#futurerestore-help
no i mean you should be able to build one from pallas info
I'm A11 😉
you can't I don't think, the old XML's are updated on apple's servers and deleted from public view
ok I'll do that
no like the content
the content should be mostly the same as gdmf
did you ever compare the two
the asset info is almost identical
no actually
but I'll have to rebuild it from scratch?
that's awful lol
it's 25k lines long
just make one with just 14.3
Remember I deleted literally only one asset from 14.4.2 latest XML and iOS refused it
yay ❤️
well in that case we have to figure out how it's being validated
there's no sig in the response itself so even if you find a 14.3 xml it wouldnt work
Found a way to request a specific version of iOS without delayperiod, found a way to show a specific version of iOS unsupervised without delayperiod, found a way to possibly edit what OTA is shown without jailbreak. But we're in the middle of that rn
WTF
HOLY
and by specific I mean 14.2 literally shows up as well, we just don't have a device <14.2 to test if it's signed (probably not though lol)
WAIT WHAT
u0 is shit what u expect
I'll try it rn
yeah
i mean it requires mitm tho
and also Dhinak found a way to make a mini server tool to do it for you
it may be possible to tether downgrade
13.7 is good
and then untether upgrade
true
i mean its literally just like 50 lines of python lmfao
yeah it requires a MITM, so you need to get a jailbreak tweak + computer (rn, probably no computer is def possible)
@green onyx dont get too ahead of yourself, we still need to find a way to deal with tss and whatever issues arise from there
bruh u guys are definitely devs
ah i see
yea the big question here is
ngl, u guys are geniuses
is it signed
like real geniuses
does it matter?
man i cant get this shit to work
14.2 is signed or nah?
don't know
we don't know until dabezt can test it
11.3+ is signed?
no way, you fr?
nah not 12.4 i dont think
forget 11.2
this is by ota right?
imagine
delayed software is only signed when its within 90 days lol
huh
not true
@lilac wren u get where im coming from right
signing ≠ accessible
we can get 14.2 from pallas
unless u could force it with ur own server
@zealous bridge does ur A9 have like 14.1 blobs?
yep makes sense I think
if we get it to mdm
even if he test on 14.0.1 he cant update tho
we should have dabezt try lowest version though
@green onyx we're not going to officially release until April 26th I think so apple doesn't patch
ah i see
apple cant even patch upgrades i dont think
but keep me updated
because they allow mdms
yet you do this on #futurerestore-help which everyone can see lmao
That one trick Apple doesn't like!
lol
man i wish we could downgrade i miss 13
aight taurine time
theoretically charles can sniff out the tss request + response without doing anything extra if it were to download right @royal flint
lol
ok well imma try 14.3 to 14.3 soon as well to save valid ota blobs
hi
it's not even a real ap nonce, just a random one for this request
alright gtg
ah i see
cya
ok cya
cya
cya
you gonna mitm and check if it shows on device @lilac wren ?
I'm not changing my systemversion.plist, I'm A12 14.3 lol
let's wait for dabezt
u scared?
yes
u0 just doesnt let you check for updates with a ssl proxy
and taurine wont let you spoof at all
wat I'm on Taurine doing it rn
i thought u werent spoofing
spoofing sysver
spoofing systemversion or what
yes
no i'm not
then
spoofing doesnt work anyways
it kp loops if you edit sysver.plist?
like it wont update
yea spoofing sysver ends up in kernel panic after a while, and then every time you rejb -> kp
on taurine?
yes
oh wow
with a wrong system version O_O
why lol
imma downgrade taurine
to ios 1 lol
nah
i remember being able to spoof
14.3rc
maybe new update
but maybe its just im spoofin it too low
ig i can check
how can i restart sb from ssh
sbreload
fak
just get new term
installed
if u get connection refused u did
why doesnt ssl kill have a dependency on prefloader
no profiles
it's not a profile, it's mitm
ooh he can test cant he
then i dont wanna risk lol
oh ok
Lol
openssh should rly be default
ok now procursus is downloading at 10KB/s
Haha get DDOSed back
Lmho
true
petty
k i spoofed to 14.3RC which 100% worked before
so if kps then i can just downgrade
yes
ah lucky
i got this phone on 14.2
Lol why did you update
updated to 14.3 cause i thought jb was dead
LOL
lol
(when 14.1 jb news was coming out)
When I got XR on 12.1.2 i downgraded immediately to 12.1.1
so i was just like fuck this
and jb came out for 12-12.1.2
fail
Which stinks because I always love latest jb-able
i still couldve updated to 14.4 but i cba
i got this X on ios 11
what's cba again
ok now i want taurine to kp
A cost-benefit analysis (CBA) is the process used to measure the benefits of a decision or taking action minus the costs associated with taking that action.
cant be assed
asked
how would I have known that lol
typo
gosh darn it
literally everyone does
why
i have a 14.1 6s but my mom took it
oh blocking gdmf might not work but maybe making it return no assets does
reboot userspace?
