Skip to main content

python implementation for libimobiledevice library

Project description

Description

pymobiledevice3 is a fork from pymobiledevice, which is a cross-platform implementation of the mobiledevice library that talks the protocols to support iPhone®, iPod Touch®, iPad® and Apple TV® devices.

This version uses more recent coding standards and adds a lot more features. Also, many of the features not present in libimobiledevice can be found here.

To understand the bits and bytes of the communication with lockdownd you are advised to take a look at this article:

https://jon-gabilondo-angulo-7635.medium.com/understanding-usbmux-and-the-ios-lockdown-service-7f2a1dfd07ae

Features

  • TCP portwarding

    • pymobiledevice3 lockdown forward src_port dst_port)
  • Screenshots

    • pymobiledevice3 screenshot screen.png
  • Live and past syslogs

    • pymobiledevice3 syslog live
    • pymobiledevice3 syslog archive syslogs.pax
  • Profile installation

    • pymobiledevice3 profile install/remove/list
  • Application management

    • pymobiledevice3 apps
  • File system management (AFC)

    • pymobiledevice3 afc
  • Crash reports management

    • pymobiledevice3 crash
  • Network sniffing

    • pymobiledevice3 pcap [out.pcap]
  • Raw shell for experimenting:

    • pymobiledevice3 lockdown service service_name
  • Mounting images

    • pymobiledevice3 mounter
  • DeveloperDiskImage features:

    • Process management
      • pymobiledevice3 developer kill/launch/....
    • Non-chrooted directory listing
      • pymobiledevice3 developer ls /
    • Raw shell for experimenting:
      • pymobiledevice3 developer shell
  • And some more 😁

Installation

git clone git@github.com:doronz88/pymobiledevice3.git
cd pymobiledevice3
python3 -m pip install --user -U -e .

Usage

Usage: pymobiledevice3 [OPTIONS] COMMAND [ARGS]...

Options:
  --help  Show this message and exit.

Commands:
  afc           FileSystem utils
  apps          application options
  crash         crash utils
  developer     developer options
  diagnostics   diagnostics options
  lockdown      lockdown options
  mounter       mounter options
  notification  API for notify_post() & notify_register_dispatch().
  pcap          sniff device traffic
  profile       profile options
  ps            show process list
  screenshot    take a screenshot in PNG format
  syslog        syslog options

Sending your own messages

Lockdown messages

Every such subcommand may wrap several relay requests underneath. If you wish to try and play with some the relays yourself, you can run:

pymobiledevice3 lockdown service <service-name>

This will start an IPython shell where you already have the connection established using the client variable and you can send & receive messages.

# This shell allows you to communicate directly with every service layer behind the lockdownd daemon.

# For example, you can do the following:
client.send_plist({"Command": "DoSomething"})

# and view the reply
print(client.recv_plist())

# or just send raw message
client.send(b"hello")

# and view the result
print(client.recv_exact(20))

Instruments messages

If you want to play with DTServiceHub which lies behind the developer options, you can also use:

pymobiledevice3 developer shell

To also get an IPython shell, which lets you call ObjC methods from the exported objects in the instruments' namespace like so:

# This shell allows you to send messages to the DVTSecureSocketProxy and receive answers easily.
# Generally speaking, each channel represents a group of actions.
# Calling actions is done using a selector and auxiliary (parameters).
# Receiving answers is done by getting a return value and seldom auxiliary (private / extra parameters).
# To see the available channels, type the following:
developer.channels

# In order to send messages, you need to create a channel:
channel = developer.make_channel('com.apple.instruments.server.services.deviceinfo')

# After creating the channel you can call allowed selectors:
channel.runningProcesses()

# If an answer is expected, you can receive it using the receive method:
processes = channel.receive()

# Sometimes the selector requires parameters, You can add them using MessageAux. For example lets kill a process:
channel = developer.make_channel('com.apple.instruments.server.services.processcontrol')
args = MessageAux().append_obj(80)  # This will kill pid 80
channel.killPid_(args, expects_reply=False)  # Killing a process doesn't require an answer.

# In some rare cases, you might want to receive the auxiliary and the selector return value.
# For that cases you can use the recv_message method.
return_value, auxiliary = developer.recv_message()

