#futurerestore-help
1 messages · Page 111 of 1
because thats the maximum delayperiod
unfortunately i was mistaken
And what about in expiry date / unsigned? Does it change then as well?
if big sur pallas is any indication, the urls from like a year ago are still alive
Apple doesn't delete firmwares right? Again, what would change and why... How do you know this other than stating the claim
i got confused with stuff from catalogs, which does get deleted
I feel like you should just communicate lol, it's a lot harder if you just say something with no reasoning
We're not even talking about signing anymore
anyways can someone please clarify what the xml is used by the device for?
all big sur versions are signed anyway
i dont think them changing the urls would make much difference
do we know for sure this happens with ios tho
The XML is downloaded from Apple to show what iOS versions are available for OTA (this is what I think). Unsupervised, we can only see 14.4.2 I think, gotta use computer tomorrow filza search is awful
bc i get a 403 from this 2019 one
that's a folder
oh right
The device doesn't select tho.
hm
So how does the phone know to use 14.3 if it's not in the XML? I think it's separate xml for supervised bc I think 14.3 isn't there
because pallas giveth if you give the DelayPeriod
But we can't test until mesu stops acting up
Really, and what happens when an MDM pushes without delay period
since when
then mdm field is in the request
You sure delayperiod is necessary
Since I tested it
there might be a specific field for MDM pushes
yes
So you say delayperiod was necessary
Isn't completely true then?
And maybe 14.3 will work, supervised no delay period
how you gonna get the mdm field
And that is what I'll test tomorrow
ok hold on this is interesting
No MDM field I'll try fixing up the XML first
surely that’s signed with the mdm’s key or something
Because like i said, it literally changed what the OTA showed on the Apple TV from 13.4.6 to 13.4.5... It's not all Pallas, the XML does do something
Mesu is the "server side" but we are being the server
Presenting an update, then the device requests that update (14.3) even though 14.4 is supposed to be shown, and we see what happens
<key>__BaseURL</key>
<string>http://updates-http.cdn-apple.com/2019/ios/091-24535-20190722-93574A92-9931-11E9-B99A-60D0A77C2E40/</string>
<key>__CanUseLocalCacheServer</key>
<true/>
<key>__QueuingServiceURL</key>
<string>https://ns.itunes.apple.com/nowserving</string>
<key>__RelativePath</key>
<string>com_apple_MobileAsset_SoftwareUpdate/902d4bef678d5819577812ba216d3750299f63c3.zip</string>
yeah you need to concat BaseURL and RelativePath
yh im dumb i tried to dl the parent folder lmao
you get 14.4.1
?
from pallas request
tf
You think there's an extra step where the device contacts Pallas before it shows the XML results? Doubt it, if anything it contacts Pallas after when it wants to update
what why
And if you turn off enforcedSoftwareUpdateDelay
i can confirm it contacts pallas for me
i have no clue
Pretty sure you are right, from sniffin, all it does is: 1st -> get the xml, 2nd -> download the attached OTA's files
You sure? I sniffed and never saw a Pallas request when simply listing the OTA version to download
Only gdmf and mesu sometimes, also xp
what from gdmf
This
i mean url
so if we have delayperiod=0 it has no ota, and if there is no delayperiod we get 14.4.1 makes sense
Idk I can check until tomorrow
nah delayperiod 0 is 400 bad request from pallas
but you do know gdmf is pallas right
Yes I'm making a writeup for that soon, Apple has a flaw where minimum and maximum for profiles is 0-90 instead of 1-90
Yes Tb explained it to us
ok good
Or was it in the group chat with folky
gc
There was a specific endpoint
I remember because I sniffed a Pallas earlier today
With 50 day delay
can u check?
i am 99.99% sure what you are talking about is gdmf.apple.com/v2/assets
oof
@lilac wren what were u using to sniff
Proxyman or Charles
^
mobileassetd refused to cooperate if i didn't exclude gdmf
Nyu showed me a tweak
ios ssl killer or something?
dont see any others..
google repo
ok got it
not working for me, what did you do after installing
oh
did i forget to turn it on
oops
yea although it was already on
Oh for me it came on
still getting errors
I gtg to bed but see you tomorrow!! Hopefully we can get something working
cya! i’ll work on this too
Will do
research gang
add proxy
tf are the proxy settings on ios
uhhh
wifi network settings
yea that should be it
dont see shit tbh
just ip and dns
on Android rn
Wifi press I button then on bottom theres is proxy settings
Wont appear if you have a profile that manage proxy for u
yup
lmao
I see it
whats the port
Scroll down to the HTTP Proxy setting, tap Manual. Enter the IP address of your computer running Charles in the Server field, and the port Charles is running on in the Port field (usually 8888). Leave Authentication set to Off.
