diff options
Diffstat (limited to 'src/lockdown.c')
| -rw-r--r-- | src/lockdown.c | 372 |
1 files changed, 372 insertions, 0 deletions
diff --git a/src/lockdown.c b/src/lockdown.c new file mode 100644 index 0000000..34a98f7 --- /dev/null +++ b/src/lockdown.c | |||
| @@ -0,0 +1,372 @@ | |||
| 1 | /* | ||
| 2 | * lockdown.c -- libiphone built-in lockdownd client | ||
| 3 | * Written by FxChiP | ||
| 4 | */ | ||
| 5 | |||
| 6 | #include "usbmux.h" | ||
| 7 | #include "iphone.h" | ||
| 8 | #include "lockdown.h" | ||
| 9 | #include <errno.h> | ||
| 10 | #include <string.h> | ||
| 11 | |||
| 12 | extern int debug; | ||
| 13 | |||
| 14 | lockdownd_client *new_lockdownd_client(iPhone *phone) { | ||
| 15 | if (!phone) return NULL; | ||
| 16 | lockdownd_client *control = (lockdownd_client*)malloc(sizeof(lockdownd_client)); | ||
| 17 | control->connection = mux_connect(phone, 0x0a00, 0xf27e); | ||
| 18 | if (!control->connection) { | ||
| 19 | free(control); | ||
| 20 | return NULL; | ||
| 21 | } | ||
| 22 | |||
| 23 | control->ssl_session = (gnutls_session_t*)malloc(sizeof(gnutls_session_t)); | ||
| 24 | control->in_SSL = 0; | ||
| 25 | control->iphone = phone; | ||
| 26 | control->gtls_buffer_hack_len = 0; | ||
| 27 | return control; | ||
| 28 | } | ||
| 29 | |||
| 30 | void lockdown_close(lockdownd_client *control) { | ||
| 31 | if (!control) return; | ||
| 32 | if (control->connection) { | ||
| 33 | mux_close_connection(control->iphone, control->connection); | ||
| 34 | } | ||
| 35 | |||
| 36 | if (control->ssl_session) free(control->ssl_session); | ||
| 37 | free(control); | ||
| 38 | } | ||
| 39 | |||
| 40 | |||
| 41 | int lockdownd_recv(lockdownd_client *control, char **dump_data) { | ||
| 42 | char *receive; | ||
| 43 | uint32 datalen = 0, bytes = 0; | ||
| 44 | |||
| 45 | if (!control->in_SSL) bytes = mux_recv(control->iphone, control->connection, &datalen, sizeof(datalen)); | ||
| 46 | else bytes = gnutls_record_recv(*control->ssl_session, &datalen, sizeof(datalen)); | ||
| 47 | datalen = ntohl(datalen); | ||
| 48 | |||
| 49 | receive = (char*)malloc(sizeof(char) * datalen); | ||
| 50 | if (!control->in_SSL) bytes = mux_recv(control->iphone, control->connection, receive, datalen); | ||
| 51 | else bytes = gnutls_record_recv(*control->ssl_session, receive, datalen); | ||
| 52 | *dump_data = receive; | ||
| 53 | return bytes; | ||
| 54 | } | ||
| 55 | |||
| 56 | int lockdownd_send(lockdownd_client *control, char *raw_data, uint32 length) { | ||
| 57 | char *real_query; | ||
| 58 | int bytes; | ||
| 59 | |||
| 60 | real_query = (char*)malloc(sizeof(char) * (length+4)); | ||
| 61 | length = htonl(length); | ||
| 62 | memcpy(real_query, &length, sizeof(length)); | ||
| 63 | memcpy(real_query+4, raw_data, ntohl(length)); | ||
| 64 | if (!control->in_SSL) bytes = mux_send(control->iphone, control->connection, real_query, ntohl(length)+sizeof(length)); | ||
| 65 | else gnutls_record_send(*control->ssl_session, real_query, ntohl(length)+sizeof(length)); | ||
