MobileInstallation

This is the framework that takes care of installing AppStore applications.

Signature Check
There is a check in place to make sure that only applications signed by Apple can even be put on the device, let alone run (the kernel decides whether the application can run or not). Over different iOS releases (since 2.2.1?), various hackers have patched out the signature verification so that unsigned applications can be put on the device.

The difference between MobileInstallation and kernel patches is that the former will allow unsigned IPA to be installed through iTunes, the latter will allow the application to actually execute. (Please note that piracy-related discussions are not allowed at The Apple Wiki)

3GS 3.0 patch to build and go
0x4562 -- 02 46 -> 00 20 0x856E -- 05 46 -> 00 20

Disassembly of patch
__text:33244E70            loc_33244E70                            ; CODE XREF:  _MobileInstallationInstall+C84�j __text:33244E70 00 10 A0 E3                MOV     R1, #0          ; Rd = Op2 __text:33244E74 D1 26 01 EB                BL      _MISValidateSignature ; Branch with Link __text:33244E78 00 20 50 E2                SUBS    R2, R0, #0      ; Rd = Op1 - Op2 __text:33244E7C 02 40 A0 01                MOVEQ   R4, R2          ; Rd = Op2 __text:33244E80 05 00 00 0A                BEQ     loc_33244E9C    ; Signature is valid :D __text:33244E80                                                    ; Let us go on our merry way! __text:33244E84 F0 04 9F E5                LDR     R0, =(___FUNCTION__.14568 - 0x33244E94) ; Load from Memory __text:33244E88 F0 14 9F E5                LDR     R1, =(aCouldNotValida - 0x33244E98) ; Load from Memory __text:33244E8C 00 00 8F E0                ADD     R0, PC, R0      ; "verify_executable" __text:33244E90 01 10 8F E0                ADD     R1, PC, R1      ; "Could not validate signature: %x" __text:33244E94 34 E6 FF EB                BL      _installlog     ; Branch with Link __text:33244E98 00 40 E0 E3                MVN     R4, #0          ; Uh oh. This will put -1 in R4. __text:33244E98                                                    ; This will surely impact us later on. __text:33244E98                                                    ; __text:33244E98                                                    ; As a side note, you can easily make R4 = 0. __text:33244E98                                                    ; Simply change this MVN to MOV! __text:33244E98                                                    ; __text:33244E98                                                    ; Patch in hex: __text:33244E98                                                    ; 00 40 E0 E3 (Before) __text:33244E98                                                    ; - changed to - __text:33244E98                                                    ; 00 40 EA E3 (After) __text:33244E98                                                    ; __text:33244E98                                                    ; So basically, this is what we now have: __text:33244E98                                                    ; Valid signature - R4=0 __text:33244E98                                                    ; Invalid signature - R4=-1 __text:33244E98                                                    ; Invalid signature w/ MOV patch - R4=0 __text:33244E9C __text:33244E9C            loc_33244E9C                            ; CODE XREF:  _MobileInstallationInstall+D44�j __text:33244E9C 05 00 A0 E1                MOV     R0, R5          ; Rd = Op2 __text:33244EA0 6E 26 01 EB                BL      _CFRelease      ; Branch with Link __text:33244EA4 00 00 54 E3                CMP     R4, #0          ; ohai. is R4 = 0? __text:33244EA4                                                    ; If the sig is valid, then it should be. __text:33244EA4                                                    ; If it is invalid, then it should not. __text:33244EA4                                                    ; If the above MVN is patched to MOV, then it should be __text:33244EA8 1B 04 00 0A                 BEQ     loc_33245F1C    ; Is the signature valid? __text:33244EA8                                                    ; Or to make more sense in our case: __text:33244EA8                                                    ; Is R4 really = 0? __text:33244EA8                                                    ; __text:33244EA8                                                    ; If the MVN > MOV patch is done, __text:33244EA8                                                    ; R4 will be equal to 0. __text:33244EA8                                                    ; __text:33244EA8                                                    ; So basically, what we just patched made it pass the test, __text:33244EA8                                                    ; even though the signature is not valid :P