non-delayed updates
Those requests are probably made in different functions or something ? Like one is checking if there's an update, the 2nd one is getting that update. I guess if you get/ on http://updates-http.cdn-apple.com (where the ota files come from) on the 1st request, you will end up with some error message like "Unable to retrieve update, try later". Didn't try it tho
How do Apple's servers know if the BCert is valid or not ?
I'm trying right now and... it doesn't seem like mesu even comes up while supervised... maybe I'm doing something wrong
it's only gdmf
Time to wipe my device, ill try too
👍
Fresh install bc of the bootloop so np 
ah lol
I don't know if the server verifies it against some Apple key, but the cert also includes a SepNonce which changes on every request so that basically prevents a full OTA replay attack
you can replay the request to save OTA blobs that can be used on A11 and lower in PwnDFU (useless on A12 and above), and pair it with a signed SEP in futurerestore, but the actual OTA process itself cannot be simply replayed on-device since we can't set the SepNonce
Yeah, my thoughts are that, maybe just maybe if the .xml are manipulated correctly, there will be no need for blobs or whatever since Apple would allow the upgrade/downgrade
I can't get mesu software update xml url to retrigger, I'm unsupervised now as well...
Cant sniff while being supervised ? That's weird..
!t joe
joemama
Noob
yeah I think mesu is over HTTPS, actual OTA zip download and TSS is cleartext
love you too cryptic
Ez fix
Burp can sniff https
but clearly mesu is possible to MITM because people have done it on Apple TV
i managed to get that XML though even if it was over https?
oh because i did it from
nvm
im dumb
some of the requests cannot be decrypted even with SSL Kill Switch, but some can
i just saw the request url and did it on my computer, don't think I actually received the XML
but I can't see that request anymore
Btw Froggy you are the one behind the discovery of that OTA method ?
if you see the full URL with HTTPS and not just the hostname then it is decrypted
eh one of the three, everyone who has 90 Day Delay profile installed doxxed me bc my computer name is on there -_-
oh oops lol
yeah I saw it
wow
anyway odysseyra1n gang until I get futurerestore pwndfu downgrade to 14.3 working 
That's really cool to see new unconventional techniques like that, you guys are true big brains to think different like this lol
I’ve https sniffed every part of iOS. Some urls are ssl pinned by the kernel; mesu is not pinned by the kernel, only daemon pinned @lilac wren
gonna sleep now though
Lol poor Apple
I actually see mesu again with a different client, but it's very empty
CONNECT mesu.apple.com:443 HTTP/1.1
Host: mesu.apple.com
User-Agent: nsurlsessiond/1209 CFNetwork/1209 Darwin/20.2.0
Connection: keep-alive
Proxy-Connection: keep-alive
and doing that request through cURL doesn't work
that's just the CONNECT, it's not decrypted
I can't simulate this request?
no because you don't have all the details, only the hostname
It’s pinned by the daemon @lilac wren
you can try [[ios ssl kill switch]] I don't remember if it works for mesu
oh wow
there is a v2 on julioverne's repo
how did I just get this url before though
unrelated: I tried to re-enable OTA updates on a Corellium device just for fun but no luck so far 
Corellium devices have OTA default disabled or wdym
yes
are they real or just super well emulated?
the daemons are disabled and mesu etc are blocked in the hosts file
oh wow
the latter
I figured out how to get the mesu request again
enable ssl proxying for gdmf
sometimes it works sometimes it kicks you out it seems?
time to get the xml for supervised
also enabled ssl for mesu
goes down as low as 13.1.2
ah I think I figured it out? maybe? Supervised = no seeing SSL; Non-supervised = able to see those requests?
doubt it
@lilac wren disable ssl pinning in the daemon
yes kill switch should work fine with ssl proxy profile
idk how to do that manually? So i'll try this kill switch bc I'm dumb
just use the tweak
I use charles proxy it lets me install a profile on my iPhone
then I trust it in general > about > certs
There are a lot of URLs like this requested just by looking for an update..
http://mesu.apple.com//assets/com_apple_MobileAsset_SecureElementServiceAssets/com_apple_MobileAsset_SecureElementServiceAssets.xml
http://mesu.apple.com/assets/com_apple_MobileAsset_EmbeddedSpeech/com_apple_MobileAsset_EmbeddedSpeech.xml
http://configuration.ls.apple.com/config/defaults?os=ios&os_version=14.3&hardware=iPhone12,3
No idea of what they are used for tho
OTA files are then downloaded from there
~~http://updates-http.cdn-apple.com/2021WinterSeed/mobileassets/001-87156/EF769EC2-3A75-442D-9E58-3075CC35963B/com_apple_MobileAsset_SoftwareUpdateDocumentation/b28342f521dd6aca84791f77372a24c7e65f7666.zip~~ that one is not valid, ill get the valid one
That's the Beta 7 if im not wrong
Im wondering if they are tied to a device, like whether '001-87156' or 'EF769EC2-3A75-442D-9E58-3075CC35963B' are device specific or just a general path
Looks like just file udids
mesu is gone again... on both proxies this time
I wonder if it caches the XML available updates or something?