Example

Lockdown services

Support Service Process Description
DONE com.apple.afc /usr/libexec/afcd --xpc -d /private/var/mobile/Media File access for /var/mobile/Media
DONE com.apple.crashreportcopymobile /usr/libexec/afcd --xpc--service-name com.apple.crashreportcopymobile -d /private/var/mobile/Library/Logs/CrashReporter File access for /var/mobile/Library/Logs/CrashReports
DONE com.apple.pcapd /usr/libexec/pcapd Sniff device's network traffic
DONE com.apple.syslog_relay /usr/libexec/diagnosticd Just streams syslog lines as raw strings
DONE com.apple.os_trace_relay /usr/libexec/diagnosticd More extensive syslog monitoring
DONE com.apple.mobile.diagnostics_relay com.apple.mobile.diagnostics_relay General diagnostic tools
DONE com.apple.mobile.notification_proxy /usr/libexec/notification_proxy API wrapper for notify_post() & notify_register_dispatch()
DONE com.apple.crashreportmover /usr/libexec/crash_mover Just trigger crash_mover to move all crash reports into crash directory
DONE com.apple.mobile.MCInstall /usr/libexec/mc_mobile_tunnel Profile management
DONE com.apple.mobile.screenshotr /Developer/Library/PrivateFrameworks/DVTInstrumentsFoundation.framework/XPCServices/com.apple.dt.DTScreenshotService.xpc/com.apple.dt.DTScreenshotService Take screenshot into a PNG format
DONE com.apple.instruments.remoteserver.DVTSecureSocketProxy /Developer/Library/PrivateFrameworks/DVTInstrumentsFoundation.framework/DTServiceHub Developer instrumentation service
DONE com.apple.mobile.mobile_image_mounter /usr/libexec/mobile_storage_proxy
DONE com.apple.mobile.house_arrest /usr/libexec/mobile_house_arrest Get AFC utils (file management per application bundle)
DONE com.apple.mobile.installation_proxy /usr/libexec/mobile_installation_proxy Application managementNot yet
Not yet com.apple.atc /usr/libexec/atc AirTraffic related
Not yet com.apple.mobile.assertion_agent /usr/libexec/mobile_assertion_agent Create power assertion to prevent different kinds of sleep
Not yet com.apple.ait.aitd /usr/libexec/atc AirTraffic related
Not yet com.apple.misagent /usr/libexec/misagent Profile related
Not yet com.apple.mobile.file_relay /usr/libexec/mobile_file_relay File access for iOS <= 8
Not yet com.apple.mobile.heartbeat /usr/libexec/lockdownd
Not yet com.apple.mobile.insecure_notification_proxy /usr/libexec/notification_proxy -i API wrapper for notify_post() & notify_register_dispatch() from whitelist
Not yet com.apple.mobilebackup /usr/libexec/BackupAgent --lockdown
Not yet com.apple.mobilebackup2 /usr/libexec/BackupAgent2 --lockdown
Not yet com.apple.mobilesync /usr/libexec/SyncAgent --lockdown --oneshot -v
Not yet com.apple.purpletestr /usr/libexec/PurpleTestr --lockdown --oneshot
Not yet com.apple.radios.wirelesstester.mobile /usr/local/bin/WirelessTester -l 1 -o /var/mobile/WirelessTester_mobile.log
Not yet com.apple.radios.wirelesstester.root /usr/local/bin/WirelessTester -l 1 -o /var/mobile/WirelessTester_mobile.log
Not yet com.apple.springboardservices /usr/libexec/springboardservicesrelay
Not yet com.apple.thermalmonitor.thermtgraphrelay /usr/libexec/thermtgraphrelay
Not yet com.apple.webinspector /usr/libexec/webinspectord
BUG com.apple.iosdiagnostics.relay /usr/libexec/ios_diagnostics_relay Failed to connect to it from some reason

com.apple.instruments.remoteserver.DVTSecureSocketProxy

Exports several ObjC objects and allows calling their respective selectors. The /Developer/Library/PrivateFrameworks/DVTInstrumentsFoundation.framework/DTServiceHub service reads the configuration stored from [[NSUserDefaults standardUserDefaults] boolForKey:@"DTXConnectionTracer"] If the value is true, then /tmp/DTServiceHub[PID].DTXConnection.RANDOM.log is created and can be used to debug the transport protocol.

For example:

root@iPhone (/var/root)# tail -f /tmp/DTServiceHub[369].DTXConnection.qNjM2U.log
170.887982 x4 resuming [c0]: <DTXConnection 0x100d20670 : x4>
170.889120 x4   sent   [c0]: < DTXMessage 0x100d52b10 : i2.0 c0 dispatch:[_notifyOfPublishedCapabilities:<NSDictionary 0x100d0e1b0 | 92 key/value pairs>] >
170.889547 x4 received [c0]: < DTXMessage 0x100d0a550 : i1.0 c0 dispatch:[_notifyOfPublishedCapabilities:<NSDictionary 0x100d16a40 | 2 key/value pairs>] >
170.892101 x4 received [c0]: < DTXMessage 0x100d0a550 : i3.0e c0 dispatch:[_requestChannelWithCode:[1]identifier :"com.apple.instruments.server.services.deviceinfo"] >
170.892238 x4   sent   [c0]: < DTXMessage 0x100d61830 : i3.1 c0 >
170.892973 x4 received [c1f]: < DTXMessage 0x100d0a550 : i4.0e c1 dispatch:[runningProcesses] >
171.204957 x4   sent   [c1f]: < DTXMessage 0x100c557a0 : i4.1 c1 object:(__NSArrayM*)<NSArray 0x100c199d0 | 245 objects> { <NSDictionary 0x100c167c0 | 5 key/value pairs>, <NSDictionary 0x100d17970 | 5 key/value pairs>, <NSDictionary 0x100d17f40 | 5 key/value pairs>, <NSDictionary 0x100d61750 | 5 key/value pairs>, <NSDictionary 0x100c16760 | 5 key/value pairs>, ...  } >
171.213326 x4 received [c0]: < DTXMessage : kDTXInterruptionMessage >
171.213424 x4  handler [c0]: < DTXMessage : i1 kDTXInterruptionMessage >
171.213477 x4 received [c1f]: < DTXMessage : kDTXInterruptionMessage >

