While looking at traffic generated by iOS 8, I noticed that the request iOS uses to figure out if the current WLAN network it is connected to the internet had changed.
I remembered it looked like this:
GET /library/test/success.html
Host: www.apple.com
Connection: close
User-Agent: CaptiveNetworkSupport-209.39 wispr
But now I noticed different requests, like
GET /PNLQhvxZ/xuysvIAF/UlBMhXpM/96j7W4OI.html
Host: www.itools.info
Connection: close
User-Agent: CaptiveNetworkSupport-305 wispr
The response still looked the same:
Content-Type: text/html
Content-Length: 68
Date: Sun, 19 Oct 2014 19:25:07 GMT
Connection: close
<HTML><HEAD><TITLE>Success</TITLE></HEAD><BODY>Success</BODY></HTML>
What I noticed:
- a different hostname
- a completely different URL.
- that URL looks like something is encoded in it.
Experimenting some more, shows the URLS can vary in size:
- http://www.appleiphonecell.com/FE4wVnGTi2/30ev47IPHa/qtuSz4qyEI/1beCBLubOk/6mx7wEuwWu.html
- http://www.itools.info/pyvurkyw66kGkxv/JlP1AFh6NWlGmpZ/j5zaznQRiEOmLwI/lDon4e4tyMHFq4G/f4F6JosojEbdgIP.html
- http://www.thinkdifferent.us/5L0tz1uQdrOVw/O49xGuWJm2Nbs/9YE97WN6LvlcJ/GcWCBwrllfhgF.html
- http://www.thinkdifferent.us/ZyXweLwP5qj/gorlJSJPHq7/9WuiyO2xMjP.html
- http://www.thinkdifferent.us/btszR5bVqi/PXZzhbyy4u.html
- http://www.thinkdifferent.us/wMIv3CYrmP9GaP2/mHe77eYERri8O5h/NZ57XszWkZ0UM6B/leyDEyX21DQGRDe/6LHJqcf1lAOUPB1.html
So I look for the binary which has the User-Agent CaptiveNetworkSupport
string in it, in an unpacked ios8 rom.
I start by unzipping an OTA update for iOS8.0 for the iPhone5,2
, this con be found in 93525b725ad90a65cd43f93d298fccdce3e3d1bc.zip, as noted below.
Unzipping this file and searching where I would find the CaptiveNetworkSupport
string, I ended up with these possible targets:
- AssetData/payload/replace/System/Library/Caches/com.apple.dyld/dyld_shared_cache_armv7s
- AssetData/payload/replace/System/Library/SystemConfiguration/CaptiveNetworkSupport.bundle/CaptiveNetworkSupport
- AssetData/payload/replace/usr/libexec/configd
The dyld_shared_cache
file is really large, too large for IDA to handle, and needs to be split in its constituents.
There is a tool named dyld_decache which can do this for you.
Inside the dyld file we find this file:
- System/Library/PrivateFrameworks/CaptiveNetwork.framework/CaptiveNetwork
CaptiveNetworkSupport
CaptiveNetworkSupport
seemed most interesting.
One thing that stood out, is that at some point handling wispr_login_async
, the following form fields are used
at some point:
OriginatingServer=http://copyfight.corante.com/
button=Login
FNAME=0
Hmm … googling copyfight and corante, these guys don’t exactly seem to be on friendly terms with apple. Then why is apple using their URL when loggin in to wifi hotspots?
Capturing the request
Capturing plaintext requests like this is easy:
- open SystemPreferences -> Sharing
- configure InternetSharing to share your ethernet connecting with people using WiFi.
- set a password and network name in
Wifi-Options
- enable
- run tcpdump ( or wireshark) either on your wifi or your ethernet interface.
- connect your phone to your new wifi network.
Obtaining iOS 8 binaries
Apple releases iOS software in two formats:
Full upgrade, as .ipsw files, These contain the full operating system, but are unfortunately encrypted. Links to the ipsw files can be found in http://itunes.com/version
OTA upgrade, as .zip files. These often contain only patches, but occasionally, probably when the diff is too large, contain a full unencrypted image of the operating system. Links to the OTA files can be found in com_apple_MobileAsset_SoftwareUpdate.xml. Theiphonewiki keeps track of changes to this file.
For this article I use the iOS8.0 OTA update for the iPhone5,2, as found in 93525b725ad90a65cd43f93d298fccdce3e3d1bc.zip.