  1. #1
    Newbie Array

    Join Date
    Jul 2007

    Decrypting iPhone/Yahoo IMAP Traffic

    I realize that this isn't exactly related to cracking open the iPhone, but I've been looking at how the iPhone communicates with Yahoo!'s IMAP servers in hopes of connecting an external client (Outlook, Mail.app) to it. I've hit a bit of a brick wall due to my lack of understanding SSL stuff, so I thought perhaps someone here could help in decrypting this traffic.

    I captured the following traffic heading to Yahoo's servers. First the iPhone sends the following GET request (contains the server's response):

    Code:
    GET /dgw/provision?imei={IMEI NUMBER GOES HERE}&c=v7RHIHswIwn&app=AppleIPhone&ygw=1.0.0&
    a=mail&src=iphone01 HTTP/1.1
    User-Agent: CFNetwork/152.4
    Accept: */*
    Accept-Language: en
    Accept-Encoding: gzip, deflate
    Cookie: Y=v=1&n=fdsbgid38jeao&l=9cff8f7ed4/o&p=m2k1mm3012000000&r=hu
    &lg=en-US&intl=us&np=1; path=/; domain=.yahoo.com; 
    T=z=uobiGBuuwiGBrxmNmZju75UMzI1BjYwMDc0MU9ONjM-
    &a=QAE&sk=DAA84XVhgK8kja&d=c2wBTkRVeUFURTNOekF6TmpnNU1UUS0BYQFRQ
    UUBenoBdW9iaUdCZ1dBAXRpcAFGaEJzZEE-; path=/; domain=.yahoo.com
    Connection: keep-alive
    Host: a1.go.yahoo.com
    
    HTTP/1.1 200 OK
    Date: Tue, 03 Jul 2007 02:58:35 GMT
    X-YSTATUS: 200
    Content-Length: 86
    Connection: close
    Content-Type: text/plain;charset=UTF-8
    
    <config><udpserver>69.147.113.224:3128</udpserver><config_id>a1.1</config_id></config>

    It sends the phone's IMEI number, a "crumb parameter", the app and its version, and the source of it. It also sends a cookie of unknown origin.

    After it receives the OK from the server, it then proceeds to authenticate to the IMAP server. Yahoo's IMAP servers don't seem to have the traditional forms of authentication, but instead have a cookie, a base64 cookie and a PKI challenge. The iPhone is using the PKI challenge. It sends two keys. I'm having trouble with the first one, which the IMAP server labels as "auth-token"; the second one is the iPhone Device CA. The keys are separated by the + sign.

    Code:
    * OK IMAP4rev1 server ready (3.5.13)
    1 CAPABILITY
    * CAPABILITY IMAP4rev1 LOGIN-REFERRALS AUTH=XYMCOOKIE AUTH=XYMCOOKIEB64 AUTH=XYMPKI ID
    1 OK CAPABILITY completed
    2 AUTHENTICATE XYMPKI
    + 
    WT12PTEmbj1mZHNiZ2lkMzhqZWFvJmw9OWNmZjhmN2VkNC9vJnA9bTJrMW1tMzAx
    MjAwMDAwMCZyPWh1JmxnPWVuLVVTJmludGw9dXMmbnA9MTsgVD16PXVvYmlHQnV
    1d2lHQnJ4bU5tWmp1NzVVTXpJMUJqWXdNRGMwTVU5T05qTS0mYT1RQUUmc2s9REF
    BODRYVmhnSzhramEmZD1jMndCVGtSVmVVRlVSVE5PZWtGNlRtcG5OVTFVVVMwQllRR
    lJRVVVCZW5vQmRXOWlhVWRDWjFkQkFYUnBjQUZHYUVKelpFRS07IHZlcnNpb249MS4
    wIHJldmlzaW9uPTFBNTQzYSBjaWQ9NDY0YjI0MDViMTU1MGUxZmMwOWRhZTcyOWNk
    ZjE2YmU3NWUyM2JmOSB0cz0xMTgzNDMxNTcwIHNpZz02SE1Dd09kSWRucWNoR3Vj
    KzRqamVlaURyT2lkMGs4bFRVays2UEVpMXlXWjhVajNkb0VySmVUOGFrVzJvU2sySjVZM
    jdwcnVpMGlGY2xFMDU0RERzTzFHQ2J3QnFjck9jdmdNaGh2cDRJdHRzM2p6OXpRajV5c
    UNJOG1pNnNPYVdTNzlNZ295a1lWNW1UZGZrV3dCZzlGOTZWcXVpckFmSC9wZWZSc1
    pORTg9IHNyYz1pcGhvbmU=
    + 
    MIIDPzCCAqigAwIBAgIKA+UHXZoJDAURpjANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQ
    GEwJVUzETMBEGA1UEChMKQXBwbGUgSW5jLjEVMBMGA1UECxMMQXBwbGUgaVBob2
    5lMR8wHQYDVQQDExZBcHBsZSBpUGhvbmUgRGV2aWNlIENBMB4XDTA3MDYzMDAyMT
    MwOVoXDTEwMDYzMDAyMTMwOVowgYcxMTAvBgNVBAMTKDQ2NGIyNDA1YjE1NTBlM
    WZjMDlkYWU3MjljZGYxNmJlNzVlMjNiZjkxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTE
    SMBAGA1UEBxMJQ3VwZXJ0aW5vMRMwEQYDVQQKEwpBcHBsZSBJbmMuMQ8wDQYDV
    QQLEwZpUGhvbmUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOv69rHSDQVNU
    hEPNdxgo0sIJZeyrPAaWXTa+pMo5HYlLHNmkRO4pJhL/aoIAtAEjJMLh+Agox3WbB13wY
    B/GxQz4lRgKoYL2v2mZOPEUWMO8IGC0M8KDMHWqYXMgPu6dpAtgTWsNsz5zAdoIedb
    KH/KYB7jQYiATdWLhbNBNEivAgMBAAGjgd0wgdowgYIGA1UdIwR7MHmAFLL+ISNEhpV
    qedWBJo5zENinTI50oV6kXDBaMQswCQYDVQQGEwJVUzETMBEGA1UEChMKQXBwbGUg
    SW5jLjEVMBMGA1UECxMMQXBwbGUgaVBob25lMR8wHQYDVQQDExZBcHBsZSBpUGhv
    bmUgRGV2aWNlIENBggEBMB0GA1UdDgQWBBRfYw2Q0vlBEyGUXz8yZQ2LCja2BTAMB
    gNVHRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIFoDAWBgNVHSUBAf8EDDAKBggrBgEFBQ
    cDATANBgkqhkiG9w0BAQsFAAOBgQBJ/vRPxFOj+upvXfaH0uwGa4FgPns84NBJriizfAs9k
    yS+ZHeV4Lnw9SJI0FKIffIfFtbDRpHoOcCKFYiB72ZheFtAwygIXuopxMbtXPxF2B+UfkSy
    Ns6HMH0og/cElxZQdW4BdgJVqEeS9TquM1QoFPi1diuZwxmCd+BG4bf/UA==
    2 OK AUTHENTICATE completed

    The second one I can import into Mac OS X's Keychain with ease and it is labeled as the iPhone Root Device CA. The first one, however, I have no idea where it comes from.

    Having these keys doesn't fix Mail.app's insistence on sending the IMAP command "login username password," but I would think that could be fixed with a mailBundle.
    Last edited by Lixivial; 07-04-2007 at 03:39 AM.
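
Added example, not part of the original post: a Python sketch that splits an AUTHENTICATE exchange like the one captured above into its base64 payloads and reports whether each one decodes to readable text fields or to a DER structure such as an X.509 certificate. The session, cookie values and field values are constructed; the text layout (cookie pairs followed by space-separated key=value fields) mirrors what the first payload in the post decodes to, and the function names are hypothetical.

```python
import base64

def extract_payloads(session_lines):
    """Return the base64 payloads of an AUTHENTICATE exchange, one string each.
    A bare '+' opens a payload, wrapped lines are joined, and any line with a
    space (an IMAP command or tagged response) closes it."""
    payloads, current = [], None
    for line in [l.strip() for l in session_lines] + ["end of capture"]:
        if line == "+" or " " in line:
            if current:
                payloads.append("".join(current))
            current = [] if line == "+" else None
        elif current is not None and line:
            current.append(line)
    return payloads

def describe_payload(b64_text):
    """Classify one payload by what it decodes to."""
    raw = base64.b64decode(b64_text, validate=True)
    if raw[:2] == b"\x30\x82":  # DER SEQUENCE with 2-byte length, as X.509 starts
        declared = int.from_bytes(raw[2:4], "big") + 4
        return {"kind": "der", "declared": declared, "actual": len(raw)}
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return {"kind": "binary", "actual": len(raw)}
    *cookies, tail = text.split("; ")
    fields = {k: v for k, _, v in (f.partition("=") for f in tail.split(" "))}
    return {"kind": "text", "cookies": [c.partition("=")[0] for c in cookies],
            "fields": fields}

def _wrap(data, width=64):
    """Base64-encode and wrap, the way the capture shows long payloads."""
    b64 = base64.b64encode(data).decode()
    return [b64[i:i + width] for i in range(0, len(b64), width)]

# Constructed sample data (not values from the capture in the post).
SAMPLE_TOKEN = (b"Y=v=1&n=EXAMPLE; T=z=EXAMPLE&a=EX; version=1.0 revision=BUILD "
                b"cid=0000aaaa ts=1183400000 sig=AAAA+BBBB/CCCC= src=iphone")
SAMPLE_DER = b"\x30\x82\x01\x2c" + bytes(300)  # DER header + filler, not a real cert
SAMPLE_SESSION = (["2 AUTHENTICATE XYMPKI", "+ "] + _wrap(SAMPLE_TOKEN)
                  + ["+ "] + _wrap(SAMPLE_DER) + ["2 OK AUTHENTICATE completed"])

if __name__ == "__main__":
    for payload in extract_payloads(SAMPLE_SESSION):
        print(describe_payload(payload))
```

A payload reported as kind "text" is only encoded, not encrypted, so anyone who can read the session on the wire can read its fields.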



  2. #2
    Rookie Array

    Join Date
    Jul 2007

    Lixivial, i am just curious, how did you get this traffic output?

    I am too trying to find out more about the Yahoo->iPhone push technology. I am curious if they use SyncML or P-IMAP (Push-IMAP)?

    Can you give me some details on where you are with your efforts?


    thanks

  3. #3
    Newbie Array

    Join Date
    Jul 2007

    I'm also interested in this. I've looked at the conversation iPhone Mail.app has with my IMAP server and it does not use the IDLE command. I'd love to see how they are doing push with yahoo.

  4. #4
    Rookie Array

    Join Date
    Jul 2007

    Lixivial,

    you and i talked offline last night but i just wanted to add this info to the thread so others can read it and maybe jump in.

    Lixivial and I have looked at the iPhone's "push" traffic last night and so far, we have seen the following happening:

    * there does *NOT* seem to be any P-IMAP nor IDLE (LEMONADE) stuff going on!
    * iPhone makes standard IMAP calls
    * IMAP is always initiated by the iphone, period
    * watching the timing of this traffic, there *MUST* be a cellular message coming in from ATT/Yahoo immediately prior to the iPhone "suddenly" going out and making an IMAP call over WIFI

    we don't know if this behavior is different when the iPhone is on edge only, but i doubt it. while researching this, i found an interesting site which has some very useful info about what might be going on. while this doesn't mention the iphone or yahoo, it really matches what we have seen last night:

    IMAP Idle is an extension of the IMAP protocol enabling the server to notify the client of a new message. Unlike SyncML push, IMAP push does not require SMS notification; it is basically an endless session between the client and server where the server can notify the client. The IDLE command deals with the situation when the client has no more requests to make. The server responds to the IDLE command when there is a new message to indicate to the client that there is new data available. The basic network use of the IDLE command is very small, and so it makes very efficient use of bandwidth.
    http://www.synchronica.com/products/...facturers.html

    anyone else wanna chip in?

  5. #5
    Rookie Array

    Join Date
    Jul 2007

    Here is a follow up to my last message. Today i "monitored" the cellular traffic coming to and from the iPhone. Well, not really, i wrapped my speaker cable around the iphone to pick up cellular RF :-) ... it sort of gives you an idea... there was pretty much no traffic, aka pulse noise in the speaker until i sent a mail to my yahoo account. then, immediately there was cell traffic and immediately after, the iphone sent off an IMAP call via WIFI.

    So i think this, while not very scientific, confirms that the yahoo "push" to the iPhone involves cellular data rather than P-IMAP or IDLE.

    :-(

    anyone here know of a way to programmatically send data over cellular?


  6. #6
    Newbie Array

    Join Date
    Jul 2007

    Haven't been looking at these forums for awhile, until iphonejoe notified me of updating the thread. Yeah, here's the proof that the Yahoo IMAP server is not using traditional IDLE at all. This should have been obvious in the output of the CAPABILITY string, but I completely overlooked it as I was running under the assumption that it was using it. I didn't even test the IDLE command last time.

    Code:
    MacBook:~ Jesse$ telnet imap.apple.mail.yahoo.com 143
    Trying 68.142.207.40...
    Connected to imap.mail.yahoo.com.
    Escape character is '^]'.
    * OK IMAP4rev1 server ready (3.5.13)
    1 AUTHENTICATE XYMPKI
    + 
    { auth-token, yah }
    + 
    { iphone device CA, yah} 
    1 OK AUTHENTICATE completed
    2 SELECT INBOX
    * 16 EXISTS
    * 0 RECENT
    * OK [UNSEEN 2] Message 2 is first unseen
    * OK [UIDVALIDITY 1] UIDs valid
    * OK [UIDNEXT 22] Predicted next UID
    * FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
    * OK [PERMANENTFLAGS (\Answered \Flagged \Deleted \Seen \Draft)] Permanent flags
    2 OK [READ-WRITE] SELECT  completed; now in selected state
    3 CLOSE
    3 OK CLOSE completed, now in authenticated state
    4 IDLE
    4 BAD Unknown command
    5 LOGOUT
    * BYE IMAP4rev1 Server logging out
    5 OK LOGOUT completed

    iphonejoe's findings of cellular notification really fall in line with the reasoning that the phone is sending out its IMEI number in a request to a yahoo API server. It also is probably the reason push email doesn't work for those who've activated their phone without AT&T.

    The standard IMAP client in Mail.app (Mac OS X or the iPhone) does not support IMAP-IDLE, as evidenced by fastmail.fm -- its imap server *does* support IDLE, but the phone doesn't get emails pushed to it.

    I also can tell where the auth-token is coming from and who's generating it. It looks as though iPhone's Mail.app is making a call out to https://mobile-us.login.yahoo8.akadns.net/, which probably generates the token off username/password or some such. I'm still investigating, but being that this is SSL traffic, I don't yet know exactly what's being sent to mobile-us.login.yahoo8.akadns.net but I'm looking into it.
    Last edited by Lixivial; 07-08-2007 at 08:42 AM.
