JJTech0130 · February 2, 2024 04:20
diff --git a/calculate_ota_offsets.py b/calculate_ota_offsets.py
 import requests
 from rich import print
 from rich.progress import track, Progress
 from rich.prompt import Prompt
 from rich.console import Console
 from rich.table import Table
 import zipfile
 import os
 import threading
 import io
 import lzma
 import json

 APPLEDB_API = "https://api.appledb.dev/"
 APPLEDB_RAW = "https://raw.githubusercontent.com/littlebyteorg/appledb/main/"
 CACHE_PATH = "cache/"

 def download_fast(url: str) -> bytes:
    if not os.path.exists(CACHE_PATH):
        os.makedirs(CACHE_PATH)
    cache_file = CACHE_PATH + url.split("/")[-1]
    if os.path.exists(cache_file):
        with open(cache_file, "rb") as f:
            return f.read()
    else:
        # Create progress bar
        progress = Progress()

        chunk_size = 1024 * 1024 * 100
        total_size = int(requests.head(url).headers["Content-Length"])

        number_of_chunks = total_size // chunk_size + 1
        task = progress.add_task("Downloading", total=number_of_chunks)


        def download(url,start):
            if start + chunk_size > total_size:
                c = total_size - start - 1
            else:
                c = chunk_size - 1
            #print(f"Downloading {start}-{start+c} of {total_size}")
            req = requests.get(url, headers={'Range': f'bytes={start}-{start+c}'}, stream=True)
            #req = urllib2.Request('http://www.python.org/')
            #req.headers['Range'] = 'bytes=%s-%s' % (start, start+chunk_size)
            ##parts[start] = f.read()
            parts[start] = req.content
            #print(f"Finished downloading {start}-{start+c} of {total_size}")
            progress.advance(task)


        threads = []
        parts = {}

        # Initialize threads
        for i in range(0,number_of_chunks):
            t = threading.Thread(target=download, args=(url,i*chunk_size))
            t.start()
            threads.append(t)

        progress.start()

        # Join threads back (order doesn't matter, you just want them all)
        for i in threads:
            i.join()

        progress.stop()

        #print(parts)
        print(sorted(parts.keys()))

        # Sort parts and you're done
        result = b''.join(parts[i] for i in sorted(parts.keys()))

        with open(cache_file, "wb") as f:
            f.write(result)
        return result

 def main():
    console = Console()
    # Ask for desired device type
    device = Prompt.ask(":mobile_phone: Device type", console=console, default="iPhone5,1")
    # Make sure the device is a real device using the AppleDB API
    device_info = requests.get(APPLEDB_API + f"device/{device}.json")
    if device_info.status_code != 200:
        print("Device not found.")
        return

    # Get giant build list
    builds = requests.get(APPLEDB_API + "ios/iOS/main.json").json()

    # Check if [device].json exists
    if not os.path.exists(CACHE_PATH + f"{device}.json"):
        ota_builds = []
        builds = [build for build in builds if build["osType"] == "iOS" and device in build["deviceMap"]]
        for build in track(builds, description="Checking builds for OTA updates"):
            # Use raw API to check for full OTA
            build_raw_resp = requests.get(APPLEDB_RAW + f"osFiles/iOS/{build['build'][:2]}x%20-%20{build['version'].split('.')[0]}.x/{build['build']}.json")
            if build_raw_resp.status_code != 200:
                continue
            build_raw = build_raw_resp.json()
            if not "sources" in build_raw:
                continue
            ota_sources = [source for source in build_raw["sources"] if device in source["deviceMap"] and source["type"] == "ota" and "prerequisiteBuild" not in source]
            if len(ota_sources) > 0:
                link = [link for link in ota_sources[0]["links"] if link["active"] == True][0]
                ota_builds.append((build["build"], build["version"], link["url"]))
        with open(CACHE_PATH + f"{device}.json", "w") as f:
            f.write(json.dumps(ota_builds))
    else:
        with open(CACHE_PATH + f"{device}.json", "r") as f:
            ota_builds = json.loads(f.read())

    print(f"Found {len(ota_builds)} full OTA updates for {device}")
    table = Table(title="OTA Updates")
    table.add_column("Build")
    table.add_column("Version")
    table.add_column("URL")
    for build in ota_builds:
        table.add_row(*build)
    console.print(table)

