While looking at traffic generated by iOS 8, I noticed that the request iOS uses to figure out whether the WLAN network it is currently connected to actually reaches the internet had changed. I remembered it looking like this:
    GET /library/test/success.html
    Host: www.apple.com
    Connection: close
    User-Agent: CaptiveNetworkSupport-209.39 wispr
But now I noticed different requests, like
    GET /PNLQhvxZ/xuysvIAF/UlBMhXpM/96j7W4OI.html
    Host: www.itools.info
    Connection: close
    User-Agent: CaptiveNetworkSupport-305 wispr
The response still looked the same:
    Content-Type: text/html
    Content-Length: 68
    Date: Sun, 19 Oct 2014 19:25:07 GMT
    Connection: close

    <HTML><HEAD><TITLE>Success</TITLE></HEAD><BODY>Success</BODY></HTML>
What I noticed:
- a different hostname
- a completely different URL
- that URL looks like something is encoded in it
Experimenting some more shows that the URLs can vary in size:
So I look for the binary which has the User-Agent string CaptiveNetworkSupport in it, in an unpacked iOS 8 ROM.
I start by unzipping an OTA update for iOS 8.0 for the iPhone5,2; this can be found in 93525b725ad90a65cd43f93d298fccdce3e3d1bc.zip, as noted below.
Unzipping this file and searching for where I would find the CaptiveNetworkSupport string, I ended up with these possible targets:
The dyld_shared_cache file is really large, too large for IDA to handle, and needs to be split into its constituent libraries.
There is a tool named dyld_decache which can do this for you.
Inside the dyld file we find this file:
CaptiveNetworkSupport seemed most interesting.
One thing that stood out is that, at some point while handling wispr_login_async, the following form fields are used:
    OriginatingServer=http://copyfight.corante.com/
    button=Login
    FNAME=0
Hmm ... googling copyfight and corante, these guys don't exactly seem to be on friendly terms with Apple. Then why is Apple using their URL when logging in to WiFi hotspots?
Capturing the request
Capturing plaintext requests like this is easy:
* open System Preferences -> Sharing
* configure Internet Sharing to share your ethernet connection with people using WiFi.
* set a password and network name in
* run tcpdump (or wireshark) on either your WiFi or your ethernet interface.
* connect your phone to your new WiFi network.
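Once the probe has been captured this way, the request and response quoted at the top of the post can be checked mechanically. The following Python is an added example, not code from the post or from Apple: it parses a raw HTTP probe, tells the old fixed www.apple.com form apart from the randomized iOS 8 form, and flags a reply that is not the canonical "Success" page, which is the signal that a captive portal sits between the phone and the internet. The sample bytes are constructed from the quoted captures (with a status line added), the portal reply is hypothetical, and the assumption that randomized paths are variable-length alphanumeric segments ending in .html is the author's reading of the post, not a documented format.

```python
import re
from typing import Optional

# Constructed samples modelled on the captures quoted in the post (status line added; not real traffic).
PROBE_OLD = (b"GET /library/test/success.html HTTP/1.1\r\nHost: www.apple.com\r\n"
             b"Connection: close\r\nUser-Agent: CaptiveNetworkSupport-209.39 wispr\r\n\r\n")
PROBE_NEW = (b"GET /PNLQhvxZ/xuysvIAF/UlBMhXpM/96j7W4OI.html HTTP/1.1\r\n"
             b"Host: www.itools.info\r\nConnection: close\r\n"
             b"User-Agent: CaptiveNetworkSupport-305 wispr\r\n\r\n")
RESP_OK = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 68\r\n"
           b"Connection: close\r\n\r\n"
           b"<HTML><HEAD><TITLE>Success</TITLE></HEAD><BODY>Success</BODY></HTML>")
# Hypothetical reply from a captive portal that answers the probe itself (constructed, not from the post).
RESP_PORTAL = b"HTTP/1.1 302 Found\r\nLocation: http://portal.example/login\r\n\r\n"

EXPECTED_BODY = b"<HTML><HEAD><TITLE>Success</TITLE></HEAD><BODY>Success</BODY></HTML>"
# Assumption: randomized probe paths are alphanumeric segments of varying count and length, ending in .html.
RANDOM_PATH = re.compile(r"^(/[A-Za-z0-9]{4,16})+\.html$")


def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.1 request into method, path, host and user-agent."""
    head = raw.partition(b"\r\n\r\n")[0].decode("ascii", "replace")
    lines = head.split("\r\n")
    method, path = lines[0].split(" ", 2)[:2]
    hdrs = {k.strip().lower(): v.strip()
            for k, v in (ln.split(":", 1) for ln in lines[1:] if ":" in ln)}
    return {"method": method, "path": path,
            "host": hdrs.get("host", ""), "ua": hdrs.get("user-agent", "")}


def classify_probe(raw: bytes) -> Optional[str]:
    """'fixed' for the old www.apple.com probe, 'randomized' for the iOS 8 style,
    'other' for a CaptiveNetworkSupport request of unexpected shape, None for non-probe traffic."""
    r = parse_request(raw)
    if r["method"] != "GET" or not r["ua"].startswith("CaptiveNetworkSupport-"):
        return None
    if r["host"] == "www.apple.com" and r["path"] == "/library/test/success.html":
        return "fixed"
    return "randomized" if RANDOM_PATH.match(r["path"]) else "other"


def probe_intercepted(raw_response: bytes) -> bool:
    """True when the reply is not the canonical 200 'Success' page, i.e. something on the
    network (typically a captive portal) answered in place of the probed host."""
    head, _, body = raw_response.partition(b"\r\n\r\n")
    status = head.split(b"\r\n", 1)[0]
    return not (status.startswith(b"HTTP/1.1 200") and body.strip() == EXPECTED_BODY)


if __name__ == "__main__":
    for name, probe in (("old", PROBE_OLD), ("new", PROBE_NEW)):
        print(name, classify_probe(probe))
    print("intercepted:", probe_intercepted(RESP_OK), probe_intercepted(RESP_PORTAL))
```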
Obtaining iOS 8 binaries
Apple releases iOS software in two formats:
Full upgrades, as .ipsw files. These contain the full operating system, but are unfortunately encrypted. Links to the ipsw files can be found at http://itunes.com/version
OTA upgrades, as .zip files. These often contain only patches, but occasionally, probably when the diff would be too large, they contain a full unencrypted image of the operating system. Links to the OTA files can be found in com_apple_MobileAsset_SoftwareUpdate.xml. Theiphonewiki keeps track of changes to this file.
For this article I use the iOS 8.0 OTA update for the iPhone5,2, as found in 93525b725ad90a65cd43f93d298fccdce3e3d1bc.zip.