6s?
ye
fuk that didnt work
nah its just a spare phone for her to play games
how do you actually get it to fall back @lilac wren
she has X lol
i cannot get it to fall back
bro procursus is being ddosed rn
it doesn't even fall back, gdmf seems to be like optional. Just unsupervise and it'll use mesu
im unsupervised
oh my proxy
yea i did but it still died if i blocked gdmf
it errors out on the phone?
yea
hmpf
but I don't actually see gdmf requests
like I enable SSL on gdmf, without kill switch it looks the same, but it makes mesu come up
and then you can turn on ssl on mesu to see the XMLs
so you have proxy on for gdmf?
by it looks the same I mean I cant see request or response
yes but it doesn't actually let me see anything in gdmf/pallas. Only see mesu
yea ik
lemme retry that
ok
jbed
unsupervised
ssl killer off
proxy on for gdmf and mesu but off for everything else
unable to check
damn we need @zinc moon to test and hes gone
we'll wait for him, nw
that's normal, but now you should see mesu
and it should show you the update to 14.4.2
i do see mesu but it errors out on device
:/ you see mesu and the XML?
yup
where he go lol dinner?
the actual software_update xml or random ones
@royal flint @lilac wren would a device on 14.0-14.1 be helpful to your testing
try disabling / enabling ssl for mesu / gdmf
let me disable that and retry
yes
yes
like replacing dabezt helpful?
very yes
because i think i can provide that
definitely to see if 14.2 is signed
yeah i can provide that
its my sisters 6s
i honestly think ota is always signed
as long as u could get the download
lol your poor sister
same device i used to test gui
oh
ik that's why
@lilac wren i fixed it
i just need to appease her somehow
true
ok so the issue was that it was returning 304
pls paypal me so i can gib
not modified
how for research
right click and enable no caching
oh wow
ok now i try remap
yes
it really does work
YES
i see public beta 7
what did you swap with
Restore successful 14.4.2 > 14.3 on A11 😄 Thank you for your help @zealous bridge !
np! congrats
ah wow
just make sure to enable no caching
lol i tho he meant ota
congrats
nothing much u could change firmwares
well we need xml mods to work first but this is a great first step
and w/o jailbreaking or supervision
so ota without supervision?
cmon no xml nonce bs
🤞
FutureRestore lol
fr yes
oh
lmao
i got confused too
this is #futurerestore-help
ikr this channel is basically #ota-research
true
should call it just ota and fr
i got map local beta to work, another step forward
that was a quick return
what was the issue
i have to do a bunch of stuff rn lol
idek lol
<key>Signature</key>
<data>
a7iR/hN6j9NC2QxVFhEK8sSRqVsDdIbW1o2uaVemuLulPU0qB0H3fE1Q5ma57LYPKz1K
fvzZE0OfBPF/k7whuFAhGQuDalwuQS7zknxZ251IbK6B/Myo7xQ4w5+6dF6dG7XRHKK9
P1kduiZLTCHZY7kBS1R5V2KsJGJ9vxDcQzWg15xwTGte/PvUnFU5veSF8YLh2b6/joNJ
7VJclsohFTR8RfYYon9C6jp8/ElTXa3TB7Cxm6Y2RCUumN2ABrGwhotjj6xfH7xPTsBp
owFGPgkyuH8+Q0ku7vAgD7okw6fTsG7NlAnxiNhHimS0iV8YKZFDPGP6D0WaAwkIx7IU
Eg==
</data>
:/
are u going back to 13.7 when ipwndfu comes?
