Can we download Mavericks directly from Apple's servers?

[Wowfunhappy]

@Wowfunhappy Could you check if the Internet Recovery works after you log in? I tried patching out the call that starts the App Store purchase, but the download just gets stuck on "Retrieving 1 packages (4.709 GB)".

...I can't get in.

This is my normal Apple ID which I use for everything, it's a full account as far as I know. This also means I can't monitor requests like the emailer suggested.

I was able to download the 2012 MacBook Air's dmg through a custom python script that replicated the request conditions, but I realized that it provided a 10.7 Lion InstallESD for some reason, which I'm assuming is why it threw up "A required download is missing" (061-34076 is for Lion, 031-10295 is for Mavericks). Super strange...

No that tracks! The 2012 MBA was released a couple of months before Mountain Lion; it shipped with Lion and would download Lion in Network Recovery. (I owned one of these at the time.)

 

[Jazzzny]

For future reference, attached is the patched IA (replaces /Install OS X Mavericks.app/Contents/PlugIns/IA.bundle/Contents/MacOS/IA).

If someone were to burn the Internet Recovery image to a writable drive using something like Carbon Copy Cloner and add this patched file, I believe this would allow you to download Mavericks directly from Apple's servers without an "2014-authorized" Apple ID, albeit only on machines that shipped with Mavericks preinstalled.

Ugh, what a mess from Apple...

 

[Wowfunhappy]

For future reference, attached is the patched IA (replaces /Install OS X Mavericks.app/Contents/PlugIns/IA.bundle/Contents/MacOS/IA).

If someone were to burn the Internet Recovery image to a writable drive using something like Carbon Copy Cloner and add this patched file, I believe this would allow you to download Mavericks directly from Apple's servers without an "2014-authorized" Apple ID, albeit only on machines that shipped with Mavericks preinstalled.

Ugh, what a mess from Apple...

If someone doesn't beat me to it, I'll try this at some point on my 2014 MBA. (I'd do it now, but I just realized I don't have a working thumb drive...)

Eventually, it would be great if someone with a semi-broken Mac of this vintage that they're not using could donate their CID for public use. There's some small chance Apple could ban it, but I think they probably won't...

 

[MitzEclipse]

Wow - I have this exact same issue on an older iMac I am trying to revive!

https://forums.macrumors.com/threads/cannot-proceed-with-macos-install-cannot-log-into-mac-app-store-in-recovery-mode.2444385/

What is the way forward? I have an old USB thumbdrive - is it possible to install the installer on there and boot from there? I am stuck at the appleID login as well...

 

[Wowfunhappy]

Wow - I have this exact same issue on an older iMac I am trying to revive!

What is the way forward? I have an old USB thumbdrive - is it possible to install the installer on there and boot from there? I am stuck at the appleID login as well...

The easiest actual solution today is to grab a copy of Mavericks from a third party source like the Internet Archive. I'm hesitant to point to a specific image because I can't personally vouch for them, but they're probably all fine. (Or, anyone can PM or email me if they'd like the image I personally use.)

If you want to experiment with us, you could try downloading the Mavericks recovery DMG by running the python script in the first post of this thread, writing the resulting DMG to a flash drive via Disk Utility, and replacing /Install OS X Mavericks.app/Contents/PlugIns/IA.bundle/Contents/MacOS/IA on the flash drive with the file Jazzzny attached in his most recent post. Then, boot from the USB drive, try to install Mavericks and let us know what happens.

 

[MitzEclipse]

thanks @Wowfunhappy I'm happy to experiment. I downloaded the DMG. How do I create a bootable disk with a MBA M1 for the older iMac? I understand running Terminal/createinstallmedia will not work. What are my options? I also have an older intel MBP with Monterey I could use?

 

[Jazzzny]

How do I create a bootable disk with a MBA M1 for the older iMac?

You can use the Carbon Copy Cloner application. Ignore the warnings about not being able to create bootable copies of macOS Catalina and older, creating the basic install media still works fine.

 

[Adora]

...I can't get in.

View attachment 2457621

This is my normal Apple ID which I use for everything, it's a full account as far as I know. This also means I can't monitor requests like the emailer suggested.



