Hi Volkspost, you seem to be a real expert in the carrier bundles

I wonder if you had a chance to look into the carrier updates via iTunes that many people are seeing?
Carrier updates are just small zip files with .ipcc extension, and they seem to contain exactly the same files that your carrier bundle generator produces.
All the URLs are listed in http://itunes.com/version (just search for "ipcc").

What is interesting though, how are they installed on non-jailbroken iPhones, since the partition they reside on is read-only?
I think there must be a secondary location for the carrier bundles somewhere in /private/var/.

I tried to create my own ipcc file, keeping the same directory structure as the originals (/Payload/my_carrier.bundle), and then installing it in iTunes by shift-update. However, after restarting the phone, the bundle was not installed, but the whole Payload directory ended up unpacked somewhere into ~/Media/.

I hope we will discover a way to install carrier bundles via iTunes, because it's so much easier than ssh or re-pwning :hack:

P.S. May I suggest a 3rd format for your bundle generator - .tar files compatible with XPwn? Tar files preserve access rights and symlinks, so startup script is not necessary.

Originally Posted by blackboxxx

Hi Volkspost, you seem to be a real expert in the carrier bundles

I wonder if you had a chance to look into the carrier updates via iTunes that many people are seeing?
Carrier updates are just small zip files with .ipcc extension, and they seem to contain exactly the same files that your carrier bundle generator produces.
All the URLs are listed in http://itunes.com/version (just search for "ipcc").

What is interesting though, how are they installed on non-jailbroken iPhones, since the partition they reside on is read-only?
I think there must be a secondary location for the carrier bundles somewhere in /private/var/.

I tried to create my own ipcc file, keeping the same directory structure as the originals (/Payload/my_carrier.bundle), and then installing it in iTunes by shift-update. However, after restarting the phone, the bundle was not installed, but the whole Payload directory ended up unpacked somewhere into ~/Media/.

I hope we will discover a way to install carrier bundles via iTunes, because it's so much easier than ssh or re-pwning :hack:

P.S. May I suggest a 3rd format for your bundle generator - .tar files compatible with XPwn? Tar files preserve access rights and symlinks, so startup script is not necessary.

Hi blackboxxx!
Thx for your post. I have been seeing this format before, Apple is using it since FW 2.0. The ones you are referring to a next version to the ones we use now (just some different values). They are slightly different than the acualonce.

I am investigating the mechanism for a few days now, dont understand it completely for now. installation must be a 2-way process. Besides getting the carrier bundle on the iPhone a symlink with the MCC/MNC has to be created. I do this with the script you are referring to. I still dont know how Apple does this with the bundles.

Last not least: I tried to - fist manually - create custom carrier bundles as tar archives for use with Winpwn. Thats no problem so far. But same situation: i need to execute a script to check if the symlink is already there (for users of one of Apples partner carriers but on a non-iPhone plan), rename if there and create a new one.

The Dev Team integrated a great mechanism into pwnageTool for Mac, I used a combination of a LaunchDaemon and a scrit. As far as I understand, that aint work on Windows.

There is still a way to go. I really appreciate beeing pointed to that issue, will let you know as soon as I find out how Apple mamages to get this done.

best,
volkspost

Actually I was able to create my own tar package for use with xpwn in windows. The tar needs to be created with correct permissions set on the files, when you create a tar on windows directly it doesnt run the LaunchDemon script at all because the permission are set to 777 instead of 775. So what I did was create a tar file directly on my iPhone. That way all the files had correct permissions. 775 for the script and 644 for all other files. Then feed that tar to xpwn and it worked like a charm. I am sure winpwn uses the same tars as xpwn.

Great work on the Custom Carrier Bundle by the way. Highly appreciated.

Originally Posted by nathulal

Actually I was able to create my own tar package for use with xpwn in windows. The tar needs to be created with correct permissions set on the files, when you create a tar on windows directly it doesnt run the LaunchDemon script at all because the permission are set to 777 instead of 775. So what I did was create a tar file directly on my iPhone. That way all the files had correct permissions. 775 for the script and 644 for all other files. Then feed that tar to xpwn and it worked like a charm. I am sure winpwn uses the same tars as xpwn.

Great work on the Custom Carrier Bundle by the way. Highly appreciated.

Thanks for the hint I will give it a shot the next days!

Originally Posted by volkspost

Hi blackboxxx!
Thx for your post. I have been seeing this format before, Apple is using it since FW 2.0. The ones you are referring to a next version to the ones we use now (just some different values). They are slightly different than the acualonce.

I am investigating the mechanism for a few days now, dont understand it completely for now. installation must be a 2-way process. Besides getting the carrier bundle on the iPhone a symlink with the MCC/MNC has to be created. I do this with the script you are referring to. I still dont know how Apple does this with the bundles.

Last not least: I tried to - fist manually - create custom carrier bundles as tar archives for use with Winpwn. Thats no problem so far. But same situation: i need to execute a script to check if the symlink is already there (for users of one of Apples partner carriers but on a non-iPhone plan), rename if there and create a new one.

