feat: 🆕 img4 dec cmd

Author: blacktop

.gitignore

@@ -28,7 +28,8 @@ dyld_shared_cache*
 System
 usr
 *.xz
-
+*.bin
+*.s
 .DS_Store
 
 # Repo
@@ -45,3 +46,4 @@ checksums.txt.sha1
 public
 
 *.unstripped
+*.bndb

cmd/ipsw/cmd/img4.go

@@ -0,0 +1,40 @@
+/*
+Copyright © 2020 blacktop
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
+*/
+package cmd
+
+import (
+	"github.com/spf13/cobra"
+)
+
+// img4Cmd represents the img4 command
+var img4Cmd = &cobra.Command{
+	Use:   "img4",
+	Short: "Parse Img4",
+	Args:  cobra.NoArgs,
+	Run: func(cmd *cobra.Command, args []string) {
+		cmd.Help()
+	},
+}
+
+func init() {
+	rootCmd.AddCommand(img4Cmd)
+}

cmd/ipsw/cmd/img4_dec.go

@@ -0,0 +1,103 @@
+/*
+Copyright © 2020 blacktop
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
+*/
+package cmd
+
+import (
+	"crypto/aes"
+	"crypto/cipher"
+	"encoding/hex"
+	"fmt"
+	"io/ioutil"
+	"os"
+
+	"github.com/apex/log"
+	lzfse "github.com/blacktop/go-lzfse"
+	"github.com/blacktop/ipsw/internal/utils"
+	"github.com/blacktop/ipsw/pkg/img4"
+	"github.com/pkg/errors"
+	"github.com/spf13/cobra"
+)
+
+func init() {
+	img4Cmd.AddCommand(decImg4Cmd)
+
+	decImg4Cmd.PersistentFlags().StringP("iv-key", "k", "", "AES key")
+}
+
+// decCmd represents the dec command
+var decImg4Cmd = &cobra.Command{
+	Use:   "dec",
+	Short: "List kernel extentions",
+	Args:  cobra.MinimumNArgs(1),
+	RunE: func(cmd *cobra.Command, args []string) error {
+
+		if Verbose {
+			log.SetLevel(log.DebugLevel)
+		}
+
+		ivkeyStr, _ := cmd.Flags().GetString("iv-key")
+		ivkey, _ := hex.DecodeString(ivkeyStr)
+		iv := ivkey[:aes.BlockSize]
+		key := ivkey[aes.BlockSize:]
+
+		f, err := os.Open(args[0])
+		if err != nil {
+			return errors.Wrapf(err, "unabled to open file: %s", args[0])
+		}
+
+		i, err := img4.ParseIm4p(f)
+		if err != nil {
+			return errors.Wrap(err, "unabled to parse Im4p")
+		}
+
+		block, err := aes.NewCipher(key)
+		if err != nil {
+			return errors.Wrap(err, "failed to create new AES cipher")
+		}
+
+		// The IV needs to be unique, but not secure. Therefore it's common to
+		// include it at the beginning of the ciphertext.
+		if len(i.Data) < aes.BlockSize {
+			return errors.Errorf("Im4p data too short")
+		}
+
+		// CBC mode always works in whole blocks.
+		if len(i.Data)%aes.BlockSize != 0 {
+			return errors.Errorf("Im4p data is not a multiple of the block size")
+		}
+
+		mode := cipher.NewCBCDecrypter(block, iv)
+
+		// CryptBlocks can work in-place if the two arguments are the same.
+		mode.CryptBlocks(i.Data, i.Data)
+
+		decData := lzfse.DecodeBuffer(i.Data)
+
+		utils.Indent(log.Info, 2)(fmt.Sprintf("Decrypting file to %s", args[0]+".dec"))
+		err = ioutil.WriteFile(args[0]+".dec", decData, 0644)
+		if err != nil {
+			return errors.Wrap(err, "unabled decrypt Img4")
+		}
+
+		return nil
+	},
+}

