Click here to Skip to main content
Click here to Skip to main content
Go to top

Non-Standard Way to Get Inaccessible Data from iOS

, 15 Jul 2013
Rate this:
Please Sign up or sign in to vote.
Interesting ways to pick up sensitive information in iOS.

Sample Image

Introduction

In the wake of my speech at Positive Hack Days, I would like to share information I got exploring a daemon configd on iOS 6 MACH. As you know, iOS gives little information about Wi-Fi connection status. Basically, the Public API allows getting SSID, BSSID, adapter network settings, and that's all. And what about encryption mode? Signal power? You can look under the cut for more information on how to get such data without Private API and jail breaking.

Now I must apologize for posting so many source codes. To begin with, let us recall how it was earlier, in iOS 5.*. Then you could use Apple System Log facility to get the system messages that are displayed when connecting to a network. The encryption mode and signal power data appeared in the messages. And you could get them this way:

aslmsg asl, message;
aslresponse searchResult;
int i;
const char *key, *val;
NSMutableArray *result_dicts = [NSMutableArray array];

asl = asl_new(ASL_TYPE_QUERY);
if (!asl)
{
    DDLogCError(@"Failed creating ASL query");
}
asl_set_query(asl, "Sender", "kernel", ASL_QUERY_OP_EQUAL);
asl_set_query(asl, "Message", "AppleBCMWLAN Joined BSS:", 
              ASL_QUERY_OP_PREFIX|ASL_QUERY_OP_EQUAL);
searchResult = asl_search(NULL, asl);
while (NULL != (message = aslresponse_next(searchResult)))
{
    NSMutableDictionary *tmpDict = [NSMutableDictionary dictionary];
    
    for (i = 0; (NULL != (key = asl_key(message, i))); i++)
    {
        NSString *keyString = [NSString stringWithUTF8String:(char *)key];
        
        val = asl_get(message, key);
        
        NSString *string = [NSString stringWithUTF8String:val];
        [tmpDict setObject:string forKey:keyString];
    }
    [result_dicts addObject:tmpDict];
}
aslresponse_free(searchResult);
asl_free(asl);

But, as Apple usually does, the company closed access to system messages in ASL once it knew about them. So we had to find a new way to get these data. The question was stated differently: how can you get these data in Mac OS and iOS?

First of all, you can use scutil, which allows getting the system configuration data including the information we need. Testing jailbroken iPhone on iOS 6 proved that the tool works quite well. For me it was a clue, and I started to look for a way to reach SystemConfiguration on iOS.

It was as simple as pie: SystemConfiguration.framework. It allows connecting to Mac OS value storage and getting a property list, which includes wireless network data.

However, when you look at the header files of the library, you will get upset: using the required method is restricted.

CFPropertyListRef
SCDynamicStoreCopyValue			(
                    SCDynamicStoreRef		store,
                    CFStringRef			key
                    )				__OSX_AVAILABLE_STARTING(__MAC_10_1,__IPHONE_NA);

First, make sure that the method is functional.

void *handle = dlopen("/System/Library/Frameworks/SystemConfiguration.framework/SystemConfiguration", RTLD_LAZY);
CFArrayRef (*_SCDynamicStoreCopyKeyList)(int store, CFStringRef pattern) = dlsym(handle, "SCDynamicStoreCopyKeyList");

NSLog(@"Lib handle: %u", handle);



NSString *key = @"State:/Network/Global/DNS";

CFArrayRef testarrray =  _SCDynamicStoreCopyKeyList(0, CFSTR("State:/Network/Interface/en0/AirPort"));
NSLog(@"Tested array res: %@", testarrray);

Everything's fine. The result returns. So there are no blocks, only formal Apple's restrictions, which won't allow passing validation in the App Store. Anyway, why don't we write a piece of the library by our own? The source code was easy to be found: it was a part of the daemon configd. The most interesting stuff begins when reading the description of SCDynamicStoreCopyValue.

#include "config.h"		/* MiG generated file */

...

/* send the key & fetch the associated data from the server */
status = configget(storePrivate->server,
       myKeyRef,
       myKeyLen,
       &xmlDataRef,
       (int *)&xmlDataLen,
       &newInstance,
       (int *)&sc_status);

OK. A request is passed to the file generated using MACH Interface Generator. We have the description in MIG in the file located nearby.

routine configget	(	server		: mach_port_t;
                key		: xmlData;
             out	data		: xmlDataOut, dealloc;
             out	newInstance	: int;
             out	status		: int);

Now you have two options — the way of a common person and the way of the Jedi. You can run mig on the file config.defs and get the codes to be entered into the project. But unfortunately we did not discover the file during the research so we have to do some reverse engineering Smile | :) However, Dmitry Sklyarov did show his Jedi skills and managed to restore the process of sending the request to the MACH port, configd. So the method was completely restored.

