Skip to content

Instantly share code, notes, and snippets.

@novitae

novitae/Intercept requests from iOS 12's system.md

Last active December 14, 2022 12:37
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save novitae/1a3207098959d433d0554d77590fffd3 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save novitae/1a3207098959d433d0554d77590fffd3 to your computer and use it in GitHub Desktop.
Download ZIP
Intercept requests from iOS 12's system
Raw
Intercept requests from iOS 12's system.md

How to Intercept requests from iOS 12's system

I was trying to get the requests made by apple identity's service, and i never succeed. But here's how i finally made with the help of some people from Hack Different discord server. (This is a memo for me)

Requirements

  • MacOS
  • A jailbroken iOS 12 device (for me: iphone 6, unc0ver jailbroken -- worked with checkra1n --)
  • Wireshark
  • ssh on the device (easy to install, search by yourself how to install it on jailbroken devices)
  • sslkeylog tweak on the iphone (obtainable here, intallation tutorial here (2 paragraphs after "tutorial"))
  • Xcode's command line (xcode-select --install)
  • libimobiledevice

Tutorial

  • Create the file where you're gonna store the files we'll generate. It will be unpintest for me.
    • mkdir unpintest
    • cd unpintest
  • Make sure you don't have proxy set on the iphone's wifi setting.
  • idevicepair pair -> pair the device on the device. -> note the device id that will also show up in the terminal message (for me: 292439...8f5b34 (the ... are obviously other chars in my term)).
  • rvictl -s DEVICEID (for me rvictl -s 292439...8f5b34).
  • In order to create the sslkeylog file, run ssh root@DEVICE_IP sslkeylog | tee kl.keylog.
    • DEVICE_IP for me is 192.168.1.57.
    • You can find out the local ip of your device by going to Settings -> Wifi -> click on the i of the current wifi you're on -> The number next to IP Address is what you're searching for.
  • It will ask for the ssh password, alpine by default.
  • CTRL + C to quit the keylog. Now the keylog file has been created.
  • Open wireshark
  • In the list of devices under Capture, double click on rvi0.
  • Go to Wireshark -> Preferences -> Protocols -> TLS
  • Click on Browse next to the bar under (Pre)-MasterSecret log filename and select kl.keylog in the directory you created at the first step.
  • Ok
  • Now run again ssh root@DEVICE_IP sslkeylog | tee kl.keylog.
  • Do the action you want to unpin.
  • Once done, click on the red square in Wireshark in order to stop the capture.
  • You can stop the keydump.
  • You can now try to find the requests sent by your action. The decrypted ones are the one in green.

Do not ask me for more, it took me many weeks to find how to make this, with the help of other people. I am a noob, do not comment questions, I won't answer !!! Sources:

https://andydavies.me/blog/2019/12/12/capturing-and-decrypting-https-traffic-from-ios-apps/

https://blog.nicolas17.xyz/posts/decrypting-ios-tls-traffic.html

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment