OTA Episode 7: The PBZX Awakens

Since Jonathan Levin, creator of the tools to extract iOS OTA files (namely ota.c and pbzx.c), went on a hiatus on Twitter (update: he came back recently), I'm going to continue his journey with iOS OTA update files, but with a lot less technical understanding. I'm also keeping up his tradition of naming the articles like Star Wars movies (even though he only did that for the last two articles). See the resemblance? New trilogy, new creator? Anyway, back to the topic.

Ever since Apple released the iOS 12 beta, I have been trying to extract its OTA files. However, Apple changed the format again. Instead of a single payload in AssetData/payloadv2, we now have payload chunks again (for example payload.000 to payload.034 in the OTA package for the just-announced iPhone11,6).

For this experiment, I'm using the iOS 12 GM OTA file for the iPhone11,6 (presumably the iPhone Xs), which you can download from ipsw.me.

Now, I have an app installed on my Mac called "The Unarchiver" (not an ad), and for some reason it detected the payload chunks as a RAR file. First thing to do? Let The Unarchiver extract the chunks and see what happens.

After extracting, I ended up with 2.34 GB of "data" (according to the file command). The pbzx tool included in Levin's OTA Episode 6 didn't want to do anything with it: it just created an empty .xz file, no matter which variant I tried from all six episodes. The ota(a) tool, however, actually tried to extract something, but quickly got stuck at some point, refusing to go any further.

Luckily, I still had the extraction tools from Episode 3 in my Downloads folder, so I decided to give that pbzx version a try. First with the "extracted" payload file, which resulted in another empty .xz file and the following message:

Janiks-Mac-mini:payloadv2 janikschmidt$ /Users/janikschmidt/Downloads/pbzx/pbzx < payload > p.xz
Flags: 0x800000
Janiks-Mac-mini:payloadv2 janikschmidt$

Next, I tried a chunk file. Same message, same empty .xz file:

Janiks-Mac-mini:payloadv2 janikschmidt$ /Users/janikschmidt/Downloads/pbzx/pbzx < payload.000 > p.xz
Flags: 0x800000
Janiks-Mac-mini:payloadv2 janikschmidt$

I then compared the code of Episode 6's pbzx to the current version available from Levin. Different line count: 136 lines instead of 125. So there must have been at least some change. I compiled it, ran it again with a chunk file and finally got something:

Janiks-Mac-mini:payloadv2 janikschmidt$ /Users/janikschmidt/Downloads/pbzx/pbzx2 < payload.000 > p.xz
Flags: 0x800000
Chunk #1 (flags: 463315, length: 247488 bytes)
OK! (4599808 bytes)
Janiks-Mac-mini:payloadv2 janikschmidt$

I then looked through all the OTA Episodes to see whether payload chunks had already appeared in a previous iOS release, and found Episode 2, which handles iOS 9's OTA updates. That episode contains a bash one-liner that converts every payload chunk into compressed xz data. Here's the command I used:

for p in payload.*; do ./pbzx2 < "$p" > "extracted.$p.xz"; done

This loop selects every file whose name starts with payload. (including the seemingly unnecessary .ecc files), feeds each one to pbzx and writes the result as an .xz file. At this point we have several extracted.payload.0xx.xz and extracted.payload.0xx.ecc.xz files. We'll ignore the latter for now.

Update: Turns out the .ecc files aren't needed at all for the actual extraction, and they produce errors once pbzx tries to handle them. With this in mind, we can just delete them:

Janiks-Mac-mini:payloadv2 janikschmidt$ rm extracted.payload.*.ecc.xz

Since pbzx has already converted the chunks into files the ota tool can read, we can now extract the file system from all of them:

Janiks-Mac-mini:payloadv2 janikschmidt$ mkdir OTA
Janiks-Mac-mini:payloadv2 janikschmidt$ cd OTA
Janiks-Mac-mini:OTA janikschmidt$ for i in ../extracted.*; do /Users/janikschmidt/Downloads/pbzx/ota -e '*' "$i"; done

After a while, you should have a fully extracted file system.
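The pbzx stage of the procedure above (unpack every payload.NNN chunk, skip the .ecc files, and refuse to write an empty result), as an added Python example that is not part of this post or of Levin's tools. It assumes the commonly documented pbzx layout: a 4-byte pbzx magic, an 8-byte big-endian stream flags word, then chunks of 8-byte flags, 8-byte length and that many bytes, where a chunk beginning with the xz magic is decompressed and anything else is copied through. It reads chunks until end of file instead of testing a "more chunks" bit in the stream flags, so a header with unfamiliar flag bits (the post shows 0x800000) cannot silently produce an empty file, and it writes the uncompressed content under the post's extracted. prefix. build_pbzx and demo only produce constructed sample containers for illustration; neither is Apple's packer.

```python
import io
import lzma
import struct
import tempfile
from pathlib import Path

PBZX_MAGIC = b"pbzx"
XZ_MAGIC = b"\xfd7zXZ\x00"
HEADER = struct.Struct(">Q")         # 8-byte big-endian stream flags (assumed layout)
CHUNK_HEADER = struct.Struct(">QQ")  # 8-byte flags, 8-byte length per chunk (assumed layout)


def stream_flags(data: bytes) -> int:
    """Validate the container magic and return the stream flags word."""
    if len(data) < 4 + HEADER.size or not data.startswith(PBZX_MAGIC):
        raise ValueError("not a pbzx container (magic %r, %d bytes)" % (data[:4], len(data)))
    return HEADER.unpack_from(data, 4)[0]


def iter_pbzx_chunks(data: bytes):
    """Yield (chunk_flags, chunk_bytes) for every chunk, reading until EOF."""
    stream_flags(data)
    pos = 4 + HEADER.size
    while pos < len(data):
        if len(data) - pos < CHUNK_HEADER.size:
            raise ValueError("truncated chunk header at offset %d" % pos)
        flags, length = CHUNK_HEADER.unpack_from(data, pos)
        pos += CHUNK_HEADER.size
        chunk = data[pos:pos + length]
        if len(chunk) != length:
            raise ValueError("chunk at offset %d truncated: header says %d bytes, %d present"
                             % (pos, length, len(chunk)))
        pos += length
        yield flags, chunk


def unpack_pbzx(data: bytes) -> bytes:
    """Concatenate the uncompressed content of all chunks; fail loudly if there are none."""
    flags = stream_flags(data)
    out, count = io.BytesIO(), 0
    for _, chunk in iter_pbzx_chunks(data):
        count += 1
        if chunk.startswith(XZ_MAGIC):
            out.write(lzma.decompress(chunk, format=lzma.FORMAT_XZ))
        else:
            out.write(chunk)  # stored uncompressed, copied through verbatim
    if count == 0:
        raise ValueError("stream flags 0x%x but no chunks followed; refusing to write empty output" % flags)
    return out.getvalue()


def build_pbzx(chunks, flags=0x800000) -> bytes:
    """Pack (payload, compress) pairs into a pbzx container. Constructed test data only."""
    out = io.BytesIO()
    out.write(PBZX_MAGIC + HEADER.pack(flags))
    for payload, compress in chunks:
        body = lzma.compress(payload, format=lzma.FORMAT_XZ) if compress else payload
        # chunk flags carry the uncompressed size here; an assumption made for the sample only
        out.write(CHUNK_HEADER.pack(len(payload), len(body)) + body)
    return out.getvalue()


def convert_payload_dir(src: Path, dst: Path) -> list:
    """Unpack every payload.NNN file in src into dst/extracted.payload.NNN, skipping .ecc files."""
    dst.mkdir(parents=True, exist_ok=True)
    written = []
    for chunk_file in sorted(src.glob("payload.*")):
        if chunk_file.suffix == ".ecc":
            continue
        target = dst / ("extracted." + chunk_file.name)
        target.write_bytes(unpack_pbzx(chunk_file.read_bytes()))
        written.append(target.name)
    return written


def demo():
    """Build a throwaway payloadv2-like directory, convert it, and report the output sizes."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp) / "payloadv2", Path(tmp) / "out"
        src.mkdir()
        (src / "payload.000").write_bytes(build_pbzx([(b"A" * 5000, True), (b"raw-tail", False)]))
        (src / "payload.001").write_bytes(build_pbzx([(b"B" * 3000, True)]))
        (src / "payload.000.ecc").write_bytes(b"not a pbzx container")  # must be skipped
        names = convert_payload_dir(src, dst)
        sizes = {n: (dst / n).stat().st_size for n in names}
    return names, sizes


if __name__ == "__main__":
    print(demo())
```

Reading until EOF rather than trusting a flag bit is the safer default when the header semantics have changed between releases, as they evidently did here; the explicit check for zero chunks turns the silent "empty .xz file" symptom from the post into an error message that names the flags it saw.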

Now I should probably include some fancy outro here, but I'm really uncreative when it comes to writing. So, enjoy this not-so-fancy italic text.

Now, about those OTA files…

I downloaded the iPhone11,6 OTA update files because they were the only ones available through ipsw.me. But Apple's iOS 12 Developer Software Update Catalog (which can be publicly accessed through this link) also contains the update files for iPhone11,2, iPhone11,4 and iPhone11,8, all of which were announced today.

To download an OTA file, you concatenate the strings in __BaseURL and __RelativePath, which results in this beauty for the iPhone11,6:

http://updates-http.cdn-apple.com/2018FallFCS/patches/091-65200/C5B0A7A2-AC8F-11E8-AFBD-BC692C96D1B6/com_apple_MobileAsset_SoftwareUpdate/47b192e9f824361d5acd4a30f0d7f1235ea7955c.zip
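Building that URL from the catalog, plus the check a practitioner wants before trusting a zip fetched over plain http, as an added Python example that is not part of this post. The catalog is a property list; __BaseURL and __RelativePath are the keys the post names, while the Assets array name, SupportedDevices, OSVersion, _Measurement and _MeasurementAlgorithm are assumed key names, and every value in the sample below is constructed (the base/relative split of the post's URL included). SAMPLE_ZIP stands in for a downloaded asset.

```python
import hashlib
import plistlib

SAMPLE_ZIP = b"not a real OTA zip, just bytes to hash"  # constructed stand-in for a download

# Constructed catalog excerpt in the shape of a software-update catalog. Key names
# other than __BaseURL and __RelativePath are assumptions; all values are sample data.
SAMPLE_ASSETS = [
    {
        "SupportedDevices": ["iPhone11,6"],
        "OSVersion": "12.0",
        "__BaseURL": "http://updates-http.cdn-apple.com/2018FallFCS/patches/091-65200/"
                     "C5B0A7A2-AC8F-11E8-AFBD-BC692C96D1B6/",
        "__RelativePath": "com_apple_MobileAsset_SoftwareUpdate/"
                          "47b192e9f824361d5acd4a30f0d7f1235ea7955c.zip",
        "_MeasurementAlgorithm": "SHA-1",
        "_Measurement": hashlib.sha1(SAMPLE_ZIP).digest(),
    },
    {
        "SupportedDevices": ["iPhone11,2", "iPhone11,4"],
        "OSVersion": "12.0",
        "__BaseURL": "https://example.invalid/ota/",
        "__RelativePath": "com_apple_MobileAsset_SoftwareUpdate/example.zip",
        "_MeasurementAlgorithm": "SHA-1",
        "_Measurement": hashlib.sha1(b"some other zip").digest(),
    },
]
SAMPLE_CATALOG = plistlib.dumps({"Assets": SAMPLE_ASSETS})  # what a fetched catalog looks like on disk


def asset_url(asset: dict) -> str:
    """Combine __BaseURL and __RelativePath exactly the way the post describes."""
    return asset["__BaseURL"] + asset["__RelativePath"]


def find_assets(catalog: bytes, device: str) -> list:
    """Return (OSVersion, url, served_over_tls) for every asset that lists `device`."""
    plist = plistlib.loads(catalog)
    hits = []
    for asset in plist.get("Assets", []):
        if device not in asset.get("SupportedDevices", []):
            continue
        url = asset_url(asset)
        hits.append((asset.get("OSVersion", "?"), url, url.startswith("https://")))
    return hits


def verify_measurement(asset: dict, blob: bytes) -> bool:
    """Compare a downloaded blob against the catalog's digest (assumed key names)."""
    algo = asset["_MeasurementAlgorithm"]
    if algo != "SHA-1":
        raise ValueError("unsupported measurement algorithm %r" % algo)
    return hashlib.sha1(blob).digest() == asset["_Measurement"]


if __name__ == "__main__":
    for version, url, tls in find_assets(SAMPLE_CATALOG, "iPhone11,6"):
        print(version, url, "(TLS)" if tls else "(plain http, verify the digest before unpacking)")
    print("digest matches:", verify_measurement(SAMPLE_ASSETS[0], SAMPLE_ZIP))
```

The post's URL is plain http, so nothing on the wire authenticates the 2 GB zip you pull down; whatever digest the catalog carries for the asset is what ties the bytes on disk back to the catalog you read it from, and it is worth checking before feeding the archive to any extraction tooling.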

Just some guy, really.