It’s probably cached lol @lilac wren
ok will reboot userspace
Hmm that's weird... Without having the deferred profile, I can't sniff anything while being supervised...
Even tho all restrictions are disabled
if you have the deferring profile it lets you sniff SSL without the kill switch tweak?
"Impossible to check for update", even without the proxy
I think it's just jank lol
this is probably the proxy though
and i still can't get mesu
what is this https://gdmf.apple.com/v2/assets
it's just a jumble of text
oh it's b64
it is base64 separated by dots
and what you will end up decoding it to is invalid request method
what are you trying to do, maybe I can help
I've screwed with pallas a bit
lmao what you got is just the JWT, saying access denied
nothing specifically, I just want mesu back so I can see what a deferred request looks like and map that into an unsupervised
deferred request for ota links?
because the mesu xml is not what gives ios the links to deltas
someone did it with a TV
so i'm just going to recreate it for iOS
gtg shower but I'll work on it after or tomorrow
http://updates-http.cdn-apple.com/ is the link to the deltas right ?
yes but the key link y'all are missing here is pallas
pallas ?
nah pallas unnecessary
I'm going to be happy if this works bc the last trace of it I see was from iOS 13
so the mesu request is switching between http and https?
Currently have 2 different methods for getting iOS 14.3 after April 26th, this is the second. Will release then if it works
Nah mesu just doesn't request sometimes it seems lol
Ah ok found the mesu cache
This should work but I'll test after I shower, it's about to be 10 pm lol
HEY I'M PINK
YAy
Nice me you and phonerebel
I cant manage to sniff any settings request while being supervised, even tho im doing the exact same thing as when i wasnt.. Safari requests are sniffed as normal, but not the check for update..
aight here we go again
Now that you're here, what do you think of this ? #futurerestore-help message
Nothing I went to shower but did find the mesu cache
Apple services will fail any connection that uses HTTPS Interception (SSL Inspection). If the HTTPS traffic traverses a web proxy, disable HTTPS Interception for the hosts listed in this article.
If you jailbreak you can bypass this
someone gave me a bizarre idea may fix fdr
i forgot you could do this
Don't say it out loud O_o you never know what eta kids will be watching
wasn't planning on saying how
But why does that only apply to supervised and not unsupervised ?
I think it applies to all? Or can you confirm it's only supervised? Bc I think it's just being very janky sometimes
my cable has the stupid, nice
Yeah yeah, I was sniffing through https, thats how I found about iOS14Seeds etc
But after I wipe then supervise my device, i cant sniff shit
what tweak to bypass cert pin again
Im using a trusted certificate like DhinakG showed in his screenshot, that allows https sniffing. It works on every request made by safari, http and https, but not the ones made in the settings app
Yes bc of what I just sent up above
Try unsupervising and sniffing, see if you can
This
mesu.apple.com is an apple service
I tried that, it worked fine. I wanted to sniff while being supervised, to see the get url
Guess i cant if not jailbroken ? Or maybe there's a param i need to modify in the proxy
Ik same happened with me, I unsupervised and sniffed and it continued to not work. Which is why I'm saying it's jank and not based on supervision. You should try it though
Either try messing around with it or jailbreak and use kill switch
A13 14.4.2
found cache location
already was found lol
i asked and you didn't tell smh
then you need to just see if you get lucky IG, do some more control tests
where did you ask
^
oh i see here
Hi, can someone confirm that if I have my blobs saved that I can update my phone to 14.3 - i have an iphone 12
what version are you on rn
14.2.1
were you jailbroken when you saved blobs
with what
to confirm, it's located in /private/var/MobileSoftwareUpdate/MobileAsset/AssetsV2?
yes and then the one with the list is at com_apple_MobileAsset_SoftwareUpdate
i restore rootfs so that i could use the ota method and then realised it doesnt work on A14

iOS 14.3 blobs you saved in February? Wasn't it unsigned
i realised what I was doing wrong
Finally I can change my nickname
Lol how did you even get that blob
Could be worse IG
What tool
No to get the blob
Rip
blobsaver
Blobsaver needs some better warnings
@lilac wren the dir's being recreated but i see 0 requests in my mitm
oh assets are empty
yeah it still won't make a request to mesu for me :/
i wonder where it's getting the xml from then
hmmmmmm
lol
@zealous bridge r u here
I am
love you

probably stupid but has anyone thought about reversing
pussy
wow
lmao
:P
lol why does rejailbreaking move my xcode previews outside a folder every time
it's literally just that app
no custom springboard layout or folder tweaks either
no icon layout or flashback or whatever
Froggy do you believe that the host may be swapped while sniffing a request ?