| 66 | return bytes; | ||
| 67 | } | ||
| 68 | |||
| 69 | int lockdownd_hello(lockdownd_client *control) { | ||
| 70 | xmlDocPtr plist = new_plist(); | ||
| 71 | xmlNode *dict, *key; | ||
| 72 | char **dictionary; | ||
| 73 | int bytes = 0, i = 0; | ||
| 74 | |||
| 75 | dict = add_child_to_plist(plist, "dict", "\n", NULL, 0); | ||
| 76 | key = add_key_str_dict_element(plist, dict, "Request", "QueryType", 1); | ||
| 77 | char *XML_content; | ||
| 78 | uint32 length; | ||
| 79 | |||
| 80 | xmlDocDumpMemory(plist, &XML_content, &length); | ||
| 81 | |||
| 82 | bytes = lockdownd_send(control, XML_content, length); | ||
| 83 | |||
| 84 | xmlFree(XML_content); | ||
| 85 | xmlFreeDoc(plist); plist = NULL; | ||
| 86 | |||
| 87 | bytes = lockdownd_recv(control, &XML_content); | ||
| 88 | |||
| 89 | plist = xmlReadMemory(XML_content, bytes, NULL, NULL, 0); | ||
| 90 | if (!plist) return 0; | ||
| 91 | dict = xmlDocGetRootElement(plist); | ||
| 92 | for (dict = dict->children; dict; dict = dict->next) { | ||
| 93 | if (!xmlStrcmp(dict->name, "dict")) break; | ||
| 94 | } | ||
| 95 | if (!dict) return 0; | ||
| 96 | |||
| 97 | dictionary = read_dict_element_strings(dict); | ||
| 98 | xmlFreeDoc(plist); | ||
| 99 | free(XML_content); | ||
| 100 | |||
| 101 | for (i = 0; strcmp(dictionary[i], ""); i+=2) { | ||
| 102 | if (!strcmp(dictionary[i], "Result") && !strcmp(dictionary[i+1], "Success")) { | ||
| 103 | free_dictionary(dictionary); | ||
| 104 | return 1; | ||
| 105 | } | ||
| 106 | } | ||
| 107 | |||
| 108 | free_dictionary(dictionary); | ||
| 109 | return 0; | ||
| 110 | } | ||
| 111 | |||
| 112 | int lockdownd_start_SSL_session(lockdownd_client *control, const char *HostID) { | ||
| 113 | xmlDocPtr plist = new_plist(); | ||
| 114 | xmlNode *dict = add_child_to_plist(plist, "dict", "\n", NULL, 0); | ||
| 115 | xmlNode *key; | ||
| 116 | char *what2send = NULL, **dictionary = NULL; | ||
| 117 | uint32 len = 0, bytes = 0, return_me = 0, i = 0; | ||
| 118 | // end variables | ||
| 119 | |||
| 120 | key = add_key_str_dict_element(plist, dict, "HostID", HostID, 1); | ||
| 121 | if (!key) { | ||
| 122 | if (debug) printf("Couldn't add a key.\n"); | ||
| 123 | xmlFreeDoc(plist); | ||
| 124 | return 0; | ||
| 125 | } | ||
| 126 | key = add_key_str_dict_element(plist, dict, "Request", "StartSession", 1); | ||
| 127 | if (!key) { | ||
| 128 | if (debug) printf("Couldn't add a key.\n"); | ||
| 129 | xmlFreeDoc(plist); | ||
| 130 | return 0; | ||
| 131 | } | ||
| 132 | |||
| 133 | xmlDocDumpMemory(plist, &what2send, &len); | ||
| 134 | bytes = lockdownd_send(control, what2send, len); | ||
| 135 | |||
| 136 | xmlFree(what2send); | ||
| 137 | xmlFreeDoc(plist); | ||
| 138 | |||
| 139 | if (bytes > 0) { | ||
| 140 | len = lockdownd_recv(control, &what2send); | ||
| 141 | plist = xmlReadMemory(what2send, len, NULL, NULL, 0); | ||
| 142 | dict = xmlDocGetRootElement(plist); | ||
| 143 | for (dict = dict->children; dict; dict = dict->next) { | ||
| 144 | if (!xmlStrcmp(dict->name, "dict")) break; | ||
