/* * idevicerestore.c * Restore device firmware and filesystem * * Copyright (c) 2010 Joshua Hill. All Rights Reserved. * * This library is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public * License as published by the Free Software Foundation; either * version 2.1 of the License, or (at your option) any later version. * * This library is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * Lesser General Public License for more details. * * You should have received a copy of the GNU Lesser General Public * License along with this library; if not, write to the Free Software * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA */ #include #include #include #include #include #include #include "dfu.h" #include "tss.h" #include "img3.h" #include "ipsw.h" #include "common.h" #include "normal.h" #include "restore.h" #include "recovery.h" #include "idevicerestore.h" static struct option longopts[] = { { "uuid", required_argument, NULL, 'u' }, { "debug", no_argument, NULL, 'd' }, { "help", no_argument, NULL, 'h' }, { "erase", no_argument, NULL, 'e' }, { "custom", no_argument, NULL, 'c' }, { "exclude", no_argument, NULL, 'x' }, { NULL, 0, NULL, 0 } }; void usage(int argc, char* argv[]) { char *name = strrchr(argv[0], '/'); printf("Usage: %s [OPTIONS] FILE\n", (name ? name + 1 : argv[0])); printf("Restore/upgrade IPSW firmware FILE to an iPhone/iPod Touch.\n"); printf(" -u, --uuid UUID\ttarget specific device by its 40-digit device UUID\n"); printf(" -d, --debug\t\tenable communication debugging\n"); printf(" -h, --help\t\tprints usage information\n"); printf(" -e, --erase\t\tperform a full restore, erasing all data\n"); printf(" -c, --custom\t\trestore with a custom firmware\n"); printf(" -x, --exclude\t\texclude nor/baseband upgrade\n"); printf("\n"); } int main(int argc, char* argv[]) { int opt = 0; int optindex = 0; char* ipsw = NULL; char* uuid = NULL; uint64_t ecid = 0; // create an instance of our context struct idevicerestore_client_t* client = (struct idevicerestore_client_t*) malloc(sizeof(struct idevicerestore_client_t)); if (client == NULL) { error("ERROR: Out of memory\n"); return -1; } memset(client, '\0', sizeof(struct idevicerestore_client_t)); while ((opt = getopt_long(argc, argv, "dhcexu:", longopts, &optindex)) > 0) { switch (opt) { case 'h': usage(argc, argv); break; case 'd': client->flags &= FLAG_DEBUG; break; case 'e': client->flags &= FLAG_ERASE; break; case 'c': client->flags &= FLAG_CUSTOM; break; case 'x': client->flags &= FLAG_EXCLUDE; break; case 'u': uuid = optarg; break; default: usage(argc, argv); return -1; } } argc -= optind; argv += optind; if (argc == 1) { ipsw = argv[0]; } else { usage(argc, argv); return -1; } if (client->flags & FLAG_DEBUG) { idevice_set_debug_level(1); irecv_set_debug_level(1); } client->uuid = uuid; client->ipsw = ipsw; // check which mode the device is currently in so we know where to start if (check_mode(client) < 0 || client->mode->index == MODE_UNKNOWN) { error("ERROR: Unable to discover current device state\n"); return -1; } info("Found device in %s mode\n", client->mode->string); // discover the device type if (check_device(client) < 0 || client->device->index == DEVICE_UNKNOWN) { error("ERROR: Unable to discover device type\n"); return -1; } info("Identified device as %s\n", client->device->product); if (client->mode->index == MODE_RESTORE) { if (restore_reboot(client) < 0) { error("ERROR: Unable to exit restore mode\n"); return -1; } } // extract buildmanifest plist_t buildmanifest = NULL; info("Extracting BuildManifest from IPSW\n"); if (extract_buildmanifest(client, ipsw, &buildmanifest) < 0) { error("ERROR: Unable to extract BuildManifest from %s\n", ipsw); return -1; } // devices are listed in order from oldest to newest // so we'll need their ECID if (client->device->index > DEVICE_IPOD2G) { debug("Creating TSS request\n"); // fetch the device's ECID for the TSS request if (get_ecid(client, &client->ecid) < 0) { error("ERROR: Unable to find device ECID\n"); return -1; } debug("Found ECID %llu\n", client->ecid); } // choose whether this is an upgrade or a restore (default to upgrade) plist_t tss = NULL; plist_t build_identity = NULL; if (client->flags & FLAG_ERASE) { build_identity = get_build_identity(client, buildmanifest, 0); if (build_identity == NULL) { error("ERROR: Unable to find build any identities\n"); plist_free(buildmanifest); return -1; } } else { // loop through all build identities in the build manifest // and list the valid ones int i = 0; int valid_builds = 0; int build_count = get_build_count(buildmanifest); for (i = 0; i < build_count; i++) { if (client->device->index > DEVICE_IPOD2G) { build_identity = get_build_identity(client, buildmanifest, i); if (get_shsh_blobs(client, ecid, build_identity, &tss) < 0) { // if this fails then no SHSH blobs have been saved // for this build identity, so check the next one continue; } info("[%d] %s\n", i, get_build_name(buildmanifest, i)); valid_builds++; } } } // Extract filesystem from IPSW and return its name char* filesystem = NULL; if (extract_filesystem(client, ipsw, build_identity, &filesystem) < 0) { error("ERROR: Unable to extract filesystem from IPSW\n"); if (tss) plist_free(tss); plist_free(buildmanifest); return -1; } // if the device is in normal mode, place device into recovery mode if (client->mode->index == MODE_NORMAL) { info("Entering recovery mode...\n"); if (normal_enter_recovery(client) < 0) { error("ERROR: Unable to place device into recovery mode\n"); if (tss) plist_free(tss); plist_free(buildmanifest); return -1; } } // if the device is in DFU mode, place device into recovery mode if (client->mode->index == MODE_DFU) { if (dfu_enter_recovery(client) < 0) { error("ERROR: Unable to place device into recovery mode\n"); plist_free(buildmanifest); if (tss) plist_free(tss); return -1; } } // if the device is in recovery mode, place device into restore mode if (client->mode->index == MODE_RECOVERY) { if (recovery_enter_restore(uuid, ipsw, tss) < 0) { error("ERROR: Unable to place device into restore mode\n"); plist_free(buildmanifest); if (tss) plist_free(tss); return -1; } } // device is finally in restore mode, let's do this if (client->mode->index == MODE_RESTORE) { info("Restoring device... \n"); if (restore_device(client, uuid, ipsw, tss, filesystem) < 0) { error("ERROR: Unable to restore device\n"); return -1; } } // device has finished restoring, lets see if we need to activate if (client->mode->index == MODE_NORMAL) { info("Checking activation status\n"); int activation = activate_check_status(uuid); if (activation < 0) { error("ERROR: Unable to check activation status\n"); return -1; } if (activation == 0) { info("Activating device... \n"); if (activate_device(uuid) < 0) { error("ERROR: Unable to activate device\n"); return -1; } } } info("Cleaning up...\n"); if (filesystem) unlink(filesystem); info("DONE\n"); return 0; } int check_mode(struct idevicerestore_client_t* client) { int mode = MODE_UNKNOWN; if (recovery_check_mode() == 0) { info("Found device in recovery mode\n"); mode = MODE_RECOVERY; } else if (dfu_check_mode() == 0) { info("Found device in DFU mode\n"); mode = MODE_DFU; } else if (normal_check_mode(client->uuid) == 0) { info("Found device in normal mode\n"); mode = MODE_NORMAL; } else if (restore_check_mode(client->uuid) == 0) { info("Found device in restore mode\n"); mode = MODE_RESTORE; } client->mode = &idevicerestore_modes[mode]; return mode; } int check_device(struct idevicerestore_client_t* client) { int device = DEVICE_UNKNOWN; uint32_t bdid = 0; uint32_t cpid = 0; switch (client->mode->index) { case MODE_RESTORE: device = restore_check_device(client->uuid); if (device < 0) { device = DEVICE_UNKNOWN; } break; case MODE_NORMAL: device = normal_check_device(client->uuid); if (device < 0) { device = DEVICE_UNKNOWN; } break; case MODE_DFU: case MODE_RECOVERY: if (get_cpid(client, &cpid) < 0) { error("ERROR: Unable to get device CPID\n"); break; } switch (cpid) { case CPID_IPHONE2G: // iPhone1,1 iPhone1,2 and