Taconut edited this page Jan 9, 2014 · 1 revision

ICLOUD

What it does

The iCloud portion of Icew1nd is for decrypting, downloading (and possibly uploading) iCloud backups. To do this, the iCloud protocol must be reverse-engineered. Surprisingly, only one company has managed to do this, and they're selling their product for $200. The program is called Elcomsoft Phone Password Breaker. Luckily, they were nice enough to explain how most of it worked at a reverse engineering convention.

How it works

iCloud works by making multiple HTTP(S) GET and POST requests to various places in the iCloud servers. First, the username and password are supplied as headers via HTTP GET to get an authentication token for the user. Next, information about the user is gathered, including the user's name. Among that information is a new authentication token, called "mmeAuthToken." This information is used to get a list of devices. All responses from this point on are encoded in Google's protobuf format.

The user selects a device via Icew1nd's GUI. Another GET request is made containing the id of the device to retrieve a list of backups. Once the user chooses a backup, a request is made to get a list of files associated with that backup. This response is split into multiple protobufs with varints.

A POST request is then made for each file to get its authentication key. This information can be used to make yet another POST request. This time, the response contains the framework for creating another request. Executing this request returns the file needed for the backup.

However, most files will be encrypted. Another request must be sent to get a keybag for decrypting each file. Decrypting each file using the keybag yields the fully decrypted iCloud backup.
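The file list is described above as being "split into multiple protobufs with varints." The following is an added example, not code from Icew1nd or from the original page, showing how such a stream can be split and inspected without a schema. It assumes each message is preceded by its byte length encoded as a base-128 varint (the usual delimited protobuf framing); the function names, sample bytes and field numbers are made up for illustration.

```python
def read_varint(buf, pos):
    """Decode a base-128 varint starting at buf[pos]; return (value, next_pos)."""
    value = shift = 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        if shift > 63:
            raise ValueError("varint longer than 10 bytes")
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7

def split_delimited(body):
    """Split a stream of varint-length-prefixed messages into raw messages."""
    messages, pos = [], 0
    while pos < len(body):
        length, pos = read_varint(body, pos)
        if pos + length > len(body):
            raise ValueError("message length exceeds remaining data")
        messages.append(body[pos:pos + length])
        pos += length
    return messages

def top_level_fields(msg):
    """List (field_number, wire_type, value) for one message, no schema needed."""
    fields, pos = [], 0
    while pos < len(msg):
        key, pos = read_varint(msg, pos)
        number, wire = key >> 3, key & 7
        if wire == 0:                    # varint
            value, pos = read_varint(msg, pos)
        elif wire in (1, 2, 5):          # fixed64, length-delimited, fixed32 (raw bytes)
            size, pos = read_varint(msg, pos) if wire == 2 else ({1: 8, 5: 4}[wire], pos)
            if pos + size > len(msg):
                raise ValueError("field runs past end of message")
            value, pos = msg[pos:pos + size], pos + size
        else:
            raise ValueError(f"unsupported wire type {wire}")
        fields.append((number, wire, value))
    return fields

# Constructed sample: two messages; the field numbers and values are made up.
SAMPLE = bytes.fromhex("0a" "0a05612e74787410ac02" "05" "0a01621001")

if __name__ == "__main__":
    for raw in split_delimited(SAMPLE):
        print(top_level_fields(raw))
```

The bounds checks matter when the response body is truncated or malformed: a length prefix larger than the remaining data raises an error instead of silently returning a short message.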