No that tracks! The 2012 MBA was released a couple of months before Mountain Lion; it shipped with Lion and would download Lion in Network Recovery. (I owned one of these at the time.)

Wasn't there something like putting the two factor code behind the password when logging in to older App Stores? Or you might even need to create an app-specific password nowadays. At least you couldn't just login already many years ago.

If iCloud "Advanced Data Protection" is on for newer devices, that account can't be used for the App Store anymore too on an unsupported OS. Although the iCloud and AppStore accounts are normally independent from each other.


The last and only macOS I see in my purchases in a recent macOS is "OS X El Capitan GM Candidate". It seems something changed after that also for downloading installers. That's the only one I could download from the App Store in Sequoia.

 

[Wowfunhappy]

Wasn't there something like putting the two factor code behind the password when logging in to older App Stores?

Yes, as a Mavericks user I use this all the time. This isn't that—among other things, I'm not recieving a two factor code. App passwords are only for (and only work with) third party apps, never Apple software.

If iCloud "Advanced Data Protection" is on for newer devices, that account can't be used for the App Store anymore too on an unsupported OS.

It's turned off.

The last and only macOS I see in my purchases in a recent macOS is "OS X El Capitan GM Candidate". It seems something changed after that also for downloading installers. That's the only one I could download from the App Store in Sequoia.

Mavericks only appears in your purchase history if you "purchased" it when it was current, circa 2014-ish.

To be clear I am actively logged into the App Store in Mavericks right now, I just can't get in within the recovery environment. Even if I could that probably wouldn't help us, since anyone with Mavericks in their purchase history could already download it from the App Store. We're trying to find a "public" way for anyone to download Mavericks directly from Apple's servers, because that is (or at least feels) more trustworthy than grabbing it from some random third party source.

 

[startergo]

albeit only on machines that shipped with Mavericks preinstalled.

Are you sure about this? My understanding is that only the individuals who have the app in the "purchased items" can download Mavericks. I am pretty sure the machines shipped with Mavericks and have internet recovery can't download Mavericks, but Yosemite form the servers.

 

[startergo]

We're trying to find a "public" way for anyone to download Mavericks directly from Apple's servers

Well, there is your link:

http://osxapps.itunes.apple.com/apple-assets-us-std-000001/Purple49/v4/a5/ef/b4/a5efb468-7f48-1395-d8e4-2194ba4d688a/encrypted5063122388219779779.pkg

But it is encrypted.

• Launch Terminal on your Mac from Launchpad or Applications list.
• Type in the following command:

sudo nano /etc/hosts

• Provide the System Password (if required). The hosts file is now open in editable mode within the Terminal window. Append the following line to the end of the file: “127.0.0.1 osxapps.itunes.apple.com”. Press control + X (^X), then Y and hit return to save the file and return to Terminal prompt. Now, whenever any request is generated from your computer to the root domain (osxapps.itunes.apple.com), it will point to your localhost.

Note:​

Sometimes, you might need to flush the DNS cache for the changes to take effect. To flush DNS cache, type the following in the command line and hit return:

sudo killall -HUP mDNSResponder

• Place the downloaded packages (.pkg and .pfpkg files) in a certain relative path (directory structure) on your Mac, as indicated by the structure of their respective download URLs. In this example, we will create a folder named “macos_local” on Desktop, and replicate the directory structure of the two package URLs under the same. Once the relative path has been created, we’ll configure the localhost server to point to the macos_local directory on Desktop and run it. Follow the steps below to achieve the same:

cd Desktop
mkdir macos_local
cd macos_local
sudo mkdir -p ./apple-assets-us-std-000001/Purple69/v4/a6/b2/66/a6b26643-7d56-d42f-1b0f-e605e094c8fa/
Password:
sudo mkdir -p ./apple-assets-us-std-000001/Purple49/v4/a5/ef/b4/a5efb468-7f48-1395-d8e4-2194ba4d688a/
sudo python -m http.server 80
Password:
Serving HTTP on :: port 80 (http://[::]:80/) ...