The Dev Team integrated a great mechanism into pwnageTool for Mac, I used a combination of a LaunchDaemon and a scrit. As far as I understand, that aint work on Windows.

There is still a way to go. I really appreciate beeing pointed to that issue, will let you know as soon as I find out how Apple mamages to get this done.

best,
volkspost

Thanks for your prompt reply!
Just to clarify my suggestion about tar files, I think that once we use a tar bundle in the pwnage process, it becomes a "permanent" part of the firmware, so backing up previous symlink is not really needed. Besides, carrier bundles are not something that you change really often
But then it's probably only my opinion because my carrier is not one of the supported (and probably will never be - it's Cytamobile-Vodafone Cyprus ). Anyway, even if the symlink already exists, it will be simply overwritten. For those people who use this method on one of the official carrier bundles you could simply display a big red warning that their original symlink will be replaced.

As for the method of ipcc files installation, I think it happens pretty much the same way as the AppStore apps - i.e., with the help of a service running on the phone. I found some references to CarrierBundleInfo and PhoneCarrierBundleDownloadInstallAgent in iTunesMobileDevice.dll and iTunes.exe respectively, but no specific function responsible for the installation. Maybe someone from the Dev Team could have a look into this?

Originally Posted by nathulal

Actually I was able to create my own tar package for use with xpwn in windows. The tar needs to be created with correct permissions set on the files, when you create a tar on windows directly it doesnt run the LaunchDemon script at all because the permission are set to 777 instead of 775. So what I did was create a tar file directly on my iPhone. That way all the files had correct permissions. 775 for the script and 644 for all other files. Then feed that tar to xpwn and it worked like a charm. I am sure winpwn uses the same tars as xpwn.

Nathulal, LaunchDaemon script is not really necessary.
I successfully created and applied a tar file with my carrier bundle, symlink and a custom phone number template - all without even jailbreaking the phone!
The only downside is that you can only do this on Linux or a Mac, as none of the tar programs on Windows seem to support symlinks, and they all set permissions to 777 which is not good.

Originally Posted by blackboxxx

Thanks for your prompt reply!
Nathulal, LaunchDaemon script is not really necessary.
I successfully created and applied a tar file with my carrier bundle, symlink and a custom phone number template - all without even jailbreaking the phone!
The only downside is that you can only do this on Linux or a Mac, as none of the tar programs on Windows seem to support symlinks, and they all set permissions to 777 which is not good.

Hmm, thats interesting, I was aware that windows tar programs set the permissions to 777 (that is why I created my tar on the iPhone itself to preserve the permissions), but I wasnt aware that you can add symlinks to a tar as well and that it will preserve it. Thats great to know. Since xpwn and winpwn support tar custom package I can just create a tar that includes the symlink and get rid of the launchdeamon. Thats great, I am going to try that. Thanks for the sharing you knowledge.

On more careful reading I realized you mentioning you did it without jailbreaking. How did you do that? I thought you would need to jailbreak to get any kind of write access to the system partition.

Originally Posted by nathulal

On more careful reading I realized you mentioning you did it without jailbreaking. How did you do that? I thought you would need to jailbreak to get any kind of write access to the system partition.

Jailbreak is needed to modify system partition on the phone. Nothing prevents you from modifying the filesystem image and flashing it (except for signature checking of course, but pwnage takes care of that ).
Ipsw tool (part of XPwn) with an -e option skips certain steps of the pwnage process; -e "Filesystem Jailbreak" does not apply fstab and Services.plist patches, so the system partition remains read-only.
Other filesystem modifications still occur, including activation, patching kernel etc.
So in the end phone is pwned and activated, but not jailbroken.

Originally Posted by blackboxxx

Jailbreak is needed to modify system partition on the phone. Nothing prevents you from modifying the filesystem image and flashing it (except for signature checking of course, but pwnage takes care of that ).
Ipsw tool (part of XPwn) with an -e option skips certain steps of the pwnage process; -e "Filesystem Jailbreak" does not apply fstab and Services.plist patches, so the system partition remains read-only.
Other filesystem modifications still occur, including activation, patching kernel etc.
So in the end phone is pwned and activated, but not jailbroken.

Ahh didnt think it through. Thanks for pointing it out. Makes sense once you explained it ;-)

One last comment on the tar generation. I do generate the complete bundle including the scripts, LaunchDaemen on the webserver. On my first tests I aswell got the tar working, the permissions "inside" keep clean.
All of the installation work (on the automatic pwnage-use) is done on the iPhone by the iPhone-OS on the first start. The needed files are "in place" on the iPhone, the LaunchDeamon I create gets executed it starts a script that is sitting inside the bundle. The script creates the symlink then for the custom bundle already sitting in /System/Library/Carrier Bundles. If it's one of Apple's partner carriers, the existing symlink gets renamed to old_. I did this on request cause one user wanted to make sure an easy way back to factory setting.
Last step the script does is deleting the LaunchDaemon and then self terminte.
I looked into the way the dev team installs BootNeuter back at Pwnage for 1.1.4, it's pretty much the same way.
Will try to get the Winpwn version working on weekend - will let you know.

any changes required for the bundles to work with 2.0.2?