For editing the configuration we can simply add the respected key into: /var/mobile/Library/Preferences/.GlobalPreferences.plist and kill cfprefsd

The valid selectors for triggering can be found using the following Frida script the same way Roy Bowman used for iterating all classes which implement the protocol DTXAllowedRPC:

frida -U DTServiceHub
for (var name in ObjC.protocols) {
  var protocol = ObjC.protocols[name]
  if ('DTXAllowedRPC' in protocol.protocols) {
    console.log('@protocol', name)
    console.log('  ' + Object.keys(protocol.methods).join('\n  '))
  }
}

The complete list for the following XCode versions can be found in:

com.apple.os_trace_relay

Provides API for the following operations:

  • Show process list (process name and pid)
  • Stream syslog lines in binary form with optional filtering by pid.
  • Get old stored syslog archive in PAX format (can be extracted using pax -r < filename).
    • Archive contain the contents are the /var/db/diagnostics directory

com.apple.mobile.diagnostics_relay

Provides an API to:

  • Query MobileGestalt & IORegistry keys.
  • Reboot, shutdown or put the device in sleep mode.

com.apple.mobile.file_relay

On older iOS versions, this was the main relay used for file operations, which was later replaced with AFC.

com.apple.pcapd

Starting iOS 5, apple added a remote virtual interface (RVI) facility that allows mirroring networks trafic from an iOS device. On Mac OSX the virtual interface can be enabled with the rvictl command. This script allows to use this service on other systems.

Project details


Release history Release notifications | RSS feed

This version

1.0

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

pymobiledevice3-1.0.tar.gz (44.8 kB view details)

Uploaded Source

Built Distributions

pymobiledevice3-1.0.0-py3-none-any.whl (869.0 kB view details)

Uploaded Python 3

pymobiledevice3-1.0-py3-none-any.whl (51.1 kB view details)

Uploaded Python 3

File details

Details for the file pymobiledevice3-1.0.tar.gz.

File metadata

  • Download URL: pymobiledevice3-1.0.tar.gz
  • Upload date:
  • Size: 44.8 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.4.1 importlib_metadata/3.10.1 pkginfo/1.7.0 requests/2.25.1 requests-toolbelt/0.9.1 tqdm/4.60.0 CPython/3.9.4

File hashes

Hashes for pymobiledevice3-1.0.tar.gz
Algorithm Hash digest
SHA256 e7f5f6399e6bf89c7d6aa98e606017d29afd301b6fae806759c27e6607506e73
MD5 2e4ebdd2bda261e6026963057de0a9cc
BLAKE2b-256 6f3f8fe8cddfa1b86a728a3960e23770b44d77a4ee2882c31010049e9d1e348b

See more details on using hashes here.

File details

Details for the file pymobiledevice3-1.0.0-py3-none-any.whl.

File metadata

File hashes

Hashes for pymobiledevice3-1.0.0-py3-none-any.whl
Algorithm Hash digest
SHA256 2e56a0e490776e8ba2b324da30b2e79c089d03d2cca9aeacb398e79a1b8e415a
MD5 deb8c6700af39cac773d1a32cefd81db
BLAKE2b-256 ec69c4dc7a406324872d1f22854ddb7b615fac4c85eca1ce824f96a33341c0f7

See more details on using hashes here.

File details

Details for the file pymobiledevice3-1.0-py3-none-any.whl.

File metadata

  • Download URL: pymobiledevice3-1.0-py3-none-any.whl
  • Upload date:
  • Size: 51.1 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.4.1 importlib_metadata/3.10.1 pkginfo/1.7.0 requests/2.25.1 requests-toolbelt/0.9.1 tqdm/4.60.0 CPython/3.9.4

File hashes

Hashes for pymobiledevice3-1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 2b07b917cc4ca612a56dee7293f0ffea47d55e0beb6d4f4e5cfc701a2b9b1eb5
MD5 9a49436e85a42fdfdf70bccc7f23f11d
BLAKE2b-256 e58e0de162661542f1866797102b98c267c5cfad1b686f68c417596c66143a73

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page