8888 ig
I'll try charles tomorrow
mitmproxy is getting a little annoying
keeps dying when I download big files
ahh to much adsense
lol
autocomplete suggestions go brrrr
That's so weird... Supervised device -> check for update with the beta profile, can sniff the request -> add the 90_days profile -> check for update -> no request and 14.4.2 is you latest version allowed blablabla
it's probably caches somewhere
What is cached ?
it is sending a request to gdmf
but it's either caching or it's just not used when delay
straight away
told ya
i know i never said it didnt
The fact that my profile that I just added 2 seconds ago doesn't allow me to go above 14.4.2 without checking anything on apple servers ?
yup
ik lol
thing is tho even if it does caches if froggy is right and it is different, it has to redownload
which will overwrite
yea but we'd see it in charles
has anyone tried supervised + delay from the start, from a clean wipe
because then there's no way it's cached
if no one has I can

literally only thing I have to set up after wipe on 6+ is alarm anyway
@royal flint that would be awesome if you did
dont feel anyone is in the mood to wipe today lol
lol yea I'll do it in the morning
@royal flint not work with charles’s no cache option?
no I mean the device is likely storing it, i don't think the cache headers matter
@zealous bridge hello jamf is sucks
@royal flint do i setup ssl proxying too? how do i do that
should be on automatically no
I just did ! it cant be cached right ? Would it mean that it look for the delay on device too ?
@royal flint i think u have jb u can find i filza or icleaner
i tried
showing this for me
or reboot and hit check update
look at charles preferences ig
Or maybe the big ass xml is cached somewhere, and delay just see that there's nothing new
@zealous bridge u cant maybe apple use ssl pinning
you wiped, then supervised, then installed profile, then checked for updates?
we have a tweak that should bypass
i mean normally
Nah, check for update first, so yeah the xml may be cached.. But then, y does it check on mesu for the xml every single time when i dont have the profile ? Shouldnt it use the cached version too ?
im on 14.5 b7 a14 T.T
Make no sense
wait it does?
every time?
100% affirmative
@zealous bridge looking more and more like it just doesn't download xml when delaying
also we can test the signed after expire or not theory tomorrow
Could it be that the profile add a request on boot to get the xml in cache ? no further request are made after that ?
12.5 expires on the 11th
doubtful
whos right then
Only logical option tho
U have the delay profile ?
no
rip
what the fuck
Mine does without the profile, every-single-time
you can see the gdmf request?
ye
if so then cert pinning shouldn't be an issue
so idk
@radiant mountain what ios u on
14.4.2 sadly
check the notes tab
noob lol
theres no settings for it either
o wise one, bless us with your knowledge
why is charles ass
I believe gdmf is pinned by the kernel
i have a tweak
accessory images? idk
how did it work for froggy
does text tab on discord.com look sane
only need to respring, nvm them
oh
it says kill and restart the app you want to test
ok
ooops I was wrong, it was requesting every-single-time the 14.5 beta .zip, not the xml, which mean the xml is cached
smh

guess im erasing then
rip
i mean it's fast
yay i can see requests
gdmf too?
json format
All the mesu request I send above were done at starting, how would you know if a mobileupdate.xml is not done on starting if you dont have settled your proxy first ?
MESUUUU
oh?
oh its gone
doesn't have internet
i just saw it tf
u can activate offline remember
y did my message disappear ? 😦
idk
Was a very dumb idea i know but still...
damn i can spy on everyone now 😎
lol
Haram
just save the request
and response
if it's a get save the url
if it's a post save url and data
If DhinakG is right, you wont, as the big ass xml is cached, and no further request would be made til then
well froggy is saying it's cached
were you on delay prof when this happened
I remember seeing mesu request every single time when I didn't have the delay profile... could be wrong
Show
no
im going on it now
lol
lol
scam
tf it doin with mesu then
ok then that should prevent any mesu request from occurring once I erase
because it'll error out on cert pin
so uh I guess all we can do is try to get a mesu request again?
yeah ig
DhinakG did you wipe already ?
