Patch Over Network

From AwkwardTV

Project Goal

An alternative approach to "hacking" the Apple TV without opening the case. This method would use the built-in Apple software updater to install custom hacks and patches.
Even when the USB method is successful (and that would still be awesome), this method may be better because it would allow server-based updates on an ongoing basis without creating a whole new updating system.

Making this a reality with DNS/HOSTS, IIS/Apache

Furthermore, deployment and scalability can be incorporated and images can be deployed very simply.

We can trick the Apple TV to download our patched image by using the HOSTS file or a DNS server which redirects mesu.apple.com to an IP on our LAN or an update server. This would be done by creating an A record.

The advantage of using DNS over HOSTS is that the Apple TV unit does not need a modified hosts file, which requires SSH or hard drive access. Therefore, it is easier for the end user.

Therefore, we can install the Windows DNS server on a box, and add IIS. We can create a new website, setting our host header value to http://mesu.apple.com (not required, but if you're running multiple sites on one IP).

Next we will need to add to our website, a version.xml file and a modified update in the form of a DMG. To gain an insight into the structure of these two files, see the known info which is listed below.

Once this is done, the user can change the DNS Settings IP Address to that of the nameserver, which is probably hosting the update on a webserver too.

We're a couple of points off though:

- We need to gain a more comprehensive form of the version.xml structure.
- We need to be able to create a custom DMG file that has a patch.

We also need to consider how realistic this is. It is realistic if we have a hosted DNS server downloading the DMG off of a server, but not if the home user is expected to manage this on their LAN.

--Sam 17:30, 18 June 2009 (CEST)

Known Info

When "Update Software" is selected from the settings menu, this file is requested: http://mesu.apple.com/version.xml .

From 2007-04-03 until 2007-06-19 there were no software updates and the file contained the following...

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
</dict>
</plist>

By adding mesu.apple.com to the hosts file to point to a local web server, we are able to modify this file and make the AppleTV unit download the modified file.

When downloading this file, the following is recorded by syslog...

Apr  3 20:38:47 appletv.local AppleTV FrontRow[113]: T:[0x193fa00] UPD: update check starting
Apr  3 20:38:47 appletv.local AppleTV FrontRow[113]: UPD: checking version info at http://mesu.apple.com/version.xml.
Apr  3 20:38:48 appletv.local AppleTV FrontRow[113]: T:[0x193fa00] downloading file http://mesu.apple.com/version.xml
Apr  3 20:38:48 appletv.local AppleTV FrontRow[113]: finished downloading file http://mesu.apple.com/version.xml
Apr  3 20:38:48 appletv.local AppleTV FrontRow[113]: VERS: comparing OS 10.4.7 with (null)
Apr  3 20:38:49 appletv.local AppleTV FrontRow[113]: VERS: comparing OS build 8N5107 with (null)
Apr  3 20:38:49 appletv.local AppleTV FrontRow[113]: UPD: versions available: OS:(null)/(null) EFI:(null) IR:(null) SI:(null)/(null) valid:1
Apr  3 20:38:49 appletv.local AppleTV FrontRow[113]: T:[0x193fa00] UPD: updating check complete

It seems to be looking for OS, build, EFI, IR, and SI version numbers in the XML file. If the format of this XML file can be determined, it would be possible to have the AppleTV unit download and install patched versions of the OS automatically.


On 2007-06-20 Apple rolled out their first software update to add the YouTube functionality. The file at http://mesu.apple.com/version.xml now contains:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>OS</key>
	<dict>
		<key>BuildVersion</key>
		<string>8N5239</string>
		<key>UpdateURL</key>
		<string>http://mesu.apple.com/data/OS/061-2988.20070620.bHy75/2Z694-5248-45.dmg</string>
		<key>Version</key>
		<string>10.4.7</string>
	</dict>
</dict>
</plist>

We can see that the update is keyed with "OS", presumably because it is a general Operating System update. It also details the BuildVersion, Version and most importantly the UpdateURL, which points to a disk image .dmg file. The file in question appears to be 179 MB and presumably is the only file the AppleTV needs to update itself with the new functionality. I have made no attempt to analyse the disk image.

Attempting to point a web browser to http://mesu.apple.com/data/OS/061-2988.20070620.bHy75/2Z694-5248-45.dmg results in a Service Unavailable message. However, the disk image may be downloaded for analysis using curl: "curl http://mesu.apple.com/data/OS/061-2988.20070620.bHy75/2Z694-5248-45.dmg > atv.dmg". (Update: IE6 on Windows XP is able to download the image too. Update 2: the Safari Beta 3.0.2 on Mac OS X 10.4.10 can download the image by just clicking the link too.) At first glance, this image seems to contain a slimmed-down OS install to boot and patch the Apple TV.

From the syslog above we see:

Apr  3 20:38:48 appletv.local AppleTV FrontRow[113]: VERS: comparing OS 10.4.7 with (null)
Apr  3 20:38:49 appletv.local AppleTV FrontRow[113]: VERS: comparing OS build 8N5107 with (null)

The first line is comparing "10.4.7" with "null". We can see in the new version.xml file that the key "Version" has the string "10.4.7".

The second line is comparing "8N5107" with "null". Again, from the version.xml we see that the key "BuildVersion" has the string "8N5239".

It appears that in the syslog we are seeing the output of a check to ensure the update applied is a later version than the current system.

Prior to downloading the disk image, AppleTV downloads a signature file (http://mesu.apple.com/data/OS/061-2988.20070620.bHy75/2Z694-5248-45.dmg.signature for the 20 June 2007 update). Next, the disk image is downloaded and presumably its signature is compared with the downloaded one.
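
The manifest handling described above, as an added example (not code from the original page or from Apple): it parses version.xml with Python's plistlib, repeats the build comparison seen in the syslog, derives the .signature URL and lists what the device has to trust. The build-string ordering, the function names and the trusted_host parameter are assumptions made for illustration.

```python
import plistlib
import re
from urllib.parse import urlsplit

HEADER = b'<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0">\n'
# Manifest published on 2007-06-20 (values copied from the page, layout compacted).
SAMPLE_UPDATE = HEADER + b"""<dict>
	<key>OS</key>
	<dict>
		<key>BuildVersion</key><string>8N5239</string>
		<key>UpdateURL</key>
		<string>http://mesu.apple.com/data/OS/061-2988.20070620.bHy75/2Z694-5248-45.dmg</string>
		<key>Version</key><string>10.4.7</string>
	</dict>
</dict></plist>"""
# Empty manifest served while no update was available.
SAMPLE_EMPTY = HEADER + b"<dict></dict></plist>"


def build_key(build):
    """Split a build string such as 8N5239 into a sortable tuple.
    Assumption: major number, train letter, build number, optional suffix."""
    m = re.fullmatch(r"(\d+)([A-Z])(\d+)([a-z]?)", build)
    if m is None:
        raise ValueError(f"unrecognised build string: {build!r}")
    return int(m[1]), m[2], int(m[3]), m[4]


def audit_manifest(raw, current_build, trusted_host="mesu.apple.com"):
    """Return what the manifest offers and what the client must trust."""
    os_entry = plistlib.loads(raw).get("OS")
    if not os_entry:  # empty <dict/>: the "(null)" case in the syslog
        return {"offered": None, "newer": False, "findings": []}
    url = urlsplit(os_entry["UpdateURL"])
    findings = []
    if url.scheme != "https":
        findings.append("cleartext transport: integrity rests on the signature check")
    if url.hostname != trusted_host:
        findings.append(f"image hosted on unexpected host {url.hostname}")
    return {
        "offered": os_entry["BuildVersion"],
        "version": os_entry["Version"],
        "newer": build_key(os_entry["BuildVersion"]) > build_key(current_build),
        "signature_url": os_entry["UpdateURL"] + ".signature",
        "findings": findings,
    }


if __name__ == "__main__":
    print(audit_manifest(SAMPLE_EMPTY, "8N5107"))
    print(audit_manifest(SAMPLE_UPDATE, "8N5107"))
```

Because both the manifest and the image URL travel over plain HTTP, whoever answers DNS for the manifest host decides what is offered; the detached signature is the only control left between that answer and the installed image.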

The next step is to record the syslog when someone applies this software update to their AppleTV.

Software Update in MacOS X

"Real" Mac OS X connects to swscan.apple.com

wget http://swscan.apple.com/content/catalogs/index-1.sucatalog

(It seems that modifying user-agent is not necessary)

It is possible that AppleTV software update expects a similar xml catalogue.