    # # Ask for desired build
    build_name = Prompt.ask(":package: Build", console=console, choices=[build[0] for build in ota_builds], default=ota_builds[0][0], show_choices=False)
    #build_name = "test"
    build_url = [build for build in ota_builds if build[0] == build_name][0][2]
    #build_url = "https://secure-appldnld.apple.com/ios10.2/031-94086-20161207-F7C9D786-BBFA-11E6-9985-663182FDB0CC/com_apple_MobileAsset_SoftwareUpdate/b78bd2674b358c518f8b0703df9047c88ff7218a.zip"
    build_file = download_fast(build_url)
    
    z = zipfile.ZipFile(io.BytesIO(build_file))
    
    if "AssetData/payloadv2/payload" in z.namelist():
        print("Found payloadv2")
        print("Payload offset in ZIP: " + hex(z.getinfo("AssetData/payloadv2/payload").header_offset + len(z.getinfo("AssetData/payloadv2/payload").FileHeader()) + 4)) # Not sure what the 4 is for but it makes it line up
        payload = z.read("AssetData/payloadv2/payload")
        #print(payload[:10])
        payload = io.BytesIO(payload)

        # Parse pbzx header
        assert payload.read(4) == b"pbzx"
        chunk_size = int.from_bytes(payload.read(8), "big")
        #print(f"Chunk size: {hex(chunk_size)}")

        chunks = []

        # Parse the chunks
        while True:
            offset = payload.tell()
            decompressed_length = int.from_bytes(payload.read(8), "big")
            if decompressed_length == 0:
                break
            length = int.from_bytes(payload.read(8), "big")
            payload.read(length) # Skip the compressed data
            chunks.append((offset, length))

        # Check if we have cached the decompressed archive
        cache_file = CACHE_PATH + build_url.split("/")[-1] + ".decompressed"
        if os.path.exists(cache_file):
            with open(cache_file, "rb") as f:
                archive = f.read()
        else:
            archive = b""

            for (offset, length) in track(chunks, description="Decompressing chunks"):
                payload.seek(offset + 16) # Skip the header (16 bytes)
                chunk = lzma.decompress(payload.read(length))
                archive += chunk

            with open(cache_file, "wb") as f:
                f.write(archive)

        print(archive[:10])

        archive = io.BytesIO(archive)

        # Parse the files
        files = []
        while True:
            archive.read(6)
            length = int.from_bytes(archive.read(4), "big")
            #print(f"File offset: {hex(offset)}")
            #print(f"File length: {hex(length)}")
            archive.read(12)
            name_length = int.from_bytes(archive.read(2), "big")
            archive.read(6)
            name = archive.read(name_length).decode()
            #print(f"File name: {name}")
            offset = archive.tell()

            archive.read(length)

            files.append((name, offset, length))

            if archive.tell() == archive.getbuffer().nbytes:
                break

        # Ask if we should write available files to disk
        from rich.prompt import Confirm
        if Confirm.ask("Write list of files to disk?", default=False):
            with open(f"{build_name}_files.txt", "w") as f:
                for (name, offset, length) in files:
                    f.write(f"{name} @ {hex(offset)} : {hex(length)}\n")

        # Ask for desired file
        file_name = Prompt.ask(":open_file_folder: File", console=console, choices=[file[0] for file in files], default="System/Library/PrivateFrameworks/IDS.framework/identityservicesd.app/identityservicesd", show_choices=False)
        file = [file for file in files if file[0] == file_name][0]
        print(file)

