authorGravatar Matt Colyer2008-07-29 10:13:37 -0700
committerGravatar Matt Colyer2008-07-29 10:13:37 -0700
commit3dc130f3049e250b2d5c0b48af1995fda2fad3d4 (patch)
tree9d801459ef68e83a0d4ca038c0589d8e4c8aa2b2 /src/lockdown.c
parent6039e5bbfc36aa5210295c38f251ed178ce5adbb (diff)
Autotooled the project with very basic versioning support.
Diffstat (limited to 'src/lockdown.c')
-rw-r--r--src/lockdown.c372
1 files changed, 372 insertions, 0 deletions
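diff --git a/src/lockdown.c b/src/lockdown.c
new file mode 100644
index 0000000..34a98f7
--- /dev/null
+++ b/src/lockdown.c
@@ -0,0 +1,372 @@
+/*
+ * lockdown.c -- libiphone built-in lockdownd client
+ * Written by FxChiP
+ */
+
+#include "usbmux.h"
+#include "iphone.h"
+#include "lockdown.h"
+#include <errno.h>
+#include <string.h>
+
+extern int debug;
+
+lockdownd_client *new_lockdownd_client(iPhone *phone) {
+ if (!phone) return NULL;
+ lockdownd_client *control = (lockdownd_client*)malloc(sizeof(lockdownd_client));
+ control->connection = mux_connect(phone, 0x0a00, 0xf27e);
+ if (!control->connection) {
+ free(control);
+ return NULL;
+ }
+
+ control->ssl_session = (gnutls_session_t*)malloc(sizeof(gnutls_session_t));
+ control->in_SSL = 0;
+ control->iphone = phone;
+ control->gtls_buffer_hack_len = 0;
+ return control;
+}
+
+void lockdown_close(lockdownd_client *control) {
+ if (!control) return;
+ if (control->connection) {
+ mux_close_connection(control->iphone, control->connection);
+ }
+
+ if (control->ssl_session) free(control->ssl_session);
+ free(control);
+}
+
+
+int lockdownd_recv(lockdownd_client *control, char **dump_data) {
+ char *receive;
+ uint32 datalen = 0, bytes = 0;
+
+ if (!control->in_SSL) bytes = mux_recv(control->iphone, control->connection, &datalen, sizeof(datalen));
+ else bytes = gnutls_record_recv(*control->ssl_session, &datalen, sizeof(datalen));
+ datalen = ntohl(datalen);
+
+ receive = (char*)malloc(sizeof(char) * datalen);
+ if (!control->in_SSL) bytes = mux_recv(control->iphone, control->connection, receive, datalen);
+ else bytes = gnutls_record_recv(*control->ssl_session, receive, datalen);
+ *dump_data = receive;
+ return bytes;
+}
+
+int lockdownd_send(lockdownd_client *control, char *raw_data, uint32 length) {
+ char *real_query;
+ int bytes;
+
+ real_query = (char*)malloc(sizeof(char) * (length+4));
+ length = htonl(length);
+ memcpy(real_query, &length, sizeof(length));
+ memcpy(real_query+4, raw_data, ntohl(length));
+ if (!control->in_SSL) bytes = mux_send(control->iphone, control->connection, real_query, ntohl(length)+sizeof(length));
+ else gnutls_record_send(*control->ssl_session, real_query, ntohl(length)+sizeof(length));
+ return bytes;
+}
+
+int lockdownd_hello(lockdownd_client *control) {
+ xmlDocPtr plist = new_plist();
+ xmlNode *dict, *key;
+ char **dictionary;
+ int bytes = 0, i = 0;
+
+ dict = add_child_to_plist(plist, "dict", "\n", NULL, 0);
+ key = add_key_str_dict_element(plist, dict, "Request", "QueryType", 1);
+ char *XML_content;
+ uint32 length;
+
+ xmlDocDumpMemory(plist, &XML_content, &length);
+
+ bytes = lockdownd_send(control, XML_content, length);
+
+ xmlFree(XML_content);
+ xmlFreeDoc(plist); plist = NULL;
+
+ bytes = lockdownd_recv(control, &XML_content);
+
+ plist = xmlReadMemory(XML_content, bytes, NULL, NULL, 0);
+ if (!plist) return 0;
+ dict = xmlDocGetRootElement(plist);
+ for (dict = dict->children; dict; dict = dict->next) {
+ if (!xmlStrcmp(dict->name, "dict")) break;
+ }
+ if (!dict) return 0;
+
+ dictionary = read_dict_element_strings(dict);
+ xmlFreeDoc(plist);
+ free(XML_content);
+
+ for (i = 0; strcmp(dictionary[i], ""); i+=2) {
+ if (!strcmp(dictionary[i], "Result") && !strcmp(dictionary[i+1], "Success")) {
+ free_dictionary(dictionary);
+ return 1;
+ }
+ }
+
+ free_dictionary(dictionary);
+ return 0;
+}
+
+int lockdownd_start_SSL_session(lockdownd_client *control, const char *HostID) {
+ xmlDocPtr plist = new_plist();
+ xmlNode *dict = add_child_to_plist(plist, "dict", "\n", NULL, 0);
+ xmlNode *key;
+ char *what2send = NULL, **dictionary = NULL;
+ uint32 len = 0, bytes = 0, return_me = 0, i = 0;
+ // end variables
+
+ key = add_key_str_dict_element(plist, dict, "HostID", HostID, 1);
+ if (!key) {
+ if (debug) printf("Couldn't add a key.\n");
+ xmlFreeDoc(plist);
+ return 0;
+ }
+ key = add_key_str_dict_element(plist, dict, "Request", "StartSession", 1);
+ if (!key) {
+ if (debug) printf("Couldn't add a key.\n");
+ xmlFreeDoc(plist);
+ return 0;
+ }
+
+ xmlDocDumpMemory(plist, &what2send, &len);
+ bytes = lockdownd_send(control, what2send, len);
+
+ xmlFree(what2send);
+ xmlFreeDoc(plist);
+
+ if (bytes > 0) {
+ len = lockdownd_recv(control, &what2send);
+ plist = xmlReadMemory(what2send, len, NULL, NULL, 0);
+ dict = xmlDocGetRootElement(plist);
+ for (dict = dict->children; dict; dict = dict->next) {
+ if (!xmlStrcmp(dict->name, "dict")) break;
+ }
+ dictionary = read_dict_element_strings(dict);
+ xmlFreeDoc(plist);
+ free(what2send);
+ for (i = 0; strcmp(dictionary[i], ""); i+=2) {
+ if (!strcmp(dictionary[i], "Result") && !strcmp(dictionary[i+1], "Success")) {
+ // Set up GnuTLS...
+ //gnutls_anon_client_credentials_t anoncred;
+ gnutls_certificate_credentials_t xcred;
+ if (debug) printf("We started the session OK, now trying GnuTLS\n");
+ errno = 0;
+ gnutls_global_init();
+ //gnutls_anon_allocate_client_credentials(&anoncred);
+ gnutls_certificate_allocate_credentials(&xcred);
+ gnutls_certificate_set_x509_trust_file(xcred, "hostcert.pem", GNUTLS_X509_FMT_PEM);
+ gnutls_init(control->ssl_session, GNUTLS_CLIENT);
+ {
+ int protocol_priority[16] = {GNUTLS_SSL3, 0 };
+ int kx_priority[16] = { GNUTLS_KX_ANON_DH, GNUTLS_KX_RSA, 0 };
+ int cipher_priority[16] = { GNUTLS_CIPHER_AES_128_CBC, GNUTLS_CIPHER_AES_256_CBC, 0 };
+ int mac_priority[16] = { GNUTLS_MAC_SHA1, GNUTLS_MAC_MD5, 0 };
+ int comp_priority[16] = { GNUTLS_COMP_NULL, 0 };
+
+ gnutls_cipher_set_priority(*control->ssl_session, cipher_priority);
+ gnutls_compression_set_priority(*control->ssl_session, comp_priority);
+ gnutls_kx_set_priority(*control->ssl_session, kx_priority);
+ gnutls_protocol_set_priority( *control->ssl_session, protocol_priority);
+ gnutls_mac_set_priority(*control->ssl_session, mac_priority);
+
+ }
+ gnutls_credentials_set(*control->ssl_session, GNUTLS_CRD_CERTIFICATE, xcred); // this part is killing me.
+
+ if (debug) printf("GnuTLS step 1...\n");
+ gnutls_transport_set_ptr(*control->ssl_session, (gnutls_transport_ptr_t) control);
+ if (debug) printf("GnuTLS step 2...\n");
+ gnutls_transport_set_push_function(*control->ssl_session, (gnutls_push_func)&lockdownd_secuwrite);
+ if (debug) printf("GnuTLS step 3...\n");
+ gnutls_transport_set_pull_function(*control->ssl_session, (gnutls_pull_func)&lockdownd_securead);
+ if (debug) printf("GnuTLS step 4 -- now handshaking...\n");
+
+ if (errno && debug) printf("WARN: errno says %s before handshake!\n", strerror(errno));
+ return_me = gnutls_handshake(*control->ssl_session);
+ if (debug) printf("GnuTLS handshake done...\n");
+
+ free_dictionary(dictionary);
+
+ if (return_me != GNUTLS_E_SUCCESS) {
+ if (debug) printf("GnuTLS reported something wrong.\n");
+ gnutls_perror(return_me);
+ if (debug) printf("oh.. errno says %s\n", strerror(errno));
+ return 0;
+ } else {
+ control->in_SSL = 1;
+ return 1;
+ }
+ }
+ }
+
+ if (debug) {
+ printf("Apparently failed negotiating with lockdownd.\n");
+ printf("Responding dictionary: \n");
+ for (i = 0; strcmp(dictionary[i], ""); i+=2) {
+ printf("\t%s: %s\n", dictionary[i], dictionary[i+1]);
+ }
+ }
+
+ free_dictionary(dictionary);
+ return 0;
+ } else {
+ if (debug) printf("Didn't get enough bytes.\n");
+ return 0;
+ }
+}
+
+ssize_t lockdownd_secuwrite(gnutls_transport_ptr_t transport, char *buffer, size_t length) {
+ int bytes = 0;
+ lockdownd_client *control;
+ control = (lockdownd_client*)transport;
+ if (debug) printf("lockdownd_secuwrite() called\n");
+ if (debug) printf("pre-send\nlength = %i\n", length);
+ bytes = mux_send(control->iphone, control->connection, buffer, length);
+ if (debug) printf("post-send\nsent %i bytes\n", bytes);
+ if (debug) {
+ FILE *my_ssl_packet = fopen("sslpacketwrite.out", "w+");
+ fwrite(buffer, 1, length, my_ssl_packet);
+ fflush(my_ssl_packet);
+ printf("Wrote SSL packet to drive, too.\n");
+ fclose(my_ssl_packet);
+ }
+
+ return bytes;
+}
+
+ssize_t lockdownd_securead(gnutls_transport_ptr_t transport, char *buffer, size_t length) {
+ int bytes = 0, pos_start_fill = 0;
+ char *hackhackhack = NULL;
+ lockdownd_client *control;
+ control = (lockdownd_client*)transport;
+ if (debug) printf("lockdownd_securead() called\nlength = %i\n", length);
+ // Buffering hack! Throw what we've got in our "buffer" into the stream first, then get more.
+ if (control->gtls_buffer_hack_len > 0) {
+ if (length > control->gtls_buffer_hack_len) { // If it's asking for more than we got
+ length -= control->gtls_buffer_hack_len; // Subtract what we have from their requested length
+ pos_start_fill = control->gtls_buffer_hack_len; // set the pos to start filling at
+ memcpy(buffer, control->gtls_buffer_hack, control->gtls_buffer_hack_len); // Fill their buffer partially
+ free(control->gtls_buffer_hack); // free our memory, it's not chained anymore
+ control->gtls_buffer_hack_len = 0; // we don't have a hack buffer anymore
+ if (debug) printf("Did a partial fill to help quench thirst for data\n");
+ } else if (length < control->gtls_buffer_hack_len) { // If it's asking for less...
+ control->gtls_buffer_hack_len -= length; // subtract what they're asking for
+ memcpy(buffer, control->gtls_buffer_hack, length); // fill their buffer
+ hackhackhack = (char*)malloc(sizeof(char) * control->gtls_buffer_hack_len); // strndup is NOT a good solution -- concatenates \0!!!! Anyway, make a new "hack" buffer.
+ memcpy(hackhackhack, control->gtls_buffer_hack+length, control->gtls_buffer_hack_len); // Move what's left into the new one
+ free(control->gtls_buffer_hack); // Free the old one
+ control->gtls_buffer_hack = hackhackhack; // And make it the new one.
+ hackhackhack = NULL;
+ if (debug) printf("Quenched the thirst for data; new hack length is %i\n", control->gtls_buffer_hack_len);
+ return length; // hand it over.
+ } else { // length == hack length
+ memcpy(buffer, control->gtls_buffer_hack, length); // copy our buffer into theirs
+ free(control->gtls_buffer_hack); // free our "obligation"
+ control->gtls_buffer_hack_len = 0; // free our "obligation"
+ if (debug) printf("Satiated the thirst for data; now we have to eventually receive again.\n");
+ return length; // hand it over
+ }
+ }
+ // End buffering hack!
+ char *recv_buffer = (char*)malloc(sizeof(char) * (length * 1000)); // ensuring nothing stupid happens
+
+ if (debug) printf("pre-read\nclient wants %i bytes\n", length);
+ bytes = mux_recv(control->iphone, control->connection, recv_buffer, (length * 1000));
+ if (debug) printf("post-read\nwe got %i bytes\n", bytes);
+ if (debug && bytes < 0) {
+ printf("lockdownd_securead(): uh oh\n");
+ printf("I believe what we have here is a failure to communicate... libusb says %s but strerror says %s\n", usb_strerror(), strerror(errno));
+ return bytes + 28; // an errno
+ }
+ if (bytes >= length) {
+ if (bytes > length) {
+ if (debug) printf("lockdownd_securead: Client deliberately read less data than was there; resorting to GnuTLS buffering hack.\n");
+ if (!control->gtls_buffer_hack_len) { // if there's no hack buffer yet
+ //control->gtls_buffer_hack = strndup(recv_buffer+length, bytes-length); // strndup is NOT a good solution!
+ control->gtls_buffer_hack_len += bytes-length;
+ control->gtls_buffer_hack = (char*)malloc(sizeof(char) * control->gtls_buffer_hack_len);
+ memcpy(control->gtls_buffer_hack, recv_buffer+length, control->gtls_buffer_hack_len);
+ } else { // if there is.
+ control->gtls_buffer_hack = realloc(control->gtls_buffer_hack, control->gtls_buffer_hack_len + (bytes - length));
+ memcpy(control->gtls_buffer_hack+control->gtls_buffer_hack_len, recv_buffer+length, bytes-length);
+ control->gtls_buffer_hack_len += bytes - length;
+ }
+ }
+ memcpy(buffer+pos_start_fill, recv_buffer, length);
+ free(recv_buffer);
+ if (bytes == length) { if (debug) printf("Returning how much we received.\n"); return bytes; }
+ else { if (debug) printf("Returning what they want to hear.\nHack length: %i\n", control->gtls_buffer_hack_len); return length; }
+ }
+ return bytes;
+}
+
+int lockdownd_start_service(lockdownd_client *control, const char *service) {
+ if (!control) return 0;
+ if (!control->in_SSL && !lockdownd_start_SSL_session(control, "29942970-207913891623273984")) return 0;
+
+ char *XML_query, **dictionary;
+ uint32 length, i = 0, port = 0;
+ uint8 result = 0;
+
+ xmlDocPtr plist = new_plist();
+ xmlNode *dict = add_child_to_plist(plist, "dict", "\n", NULL, 0);
+ xmlNode *key;
+ key = add_key_str_dict_element(plist, dict, "Request", "StartService", 1);
+ if (!key) { xmlFreeDoc(plist); return 0; }
+ key = add_key_str_dict_element(plist, dict, "Service", service, 1);
+ if (!key) { xmlFreeDoc(plist); return 0; }
+
+ xmlDocDumpMemory(plist, &XML_query, &length);
+
+ lockdownd_send(control, XML_query, length);
+ free(XML_query);
+
+ length = lockdownd_recv(control, &XML_query);
+
+ xmlFreeDoc(plist);
+
+ if (length <= 0) return 0;
+ else {
+ plist = xmlReadMemory(XML_query, length, NULL, NULL, 0);
+ if (!plist) return 0;
+ dict = xmlDocGetRootElement(plist);
+ if (!dict) return 0;
+ for (dict = dict->children; dict; dict = dict->next) {
+ if (!xmlStrcmp(dict->name, "dict")) break;
+ }
+
+ if (!dict) return 0;
+ dictionary = read_dict_element_strings(dict);
+
+ for (i = 0; strcmp(dictionary[i], ""); i+=2) {
+ if (debug) printf("lockdownd_start_service() dictionary %s: %s\n", dictionary[i], dictionary[i+1]);
+
+ if (!xmlStrcmp(dictionary[i], "Port")) {
+ port = atoi(dictionary[i+1]);
+ if (debug) printf("lockdownd_start_service() atoi'd port: %i\n", port);
+ }
+
+ if (!xmlStrcmp(dictionary[i], "Result")) {
+ if (!xmlStrcmp(dictionary[i+1], "Success")) {
+ result = 1;
+ }
+ }
+ }
+
+ if (debug) {
+ printf("lockdownd_start_service(): DATA RECEIVED:\n\n");
+ fwrite(XML_query, 1, length, stdout);
+ printf("end data received by lockdownd_start_service()\n");
+ }
+
+ free(XML_query);
+ xmlFreeDoc(plist);
+ free_dictionary(dictionary);
+ if (port && result) return port;
+ else return 0;
+ }
+
+ return 0;
+}
+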
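Review bot: In lockdownd_securead the only test for a failed mux_recv() sits inside `if (debug && bytes < 0)`, so with debug off a negative `bytes` reaches `if (bytes >= length)`, where the int is converted to size_t and compares as a huge value; the hack-buffer size and the memcpy lengths are then derived from `bytes-length`. The error return should not depend on the debug flag, and recv_buffer should be freed on that path. A short read (0 <= bytes < length) currently returns `bytes` without copying anything into `buffer` and without freeing recv_buffer, so GnuTLS is given a byte count for data that was never placed in its buffer. lockdownd_recv shows the same pattern: the result of the first receive is overwritten unchecked, and the peer-supplied `datalen` goes straight into malloc() and the second receive with no NULL check or upper bound. Separately, lockdownd_start_SSL_session sets `control->in_SSL = 1` directly after gnutls_handshake() with no peer-verification call such as gnutls_certificate_verify_peers2(); it is worth confirming that this is intended.

```c
	bytes = mux_recv(control->iphone, control->connection, recv_buffer, (length * 1000));
	if (bytes < 0) {
		// Fail the pull whether or not debug is set; a negative int must never be compared with size_t.
		// … unchanged: debug printf of usb_strerror() / strerror(errno) …
		free(recv_buffer);
		return -1;
	}
	if ((size_t)bytes < length) {
		// Short read: copy what actually arrived and report only bytes that are in `buffer`
		// (pos_start_fill bytes were already placed there by the partial fill above).
		memcpy(buffer+pos_start_fill, recv_buffer, bytes);
		free(recv_buffer);
		return pos_start_fill + bytes;
	}
	// … unchanged: bytes >= length handling (hack-buffer fill, copy into buffer, return) …
```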