• Copy the raw files from the MAS with Jdownloader or another download manager:
• pfpkg in the folder:

~/Desktop/macos_local/apple-assets-us-std-000001/Purple69/v4/a6/b2/66/a6b26643-7d56-d42f-1b0f-e605e094c8fa

http://osxapps.itunes.apple.com/apple-assets-us-std-000001/Purple69/v4/a6/b2/66/a6b26643-7d56-d42f-1b0f-e605e094c8fa/encrypted1094904501970168333.pfpkg

• Or with Curl:

curl -L -o "~/Desktop/macos_local/apple-assets-us-std-000001/Purple69/v4/a6/b2/66/a6b26643-7d56-d42f-1b0f-e605e094c8fa/encrypted1094904501970168333.pfpkg" "http://osxapps.itunes.apple.com/app...05e094c8fa/encrypted1094904501970168333.pfpkg"

• And the pkg file in the folder:

~/Desktop/macos_local/apple-assets-us-std-000001/Purple49/v4/a5/ef/b4/a5efb468-7f48-1395-d8e4-2194ba4d688a

http://osxapps.itunes.apple.com/apple-assets-us-std-000001/Purple49/v4/a5/ef/b4/a5efb468-7f48-1395-d8e4-2194ba4d688a/encrypted5063122388219779779.pkg

Or with Curl:

curl -L -o "~/Desktop/macos_local/apple-assets-us-std-000001/Purple49/v4/a5/ef/b4/a5efb468-7f48-1395-d8e4-2194ba4d688a/encrypted5063122388219779779.pkg" "http://osxapps.itunes.apple.com/app...2194ba4d688a/encrypted5063122388219779779.pkg"

• Open the macOS Mavericks MAS link:

https://itunes.apple.com/app/id675248567?mt=12

Someone can see if this works.

 

[startergo]

Oh for goodness sakes!

Here is what happens when you boot the DMG downloaded via macrecovery.py and try to install OS X:

So this is a dead end...

On a macmini3,1 I was able to download and install, by logging to that screen. From my research there are 2 requirements from recovery: supported machine and Mavericks in the "purchased apps". To download from MAS you only need the "purchased apps" condition.

 

[Jazzzny]

Are you sure about this? My understanding is that only the individuals who have the app in the "purchased items" can download Mavericks. I am pretty sure the machines shipped with Mavericks and have internet recovery can't download Mavericks, but Yosemite form the servers.

Yes, I am sure. I came to this conclusion by putting the binary responsible for the installer into a disassembler and proxying/inspecting all internet traffic that came out of the Internet Recovery environment.

The App Store login in the recovery is not related to the actual download at all, all downloads are from a different URL (osrecovery.apple.com). This is why the download can be started by simply patching out the call that shows the App Store login prompt.

 

[startergo]

The App Store login in the recovery is not related to the actual download at all, all downloads are from a different URL (osrecovery.apple.com).

That may be true, but without logging in you can’t proceed forward. After logging in there is a hardware check performed by the installer. So with the patched binary any machine can download the full installer from recovery?

 

[Jazzzny]

That may be true, but without logging in you can’t proceed forward. After logging in there is a hardware check performed by the installer. So with the patched binary any machine can download the full installer from recovery?

Yes, see my posts above for my analysis.

 

[startergo]

This script performs external manipulation in the recovery console. It acts as if you sit in front of the machine and perform various tasks in recovery console to install macOS. It is designed for virtual box, but can be adapted or at least used to do a live patch of the installer during the installation process.

GitHub - myspaghetti/macos-virtualbox: Push-button installer of macOS Catalina, Mojave, and High Sierra guests in Virtualbox on x86 CPUs for Windows, Linux, and macOS

Push-button installer of macOS Catalina, Mojave, and High Sierra guests in Virtualbox on x86 CPUs for Windows, Linux, and macOS - myspaghetti/macos-virtualbox

github.com

 

[Grumpus]

Could anyone out there with a downloaded-from-the-app-store Mavericks installer please post the sha 256 checksum for the dmg /usr/bin/shasum -a 256 InstallMacOSX.dmg along with the patch level (i.e. 10.9.5) for it? There are lots of places from which to download installers but verifying the validity is really the ultimate goal.

 

[startergo]

Could anyone out there with a downloaded-from-the-app-store Mavericks installer please post the sha 256 checksum for the dmg /usr/bin/shasum -a 256 InstallMacOSX.dmg along with the patch level (i.e. 10.9.5) for it? There are lots of places from which to download installers but verifying the validity is really the ultimate goal.