docs/content/docs/commands/img4.md

@@ -0,0 +1,37 @@
+---
+title: "Img4"
+date: 2020-03-30T17:48:08-04:00
+draft: false
+weight: 16
+summary: Parse Img4 files.
+---
+
+## **img4 dec**
+
+### Decrypt an `Im4p` file
+
+Download _just_ iBoot
+
+```bash
+$ ipsw download pattern -v 13.4 -d iPhone12,3 iBoot
+```
+
+Decrypt it with things from tweets 😏
+
+```bash
+$ ipsw img4 dec --iv-key <IVKEY> iPhone12,3_D421AP_17E255/iBoot.d421.RELEASE.im4p
+   • Parsing Im4p
+      • Decrypting file to iPhone12,3_D421AP_17E255/iBoot.d421.RELEASE.im4p.dec
+```
+
+It's a thing of beauty 😍
+
+```bash
+$ hexdump -C -s 512 -n 80 iPhone12,3_D421AP_17E255/iBoot.d421.RELEASE.im4p.dec
+
+00000200  69 42 6f 6f 74 20 66 6f  72 20 64 34 32 31 2c 20  |iBoot for d421, |
+00000210  43 6f 70 79 72 69 67 68  74 20 32 30 30 37 2d 32  |Copyright 2007-2|
+00000220  30 31 39 2c 20 41 70 70  6c 65 20 49 6e 63 2e 00  |019, Apple Inc..|
+00000230  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+00000240  52 45 4c 45 41 53 45 00  00 00 00 00 00 00 00 00  |RELEASE.........|
+```

docs/content/docs/roadmap/index.md

@@ -19,7 +19,7 @@ My main goal is to create a mantainable _dyld_shared_cache_ splitter
 - [ ] pure Go lzfse
 - [x] OTA support
 - [ ] APFS/HFS parsing to pull dyld without mounting
-- [ ] create offline copy of ipsw.me API
+- [ ] watch for new IPSW files with https://github.com/radovskyb/watcher
 - [ ] https://github.com/xerub/img4lib and https://github.com/tihmstar/img4tool
 - [ ] devicetree read/write
 - [ ] add 💄https://github.com/muesli/termenv

pkg/img4/img4.go

@@ -307,3 +307,19 @@ func Parse(r io.Reader) (*Img4, error) {
 		},
 	}, nil
 }
+
+func ParseIm4p(r io.Reader) (*im4p, error) {
+	utils.Indent(log.Info, 1)("Parsing Im4p")
+
+	data := new(bytes.Buffer)
+	data.ReadFrom(r)
+
+	var i im4p
+
+	_, err := asn1.Unmarshal(data.Bytes(), &i)
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to ASN.1 parse Im4p")
+	}
+
+	return &i, nil
+}

pkg/kernelcache/kernelcache.go

@@ -69,8 +69,9 @@ type CompressedCache struct {
 func ParseImg4Data(data []byte) (*CompressedCache, error) {
 	utils.Indent(log.Info, 2)("Parsing Kernelcache IMG4")
 
+	// NOTE: openssl asn1parse -i -inform DER -in kernelcache.iphone10 | less (to get offset)
+	//       openssl asn1parse -i -inform DER -in kernelcache.iphone10 -strparse OFFSET -noout -out lzfse.bin
 	var i Img4
-	// NOTE: openssl asn1parse -i -inform DER -in kernelcache.iphone10
 	if _, err := asn1.Unmarshal(data, &i); err != nil {
 		return nil, errors.Wrap(err, "failed to ASN.1 parse Kernelcache")
 	}