i'll try different delay profiles
i was trying to work in the other direction, reverse engineer whatever sends the request but I can't find what sends it
If the xml is cached, shouldnt delete the beta profile erase it too ?
so removing the profile should erase the cached xml
yet i dont see it
idk I'm just going off of this
only beta in the regular assets are 8.4.4, 9.9.14.4.2 (14.4.2 ota) and 9.9.12.5.2
there's no 14.5
hm
Thats what the profile is used for, request on assets/iOS14PublicSeed instead of assets
Earlier ive managed to show the 14.5 beta 7 update in "check for update" view without downloading the beta profile on fresh install
Didnt try to install it tho
Well me too, was fun, hopefully we can get something out of all this, 8am and still no sleep
gn
gn, sleep well
shipping tomorrow 3 new ip12 mini hope 14.3 applied
@keen mica mdm can upgrade 14.3 support a14?
oops missed ping
sorry
y
@zealous bridge
no-one’s tried it
oh
but i imagine its the same as supervised
yeah
alright
👍
@zealous bridge o yea now that you have charles working see if mdm makes any difference in pallas request
Oh yeah true
@zealous bridge i saw on the cfw website that you might be able to change the systemversion.plist to perhaps get mybloxxx to work
and downgrade from a version to 14.3, has anyone confirmed this?
please dont modify that file
Doesn’t work lol
one person did it, but everyone else (including me) failed
the SEP just refuses to generate the BCert that's required to authenticate the delayed OTA for some reason
the logs say "baa request" btw, whatever that is

6cfc7000 : Enabling managed request
6cfc7000 : AMAuthInstallHttpRequestBaaCertificate: Error creating baa request : Error Domain=com.apple.MobileActivation.ErrorDomain Code=-1 "Failed to create reference key." UserInfo={NSLocalizedDescription=Failed to create reference key., NSUnderlyingError=0x1037187a0 {Error Domain=com.apple.MobileActivation.ErrorDomain Code=-1 "Failed to create ref key." UserInfo={NSLocalizedDescription=Failed to create ref key., NSUnderlyingError=0x103713ce0 {Error Domain=NSOSStatusErrorDomain Code=-25300 "Key generation failed, error -25300" UserInfo={numberOfErrorsDeep=0, NSDescription=Key generation failed, error -25300}}}}}
6cfc7000 : AMAuthInstallHttpRequestBaaCertificate: refKey is NULL
6cfc7000 : Failed to enable managed request. Continuing personalization without managed request
interesting how it somehow seems tied to the activation servers too
I did see requests to albert.apple.com but haven't been able to decrypt it
activation server lmao
yeah
BAA is Basic Attestation Authority
oh hmm
When macOS is first installed in the factory, or when a tethered erase-install is performed, the Mac runs code from temporary restore RAM disk to initialize the default state.
yeah I remember seeing that in the cert
So, for instance, for “personalized” signatures, the certificate constraints will contain “ECID must exist,” and for “global” signatures, it will contain “ECID must not exist.” These constraints ensure that all Image4 files signed by a given key must conform to certain requirements to avoid erroneous signed Image4 manifest generation.
the -25300 error suggests the key was not found in the keychain, maybe it's supposed to be returned to the device by the server but it isn't?
it’s stored in a database in the server yes
-25300 is
errSecItemNotFound, which is a pretty standard keychain error.
Might be failure to verify the request
which could also cause the key to just not go through
The key is meant to be sent directly to SEP, ig maybe on higher seps it doesn’t recognise an older key
but a lower can recognise a higher
The Image4 verification library looks up the special certificate constraint OID from a certificate during signature evaluation and then mechanically evaluates the constraints specified in it
It’s definitely server sided, but is it because those certificate constraints just don’t get signed? It would make sense in this case, it says it “evaluates the conditions” of the device, and OTA’s are really not supposed to be used for downgrading, so this is definitely some kind of safety mechanism
honestly i think there is literally nothing we can do
I wonder if something else can be changed to trick it, or if it just asks the SEP for its firmware version?
the cert itself has a SepNonce but haven't specifically seen a version, except for target iOS version
you’re right, but i initially thought that SEP encrypted some sort of message with the UID key to prevent that sort of tampering
but i haven’t seen anything to support that theory
@celest basalt do you think removing icloud would help since it looks like it might be the activation server
I tried removing Find My iPhone, not iCloud completely
also tried with and without passcode
Other Remote Policy constraints may be specified by the device to prevent Security downgrade of the Local Policy without providing both the local authentication required to access the current OIK and remote authentication of the account to which the device is Activation Locked.
