EDIT: I was going to write a part two but working on this is extremely time consuming (considering my lack of prior experience with reverse engineering). I have spent days on this and haven’t made much progress and even went so far as to try and rewrite the ota tool to be memory-safe thinking it was a memory issue (which eventually didn’t work as that wasn’t the problem).

In seeking wisdom from the StackExchange Gods, I have posted a question on the Reverse Engineering Stack Exchange, and everything I’ve written there is Part 2 to this post.

Now, back to Part 1…

I’m not a member of the Apple Developer Beta Program. I don’t even have a free developer account, let alone one that needs me to submit ID and pay. But I wanted to get my hands on Big Sur and take it for a spin on my specialised macOS Install.

Can I ask another developer to send me the app bundle? Pwetty Pweeaasee! ^w^ Nope. They’re obligated not to share a developer beta. It’s not a Public Beta. But softwarecatalog gives us a way. After all, you do need to distribute it, even if it’s theoretically under lock and key.

So two commits (here and here) made to corpnewt’s gibMacOS with contributions by dhinakg made it trivial to get a copy of Big Sur from the developer softwarecatalog.

The problem? You can’t just run BuildmacOSInstallApp.command the way you did with Catalina, Mojave and High Sierra, and expect an app bundle. The structure that eventually is modified to make the app bundle has undergone a change. Suddenly not so trivial anymore.

gibMacOS primarily needed the following files to be present.

  • BaseSystem.dmg
  • BaseSystem.chunklist
  • InstallESDDmg.pkg
  • InstallInfo.plist
  • AppleDiagnostics.dmg
  • AppleDiagnostics.chunklist

They’re then shuffled around and ever-so-gently patched by BuildmacOSInstallApp.command (inspired by wolfmannight’s post on the InsanelyMac forums and improved for gibMacOS)

So, what do we get this time with Big Sur?

  • Info.plist
  • InstallAssistant.pkg
  • UpdateBrain.zip
  • MajorOSInfo.pkg
  • BuildManifest.plist
  • InstallInfo.plist

InstallAssistant.pkg

I’m sure every file is important, but I wanted an app bundle quickly. I was impatient. The prize seemed to be somewhere in InstallAssistant.pkg (being the largest file at 9.56 GB). So, let’s open it up with Pacifist.

Pacifist reporting a smaller deflated size than compressed size for the package

Notice the reported size? 8.9 GiB compressed, 19.2 MiB uncompressed. Now let’s open the same file with Hex Fiend

Hex Fiend revealing that it is a mountable disk image

<string>GPT Partition Data (Backup GPT Table : 7)</string>

So we got a disk image over here. Let’s rename and mount it.

(base) iMac-Pro:~ kitty$ cd /Volumes/Shared\ Support/

(base) iMac-Pro:Shared Support kitty$ ls -l
total 1512
-rw-r--r--  1 kitty  staff     188 Jun 18 14:45 InstallInfo.plist
-rw-r--r--  1 kitty  staff  766672 Jun 18 14:45 UpdateBrain.zip
drwxr-xr-x  5 kitty  staff     170 Jun 18 14:45 com_apple_MobileAsset_MacSoftwareUpdate

So we now have two files and a folder. InstallInfo.plist is pretty much empty

(base) iMac-Pro:Shared Support kitty$ cat InstallInfo.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
</dict>
</plist>

UpdateBrain.zip is the same archive that we retrieved from gibMacOS, which we can confirm with sha256sum

bf1ebf70b5a21481d980a62ccc455f1138285928e53131261f180a5c59ad90a9  [omitted]/gibMacOS/macOS Downloads/developer/001-18401-003 - 10.16 macOS Beta/UpdateBrain.zip
bf1ebf70b5a21481d980a62ccc455f1138285928e53131261f180a5c59ad90a9  /Volumes/Shared Support/UpdateBrain.zip

So, we’re left with the com_apple_MobileAsset_MacSoftwareUpdate directory

(base) iMac-Pro:Shared Support kitty$ cd com_apple_MobileAsset_MacSoftwareUpdate/

(base) iMac-Pro:com_apple_MobileAsset_MacSoftwareUpdate kitty$ ls -l
total 18651984
-rw-r--r--  1 kitty  staff       15201 Jun 18 14:45 0dc2cd535db0da2a9f559215671686ea4c055394.json
-rw-r--r--  1 kitty  staff  9549788313 Jun 18 14:45 0dc2cd535db0da2a9f559215671686ea4c055394.zip
-rw-r--r--  1 kitty  staff        6393 Jun 18 14:45 com_apple_MobileAsset_MacSoftwareUpdate.xml

0dc2cd535db0da2a9f559215671686ea4c055394.json and com_apple_MobileAsset_MacSoftwareUpdate.xml mostly contain the same information: supported devices, build information, archive type and ticket information. I’ve included the contents of 0dc2cd535db0da2a9f559215671686ea4c055394.json below and have omitted the less relevant information.

(base) iMac-Pro:com_apple_MobileAsset_MacSoftwareUpdate kitty$ cat 0dc2cd535db0da2a9f559215671686ea4c055394.json
{
  "ActualMinimumSystemPartition": 13156,
  "AssetType": "com.apple.MobileAsset.MacSoftwareUpdate",
  "BridgeVersionInfo": {
    "BridgeBuildGroup": "0",
    "BridgeProductBuildVersion": "18P50310o",
    "BridgeVersion": "18.16.10310.5.15",
    "CatalogURL": "https://swscan.apple.com/content/catalogs/others/index-10.16seed-10.16-10.15-10.14-10.13-10.12-10.11-10.10-10.9-mountainlion-lion-snowleopard-leopard.merged-1.sucatalog",
    "IsSeed": "YES",
    "SEPEpoch": {
      "Major": 1,
      "Minor": 0
    }
  },
  "Build": "20A4299v",
  "CanUseLocalCacheServer": true,
  "InstallationSize": "0",
  "InstallationSize-Snapshot": "5309688126",
  "MinimumSystemPartition": 13208,
  "OSVersion": "10.16",
  "RestoreVersion": "20.1.299.4.22,0",
  "RestoreVersionInfo": {
    "RestoreBuildGroup": "0",
    "RestoreVersion": "20.1.299.4.22"
  },
  "SUConvReqd": true,
  "SUDocumentationID": "PreRelease",
  "SUInstallTonightEnabled": true,
  "SUMultiPassEnabled": true,
  "SUProductSystemName": "macOS",
  "SUPublisher": "Apple Inc.",
  "SupportedDeviceModels": [
  [omitted]
  "SystemPartitionPadding": {
  "1024": 1280,
  "128": 1280,
  "16": 160,
  "256": 1280,
  "32": 320,
  "512": 1280,
  "64": 640,
  "768": 1280,
  "8": 80
},
  "TargetUpdateBridgeVersion": "18.16.10310.5.15,0",
  "_AssetReceipt": {
    [omitted]
    "_CompressionAlgorithm": "zip",
    "_DownloadSize": 9549788313,
    "_IsZipStreamable": true,
    "_MasteredVersion": "4299",
    "_Measurement": "pplZqyoT6pmJ2qsHqO3cSGjOnO0=",
    "_MeasurementAlgorithm": "SHA-1",
    "_UnarchivedSize": 9892039680,
    "__AssetDefaultGarbageCollectionBehavior": "NeverCollected",
    "__RelativePath": "com_apple_MobileAsset_MacSoftwareUpdate/0dc2cd535db0da2a9f559215671686ea4c055394.zip"
  }

We’re primarily interested in this 9.55 GB 0dc2cd535db0da2a9f559215671686ea4c055394.zip archive.

Directory structure of com_apple_MobileAsset_MacSoftwareUpdate

One unzipping later, we get this:

(base) iMac-Pro:0dc2cd535db0da2a9f559215671686ea4c055394 kitty$ ls -l
total 16
drwxr-xr-x  13 kitty  staff        416 Jun 24 16:09 AssetData
-rw-r--r--   1 kitty  staff       5626 Jun 18 14:32 Info.plist
drwxr-xr-x   3 kitty  access_bpf    96 Jun 18 14:32 META-INF

Info.plist has functionally the same information as com_apple_MobileAsset_MacSoftwareUpdate.xml and META-INF contains a singular com.apple.ZipMetadata.plist (hexdump on GitHub Gist) that doesn’t seem to be a normal xml plist file.

So we’re left with AssetData.

(base) iMac-Pro:0dc2cd535db0da2a9f559215671686ea4c055394 kitty$ ls -l AssetData/
total 109408
-rw-r--r--    1 kitty  staff      1456 Jun 18 14:31 Info.plist
drwxr-xr-x    4 kitty  staff       128 Jun 18 14:09 Restore
drwxr-xr-x   16 kitty  staff       512 Jun 24 16:10 boot
drwxr-xr-x    4 kitty  staff       128 Jun 24 16:10 payload
-rw-r--r--    1 kitty  staff    220884 Jun 18 14:32 payload.bom
-rw-r--r--    1 kitty  staff       128 Jun 18 14:32 payload.bom.signature
drwxr-xr-x  102 kitty  staff      3264 Jun 18 14:31 payloadv2
[email protected]   1 kitty  staff  55748514 Jun 18 14:11 post.bom
-rw-r--r--    1 kitty  staff     35046 Jun 18 14:11 pre.bom
drwxr-xr-x    4 kitty  staff       128 Jun 24 16:26 usr

Let’s play find-the-disk-image.

(base) iMac-Pro:0dc2cd535db0da2a9f559215671686ea4c055394 kitty$ find . -type file -name *.dmg
./AssetData/usr/standalone/update/ramdisk/x86_64SURamDisk.dmg
./AssetData/Restore/BaseSystem.dmg

We got BaseSystem.dmg and this image called x86_64SURamDisk.dmg, they also come with their accompanying chunklist files. So, we’re good? Not by a long shot. We’ll need to come back to AssetData but we’re going to mount these disk images for now.

x86_64SURamDisk.dmg

x86_64SURamDisk.dmg mounts to /Volumes/GoldenSeed20A4299v.x86_64SURamDisk/

(base) iMac-Pro:GoldenSeed20A4299v.x86_64SURamDisk kitty$ ls -l -a
total 40
drwxr-xr-x  18 kitty  staff    782 Jun 24 16:28 .
drwxr-xr-x  10 root      wheel    320 Jun 24 17:29 ..
[email protected]  1 kitty  staff  10244 Jun 24 17:30 .DS_Store
drwx------   2 kitty  staff    170 Jun 24 16:30 .fseventsd
drwxr-xr-x   3 kitty  staff    136 Jun 24 16:28 System
[email protected]  2 kitty  staff    272 Jun 18 13:07 bin
[email protected]  2 kitty  staff     68 Jun 18 13:07 dev
[email protected]  1 kitty  staff     11 Jun 18 13:07 etc -> private/etc
drwxr-xr-x   2 kitty  staff     68 Jun 18 13:07 mnt1
drwxr-xr-x   2 kitty  staff     68 Jun 18 13:07 mnt2
drwxr-xr-x   2 kitty  staff     68 Jun 18 13:07 mnt3
drwxr-xr-x   2 kitty  staff     68 Jun 18 13:07 mnt4
drwxr-xr-x   2 kitty  staff     68 Jun 18 13:07 mnt5
drwxr-xr-x   2 kitty  staff     68 Jun 18 13:07 mnt6
drwxr-xr-x   2 kitty  staff     68 Jun 18 13:07 mnt7
drwxr-xr-x   2 kitty  staff     68 Jun 18 13:07 mnt8
drwxr-xr-x   2 kitty  staff     68 Jun 18 13:07 mnt9
[email protected]  4 kitty  staff    136 Jun 18 13:07 private
[email protected]  2 kitty  staff    510 Jun 18 13:07 sbin
[email protected]  6 kitty  staff    204 Jun 18 13:07 usr
[email protected]  1 kitty  staff     11 Jun 18 13:07 var -> private/var

First, let’s find System.kext.

(base) iMac-Pro:GoldenSeed20A4299v.x86_64SURamDisk kitty$ ls -l /Volumes/GoldenSeed20A4299v.x86_64SURamDisk/System/Library/Extensions
total 0
drwxr-xr-x  3 kitty  staff  102 Jun 18 13:07 System.kext

Now, everything else

  • System contains critical Frameworks, KernelCollections, PrivateFrameworks, CoreServices
  • bin has cat, expr, ln, mkdir, mv and rm.
  • dev is empty.
  • etc has master.passwd and the groups folder
  • private contains folders for storing logs
  • sbin has apfs_hfs_convert, fsck_hfs, mount, mount_tmpfs, reboot, fsck, halt, mount_apfs, newfs_apfs, fsck_apfs, launchd, mount_hfs and newfs_hfs
  • usr has bin which has only sed, lib contains libraries (who would’ve thought) and a few other directories

Suffice to say, System is the important directory here

BaseSystem.dmg

macOS Base System

Let’s begin.

(base) iMac-Pro:macOS Base System kitty$ ls -a -l
total 0
drwxr-xr-x  22 kitty  staff   704 Jun 18 13:12 .
drwxr-xr-x   8 root      wheel   256 Jun 24 17:46 ..
lrwxr-xr-x   1 kitty  staff    36 Jun 18 13:11 .VolumeIcon.icns -> System/Volumes/Data/.VolumeIcon.icns
----------   1 kitty  staff     0 Jun 18 13:11 .file
drwxr-xr-x   2 kitty  staff    64 Jun 18 13:11 .vol
lrwxr-xr-x   1 kitty  staff    33 Jun 18 13:11 AppleInternal -> System/Volumes/Data/AppleInternal
drwxrwxr-x   4 kitty  staff   128 Jun 18 13:12 Applications
drwxr-xr-x   3 kitty  staff    96 Jun 18 13:12 Install macOS Beta.app
lrwxr-xr-x   1 kitty  staff    27 Jun 18 13:12 Library -> System/Volumes/Data/Library
[email protected]  8 kitty  staff   256 Jun 18 13:12 System
lrwxr-xr-x   1 kitty  staff    25 Jun 18 13:12 Users -> System/Volumes/Data/Users
drwxr-xr-x   2 kitty  staff    64 Jun 18 13:12 Volumes
[email protected] 34 kitty  staff  1088 Jun 18 13:12 bin
lrwxr-xr-x   1 kitty  staff    25 Jun 18 13:12 cores -> System/Volumes/Data/cores
dr-xr-xr-x   2 kitty  staff    64 Jun 18 13:12 dev
[email protected]  1 kitty  staff    11 Jun 18 13:12 etc -> private/etc
lrwxr-xr-x   1 kitty  staff    23 Jun 18 13:12 opt -> System/Volumes/Data/opt
lrwxr-xr-x   1 kitty  staff    27 Jun 18 13:12 private -> System/Volumes/Data/private
[email protected] 62 kitty  staff  1984 Jun 18 13:12 sbin
[email protected]  1 kitty  staff    11 Jun 18 13:12 tmp -> private/tmp
[email protected]  9 kitty  staff   288 Jun 18 13:12 usr
[email protected]  1 kitty  staff    11 Jun 18 13:12 var -> private/var

When it comes to the kernel, here’s where all the interesting stuff lies (and some not-so-important stuff)

(base) iMac-Pro:macOS Base System kitty$ find . -name *kernel*
./usr/libexec/kernelmanagerd
./usr/lib/system/libsystem_kernel.dylib
./System/Library/Preferences/Logging/Subsystems/com.apple.kernelmanagerd.logging.plist
./System/Library/PrelinkedKernels/prelinkedkernel
./System/Library/PrelinkedKernels/immutablekernel
./System/Library/Sandbox/Profiles/com.apple.kernelmanagerd.sb
./System/Library/Frameworks/OpenCL.framework/Versions/A/Resources/cl_kernel.x86_64.pch
./System/Library/Frameworks/OpenCL.framework/Versions/A/lib/clang/3.2/include/cl_kernel.h
./System/Library/Frameworks/OpenCL.framework/Versions/A/lib/clang/3.2/include/cl_kernel_shared.h
./System/Library/Frameworks/KernelManagement.framework/Versions/A/Resources/com.apple.kernelmanagement.plist
./System/Library/LaunchDaemons/com.apple.kernelmanagerd.plist
./System/DriverKit/usr/lib/system/libsystem_kernel.dylib

(base) iMac-Pro:macOS Base System kitty$ find . -name *Kernel*
./usr/sbin/KernelEventAgent
./usr/lib/libKernelCollectionBuilder.dylib
./System/Library/SystemConfiguration/KernelEventMonitor.bundle
./System/Library/PrelinkedKernels
./System/Library/CoreServices/KernelEventAgent.bundle
./System/Library/KernelCollections
./System/Library/KernelCollections/BaseSystemKernelExtensions.kc
./System/Library/KernelCollections/BaseSystemKernelExtensions.kc.bundles
./System/Library/KernelCollections/BootKernelExtensions.kc.elides
./System/Library/KernelCollections/BaseSystemKernelExtensions.kc.elides
./System/Library/KernelCollections/BootKernelExtensions.kc
./System/Library/Extensions/IOHDIXController.kext/Contents/PlugIns/AppleDiskImagesKernelBacked.kext
./System/Library/Extensions/IOHDIXController.kext/Contents/PlugIns/AppleDiskImagesKernelBacked.kext/Contents/MacOS/AppleDiskImagesKernelBacked
./System/Library/Extensions/System.kext/PlugIns/BSDKernel.kext
./System/Library/Extensions/System.kext/PlugIns/BSDKernel.kext/BSDKernel
./System/Library/Extensions/IOFireWireFamily.kext/Contents/Resources/en.lproj/KernelPlist.strings
./System/Library/Templates/Data/Library/KernelCollections
./System/Library/Templates/Data/private/var/db/KernelExtensionManagement
./System/Library/Frameworks/KernelManagement.framework
./System/Library/Frameworks/KernelManagement.framework/KernelManagement
./System/Library/LaunchDaemons/com.apple.KernelEventAgent.plist
./System/DriverKit/Runtime/System/Library/Frameworks/Kernel.framework

Let’s find System.kext (we know it’s here but still)

(base) iMac-Pro:macOS Base System kitty$ ls -l ./System/Library/Extensions/
total 0
[omitted]
[email protected] 6 kitty  staff  192 Jun 18 13:12 System.kext
[omitted]

But wait, they don’t have the same size (55KB vs. 407KB). It’s because GoldenSeed20A4299v.x86_64SURamDisk's System.kext only has Libkern.kext (compared to macOS Base System). It shares the same binary in Libkern.kext.

(base) iMac-Pro:macOS Base System kitty$ ls -la /Volumes/GoldenSeed20A4299v.x86_64SURamDisk/System/Library/Extensions/System.kext/PlugIns/
total 0
drwxr-xr-x  3 kitty  staff  102 Jun 18 13:07 .
drwxr-xr-x  3 kitty  staff  102 Jun 18 13:07 ..
drwxr-xr-x  2 kitty  staff  102 Jun 18 13:07 Libkern.kext

(base) iMac-Pro:macOS Base System kitty$ ls -la /Volumes/macOS\ Base\ System/System/Library/Extensions/System.kext/PlugIns/
total 0
drwxr-xr-x  14 kitty  staff  448 Jun 18 13:12 .
[email protected]  6 kitty  staff  192 Jun 18 13:12 ..
drwxr-xr-x   5 kitty  staff  160 Jun 18 13:12 AppleNMI.kext
drwxr-xr-x   5 kitty  staff  160 Jun 18 13:12 ApplePlatformFamily.kext
drwxr-xr-x   6 kitty  staff  192 Jun 18 13:12 BSDKernel.kext
drwxr-xr-x   6 kitty  staff  192 Jun 18 13:12 IOKit.kext
drwxr-xr-x   5 kitty  staff  160 Jun 18 13:12 IONVRAMFamily.kext
drwxr-xr-x   5 kitty  staff  160 Jun 18 13:12 IOSystemManagement.kext
drwxr-xr-x   6 kitty  staff  192 Jun 18 13:12 Kasan.kext
drwxr-xr-x   6 kitty  staff  192 Jun 18 13:12 Libkern.kext
drwxr-xr-x   6 kitty  staff  192 Jun 18 13:12 MACFramework.kext
drwxr-xr-x   6 kitty  staff  192 Jun 18 13:12 Mach.kext
drwxr-xr-x   6 kitty  staff  192 Jun 18 13:12 Private.kext
drwxr-xr-x   6 kitty  staff  192 Jun 18 13:12 Unsupported.kext

(base) iMac-Pro:macOS Base System kitty$ sha256sum /Volumes/GoldenSeed20A4299v.x86_64SURamDisk/System/Library/Extensions/System.kext/PlugIns/Libkern.kext/Libkern
458c67de8210b90c279e5c50972d192b09816e9811c7d7e505739be3ee1a9f71  /Volumes/GoldenSeed20A4299v.x86_64SURamDisk/System/Library/Extensions/System.kext/PlugIns/Libkern.kext/Libkern

(base) iMac-Pro:macOS Base System kitty$ sha256sum ./System/Library/Extensions/System.kext/PlugIns/Libkern.kext/Libkern
458c67de8210b90c279e5c50972d192b09816e9811c7d7e505739be3ee1a9f71  ./System/Library/Extensions/System.kext/PlugIns/Libkern.kext/Libkern

Honestly, at least during my (admittedly very light) search throughout macOS Base System, I cannot find anything that differentiates it from any other BaseSystem disk image I’ve seen before, so we’ll conclude this section.

Preboot

I don’t know enough about Preboot to say anything. So here’s a tree of the volume.

(base) iMac-Pro:Preboot kitty$ tree
.
└── 3CA070CB-E179-47AF-BF9C-CB668ABD57CE
    ├── Library
    │   └── Preferences
    │       └── SystemConfiguration
    │           └── com.apple.Boot.plist
    ├── System
    │   └── Library
    │       ├── Caches
    │       │   └── com.apple.corestorage
    │       │       └── EncryptedRoot.plist.wipekey
    │       ├── CoreServices
    │       │   ├── BridgeOSActivationSupported
    │       │   ├── BridgeVersion.bin
    │       │   ├── BridgeVersion.plist
    │       │   ├── PlatformSupport.plist
    │       │   ├── SystemVersion.plist
    │       │   └── boot.efi
    │       └── PrelinkedKernels
    │           ├── immutablekernel
    │           └── prelinkedkernel
    ├── boot
    │   └── System
    │       └── Library
    │           └── KernelCollections
    │               └── BootKernelExtensions.kc
    ├── usr
    │   └── standalone
    │       └── i386
    │           └── EfiLoginUI
    │               ├── Lucida13.efires
    │               ├── Lucida13White.efires
    │               ├── appleLogo.efires
    │               ├── battery.efires
    │               ├── disk_passwordUI.efires
    │               ├── flag_picker.efires
    │               ├── guest_userUI.efires
    │               ├── loginui.efires
    │               ├── recoveryUI.efires
    │               ├── recovery_user.efires
    │               ├── sound.efires
    │               └── unknown_userUI.efires
    └── var
        └── db
            └── CryptoUserInfo.plist

20 directories, 24 files

Conclusion

Overall, nothing really that special in BaseSystem.dmg (at least on a surface level)

0dc2cd535db0da2a9f559215671686ea4c055394.zip (AssetData)

Remember I said we’re going to be back here? We’re here. Because there are a few more things to show.

(base) iMac-Pro:AssetData kitty$ ls -la payload
total 16
drwxr-xr-x   4 kitty  staff   128 Jun 24 16:10 .
drwxr-xr-x  13 kitty  staff   416 Jun 24 16:09 ..
[email protected]  1 kitty  staff  6148 Jun 24 17:59 .DS_Store
drwxr-xr-x   2 kitty  staff    64 Jun 18 14:11 replace
(base) iMac-Pro:AssetData kitty$ ls -la payload/replace/
total 0
drwxr-xr-x  2 kitty  staff   64 Jun 18 14:11 .
drwxr-xr-x  4 kitty  staff  128 Jun 24 16:10 ..

Okay. That’s boring.

(base) iMac-Pro:AssetData kitty$ ls -la payloadv2/
total 16786560
drwxr-xr-x  102 kitty  staff       3264 Jun 18 14:31 .
drwxr-xr-x   13 kitty  staff        416 Jun 24 16:09 ..
-rw-r--r--    1 kitty  staff         12 Jun 18 14:31 data_payload
[email protected]   1 kitty  staff       1994 Jun 18 14:11 firmlinks_payload
-rw-r--r--    1 kitty  staff    2525652 Jun 18 14:31 fixup.manifest
[email protected]   1 kitty  staff          0 Jun 18 14:11 links.txt
[email protected]   1 kitty  staff    1055300 Jun 18 14:12 payload.000
-rw-r--r--    1 kitty  staff    1286296 Jun 18 14:12 payload.000.ecc
-rw-r--r--    1 kitty  staff     875516 Jun 18 14:12 payload.001
-rw-r--r--    1 kitty  staff     994772 Jun 18 14:12 payload.001.ecc
-rw-r--r--    1 kitty  staff  573853456 Jun 18 14:13 payload.002
-rw-r--r--    1 kitty  staff    4383412 Jun 18 14:14 payload.002.ecc
-rw-r--r--    1 kitty  staff  574080392 Jun 18 14:15 payload.003
-rw-r--r--    1 kitty  staff    4376404 Jun 18 14:15 payload.003.ecc
-rw-r--r--    1 kitty  staff  286951879 Jun 18 14:16 payload.004
-rw-r--r--    1 kitty  staff     582044 Jun 18 14:16 payload.004.ecc
-rw-r--r--    1 kitty  staff  307241464 Jun 18 14:16 payload.005
-rw-r--r--    1 kitty  staff     648956 Jun 18 14:16 payload.005.ecc
-rw-r--r--    1 kitty  staff  187983275 Jun 18 14:16 payload.006
-rw-r--r--    1 kitty  staff     382796 Jun 18 14:16 payload.006.ecc
-rw-r--r--    1 kitty  staff  186303822 Jun 18 14:16 payload.007
-rw-r--r--    1 kitty  staff     377288 Jun 18 14:17 payload.007.ecc
-rw-r--r--    1 kitty  staff  175425780 Jun 18 14:17 payload.008
-rw-r--r--    1 kitty  staff     417408 Jun 18 14:17 payload.008.ecc
-rw-r--r--    1 kitty  staff  130777652 Jun 18 14:17 payload.009
-rw-r--r--    1 kitty  staff     921716 Jun 18 14:17 payload.009.ecc
-rw-r--r--    1 kitty  staff  217104600 Jun 18 14:17 payload.010
-rw-r--r--    1 kitty  staff     522316 Jun 18 14:17 payload.010.ecc
-rw-r--r--    1 kitty  staff  184514372 Jun 18 14:18 payload.011
-rw-r--r--    1 kitty  staff     517909 Jun 18 14:18 payload.011.ecc
-rw-r--r--    1 kitty  staff  181656620 Jun 18 14:18 payload.012
-rw-r--r--    1 kitty  staff     519016 Jun 18 14:18 payload.012.ecc
-rw-r--r--    1 kitty  staff  238920944 Jun 18 14:18 payload.013
-rw-r--r--    1 kitty  staff     553404 Jun 18 14:18 payload.013.ecc
-rw-r--r--    1 kitty  staff  234966944 Jun 18 14:18 payload.014
-rw-r--r--    1 kitty  staff     519986 Jun 18 14:18 payload.014.ecc
-rw-r--r--    1 kitty  staff  201725196 Jun 18 14:19 payload.015
-rw-r--r--    1 kitty  staff     625204 Jun 18 14:19 payload.015.ecc
-rw-r--r--    1 kitty  staff  191572320 Jun 18 14:19 payload.016
-rw-r--r--    1 kitty  staff     551044 Jun 18 14:19 payload.016.ecc
-rw-r--r--    1 kitty  staff  232570276 Jun 18 14:19 payload.017
-rw-r--r--    1 kitty  staff     542256 Jun 18 14:19 payload.017.ecc
-rw-r--r--    1 kitty  staff  216894612 Jun 18 14:20 payload.018
-rw-r--r--    1 kitty  staff     743728 Jun 18 14:20 payload.018.ecc
-rw-r--r--    1 kitty  staff  242808516 Jun 18 14:20 payload.019
-rw-r--r--    1 kitty  staff     562636 Jun 18 14:20 payload.019.ecc
-rw-r--r--    1 kitty  staff  147138036 Jun 18 14:20 payload.020
-rw-r--r--    1 kitty  staff     930832 Jun 18 14:20 payload.020.ecc
-rw-r--r--    1 kitty  staff  190148332 Jun 18 14:21 payload.021
-rw-r--r--    1 kitty  staff     692480 Jun 18 14:21 payload.021.ecc
-rw-r--r--    1 kitty  staff  217104298 Jun 18 14:21 payload.022
-rw-r--r--    1 kitty  staff     579848 Jun 18 14:21 payload.022.ecc
-rw-r--r--    1 kitty  staff  239928524 Jun 18 14:21 payload.023
-rw-r--r--    1 kitty  staff     558276 Jun 18 14:21 payload.023.ecc
-rw-r--r--    1 kitty  staff  153293092 Jun 18 14:22 payload.024
-rw-r--r--    1 kitty  staff     850040 Jun 18 14:22 payload.024.ecc
-rw-r--r--    1 kitty  staff  189531840 Jun 18 14:22 payload.025
-rw-r--r--    1 kitty  staff     721620 Jun 18 14:22 payload.025.ecc
-rw-r--r--    1 kitty  staff  206590048 Jun 18 14:23 payload.026
-rw-r--r--    1 kitty  staff     781260 Jun 18 14:23 payload.026.ecc
-rw-r--r--    1 kitty  staff  192235168 Jun 18 14:23 payload.027
-rw-r--r--    1 kitty  staff     832848 Jun 18 14:23 payload.027.ecc
-rw-r--r--    1 kitty  staff  188192824 Jun 18 14:23 payload.028
-rw-r--r--    1 kitty  staff     813172 Jun 18 14:23 payload.028.ecc
-rw-r--r--    1 kitty  staff  199567904 Jun 18 14:24 payload.029
-rw-r--r--    1 kitty  staff     717300 Jun 18 14:24 payload.029.ecc
-rw-r--r--    1 kitty  staff  165655176 Jun 18 14:24 payload.030
-rw-r--r--    1 kitty  staff     909768 Jun 18 14:24 payload.030.ecc
-rw-r--r--    1 kitty  staff  181763720 Jun 18 14:24 payload.031
-rw-r--r--    1 kitty  staff     715808 Jun 18 14:24 payload.031.ecc
-rw-r--r--    1 kitty  staff  166298776 Jun 18 14:25 payload.032
-rw-r--r--    1 kitty  staff     639792 Jun 18 14:25 payload.032.ecc
-rw-r--r--    1 kitty  staff  165657468 Jun 18 14:25 payload.033
-rw-r--r--    1 kitty  staff     937548 Jun 18 14:25 payload.033.ecc
-rw-r--r--    1 kitty  staff  189742576 Jun 18 14:25 payload.034
-rw-r--r--    1 kitty  staff     717692 Jun 18 14:25 payload.034.ecc
-rw-r--r--    1 kitty  staff  130202724 Jun 18 14:26 payload.035
-rw-r--r--    1 kitty  staff     727680 Jun 18 14:26 payload.035.ecc
-rw-r--r--    1 kitty  staff  196248932 Jun 18 14:26 payload.036
-rw-r--r--    1 kitty  staff     746348 Jun 18 14:26 payload.036.ecc
-rw-r--r--    1 kitty  staff  152740384 Jun 18 14:26 payload.037
-rw-r--r--    1 kitty  staff     941460 Jun 18 14:26 payload.037.ecc
-rw-r--r--    1 kitty  staff  147490940 Jun 18 14:27 payload.038
-rw-r--r--    1 kitty  staff    1160904 Jun 18 14:27 payload.038.ecc
-rw-r--r--    1 kitty  staff  113575924 Jun 18 14:27 payload.039
-rw-r--r--    1 kitty  staff    1528676 Jun 18 14:27 payload.039.ecc
-rw-r--r--    1 kitty  staff   90781716 Jun 18 14:28 payload.040
-rw-r--r--    1 kitty  staff    2102396 Jun 18 14:28 payload.040.ecc
-rw-r--r--    1 kitty  staff   40060668 Jun 18 14:28 payload.041
-rw-r--r--    1 kitty  staff    3178528 Jun 18 14:29 payload.041.ecc
-rw-r--r--    1 kitty  staff   10604848 Jun 18 14:29 payload.042
-rw-r--r--    1 kitty  staff    3877276 Jun 18 14:29 payload.042.ecc
-rw-r--r--    1 kitty  staff   14617964 Jun 18 14:29 payload.043
-rw-r--r--    1 kitty  staff    3823740 Jun 18 14:29 payload.043.ecc
-rw-r--r--    1 kitty  staff   12408428 Jun 18 14:30 payload.044
-rw-r--r--    1 kitty  staff    3963200 Jun 18 14:30 payload.044.ecc
-rw-r--r--    1 kitty  staff   13121116 Jun 18 14:30 payload.045
-rw-r--r--    1 kitty  staff    3662224 Jun 18 14:30 payload.045.ecc
-rw-r--r--    1 kitty  staff    8198524 Jun 18 14:31 payload.046
-rw-r--r--    1 kitty  staff    1608660 Jun 18 14:31 payload.046.ecc
-rw-r--r--    1 kitty  staff        648 Jun 18 14:31 payload_chunks.txt
-rw-r--r--    1 kitty  staff         12 Jun 18 14:31 prepare_payload

This isn’t.

Hex Fiend, open sesame!

Hex Fiend tells us that the payload files are a pbzx stream

Hex Fiend tells us that the payload.ecc files are a pbzx stream

pbzx? Let’s grab a copy of NiklasRosenstein’s fork of pbzx, concat them all and see what happens

(base) iMac-Pro:payloadv2 kitty$ cat payload.000 payload.001 payload.002 payload.003 payload.004 payload.005 payload.006 payload.007 payload.008 payload.009 payload.010 payload.011 payload.012 payload.013 payload.014 payload.015 payload.016 payload.017 payload.018 payload.019 payload.020 payload.021 payload.022 payload.023 payload.024 payload.025 payload.026 payload.027 payload.028 payload.029 payload.030 payload.031 payload.032 payload.033 payload.034 payload.035 payload.036 payload.037 payload.038 payload.039 payload.040 payload.041 payload.042 payload.043 payload.044 payload.045 payload.046 >> payload.pbzxchunk

(base) iMac-Pro:payloadv2 kitty$ ~/pbzx -n payload.pbzxchunk | cpio -i
0 blocks

Apparently nothing. :( But now we got our 8GB worth of material!

Our concat of the payload is around 8.29 GB

7zip?

(base) iMac-Pro:payloadv2 kitty$ 7z x payload.pbzx

7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=utf8,Utf16=on,HugeFiles=on,64 bits,16 CPUs x64)

Scanning the drive for archives:
1 file, 8290182886 bytes (7907 MiB)

Extracting archive: payload.pbzx

ERRORS:
There are data after the end of archive

--
Path = payload.pbzx
Type = xz
ERRORS:
There are data after the end of archive
Offset = 28
Physical Size = 483560
Tail Size = 8289699298
Method = LZMA2:23
Streams = 1
Blocks = 1

ERROR: There are some data after the end of the payload data : payload

Sub items Errors: 1

Archives with Errors: 1

Open Errors: 1

Sub items Errors: 1

So this is why we don’t just blindly concat archives…

Okay, let’s try again.

(base) iMac-Pro:payloadv2 kitty$ 7z x payload.000 -o./extract

7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=utf8,Utf16=on,HugeFiles=on,64 bits,16 CPUs x64)

Scanning the drive for archives:
1 file, 1055300 bytes (1031 KiB)

Extracting archive: payload.000

ERRORS:
There are data after the end of archive

--
Path = payload.000
Type = xz
ERRORS:
There are data after the end of archive
Offset = 28
Physical Size = 483560
Tail Size = 571712
Method = LZMA2:23
Streams = 1
Blocks = 1

ERROR: There are some data after the end of the payload data : payload

Sub items Errors: 1

Archives with Errors: 1

Open Errors: 1

Sub items Errors: 1

Oh. But on the bright side, we did get a payload file in our extract directory, it’s just 8 MB. We’re getting somewhere, it’s just not helpful yet.

As a Hail Mary, I tried using The Unarchiver, the first tool I downloaded when I got into macOS. Nope, it just concatenated the payload (you can tell because the magic number 70627A78 repeats, and every repeat after the first comes right after the footer signature).

Side note, I forgot to mention that fixup.manifest is also a pbzx stream.
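The 7-Zip runs above report an xz stream at Offset = 28 followed by a large tail, which is how a chunked container looks to an xz-only tool. As an added example (not from the original post or from any pbzx project), this Python walker decodes concatenated pbzx streams chunk by chunk; the header layout is the one used by public pbzx tools and is an assumption for these Big Sur payloads, and the sample data and all function names are constructed for illustration.

```python
import io
import lzma
import struct

PBZX_MAGIC = b"pbzx"            # 70 62 7A 78, the magic seen in Hex Fiend
XZ_MAGIC = b"\xfd7zXZ\x00"
MAX_CHUNK = 1 << 30             # refuse absurd sizes from a corrupt header


def iter_pbzx_chunks(fp):
    """Yield (stream_no, data_offset, raw_size, data) for each chunk in fp.

    Assumed layout: "pbzx", u64 BE block size, then repeated chunks of
    u64 BE uncompressed size, u64 BE stored length, stored bytes.
    A "pbzx" magic where a chunk header is expected starts the next stream,
    which is what a plain `cat payload.000 payload.001 ...` produces.
    """
    stream_no = 0
    while True:
        head = fp.read(4)
        if not head:
            return
        if head == PBZX_MAGIC:
            if len(fp.read(8)) != 8:
                raise ValueError("truncated pbzx header")
            stream_no += 1
            continue
        rest = fp.read(12)
        if stream_no == 0 or len(head) != 4 or len(rest) != 12:
            raise ValueError("not a pbzx stream or truncated chunk header")
        raw_size, stored_len = struct.unpack(">QQ", head + rest)
        if raw_size > MAX_CHUNK or stored_len > MAX_CHUNK:
            raise ValueError("implausible chunk size")
        data_offset = fp.tell()
        data = fp.read(stored_len)
        if len(data) != stored_len:
            raise ValueError("truncated chunk body")
        yield stream_no, data_offset, raw_size, data


def unpack_pbzx(fp, out):
    """Decode every chunk into out; return (stream_no, offset, is_xz, size)."""
    records = []
    for stream_no, offset, raw_size, data in iter_pbzx_chunks(fp):
        is_xz = data.startswith(XZ_MAGIC)
        if is_xz:
            dec = lzma.LZMADecompressor(format=lzma.FORMAT_XZ)
            # Cap the output so a lying header cannot inflate without bound;
            # the declared size is treated as an upper bound (assumption).
            plain = dec.decompress(data, max_length=raw_size + 1)
            if not dec.eof or len(plain) > raw_size:
                raise ValueError(f"chunk at {offset} does not match its header")
        else:
            plain = data        # chunk stored without compression
        out.write(plain)
        records.append((stream_no, offset, is_xz, len(plain)))
    return records


def build_pbzx(payload, block_size=4096):
    """Constructed sample input: pack payload into one pbzx stream."""
    parts = [PBZX_MAGIC, struct.pack(">Q", block_size)]
    for i in range(0, len(payload), block_size):
        block = payload[i:i + block_size]
        packed = lzma.compress(block, format=lzma.FORMAT_XZ)
        stored = packed if len(packed) < len(block) else block
        parts.append(struct.pack(">QQ", len(block), len(stored)) + stored)
    return b"".join(parts)


def demo():
    part_a = b"A" * 5000        # constructed, compressible: xz chunks
    part_b = b"manifest\n"      # constructed, tiny: stored raw
    blob = build_pbzx(part_a) + build_pbzx(part_b)   # two streams, concatenated
    out = io.BytesIO()
    records = unpack_pbzx(io.BytesIO(blob), out)
    return records, out.getvalue(), part_a + part_b


if __name__ == "__main__":
    records, decoded, expected = demo()
    for stream_no, offset, is_xz, size in records:
        kind = "xz" if is_xz else "raw"
        print(f"stream {stream_no} chunk at {offset}: {kind}, {size} bytes")
    print("round trip ok:", decoded == expected)
```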