| 145 | } | ||
| 146 | dictionary = read_dict_element_strings(dict); | ||
| 147 | xmlFreeDoc(plist); | ||
| 148 | free(what2send); | ||
| 149 | for (i = 0; strcmp(dictionary[i], ""); i+=2) { | ||
| 150 | if (!strcmp(dictionary[i], "Result") && !strcmp(dictionary[i+1], "Success")) { | ||
| 151 | // Set up GnuTLS... | ||
| 152 | //gnutls_anon_client_credentials_t anoncred; | ||
| 153 | gnutls_certificate_credentials_t xcred; | ||
| 154 | if (debug) printf("We started the session OK, now trying GnuTLS\n"); | ||
| 155 | errno = 0; | ||
| 156 | gnutls_global_init(); | ||
| 157 | //gnutls_anon_allocate_client_credentials(&anoncred); | ||
| 158 | gnutls_certificate_allocate_credentials(&xcred); | ||
| 159 | gnutls_certificate_set_x509_trust_file(xcred, "hostcert.pem", GNUTLS_X509_FMT_PEM); | ||
| 160 | gnutls_init(control->ssl_session, GNUTLS_CLIENT); | ||
| 161 | { | ||
| 162 | int protocol_priority[16] = {GNUTLS_SSL3, 0 }; | ||
| 163 | int kx_priority[16] = { GNUTLS_KX_ANON_DH, GNUTLS_KX_RSA, 0 }; | ||
| 164 | int cipher_priority[16] = { GNUTLS_CIPHER_AES_128_CBC, GNUTLS_CIPHER_AES_256_CBC, 0 }; | ||
| 165 | int mac_priority[16] = { GNUTLS_MAC_SHA1, GNUTLS_MAC_MD5, 0 }; | ||
| 166 | int comp_priority[16] = { GNUTLS_COMP_NULL, 0 }; | ||
| 167 | |||
| 168 | gnutls_cipher_set_priority(*control->ssl_session, cipher_priority); | ||
| 169 | gnutls_compression_set_priority(*control->ssl_session, comp_priority); | ||
| 170 | gnutls_kx_set_priority(*control->ssl_session, kx_priority); | ||
| 171 | gnutls_protocol_set_priority( *control->ssl_session, protocol_priority); | ||
| 172 | gnutls_mac_set_priority(*control->ssl_session, mac_priority); | ||
| 173 | |||
| 174 | } | ||
| 175 | gnutls_credentials_set(*control->ssl_session, GNUTLS_CRD_CERTIFICATE, xcred); // this part is killing me. | ||
| 176 | |||
| 177 | if (debug) printf("GnuTLS step 1...\n"); | ||
| 178 | gnutls_transport_set_ptr(*control->ssl_session, (gnutls_transport_ptr_t) control); | ||
| 179 | if (debug) printf("GnuTLS step 2...\n"); | ||
| 180 | gnutls_transport_set_push_function(*control->ssl_session, (gnutls_push_func)&lockdownd_secuwrite); | ||
| 181 | if (debug) printf("GnuTLS step 3...\n"); | ||
| 182 | gnutls_transport_set_pull_function(*control->ssl_session, (gnutls_pull_func)&lockdownd_securead); | ||
| 183 | if (debug) printf("GnuTLS step 4 -- now handshaking...\n"); | ||
| 184 | |||
| 185 | if (errno && debug) printf("WARN: errno says %s before handshake!\n", strerror(errno)); | ||
| 186 | return_me = gnutls_handshake(*control->ssl_session); | ||
| 187 | if (debug) printf("GnuTLS handshake done...\n"); | ||
| 188 | |||
| 189 | free_dictionary(dictionary); | ||
| 190 | |||
| 191 | if (return_me != GNUTLS_E_SUCCESS) { | ||
| 192 | if (debug) printf("GnuTLS reported something wrong.\n"); | ||
| 193 | gnutls_perror(return_me); | ||
| 194 | if (debug) printf("oh.. errno says %s\n", strerror(errno)); | ||
| 195 | return 0; | ||
| 196 | } else { | ||
| 197 | control->in_SSL = 1; | ||
