/* * dfu.c * Functions for handling idevices in DFU mode * * Copyright (c) 2010-2013 Martin Szulecki. All Rights Reserved. * Copyright (c) 2012-2015 Nikias Bassen. All Rights Reserved. * Copyright (c) 2010 Joshua Hill. All Rights Reserved. * * This library is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public * License as published by the Free Software Foundation; either * version 2.1 of the License, or (at your option) any later version. * * This library is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * Lesser General Public License for more details. * * You should have received a copy of the GNU Lesser General Public * License along with this library; if not, write to the Free Software * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA */ #include #include #include #include #include #include "dfu.h" #include "tss.h" #include "recovery.h" #include "idevicerestore.h" #include "common.h" int dfu_progress_callback(irecv_client_t client, const irecv_event_t* event) { if (event->type == IRECV_PROGRESS) { print_progress_bar(event->progress); } return 0; } int dfu_client_new(struct idevicerestore_client_t* client) { int i = 0; int attempts = 10; irecv_client_t dfu = NULL; if (client->dfu == NULL) { client->dfu = (struct dfu_client_t*)malloc(sizeof(struct dfu_client_t)); memset(client->dfu, 0, sizeof(struct dfu_client_t)); if (client->dfu == NULL) { error("ERROR: Out of memory\n"); return -1; } } for (i = 1; i <= attempts; i++) { if (irecv_open_with_ecid(&dfu, client->ecid) == IRECV_E_SUCCESS) { break; } if (i >= attempts) { error("ERROR: Unable to connect to device in DFU mode\n"); return -1; } sleep(1); debug("Retrying connection...\n"); } irecv_event_subscribe(dfu, IRECV_PROGRESS, &dfu_progress_callback, NULL); client->dfu->client = dfu; return 0; } void dfu_client_free(struct idevicerestore_client_t* client) { if(client != NULL) { if (client->dfu != NULL) { if(client->dfu->client != NULL) { irecv_close(client->dfu->client); client->dfu->client = NULL; } free(client->dfu); } client->dfu = NULL; } } int dfu_check_mode(struct idevicerestore_client_t* client, int* mode) { irecv_client_t dfu = NULL; int probe_mode = -1; irecv_init(); if (irecv_open_with_ecid(&dfu, client->ecid) != IRECV_E_SUCCESS) { return -1; } irecv_get_mode(dfu, &probe_mode); if ((probe_mode != IRECV_K_DFU_MODE) && (probe_mode != IRECV_K_WTF_MODE)) { irecv_close(dfu); return -1; } *mode = (probe_mode == IRECV_K_WTF_MODE) ? MODE_WTF : MODE_DFU; irecv_close(dfu); return 0; } irecv_device_t dfu_get_irecv_device(struct idevicerestore_client_t* client) { irecv_client_t dfu = NULL; irecv_error_t dfu_error = IRECV_E_SUCCESS; irecv_device_t device = NULL; irecv_init(); if (irecv_open_with_ecid(&dfu, client->ecid) != IRECV_E_SUCCESS) { return NULL; } dfu_error = irecv_devices_get_device_by_client(dfu, &device); irecv_close(dfu); if (dfu_error != IRECV_E_SUCCESS) { return NULL; } return device; } int dfu_send_buffer(struct idevicerestore_client_t* client, unsigned char* buffer, unsigned int size) { irecv_error_t err = 0; info("Sending data (%d bytes)...\n", size); err = irecv_send_buffer(client->dfu->client, buffer, size, 1); if (err != IRECV_E_SUCCESS) { error("ERROR: Unable to send data: %s\n", irecv_strerror(err)); return -1; } return 0; } int dfu_send_component(struct idevicerestore_client_t* client, plist_t build_identity, const char* component) { char* path = NULL; if (client->tss) { if (tss_response_get_path_by_entry(client->tss, component, &path) < 0) { debug("NOTE: No path for component %s in TSS, will fetch from build_identity\n", component); } } if (!path) { if (build_identity_get_component_path(build_identity, component, &path) < 0) { error("ERROR: Unable to get path for component '%s'\n", component); free(path); return -1; } } unsigned char* component_data = NULL; unsigned int component_size = 0; if (extract_component(client->ipsw, path, &component_data, &component_size) < 0) { error("ERROR: Unable to extract component: %s\n", component); free(path); return -1; } free(path); path = NULL; unsigned char* data = NULL; uint32_t size = 0; if (personalize_component(component, component_data, component_size, client->tss, &data, &size) < 0) { error("ERROR: Unable to get personalized component: %s\n", component); free(component_data); return -1; } free(component_data); component_data = NULL; if (!client->image4supported && client->build_major > 8 && !(client->flags & FLAG_CUSTOM) && !strcmp(component, "iBEC")) { unsigned char* ticket = NULL; unsigned int tsize = 0; if (tss_response_get_ap_ticket(client->tss, &ticket, &tsize) < 0) { error("ERROR: Unable to get ApTicket from TSS request\n"); return -1; } uint32_t fillsize = 0; if (tsize % 64 != 0) { fillsize = ((tsize / 64) + 1) * 64; } debug("ticket size = %d\nfillsize = %d\n", tsize, fillsize); unsigned char* newdata = (unsigned char*)malloc(size + fillsize); memcpy(newdata, ticket, tsize); memset(newdata + tsize, '\xFF', fillsize - tsize); memcpy(newdata + fillsize, data, size); free(data); data = newdata; size += fillsize; } info("Sending %s (%d bytes)...