Oh wow they specifically said they have measures in place to prevent downgrades of the OIK (private key generated by SEP and then sent to BAA)
but that does beg the question
how does ipsw downgrading work then?
reflash sep and bb and send filesystem (simple terms ig)
actually
i dont think u can downgrade sep and bb
so it just flashes the latest ones
true but i assume it would have to personalise all the img4s like it does in ota, so whats so different abt that
good question, i think nobody knows
except for cryptic
cryptic literally studied the entire restore process

ez
@zealous bridge my offsetfinder supports iOS 9 - 14 but it will freeze on PCI on that low a version
have you ever used it successfully then
oh
If you don't enable ssl proxying on gdmf mesu won't come up
Idk why that's the case but before mesu disappeared, that was true
Also the Apple TV reddit post mentions that as well
Which probably means there's a connection between mesu and pallas
I have it on
Ik bc it's jank and sometimes doesn't appear for some reason
Or it's cached
fakin mesu
In the request to gdmf
"ClientData": {
"AllowXmlFallback": "false",
"DeviceAccessClient": "softwareupdateservicesd"
},
AllowXmlFallback might be something?
If mesu ever comes up again, check the gdmf request to see if this is true
Wait this is super weird
"Supervised": "true",
"DelayRequested": "false",
I'm using 0 day profile, no updates are appearing...
Good morning Dhinak!
Morning
so
My working theory is that the xml just isn't requested when delayed
So I'm gonna wipe, then supervise, then install profile
Before checking for updates
That way it can't hit mesu without me knowing
Hey, "TLS certificate pinning" is it bc of this that you need jailbreak tweak ? The julio one
In the gdmf response I see
"LegacyXmlUrl": ""
Ok, good luck. It would be great to know that mesu isn't jank and actually has a system lol
Yes, Apple won't let you sniff HTTPS response without that kill switch tweak
In the gdmf response I also see 14.4.2... So what's stopping the phone from displaying it?
Where
Assets dictionary
And what settings are you using
0 day delay profile, supervised
With 0 day what's the value of delay period
I haven't gotten the tweak to work because I think I didn't reboot
In GDMF? It doesn't show a delayperiod in the request
But imma switch to Charles today anyway
What about delayrequested
False
Hmmmmmm
Yet the phone still shows 14.3 as latest allowed by administrator
supervised: true?
^
My 14.3 I mean, it shows no OTA
Yes supervised
Hm
You said delayperiod0 was 400 bad request right?
No? You can be supervised without a delay period and get updates
So we can see if it's still signed and stuff
Yes
But omitting delayperiod but delayrequested true gives you 14.4.1
oh true
Phonerebel and dabezt tested it on 14.0 I think, shows same message
Yes
That we havent looked at
It shows 14.0
is there a “managed” field in there @lilac wren
In the request?
Nope no managed field
hm
Also @lilac wren. Since we have interception working we can test your theory of mdm doing something else
Also congrats on mem pro @lilac wren
I've just wiped my device, no requests are made to mesu when being supervised with the 90 profile.. only xp, gdmf
Ah thanks ❤️
Does it occur once you remove the profile?
Did you enable ssl proxying for gdmf
Otherwise it won't show up
And even if you do it might not show up
If you can view the request in gdmf that means ssl proxying is enabled right
in json format
Yes if it's not gibberish everything working fine
ok
I can't since I'm not jailbroken, but I can pass through the TLS negotiation failure and log the request domain, and the only domains that show up there were gdmf, xp but no mesu, meaning it hasn't been called
Idk if you can be certain though bc for some reason, mesu literally just doesn't show up as a request unless ssl is enabled for gdmf
🤷 i dont really know tbh, do some further research
I cant do much anymore since im not jailbroken
Yeah :/ which means that we probably won't be able to fake mesu on unjailbroken devices
Did apple tags come out already
I just showed my location lol
Ok I'm not on a beta though
Nvm what i was thinking abt was third party accessories gps
Yes that's the third party integration
Did this come out overnight
Uh I think a day or two ago
Oh wow
That's cool
Wonder if i have anything that I can use with it
Aight time to wipe this iphone again lmfao
Rip NAND flash
Let me disable icloud first so I can activate offline
Depends... on unsupervised device, it worked nicely.. Maybe if we find the good urls/xml for 14.3 or whatever it could be used in non-supervised wdyt ?
