Patch ASR

What we are insterested in now is patching ASR. Iphonewiki says that asr "works by writing the rootfs image to the actual system drive (ASR RESTORE), then checksums it. (ASR VERIFY)". So now our task is to patch it.

First thing we're goint ot do is extract ASR from restore ramdisk, check the name of restore ramdisk for your device and correct version on iphonewiki:

  • Decrypting ramdisk: ./img4 -i pathToRestoreRamdisk PathToSaveDecryptedRamdisk

  • Double click at ramdisk to monunt it and copy asr from /usr/sbin/ to your working location. Patching asr was the first think where I had to think for a little longer, although there may be different ways for solving this puzzle, this is the way that worked for me: Everything done in hopper, but IDA should work in simmilar way

  • Find string "Image failed" and reference to it

  • We see 3 lines, the that we are insterested in is the third one. Follow it to where it's comming from.

  • Change the view to see it's addres.

  • We need to calculate the difference between adress of this instruction and adress of function "Image passed" string

  • Now all we need to do is modify the original instuction with our modified one and save new binary.

  • You can confirm that everything is correct by following green line. It's time to put binary back, let's resize ramdisk a little bit to make it fit.

  • Resizing ramdisk: hdiutil resize -size 50m ./rd.dmg Now for the sake of god we need to resign new binary with original entitlements:

  • Extract original entitlements: ldid2 -e ASR > asr.xml

  • Replace original binary with patched one and sign it back: ldid2 -S -ASR.xml asr