Like... could a request be redirected to another host instead of mesu ?
If so, we could give to the device some bullshit .xml that will allow us to do whatever we want with it
Anything I miss
Doubt it
Oh wait I see what you mean
Yes this is exactly what we're trying to do... Lol
Like I said it's been done before with an Apple TV to some ios 13 version so I'm trying to replicate it on iOS
But we need the phone to fetch from mesu to get our own xml file
If it uses some cache then it's not going to ever fetch mesu / our xml
Are ppl future restoring again?
Eh kinda
Lol shouldnt you go sleep or something ? U crazy madlad
I miss helping ppl with fr lol
(its 5am for me tho)
I'm about to haha, in bed on Discord mobile :P
Ur in the UK?
Lol why are you awake, stayed up late or woke up early
@zealous bridge just so you're not confused I was gonna ask if you could ask that group chat / siguza if there's a way to force devices to fetch from mesu... But that's probably a dumb question for them lol so nvm
late late
Rip
About the supervised issue where you can't sniff, maybe it's related to https://support.apple.com/en-us/HT210176 ?
It's only 11 not too late
I just posted it twice remember
Here
Charles and proxyman both have fine certs
Idk what you're using but it's probably fine too
Mine seems not valid in fact...
Above the 825 days limit
Nevermind, it should be good
Im used to Burp Suite, used it from time to time in the past
Additionally, all TLS server certificates issued after July 1, 2019 (as indicated in the NotBefore
So mine is valid since it has been issued before
do we know what exactly is making the request to mesu
What do you mean ? in iOS ?
yes
Entering the "Check for Update" view will make a call to mesu, fetch the whole .xml, then on device, proceed to some parsing to know if there is a valid .dict to upgrade to, and if so, create a request as specified in the parsed .xml to fetch the OTA's patch/full
nah that's not specific enough
So I guess the request is created somewhere here https://developer.limneos.net/index.php?ios=13.1.3&framework=SoftwareUpdateCore.framework&header=SoftwareUpdateCore.h
i'm looking for frameworks in the dyld cache
o
haven't looked at that framework yet
Worth a try 🤷 You can look at every header with SoftwareUpdate or SU in the name
nope nothing with mesu.apple.com nor MobileAsset_SoftwareUpdate in there
I don't think that those values will be in plain text
would that even work
Just like the request for OTA files is not, it's created by fetching the XML
Does it ? How can we upgrade to 14.3 then ? 🤔
because apple is signing it
Then if the firmware is signed, what the problem ?
it’s only signed for supervised and managed devices
in the extracted frameworks they would
And every device could be supervised, no big deal
Not if he got those values from a method like "parse_some_xml_in_cache()" ?
If those values are gotten at runtime, they wont appear in the framework right ? You're the big brain, you tell me
yea, that's also why i've been grepping the fs
if they're in a plist or plain text file, even in a binary plist, it'll show up in grep
Hmm... I guess those values aren't in this framework.. There's a lot with SU or SoftwareUpgrade tho, might check the others
i really don’t get how this would work if we can’t get the firmware to be signed by tss
@royal flint can you explain
SoftwareUpdateCore could only be the manipulation stuff
blobs dont expire correct?
they dont, theyre just backups of signatures
Because it is signed
i dont know exactly either but i'm guessing you could use this as a replay - get tss response, fail the update, and then update at a later date
then why would we need a bs .xml file
To specify 14.3
we can do that normally can’t we
i'm still not convinced mesu xml does stuff
April 26th
Like I said it worked for someone on apple TV so
¯_(ツ)_/¯
Because I get only 14.4.2 non supervised
yet apple tv doesnt have bcert
There's no mention of bcert in the file
i'm literally just extracting every framework at this point
so supervise and spoof?
bcert will tie the signature to that version so it becomes harder to manipulate
Yeah but issue is device isn't making any requests to mesu anymore, even unsupervised now. Super jank
This has nothing to do with signatures
It only works if it's signed
Could be in no frameworks too... From sniffing earlier, I believe that I remember some GET/ on some .xml or whatever when device is booting and connected to wifi/network, could be in those ?
Thats not my point, it does have to be signed, but you can’t manipulate the version without having some signature to even load it
which apple tv doesnt require iirc
what ur saying may be possible tho
I mean maybe but all we're doing is removing 14.4 14.4.1 and 14.4.2 from the xml
I don't see how that would mess with signatures
So you also need your delayed OTA blobs for this?
Not after 26th April
It's still signed after 26 April
I don't believe you even need to do that, easier would be a fake .xml that would have a key to a beta version or a fake ass 14.4.99 version, and then specify the 14.3 OTA file urls in the correct key of the said .xml. Device will parse it, see that 14.4.2 < 14.4.99, then create a request to download the OTA files, which are signed if the device is managed.
