
How to make the in-wifi cache service take effect #1

Open
deadash opened this issue Apr 12, 2022 · 3 comments

Comments


deadash commented Apr 12, 2022

When I use the cache service now, it only takes effect when sharing Wi-Fi over the USB connection; other devices on the same network cannot use it.

The Frida interception always errors out and fails to register the local device. Is it stable when you use it?

I can help with some reverse engineering.

deadash (Author) commented May 13, 2022

With some hard work on the reversing, I've managed to register the device on Linux.

The idea is roughly as follows:

  1. Find the session and register functions.
  2. The session function obtains some system information from the Mac; a fixed string can be returned directly by patching it. Then the byte content of cert.cer is passed in and the session generation function is executed, which yields bytes of size 0x152 (partly generated by arc4random) and a Class-like pointer.
  3. After sending the above bytes to Apple as base64, a cookie is returned. Then generate the JSON of the device information to be registered plus the cookie and pass it into the register function together with the above pointer (the first parameter); it returns the signed byte stream, and sending that to Apple as base64 registers the device successfully.

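The two-round-trip flow described in the comment above, as an added example that is not part of the issue or of deadash/apple_cache. The real session and register functions are Apple's reverse-engineered native code and are not reproduced here; they are injected as callables, and the `fake_session`, `fake_register` and `FakeApple` stand-ins (HMAC over a nonce-derived key, a constructed `cert.cer` byte string, the JSON field names `name`/`os`) exist only so the exchange can be driven offline. The client itself only does what the steps describe: check the 0x152-byte session blob, base64 it to the server, get a cookie, sign the device JSON plus cookie, and base64 the signed bytes back.

```python
"""Client-side driver for the session -> cookie -> signed-register exchange.

Added example, not the project's code. Native session/register functions are
injected; the stand-ins at the bottom are constructed for an offline run.
"""
import base64
import hashlib
import hmac
import json
import os
from typing import Callable, Dict, Tuple

SESSION_BLOB_LEN = 0x152                 # size of the session bytes reported in the issue
NONCE_LEN = 32                           # stand-in only: random prefix of the blob
TAG_LEN = hashlib.sha256().digest_size   # stand-in only: HMAC-SHA256 tag length

SessionFn = Callable[[bytes], Tuple[bytes, object]]   # cert bytes -> (blob, opaque ctx)
RegisterFn = Callable[[object, bytes], bytes]         # (ctx, json bytes) -> signed bytes
SendFn = Callable[[str, str], Dict[str, str]]         # (endpoint, base64) -> reply


class RegistrationClient:
    """Drives the two base64 round trips; knows nothing about the signing itself."""

    def __init__(self, make_session: SessionFn, sign_register: RegisterFn, send: SendFn):
        self._make_session = make_session
        self._sign_register = sign_register
        self._send = send

    def register(self, cert_der: bytes, device_info: Dict[str, str]) -> Dict[str, str]:
        blob, ctx = self._make_session(cert_der)
        # Cheap sanity check before anything leaves the host.
        if len(blob) != SESSION_BLOB_LEN:
            raise ValueError(f"session blob is {len(blob)} bytes, expected {SESSION_BLOB_LEN}")
        reply = self._send("session", base64.b64encode(blob).decode("ascii"))
        cookie = reply["cookie"]
        # Device JSON plus cookie is what gets signed; fixed serialisation so the
        # bytes that are signed are exactly the bytes that are sent.
        body = json.dumps({**device_info, "cookie": cookie}, sort_keys=True,
                          separators=(",", ":")).encode("utf-8")
        signed = self._sign_register(ctx, body)
        return self._send("register", base64.b64encode(signed).decode("ascii"))


# ---- constructed stand-ins so the flow runs offline (not Apple's algorithm) ----

def _derive_key(cert_der: bytes, nonce: bytes) -> bytes:
    return hashlib.sha256(cert_der + nonce).digest()


def fake_session(cert_der: bytes) -> Tuple[bytes, Dict[str, bytes]]:
    """Stand-in for the native session function: random nonce plus padding, and an
    opaque context (the role of the 'Class-like pointer') that carries the key."""
    nonce = os.urandom(NONCE_LEN)
    blob = nonce + b"\x00" * (SESSION_BLOB_LEN - NONCE_LEN)
    return blob, {"key": _derive_key(cert_der, nonce)}


def fake_register(ctx: Dict[str, bytes], body: bytes) -> bytes:
    """Stand-in for the native register function: body || HMAC-SHA256(key, body)."""
    return body + hmac.new(ctx["key"], body, hashlib.sha256).digest()


class FakeApple:
    """Server side of the exchange, just enough to verify the stand-in signatures."""

    def __init__(self, cert_der: bytes):
        self._cert = cert_der
        self._cookies: Dict[str, bytes] = {}

    def handle(self, endpoint: str, b64: str) -> Dict[str, str]:
        data = base64.b64decode(b64, validate=True)
        if endpoint == "session":
            if len(data) != SESSION_BLOB_LEN:
                return {"status": "bad-session"}
            cookie = base64.b64encode(os.urandom(16)).decode("ascii")
            self._cookies[cookie] = _derive_key(self._cert, data[:NONCE_LEN])
            return {"status": "ok", "cookie": cookie}
        if endpoint == "register":
            body, tag = data[:-TAG_LEN], data[-TAG_LEN:]
            try:
                cookie = json.loads(body)["cookie"]
            except (ValueError, KeyError, TypeError):
                return {"status": "bad-body"}
            key = self._cookies.pop(cookie, None)      # cookie is single use
            if key is None:
                return {"status": "unknown-cookie"}
            expected = hmac.new(key, body, hashlib.sha256).digest()
            if not hmac.compare_digest(tag, expected):
                return {"status": "bad-signature"}
            return {"status": "ok", "device": json.loads(body)["name"]}
        return {"status": "unknown-endpoint"}


def run_demo(device_name: str = "linux-cache-01") -> Dict[str, str]:
    cert = b"constructed stand-in for cert.cer, not a real certificate"
    apple = FakeApple(cert)
    client = RegistrationClient(fake_session, fake_register, apple.handle)
    return client.register(cert, {"name": device_name, "os": "linux"})


if __name__ == "__main__":
    print(run_demo())
```

To use this against the real functions, replace `fake_session` and `fake_register` with wrappers around the native (or emulated) session and register calls and `apple.handle` with an HTTP client; the length check and the fixed JSON serialisation are the two things worth keeping, since a blob of the wrong size or a re-serialised body is the usual reason a "signed" registration is rejected.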
@deadash deadash closed this as completed May 13, 2022
@deadash deadash reopened this Oct 25, 2023
deadash (Author) commented Oct 25, 2023

After giving it some thought, I've decided to publicly release the related signature algorithms. As you mentioned, they were reverse-engineered to implement Methods 1, 2, and 3. I've successfully implemented Method 1 and 2, meaning you can call them natively or through emulation (suitable for any architecture and environment). You can find the repository at the following address:
https://github.com/deadash/apple_cache

In the future, the focus may shift towards converting the algorithms to LLVM-IR through emulation to obtain the complete algorithms. While I don't currently have the bandwidth to undertake this, thanks to the plethora of LLVM IR plugins available in Rust, it should be fairly straightforward to accomplish in the future.

azenla (Owner) commented Oct 25, 2023

That's awesome! I've been very busy the last few years, so I haven't had a chance to take a look at this issue before now.

Thanks for continuing the work!
