I realize that this isn't exactly related to cracking open the iPhone, but I've been looking at how the iPhone communicates with Yahoo!'s IMAP servers in hopes of connecting an external client (Outlook, Mail.app) to it. I've hit a bit of a brick wall due to my lack of understanding SSL stuff, so I thought perhaps someone here could help in decrypting this traffic.
I captured the following traffic heading to Yahoo's servers. First, the iPhone sends the following GET request (the server's response is included):
Code:
GET /dgw/provision?imei={IMEI NUMBER GOES HERE}&c=v7RHIHswIwn&app=AppleIPhone&ygw=1.0.0&a=mail&src=iphone01 HTTP/1.1
User-Agent: CFNetwork/152.4
Accept: */*
Accept-Language: en
Accept-Encoding: gzip, deflate
Cookie: Y=v=1&n=fdsbgid38jeao&l=9cff8f7ed4/o&p=m2k1mm3012000000&r=hu
&lg=en-US&intl=us&np=1; path=/; domain=.yahoo.com;
T=z=uobiGBuuwiGBrxmNmZju75UMzI1BjYwMDc0MU9ONjM-
&a=QAE&sk=DAA84XVhgK8kja&d=c2wBTkRVeUFURTNOekF6TmpnNU1UUS0BYQFRQ
UUBenoBdW9iaUdCZ1dBAXRpcAFGaEJzZEE-; path=/; domain=.yahoo.com
Connection: keep-alive
Host: a1.go.yahoo.com

HTTP/1.1 200 OK
Date: Tue, 03 Jul 2007 02:58:35 GMT
X-YSTATUS: 200
Content-Length: 86
Connection: close
Content-Type: text/plain;charset=UTF-8
<config><udpserver>69.147.113.224:3128</udpserver><config_id>a1.1</config_id></config>
It sends the phone's IMEI number, a "crumb parameter", the app and its version, and the source of it. It also sends a cookie of unknown origin.
After it receives the OK from the server, it then proceeds to authenticate to the IMAP server. Yahoo's IMAP servers don't seem to have the traditional forms of authentication, but instead have a cookie, a base64 cookie and a PKI challenge. The iPhone is using the PKI challenge. It sends two keys. I'm having trouble with the first one, which the IMAP server labels as "auth-token"; the second one is the iPhone Device CA. The keys are separated by the + sign.
Code:
* OK IMAP4rev1 server ready (3.5.13)
1 CAPABILITY
* CAPABILITY IMAP4rev1 LOGIN-REFERRALS AUTH=XYMCOOKIE AUTH=XYMCOOKIEB64 AUTH=XYMPKI ID
1 OK CAPABILITY completed
2 AUTHENTICATE XYMPKI
+[auth-token, base64 omitted]+[iPhone Device CA, base64 omitted]
2 OK AUTHENTICATE completed
The second one I can import into Mac OS X's Keychain with ease and it is labeled as the iPhone Root Device CA. The first one, however, I have no idea where it comes from.
Having these keys doesn't fix Mail.app's insistence on sending the IMAP command "login username password," but I would think that could be fixed with a mailBundle.
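As an added example (not the poster's code), here is a small parser for the IMAP exchange quoted above: it lists the AUTH= mechanisms from the CAPABILITY line, checks whether the server would still accept a plaintext LOGIN, and splits the "+"-separated pair sent after AUTHENTICATE XYMPKI into its two base64 halves. The session text and both base64 tokens are constructed placeholders, since the real tokens are not reproduced in the post.

```python
import base64

# Constructed sample of the exchange from the post; the two base64 tokens
# after the '+' continuation are made-up placeholders, not captured data.
SAMPLE_SESSION = """\
* OK IMAP4rev1 server ready (3.5.13)
1 CAPABILITY
* CAPABILITY IMAP4rev1 LOGIN-REFERRALS AUTH=XYMCOOKIE AUTH=XYMCOOKIEB64 AUTH=XYMPKI ID
1 OK CAPABILITY completed
2 AUTHENTICATE XYMPKI
+ dG9rZW4=+MIIBAQ==
2 OK AUTHENTICATE completed
"""


def capability_tokens(session: str) -> list[str]:
    """Return the tokens of the untagged CAPABILITY response, or [] if absent."""
    for line in session.splitlines():
        if line.startswith("* CAPABILITY"):
            return line.split()[2:]
    return []


def auth_mechanisms(session: str) -> list[str]:
    """SASL mechanisms the server advertises (the AUTH=... tokens)."""
    return [tok[5:] for tok in capability_tokens(session) if tok.startswith("AUTH=")]


def plaintext_login_allowed(session: str) -> bool:
    """Without LOGINDISABLED in CAPABILITY, 'LOGIN user pass' is still accepted,
    which is what the post observes Mail.app trying to send."""
    return "LOGINDISABLED" not in capability_tokens(session)


def split_xympki(session: str) -> tuple[bytes, bytes]:
    """Decode the '+'-separated pair that follows AUTHENTICATE XYMPKI.
    Assumes neither token itself contains '+' (standard base64 can), so the
    first '+' is taken as the separator; first = auth-token, second = device CA."""
    lines = session.splitlines()
    for i, line in enumerate(lines):
        if line.endswith("AUTHENTICATE XYMPKI"):
            payload = lines[i + 1].lstrip("+ ")  # drop the continuation marker
            first, second = payload.split("+", 1)
            return base64.b64decode(first), base64.b64decode(second)
    raise ValueError("no XYMPKI exchange found in session")


def looks_like_der(blob: bytes) -> bool:
    """A DER X.509 certificate begins with a SEQUENCE tag (0x30); the post says
    the second token imports into Keychain as the iPhone Root Device CA."""
    return len(blob) > 1 and blob[0] == 0x30
```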