Just not accessible
the DelayPeriod field inside pallas request will make sure that it’s not reaching tss
Ah that's a smart idea too
Don't think we need a delay period either
yes you do
don't need a delayperiod for what
Like I said, most of the work is probably done on device, so manipulating the .xml could be very powerful
getting stuff from pallas?
pallas request
you need a delayperiod
And what you're saying apple TV has no delay period
you also cant have one above 90
bruh idk anything about apple tv
Fine then no delay period, just supervised
no apple tv doesn’t require the signature, you can just edit .xml
again, how would you get 14.3?
without delayperiod
It's signed and would show up in the xml
Again we can't really test until mesu decides to work again
we wouldn’t be able to get it signed without delayperiod lmao
DelayPeriod isn't necessary to do OTA
^
if you want to get the URLs from pallas you need a delayperiod
Idk maybe you do in Pallas but you don't for what I'm doing
Again 1/2 methods work, this is the second that I'm testing
ok, but if you get the xml files, how tf are you gonna get it to sign without the response from pallas?
I'm pretty sure the XML just tells you what iOS versions are available that's literally it
so how is this helpful to us?
ok so if the XML tells you what iOS versions are available
then what's done with this info
because it's certainly not sent to pallas
no pallas = no tss
isn't pallas watchos?
it’s an ota api
I'm not deleting Pallas lol
it might be watchos lol
ios, tvos, watchos, audios, and big sur
not deleting it, you’re just making it impossible to use
Let me just do my thing, we'll see if it works or not and if mesu will ever freaking show up
alright no-one’s stopping you
just tryna get info as to how you think this is gonna work
lmao
@valid adder what exactly is this mesu plist used for
s1guza moment
It literally doesn't touch Pallas or signing
My modification
if it leaves pallas be then how are you getting the OTA URLs after 90 days
The actual ota will use Pallas I think
how are you gonna load a firmware without signing it tf, i understand what you’re saying as to ur gonna get the .xml files but wtf are you gonna do with them
It's going to sign lol
source: trust me lol
Idk if I'm too tired or explaining it wrong but do you know what the XML does
Because you think it has to do with signing
It literally doesn't touch signing, all Pallas and signing is normal
It doesn't leave Pallas, it leaves Pallas alone. It's normal not modified
Not deleted
No-one’s deleting pallas
if you leave pallas alone. how are you getting 14.3 OTA URLs after 90 days
We may need to save those URLs while they are public, but after 90 days, they will still be there, just not on the public .XML, but If we managed to inject whatever xml, then there's no problem
I gtg to sleep but we'll just see on April 26th... Can't really test anything for sure beforehand
pallas rejects it after 90 days
so no
This doesn't use DelayPeriod either
you can’t inject it because it’s all server-sided
the files get deleted
This is where you don't get it
We are the server
We provide the xml
To the phone
You can still download every OTA since ever, signed or not
where are you gonna get the urls from
So long as 14.3 is still being signed, even after 90 days, we make it an option and do it like normal
without pallas
Those files are still up in http://updates-http.cdn-apple.com/ somewhere
xml’s wont have them
u want to bruteforce every folder and file in their cdn?
ok, sure, but where tf are you getting the url
make it an option fine
the device will recognise that
but you gotta tell it where to download from
the device can’t do that by itself
hence why pallas is required
y not ? 
lol
ok now that's just stupid
jk jk
The XML
<key>__BaseURL</key>
<string>http://updates-http.cdn-apple.com/2020WinterFCS/patches/001-77046/02866605-22CD-4B8C-9125-B096A8E20B10/</string>
apple’s servers thought they were going through shit before
The urls would be modified after 90 days
Oh for real, how does ipsw me do it for old versions then
But im pretty sure the '001-77046/02866605-22CD-4B8C-9125-B096A8E20B10' part stays the same
that link would just be deleted
Only the 2020WinterFCS change
And looking to other old signed OTA, Apple have specific classification for that
those arent modified
after 90 days
cause it doesnt need to be
since theres no reason
it looks like an identifier of some sort so you may be right but can’t say for sure
dont think apple would make it that easy
Why does the link change and how come ipsw ota links don't change
another identifier has to change
That can't be the same, ipsw me shows a link like
http://updates-http.cdn-apple.com/2021WinterFCS/patches/001-97944/D9809242-6B74-4DFA-87CF-CBD9507E3624/com_apple_MobileAsset_SoftwareUpdate/2b474c2579acc9bd3c5362766bb1b99d3ca24c3a.zip
Also a /patches
so were you right
The identifier did change
oh is that for the same version or not?
No
ok
dont think so
Any explanation as to what would change after 90 days, why it only changes after 90?