Sniff iOS11 AppStore/itunesstored/installd traffic

PostPosted: Tue Sep 19, 2017 2:33 pm
by septium
Do I have any chance to sniff the new Apple Music-like AppStore without JB? Of course SSL is pinned and fake CA cert doesn't help.

Re: Sniff iOS11 AppStore/itunesstored/installd traffic

PostPosted: Tue Sep 19, 2017 10:50 pm
by morpheus
Since iOS 11 is not publicly jailbroken, you're in a predicament. One idea that would work is to backport the app with a private DYLD shared cache (from 11) into iOS 10.x, which is jailbroken, and then inject into it.

Re: Sniff iOS11 AppStore/itunesstored/installd traffic

PostPosted: Wed Sep 20, 2017 12:09 pm
by Wingzero
Where can we find the cache? I am stuck on this too.

Re: Sniff iOS11 AppStore/itunesstored/installd traffic

PostPosted: Wed Sep 20, 2017 1:45 pm
by Siguza
(rootFS.dmg)/System/Library/Caches/com.apple.dyld/dyld_shared_cache_arm64

Re: Sniff iOS11 AppStore/itunesstored/installd traffic

PostPosted: Wed Sep 20, 2017 10:55 pm
by Wingzero
Siguza wrote: (rootFS.dmg)/System/Library/Caches/com.apple.dyld/dyld_shared_cache_arm64

this is not published right?

Re: Sniff iOS11 AppStore/itunesstored/installd traffic

PostPosted: Thu Sep 21, 2017 11:22 am
by Siguza
Sure it is. Just grab your favourite IPSW from iOS 10 or later (or if before, make sure decryption keys exist) and the rootFS will be the largest .dmg in the IPSW (usually between 1.5 and 2.2GB). If encrypted, note that the key is not the same as a password - I suggest vfdecrypt in that case. But from iOS 10 and later you should be able to just mount it (unless it's an APFS dmg and you're on El Capitan or lower, which has no APFS support).

Alternatively, you can extract the cache from OTAs... always unencrypted and no HFS/APFS to deal with whatsoever.
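As an added illustration of the IPSW route described above (this is not Siguza's code or any tool from the thread): an IPSW is a zip, so the script below picks the largest .dmg as the rootFS, reports its size, and checks only the image's head and tail to tell an encrypted disk image (the "encrcdsa" magic, where vfdecrypt and a key are needed) from a plain UDIF image (the "koly" trailer, which can simply be mounted). The sample IPSW it builds is constructed for the demo; entry names and sizes are made up.

```python
import io
import zipfile

# Path of the cache inside the mounted root filesystem, as given in the thread.
DYLD_CACHE_PATH = "System/Library/Caches/com.apple.dyld/dyld_shared_cache_arm64"


def find_rootfs_dmg(zf):
    """Return (name, size) of the largest .dmg entry: per the thread, the rootFS."""
    dmgs = [i for i in zf.infolist() if i.filename.lower().endswith(".dmg")]
    if not dmgs:
        raise ValueError("no .dmg entries in this IPSW")
    big = max(dmgs, key=lambda i: i.file_size)
    return big.filename, big.file_size


def classify_dmg(zf, name):
    """'encrypted' (needs a key + vfdecrypt), 'udif' (plain, mountable) or 'unknown'.

    Encrypted Apple disk images start with the 'encrcdsa' magic; a plain UDIF
    image ends with a 512-byte trailer that begins with 'koly'.
    """
    info = zf.getinfo(name)
    with zf.open(info) as f:
        head = f.read(8)
        tail_len = min(512, info.file_size)
        f.seek(info.file_size - tail_len)  # ZipExtFile supports seek (Python >= 3.7)
        tail = f.read(tail_len)
    if head.startswith(b"encrcdsa"):
        return "encrypted"
    if tail[:4] == b"koly":
        return "udif"
    return "unknown"


def inspect_ipsw(path_or_bytes):
    """Summarise an IPSW: which .dmg is the rootFS, how big it is, and whether it is encrypted."""
    src = io.BytesIO(path_or_bytes) if isinstance(path_or_bytes, bytes) else path_or_bytes
    with zipfile.ZipFile(src) as zf:
        name, size = find_rootfs_dmg(zf)
        return {"rootfs": name, "size_gb": round(size / 1e9, 2),
                "kind": classify_dmg(zf, name), "dyld_cache": DYLD_CACHE_PATH}


def build_sample_ipsw(encrypted=False):
    """Constructed stand-in for an IPSW (hypothetical entry names, tiny sizes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("kernelcache.release.sample", b"\x00" * 64)
        zf.writestr("010-sample-ramdisk.dmg", b"\x00" * 256)
        root = b"encrcdsa" + b"\x00" * 1016 if encrypted else b"\x00" * 512 + b"koly" + b"\x00" * 508
        zf.writestr("040-sample-rootfs.dmg", root)
    return buf.getvalue()
```

On a real IPSW, call `inspect_ipsw("/path/to/firmware.ipsw")`; the reported size should land in the 1.5 to 2.2 GB range the post mentions.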

Re: Sniff iOS11 AppStore/itunesstored/installd traffic

PostPosted: Thu Oct 19, 2017 2:37 am
by Wingzero
Siguza wrote:Sure it is. Just grab your favourite IPSW from iOS 10 or later (or if before, make sure decryption keys exist) and the rootFS will be the largest .dmg in the IPSW (usually between 1.5 and 2.2GB). If encrypted, note that the key is not the same as a password - I suggest vfdecrypt in that case. But from iOS 10 and later you should be able to just mount it (unless it's an APFS dmg and you're on El Capitan or lower, which has no APFS support).

Alternatively, you can extract the cache from OTAs... always unencrypted and no HFS/APFS to deal with whatsoever.

Hello there, I don't get why we use the dyld cache here? Could you explain some? Or if @morpheus could help? And where do I download the OTA file? Thanks

Re: Sniff iOS11 AppStore/itunesstored/installd traffic

PostPosted: Thu Oct 19, 2017 3:11 am
by darkknight
Wingzero wrote:
Siguza wrote:Sure it is. Just grab your favourite IPSW from iOS 10 or later (or if before, make sure decryption keys exist) and the rootFS will be the largest .dmg in the IPSW (usually between 1.5 and 2.2GB). If encrypted, note that the key is not the same as a password - I suggest vfdecrypt in that case. But from iOS 10 and later you should be able to just mount it (unless it's an APFS dmg and you're on El Capitan or lower, which has no APFS support).

Alternatively, you can extract the cache from OTAs... always unencrypted and no HFS/APFS to deal with whatsoever.

Hello there, I don't get why we use the dyld cache here? Could you explain some? Or if @morpheus could help? And where do I download the OTA file? Thanks

See the iPhone wiki -> https://www.theiphonewiki.com/wiki/Firmware
OTA -> https://ipsw.me/

Re: Sniff iOS11 AppStore/itunesstored/installd traffic

PostPosted: Thu Oct 19, 2017 12:57 pm
by Wingzero
darkknight wrote:
Wingzero wrote:
Siguza wrote:Sure it is. Just grab your favourite IPSW from iOS 10 or later (or if before, make sure decryption keys exist) and the rootFS will be the largest .dmg in the IPSW (usually between 1.5 and 2.2GB). If encrypted, note that the key is not the same as a password - I suggest vfdecrypt in that case. But from iOS 10 and later you should be able to just mount it (unless it's an APFS dmg and you're on El Capitan or lower, which has no APFS support).

Alternatively, you can extract the cache from OTAs... always unencrypted and no HFS/APFS to deal with whatsoever.

Hello there, I don't get why we use the dyld cache here? Could you explain some? Or if @morpheus could help? And where do I download the OTA file? Thanks

See the iPhone wiki -> https://www.theiphonewiki.com/wiki/Firmware
OTA -> https://ipsw.me/

Thanks so much! I have downloaded the OTA of iOS 11. However, I searched through it but cannot find dyld_shared_cache?

Never mind, I found them in the full ipsw package (not signed)

Re: Sniff iOS11 AppStore/itunesstored/installd traffic

PostPosted: Thu Oct 19, 2017 2:57 pm
by Siguza
Wingzero wrote: Hello there, I don't get why we use the dyld cache here?

Uhh... because?:

Wingzero wrote: Where can we find the cache?