search

patjak / facetimehd-firmware

FacetimeHD firmware download and extraction tool
GNU General Public License v2.0
87 stars 29 forks source link

Disable curl silent mode, enable insecure connections #6

Closed maurolacy closed 3 years ago

maurolacy commented 3 years ago

Fix curl silently failing (outdated certs).

Support insecure connections, so firmware is downloaded anyway.

patjak commented 3 years ago

Thanks for the patch. I wonder if this will have any security implications that we care about? Perhaps we've already lost by trusting Apple with the firmware in the first place? What do you think?

maurolacy commented 3 years ago

Thanks for the patch. I wonder if this will have any security implications that we care about? Perhaps we've already lost by trusting Apple with the firmware in the first place? What do you think?

What we have to evaluate is if trusting Apple is better that trusting a malicious third party... mmm :-).

In any case, if you decide to remove the -k, please remove the -s too. Silent mode is not a good idea... it took me hours to realise there was a problem with the certs. The silent failure made me manually download the full archive using the browser, and start fiddling with the various compression and encapsulation formats... I learned a bit about Apple's twisted formats, but I must say that it wasn't a very useful or productive use of my time.

The way you managed to bypass all those silly encapsulations and just download, extract and convert the relevant part is impressive, by the way.

patjak commented 3 years ago

Thanks for the patch. I wonder if this will have any security implications that we care about? Perhaps we've already lost by trusting Apple with the firmware in the first place? What do you think?

What we have to evaluate is if trusting Apple is better that trusting a malicious third party... mmm :-).

In any case, if you decide to remove the -k, please remove the -s too. Silent mode is not a good idea... it took me hours to realise there was a problem with the certs. The silent failure made me manually download the full archive using the browser, and start fiddling with the various compression and encapsulation formats... I learned a bit about Apple's twisted formats, but I must say that it's wasn't a very useful or productive use of my time.

The way you managed to bypass all those silly encapsulations and just download, extract and convert the relevant part is impressive, by the way.

That was not my idea. I'm equally impressed :)

I'll merge this. Thanks!