Finding a way to extract the P12 Passwords
Given the high amount of logging in the application, I figured I could divert the key that is extracted from the DateTransform method to an NSLog command and view the password via the "iPhone Configuration Utility".
Looking at the "extractClientCertInfo_withDateInfo_withSecIdentity_withClientCerts__" method, I see that there is an NSLog for an error case: "Client certification identity extraction error %d"
Now we simply need to divert the decrypted key to the NSLog...
Patching the application to output the cdata.p12 password...
NOTE: TCPConnection.UseSSL() uses cdata and it has its own cdata.p12 file with its own crypto info
; ISSUE: cdata.p12 uses a passphrase determined by SUtils."dateTransform:other:"("\x02\\|X\x02u\x1B\x06\x14O{c","a$+5")
; Advanced encryption algorithm used in dateTransform:other, need to find a way to dump it in a debugger or in log
; The point where the key is passed into extractClientCertInfo_withDateInfo_withSecIdentity_withClientCerts__ is a good spot
; R2 = "cdata";
; R3 = Passphrase, put into R10, then into R0 before calling sub_1104C4
; Need to make later log "Client certification identity extraction error %d" output this data
Step 1: Open Quicksilver in a hex editor
Step 2: Find ASCII Text "Client certification identity extraction error %d" and change the "%d" to "%@"
Step 3: Find the "MOV R0, R10" (0x10F5EC) that sends the passphrase into sub_1104c4, change it to "MOV R4, R10"
Find:
0x10F5EC MOV R0, R10 0x5046 (reverse endian)
; MOV from R8-15 to R0-7 is MOV Rd, Hs, Op=10, H1=0, H2=1
Hi Register Operations | OP | H1 | H2 | Hs = R10 (relative to R8) | Rd (relative to R0)
-------------------------------------------------------------------------------------
010001                 | 10 | 0  | 1  | 010                       | 000 (R0)   EXISTING
46 | 50
-------------------------------------------------------------------------------------
010001                 | 10 | 0  | 1  | 010                       | 100 (R4)   NEW
46 | 54
-------------------------------------------------------------------------------------
Replace with:
0x10F5EC MOV R4, R10 0x5446 (reverse endian)
Step 4: Find the "BL sub_1104c4 [10F4C4]" (10F5F2) [-302] and change it to "BL 10F610"
Find:
0x10F5F2 BL sub_1104c4 0xFFF7 67FF
F7FF = 11110 11111111111 = High offset of 111111111111 000000000000
FF67 = 11111 11101100111 = Low offset of 000000000000 111011001110
Combining them = 111111111111 111011001110 = -306
The branch offset must take account of the prefetch operation, which causes the PC
to be 1 word (4 bytes) ahead of the current instruction
; Long branch with link - 1111, 2 instructions will be made, the first with the higher half of the offset,
; the second with the lower half. The lowest bit of the offset is assumed to be 0
KEY  | Low Offset flag | Half of Offset
-------------------------------------------------------------------------------------
1111 | 0               | 11111111111   EXISTING
1111 | 1               | 11101100111   EXISTING
-------------------------------------------------------------------------------------
1111 | 0               | 00000000000   NEW
1111 | 1               | 00000001101   NEW
-------------------------------------------------------------------------------------
Replace with:
Current pointer = 10F5F2
Desired Pointer = 10F610
Offset = 0x1E (d30)
Subtract 4 because of prefetch = 1A
Binary representation = 11010
High Offset = 00000000000
Low Offset = 00000001101
First Jump = 1111 0 00000000000 = 0xF000
Second Jump = 1111 1 00000001101 = 0xF80D
0x10F5F2 BL 10F610 0x00F0 0DF8
Step 5: Run program, try to connect to Tivo on local network. Once it fails, look through NSLog for our key
Output: "Client certification identity extraction error cxWmcQ03ukPV"
WE HAVE OUR KEY! This will unlock cdata.p12 which can be used to communicate with the Tivos!
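As a check on the encoding arithmetic in Steps 3 and 4, the following added example (not code from the original post) decodes the original and patched bytes quoted above back into Thumb instructions. The function names are illustrative; the byte values and addresses are the ones given in the post.

```python
import struct

def sign_extend(value, bits):
    """Read the low `bits` bits of value as a two's-complement number."""
    sign = 1 << (bits - 1)
    return (value & (sign - 1)) - (value & sign)

def decode_bl(raw, addr):
    """Return the target of the 4-byte Thumb BL pair stored at addr."""
    hi, lo = struct.unpack("<HH", raw)          # two little-endian halfwords
    if hi >> 11 != 0b11110 or lo >> 11 != 0b11111:
        raise ValueError("not a Thumb BL pair")
    # High half supplies offset bits 22..12, low half bits 11..1; bit 0 is 0.
    offset = sign_extend(((hi & 0x7FF) << 12) | ((lo & 0x7FF) << 1), 23)
    return addr + 4 + offset                    # PC is 4 bytes ahead (prefetch)

def decode_mov_hi(raw):
    """Return (Rd, Rs) for a 2-byte Thumb hi-register MOV."""
    (insn,) = struct.unpack("<H", raw)
    if insn >> 10 != 0b010001 or (insn >> 8) & 0b11 != 0b10:
        raise ValueError("not a hi-register MOV")
    h1, h2 = (insn >> 7) & 1, (insn >> 6) & 1   # H flags add 8 to the register number
    return (insn & 7) | (h1 << 3), ((insn >> 3) & 7) | (h2 << 3)

def describe(raw, addr):
    """Render 2 or 4 instruction bytes at addr as assembly text."""
    if len(raw) == 4:
        return "BL 0x%X" % decode_bl(raw, addr)
    return "MOV R%d, R%d" % decode_mov_hi(raw)

# (address, original bytes, patched bytes) as quoted in the post, in file order.
PATCHES = [
    (0x10F5EC, "5046", "5446"),
    (0x10F5F2, "FFF767FF", "00F00DF8"),
]

def explain_patches(patches=PATCHES):
    """Decode each original/patched byte pair into before/after instructions."""
    return [("0x%X" % addr,
             describe(bytes.fromhex(old), addr),
             describe(bytes.fromhex(new), addr))
            for addr, old, new in patches]

if __name__ == "__main__":
    for addr, before, after in explain_patches():
        print(addr, before, "->", after)
```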
What was inside cdata.p12?
- Tivo Mind Sub CA issued by Tivo Inc. CA
- Tivo Inc. CA issued by Tivo Inc. CA
- 00000003976 issued by Tivo Mind Sub CA (marked for Client Authentication)
- Apple iPhone Device CA issued by Apple iPhone Device CA
Patching Application to retrieve the ssdata.p12 password
NOTE: Transcoder.didReceiveAuthenticationChallenge() uses ssdata and it has its own ssdata.p12 file with its own crypto info
; ISSUE: ssdata.p12 uses a passphrase determined by SUtils."dateTransform:other:"("/MyW3}O aoG","x$+2")
Arg1 is stored in 0x3C58E3, pointer to this data at 0x590238
Arg2 is stored in 0x3C58F0, pointer to this data at 0x590248
; Override these MOV commands to point to the pointers for our data arguments listed above
MOV R3, (off_4B2078 - 0x27AE6) ; off_4B2078 ; Arg2
MOV R2, (off_4B2074 - 0x27AE8) ; off_4B2074 ; Arg1
MOVW R1, #0x8082
ADD R3, PC ; off_4B2078 ; Arg2
ADD R2, PC ; off_4B2074 ; Arg1
MOVT.W R1, #0x50
MOV R6, (classRef_SUtils - 0x27AFC) ; classRef_SUtils
LDR R3, [R3] ; off_59E13C ; Arg2
LDR R2, [R2] ; off_59E10C ; Arg1
ADD R1, PC ; selRef_dateTransform_other_
ADD R6, PC ; classRef_SUtils
STR R0, [SP,#0x24+var_18]
LDR R1, [R1] ; "dateTransform:other:"
LDR R2, [R2] ; Arg1
LDR R0, [R6] ; _OBJC_CLASS_$_SUtils
LDR R3, [R3] ; Arg2
BLX _objc_msgSend
MOVW R1, #0x8062
Step 1: Using existing CDATA changes...
Step 2: Override data at cfstr_A5 (0x58CA08) reference to aA5 (0x3AE773) ["a$+5"] to aX2 (0x3C58F0) ["x$+2"]
Existing:
off_4B2078 = *off_59E13C = *cfstr_A5 = String Reference aA5 (length 4) @ 0x3AE773 = a$+5
New:
String Reference aX2 (length 4) @ 0x3C58F0
Change value @ 0x3AE773 from 61 24 2B 35 00
to 78 24 2B 32 00
Step 3: Override data at stru_58D948 (0x58C948) reference to aXUOC (0x3AE6D3) ["\x02\\|X\x02u\x1B\x06\x14O{c"] to aMyw3O (0x3C58E3) ["/MyW3}O aoG"]
Existing:
off_4B2074 = *off_59E10C = *stru_58D948 = String reference aXUOC (length 0xC) @ 0x3AE6D3 = "\x02\\|X\x02u\x1B\x06\x14O{c"
New:
String Reference aMyw3O (length 0xC) @ 0x3C58E3 = "/MyW3}O aoG"
Change value @ 0x3AE6D3 from 02 5C 7C 58 02 75 1B 06 14 4F 7B 63 00
to 2F 4D 79 57 33 7D 4F 04 1A 61 6F 47 00 (2F4D7957337D4F041A616F4700)
Step 4: Run program, try to connect to Tivo on local network. Once it fails, look through NSLog for our key
Output: "Client certification identity extraction error WiReKYd6bEDu"
WE HAVE OUR KEY! This will unlock ssdata.p12 which can be used to communicate with the Tivos!
What was inside ssdata.p12?
- 00000004063 issued by Tivo Mind Sub CA (marked for Client Authentication)
Now that we have these passkeys, let's find some useful ways to use them...
This certificate expires in a few weeks. There is a new one in the current app. Have you considered applying this logic to the new cert?