        # Calculate chunk number and offset
        start_chunk = file[1] // chunk_size # Chunk number, file may start partway into chunk due to floor division
        # Look up the offset for that chunk
        chunk_offset = chunks[start_chunk][0]
        # Calculate the offset into the chunk
        file_offset = file[1] % chunk_size
        # Check if the file is split across multiple chunks
        if file_offset + file[2] > chunk_size:
            print("File is split across multiple chunks")
        print(f"Chunk number: {start_chunk}")
        print(f"Chunk offset: {hex(chunk_offset + 16)}") # Remove the 16 byte header
        print(f"Chunk length: {hex(chunks[start_chunk][1])}") # Note header is not removed, I think this overreads?
        print(f"File offset: {hex(file_offset)}")
        print(f"File length: {hex(file[2])}")

        archive.seek(file[1])
        print(f"file sanity check: {archive.read(10)}")

 if __name__ == "__main__":
    main()
diff --git a/download_with_offsets.py b/download_with_offsets.py
 import lzma
 import sys

 import requests

 session = requests.Session()

 URL = "http://appldnld.apple.com/ios10.3.3/091-23111-20170719-B3106482-697B-11E7-BDE5-4C9500BA0AE3/com_apple_MobileAsset_SoftwareUpdate/9e1777da1d4a8d6917de9cfa115f253aab6098c7.zip"

 PBZ_IN_ZIP_OFFSET = 0x5a408fa
 PBZ_CHUNK_OFFSET  = 0x3fe01da4
 PBZ_CHUNK_LENGTH  = 0x35fa94
 FILE_IN_CHUNK_OFFSET = 0x15110f
 FILE_LENGTH          = 0x5c3940

 req_begin = PBZ_IN_ZIP_OFFSET + PBZ_CHUNK_OFFSET
 req_end = req_begin + PBZ_CHUNK_LENGTH
 resp = requests.get(URL, headers={
    "Range": f"bytes={req_begin}-{req_end-1}"
 }, stream=True)

 if resp.status_code != 206:
    print("Request failed")
    sys.exit(1)

 # this reads the whole chunk into memory,
 # but it's only 16MB so meh
 raw_chunk = lzma.decompress(resp.content, lzma.FORMAT_XZ)
 with open("identityservicesd", "wb") as fp:
    fp.write(raw_chunk[FILE_IN_CHUNK_OFFSET : FILE_IN_CHUNK_OFFSET+FILE_LENGTH])
	import requests
	from rich import print
	from rich.progress import track, Progress
	from rich.prompt import Prompt
	from rich.console import Console
	from rich.table import Table
	import zipfile
	import os
	import threading
	import io
	import lzma
	import json

	APPLEDB_API = "https://api.appledb.dev/"
	APPLEDB_RAW = "https://raw.githubusercontent.com/littlebyteorg/appledb/main/"
	CACHE_PATH = "cache/"

	def download_fast(url: str) -> bytes:
	if not os.path.exists(CACHE_PATH):
	os.makedirs(CACHE_PATH)
	cache_file = CACHE_PATH + url.split("/")[-1]
	if os.path.exists(cache_file):
	with open(cache_file, "rb") as f:
	return f.read()
	else:
	# Create progress bar
	progress = Progress()

	chunk_size = 1024 * 1024 * 100
	total_size = int(requests.head(url).headers["Content-Length"])

	number_of_chunks = total_size // chunk_size + 1
	task = progress.add_task("Downloading", total=number_of_chunks)


	def download(url,start):
	if start + chunk_size > total_size:
	c = total_size - start - 1
	else:
	c = chunk_size - 1
	#print(f"Downloading {start}-{start+c} of {total_size}")
	req = requests.get(url, headers={'Range': f'bytes={start}-{start+c}'}, stream=True)
	#req = urllib2.Request('http://www.python.org/')
	#req.headers['Range'] = 'bytes=%s-%s' % (start, start+chunk_size)
	##parts[start] = f.read()
	parts[start] = req.content
	#print(f"Finished downloading {start}-{start+c} of {total_size}")
	progress.advance(task)


	threads = []
	parts = {}

	# Initialize threads
	for i in range(0,number_of_chunks):
	t = threading.Thread(target=download, args=(url,i*chunk_size))
	t.start()
	threads.append(t)

	progress.start()