\n", component, size); // FIXME: Did I do this right???? irecv_error_t err = irecv_send_buffer(client->dfu->client, data, size, 1); if (err != IRECV_E_SUCCESS) { error("ERROR: Unable to send %s component: %s\n", component, irecv_strerror(err)); free(data); return -1; } free(data); return 0; } int dfu_get_cpid(struct idevicerestore_client_t* client, unsigned int* cpid) { if(client->dfu == NULL) { if (dfu_client_new(client) < 0) { return -1; } } const struct irecv_device_info *device_info = irecv_get_device_info(client->dfu->client); if (!device_info) { return -1; } *cpid = device_info->cpid; return 0; } int dfu_get_ecid(struct idevicerestore_client_t* client, uint64_t* ecid) { if(client->dfu == NULL) { if (dfu_client_new(client) < 0) { return -1; } } const struct irecv_device_info *device_info = irecv_get_device_info(client->dfu->client); if (!device_info) { return -1; } *ecid = device_info->ecid; return 0; } int dfu_is_image4_supported(struct idevicerestore_client_t* client) { if(client->dfu == NULL) { if (dfu_client_new(client) < 0) { return 0; } } const struct irecv_device_info *device_info = irecv_get_device_info(client->dfu->client); if (!device_info) { return 0; } return (device_info->ibfl & IBOOT_FLAG_IMAGE4_AWARE); } int dfu_get_ap_nonce(struct idevicerestore_client_t* client, unsigned char** nonce, int* nonce_size) { if(client->dfu == NULL) { if (dfu_client_new(client) < 0) { return -1; } } const struct irecv_device_info *device_info = irecv_get_device_info(client->dfu->client); if (!device_info) { return -1; } if (device_info->ap_nonce && device_info->ap_nonce_size > 0) { *nonce = (unsigned char*)malloc(device_info->ap_nonce_size); if (!*nonce) { return -1; } *nonce_size = device_info->ap_nonce_size; memcpy(*nonce, device_info->ap_nonce, *nonce_size); } return 0; } int dfu_get_sep_nonce(struct idevicerestore_client_t* client, unsigned char** nonce, int* nonce_size) { if(client->dfu == NULL) { if (dfu_client_new(client) < 0) { return -1; } } const struct irecv_device_info *device_info = irecv_get_device_info(client->dfu->client); if (!device_info) { return -1; } if (device_info->sep_nonce && device_info->sep_nonce_size > 0) { *nonce = (unsigned char*)malloc(device_info->sep_nonce_size); if (!*nonce) { return -1; } *nonce_size = device_info->sep_nonce_size; memcpy(*nonce, device_info->sep_nonce, *nonce_size); } return 0; } int dfu_enter_recovery(struct idevicerestore_client_t* client, plist_t build_identity) { int mode = 0; if (dfu_client_new(client) < 0) { error("ERROR: Unable to connect to DFU device\n"); return -1; } irecv_get_mode(client->dfu->client, &mode); if (mode != IRECV_K_DFU_MODE) { info("NOTE: device is not in DFU mode, assuming recovery mode.\n"); client->mode = &idevicerestore_modes[MODE_RECOVERY]; return 0; } if (dfu_send_component(client, build_identity, "iBSS") < 0) { error("ERROR: Unable to send iBSS to device\n"); irecv_close(client->dfu->client); client->dfu->client = NULL; return -1; } if (client->build_major > 8) { /* reconnect */ dfu_client_free(client); sleep(2); dfu_client_new(client); /* get nonce */ unsigned char* nonce = NULL; int nonce_size = 0; int nonce_changed = 0; if (dfu_get_ap_nonce(client, &nonce, &nonce_size) < 0) { error("ERROR: Unable to get ApNonce from device!\n"); return -1; } if (!client->nonce || (nonce_size != client->nonce_size) || (memcmp(nonce, client->nonce, nonce_size) != 0)) { nonce_changed = 1; if (client->nonce) { free(client->nonce); } client->nonce = nonce; client->nonce_size = nonce_size; } else { free(nonce); } info("Nonce: "); int i; for (i = 0; i < client->nonce_size; i++) { info("%02x ", client->nonce[i]); } info("\n"); if (nonce_changed && !(client->flags & FLAG_CUSTOM)) { // Welcome iOS5. We have to re-request the TSS with our nonce. plist_free(client->tss); if (get_tss_response(client, build_identity, &client->tss) < 0) { error("ERROR: Unable to get SHSH blobs for this device\n"); return -1; } if (!client->tss) { error("ERROR: can't continue without TSS\n"); return -1; } fixup_tss(client->tss); } if (irecv_usb_set_configuration(client->dfu->client, 1) < 0) { error("ERROR: set configuration failed\n"); } /* send iBEC */ if (dfu_send_component(client, build_identity, "iBEC") < 0) { error("ERROR: Unable to send iBEC to device\n"); irecv_close(client->dfu->client); client->dfu->client = NULL; return -1; } } dfu_client_free(client); sleep(7); // Reconnect to device, but this time make sure we're not still in DFU mode if (recovery_client_new(client) < 0) { error("ERROR: Unable to connect to recovery device\n"); if (client->recovery->client) { irecv_close(client->recovery->client); client->recovery->client = NULL; } return -1; } irecv_get_mode(client->recovery->client, &mode); if (mode == IRECV_K_DFU_MODE) { error("ERROR: Unable to connect to recovery device\n"); if (client->recovery->client) { irecv_close(client->recovery->client); client->recovery->client = NULL; } return -1; } return 0; }