#define kMachPortConfigd "com.apple.SystemConfiguration.configd"

-(NSDictionary *)getSCdata:(NSString *)key
{
 
    if(SYSTEM_VERSION_LESS_THAN(@"6.0"))
    {
        // It does not work on iOS 5.*
        return nil;
    }
    
    struct send_body {mach_msg_header_t header; int count; UInt8 *addr; CFIndex size0; 
      int flags; NDR_record_t ndr; CFIndex size; int retB; int rcB; int f24; int f28;};

    mach_port_t bootstrapport = MACH_PORT_NULL;
    mach_port_t configport = MACH_PORT_NULL;
    mach_msg_header_t *msg;
    mach_msg_return_t msg_return;
    struct send_body send_msg;
    // Make request
    CFDataRef  extRepr;
    extRepr = CFStringCreateExternalRepresentation(NULL, 
      (__bridge CFStringRef)(key), kCFStringEncodingUTF8, 0);
    
    // Connect to Mach MIG port of configd
    task_get_bootstrap_port(mach_task_self(), &bootstrapport);
    bootstrap_look_up2(bootstrapport, kMachPortConfigd, &configport, 0, 8LL);
    // Make request
    
    send_msg.count = 1;
    send_msg.addr = (UInt8*)CFDataGetBytePtr(extRepr);
    send_msg.size0 = CFDataGetLength(extRepr);
    send_msg.size = CFDataGetLength(extRepr);
    send_msg.flags = 0x1000100u;
    send_msg.ndr = NDR_record;
     
    // Make message header
    
    msg = &(send_msg.header);
    msg->msgh_bits = 0x80001513u;
    msg->msgh_remote_port = configport;
    msg->msgh_local_port = mig_get_reply_port();
    msg->msgh_id = 20010;
    // Request server
    msg_return = mach_msg(msg, 3, 0x34u, 0x44u, msg->msgh_local_port, 0, 0);
    if(msg_return)
    {
        if (msg_return - 0x10000002u >= 2 && msg_return != 0x10000010 )
        {
            mig_dealloc_reply_port(msg->msgh_local_port);
        }
        else
        {
            mig_put_reply_port(msg->msgh_local_port);
        }
    }
    else if ( msg->msgh_id != 71 && msg->msgh_id == 20110 && msg->msgh_bits <= -1 )
    {
        if ((send_msg.flags & 0xFF000000) == 0x1000000)
        {
            CFDataRef deserializedData = CFDataCreateWithBytesNoCopy(kCFAllocatorDefault, 
              send_msg.addr,send_msg.size0, kCFAllocatorNull);
            CFPropertyListRef proplist = CFPropertyListCreateWithData(kCFAllocatorDefault, 
              deserializedData, kCFPropertyListImmutable, NULL, NULL);
            mig_dealloc_reply_port(msg->msgh_local_port);
            mach_port_deallocate(mach_task_self(), bootstrapport);
            mach_port_deallocate(mach_task_self(), configport);
            mach_msg_destroy(msg);
            NSDictionary *property_list = (__bridge NSDictionary*)proplist;
            if(proplist)
                CFRelease(proplist);
            CFRelease(deserializedData);
            CFRelease(extRepr);
            return property_list;
        }
    }
    mig_dealloc_reply_port(msg->msgh_local_port);
    mach_port_deallocate(mach_task_self(), bootstrapport);
    mach_port_deallocate(mach_task_self(), configport);
    mach_msg_destroy(msg);
    CFRelease(extRepr);
    return nil;
}

The data we needed was located in the key @«Setup:/Network/Interface/en0/AirPort».

So we have implemented the part SystemConfiguration.framework on our own and got the data without jail-breaking and the illegal use of libraries. The interesting thing is that there are more than 100 open MACH ports with various names in iOS 6. I guess it sets the stage for researches. Unfortunately, for the time being I cannot say whether such code can be used in the App Store, but it is worth trying anyway.

Thanks for your attention.

License

This article, along with any associated source code and files, is licensed under The GNU General Public License (GPLv3)

Share

About the Author

Kirill Ermakov

United States United States
No Biography provided

Comments and Discussions

 
GeneralMy vote of 5 PinmemberMember 884486025-Jul-13 0:54 

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Rant Rant    Admin Admin   

Use Ctrl+Left/Right to switch messages, Ctrl+Up/Down to switch threads, Ctrl+Shift+Left/Right to switch pages.

| Advertise | Privacy | Mobile
Web01 | 2.8.140916.1 | Last Updated 15 Jul 2013
Article Copyright 2013 by Kirill Ermakov
Everything else Copyright © CodeProject, 1999-2014
Terms of Service
Layout: fixed | fluid