Open acheong08 opened 1 month ago
edit: nope, Apple is crazy and uses different encodings for each API
```protobuf
message PbcWifiEntry {
  string bssid = 1;
  int32 channel = 2;
  int32 rssi = 3;
  optional PbcWlocLocation location = 4;
  // Source: https://github.com/cgerro/ios-location-trace-study
  int32 unknown_varint7 = 7;
  double timestamp = 8;
  int32 unknown_varint9 = 9;
}

message PbcWlocRequest {
  DeviceType device_info = 163;
  repeated PbcWifiEntry wifi_entries = 3;
}

message MotionActivity {
  enum type {
    unknown = 0;
    stationary = 1;
    walking = 2;
    running = 3;
    automotive = 4;
    cycling = 5;
  }
  uint32 confidence = 1;
  type activity = 2;
}

message PbcWlocLocation {
  optional double latitude = 1;
  optional double longitude = 2;
  optional float horizontal_accuracy = 3;
  optional float altitude = 5;
  optional float vertical_accuracy = 6;
  optional float speed = 7;
  optional float course = 8;
  optional double timestamp = 9;
  optional int32 provider = 13; // Only shows up if your phone is tied to a cell provider
  optional int32 motion_vehicle_connected_state_changed = 16;
  optional int32 motion_vehicle_connected = 17;
  optional MotionActivity raw_motion_activity = 18;
  optional MotionActivity motion_activity = 19;
  optional MotionActivity dominant_motion_activity = 20;
  optional float course_accuracy = 21;
  optional float speed_accuracy = 22;
}
```

I've been doing something similar for a while here and it seems we could share some info.
For example, the values for https://github.com/cgerro/ios-location-trace-study/blob/90f60ac797c2fc541a6b6dcf8ef1c43f669e05d9/proto-files/request_pbcwloc.proto#L54-L71 can be found by decompiling CoreLocationProtobuf (you can find a sample here: https://github.com/acheong08/apple-corelocation-experiments/blob/3243a0c2c6fb99cc52808f6a598fff705531c757/CoreLocationProtobuf.c).
And you can find the field names here: https://github.com/acheong08/apple-corelocation-experiments/blob/1027ca875c4fd8a16e234bd48d1b5de32fad5779/pb/BSSIDApple.proto#L40-L76
It seems you've figured out how to upload data into the API. May I ask how you found 'https://gsp10-ssl.ls.apple.com/hvr/aploc' and 'https://gsp10-ssl.apple.com/hcy/pbcwloc'? I've been running MITM for a while but haven't been able to catch a request, presumably due to privacy settings. Not sure which one, though.
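
An added example, not part of the original post or of either linked project: a schema-less walk over protobuf wire format that labels fields with the `PbcWifiEntry` numbers from the post and surfaces any field number the schema does not list. The sample bytes and the `unlisted_<n>` naming are constructed for illustration.

```python
import struct

# Field numbers and names copied from the PbcWifiEntry message in the post.
WIFI_ENTRY_FIELDS = {1: "bssid", 2: "channel", 3: "rssi", 4: "location",
                     7: "unknown_varint7", 8: "timestamp", 9: "unknown_varint9"}

def read_varint(buf, pos):
    """Decode one base-128 varint at pos; return (value, next_pos)."""
    value = 0
    for n, byte in enumerate(buf[pos:pos + 10]):    # 64 bits fit in 10 bytes
        value |= (byte & 0x7F) << (7 * n)
        if not byte & 0x80:
            return value, pos + n + 1
    raise ValueError("truncated or overlong varint")

def decode_fields(buf):
    """Walk the wire format without a schema: [(field_no, wire_type, raw)]."""
    pos, out = 0, []
    while pos < len(buf):
        key, pos = read_varint(buf, pos)
        field_no, wire_type = key >> 3, key & 7
        if wire_type == 0:                          # varint
            raw, pos = read_varint(buf, pos)
        elif wire_type in (1, 2, 5):                # fixed64, length-delimited, fixed32
            n, pos = read_varint(buf, pos) if wire_type == 2 else (8 if wire_type == 1 else 4, pos)
            raw, pos = buf[pos:pos + n], pos + n
        else:
            raise ValueError(f"unsupported wire type {wire_type}")
        if pos > len(buf):
            raise ValueError("truncated field")
        out.append((field_no, wire_type, raw))
    return out

def decode_wifi_entry(buf):
    """Name fields per the post's schema; anything else becomes unlisted_<n>."""
    entry = {}
    for field_no, wire_type, raw in decode_fields(buf):
        name = WIFI_ENTRY_FIELDS.get(field_no, f"unlisted_{field_no}")
        if wire_type == 0 and raw >= 1 << 63:
            raw -= 1 << 64                          # negative int32 is sign-extended to 64 bits
        elif wire_type == 1:
            raw = struct.unpack("<d", raw)[0]
        elif wire_type == 2 and name == "bssid":
            raw = raw.decode("ascii")
        entry[name] = raw
    return entry

# Constructed sample: bssid, channel 6, rssi -60, field 7 = 1, timestamp, unlisted field 10 = 5.
SAMPLE = (b"\x0a\x11" + b"02:00:00:00:00:01" + bytes.fromhex("100618c4ffffffffffffffff013801")
          + b"\x41" + struct.pack("<d", 700000000.0) + b"\x50\x05")
```

Calling `decode_wifi_entry(SAMPLE)` returns a dict keyed by the schema names, with the extra field reported as `unlisted_10`.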