Digging around the developer softwarecatalog dump for macOS Big Sur

EDIT: I was going to write a part two but working on this is extremely time consuming (considering my lack of prior experience with reverse engineering). I have spent days on this and haven’t made much progress and even went so far as to try and rewrite the ota tool to be memory-safe thinking it was a memory issue (which eventually didn’t work as that wasn’t the problem).
In seeking wisdom from the StackExchange Gods, I have posted a question on the Reverse Engineering Stack Exchange and everything I’ve written there is Part 2 to this post.
Now, back to Part 1…
I’m not a member of the Apple Developer Beta Program. I don’t even have a free developer account, let alone one that needs me to submit ID and pay. But I wanted to get my hands on Big Sur and take it for a spin on my specialised macOS Install.
Can I ask another developer to send me the app bundle? Pwetty Pweeaasee! ^w^ Nope. They’re obligated not to share a developer beta. It’s not a Public Beta. But softwarecatalog gives us a way; after all, you do need to distribute it. Even if it’s theoretically under lock and key.
So two commits (here and here) made to corpnewt’s gibMacOS with contributions by dhinakg made it trivial to get a copy of Big Sur from the developer softwarecatalog.
The problem? You can’t just run BuildmacOSInstallApp.command the way you did with Catalina, Mojave and High Sierra, and expect an app bundle. The structure that eventually is modified to make the app bundle has undergone a change. Suddenly not so trivial anymore.
gibMacOS primarily needed the following files to be present.
BaseSystem.dmg
BaseSystem.chunklist
InstallESDDmg.pkg
InstallInfo.plist
AppleDiagnostics.dmg
AppleDiagnostics.chunklist
They’re then shuffled around and ever-so-gently patched by BuildmacOSInstallApp.command (inspired by wolfmannight’s post on the InsanelyMac forums and improved for gibMacOS).
So, what do we get this time with Big Sur?
Info.plist
InstallAssistant.pkg
UpdateBrain.zip
MajorOSInfo.pkg
BuildManifest.plist
InstallInfo.plist
InstallAssistant.pkg
I’m sure every file is important but I want an app bundle quickly. I was impatient. The prize seemed to be somewhere in InstallAssistant.pkg (being the largest file at 9.56 GB). So, let’s open it up with Pacifist.
Notice the reported size? 8.9 GiB compressed, 19.2 MiB uncompressed. Now let’s open the same file with Hex Fiend.
<string>GPT Partition Data (Backup GPT Table : 7)</string>
So we got a disk image over here. Let’s rename and mount it.
(base) iMac-Pro:~ kitty$ cd /Volumes/Shared\ Support/
(base) iMac-Pro:Shared Support kitty$ ls -l
total 1512
-rw-r--r-- 1 kitty staff 188 Jun 18 14:45 InstallInfo.plist
-rw-r--r-- 1 kitty staff 766672 Jun 18 14:45 UpdateBrain.zip
drwxr-xr-x 5 kitty staff 170 Jun 18 14:45 com_apple_MobileAsset_MacSoftwareUpdate
So we now have two files and a folder. InstallInfo.plist is pretty much empty.
(base) iMac-Pro:Shared Support kitty$ cat InstallInfo.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
</dict>
</plist>
UpdateBrain.zip is the same archive that we retrieved from gibMacOS, which we can confirm with sha256sum.
bf1ebf70b5a21481d980a62ccc455f1138285928e53131261f180a5c59ad90a9 [omitted]/gibMacOS/macOS Downloads/developer/001-18401-003 - 10.16 macOS Beta/UpdateBrain.zip
bf1ebf70b5a21481d980a62ccc455f1138285928e53131261f180a5c59ad90a9 /Volumes/Shared Support/UpdateBrain.zip
So, we’re left with the com_apple_MobileAsset_MacSoftwareUpdate directory.
(base) iMac-Pro:Shared Support kitty$ cd com_apple_MobileAsset_MacSoftwareUpdate/
(base) iMac-Pro:com_apple_MobileAsset_MacSoftwareUpdate kitty$ ls -l
total 18651984
-rw-r--r-- 1 kitty staff 15201 Jun 18 14:45 0dc2cd535db0da2a9f559215671686ea4c055394.json
-rw-r--r-- 1 kitty staff 9549788313 Jun 18 14:45 0dc2cd535db0da2a9f559215671686ea4c055394.zip
-rw-r--r-- 1 kitty staff 6393 Jun 18 14:45 com_apple_MobileAsset_MacSoftwareUpdate.xml
0dc2cd535db0da2a9f559215671686ea4c055394.json and com_apple_MobileAsset_MacSoftwareUpdate.xml mostly contain the same information. Supported devices, build information, archive type and ticket information. I’ve included the contents of 0dc2cd535db0da2a9f559215671686ea4c055394.json and have omitted the less relevant information. The xml file contains mostly the same stuff.
(base) iMac-Pro:com_apple_MobileAsset_MacSoftwareUpdate kitty$ cat 0dc2cd535db0da2a9f559215671686ea4c055394.json
{
"ActualMinimumSystemPartition": 13156,
"AssetType": "com.apple.MobileAsset.MacSoftwareUpdate",
"BridgeVersionInfo": {
"BridgeBuildGroup": "0",
"BridgeProductBuildVersion": "18P50310o",
"BridgeVersion": "18.16.10310.5.15",
"CatalogURL": "https://swscan.apple.com/content/catalogs/others/index-10.16seed-10.16-10.15-10.14-10.13-10.12-10.11-10.10-10.9-mountainlion-lion-snowleopard-leopard.merged-1.sucatalog",
"IsSeed": "YES",
"SEPEpoch": {
"Major": 1,
"Minor": 0
}
},
"Build": "20A4299v",
"CanUseLocalCacheServer": true,
"InstallationSize": "0",
"InstallationSize-Snapshot": "5309688126",
"MinimumSystemPartition": 13208,
"OSVersion": "10.16",
"RestoreVersion": "20.1.299.4.22,0",
"RestoreVersionInfo": {
"RestoreBuildGroup": "0",
"RestoreVersion": "20.1.299.4.22"
},
"SUConvReqd": true,
"SUDocumentationID": "PreRelease",
"SUInstallTonightEnabled": true,
"SUMultiPassEnabled": true,
"SUProductSystemName": "macOS",
"SUPublisher": "Apple Inc.",
"SupportedDeviceModels": [
[omitted]
"SystemPartitionPadding": {
"1024": 1280,
"128": 1280,
"16": 160,
"256": 1280,
"32": 320,
"512": 1280,
"64": 640,
"768": 1280,
"8": 80
},
"TargetUpdateBridgeVersion": "18.16.10310.5.15,0",
"_AssetReceipt": {
[omitted]
"_CompressionAlgorithm": "zip",
"_DownloadSize": 9549788313,
"_IsZipStreamable": true,
"_MasteredVersion": "4299",
"_Measurement": "pplZqyoT6pmJ2qsHqO3cSGjOnO0=",
"_MeasurementAlgorithm": "SHA-1",
"_UnarchivedSize": 9892039680,
"__AssetDefaultGarbageCollectionBehavior": "NeverCollected",
"__RelativePath": "com_apple_MobileAsset_MacSoftwareUpdate/0dc2cd535db0da2a9f559215671686ea4c055394.zip"
}
We’re primarily interested in this 9.55 GB 0dc2cd535db0da2a9f559215671686ea4c055394.zip archive.
One unzipping later, we get this:
(base) iMac-Pro:0dc2cd535db0da2a9f559215671686ea4c055394 kitty$ ls -l
total 16
drwxr-xr-x 13 kitty staff 416 Jun 24 16:09 AssetData
-rw-r--r-- 1 kitty staff 5626 Jun 18 14:32 Info.plist
drwxr-xr-x 3 kitty access_bpf 96 Jun 18 14:32 META-INF
Info.plist has functionally the same information as com_apple_MobileAsset_MacSoftwareUpdate.xml and META-INF contains a singular com.apple.ZipMetadata.plist (hexdump on GitHub Gist) that doesn’t seem to be a normal xml plist file.
So we’re left with AssetData.
(base) iMac-Pro:0dc2cd535db0da2a9f559215671686ea4c055394 kitty$ ls -l AssetData/
total 109408
-rw-r--r-- 1 kitty staff 1456 Jun 18 14:31 Info.plist
drwxr-xr-x 4 kitty staff 128 Jun 18 14:09 Restore
drwxr-xr-x 16 kitty staff 512 Jun 24 16:10 boot
drwxr-xr-x 4 kitty staff 128 Jun 24 16:10 payload
-rw-r--r-- 1 kitty staff 220884 Jun 18 14:32 payload.bom
-rw-r--r-- 1 kitty staff 128 Jun 18 14:32 payload.bom.signature
drwxr-xr-x 102 kitty staff 3264 Jun 18 14:31 payloadv2
-rw-r--r--@ 1 kitty staff 55748514 Jun 18 14:11 post.bom
-rw-r--r-- 1 kitty staff 35046 Jun 18 14:11 pre.bom
drwxr-xr-x 4 kitty staff 128 Jun 24 16:26 usr
Let’s play find-the-disk-image.
(base) iMac-Pro:0dc2cd535db0da2a9f559215671686ea4c055394 kitty$ find . -type file -name *.dmg
./AssetData/usr/standalone/update/ramdisk/x86_64SURamDisk.dmg
./AssetData/Restore/BaseSystem.dmg
We got BaseSystem.dmg and this image called x86_64SURamDisk.dmg; they also come with their accompanying chunklist files. So, we’re good? Not by a long shot. We’ll need to come back to AssetData but we’re going to mount these disk images for now.
x86_64SURamDisk.dmg
x86_64SURamDisk.dmg mounts to /Volumes/GoldenSeed20A4299v.x86_64SURamDisk/
(base) iMac-Pro:GoldenSeed20A4299v.x86_64SURamDisk kitty$ ls -l -a
total 40
drwxr-xr-x 18 kitty staff 782 Jun 24 16:28 .
drwxr-xr-x 10 root wheel 320 Jun 24 17:29 ..
-rw-r--r--@ 1 kitty staff 10244 Jun 24 17:30 .DS_Store
drwx------ 2 kitty staff 170 Jun 24 16:30 .fseventsd
drwxr-xr-x 3 kitty staff 136 Jun 24 16:28 System
drwxr-xr-x@ 2 kitty staff 272 Jun 18 13:07 bin
dr-xr-xr-x@ 2 kitty staff 68 Jun 18 13:07 dev
lrwxr-xr-x@ 1 kitty staff 11 Jun 18 13:07 etc -> private/etc
drwxr-xr-x 2 kitty staff 68 Jun 18 13:07 mnt1
drwxr-xr-x 2 kitty staff 68 Jun 18 13:07 mnt2
drwxr-xr-x 2 kitty staff 68 Jun 18 13:07 mnt3
drwxr-xr-x 2 kitty staff 68 Jun 18 13:07 mnt4
drwxr-xr-x 2 kitty staff 68 Jun 18 13:07 mnt5
drwxr-xr-x 2 kitty staff 68 Jun 18 13:07 mnt6
drwxr-xr-x 2 kitty staff 68 Jun 18 13:07 mnt7
drwxr-xr-x 2 kitty staff 68 Jun 18 13:07 mnt8
drwxr-xr-x 2 kitty staff 68 Jun 18 13:07 mnt9
drwxr-xr-x@ 4 kitty staff 136 Jun 18 13:07 private
drwxr-xr-x@ 2 kitty staff 510 Jun 18 13:07 sbin
drwxr-xr-x@ 6 kitty staff 204 Jun 18 13:07 usr
lrwxr-xr-x@ 1 kitty staff 11 Jun 18 13:07 var -> private/var
First, let’s find System.kext.
(base) iMac-Pro:GoldenSeed20A4299v.x86_64SURamDisk kitty$ ls -l /Volumes/GoldenSeed20A4299v.x86_64SURamDisk/System/Library/Extensions
total 0
drwxr-xr-x 3 kitty staff 102 Jun 18 13:07 System.kext
Now, everything else:
System contains critical Frameworks, KernelCollections, PrivateFrameworks, CoreServices
bin has cat, expr, ln, mkdir, mv and rm
dev is empty
etc has master.passwd and the groups folder
private contains folders for storing logs
sbin has apfs_hfs_convert, fsck_hfs, mount, mount_tmpfs, reboot, fsck, halt, mount_apfs, newfs_apfs, fsck_apfs, launchd, mount_hfs and newfs_hfs
usr has bin which has only sed, lib contains libraries (who would’ve thought) and a few other directories
Suffice to say, System is the important directory here.
BaseSystem.dmg
macOS Base System
Let’s begin.
(base) iMac-Pro:macOS Base System kitty$ ls -a -l
total 0
drwxr-xr-x 22 kitty staff 704 Jun 18 13:12 .
drwxr-xr-x 8 root wheel 256 Jun 24 17:46 ..
lrwxr-xr-x 1 kitty staff 36 Jun 18 13:11 .VolumeIcon.icns -> System/Volumes/Data/.VolumeIcon.icns
---------- 1 kitty staff 0 Jun 18 13:11 .file
drwxr-xr-x 2 kitty staff 64 Jun 18 13:11 .vol
lrwxr-xr-x 1 kitty staff 33 Jun 18 13:11 AppleInternal -> System/Volumes/Data/AppleInternal
drwxrwxr-x 4 kitty staff 128 Jun 18 13:12 Applications
drwxr-xr-x 3 kitty staff 96 Jun 18 13:12 Install macOS Beta.app
lrwxr-xr-x 1 kitty staff 27 Jun 18 13:12 Library -> System/Volumes/Data/Library
drwxr-xr-x@ 8 kitty staff 256 Jun 18 13:12 System
lrwxr-xr-x 1 kitty staff 25 Jun 18 13:12 Users -> System/Volumes/Data/Users
drwxr-xr-x 2 kitty staff 64 Jun 18 13:12 Volumes
drwxr-xr-x@ 34 kitty staff 1088 Jun 18 13:12 bin
lrwxr-xr-x 1 kitty staff 25 Jun 18 13:12 cores -> System/Volumes/Data/cores
dr-xr-xr-x 2 kitty staff 64 Jun 18 13:12 dev
lrwxr-xr-x@ 1 kitty staff 11 Jun 18 13:12 etc -> private/etc
lrwxr-xr-x 1 kitty staff 23 Jun 18 13:12 opt -> System/Volumes/Data/opt
lrwxr-xr-x 1 kitty staff 27 Jun 18 13:12 private -> System/Volumes/Data/private
drwxr-xr-x@ 62 kitty staff 1984 Jun 18 13:12 sbin
lrwxr-xr-x@ 1 kitty staff 11 Jun 18 13:12 tmp -> private/tmp
drwxr-xr-x@ 9 kitty staff 288 Jun 18 13:12 usr
lrwxr-xr-x@ 1 kitty staff 11 Jun 18 13:12 var -> private/var
When it comes to the kernel, here’s where all the interesting stuff lies (and some not-so-important stuff)
(base) iMac-Pro:macOS Base System kitty$ find . -name *kernel*
./usr/libexec/kernelmanagerd
./usr/lib/system/libsystem_kernel.dylib
./System/Library/Preferences/Logging/Subsystems/com.apple.kernelmanagerd.logging.plist
./System/Library/PrelinkedKernels/prelinkedkernel
./System/Library/PrelinkedKernels/immutablekernel
./System/Library/Sandbox/Profiles/com.apple.kernelmanagerd.sb
./System/Library/Frameworks/OpenCL.framework/Versions/A/Resources/cl_kernel.x86_64.pch
./System/Library/Frameworks/OpenCL.framework/Versions/A/lib/clang/3.2/include/cl_kernel.h
./System/Library/Frameworks/OpenCL.framework/Versions/A/lib/clang/3.2/include/cl_kernel_shared.h
./System/Library/Frameworks/KernelManagement.framework/Versions/A/Resources/com.apple.kernelmanagement.plist
./System/Library/LaunchDaemons/com.apple.kernelmanagerd.plist
./System/DriverKit/usr/lib/system/libsystem_kernel.dylib
(base) iMac-Pro:macOS Base System kitty$ find . -name *Kernel*
./usr/sbin/KernelEventAgent
./usr/lib/libKernelCollectionBuilder.dylib
./System/Library/SystemConfiguration/KernelEventMonitor.bundle
./System/Library/PrelinkedKernels
./System/Library/CoreServices/KernelEventAgent.bundle
./System/Library/KernelCollections
./System/Library/KernelCollections/BaseSystemKernelExtensions.kc
./System/Library/KernelCollections/BaseSystemKernelExtensions.kc.bundles
./System/Library/KernelCollections/BootKernelExtensions.kc.elides
./System/Library/KernelCollections/BaseSystemKernelExtensions.kc.elides
./System/Library/KernelCollections/BootKernelExtensions.kc
./System/Library/Extensions/IOHDIXController.kext/Contents/PlugIns/AppleDiskImagesKernelBacked.kext
./System/Library/Extensions/IOHDIXController.kext/Contents/PlugIns/AppleDiskImagesKernelBacked.kext/Contents/MacOS/AppleDiskImagesKernelBacked
./System/Library/Extensions/System.kext/PlugIns/BSDKernel.kext
./System/Library/Extensions/System.kext/PlugIns/BSDKernel.kext/BSDKernel
./System/Library/Extensions/IOFireWireFamily.kext/Contents/Resources/en.lproj/KernelPlist.strings
./System/Library/Templates/Data/Library/KernelCollections
./System/Library/Templates/Data/private/var/db/KernelExtensionManagement
./System/Library/Frameworks/KernelManagement.framework
./System/Library/Frameworks/KernelManagement.framework/KernelManagement
./System/Library/LaunchDaemons/com.apple.KernelEventAgent.plist
./System/DriverKit/Runtime/System/Library/Frameworks/Kernel.framework
Let’s find System.kext (we know it’s here but still).
(base) iMac-Pro:macOS Base System kitty$ ls -l ./System/Library/Extensions/
total 0
[omitted]
drwxr-xr-x@ 6 kitty staff 192 Jun 18 13:12 System.kext
[omitted]
But wait, they don’t have the same size (55KB vs. 407KB). It’s because GoldenSeed20A4299v.x86_64SURamDisk's System.kext only has Libkern.kext (compared to macOS Base System). It shares the same binary in Libkern.kext.
(base) iMac-Pro:macOS Base System kitty$ ls -la /Volumes/GoldenSeed20A4299v.x86_64SURamDisk/System/Library/Extensions/System.kext/PlugIns/
total 0
drwxr-xr-x 3 kitty staff 102 Jun 18 13:07 .
drwxr-xr-x 3 kitty staff 102 Jun 18 13:07 ..
drwxr-xr-x 2 kitty staff 102 Jun 18 13:07 Libkern.kext
(base) iMac-Pro:macOS Base System kitty$ ls -la /Volumes/macOS\ Base\ System/System/Library/Extensions/System.kext/PlugIns/
total 0
drwxr-xr-x 14 kitty staff 448 Jun 18 13:12 .
drwxr-xr-x@ 6 kitty staff 192 Jun 18 13:12 ..
drwxr-xr-x 5 kitty staff 160 Jun 18 13:12 AppleNMI.kext
drwxr-xr-x 5 kitty staff 160 Jun 18 13:12 ApplePlatformFamily.kext
drwxr-xr-x 6 kitty staff 192 Jun 18 13:12 BSDKernel.kext
drwxr-xr-x 6 kitty staff 192 Jun 18 13:12 IOKit.kext
drwxr-xr-x 5 kitty staff 160 Jun 18 13:12 IONVRAMFamily.kext
drwxr-xr-x 5 kitty staff 160 Jun 18 13:12 IOSystemManagement.kext
drwxr-xr-x 6 kitty staff 192 Jun 18 13:12 Kasan.kext
drwxr-xr-x 6 kitty staff 192 Jun 18 13:12 Libkern.kext
drwxr-xr-x 6 kitty staff 192 Jun 18 13:12 MACFramework.kext
drwxr-xr-x 6 kitty staff 192 Jun 18 13:12 Mach.kext
drwxr-xr-x 6 kitty staff 192 Jun 18 13:12 Private.kext
drwxr-xr-x 6 kitty staff 192 Jun 18 13:12 Unsupported.kext
(base) iMac-Pro:macOS Base System kitty$ sha256sum /Volumes/GoldenSeed20A4299v.x86_64SURamDisk/System/Library/Extensions/System.kext/PlugIns/Libkern.kext/Libkern
458c67de8210b90c279e5c50972d192b09816e9811c7d7e505739be3ee1a9f71 /Volumes/GoldenSeed20A4299v.x86_64SURamDisk/System/Library/Extensions/System.kext/PlugIns/Libkern.kext/Libkern
(base) iMac-Pro:macOS Base System kitty$ sha256sum ./System/Library/Extensions/System.kext/PlugIns/Libkern.kext/Libkern
458c67de8210b90c279e5c50972d192b09816e9811c7d7e505739be3ee1a9f71 ./System/Library/Extensions/System.kext/PlugIns/Libkern.kext/Libkern
Honestly, at least during my (admittedly very light) search throughout macOS Base System, I cannot find anything that differentiates it from any other BaseSystem disk image I’ve seen before, so we’ll conclude this section.
Preboot
I don’t know enough about Preboot to say anything. So here’s a tree of the volume.
(base) iMac-Pro:Preboot kitty$ tree
.
└── 3CA070CB-E179-47AF-BF9C-CB668ABD57CE
    ├── Library
    │   └── Preferences
    │       └── SystemConfiguration
    │           └── com.apple.Boot.plist
    ├── System
    │   └── Library
    │       ├── Caches
    │       │   └── com.apple.corestorage
    │       │       └── EncryptedRoot.plist.wipekey
    │       ├── CoreServices
    │       │   ├── BridgeOSActivationSupported
    │       │   ├── BridgeVersion.bin
    │       │   ├── BridgeVersion.plist
    │       │   ├── PlatformSupport.plist
    │       │   ├── SystemVersion.plist
    │       │   └── boot.efi
    │       └── PrelinkedKernels
    │           ├── immutablekernel
    │           └── prelinkedkernel
    ├── boot
    │   └── System
    │       └── Library
    │           └── KernelCollections
    │               └── BootKernelExtensions.kc
    ├── usr
    │   └── standalone
    │       └── i386
    │           └── EfiLoginUI
    │               ├── Lucida13.efires
    │               ├── Lucida13White.efires
    │               ├── appleLogo.efires
    │               ├── battery.efires
    │               ├── disk_passwordUI.efires
    │               ├── flag_picker.efires
    │               ├── guest_userUI.efires
    │               ├── loginui.efires
    │               ├── recoveryUI.efires
    │               ├── recovery_user.efires
    │               ├── sound.efires
    │               └── unknown_userUI.efires
    └── var
        └── db
            └── CryptoUserInfo.plist
20 directories, 24 files
Conclusion
Overall, nothing really that special in BaseSystem.dmg (at least on a surface level).
0dc2cd535db0da2a9f559215671686ea4c055394.zip (AssetData)
Remember I said we’re going to be back here? We’re here. Because there are a few more things to show.
(base) iMac-Pro:AssetData kitty$ ls -la payload
total 16
drwxr-xr-x 4 kitty staff 128 Jun 24 16:10 .
drwxr-xr-x 13 kitty staff 416 Jun 24 16:09 ..
-rw-r--r--@ 1 kitty staff 6148 Jun 24 17:59 .DS_Store
drwxr-xr-x 2 kitty staff 64 Jun 18 14:11 replace
(base) iMac-Pro:AssetData kitty$ ls -la payload/replace/
total 0
drwxr-xr-x 2 kitty staff 64 Jun 18 14:11 .
drwxr-xr-x 4 kitty staff 128 Jun 24 16:10 ..
Okay. That’s boring.
(base) iMac-Pro:AssetData kitty$ ls -la payloadv2/
total 16786560
drwxr-xr-x 102 kitty staff 3264 Jun 18 14:31 .
drwxr-xr-x 13 kitty staff 416 Jun 24 16:09 ..
-rw-r--r-- 1 kitty staff 12 Jun 18 14:31 data_payload
-rw-r--r--@ 1 kitty staff 1994 Jun 18 14:11 firmlinks_payload
-rw-r--r-- 1 kitty staff 2525652 Jun 18 14:31 fixup.manifest
-rw-r--r--@ 1 kitty staff 0 Jun 18 14:11 links.txt
-rw-r--r--@ 1 kitty staff 1055300 Jun 18 14:12 payload.000
-rw-r--r-- 1 kitty staff 1286296 Jun 18 14:12 payload.000.ecc
-rw-r--r-- 1 kitty staff 875516 Jun 18 14:12 payload.001
-rw-r--r-- 1 kitty staff 994772 Jun 18 14:12 payload.001.ecc
-rw-r--r-- 1 kitty staff 573853456 Jun 18 14:13 payload.002
-rw-r--r-- 1 kitty staff 4383412 Jun 18 14:14 payload.002.ecc
-rw-r--r-- 1 kitty staff 574080392 Jun 18 14:15 payload.003
-rw-r--r-- 1 kitty staff 4376404 Jun 18 14:15 payload.003.ecc
-rw-r--r-- 1 kitty staff 286951879 Jun 18 14:16 payload.004
-rw-r--r-- 1 kitty staff 582044 Jun 18 14:16 payload.004.ecc
-rw-r--r-- 1 kitty staff 307241464 Jun 18 14:16 payload.005
-rw-r--r-- 1 kitty staff 648956 Jun 18 14:16 payload.005.ecc
-rw-r--r-- 1 kitty staff 187983275 Jun 18 14:16 payload.006
-rw-r--r-- 1 kitty staff 382796 Jun 18 14:16 payload.006.ecc
-rw-r--r-- 1 kitty staff 186303822 Jun 18 14:16 payload.007
-rw-r--r-- 1 kitty staff 377288 Jun 18 14:17 payload.007.ecc
-rw-r--r-- 1 kitty staff 175425780 Jun 18 14:17 payload.008
-rw-r--r-- 1 kitty staff 417408 Jun 18 14:17 payload.008.ecc
-rw-r--r-- 1 kitty staff 130777652 Jun 18 14:17 payload.009
-rw-r--r-- 1 kitty staff 921716 Jun 18 14:17 payload.009.ecc
-rw-r--r-- 1 kitty staff 217104600 Jun 18 14:17 payload.010
-rw-r--r-- 1 kitty staff 522316 Jun 18 14:17 payload.010.ecc
-rw-r--r-- 1 kitty staff 184514372 Jun 18 14:18 payload.011
-rw-r--r-- 1 kitty staff 517909 Jun 18 14:18 payload.011.ecc
-rw-r--r-- 1 kitty staff 181656620 Jun 18 14:18 payload.012
-rw-r--r-- 1 kitty staff 519016 Jun 18 14:18 payload.012.ecc
-rw-r--r-- 1 kitty staff 238920944 Jun 18 14:18 payload.013
-rw-r--r-- 1 kitty staff 553404 Jun 18 14:18 payload.013.ecc
-rw-r--r-- 1 kitty staff 234966944 Jun 18 14:18 payload.014
-rw-r--r-- 1 kitty staff 519986 Jun 18 14:18 payload.014.ecc
-rw-r--r-- 1 kitty staff 201725196 Jun 18 14:19 payload.015
-rw-r--r-- 1 kitty staff 625204 Jun 18 14:19 payload.015.ecc
-rw-r--r-- 1 kitty staff 191572320 Jun 18 14:19 payload.016
-rw-r--r-- 1 kitty staff 551044 Jun 18 14:19 payload.016.ecc
-rw-r--r-- 1 kitty staff 232570276 Jun 18 14:19 payload.017
-rw-r--r-- 1 kitty staff 542256 Jun 18 14:19 payload.017.ecc
-rw-r--r-- 1 kitty staff 216894612 Jun 18 14:20 payload.018
-rw-r--r-- 1 kitty staff 743728 Jun 18 14:20 payload.018.ecc
-rw-r--r-- 1 kitty staff 242808516 Jun 18 14:20 payload.019
-rw-r--r-- 1 kitty staff 562636 Jun 18 14:20 payload.019.ecc
-rw-r--r-- 1 kitty staff 147138036 Jun 18 14:20 payload.020
-rw-r--r-- 1 kitty staff 930832 Jun 18 14:20 payload.020.ecc
-rw-r--r-- 1 kitty staff 190148332 Jun 18 14:21 payload.021
-rw-r--r-- 1 kitty staff 692480 Jun 18 14:21 payload.021.ecc
-rw-r--r-- 1 kitty staff 217104298 Jun 18 14:21 payload.022
-rw-r--r-- 1 kitty staff 579848 Jun 18 14:21 payload.022.ecc
-rw-r--r-- 1 kitty staff 239928524 Jun 18 14:21 payload.023
-rw-r--r-- 1 kitty staff 558276 Jun 18 14:21 payload.023.ecc
-rw-r--r-- 1 kitty staff 153293092 Jun 18 14:22 payload.024
-rw-r--r-- 1 kitty staff 850040 Jun 18 14:22 payload.024.ecc
-rw-r--r-- 1 kitty staff 189531840 Jun 18 14:22 payload.025
-rw-r--r-- 1 kitty staff 721620 Jun 18 14:22 payload.025.ecc
-rw-r--r-- 1 kitty staff 206590048 Jun 18 14:23 payload.026
-rw-r--r-- 1 kitty staff 781260 Jun 18 14:23 payload.026.ecc
-rw-r--r-- 1 kitty staff 192235168 Jun 18 14:23 payload.027
-rw-r--r-- 1 kitty staff 832848 Jun 18 14:23 payload.027.ecc
-rw-r--r-- 1 kitty staff 188192824 Jun 18 14:23 payload.028
-rw-r--r-- 1 kitty staff 813172 Jun 18 14:23 payload.028.ecc
-rw-r--r-- 1 kitty staff 199567904 Jun 18 14:24 payload.029
-rw-r--r-- 1 kitty staff 717300 Jun 18 14:24 payload.029.ecc
-rw-r--r-- 1 kitty staff 165655176 Jun 18 14:24 payload.030
-rw-r--r-- 1 kitty staff 909768 Jun 18 14:24 payload.030.ecc
-rw-r--r-- 1 kitty staff 181763720 Jun 18 14:24 payload.031
-rw-r--r-- 1 kitty staff 715808 Jun 18 14:24 payload.031.ecc
-rw-r--r-- 1 kitty staff 166298776 Jun 18 14:25 payload.032
-rw-r--r-- 1 kitty staff 639792 Jun 18 14:25 payload.032.ecc
-rw-r--r-- 1 kitty staff 165657468 Jun 18 14:25 payload.033
-rw-r--r-- 1 kitty staff 937548 Jun 18 14:25 payload.033.ecc
-rw-r--r-- 1 kitty staff 189742576 Jun 18 14:25 payload.034
-rw-r--r-- 1 kitty staff 717692 Jun 18 14:25 payload.034.ecc
-rw-r--r-- 1 kitty staff 130202724 Jun 18 14:26 payload.035
-rw-r--r-- 1 kitty staff 727680 Jun 18 14:26 payload.035.ecc
-rw-r--r-- 1 kitty staff 196248932 Jun 18 14:26 payload.036
-rw-r--r-- 1 kitty staff 746348 Jun 18 14:26 payload.036.ecc
-rw-r--r-- 1 kitty staff 152740384 Jun 18 14:26 payload.037
-rw-r--r-- 1 kitty staff 941460 Jun 18 14:26 payload.037.ecc
-rw-r--r-- 1 kitty staff 147490940 Jun 18 14:27 payload.038
-rw-r--r-- 1 kitty staff 1160904 Jun 18 14:27 payload.038.ecc
-rw-r--r-- 1 kitty staff 113575924 Jun 18 14:27 payload.039
-rw-r--r-- 1 kitty staff 1528676 Jun 18 14:27 payload.039.ecc
-rw-r--r-- 1 kitty staff 90781716 Jun 18 14:28 payload.040
-rw-r--r-- 1 kitty staff 2102396 Jun 18 14:28 payload.040.ecc
-rw-r--r-- 1 kitty staff 40060668 Jun 18 14:28 payload.041
-rw-r--r-- 1 kitty staff 3178528 Jun 18 14:29 payload.041.ecc
-rw-r--r-- 1 kitty staff 10604848 Jun 18 14:29 payload.042
-rw-r--r-- 1 kitty staff 3877276 Jun 18 14:29 payload.042.ecc
-rw-r--r-- 1 kitty staff 14617964 Jun 18 14:29 payload.043
-rw-r--r-- 1 kitty staff 3823740 Jun 18 14:29 payload.043.ecc
-rw-r--r-- 1 kitty staff 12408428 Jun 18 14:30 payload.044
-rw-r--r-- 1 kitty staff 3963200 Jun 18 14:30 payload.044.ecc
-rw-r--r-- 1 kitty staff 13121116 Jun 18 14:30 payload.045
-rw-r--r-- 1 kitty staff 3662224 Jun 18 14:30 payload.045.ecc
-rw-r--r-- 1 kitty staff 8198524 Jun 18 14:31 payload.046
-rw-r--r-- 1 kitty staff 1608660 Jun 18 14:31 payload.046.ecc
-rw-r--r-- 1 kitty staff 648 Jun 18 14:31 payload_chunks.txt
-rw-r--r-- 1 kitty staff 12 Jun 18 14:31 prepare_payload
This isn’t.
Hex Fiend, open sesame!
pbzx? Let’s grab a copy of NiklasRosenstein’s fork of pbzx, concat them all and see what happens.
(base) iMac-Pro:payloadv2 kitty$ cat payload.000 payload.001 payload.002 payload.003 payload.004 payload.005 payload.006 payload.007 payload.008 payload.009 payload.010 payload.011 payload.012 payload.013 payload.014 payload.015 payload.016 payload.017 payload.018 payload.019 payload.020 payload.021 payload.022 payload.023 payload.024 payload.025 payload.026 payload.027 payload.028 payload.029 payload.030 payload.031 payload.032 payload.033 payload.034 payload.035 payload.036 payload.037 payload.038 payload.039 payload.040 payload.041 payload.042 payload.043 payload.044 payload.045 payload.046 >> payload.pbzxchunk
(base) iMac-Pro:payloadv2 kitty$ ~/pbzx -n payload.pbzxchunk | cpio -i
0 blocks
Apparently nothing. :( But now we got our 8GB worth of material!
7zip?
(base) iMac-Pro:payloadv2 kitty$ 7z x payload.pbzx
7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=utf8,Utf16=on,HugeFiles=on,64 bits,16 CPUs x64)
Scanning the drive for archives:
1 file, 8290182886 bytes (7907 MiB)
Extracting archive: payload.pbzx
ERRORS:
There are data after the end of archive
--
Path = payload.pbzx
Type = xz
ERRORS:
There are data after the end of archive
Offset = 28
Physical Size = 483560
Tail Size = 8289699298
Method = LZMA2:23
Streams = 1
Blocks = 1
ERROR: There are some data after the end of the payload data : payload
Sub items Errors: 1
Archives with Errors: 1
Open Errors: 1
Sub items Errors: 1
So this is why we don’t just blindly concat archives…
Okay, let’s try again.
(base) iMac-Pro:payloadv2 kitty$ 7z x payload.000 -o./extract
7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=utf8,Utf16=on,HugeFiles=on,64 bits,16 CPUs x64)
Scanning the drive for archives:
1 file, 1055300 bytes (1031 KiB)
Extracting archive: payload.000
ERRORS:
There are data after the end of archive
--
Path = payload.000
Type = xz
ERRORS:
There are data after the end of archive
Offset = 28
Physical Size = 483560
Tail Size = 571712
Method = LZMA2:23
Streams = 1
Blocks = 1
ERROR: There are some data after the end of the payload data : payload
Sub items Errors: 1
Archives with Errors: 1
Open Errors: 1
Sub items Errors: 1
Oh. But on the bright side, we did get a payload file in our extract directory, it’s just 8 MB. We’re getting somewhere, it’s just not helpful yet.
As a Hail Mary, I tried using The Unarchiver, the first tool I downloaded when I got into macOS. Nope, it just concatenated the payload (you can tell here as the magic number 70627A78 is being repeated and after the first, is repeating after the footer signature).
Side note, I forgot to mention that fixup.manifest is also a pbzx stream.
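The 7-Zip output above (Offset = 28, one xz stream, then a large tail) and the repeated 70627A78 magic are what the commonly documented pbzx framing predicts: a 4-byte magic, an 8-byte flags word, then chunks that each carry two 8-byte big-endian fields ahead of their data. The Python walker below is an added example, not code from this post or from the pbzx tool; it assumes that layout, and walk_pbzx, make_pbzx, summarize and the sample inputs are constructed for illustration.

```python
import lzma
import struct

PBZX_MAGIC = b"pbzx"          # 70 62 7A 78, the magic number quoted in the post
XZ_MAGIC = b"\xfd7zXZ\x00"    # first bytes of an embedded xz stream


def walk_pbzx(buf):
    """Split buf into pbzx streams and return one chunk list per stream.

    Each chunk is (data_offset, stored_length, decoded_bytes).
    Assumed layout: magic, u64 flags, then repeated (u64 flags, u64 length, data).
    """
    streams, pos = [], 0
    while pos < len(buf):
        if buf[pos:pos + 4] != PBZX_MAGIC:
            raise ValueError(f"expected pbzx magic at offset {pos}")
        pos += 4 + 8                      # magic + 64-bit big-endian flags word
        chunks = []
        # A chunk list ends at end of input or where the next file's magic starts,
        # which is what a blind `cat payload.000 payload.001 ...` produces.
        while pos < len(buf) and buf[pos:pos + 4] != PBZX_MAGIC:
            if pos + 16 > len(buf):
                raise ValueError(f"truncated chunk header at offset {pos}")
            _flags, length = struct.unpack_from(">QQ", buf, pos)
            pos += 16
            body = buf[pos:pos + length]
            if len(body) != length:
                raise ValueError(f"truncated chunk data at offset {pos}")
            if body.startswith(XZ_MAGIC):
                decoded = lzma.decompress(body, format=lzma.FORMAT_XZ)
            else:
                decoded = body            # chunk stored without compression
            chunks.append((pos, length, decoded))
            pos += length
        streams.append(chunks)
    return streams


def make_pbzx(parts):
    """Build a constructed pbzx file from (plain_bytes, compress) pairs."""
    out = PBZX_MAGIC + struct.pack(">Q", 0x1000000)
    for plain, compress in parts:
        body = lzma.compress(plain, format=lzma.FORMAT_XZ) if compress else plain
        out += struct.pack(">QQ", len(plain), len(body)) + body
    return out


# Constructed stand-ins for payload.000 and payload.001 (not Apple data).
PART0 = make_pbzx([(b"A" * 4096, True), (b"stored raw", False)])
PART1 = make_pbzx([(b"B" * 2048, True)])


def summarize(buf):
    """Return (offset of the first chunk's data, decoded size per stream)."""
    streams = walk_pbzx(buf)
    sizes = [sum(len(d) for _, _, d in chunks) for chunks in streams]
    return streams[0][0][0], sizes


if __name__ == "__main__":
    offset, sizes = summarize(PART0 + PART1)
    print("first xz stream starts at offset", offset)
    print("decoded bytes per pbzx stream:", sizes)
```

The walker only recovers the framing; what the decoded bytes are (cpio reported 0 blocks above) is a separate question.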