Vault7: CIA Hacking Tools Revealed
Navigation: » Latest version
Owner: User #15728648
Reverse Engineering
Place guides / tips / general information on reverse engineering iOS-related binaries / protocols / etc.
Lockdownd
Overview
Lockdownd is a daemon on the device that provides services for interacting with an iOS device. Some of these services include:
Service Name | Description |
---|---|
afc |
Apple File Conduit, used by iTunes to exchange files(mostly Media, like photos and videos) between the device |
syslog_relay |
System Log Relay, used by Xcode to display the syslog from the device. You can see this in action in Xcode by going to Xcode -> Devices |
diagnostics_relay |
Retrieves device information, as well as power-related functions like sleeping, restarting, and shutdown. See https://github.com/Cykey/ios-reversed-headers/blob/master/MobileGestalt/MobileGestalt.h for various keys you can use to retrieve device information. |
In iOS 8, these services are defined in an xml file(known by Apple as a plist file) within the /usr/libexec/lockdownd binary.
It is embedded inside of a section of the binary itself, and can be extracted by doing the following:
# this will show you the sections of the MachO binary.
# as of iOS 8, the services are defined in the __TEXT Segment, __services section.
$ xcrun otool -lv lockdownd
$ xcrun segedit lockdownd -extract __TEXT __services services.plist
In iOS 7, the services were defined in a separate plist file, located in /System/Libary/Lockdown/Services.plist.
Communicating With Lockdownd
To establish a connection with lockdownd, you use the MobileDevice framework(located in /System/Library/PrivateFrameworks.framework/Versions/A/MobileDevice on OSXApple operating system). The MDF tool enables you to interface with it via Python.