We'll have to sign our own XML's
in the xml?
which I don't think we can
ik
fuk
that's a dead end I think
who tf signs xmls
that's why beta worked bc it's also signed
tss?
nah
can we not just find a way to connect to mesu
lol
and backup an xml
dang
this!! If we were able to fetch one from 14.3
i am probably going to crash and burn in 2 minutes but hey
it's deleted now though we need someone who has it cached
no one has it cached lmao
I'll start today
no one has thought of this
same
i already have a bot caching stuff for macOS otas and normal updates
but even then
i can just download this too
would the signatures be device specific?
no, the sig is for the file
oh ok
^
again the only ones I could find online were 13.4.5 and ios 6
does anyone have a class dump for mobileasset
can i downgrade with any tool without being jailbroken ?
alr
jailbroken only though
yes
futurerestore needs to be jailbroken right ?
yes
and there are other tools ?
unless u could set nonce another way
no
there isnt
this whole time we were allowing non-jb upgrades but i just realised wtf is the point of that
every single ios below 14.4 is jailbreakable
exactly lol
exactly
complete L
literally no reason
most people are jailbroken too
if it was for downgrades thatd be one thing
downgrades dont work we already established
so its not useful
maybe there are some uses we havent discovered yet
spoofed 14.3 RC?
Yep
and MITM change preferredversion or whatever it was called?
tbf 14.0-14.3RC all have known bugs
yep
fair point
but doesnt rly matter for some ppl
it's not giving you a very clear error
where tf are ios daemons again
i'm a dumbass
icleaner
oh true
[[icleaner pro]]
The first real iOS system cleaner & optimizer
Ivano Bilenchi
7.8.3
Free
com.exile90.icleanerpro
/System/Library/Daemons or something
no
ayyyyy
/System/Library/LaunchDaemons?
pref files
Can I tether downgrade my 14.4 device with Divisé to 14.3?
what device
A11
yeah it would be a dualboot, and pretty useless for jailbreaking purposes since it would be tethered
you would still need a computer to JB and still unable to use SEP features
Ok i try dualboot
only time it's useful is if you're a developer who needs to test something specifically on 14.3 that's different on 14.4 tbh
@celest basalt what about this
yeah you can do that, but then it won't boot without a computer at all
so that's basically a lose-lose situation unless you really need some specific 14.3 thing that doesn't work on 14.4
with dualboot, the main 14.4 OS would boot without a computer (but no semi-untethered JB for 14.4), and 14.3 would boot with a computer
@royal flint @lilac wren just realised, if i futurerestore on the 6s imma have latest sep, so can’t use that
We could still try getting 14.2 to appear
True
Wait have you FRed on it or no
yes
Ah ok
he tested gui on it
froggy ur an L
I thought ota upgrades worked with latest sep, or no?
no...
Wasn't it just downgrades
Wow I'm ootl
u cant downgrade sep
i could still try pwning sep with blackbird but idk how to do that
Is it the same error for upgrade OTA / downgrade attempt
ota 14.3 still has 14.3 sep
Yes
the thing I don't get is that 14.4 and 14.4.2 SEP supposedly is the same, but 14.4->14.4 OTA also failed
I already said this but yeah
this is confusing
how sep functions might be different in ota vs ipsw
^^true
im bad at ida
I can log ota via debug serial if u guys want
I have a 6s on 14.2
thanks!
you have like a million other test devices as well tbh
havent u used fr on that tho
or is that the whole point
And DEV iBoots
Any type of debug would give some answers to how Ota works
Ota works via obliteration flag + bootnonce var
Var variable lol
Yeah lol
I also have a DCSD if that helps, though at this point I can probably only record failed attempts
any debug is useful at this point
idk but I tried the downgrade from 14.4.2 OTA, 14.4.2 IPSW (iTunes) and 14.4 IPSW with 14.4.2 SEP (FR)
Restore successful 14.4.2 > 14.3 on A11 😄 Thank you for your help
Thats real ?
Amazing
Oh ok, with blobs then ?
