This is not a tutorial, just a small guide for myself, but feel free to pick up some info here.
Working on an iPhone 7 running iOS 14.5.1.
1. Jailbreak an iPhone/iPad/whatever.
2. If necessary, you'll need to bypass jailbreak detection for some apps with tweaks like
3. Get the PID of the app you want to capture traffic from with `frida-ps -Ua` (`-a` is for showing running apps only; you can use `-U` alone to show all running processes instead).
4. Run a traffic capture tool like `tcpdump`. I've used the Airtool 2.app with the Capture iPhone Packet Trace feature. I find it easy to use, but `tcpdump -i rvi0` is very much the same thing (`rvi0` being the remote virtual interface of the USB-attached device).
5. At the same time, run frida with
`frida -U -p PID --codeshare AkdM/ios14-tls-keylogger -o dump.keylog`
Make sure to replace `PID` with the PID you got in 3., obviously. The codeshare I've created is based on the one from Andy Davies, but with the offset of the keylog_callback pointer from iOS 14.x. I found the `0x2b8` offset in the comments of his article, as I am not the best guy at using a disassembler 👀
6. Once you've played a little bit with the app, you should see some logs, like the following:

```
> frida -U -p 5107 --codeshare AkdM/ios14-tls-keylogger -o dump.keylog
     ____
    / _  |   Frida 15.0.14 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://frida.re/docs/home/

[iPhone::PID::5107]-> CLIENT_RANDOM REDACTEDb14aada3d46499f7a0d19779a5ed8b4fd0a59REDACTED REDACTED2c2ae6e52d09228f40857ee9d669e8b0c5f2b99e1a90218c7fc373740bf19fca4edREDACTED
CLIENT_RANDOM fff90REDACTEDfa42cc9dece46fb2376cb3df0c24080b9REDACTED 8420f7ec9REDACTEDd669e8b0c5f2b99e1a90218c7fc373REDACTEDe956c1a1b0666593e
CLIENT_RANDOM 72f2aafc3REDACTED709d18e732372960f183738fREDACTEDad02bc8 800f49REDACTEDe0bc217974e928REDACTEDf8887c2ee70ee34c8c4d7a3bafea945cffe1ab297c2c4
```

7. Quit. Open up Wireshark, set `Preferences > Protocols > TLS > (Pre)-Master-Secret log filename` to your `dump.keylog`, import the `.pcapng`/`.pcap` capture of the app and voilà, you'll get a Decrypted TLS tab in some packets.
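A small sanity check I'm adding here (not part of the original post or of the codeshare) for the `dump.keylog` before handing it to Wireshark: it keeps only well-formed `CLIENT_RANDOM` entries (32-byte random, 48-byte master secret, which is what the TLS dissector expects for TLS 1.2), reports anything else, and tells you which ClientHello randoms from your capture actually have a secret. The sample log below is constructed, not real key material.

```python
import re
from typing import Dict, List, Tuple

# The only label the frida output above emits, in the NSS key log format that
# Wireshark's TLS dissector reads for TLS 1.2: a 32-byte client random and a
# 48-byte master secret, both hex. TLS 1.3 uses other labels and is not handled.
KEYLOG_ENTRY = re.compile(
    r"CLIENT_RANDOM\s+([0-9a-fA-F]{64})\s+([0-9a-fA-F]{96})(?![0-9a-fA-F])"
)


def parse_keylog(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Map client_random -> master_secret; also return every line that is not a
    well-formed entry (REPL banner, truncated hex, ...) so nothing is lost silently."""
    keys: Dict[str, str] = {}
    rejected: List[str] = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = KEYLOG_ENTRY.search(line)  # search, not match: tolerate a leading REPL prompt
        if m is None:
            rejected.append(line)
            continue
        keys[m.group(1).lower()] = m.group(2).lower()
    return keys, rejected


def decryptable_sessions(keys: Dict[str, str], client_randoms: List[str]):
    """Split ClientHello randoms seen in the capture into those with a logged
    secret (Wireshark can decrypt) and those without (e.g. opened before the hook)."""
    wanted = [r.lower() for r in client_randoms]
    return [r for r in wanted if r in keys], [r for r in wanted if r not in keys]


def clean_keylog(keys: Dict[str, str]) -> str:
    """Re-emit only the valid entries, ready for the Wireshark preference."""
    return "".join(f"CLIENT_RANDOM {r} {s}\n" for r, s in keys.items())


# Constructed sample: frida banner noise, a prompt-prefixed entry, a clean
# entry and a truncated one (secret only 20 bytes). Not real key material.
SAMPLE_KEYLOG = "\n".join([
    "     ____",
    "    / _  |   Frida 15.0.14 - A world-class dynamic instrumentation toolkit",
    "[iPhone::PID::5107]-> CLIENT_RANDOM " + "a1" * 32 + " " + "b2" * 48,
    "CLIENT_RANDOM " + "c3" * 32 + " " + "d4" * 48,
    "CLIENT_RANDOM " + "e5" * 32 + " " + "f6" * 20,
])

if __name__ == "__main__":
    keys, rejected = parse_keylog(SAMPLE_KEYLOG)
    print(f"{len(keys)} usable entries, {len(rejected)} rejected lines")
    print(clean_keylog(keys), end="")
```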
Much based on Andy Davies' work (thanks to him!):