iPod1,1 all share the same ChipID // so we need to check the BoardID if (get_bdid(client, &bdid) < 0) { error("ERROR: Unable to get device BDID\n"); break; } switch (bdid) { case BDID_IPHONE2G: device = DEVICE_IPHONE2G; break; case BDID_IPHONE3G: device = DEVICE_IPHONE3G; break; case BDID_IPOD1G: device = DEVICE_IPOD1G; break; default: device = DEVICE_UNKNOWN; break; } break; case CPID_IPHONE3GS: device = DEVICE_IPHONE3GS; break; case CPID_IPOD2G: device = DEVICE_IPOD2G; break; case CPID_IPOD3G: device = DEVICE_IPOD3G; break; case CPID_IPAD1G: device = DEVICE_IPAD1G; break; default: device = DEVICE_UNKNOWN; break; } break; default: device = DEVICE_UNKNOWN; break; } client->device = &idevicerestore_devices[device]; return device; } int get_bdid(struct idevicerestore_client_t* client, uint32_t* bdid) { switch (client->mode->index) { case MODE_NORMAL: if (normal_get_bdid(client->uuid, &client->device->board_id) < 0) { client->device->board_id = -1; return -1; } break; case MODE_DFU: case MODE_RECOVERY: if (recovery_get_bdid(client, &client->device->board_id) < 0) { client->device->board_id = -1; return -1; } break; default: error("ERROR: Device is in an invalid state\n"); return -1; } return 0; } int get_cpid(struct idevicerestore_client_t* client, uint32_t* cpid) { switch (client->mode->index) { case MODE_NORMAL: if (normal_get_cpid(client->uuid, &client->device->chip_id) < 0) { client->device->chip_id = -1; return -1; } break; case MODE_DFU: case MODE_RECOVERY: if (recovery_get_cpid(client, &client->device->chip_id) < 0) { client->device->chip_id = -1; return -1; } break; default: error("ERROR: Device is in an invalid state\n"); return -1; } return 0; } int get_ecid(struct idevicerestore_client_t* client, uint64_t* ecid) { if(client->device->index <= DEVICE_IPOD2G) { *ecid = 0; return 0; } switch (client->mode->index) { case MODE_NORMAL: if (normal_get_ecid(client->uuid, ecid) < 0) { *ecid = 0; return -1; } break; case MODE_DFU: case MODE_RECOVERY: if (recovery_get_ecid(client, ecid) < 0) { *ecid = 0; return -1; } break; default: error("ERROR: Device is in an invalid state\n"); return -1; } return 0; } int extract_buildmanifest(struct idevicerestore_client_t* client, const char* ipsw, plist_t* buildmanifest) { int size = 0; char* data = NULL; int device = client->device->index; if (device >= DEVICE_IPHONE2G && device <= DEVICE_IPOD2G) { // Older devices that don't require personalized firmwares use BuildManifesto.plist if (ipsw_extract_to_memory(ipsw, "BuildManifesto.plist", &data, &size) < 0) { return -1; } } else if (device >= DEVICE_IPHONE3GS && device <= DEVICE_IPAD1G) { // Whereas newer devices that do require personalized firmwares use BuildManifest.plist if (ipsw_extract_to_memory(ipsw, "BuildManifest.plist", &data, &size) < 0) { return -1; } } else { return -1; } plist_from_xml(data, size, buildmanifest); return 0; } plist_t get_build_identity(struct idevicerestore_client_t* client, plist_t buildmanifest, uint32_t identity) { // fetch build identities array from BuildManifest plist_t build_identities_array = plist_dict_get_item(buildmanifest, "BuildIdentities"); if (!build_identities_array || plist_get_node_type(build_identities_array) != PLIST_ARRAY) { error("ERROR: Unable to find build identities node\n"); return NULL; } // check and make sure this identity exists in buildmanifest if (identity >= plist_array_get_size(build_identities_array)) { return NULL; } plist_t build_identity = plist_array_get_item(build_identities_array, identity); if (!build_identity || plist_get_node_type(build_identity) != PLIST_DICT) { error("ERROR: Unable to find build identities node\n"); return NULL; } return plist_copy(build_identity); } int get_shsh_blobs(struct idevicerestore_client_t* client, uint64_t ecid, plist_t build_identity, plist_t* tss) { plist_t request = NULL; plist_t response = NULL; *tss = NULL; request = tss_create_request(build_identity, ecid); if (request == NULL) { error("ERROR: Unable to create TSS request\n"); return -1; } info("Sending