pkg/macho/types/codesign.go

@@ -0,0 +1,120 @@
+package types
+
+const (
+	// Magic numbers used by Code Signing
+	CSMAGIC_REQUIREMENT        = 0xfade0c00 // single Requirement blob
+	CSMAGIC_REQUIREMENTS       = 0xfade0c01 // Requirements vector (internal requirements)
+	CSMAGIC_CODEDIRECTORY      = 0xfade0c02 // CodeDirectory blob
+	CSMAGIC_EMBEDDED_SIGNATURE = 0xfade0cc0 // embedded form of signature data
+	CSMAGIC_DETACHED_SIGNATURE = 0xfade0cc1 // multi-arch collection of embedded signatures
+	CSMAGIC_BLOBWRAPPER        = 0xfade0b01 // used for the cms blob
+)
+
+const (
+	CS_PAGE_SIZE = 4096
+
+	CS_HASHTYPE_SHA1             = 1
+	CS_HASHTYPE_SHA256           = 2
+	CS_HASHTYPE_SHA256_TRUNCATED = 3
+	CS_HASHTYPE_SHA384           = 4
+
+	CS_HASH_SIZE_SHA1             = 20
+	CS_HASH_SIZE_SHA256           = 32
+	CS_HASH_SIZE_SHA256_TRUNCATED = 20
+
+	CSSLOT_CODEDIRECTORY                 = 0
+	CSSLOT_INFOSLOT                      = 1
+	CSSLOT_REQUIREMENTS                  = 2
+	CSSLOT_RESOURCEDIR                   = 3
+	CSSLOT_APPLICATION                   = 4
+	CSSLOT_ENTITLEMENTS                  = 5
+	CSSLOT_ALTERNATE_CODEDIRECTORIES     = 0x1000
+	CSSLOT_ALTERNATE_CODEDIRECTORY_MAX   = 5
+	CSSLOT_ALTERNATE_CODEDIRECTORY_LIMIT = CSSLOT_ALTERNATE_CODEDIRECTORIES + CSSLOT_ALTERNATE_CODEDIRECTORY_MAX
+	CSSLOT_CMS_SIGNATURE                 = 0x10000
+
+	kSecCodeSignatureAdhoc = 2
+)
+
+const CS_REQUIRE_LV = 0x0002000 // require library validation
+
+// Structure of a SuperBlob
+type CsBlobIndex struct {
+	Type   uint32 // type of entry
+	Offset uint32 // offset of entry
+}
+
+type CsSuperBlob struct {
+	Magic  uint32 // magic number
+	Length uint32 // total length of SuperBlob
+	Count  uint32 // number of index entries following
+	// Index  []CsBlobIndex // (count) entries
+	// followed by Blobs in no particular order as indicated by offsets in index
+}
+
+// type CsSuperBlob struct {
+// 	Magic  uint32        // magic number
+// 	Length uint32        // total length of SuperBlob
+// 	Count  uint32        // number of index entries following
+// 	Index  []CsBlobIndex // (count) entries
+// 	// followed by Blobs in no particular order as indicated by offsets in index
+// }
+
+// C form of a CodeDirectory.
+type CsCodeDirectory struct {
+	Magic         uint32 // magic number (CSMAGIC_CODEDIRECTORY) */
+	Length        uint32 // total length of CodeDirectory blob
+	Version       uint32 // compatibility version
+	Flags         uint32 // setup and mode flags
+	HashOffset    uint32 // offset of hash slot element at index zero
+	IdentOffset   uint32 // offset of identifier string
+	NSpecialSlots uint32 // number of special hash slots
+	NCodeSlots    uint32 // number of ordinary (code) hash slots
+	CodeLimit     uint32 // limit to main image signature range
+	HashSize      uint8  // size of each hash in bytes
+	HashType      uint8  // type of hash (cdHashType* constants)
+	Platform      uint8  // platform identifier zero if not platform binary
+	PageSize      uint8  // log2(page size in bytes) 0 => infinite
+	Spare2        uint32 // unused (must be zero)
+
+	EndEarliest [0]uint8
+
+	/* Version 0x20100 */
+	ScatterOffset  uint32 /* offset of optional scatter vector */
+	EndWithScatter [0]uint8
+
+	/* Version 0x20200 */
+	TeamOffset  uint32 /* offset of optional team identifier */
+	EndWithTeam [0]uint8
+
+	/* Version 0x20300 */
+	Spare3             uint32 /* unused (must be zero) */
+	CodeLimit64        uint64 /* limit to main image signature range, 64 bits */
+	EndWithCodeLimit64 [0]uint8
+
+	/* Version 0x20400 */
+	ExecSegBase    uint64 /* offset of executable segment */
+	ExecSegLimit   uint64 /* limit of executable segment */
+	ExecSegFlags   uint64 /* exec segment flags */
+	EndWithExecSeg [0]uint8
+
+	/* followed by dynamic content as located by offset fields above */
+}
+
+type CsBlob struct {
+	Magic  uint32 // magic number
+	Length uint32 // total length of blob
+}
+
+type CsRequirementsBlob struct {
+	Magic  uint32 // magic number
+	Length uint32 // total length of blob
+	Data   uint32 // zero for dyld shared cache
+}
+
+type CsScatter struct {
+	Count        uint32 // number of pages zero for sentinel (only)
+	Base         uint32 // first page number
+	TargetOffset uint64 // byte offset in target
+	Spare        uint64 // reserved (must be zero)
+}