Yes basically
i’d say disable icloud = disable activation lock is a better bet
just to make sure
Aii
Aight time to get charles
Maybe, we'd just have to know the exact request for mesu so we can remap to our fake xml
Charles proxy + Darwin kernel = ???
It was a joke about Charles Darwin nvm
Oh lmfao
any progress or still 0% closer than 12 hours ago
Well we have some things to try now
Knowledge mostly
such as?
Charles with supervised and delayed from start before doing update check
That way it can't sneakily hit mesu without us knowing
What’s Charles?
Mitm
oh man in the middle
Http proxy and packet sniffer
Alright charles is up let me just test my config before I wipe
MDM sniff
I have that essay about hating on the SAT due tomorrow
Gotta do that first lol
idek, added to find my iphone
I think you need a product that supports it though lol
the only product that supports it is probably airpods lol
hm true
why can I hear the iPad doing stuff
It's uploading a file rn, iPad air 1
but it sounds like a very very quiet hdd
brrrrrrrr
does flash make noise?
No
idk I wonder what the iPad is doing then
probably speakers?
no
Cpu ticks lmao
Imagine it does?
i did the stupid so wiping again
wait what'd you do lol
i forgot to restore SystemVersion.plist and then i forgot restore rootFS lmao
luckily checkra1n
rip
so sshed in, fixed it, activated it, restored rootFS
ayy preparing actually worked properly this time
so what’s the goal of mitm’ing with this again? Save blobs or something else?
XML fuckery
By then watch 14.4 jb comes out
True
Sniffed MDM!
GDMF:
"RequestedProductVersion": "14.4",
"DelayRequested": "false",
(I pushed 14.4)
this
right?
when else do you ever see requestedproductversion
i thought you see delay period? you don't see a specific requested version
ill look rn
nope, no requestedproduct with delay
damn it charles
Froggy u still need testing for restoring?
yes pls, mind if we talk in that DM
you found mesu?
charles
LOL
so
is it signed?
how do i check
i did it from my script
tss response should come before the verifying error right?
you can check if its signed or not
i didnt test on device
this is still my method 1/2 though, not making progress on the XML lol
but neat that it works
14.2 restore XS Max #818879231772983357 message
So manually requesting 14.2 pulls 14.2 but we need someone to test if 14.2 works
i dont think you can check if its signed on a pc lol @royal flint
yea unfortunately
back to charles i go
@royal flint can you send me the full response for 14.2
actually wait
let me just do my own request bc I think it's specific to phone or something right
it's not specific to device
it's specific to identifier and board id + current version
"ProductType": "iPhone11,8",
if you don't have a XR I don't think I can map your response lol
so much commented out lmfao
HWModelStr?
aka board
and current build, and what requested version
my code can pretend to be anything really
there aren't any unique identifiers sent to pallas
well there's the nonce and pallasnonce but i think that's just random
but yea, give me board ID, current build, and requested version and i can get you the response
@royal flint so this is still useless itself unless we can update through this?
Since the 14.3 OTA trick doesn't work on futurerestored devices because they use newer SEP, what would happen if you triggered a remote iCloud wipe on the device? Does it keep the 14.4 SEP?
Actually now that I think of it it probably would since it's not changing OS versions
well yea this is useless if you're not jailbroken or the target version is not signed
requesting 14.4 works but 14.2 gives me
{
"Nonce": "DA90776C-20EC-44FA-AA1F-5E1EF967181A",
"PallasNonce": "3AC6D3E4-988B-4601-8A1B-67FB4E5A1B31",
"SessionId": "FEACD238-67E7-405F-BA0D-1DBECA6E454E",
"LegacyXmlUrl": "",
"PostingDate": "1970-01-01",
"Transformations": {
"_Measurement": "data",
"SEPDigest": "data",
"RSEPDigest": "data"
},
"Assets": []
}
So once you have new sep u can't Ota?