yes
Still cool
I still don't fully understand how the 14.3->14.3 OTA only worked when spoofing 18C65, because even when I spoof to 14.0 or 14.2 it fails to verify the delta (checksum, not TSS) so it downloads full OTA anyway
Damn we rly forgot what fr was
oh i had that too
it must have been some filesystem check
once it realised it couldnt install deltas it just went why not lets install full ota
yea i am now crashing and burning
restore.log should tell you more
can someone who actually knows how to reverse engineer do this pls
yep, the logs definitely show a FS mismatch in the delta
but I don't fully understand it still
supposedly others had success with it when their delta failed but then full OTA went through
Need logs to know for sure
I don't think I have those logs anymore, but I know they said "Failed to enable managed request"
for me, 14.3->14.3 only worked if I forced a full OTA from the beginning with 18C65 (successfully did it twice)
but 14.4/14.4.2 to 14.3/14.4 doesn't want to work no matter what
14.3RC doesnt have a delta to 14.3
yes, I know
So it will always get a full OTA
but like I said it always falls back to full OTA anyway so I don't understand why only that worked
@lilac wren @zealous bridge what if we could bypass pallas verification
How
tweak
someone said that the delta failing and forcing a full OTA was usually a good sign and the update succeeded for other people with that
Thats def possible ig
but that should only happen if you are downgrading or if you didn't restore rootfs
the delta should not mismatch for a legit clean rootfs update
Told ya im a genius
btw, I'm keeping my eyes on this thing, I have a saved TSS request that I replay once in a while with tsschecker to make sure it still returns a successful response
Now, what if, instead of hitting iOS14Seeds, we could just modify the response, add some bullshit .XML with a fake <key>version</key><string>14.9</string>, then add the payload we want ?
in case Apple unsigns the managed 14.3 update early
Oh...
We may have a way to get around that
Stay tuned
What does pallas verify? Doesn't it just decide what ios version is available + to show in the OTA menu for supervised?
It sends the URL too
Also @zealous bridge have we saved these new supervised (like 14.3 OTA) blobs
Hey, for something not ota related. Do any of you know if problems with using --upgrade while downgrading from 14.4 to 14.3 on a10 could be resolved?
(For supervised)
we need to actually update to save these ota blobs
I believe it does that, so intercepting the response, adding a fake <dict> to a fake <version> like 14.9 will give us a valid signature from Pallas, and allow us in this <dict> to put the URL we want
verifying the signed response from pallas
all of them can
I've done it for Sloopie, but that was only necessary because they hacked together a 14.2 tether boot and it successfully verified but failed to install
Awesome I'm sure there are a lot of people updating? We can just ask someone to plug into a MITM and enable ssl?
Uh
if you successfully updated just dump onboard blobs with System Info
Blobs are device specific remember
Yeah but the request
Oh something about a bcert right
the BCert is tied to a device too
We don't know how to create the bcert?
No
Oh ok
nope, probably SEP does it
Why? We can already access all iOS versions right? I tried 13.7
the other way is to MITM the TSS request and get the BCert and SepNonce and plug that in to a tsschecker request with a manually specified apnonce so you know the generator and can reuse the blobs later
SepNonce would change wont it
Is BCert specific to the ios version you're going to as well + specific to a nonce/ that restore?
Version specific to
SEPNonce specific too
Ah hm
yes, that prevents you from replaying it on-device to update but doesn't prevent you from replaying the request to save blobs and pair up the SepNonce inside the BCert with the one outside
but again these OTA blobs are only useful for A11- in pwndfu mode
The blobs would be useless tho wouldnt they
Why don't they work for A12+
for A12+ they're useless
Good, because I only have enough time to let futurerestore do its thing. But not enough to restore from a backup afterwards. Do you know if they’re being worked on currently?
it doesn't have to, because you would not be downgrading the SEP
you would use signed SEP
Oh SEPNonce doesnt work like APnonce does it
If whats being worked on currently
well, futurerestore can ignore BB/SEP nonces beacuse we always just use a signed SEP instead
True
--upgrade flag while downgrading.
It’s a bad idea
because it won't accept OTA tickets in regular recovery mode, it will fail at entering restore mode
And no I don’t think it’s being worked on since theres no issue
need to get into pwndfu and then pwnrecovery which requires a bootrom exploit
and from there you can use OTA blobs as well
@celest basalt any luck with ipwndfu btw
not yet
waiting for Cryptic at this point bc I tried a few things but it keeps failing
is it always langid?
no, ipwndfu itself succeeds (even if it shows the langid error), the problem is with futurerestore
also doesn't always show langid
sometimes it just says successfully exploited
Oh so you can enter pwndfu
yeah
thats fine then ig
problem so far is: checkm8-nonce-setter goes from pwndfu -> pwnrecovery -> recovery, but normal recovery won't accept OTA tickets
if I make it stop at pwnrecovery, FR says "device APNonce does not match APTicket nonce"
Have you tried rmvsigchecks.py?
checkm8-nonce-setter uses that for older devices but it uses ipwndfu for A11
well, if I'm reading the script right then ipwndfu is the sigcheck patch but idk
I mean you can probably just erase the device to fix it but then you lose data
the question is how to hook it
pwndfu is a device state where you can remove the signature checks
the sigchecks are a different .py
why does it still need blobs to downgrade then on pwndfu
to verify the restore?
