azenla / AppleCache

Apple Content Cache Reverse Engineering
MIT License
123 stars, 15 forks

How to make the in-wifi cache service take effect #1

Open deadash opened 2 years ago

deadash commented 2 years ago

When I use the cache service now, it only takes effect when the Wi-Fi connection is shared over USB; other devices on the same network cannot use it.

The Frida interception always errors out and fails to register the local device. Is it stable when you use it?

I can help with some reverse engineering.

deadash commented 2 years ago

With some hard work on the reverse engineering, I've managed to register the device on Linux.

The idea is roughly as follows:

  1. Find the session and register functions.
  2. The session function obtains some system information from the Mac; it can be patched to return a fixed string directly. Then the byte content of cert.cer is passed in to execute the session-generation function, which yields 0x152 bytes (partly generated by arc4random) and a Class-like pointer.
  3. After sending the above bytes to Apple as base64, a cookie is returned. Then generate the JSON of the device information to be registered plus the cookie and pass it into the register function together with the above pointer (the first parameter); it returns the signed byte stream, which can be sent to Apple as base64 to complete the registration.

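
The three steps above, as an added orchestration example in Python. This is not code from this issue, from deadash's apple_cache repository, or from AppleCache itself: the two native functions are not callable from Python, so `NativeHooks` is a hypothetical interface that a Frida script or an emulator would fill in, `FakeAppleSide` is a constructed stand-in for the registration service (the real endpoints, cookie format and JSON field names are not given in the thread), and the HMAC-based "signature" inside the fakes is only there so the exchange can run offline and the check on the server side is meaningful. What the block does show is the data flow the comment describes: cert bytes in, a 0x152-byte session blob (validated for length) out, base64 to the service, cookie back, device-info JSON plus cookie signed by the register function, base64 to the service again.

```python
import base64
import hashlib
import hmac
import json
import os
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

SESSION_BLOB_LEN = 0x152  # size of the session bytes reported in the thread
TAG_LEN = 32              # length of the fake signature tag (assumption of this example)


@dataclass
class NativeHooks:
    """Wrappers around the two native functions, to be supplied by Frida or an emulator.
    Names and signatures are hypothetical; only the data flow mirrors the thread."""
    make_session: Callable[[bytes], Tuple[bytes, object]]   # cert bytes -> (blob, ctx pointer)
    sign_register: Callable[[object, bytes], bytes]          # (ctx pointer, json bytes) -> signed stream


def b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


class FakeAppleSide:
    """Constructed stand-in for the registration service (not the real one).
    Issues a cookie per session blob and accepts a registration only if it echoes an
    issued cookie and carries a valid tag over the JSON payload."""

    def __init__(self, cert: bytes) -> None:
        self._cookie_key = os.urandom(32)
        self._device_key = hashlib.sha256(cert).digest()  # shared with fake_hooks below
        self._issued: Dict[str, bytes] = {}

    def send_session(self, blob_b64: str) -> str:
        blob = base64.b64decode(blob_b64, validate=True)
        if len(blob) != SESSION_BLOB_LEN:
            raise ValueError("bad session blob length")
        cookie = hmac.new(self._cookie_key, blob, hashlib.sha256).hexdigest()
        self._issued[cookie] = blob
        return cookie

    def send_register(self, signed_b64: str) -> bool:
        signed = base64.b64decode(signed_b64, validate=True)
        payload, tag = signed[:-TAG_LEN], signed[-TAG_LEN:]
        expected = hmac.new(self._device_key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False
        return json.loads(payload).get("cookie") in self._issued


def fake_hooks(cert: bytes) -> NativeHooks:
    """Python stand-ins for the native session/register functions (constructed)."""
    def make_session(cert_bytes: bytes) -> Tuple[bytes, object]:
        fixed = hashlib.sha256(cert_bytes).digest()            # plays the patched, fixed system-info part
        blob = fixed + os.urandom(SESSION_BLOB_LEN - len(fixed))  # plays the arc4random-filled part
        ctx = hashlib.sha256(cert_bytes).digest()              # plays the Class-like pointer
        return blob, ctx

    def sign_register(ctx: object, payload: bytes) -> bytes:
        return payload + hmac.new(ctx, payload, hashlib.sha256).digest()

    return NativeHooks(make_session, sign_register)


def build_register_payload(device_info: dict, cookie: str) -> bytes:
    """Device-info JSON plus the cookie; field names are whatever the caller supplies."""
    payload = dict(device_info)
    payload["cookie"] = cookie
    return json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()


def register_device(hooks: NativeHooks, service, cert: bytes, device_info: dict) -> bool:
    """Steps 2 and 3 of the thread: session blob -> cookie -> signed registration."""
    blob, ctx = hooks.make_session(cert)
    if len(blob) != SESSION_BLOB_LEN:
        raise ValueError(f"expected {SESSION_BLOB_LEN:#x} session bytes, got {len(blob):#x}")
    cookie = service.send_session(b64(blob))
    signed = hooks.sign_register(ctx, build_register_payload(device_info, cookie))
    return service.send_register(b64(signed))


if __name__ == "__main__":
    cert = b"constructed-cert-bytes"  # stands in for the contents of cert.cer
    ok = register_device(fake_hooks(cert), FakeAppleSide(cert), cert, {"name": "linux-box"})
    print("registered" if ok else "rejected")
```

To use this against the real functions, replace `fake_hooks` with callables that invoke the native session and register functions (via Frida or an emulator) and `FakeAppleSide` with an HTTP transport; `register_device` and the length check stay the same.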
deadash commented 11 months ago

After giving it some thought, I've decided to publicly release the related signature algorithms. As you mentioned, they were reverse-engineered to implement Methods 1, 2, and 3. I've successfully implemented Methods 1 and 2, meaning you can call them natively or through emulation (suitable for any architecture and environment). You can find the repository at the following address: https://github.com/deadash/apple_cache

In the future, the focus may shift towards converting the algorithms to LLVM-IR through emulation to obtain the complete algorithms. While I don't currently have the bandwidth to undertake this, thanks to the plethora of LLVM IR plugins available in Rust, it should be fairly straightforward to accomplish in the future.

azenla commented 11 months ago

That's awesome! I've been very busy the last few years, so I haven't had a chance to take a look at this issue before now.

Thanks for continuing the work!