	# Join threads back (order doesn't matter, you just want them all)
	for i in threads:
	i.join()

	progress.stop()

	#print(parts)
	print(sorted(parts.keys()))

	# Sort parts and you're done
	result = b''.join(parts[i] for i in sorted(parts.keys()))

	with open(cache_file, "wb") as f:
	f.write(result)
	return result

	def main():
	console = Console()
	# Ask for desired device type
	device = Prompt.ask(":mobile_phone: Device type", console=console, default="iPhone5,1")
	# Make sure the device is a real device using the AppleDB API
	device_info = requests.get(APPLEDB_API + f"device/{device}.json")
	if device_info.status_code != 200:
	print("Device not found.")
	return

	# Get giant build list
	builds = requests.get(APPLEDB_API + "ios/iOS/main.json").json()

	# Check if [device].json exists
	if not os.path.exists(CACHE_PATH + f"{device}.json"):
	ota_builds = []
	builds = [build for build in builds if build["osType"] == "iOS" and device in build["deviceMap"]]
	for build in track(builds, description="Checking builds for OTA updates"):
	# Use raw API to check for full OTA
	build_raw_resp = requests.get(APPLEDB_RAW + f"osFiles/iOS/{build['build'][:2]}x%20-%20{build['version'].split('.')[0]}.x/{build['build']}.json")
	if build_raw_resp.status_code != 200:
	continue
	build_raw = build_raw_resp.json()
	if not "sources" in build_raw:
	continue
	ota_sources = [source for source in build_raw["sources"] if device in source["deviceMap"] and source["type"] == "ota" and "prerequisiteBuild" not in source]
	if len(ota_sources) > 0:
	link = [link for link in ota_sources[0]["links"] if link["active"] == True][0]
	ota_builds.append((build["build"], build["version"], link["url"]))
	with open(CACHE_PATH + f"{device}.json", "w") as f:
	f.write(json.dumps(ota_builds))
	else:
	with open(CACHE_PATH + f"{device}.json", "r") as f:
	ota_builds = json.loads(f.read())

	print(f"Found {len(ota_builds)} full OTA updates for {device}")
	table = Table(title="OTA Updates")
	table.add_column("Build")
	table.add_column("Version")
	table.add_column("URL")
	for build in ota_builds:
	table.add_row(*build)
	console.print(table)

	# # Ask for desired build
	build_name = Prompt.ask(":package: Build", console=console, choices=[build[0] for build in ota_builds], default=ota_builds[0][0], show_choices=False)
	#build_name = "test"
	build_url = [build for build in ota_builds if build[0] == build_name][0][2]
	#build_url = "https://secure-appldnld.apple.com/ios10.2/031-94086-20161207-F7C9D786-BBFA-11E6-9985-663182FDB0CC/com_apple_MobileAsset_SoftwareUpdate/b78bd2674b358c518f8b0703df9047c88ff7218a.zip"
	build_file = download_fast(build_url)

	z = zipfile.ZipFile(io.BytesIO(build_file))

	if "AssetData/payloadv2/payload" in z.namelist():
	print("Found payloadv2")
	print("Payload offset in ZIP: " + hex(z.getinfo("AssetData/payloadv2/payload").header_offset + len(z.getinfo("AssetData/payloadv2/payload").FileHeader()) + 4)) # Not sure what the 4 is for but it makes it line up
	payload = z.read("AssetData/payloadv2/payload")
	#print(payload[:10])
	payload = io.BytesIO(payload)

	# Parse pbzx header
	assert payload.read(4) == b"pbzx"
	chunk_size = int.from_bytes(payload.read(8), "big")
	#print(f"Chunk size: {hex(chunk_size)}")

	chunks = []

	# Parse the chunks
	while True:
	offset = payload.tell()
	decompressed_length = int.from_bytes(payload.read(8), "big")
	if decompressed_length == 0:
	break
	length = int.from_bytes(payload.read(8), "big")
	payload.read(length) # Skip the compressed data
	chunks.append((offset, length))