@lilac wren well i figured out where to bypass mesu sig checks at least
so we can swap xmls now?
still need tss to verify?
Ooh that's actually great , how'd you do it
ye
i don't know tweak dev
...do you need to be jailbroken
¯_(ツ)_/¯
whats the point tho if 14.3 and below all have jbs
thats broken and prolly no longer updated
I mean it'd be fun to do nonetheless, another method of getting 14.2 to appear
Or 14.3 after April 26th
updated 8 days ago
yea rip
tf
unless we could do downgrade we're not actually helping ppl lol
this is literally just research purposes
do you know how to hook it tho
oh the fork thats linked on fr is different
so idk
ipwndfu still needs fr to restore or itunes?
fr
ok
What do you want to hook? I could try it later
itunes restore is never gonna be possible with blobs?
-[DownloadManager massageXmlAndPersist:from:to:with:postedDate:]
it calls a function to verify the response, i don't know its name
bypassing pallas verification is easier, just make -[PallasResponseVerifier verifyResponse:signature:error:] and -[PallasResponseVerifier verifyCerts:error:] return true
Cydia used to save blobs for you too
If what you said is correct, then I still have hope that those verification methods can be abused with a rightly formatted fake .xml... Just need to find a way to "inject" that in the response
just
Gonna steal apple’s private key 
aight we breaking into apple's pki room lets go
True
How does the 14.3 do then ? It has to be signed too...
why does copying a 1 MB file into an ipsw take forever
Needs to rebuild the ipsw
14.3 is signed but only for supervised devices that make a special managed request to Apple's servers
Yes, but the beta XML was available publicly, no-one can find the 14.3 XML
has anyone tried actually using an MDM for the delayed updates yet?
Therefore no-one can find the right signature
I tried that the day after the method got found out
lmao
I thought that DhinakG managed to sniff mesu on supervised device, you could get the .xml from there
I did try adding an MDM profile but Jamf Now can at most push the delayed OTA profile to the device and not force a specific update
For 14.4.2
I got access to a Jamf Pro account
nice
have you tried it for a downgrade
what does the log say, same thing?
Carbon copy
I've a friend on 13.5 A13, I'll try to sniff every request while he does the OTA technique to go to 14.3 and see if there's something useful
alright, remember we just need the one .xml then it will work
Sound like a plan
All we need is that annoying ass signature
damn Ubuntu 21.04 has not only irecovery but idevicerestore too
makes things a lot easier
that won't work
supervised devices do not allow mesu as a fallback
that's why we never saw mesu
13.5 can be jailbroken and install the SSL tweak, isn't it ?
and we have already validated that mesu doesn't change
so there's no way to get mesu from 14.3 was latest unless someone saved it back then
Hmm...
If we consider that, without the beta profile, you can still go to 14.5 beta 7, then maybe, without supervised, we can go to 14.3 ? There, the mesu request could be intercepted and modified the same way ?
14.3 isnt signed
If going to 14.2 works
That means that we can literally ota upgrade to all versions without blobs right?
Awesome
well the 11.3 and up might be different if we do mitm
but let's just assume 11.3 and up for now
nvm it would still be 11.3 and up as you need support on iOS
For supervised, it is. But hear me out, with modifying the mesu response on unsupervised, we could simulate that maybe
again
you cannot modify the mesu response
all you can do is replace it with another mesu response
we don't have a mesu response from when 14.3 was latest
ooh you mean xml cant be swapped/modified bc of this ?