show your request
{
"TrainName" : "AzulC",
"SessionId" : "FEACD238-67E7-405F-BA0D-1DBECA6E454E",
"ProductType" : "iPhone11,8",
"AssetType" : "com.apple.MobileAsset.SoftwareUpdate",
"ProductVersion" : "14.3",
"DeviceClass" : 1,
"DeviceVariant" : "A",
"SigningFuse" : "true",
"ClientData" : {
"AllowXmlFallback" : "false",
"DeviceAccessClient" : "softwareupdateservicesd"
},
"Nonce" : "DA90776C-20EC-44FA-AA1F-5E1EF967181A",
"Supervised" : "true",
"RequestedProductVersion": "14.2",
"ProductName" : "iPhone OS",
"NoFallback" : "true",
"BaseUrl" : "https:\/\/mesu.apple.com\/assets\/",
"AssetAudience" : "01c1d682-6e8f-4908-b724-5501fe3f5e5c",
"BuildVersion" : "18C66",
"ClientVersion" : 2,
"InternalBuild" : "false",
"AllowSameBuildVersion" : "false",
"BuildID" : "238D3D4C-3940-11EB-8D33-A61B81E77CB1",
"IsUIBuild" : "true",
"HWModelStr" : "N841AP",
"DeviceOSData" : {
"SystemImageID" : "5AD8BD31-B8BD-4FD6-9C4C-90645CA26AE1",
"BuildVersion" : "18C66",
"DeviceVariant" : "A",
"ProductType" : "iPhone11,8",
"BuildID" : "238D3D4C-3940-11EB-8D33-A61B81E77CB1",
"HWModelStr" : "N841AP",
"DeviceName" : "iPhone",
"ProductName" : "iPhone OS",
"ProductVersion" : "14.3"
},
"SystemImageID" : "5AD8BD31-B8BD-4FD6-9C4C-90645CA26AE1",
"DelayRequested" : "false",
"DeviceCheck" : "Foreground",
"CertIssuanceDay" : "2020-09-29",
"DeviceName" : "iPhone"
}
Will ipwndfu fix that?
14.3 same message, 14.4 gives me a real response
14.4.1 real response
OH
because I said my current version was 14.3
I'm dumb
you're on 14.3 that's why
will change the request
hi guys, is it recommended to use FR on mac or on PC ?
mac
okay 👍
is talking about dualboot allowed?
there we go got iOS 14 OTA response now
nice
Pc for life
my pc runs macOS 😎
@royal flint dumb question: why couldn’t we request 13.x through Charles?
i think i might have to do this before activation
wdym
we can edit the request yea
would 13.7 worked if we marked our current version to say 13.5.1 or something
But it won't update
how do we necessarily know if that was to work?
Downgrading wouldn’t work yes
Lol apple
Focus on that first yeah
Is there a way to bypass sep check
so anyone know how to add repo and install tweak over ssh
What tweak
ssl killer
@lilac wren can you grab deb for me?
currently wiping again
it seems to be making requests really early
deb for ssl killer 2?
ye
thank
apt add-repository [repository url]
apt update
apt install [tweak identifier]
thank
uh whats a good temp location to scp it to
New term works too correct @zealous bridge
Lol
and then display nothing
Rip
Any know where are the ota updates stored in the system?
/private/var/MobileSoftwareUpdate I think
thanks
supervised or no
i'm supervised and on 90 day
and in the XML, does it show 14.3 or anything specific?
no
just 12.5.2
by 12.4.9-12.5.1 i meant that's what it should show
but it is identical to a request from the browser
dhinak@Dhinaks-Mac-Pro ~ % shasum /Users/dhinak/Downloads/frombrowser.xml /Users/dhinak/Downloads/fromdevice.xml
1fad3c289f60bb57df43e80f00fb6b3dff6ebb48 /Users/dhinak/Downloads/frombrowser.xml
1fad3c289f60bb57df43e80f00fb6b3dff6ebb48 /Users/dhinak/Downloads/fromdevice.xml
and if you go to /var/MobileSoftwareUpdates/MobileAsset/AssetsV2/com_apple_MobileAsset_SoftwareUpdate/ and open that XML, is it the same
shouldn't 90 day be something else though
what version is the device on
12.5
/var/MobileAsset/AssetsV2/com_apple_MobileAsset_SoftwareUpdate/com_apple_MobileAsset_SoftwareUpdate.xml for me, /var/MobileSoftwareUpdates/ doesn't have the MobileAsset folder
Why is it Updates for you guys
?