TSS request\n"); response = tss_send_request(request); if (response == NULL) { plist_free(request); return -1; } plist_free(request); *tss = response; return 0; } int get_build_count(plist_t buildmanifest) { // fetch build identities array from BuildManifest plist_t build_identities_array = plist_dict_get_item(buildmanifest, "BuildIdentities"); if (!build_identities_array || plist_get_node_type(build_identities_array) != PLIST_ARRAY) { error("ERROR: Unable to find build identities node\n"); return -1; } // check and make sure this identity exists in buildmanifest return plist_array_get_size(build_identities_array); } const char* get_build_name(plist_t build_identity, int identity) { plist_t manifest_node = plist_dict_get_item(build_identity, "Manifest"); if (!manifest_node || plist_get_node_type(manifest_node) != PLIST_DICT) { error("ERROR: Unable to find restore manifest\n"); return NULL; } plist_t filesystem_info_node = plist_dict_get_item(manifest_node, "Info"); if (!filesystem_info_node || plist_get_node_type(filesystem_info_node) != PLIST_DICT) { error("ERROR: Unable to find filesystem info node\n"); return NULL; } return NULL; } int extract_filesystem(struct idevicerestore_client_t* client, const char* ipsw, plist_t build_identity, char** filesystem) { char* filename = NULL; plist_t manifest_node = plist_dict_get_item(build_identity, "Manifest"); if (!manifest_node || plist_get_node_type(manifest_node) != PLIST_DICT) { error("ERROR: Unable to find manifest node\n"); return -1; } plist_t filesystem_node = plist_dict_get_item(manifest_node, "OS"); if (!filesystem_node || plist_get_node_type(filesystem_node) != PLIST_DICT) { error("ERROR: Unable to find filesystem node\n"); return -1; } plist_t filesystem_info_node = plist_dict_get_item(filesystem_node, "Info"); if (!filesystem_info_node || plist_get_node_type(filesystem_info_node) != PLIST_DICT) { error("ERROR: Unable to find filesystem info node\n"); return -1; } plist_t filesystem_info_path_node = plist_dict_get_item(filesystem_info_node, "Path"); if (!filesystem_info_path_node || plist_get_node_type(filesystem_info_path_node) != PLIST_STRING) { error("ERROR: Unable to find filesystem info path node\n"); return -1; } plist_get_string_val(filesystem_info_path_node, &filename); info("Extracting filesystem from IPSW\n"); if (ipsw_extract_to_file(ipsw, filename, filename) < 0) { error("ERROR: Unable to extract filesystem\n"); return -1; } *filesystem = filename; return 0; } int get_signed_component(struct idevicerestore_client_t* client, const char* ipsw, plist_t tss, const char* path, char** data, uint32_t* size) { img3_file* img3 = NULL; uint32_t component_size = 0; char* component_data = NULL; char* component_blob = NULL; char* component_name = NULL; component_name = strrchr(path, '/'); if (component_name != NULL) component_name++; else component_name = (char*) path; info("Extracting %s\n", component_name); if (ipsw_extract_to_memory(ipsw, path, &component_data, &component_size) < 0) { error("ERROR: Unable to extract %s from %s\n", component_name, ipsw); return -1; } img3 = img3_parse_file(component_data, component_size); if (img3 == NULL) { error("ERROR: Unable to parse IMG3: %s\n", component_name); free(component_data); return -1; } free(component_data); if (tss_get_blob_by_path(tss, path, &component_blob) < 0) { error("ERROR: Unable to get SHSH blob for TSS %s entry\n", component_name); img3_free(img3); return -1; } if (client->device->index > DEVICE_IPOD2G && (client->flags & FLAG_CUSTOM) == 0) { if (img3_replace_signature(img3, component_blob) < 0) { error("ERROR: Unable to replace IMG3 signature\n"); free(component_blob); img3_free(img3); return -1; } } free(component_blob); if (img3_get_data(img3, &component_data, &component_size) < 0) { error("ERROR: Unable to reconstruct IMG3\n"); img3_free(img3); return -1; } img3_free(img3); if (client->flags & FLAG_DEBUG) { write_file(component_name, component_data, component_size); } *data = component_data; *size = component_size; return 0; }