OTA Updates

OTA Updates (Over-the-Air Updates, also know as wireless updates) were introduced with iOS 5. This allows a user of a device to go into Settings > General > Software Update and download and install the latest iOS software on-device, without the need for iTunes. The device checks an XML-based PLIST file on mesu.apple.com for updates. The updates are delivered in plain unencrypted ZIP files.

OTA Update contents
We now know three versions of OTA updates. OTA update bundle contains an Info.plist file and two folders: META-INF and AssetData. META-INF has only one file com.apple.ZipMetadata.plist which describes bundle contents.

AssetData contains three Bill-Of-Materials files (they can be viewed with lsbom and created with mkbom). pre.bom states filesystem before update, post.bom - after and payload.bom describes the patches to be applied during update process. It also contains boot folder where bootchain-related files are stored (iBoot, kernelcache, etc.), payloadv2 or payload (depends on PackageVersion value of AssetData/Info.plist file) and Info.plist file which describes the update. Info.plist file from AssetData folder contains PackageVersion field which can be 1.0, 2.0 or 3.0.

Format 1.0
These updates do not contain payload.bom file and are deprecated. These updates do not contain any .bom files.
 * archive.cpio.gz - the actual cpio patch archive (encrypted). Contains a list of BSDIFF40 patches and baseband firmware updates, if available, with the associated flashing tools (bbupdater/imeisv).
 * Info.plist.signature - asymmetric signature of Info.plist validated against /System/Library/Lockdown/iPhoneSoftwareUpdate.pem.
 * libupdate_brain.dylib - stage 2 update process library (encrypted).

Format 2.0
All updates with 2.0 package version have payload folder inside AssetData instead of archive.cpio.gz file from 1.0 updates. It contains only two folders: added folder with unencrypted files which are to be added during update process and patches folder. patches folder is used to store BSDIFF40 patches that are applied to files during update process. They can be easily applied manually with bsdiff utility. patches folder file hierarchy is similar to devices root file system (ex. patch for /sbin/launchctl will be found at AssetData/payload/patches/sbin/launchctl). AssetData also contains payload.bom.signature that replaces Info.plist.signature. payload.bom.signature is used to check payload.bom which contains CRC32 of all files inside AssetData folder.

Format 3.0
There are quite a number of changes to note between format 2.0 and 3.0. In particular, the filesystem contents are now stored in a large, proprietary archive.


 * The added folder no longer exists.
 * links.txt is just a list of strings. Strings that begin with '=' are symlink targets and following strings that begin with '+' are places where symlinks should be created.
 * patches no longer use the BSDIFF40 format; they use a modified version dubbed BXDIFF41.
 * payload and prepare_payload hold the filesystem contents in a proprietary format. As the name implies, prepare_payload is extracted first.
 * The payloadv2 folder replaces the payload folder in updates packaged in format 3.0.
 * removed.txt contains a list of files that should be removed before update starts.
 * payload.bom now contains SHA1 hashes of all files in the AssetData folder.

iOS 10.3
With iOS 10.3, Apple began to use the same "delta" package for multiple firmware versions (e.g. iOS 7.1 through 7.1.2 receive the same ZIP file).


 * An additional key called  is included in the Info.plist, which is an array of dictionaries containing information for supported versions.
 * The  and   keys of Info.plist are still strings. However, the string may contain multiple versions and build numbers, separated with semicolons.

It is otherwise the same as before.

iOS 11
iOS 11 introduced more changes to Format 3.0. (A  of 3.0 continues to be listed.)


 * The new app_patches folder handles patching of removable stock apps, such as Mail.app and iTunes Store.app.
 * patches now uses the BXDIFF50 format.

Conflicts With Jailbreaking
OTA Updates are often known to cause issues when jailbreaking a device. This became evident with evasi0n7, because most devices that were updated OTA, had to be restored with iTunes first, since the jailbreak would often fail if it was not.

While jailbroken, a device cannot install OTA updates successfully. If you try, it is likely that your device will either be stuck in a boot loop, or certain things will not work correctly. Newer jailbreaks such as evasi0n and evasi0n7 disable the OTA search daemon, which prevents the device from searching for an update (it will just stay indefinitely at "Checking for Update..."). This can also be done manually on any jailbreak, by deleting or moving /System/Library/LaunchDaemons/com.apple.mobile.softwareupdated.plist and /System/Library/LaunchDaemons/com.apple.softwareupdateservicesd.plist from your device. It can also be done with tools such as iCleaner Pro.

Accessories

 * Apple Pencil
 * Smart Keyboard

Software Update XMLs

 * Apple TV (for releases prior to iOS 6.0)
 * audioOS
 * iOS (documentation) (includes Apple TV (2nd generation) and Apple TV (3rd generation) releases after iOS 6.0)
 * tvOS
 * watchOS (documentation)
 * Accessory Software Update XMLs:
 * AirPods
 * Apple Pencil
 * Siri Remote (old)
 * Smart Keyboard
 * Other XMLs with unknown uses
 * UpdateBrain
 * IOAccessoryManager