alexhulbert / Cryogen

Recover files from iCloud Backups and Bootlooped Apple Devices
GNU General Public License v2.0

Ideas, Improvement, etc. #1

Open alexhulbert opened 11 years ago

alexhulbert commented 11 years ago

Put dat stuff here :)

GautamAgrawal commented 10 years ago

Is there any online tool to parse protobufs? I am getting a response which is not readable.

alexhulbert commented 10 years ago

If you want, I can send you a C++ file that you can import into your project and use to decrypt the protobufs. Here is how they work:

  1. use protoc --decode_raw to get the structure of the protobuf file
  2. recreate that structure (with variable names) and put it into a .proto file
  3. use protoc again to automatically create a Java, C++, etc. source file
  4. import that file and use it to parse the protobufs

I can do steps 1-3 for you, but the closest thing I know to C++ is C#, so you're on your own for that part. I'm using Java, so I can tell you what I'm doing: I'm using the "parseFrom" method from DeviceUDIDS on those bytes. From there, you can use the other classes (Backup, etc) on the other URLs. The "listFiles," so you might have some trouble when you get there.

GautamAgrawal commented 10 years ago

Thank you @Triforce1 for your help, you are a nice person. I did the same as you suggested, but I am getting some linker errors. I will resolve them. Are you able to download the backup which contains call and SMS history? Actually I want to get my calls and SMS from iCloud. As far as I know, first we have to download the backup, then we have to convert it from iTunes format. So the first step is to download them. Are you able to download?

alexhulbert commented 10 years ago

Unfortunately, I haven't been able to get the files. All I can get are these "chunk" names. I think I have to put them into "authorizeGet" to get some "authorization token" (no clue what that is). Then I have to somehow use "getFiles" to get the URL for the file. Then after I download it, I have to use the output from "getKeys" to decrypt it. Then I'm done. We've both got a lot of work on our hands :)

GautamAgrawal commented 10 years ago

Hi @Triforce1. I am able to get the backup IDs (https://p03-mobilebackup.icloud.com/mbs/1435706334 ) but it is giving a response like

It seems like these are encrypted. Please suggest the solution for this.

alexhulbert commented 10 years ago

That's the protobuf! You're on the right track. I'll upload a C++ file to include in your project. But the first thing you should do is remove that message. It contains your DsPrsID and mmeAuthToken, which can be used to get all of your contacts, data, etc. I don't think you can decode parts of that hex as they are now (because of encoding), but if someone put enough time into it, they could easily hack your account. On a much lighter note, I should have that C++ file uploaded to the "code" directory by the end of the day [EST].

GautamAgrawal commented 10 years ago

Yeah, that would be helpful for me. In that protobuf, two backup IDs were decoded. Could you please tell me the process of how they are doing that?

alexhulbert commented 10 years ago

Here's a handy table of what I've been able to do so far:

| Step # | Method | URL | Headers | Response | Comments |
|---|---|---|---|---|---|
| 1 | GET | https://setup.icloud.com/setup/authenticate/<iCloudUserName> | Authorization: "basic " + base64(iCloudUserName + ":" + iCloudPassword) | DsPrsID and mmeAuthToken | These values will be used for authentication in the next step. |
| 2 | GET | https://setup.icloud.com/setup/get_account_settings | Authorization: "basic " + base64(DsPrsID + ":" + mmeAuthToken) | Info about the user | This will return a NEW AND DIFFERENT MMEAUTHTOKEN. Use this new one instead of the one from /authenticate. It will also tell you what number should come after the "p" (partition #?) in the next URLs. |
| 3 | GET | https://p##-mobilebackup.icloud.com/mbs/<DsPrsID>/ | Authorization: "X-MobileMe-AuthToken " + base64(DsPrsID + ":" + mmeAuthToken) | A list of BackupUDIDs | Each "BackupUDID" represents a device linked with the account. Parse with the "DeviceUDIDs" class. |

Note: I will finish the Table tomorrow

GautamAgrawal commented 10 years ago

@Triforce1 Hi, I checked the backup IDs. Now I am able to get them. Before downloading the backup from Amazon or another cloud, one request is being sent to "https://p##-content.icloud.com/#######/authorizeGet " using POST. Could you please tell me what data is sent using that request? It is returning the Amazon cloud path and signature to download the data.

alexhulbert commented 10 years ago

Here's the structure for authorizeGet:

  x-apple-mmcs-auth:
  x-apple-mmcs-dataclass: com.apple.Dataclass.Backup
  x-apple-mmcs-proto-version: 3.3
  x-apple-mme-dsid:
  x-apple-request-uuid:
  x-mme-client-info:

Unfortunately, neither Jurriaan nor I knows where the value of "x-apple-mmcs-auth" comes from. However, I think it must come from somewhere in the depths of the getFiles protobufs. You'd be better off trying those first. All conversations can be continued here, since Jurriaan and I are both at the same point in iCloud decryption.

As for the table, I wasn't able to finish it with Thanksgiving and all, but I will complete it and add it to README.md on the main repo.

GautamAgrawal commented 10 years ago

Yes, this is the header format. But I want to know about the data which is being passed in this request, since it is a POST request.

alexhulbert commented 10 years ago

I have put all that I know onto ICLOUD.md in my repo. As for authorizeGet, you probably won't need that yet since you don't even have the File auth tokens (which is where I'm stuck).

EDIT: I'll get the actual body of the request and add that to the chart.

GautamAgrawal commented 10 years ago

I got stuck here: x-apple-mmcs-auth:

I got the from getFiles. But from where can I get ?

alexhulbert commented 10 years ago

But I want to know about the data which is being passed in this request since it is POST request.

For this you need to actually generate a protobuf yourself and POST that to the authorizeGet URL. This is how it should look:

message authChunk {
    required bytes chunkID = 1;
    required string authToken = 2;
}

Use that to create a protobuf and send that in the POST request.


I got stuck here : x-apple-mmcs-auth:

You're also going to need some headers to POST. "x-apple-mmcs-auth" should be in the following format:

the chunkID, followed by a space, and then the authToken


This will return a protobuf containing all the info you need to make one final HTTP request (url, headers, etc) which will download the file you need.

You might be wondering how to get the chunkID and authToken. These are given back from making a request to p##-mobilebackup.icloud.com/mbs///getFiles. You have to specify which file you want by using the output from "listFiles." In return, you should get the chunkID and authToken.

Unfortunately, I cannot reverse engineer getFiles until I get a new iPod Touch. This may take a week or two. I would recommend that you try to get "listFiles" working first, since you need info from that to make a request to getFiles and consequently authorizeGet.


EDIT: I see you forgot to escape your < and > :) Now your message makes more sense. Be sure to add a backslash before greater-than and less-than signs like \<this>. Also, HOW DID YOU GET THE GETFILES?!?! I can't figure out how to get it. Could you elaborate on the method you used? You got it before you even got listFiles too, that's amazing! Anyway, I think the ChunkID is directly from listFiles. It should be listed somewhere in the .proto file.

EDIT 2: No wonder you were confused, protobuf.proto hasn't been updated on the repo. I'll update that as soon as I can.
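The two pieces of the recipe in this thread, protoc-style raw decoding (steps 1 to 4 above) and building the authChunk message for the authorizeGet POST, as one added example in Python that is not code from the Icew1nd/Cryogen repo. It assumes only the authChunk schema quoted above (field 1 bytes chunkID, field 2 string authToken); the chunk ID and token values are constructed placeholders, not real iCloud data.

```python
# Added example (not from the Icew1nd/Cryogen repo). Hand-rolled protobuf
# wire encoding for the authChunk message described in this thread, plus a
# schema-less walk over the bytes, which is what `protoc --decode_raw` does.
# Sample chunkID/authToken values below are constructed placeholders.

def _varint(n):
    """Encode a non-negative int as a protobuf base-128 varint."""
    out = bytearray()
    while True:
        b = n & 0x7F
        n >>= 7
        out.append(b | 0x80 if n else b)   # MSB set means "more bytes follow"
        if not n:
            return bytes(out)

def _len_delimited(field_no, payload):
    """Wire type 2 (bytes / string / nested message): key, length, payload."""
    return _varint((field_no << 3) | 2) + _varint(len(payload)) + payload

def build_auth_chunk(chunk_id, auth_token):
    """Serialise: message authChunk { bytes chunkID = 1; string authToken = 2; }"""
    return _len_delimited(1, chunk_id) + _len_delimited(2, auth_token.encode("utf-8"))

def _read_varint(buf, pos):
    shift = result = 0
    while True:
        b = buf[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7

def decode_raw(buf):
    """Return [(field_no, wire_type, value), ...] without a .proto, like decode_raw."""
    fields, pos = [], 0
    while pos < len(buf):
        key, pos = _read_varint(buf, pos)
        field_no, wire_type = key >> 3, key & 7
        if wire_type == 0:                      # varint
            value, pos = _read_varint(buf, pos)
        elif wire_type == 2:                    # length-delimited
            length, pos = _read_varint(buf, pos)
            value, pos = buf[pos:pos + length], pos + length
        elif wire_type == 1:                    # 64-bit fixed
            value, pos = buf[pos:pos + 8], pos + 8
        elif wire_type == 5:                    # 32-bit fixed
            value, pos = buf[pos:pos + 4], pos + 4
        else:
            raise ValueError("unsupported wire type %d" % wire_type)
        fields.append((field_no, wire_type, value))
    return fields
```

Running decode_raw over an unknown response gives you the field numbers and wire types to copy into a .proto file (step 2), after which protoc can generate the real parser; the output of decode_raw is a raw view, not the named structure.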

alexhulbert commented 10 years ago

Sorry it took me so long. I renamed the repo from "iCEW1ND" to "Icew1nd" a little while ago and I forgot to rename it in .git/config on my local machine, so none of my commits were actually getting pushed. I should be alright now, and you can see how to use authorizeGet and listFiles. I have one question, though: how on earth did you manage to figure out how to use getFiles? Also, how did you figure out that the second part of authorizeGet came from getFiles without even knowing how listFiles worked?

PythEch commented 10 years ago

I remember that you had a problem with libimobiledevice wrapper, have you fixed that? Also I'm unsure that that app backup script creates signed ipas.

alexhulbert commented 10 years ago

I was able to get the wrapper working on Ubuntu and an old Hackintosh, but I can't seem to compile the required libraries into DLL files. Is this wrapper even Windows-compatible? I was thinking about taking the easy way out and just compiling ideviceinstaller into an exe and a Linux/Mac executable, but then I wouldn't be able to mount the "Documents" folders of each app. Any ideas on what to do? I was going to delete that old app backup script since I figured out about libimobiledevice, but I never pushed the changes. You must be the first person who actually understands how this part of the project works :)

EDIT: Actually, I also need to be able to backup (but not restore) ipas through SSH. How can I do that without unsigning the ipa?

GautamAgrawal commented 10 years ago

I downloaded the SMS db but it is encrypted. How can I decrypt that? Is there any key I get to decrypt it in any request?

alexhulbert commented 10 years ago

Wait... How on earth did you do that?!?! Anyway, the keys can be retrieved by making a GET request to p##-mobilebackup.icloud.com/mbs///getKeys (I think). They seem to be a "Keybag." I'm just wondering, though: how did you manage to figure out getFiles?

GautamAgrawal commented 10 years ago

I downloaded the backup in which I am getting the 3 AES keys to decrypt the data. Like if the data is 28672 bytes long and 3 AES keys are coming, then I need to form the chunks from that. Can you please tell me how to do that?

alexhulbert commented 10 years ago

I'm still trying to figure out how to get the file authentication tokens. Until I do that, I can't test anything out. I can't help you at the moment, but as soon as I figure out what to POST to http://p##-mobilebackup.icloud.com/mbs///getKeys, I can download the encrypted chunks. Then, I can reverse engineer and pick apart the response from getKeys. That's the final step. How did you download the backup? Did you do it with Phone Password Breaker, or did you just capture them using Fiddler?

PythEch commented 10 years ago

Ok so fine, if I get it working in one of my favorite languages, I'll tell you how to do it, it shouldn't be too hard. Chinese people even found multiple holes to install cracked apps on stock iOS. So why can't we install signed apps?

Let's celebrate evasi0n 7!

vipinbeni commented 10 years ago

@GautamAgrawal I want to do the same thing (download the iCloud backup file and convert it into iTunes backup format) in C++. Could you help me please? How did you do it? Please tell me the process of how we can do it in C++.

alexhulbert commented 10 years ago

Most of the people involved with Icew1nd in one way or another are watching all the issues on this repo. Please try not to put the same comment on multiple issues. It's a pet peeve of mine. :3.

(See my response on issue #3)