| 198 | return 1; | ||
| 199 | } | ||
| 200 | } | ||
| 201 | } | ||
| 202 | |||
| 203 | if (debug) { | ||
| 204 | printf("Apparently failed negotiating with lockdownd.\n"); | ||
| 205 | printf("Responding dictionary: \n"); | ||
| 206 | for (i = 0; strcmp(dictionary[i], ""); i+=2) { | ||
| 207 | printf("\t%s: %s\n", dictionary[i], dictionary[i+1]); | ||
| 208 | } | ||
| 209 | } | ||
| 210 | |||
| 211 | free_dictionary(dictionary); | ||
| 212 | return 0; | ||
| 213 | } else { | ||
| 214 | if (debug) printf("Didn't get enough bytes.\n"); | ||
| 215 | return 0; | ||
| 216 | } | ||
| 217 | } | ||
| 218 | |||
| 219 | ssize_t lockdownd_secuwrite(gnutls_transport_ptr_t transport, char *buffer, size_t length) { | ||
| 220 | int bytes = 0; | ||
| 221 | lockdownd_client *control; | ||
| 222 | control = (lockdownd_client*)transport; | ||
| 223 | if (debug) printf("lockdownd_secuwrite() called\n"); | ||
| 224 | if (debug) printf("pre-send\nlength = %i\n", length); | ||
| 225 | bytes = mux_send(control->iphone, control->connection, buffer, length); | ||
| 226 | if (debug) printf("post-send\nsent %i bytes\n", bytes); | ||
| 227 | if (debug) { | ||
| 228 | FILE *my_ssl_packet = fopen("sslpacketwrite.out", "w+"); | ||
| 229 | fwrite(buffer, 1, length, my_ssl_packet); | ||
| 230 | fflush(my_ssl_packet); | ||
| 231 | printf("Wrote SSL packet to drive, too.\n"); | ||
| 232 | fclose(my_ssl_packet); | ||
| 233 | } | ||
| 234 | |||
| 235 | return bytes; | ||
| 236 | } | ||
| 237 | |||
| 238 | ssize_t lockdownd_securead(gnutls_transport_ptr_t transport, char *buffer, size_t length) { | ||
| 239 | int bytes = 0, pos_start_fill = 0; | ||
| 240 | char *hackhackhack = NULL; | ||
| 241 | lockdownd_client *control; | ||
| 242 | control = (lockdownd_client*)transport; | ||
| 243 | if (debug) printf("lockdownd_securead() called\nlength = %i\n", length); | ||
| 244 | // Buffering hack! Throw what we've got in our "buffer" into the stream first, then get more. | ||
| 245 | if (control->gtls_buffer_hack_len > 0) { | ||
| 246 | if (length > control->gtls_buffer_hack_len) { // If it's asking for more than we got | ||
| 247 | length -= control->gtls_buffer_hack_len; // Subtract what we have from their requested length | ||
| 248 | pos_start_fill = control->gtls_buffer_hack_len; // set the pos to start filling at | ||
| 249 | memcpy(buffer, control->gtls_buffer_hack, control->gtls_buffer_hack_len); // Fill their buffer partially | ||
| 250 | free(control->gtls_buffer_hack); // free our memory, it's not chained anymore | ||
| 251 | control->gtls_buffer_hack_len = 0; // we don't have a hack buffer anymore | ||
| 252 | if (debug) printf("Did a partial fill to help quench thirst for data\n"); | ||
| 253 | } else if (length < control->gtls_buffer_hack_len) { // If it's asking for less... | ||
| 254 | control->gtls_buffer_hack_len -= length; // subtract what they're asking for | ||
| 255 | memcpy(buffer, control->gtls_buffer_hack, length); // fill their buffer | ||
| 256 | hackhackhack = (char*)malloc(sizeof(char) * control->gtls_buffer_hack_len); // strndup is NOT a good solution -- concatenates \0!!!! Anyway, make a new "hack" buffer. | ||
| 257 | memcpy(hackhackhack, control->gtls_buffer_hack+length, control->gtls_buffer_hack_len); // Move what's left into the new one | ||
| 258 | free(control->gtls_buffer_hack); // Free the old one | ||
| 259 | control->gtls_buffer_hack = hackhackhack; // And make it the new one. | ||
| 260 | hackhackhack = NULL; | ||
| 261 | if (debug) printf("Quenched the thirst for data; new hack length is %i\n", control->gtls_buffer_hack_len); | ||
| 262 | return length; // hand it over. | ||
| 263 | } else { // length == hack length | ||
| 264 | memcpy(buffer, control->gtls_buffer_hack, length); // copy our buffer into theirs | ||
| 265 | free(control->gtls_buffer_hack); // free our "obligation" | ||
| 266 | control->gtls_buffer_hack_len = 0; // free our "obligation" | ||
| 267 | if (debug) printf("Satiated the thirst for data; now we have to eventually receive again.\n"); | ||
| 268 | return length; // hand it over | ||
| 269 | } | ||
| 270 | } | ||
| 271 | // End buffering hack! | ||
| 272 | char *recv_buffer = (char*)malloc(sizeof(char) * (length * 1000)); // ensuring nothing stupid happens | ||
| 273 | |||
| 274 | if (debug) printf("pre-read\nclient wants %i bytes\n", length); | ||
| 275 | bytes = mux_recv(control->iphone, control->connection, recv_buffer, (length * 1000)); | ||
| 276 | if (debug) printf("post-read\nwe got %i bytes\n", bytes); | ||
| 277 | if (debug && bytes < 0) { | ||
| 278 | printf("lockdownd_securead(): uh oh\n"); | ||
| 279 | printf("I believe what we have here is a failure to communicate... libusb says %s but strerror says %s\n", usb_strerror(), strerror(errno)); | ||
| 280 | return bytes + 28; // an errno | ||
| 281 | } | ||
| 282 | if (bytes >= length) { | ||
| 283 | if (bytes > length) { | ||
| 284 | if (debug) printf("lockdownd_securead: Client deliberately read less data than was there; resorting to GnuTLS buffering hack.\n"); | ||
| 285 | if (!control->gtls_buffer_hack_len) { // if there's no hack buffer yet | ||
| 286 | //control->gtls_buffer_hack = strndup(recv_buffer+length, bytes-length); // strndup is NOT a good solution! | ||
| 287 | control->gtls_buffer_hack_len += bytes-length; | ||
| 288 | control->gtls_buffer_hack = (char*)malloc(sizeof(char) * control->gtls_buffer_hack_len); | ||
| 289 | memcpy(control->gtls_buffer_hack, recv_buffer+length, control->gtls_buffer_hack_len); | ||
| 290 | } else { // if there is. | ||
| 291 | control->gtls_buffer_hack = realloc(control->gtls_buffer_hack, control->gtls_buffer_hack_len + (bytes - length)); | ||
| 292 | memcpy(control->gtls_buffer_hack+control->gtls_buffer_hack_len, recv_buffer+length, bytes-length); | ||
| 293 | control->gtls_buffer_hack_len += bytes - length; | ||
| 294 | } | ||
| 295 | } | ||
| 296 | memcpy(buffer+pos_start_fill, recv_buffer, length); | ||
| 297 | free(recv_buffer); | ||