There are at least 2 versions of the installer. Back in 2013 the installer shipped with the DMG packed correctly and you could use creatinstallmedia to create a USB installer. At some point Apple started packing all legacy installer DMG's downloaded directly from the MAS inside packages. These InstallMacOSX.dmg's can't be used directly without some manipulation. See here for more details:

App Store links and mas-cli Id's for macOS Installers from Lion to Ventura

Yes best of all one should avoid the regular createinstallmedia on older macOS's due to various issues. Instead use the method below. This was in response to the error when reinstalling macOS Sierra from internet recovery: osishelperd[547]: mountDiskImageWithPath: /Volumes/Untitled/macOS...

forums.macrumors.com

 

[Wowfunhappy]

After logging in there is a hardware check performed by the installer.

If we get far enough, we can eventually feed the server whatever hardware identifiers we want, we just need someone with the right hardware to share the correct strings. Ideally this should be someone with a semi-broken computer they aren't going to use, because there is some chance that Apple will ban the identifier—but I honestly don't think they're going to bother, all the evidence suggests they simply don't care about this at all.

 

[startergo]

If we get far enough, we can eventually feed the server whatever hardware identifiers we want, we just need someone with the right hardware to share the correct strings. Ideally this should be someone with a semi-broken computer they aren't going to use, because there is some chance that Apple will ban the identifier—but I honestly don't think they're going to bother, all the evidence suggests they simply don't care about this at all.

Macmini3,1 costs nowadays less than a bottle of good Scotch.

 

[Wowfunhappy]

Well, there is your link:
http://osxapps.itunes.apple.com/apple-assets-us-std-000001/Purple49/v4/a5/ef/b4/a5efb468-7f48-1395-d8e4-2194ba4d688a/encrypted5063122388219779779.pkg
But it is encrypted.

Wait. What?!

If your quote is true and it's normally decrypted by the App Store... the key must be in the app store binary...

 

[startergo]

the key must be in the app store binary

This is great. So how do we get it?

 

[f54da]

>Key must be in the app store binary
Or returned via HTTP response as part of download metadata.

Need to snoop "storeagent" somehow? I see -[DecryptOperation initWithLocalFilePath]

Seems like since the key is apparently fixed it should definitely be possible. Tampering with signature of StoreAgent (to e.g. insert a dylib) might cause grumbles from the OS, and I don't know if you can simbl inject into it since it's not a bundle application. mach_inject based techniques would work of course (what mysimbl switched to for 10.10+) but don't know if there's a drop-in version for 10.9. Decryption uses fairplay btw as is well noted. https://nicolo.dev/en/blog/fairplay-apple-obfuscation/

 

[f54da]

There's also cases where decryption can be done on the fly "-[HashedDownloadProvider _decryptAndHashBufferWithDownloadFinished:]"

Btw good info @ page 63

https://media.defcon.org/DEF%20CON%2029/DEF%20CON%2029%20presentations/Zhipeng%20Huo%20Yuebin%20Sun%20Chuanda%20Ding%20-%20Caught%20you%20-%20reveal%20and%20exploit%20IPC%20logic%20bugs%20inside%20Apple.pdf

 

[Wowfunhappy]

Going back to the original method:

For future reference, attached is the patched IA (replaces /Install OS X Mavericks.app/Contents/PlugIns/IA.bundle/Contents/MacOS/IA).

If someone were to burn the Internet Recovery image to a writable drive using something like Carbon Copy Cloner and add this patched file, I believe this would allow you to download Mavericks directly from Apple's servers without an "2014-authorized" Apple ID, albeit only on machines that shipped with Mavericks preinstalled.

Ugh, what a mess from Apple...

I can confirm this works on my 2014 Macbook Air!

I also successfully attached mitmproxy using the Terminal as outlined in the email. I don't want to post the output publicly since it contains my Mac's serial number, CID, and key. (As I said, eventually I'm hoping we can get someone to "donate" values from an unwanted Mac, but as I use my Macbook Air constantly it is not a good candidate!) That said, if anyone would like to have a copy of mitm's complete output to study, please PM me!