	# Check if we have cached the decompressed archive
	cache_file = CACHE_PATH + build_url.split("/")[-1] + ".decompressed"
	if os.path.exists(cache_file):
	with open(cache_file, "rb") as f:
	archive = f.read()
	else:
	archive = b""

	for (offset, length) in track(chunks, description="Decompressing chunks"):
	payload.seek(offset + 16) # Skip the header (16 bytes)
	chunk = lzma.decompress(payload.read(length))
	archive += chunk

	with open(cache_file, "wb") as f:
	f.write(archive)

	print(archive[:10])

	archive = io.BytesIO(archive)

	# Parse the files
	files = []
	while True:
	archive.read(6)
	length = int.from_bytes(archive.read(4), "big")
	#print(f"File offset: {hex(offset)}")
	#print(f"File length: {hex(length)}")
	archive.read(12)
	name_length = int.from_bytes(archive.read(2), "big")
	archive.read(6)
	name = archive.read(name_length).decode()
	#print(f"File name: {name}")
	offset = archive.tell()

	archive.read(length)

	files.append((name, offset, length))

	if archive.tell() == archive.getbuffer().nbytes:
	break

	# Ask if we should write available files to disk
	from rich.prompt import Confirm
	if Confirm.ask("Write list of files to disk?", default=False):
	with open(f"{build_name}_files.txt", "w") as f:
	for (name, offset, length) in files:
	f.write(f"{name} @ {hex(offset)} : {hex(length)}\n")

	# Ask for desired file
	file_name = Prompt.ask(":open_file_folder: File", console=console, choices=[file[0] for file in files], default="System/Library/PrivateFrameworks/IDS.framework/identityservicesd.app/identityservicesd", show_choices=False)
	file = [file for file in files if file[0] == file_name][0]
	print(file)

	# Calculate chunk number and offset
	start_chunk = file[1] // chunk_size # Chunk number, file may start partway into chunk due to floor division
	# Look up the offset for that chunk
	chunk_offset = chunks[start_chunk][0]
	# Calculate the offset into the chunk
	file_offset = file[1] % chunk_size
	# Check if the file is split across multiple chunks
	if file_offset + file[2] > chunk_size:
	print("File is split across multiple chunks")
	print(f"Chunk number: {start_chunk}")
	print(f"Chunk offset: {hex(chunk_offset + 16)}") # Remove the 16 byte header
	print(f"Chunk length: {hex(chunks[start_chunk][1])}") # Note header is not removed, I think this overreads?
	print(f"File offset: {hex(file_offset)}")
	print(f"File length: {hex(file[2])}")

	archive.seek(file[1])
	print(f"file sanity check: {archive.read(10)}")

	if __name__ == "__main__":
	main()
	import lzma
	import sys

	import requests

	session = requests.Session()

	URL = "http://appldnld.apple.com/ios10.3.3/091-23111-20170719-B3106482-697B-11E7-BDE5-4C9500BA0AE3/com_apple_MobileAsset_SoftwareUpdate/9e1777da1d4a8d6917de9cfa115f253aab6098c7.zip"

	PBZ_IN_ZIP_OFFSET = 0x5a408fa
	PBZ_CHUNK_OFFSET = 0x3fe01da4
	PBZ_CHUNK_LENGTH = 0x35fa94
	FILE_IN_CHUNK_OFFSET = 0x15110f
	FILE_LENGTH = 0x5c3940

	req_begin = PBZ_IN_ZIP_OFFSET + PBZ_CHUNK_OFFSET
	req_end = req_begin + PBZ_CHUNK_LENGTH
	resp = requests.get(URL, headers={
	"Range": f"bytes={req_begin}-{req_end-1}"
	}, stream=True)

	if resp.status_code != 206:
	print("Request failed")
	sys.exit(1)

	# this reads the whole chunk into memory,
	# but it's only 16MB so meh
	raw_chunk = lzma.decompress(resp.content, lzma.FORMAT_XZ)
	with open("identityservicesd", "wb") as fp:
	fp.write(raw_chunk[FILE_IN_CHUNK_OFFSET : FILE_IN_CHUNK_OFFSET+FILE_LENGTH])