#1  Lixivial, 07-03-2007, 07:40 PM
Decrypting iPhone/Yahoo IMAP Traffic

I realize that this isn't exactly related to cracking open the iPhone, but I've been looking at how the iPhone communicates with Yahoo!'s IMAP servers in hopes of connecting an external client (Outlook, Mail.app) to it. I've hit a bit of a brick wall due to my lack of understanding of SSL, so I thought perhaps someone here could help in decrypting this traffic.

I captured the following traffic heading to Yahoo's servers. First the iPhone sends the following GET request (contains the server's response):

Code:
GET /dgw/provision?imei={IMEI NUMBER GOES HERE}&c=v7RHIHswIwn&app=AppleIPhone&ygw=1.0.0&
a=mail&src=iphone01 HTTP/1.1
User-Agent: CFNetwork/152.4
Accept: */*
Accept-Language: en
Accept-Encoding: gzip, deflate
Cookie: Y=v=1&n=fdsbgid38jeao&l=9cff8f7ed4/o&p=m2k1mm3012000000&r=hu
&lg=en-US&intl=us&np=1; path=/; domain=.yahoo.com; 
T=z=uobiGBuuwiGBrxmNmZju75UMzI1BjYwMDc0MU9ONjM-
&a=QAE&sk=DAA84XVhgK8kja&d=c2wBTkRVeUFURTNOekF6TmpnNU1UUS0BYQFRQ
UUBenoBdW9iaUdCZ1dBAXRpcAFGaEJzZEE-; path=/; domain=.yahoo.com
Connection: keep-alive
Host: a1.go.yahoo.com

HTTP/1.1 200 OK
Date: Tue, 03 Jul 2007 02:58:35 GMT
X-YSTATUS: 200
Content-Length: 86
Connection: close
Content-Type: text/plain;charset=UTF-8

<config><udpserver>69.147.113.224:3128</udpserver><config_id>a1.1</config_id></config>
It sends the phone's IMEI number, a "crumb parameter", the app and its version, and the source of it. It also sends a cookie of unknown origin.

After it receives the OK from the server, it then proceeds to authenticate to the IMAP server. Yahoo's IMAP servers don't seem to have the traditional forms of authentication, but instead have a cookie, a base64 cookie and a PKI challenge. The iPhone is using the PKI challenge. It sends two keys. I'm having trouble with the first one, which the IMAP server labels as "auth-token"; the second one is the iPhone Device CA. The keys are separated by the + sign.

Code:
* OK IMAP4rev1 server ready (3.5.13)
1 CAPABILITY
* CAPABILITY IMAP4rev1 LOGIN-REFERRALS AUTH=XYMCOOKIE AUTH=XYMCOOKIEB64 AUTH=XYMPKI ID
1 OK CAPABILITY completed
2 AUTHENTICATE XYMPKI
+ 
{auth-token, base64 blob omitted}
+ 
{iPhone Device CA, base64 blob omitted}
2 OK AUTHENTICATE completed
The second one I can import into Mac OS X's Keychain with ease and it is labeled as the iPhone Root Device CA. The first one, however, I have no idea where it comes from.

Having these keys doesn't fix Mail.app's insistence on sending the IMAP command "login username password," but I would think that could be fixed with a mailBundle.

Last edited by Lixivial; 07-04-2007 at 03:39 AM.
#2  iphonejoe, 07-07-2007, 02:04 AM

Lixivial, I am just curious, how did you get this traffic output?

I, too, am trying to find out more about the Yahoo->iPhone push technology. I am curious if they use SyncML or P-IMAP (Push-IMAP)?

Can you give me some details on where you are with your efforts?


thanks
#3  sbender, 07-07-2007, 05:50 PM

I'm also interested in this. I've looked at the conversation iPhone Mail.app has with my IMAP server and it does not use the IDLE command. I'd love to see how they are doing push with yahoo.
#4  iphonejoe, 07-07-2007, 06:36 PM

Lixivial,

you and I talked offline last night but I just wanted to add this info to the thread so others can read it and maybe jump in.

Lixivial and I have looked at the iPhone's "push" traffic last night and so far, we have seen the following happening:

* there does *NOT* seem to be any P-IMAP nor IDLE (LEMONADE) stuff going on!
* iPhone makes standard IMAP calls
* IMAP is always initiated by the iPhone, period
* watching the timing of this traffic, there *MUST* be a cellular message coming in from ATT/Yahoo immediately prior to the iPhone "suddenly" going out and making an IMAP call over WIFI

We don't know if this behavior is different when the iPhone is on EDGE only, but I doubt it. While researching this, I found an interesting site which has some very useful info about what might be going on. While this doesn't mention the iPhone or Yahoo, it really matches what we have seen last night:

Quote:
IMAP Idle is an extension of the IMAP protocol enabling the server to notify the client of a new message. Unlike SyncML push, IMAP push does not require SMS notification; it is basically an endless session between the client and server where the server can notify the client. The IDLE command deals with the situation when the client has no more requests to make. The server responds to the IDLE command when there is a new message to indicate to the client that there is new data available. The basic network use of the IDLE command is very small, and so it makes very efficient use of bandwidth.
http://www.synchronica.com/products/...facturers.html

anyone else wanna chip in?
#5  iphonejoe, 07-07-2007, 08:19 PM

Here is a follow-up to my last message. Today I "monitored" the cellular traffic coming to and from the iPhone. Well, not really, I wrapped my speaker cable around the iPhone to pick up cellular RF :-) ... it sort of gives you an idea... there was pretty much no traffic, aka pulse noise in the speaker, until I sent a mail to my Yahoo account. Then, immediately there was cell traffic and immediately after, the iPhone sent off an IMAP call via WIFI.

So I think this, while not very scientific, confirms that the Yahoo "push" to the iPhone involves cellular data rather than P-IMAP or IDLE.

:-(

Anyone here know of a way to programmatically send data over cellular?
#6  Lixivial, 07-08-2007, 08:36 AM

Haven't been looking at these forums for a while, until iphonejoe notified me of updating the thread. Yeah, here's the proof that the Yahoo IMAP server is not using traditional IDLE at all. This should have been obvious in the output of the CAPABILITY string, but I completely overlooked it as I was running under the assumption that it was using it. I didn't even test the IDLE command last time.

Code:
MacBook:~ Jesse$ telnet imap.apple.mail.yahoo.com 143
Trying 68.142.207.40...
Connected to imap.mail.yahoo.com.
Escape character is '^]'.
* OK IMAP4rev1 server ready (3.5.13)
1 AUTHENTICATE XYMPKI
+ 
{ auth-token, yah }
+ 
{ iphone device CA, yah} 
1 OK AUTHENTICATE completed
2 SELECT INBOX
* 16 EXISTS
* 0 RECENT
* OK [UNSEEN 2] Message 2 is first unseen
* OK [UIDVALIDITY 1] UIDs valid
* OK [UIDNEXT 22] Predicted next UID
* FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
* OK [PERMANENTFLAGS (\Answered \Flagged \Deleted \Seen \Draft)] Permanent flags
2 OK [READ-WRITE] SELECT  completed; now in selected state
3 CLOSE
3 OK CLOSE completed, now in authenticated state
4 IDLE
4 BAD Unknown command
5 LOGOUT
* BYE IMAP4rev1 Server logging out
5 OK LOGOUT completed
iphonejoe's findings of cellular notification really fall in line with the reasoning that the phone is sending out its IMEI number in a request to a yahoo API server. It also is probably the reason push email doesn't work for those who've activated their phone without AT&T.

The standard IMAP client in Mail.app (Mac OS X or the iPhone) does not support IMAP-IDLE, as evidenced by fastmail.fm -- its imap server *does* support IDLE, but the phone doesn't get emails pushed to it.

I also can tell where the auth-token is coming from and who's generating it. It looks as though iPhone's Mail.app is making a call out to https://mobile-us.login.yahoo8.akadns.net/, which probably generates the token off username/password or some such. I'm still investigating, but being that this is SSL traffic, I don't yet know exactly what's being sent to mobile-us.login.yahoo8.akadns.net but I'm looking into it.

Last edited by Lixivial; 07-08-2007 at 08:42 AM.
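As an added example (not code posted by anyone in this thread), a small Python helper that does what Lixivial says should have been obvious from the CAPABILITY string in post #1 and what the telnet session in post #6 confirmed: it parses the advertised capabilities and AUTH= mechanisms, then walks the tagged responses of the IDLE probe to show the server rejected IDLE. The transcript lines are copied from this thread; the regex and function names are my own.

```python
"""Check an IMAP capture for IDLE (RFC 2177) push support."""
import re

# Constructed input, copied from the captures in this thread: the
# CAPABILITY response (post #1) and the IDLE probe (post #6).
CAPABILITY_LINE = ("* CAPABILITY IMAP4rev1 LOGIN-REFERRALS AUTH=XYMCOOKIE "
                   "AUTH=XYMCOOKIEB64 AUTH=XYMPKI ID")
IDLE_PROBE = [
    "2 SELECT INBOX",
    "* 16 EXISTS",
    "2 OK [READ-WRITE] SELECT  completed; now in selected state",
    "4 IDLE",
    "4 BAD Unknown command",
    "5 LOGOUT",
    "5 OK LOGOUT completed",
]

# Tagged server response "<tag> OK|NO|BAD ..." (RFC 3501, section 7.1).
TAGGED = re.compile(r"^(?P<tag>[A-Za-z0-9]+) (?P<status>OK|NO|BAD)\b")

def parse_capability(line):
    """Return (set of capabilities, sorted AUTH= mechanism names)."""
    parts = line.split()
    if parts[:2] != ["*", "CAPABILITY"]:
        raise ValueError("not a CAPABILITY response: %r" % line)
    caps = set(parts[2:])
    auth = sorted(c[len("AUTH="):] for c in caps if c.startswith("AUTH="))
    return caps, auth

def idle_advertised(line):
    """True if the server lists IDLE in its CAPABILITY response."""
    return "IDLE" in parse_capability(line)[0]

def tagged_results(lines):
    """Map each client tag to (command verb, server status); '* ...' lines skipped."""
    commands, results = {}, {}
    for line in lines:
        if line.startswith("* "):
            continue
        m = TAGGED.match(line)
        if m and m.group("tag") in commands:
            results[m.group("tag")] = (commands[m.group("tag")], m.group("status"))
        else:
            # No OK/NO/BAD status after the tag: this is the client's command line.
            tag, _, rest = line.partition(" ")
            commands[tag] = rest.split()[0].upper() if rest.strip() else ""
    return results

def idle_accepted(lines):
    """True only if an IDLE command ended with a tagged OK."""
    return any(cmd == "IDLE" and status == "OK"
               for cmd, status in tagged_results(lines).values())
```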
Powered by vBulletin® Version 3.8.2
Copyright ©2000 - 2009, Jelsoft Enterprises Ltd.