ah ok
dhinak@Dhinaks-Mac-Pro ~ % shasum ~/Downloads/from*xml
1fad3c289f60bb57df43e80f00fb6b3dff6ebb48 /Users/dhinak/Downloads/frombrowser.xml
1fad3c289f60bb57df43e80f00fb6b3dff6ebb48 /Users/dhinak/Downloads/fromcharles.xml
533d78200ee64d4668bfba041247dcd4a932ec99 /Users/dhinak/Downloads/fromdevice2.xml
hmmm
still trying to remap the gdmf response, phone is rejecting it. There's a Date field in header which also has time, hope it doesn't have to do with that. also Charles adds an extra header, I could try getting rid of it but idk if it changes anything
ah ok

ugh I think I know
the gdmf Nonce changes every request it seems, so I have to have an appropriate response for that
with the same nonce
what on device changes the gdmf nonce anyway lmfao
the device probably requests a new apnonce every time?
no iirc the gdmf nonce is just random
idk if it's ap nonce, just a nonce for this request
yea
probably doesn't have to do with anything else
well usually when you do igetnonce in normal mode the apnonce doesn't change until a reboot, but the sepnonce changes on every request
yeah dont think the processor has anything to do with this
^
But now I have to write some program to base64 encode some JSON with the requested nonce
probably an api nonce so apple dont get spammed or smth
yea nonce has no bearing
Breakpoints Tool
The Breakpoints tool lets you intercept requests and responses before they are passed through Charles. You can examine and edit the request or response and then decide whether to allow it to proceed or to block it.
nice
i just did block list and it stopped it
i sent applepie to pallas and it gave me back applepie
u can use charles’s rewrite or make middle server is helpful
nah we're trying to rewrite the response
LOL as the nonce?
yup
that's hilarious
meanwhile here trying to get my device back to 14.3 from pwndfu but I keep failing lol
but yea, XML is the exact same so
i can do this!! timeout seems to be long so I can edit the nonce live
RSEP is the restore sep protocol right? or is it something else
use rewrite response body
yep
i’ll make some ota cache server when i got jbable phone
because apple gdmf takes like an hour to respond
oh ty
hmm wtf
or write simple web server and forward ur requests and change response
lol what
includes headers
enable ssl proxying
it is enabled
on gdmf
that right click menu was on gdmf
nop
nah it's been like that for over 5 min
hm
ill test on se
i had to do some thing where i added * to the list of ssl proxying enabled websites to make it work @royal flint
did that already
issue is I have to b64 encode the json response that I send to the device
also it might be signed
not sure
ah
but there's some kind of cert thing in the first b64 chunk
yeah true
I haven't checked if it changed with different resps
Honestly might be easier to just make my own request with the nonce simultaneously
but i'm too slow lol
lol
Nah, just get the response manually, then edit it as you wish, then b64 encode, then paste it in when you need to rewrite
u can use this
Charles Web Debugging Proxy - Official Site
emulate response to local file
Gonna come back to this later, need to finish essay and eat
I'll start messing with this on my SE
blocking TSS should prevent any update from actually happening tho right?
because I don't wanna boot loop lmao
Thanks, but that's what I'm doing right now and I'm too slow to get the request, add the request 14.2 Param, request to gdmf myself, then put it into a file and map local
yeah
just block gs.apple.com
But you don't need to redo getting the request every time, you can cache it and just change nonce as necessary
I thought it was signed?
Right now I'm literally trying to fake the normal response and can't even do that lol
i think if u try only test change response part.
u need only 1 real response then u save the file and change contents emulating.
Issue is the nonce changes every request
wrf
wtf..
ok try first. after fail u need forward server
and set charles’s map remote to ur local forward server
@fickle kettle is there a way to make charles automatically call an external program for the response
That way we can automate part of it
Charles Web Debugging Proxy - Official Site
charles have useful tools
map remote forward match url rules to other servers
or simple way use mitmproxy and mitmproxy script
Yeah what he said, map remote to your own server and pretend to be gdmf
oh mitm to mitmweb
aight lemme check if resp is signed first
it's ok we understand you well
Wait
Do we really need to know where supervised hit mesu ?
What are we looking for exactly ?
we already figured it out lol
mesu is the exact same
we found something else out though
we can get 14.2 from pallas
@lilac wren good news
not signed
Because, correct me if im wrong but... mesu is indeed cached or hidden or whatever on supervised... But not the ...apple-update/assets/ request, could we just let mesu do his thing, and track the update request to get the 14.3 url path ?
Oh so we can just edit the b64 JSON between the two periods?
yee
So we can learn, how did you figure this out
that it's not signed? made a bunch of different requests, first part was the same
also checked with https://jwt.io/ and it says invalid sig lol
oh