Thread: [HOW-TO] Be a Firmware Fraud ;)
-
11-17-2007, 07:02 PM #1
[HOW-TO] Be a Firmware Fraud ;)
Hey all,
I had a little free time and was rooting through my iPhone's folders with WinSCP and I came across a fun little plist.
With said plist and a little hackery, the following can be achieved:
A fake, albeit convincing, restore image: [screenshot]
Fooling iTunes: [screenshot]
Real iPhone Snapshots: [screenshots]
I promise you, none of the above have been doctored in any way other than to remove sensitive information.
This is extremely easy to do:
1. Making the fake firmware file:
All you need to do is take any large file and zip it, then rename the zip file with the ".ipsw" extension. For my screenshot I took the 1.1.1 ipsw, renamed it to .zip, unzipped it, then re-zipped the new file with a lower compression in order to obtain a larger file size, and finally renamed it.
2. Modifying the plist on your iPhone:
SSH into your iPhone and navigate to "/System/Library/CoreServices"
In this folder, there's a file called "SystemVersion.plist" which is what we edit. That plist looks something like this:
Code:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>BasedOn</key>
    <string>Whatever It's based on</string>
    <key>ProductBuildVersion</key>
    <string>Your Firmware's build number</string>
    <key>ProductCopyright</key>
    <string>1983-2007 Apple Inc.</string>
    <key>ProductName</key>
    <string>OS X</string>
    <key>ProductVersion</key>
    <string>Your firmware's version</string>
</dict>
</plist>
The two values you need to edit are ProductBuildVersion and ProductVersion (shown in bold in the original post). Apple iPhone firmware numbers typically follow this sort of format: #X###x ("#" being a number and "X" and "x" being upper- and lower-case letters). For example, 3A109a is 1.1.1's build number.
3. Taking fake screenshots and distributing them:
Reboot your iPhone and plug it into iTunes, which will see it as whatever firmware you set it as. Now you can take screenshots of iTunes, of your fake ipsw, and of your iPhone using the snap utility by Erica Sadun. Now all you have to do is send a few emails, and you're world famous for having cracked Apple's databases, stolen partially-developed firmware, and jailbroken it.
And when everyone starts yelling that you Photoshopped the images, you can honestly say that they're completely real.
Have fun
I'll go back to working on iDemocracy now
-- Drakenza
Disclaimer:
Don't really try to get famous by faking screenshots of a new firmware. This tutorial is just for fun... If you get sued by Apple or hated by the MMi community or whatever, you can't hold me responsible.
Anshu Chimala
Follow @anshuchimala on Twitter
Visit http://www.airpoke.com, my latest project for iPhone/iPod touch.
-
The Following User Says Thank You to Drakenza For This Useful Post:
jimmytim (11-17-2007)
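The three steps above amount to rewriting two string values in an XML property list. The following is an added example (mine, not code from the post or from Apple) that does the edit with Python's standard plistlib and shows that nothing else in the file changes. The sample plist is constructed from the post's skeleton with the 1.1.1 / 3A109a values it cites; the build-string check implements the post's "#X###x" pattern, loosened to accept two-digit builds and a missing trailing letter, which is my assumption, not something the post states. It only transforms bytes in memory; copying the result to /System/Library/CoreServices on a device is the SSH step the post describes and is not done here.

```python
import plistlib
import re

# Constructed sample: the SystemVersion.plist skeleton from the post, filled in
# with the 1.1.1 / 3A109a values the post cites. Not captured from a device.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>BasedOn</key>
    <string>Whatever It's based on</string>
    <key>ProductBuildVersion</key>
    <string>3A109a</string>
    <key>ProductCopyright</key>
    <string>1983-2007 Apple Inc.</string>
    <key>ProductName</key>
    <string>OS X</string>
    <key>ProductVersion</key>
    <string>1.1.1</string>
</dict>
</plist>
"""

# Post's "#X###x" shape: digit, upper-case letter, digits, optional lower-case
# letter. Allowing 2-3 digits and an optional suffix is my assumption.
BUILD_RE = re.compile(r"\d[A-Z]\d{2,3}[a-z]?")
VERSION_RE = re.compile(r"\d+(\.\d+){1,2}")


def is_plausible_build(build):
    """True if the string has the build-number shape the post describes."""
    return BUILD_RE.fullmatch(build) is not None


def read_version(plist_bytes):
    """Return (ProductVersion, ProductBuildVersion) from a SystemVersion.plist."""
    d = plistlib.loads(plist_bytes)
    return d["ProductVersion"], d["ProductBuildVersion"]


def spoof_system_version(plist_bytes, version, build):
    """Rewrite only the two version strings and serialise the plist back to XML.

    The values are just strings (as post #5 says); the checks here only keep
    the fake from looking obviously malformed.
    """
    if not is_plausible_build(build):
        raise ValueError(f"build {build!r} does not look like an Apple build string")
    if VERSION_RE.fullmatch(version) is None:
        raise ValueError(f"version {version!r} is not dotted-numeric")
    d = plistlib.loads(plist_bytes)
    d["ProductVersion"] = version
    d["ProductBuildVersion"] = build
    return plistlib.dumps(d, fmt=plistlib.FMT_XML)


def changed_keys(before, after):
    """Keys whose values differ between two plists, to confirm the edit is minimal."""
    a, b = plistlib.loads(before), plistlib.loads(after)
    return sorted(k for k in set(a) | set(b) if a.get(k) != b.get(k))


if __name__ == "__main__":
    # "1.1.9" / "5Z123z" are constructed fake values, not real firmware identifiers.
    faked = spoof_system_version(SAMPLE_PLIST, "1.1.9", "5Z123z")
    print("before:", read_version(SAMPLE_PLIST))
    print("after: ", read_version(faked))
    print("changed:", changed_keys(SAMPLE_PLIST, faked))
```

plistlib writes its own DOCTYPE line ("-//Apple//DTD PLIST 1.0//EN") rather than the older "Apple Computer" one in the sample; both parse identically, so only the two edited strings differ in content.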
-
11-17-2007, 10:25 PM #2
You...are...cool!
I wonder if this stops itunes from doing auto firmware updates.
-
11-18-2007, 01:04 AM #3 (My iPhone is a Part of Me)
hah, can u edit the # of firmware with letters?

-
11-18-2007, 01:18 AM #4 (iPhoneaholic)
Yes, this stops iTunes from updating. It can be risky when you need to restore your phone during a phone crash. Chances are that it might not detect or perform the right measures during DFU mode.
-
11-18-2007, 01:35 AM #5
you can put anything in for the firmware, it's just a string.
And it will stop autoupdates (which could be a blessing in disguise) but doesn't mess with DFU and is totally reversible as far as I've tested.
-
11-18-2007, 09:56 AM #6
Yeah I found this a little while ago too - You got me all excited there though because I thought you found a way to recompress a doctored iPhone firmware
-
11-18-2007, 12:15 PM #7
@King Chronic: No, but interestingly enough I've been trying with doctored firmware images. I hit a hard stop at one "error 6". I'm thinking iTunes obviously checksums or looks for a signature or something which gets blown away due to de-/re-compressing the ipsw file. One approach would be to just disassemble iTunes and patch the checker but I'm thinking that's illegal

-
11-18-2007, 12:39 PM #8 (Livin the iPhone Life)
-
11-18-2007, 05:38 PM #9 (My iPhone is a Part of Me)
Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha
-
12-02-2007, 02:16 PM #10 (iPhoneaholic)
Great one!!! Can I have a build number of 1.1.2?
I'm using 1.1.1 but now I'm using 1.1.2 according to my iTunes/About.. LOL
DoNt ForGeT to Say "THanK You" using tHe THANKS ButToN if you found my post helpful
Apple iPhoNe 3GS Factory Unlocked 3.1.2 All working flawlessly!!
-
12-03-2007, 04:15 AM #11 (I'm not a star)
Pre-modded f/w would be awesome. This way, n00bs couldn't screw up that bad.

Nice find btw!
-
12-03-2007, 07:07 PM #12
-
12-05-2007, 10:33 PM #13
If Apple wrote their own compression algorithm I doubt they would make it readable by anything other than iTunes. The fact that WinZip, WinRAR, Stuffit, and all the various other programs can extract ipsw files indicates that they're standard ZIPs. However, the degree of compression is not known.
I'm going to try to get the MD5 hash of a clean IPSW, unzip it, rezip it on various compressions, and compare hashes.
It's also very possible that iTunes doesn't care at all about the MD5 and rather, during that extraction phase, it goes through the file list and looks for non-Apple files.
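Posts #7 and #13 both hinge on the same question: does an extract-and-re-zip round trip give back the same bytes, and if not, what exactly changes? The following is an added example (mine, not from the thread) that builds a small constructed stand-in for an .ipsw, repacks it at several compression settings, and compares the whole-archive hash against the per-member content hashes. It uses SHA-256 where the post mentions MD5; the point is byte equality, not collision resistance. The member names and contents are invented and are not from any Apple image.

```python
import hashlib
import io
import zipfile

# Constructed stand-in for an .ipsw: a plain ZIP with a few invented members.
SAMPLE_MEMBERS = {
    "Restore.plist": b"<plist/>",
    "Firmware/dfu/blob.bin": bytes(range(256)) * 64,   # compressible filler
    "kernelcache": b"A" * 4096 + b"B" * 4096,           # compressible filler
}


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def make_sample_ipsw():
    """Build the constructed archive with default Deflate, like a typical zip tool."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in SAMPLE_MEMBERS.items():
            zf.writestr(name, data)
    return buf.getvalue()


def member_digests(archive):
    """Hash of each member's decompressed content, keyed by path."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return {name: sha256(zf.read(name)) for name in zf.namelist()}


def repack(archive, method, level=None):
    """Extract every member and re-zip it with the given method/level.

    Timestamps and mode bits are copied so that the compression settings are
    the only thing that changes between the original and the repack.
    """
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(archive)) as src, \
            zipfile.ZipFile(out, "w", method, compresslevel=level) as dst:
        for info in src.infolist():
            zinfo = zipfile.ZipInfo(info.filename, date_time=info.date_time)
            zinfo.external_attr = info.external_attr
            dst.writestr(zinfo, src.read(info.filename),
                         compress_type=method, compresslevel=level)
    return out.getvalue()


VARIANTS = [
    ("stored", zipfile.ZIP_STORED, None),      # "lower compression" as in step 1
    ("deflate-1", zipfile.ZIP_DEFLATED, 1),
    ("deflate-9", zipfile.ZIP_DEFLATED, 9),
]


def compare(original):
    """For each repack: size, whether the archive hash survived, whether member content did."""
    orig_hash = sha256(original)
    orig_members = member_digests(original)
    rows = []
    for label, method, level in VARIANTS:
        repacked = repack(original, method, level)
        rows.append({
            "variant": label,
            "size": len(repacked),
            "archive_hash_matches": sha256(repacked) == orig_hash,
            "members_unchanged": member_digests(repacked) == orig_members,
        })
    return rows


if __name__ == "__main__":
    original = make_sample_ipsw()
    print(f"original: {len(original)} bytes, sha256={sha256(original)[:16]}...")
    for row in compare(original):
        print(row)
```

The takeaway for post #13's experiment: a hash over the whole archive is a hash over the compressor's output and the ZIP metadata, so it changes with the compression level even though every member decompresses to identical bytes. Any integrity check that survives a repack has to be computed over the members, not the container.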
-
12-06-2007, 03:34 PM #14
I was looking around in the dev wiki today and apparently people have been trying to do this, but the only problem is, iTunes doesn't like the fact that the modded DMG wasn't re-encrypted. It looks like it sort of came to a halt at that point...
-
12-07-2007, 06:42 PM #15 (Owner / Founder - ModMyi, aka poetic_folly)
Yah, while this is just a fun joke, being able to distribute (non-officially, of course) pre-modded firmwares would be a fun, although dangerous (imagine the n00bs trying and getting jacked up stuff on folks' phones) hack. Reminiscent of the PSP modding scene.
-
12-07-2007, 10:28 PM #16
Pre-modded firmwares would not only be fun, they'd be ridiculously useful
Imagine if you could just download a file, restore it with iTunes, and that's it. You're jailbroken, ready for unlocking, ringtones, whatever.
If we could use the same protocols to restore the image automatically as well, that would be the ultimate one-click solution. I suppose if someone really has the time and the experience they could reverse-engineer iTunes' algorithm... but I doubt anyone is really that good at ASM...
Of course, that's all wishful thinking I guess.
-
12-09-2007, 06:16 PM #17 (Owner / Founder - ModMyi, aka poetic_folly)
Exactly.
-
01-31-2008, 01:44 PM #18 (iPhoneaholic)
Mine is originally 1.1.2 now and I'm happy with this firmware because it's more stable than 1.1.3, but I did this fraud now and I'm on 1.1.3 (fake).