<key>Certificate</key>
<data> MIID7TCCAtWgAwIBAgIBLTANBgkqhkiG9w0BAQUFADB5MQswCQYDVQQGEwJVUzETMBEG A1UEChMKQXBwbGUgSW5jLjEmMCQGA1UECxMdQXBwbGUgQ2VydGlmaWNhdGlvbiBBdXRo b3JpdHkxLTArBgNVBAMTJEFwcGxlIGlQaG9uZSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0 eTAeFw0xMTA3MTQyMjMyNDhaFw0xODA3MTQyMjMyNDhaMGYxCzAJBgNVBAYTAlVTMRMw EQYDVQQKEwpBcHBsZSBJbmMuMSEwHwYDVQQLExhBcHBsZSBpT1MgQXNzZXQgTWFuaWZl c3QxHzAdBgNVBAMTFkFzc2V0IE1hbmlmZXN0IFNpZ25pbmcwggEiMA0GCSqGSIb3DQEB AQUAA4IBDwAwggEKAoIBAQC1y4D4VYBPHLwnHk1qfi1F49E3Ml675ElYYAFghqpAiKOq eagLVZU8zKuPw650NHACvNJbjKBjMsWdWaFMj/7c2TB5IkJwi61Y6B+uVK78W9u9I/hF AK0pWcM9Y5KbKMvz4wEwt64EXfS8eVBRmqh/29ygxN9NtBbHEiGiGQ8vxIV3U6FomNdm xKPM7VZmsyFIxQ5HsxgHb0skxlDIdePtYsHLmpK9PX43K3sBT3lHN0Uxtit8HTrdwiNq 13cI0TINT+lsbXKLp3/gPJVpfxkQ3MTt40KG/DTMsqKOygDombsFSqA+RPSv68YtJ/kA aGaoH6gZfRrwX7GJozzQ8KTZAgMBAAGjgZIwgY8wDgYDVR0PAQH/BAQDAgeAMAkGA1Ud EwQCMAAwHQYDVR0OBBYEFGNQxP6y1Ao4Hrhid6BcMLwcrB3BMDgGA1UdHwQxMC8wLaAr oCmGJ2h0dHA6Ly93d3cuYXBwbGUuY29tL2FwcGxlY2EvaXBob25lLmNybDAZBgNVHSAB Af8EDzANMAsGCSqGSIb3Y2QFCDANBgkqhkiG9w0BAQUFAAOCAQEAn6Cj4XjlScRIh1wP F8BLCz/dl6CskbTsJXz24tCDm3gcvb1Ovc+sBeg1JyvHiy2C4NxEGDYsVYHvUbucXrGd ul6kKauOYcEzpogk56BIRenKHivAqQQtNJpVmqrElgqDntI/az2Gsw32TLWyDXVw8rWi vchZE+VOv1mT4a7LHsdxMWbEOIrkvkZUOoxZlQhjPCc22mp0Yy5rwcf+3/IwJGOhJSXO VrcxuOwmweNrK1Eajn+HS2IlnMBwQDkH/d74KUXGvuNX0LsXv9cCQMB8tcjFlr1u+Szo XCHD1SJkU4ex3auhnukYSoiag78twmDRk726aYmxNIfYYpDs0hS7Mw== </data>
<key>FormatVersion</key>
<integer>1</integer>
<key>Signature</key>
<data> aBeolCS5aM72aTPyxMK7McakOkZmKfSdwfAAr33oxliqOScZjrQI6Q2FzoPoQ0VO+hiY oIlC8T93ZMD1uXRGTXt9ad7iCkpuPC3JvdFueQn0oLm1ftAKuRR2egghtKYJBAcy4nLw xKkA8O3GZ3St6hrXrugif/QHuudsASyzxO//9pgK0pv7gKARNWfWrJHbehgDO6t0ekfA cJzh5oKL2GR5bSunI4eYi6WNqB5MyBTtRU+K8UsD+5V24nWPQT6xco+MGz1Qx1nRMuic HvcljOtxqWr6/pzctxD00tZ3wHD+lnosisa4Ak8DLcxBCUA/YuIjuODfMCJb8fsE/yFD vw== </data>
<key>SigningKey</key>
yes
literally never
What's certificate vs signature?
🤷
certificate allows a connection, a signature verifies it
Connection to what, this is an XML file
tf is <data> ?
you can substitute connection for whatever the target is
Yeah but for this XML, what is it used for
but most commonly its used for connection
It's the signature/cert itself
It's like saying
[Key: Signature, Value: XXXXXX]
look up X. 509 ig
From what I've understood it is used in some device frameworks to see if the xml is valid, so a tweak could bypass it, that's why it needs to be jailbroken only
uh calls SecKeyRawVerify on it using an extracted public key from the certificate
What verifies the signature? Is there only one ios private key from bootrom, and that's what it uses?
no
the xml is signed using the public key from the certificate
the certificate is validated to be connected to some Apple iPhone CA certificate
It's signed using the certificate already in the file?
ok
so you have the XML without the sig and cert and stuff
you take the public key from the cert
and then you get a signature for the XML
then you put the signature and the cert into XML
the verification code will make sure the cert is trusted
and then get the public key from the cert, strip the cert and sig from xml, and then check the sig
the signature is encrypted using public keys and decrypted using private keys, im guessing the private keys on the servers
"Take the public key from the cert" where is this cert? Apple's servers?