| 298 | if (bytes == length) { if (debug) printf("Returning how much we received.\n"); return bytes; } | ||
| 299 | else { if (debug) printf("Returning what they want to hear.\nHack length: %i\n", control->gtls_buffer_hack_len); return length; } | ||
| 300 | } | ||
| 301 | return bytes; | ||
| 302 | } | ||
| 303 | |||
| 304 | int lockdownd_start_service(lockdownd_client *control, const char *service) { | ||
| 305 | if (!control) return 0; | ||
| 306 | if (!control->in_SSL && !lockdownd_start_SSL_session(control, "29942970-207913891623273984")) return 0; | ||
| 307 | |||
| 308 | char *XML_query, **dictionary; | ||
| 309 | uint32 length, i = 0, port = 0; | ||
| 310 | uint8 result = 0; | ||
| 311 | |||
| 312 | xmlDocPtr plist = new_plist(); | ||
| 313 | xmlNode *dict = add_child_to_plist(plist, "dict", "\n", NULL, 0); | ||
| 314 | xmlNode *key; | ||
| 315 | key = add_key_str_dict_element(plist, dict, "Request", "StartService", 1); | ||
| 316 | if (!key) { xmlFreeDoc(plist); return 0; } | ||
| 317 | key = add_key_str_dict_element(plist, dict, "Service", service, 1); | ||
| 318 | if (!key) { xmlFreeDoc(plist); return 0; } | ||
| 319 | |||
| 320 | xmlDocDumpMemory(plist, &XML_query, &length); | ||
| 321 | |||
| 322 | lockdownd_send(control, XML_query, length); | ||
| 323 | free(XML_query); | ||
| 324 | |||
| 325 | length = lockdownd_recv(control, &XML_query); | ||
| 326 | |||
| 327 | xmlFreeDoc(plist); | ||
| 328 | |||
| 329 | if (length <= 0) return 0; | ||
| 330 | else { | ||
| 331 | plist = xmlReadMemory(XML_query, length, NULL, NULL, 0); | ||
| 332 | if (!plist) return 0; | ||
| 333 | dict = xmlDocGetRootElement(plist); | ||
| 334 | if (!dict) return 0; | ||
| 335 | for (dict = dict->children; dict; dict = dict->next) { | ||
| 336 | if (!xmlStrcmp(dict->name, "dict")) break; | ||
| 337 | } | ||
| 338 | |||
| 339 | if (!dict) return 0; | ||
| 340 | dictionary = read_dict_element_strings(dict); | ||
| 341 | |||
| 342 | for (i = 0; strcmp(dictionary[i], ""); i+=2) { | ||
| 343 | if (debug) printf("lockdownd_start_service() dictionary %s: %s\n", dictionary[i], dictionary[i+1]); | ||
| 344 | |||
| 345 | if (!xmlStrcmp(dictionary[i], "Port")) { | ||
| 346 | port = atoi(dictionary[i+1]); | ||
| 347 | if (debug) printf("lockdownd_start_service() atoi'd port: %i\n", port); | ||
| 348 | } | ||
| 349 | |||
| 350 | if (!xmlStrcmp(dictionary[i], "Result")) { | ||
| 351 | if (!xmlStrcmp(dictionary[i+1], "Success")) { | ||
| 352 | result = 1; | ||
| 353 | } | ||
| 354 | } | ||
| 355 | } | ||
| 356 | |||
| 357 | if (debug) { | ||
| 358 | printf("lockdownd_start_service(): DATA RECEIVED:\n\n"); | ||
| 359 | fwrite(XML_query, 1, length, stdout); | ||
| 360 | printf("end data received by lockdownd_start_service()\n"); | ||
| 361 | } | ||
| 362 | |||
| 363 | free(XML_query); | ||
| 364 | xmlFreeDoc(plist); | ||
| 365 | free_dictionary(dictionary); | ||
| 366 | if (port && result) return port; | ||
| 367 | else return 0; | ||
| 368 | } | ||
| 369 | |||
| 370 | return 0; | ||
| 371 | } | ||
| 372 | |||
