Latest update:
"06 07 2A 86 48 86 F7 14 04"= "Microsoft file formats";
"06 08 2A 86 48 86 F7 14 04 02"= "Microsoft Word";
"06 08 2A 86 48 86 F7 14 04 03"= "Microsoft Excel";
"06 08 2A 86 48 86 F7 14 04 04"= "Microsoft Project";
"06 08 2A 86 48 86 F7 14 04 05"= "Microsoft PowerPoint";
"06 08 2A 86 48 86 F7 14 04 06"= "Microsoft Works";
ok overview of what we can actually do...
we can start services with AMDeviceStartService
and access values with AMDeviceCopyValue
we can get full access to files in the chroot jail
we can download activation plists to the phone
so far we still have no idea how to run programs
or modify files other than the ones in the chroot jail
i see four things to do right now
1. modify and reencrypt dmg
+we know it's doable
+it'll get files on the device
-it may be signed or checksummed
-we aren't sure if itunes dls to the big dmg
2. disasm lockdown and see how the activation plists are validated
+plist generator
-we aren't sure lockdown validates them
-crypto may be really complicated
3. Fetch the activation-record from activated phone
+May just be a call to AMDeviceCopyValue
-May not be saved
+Didn't someone know the dir where the activation.plist goes?
4. Try to make fake update .pkg
-We don't know where these go
-They are probably signed
here is what we can and can't do
we can start services on the phone
we can access values
we can access files in the chroot jail
we don't yet have any idea of how to run programs
we have some good ideas on how to get access to the phone e.g. via tty or ssh
we have four angles we're working right now, we'll let you know when one turns out