Then why can't we just sign our own with any cert we create
because
the cert is validated to be trusted
any random cert we create is not going to be signed by Apple iPhone CA
Does this require an internet connection
no it appears to be local
But it's signed by the cert in the file? So how does it know Apple iPhone CA create it
So if we modify the response, not entirely but just change some value in it, replacing a dict by another one let's say, the cert/sign value would still be valid and the .xml would be accepted ?
So is any part of this certificate on device or is it all downloaded at the time of getting the XML
if you changed some parts of it the signature would be invalid and it would fail to verify
No if you change anything at all I'm pretty sure the signature is invalid
Like a hash
‘tis the magic of encryption
it should be all download at the time of dling the xml if I understand how SSL works
no, the entire xml is sigchecked
The cert used for the signature is not on device
However the direct CA is
I don't understand how it knows it's from Apple then (sorry I'm dumb with this). Can't you fake it from the root part of the chain all the way to the XML?
it looks embedded in mobileasset
Ah ok makes more sense
time to hijack mobileasset
yea idk about that lol
intermediary cert
managed to extract it
yup
@lilac wren this cert: #futurerestore-help message
verifies against this cert: #futurerestore-help message, which is hardcoded into mobileassetd
the child cert is generated with the root cert's private key and stuff
Seems unbypassable to me.. You have an idea ?
you need a jailbreak to bypass
at that point just mitm, install ssl killer, and use the pallas method
No jailbreak would require a valid apple signed xml right ? But those for 14.3 are unfindable ?
Now that makes a lot more sense, thanks so much for teaching me
np
@lilac wren @zealous bridge so how many currently (looking) viable methods do we have rn? i believe 1?
yeah just the one, we can’t rule out the xml thing out completely but the outlook isn’t too good
Do you guys know what ess stands for ?
In what context
Oh ok nevermind then
on ur main?
6s
it wont work bc latest sep
but hopefully i can get 14.2 to at least show up
then get a real tester to test it
@zealous bridge found a potential tester
14.1 although a14, but that shouldn't matter this early
we had 3, and now only 1 :(
f in peace
why can't you download OTA from JB'en state
the a8-a10 pwned sep downgrade is still gonna be possible
its the jailbreak tools themselves
they just block it
oh wow
luckily we will have another for iOS 14.4.2+
yup
whats that
let's DM?
ok...
You sure about that?
-_-
pls halp
true
ok
Ping me if I can help tho
👍
boi-
what is wrong ?
You need a jailbreak to use futurerestore
huh
did you not understand what i said
you need to be jailbroken to use futurerestore
Set nonce
good night!
no eta
gn
Wow the hate on u0 is real https://reddit.com/r/jailbreak/comments/mocfu6/_/gu2vj59/?context=1
Hi, need a little bit of help
My nonce value has string characters in it and the nonce generator lets me only type in values
@lilac wren if you're gunna install geosn0w sh!t...
I've installed it once bc folky recommended it, deleted it immediately lol and don't plan to get it again
which repo should i add to set nonce value?
[[dimentio]]
1Conan repo here ^
OK I'm back any break thru?
dimentio's also available on Procurus
goodluck @fickle kettle
[[futurerestore]]
its not a package really lol
true 14.3 lol
How do I install futurerestore?
how restore 14.5 backup to 14.3?
!t frgui
@versed egret
you don't, 14.5 fucked with the backup system
@lilac wren wake up
Anyone know a rough estimate of how long an iPhone X on 12.1.1 takes to update to 14.3? After I download 14.3 it is stuck on "Preparing Update" for a long time and I don't know if it is just slow or actually stuck.
Can take anywhere from 15mins to 1 and a half hours
After I have already downloaded the file itself?
Yep
Ok fingers crossed it works, thank you
@royal flint can you check if a 14.2 ota exists for iPhone9,3, d101ap on current version 14.1 18A8395