Metadata-Version: 2.1
Name: pymobiledevice
Version: 2.0.0
Summary: python implementation for libimobiledevice library
Home-page: https://github.com/doronz88/pymobiledevice
Author: DoronZ
Project-URL: pymobiledevice Documentation, https://github.com/iOSForensics/pymobiledevice
Classifier: Programming Language :: Python :: 3.7
Classifier: Programming Language :: Python :: 3.8
Classifier: Programming Language :: Python :: 3.9
Description-Content-Type: text/markdown
License-File: LICENSE.txt
Requires-Dist: M2Crypto
Requires-Dist: construct>=2.9.29
Requires-Dist: pyasn1
Requires-Dist: termcolor
Requires-Dist: click
Requires-Dist: coloredlogs
Requires-Dist: IPython
Requires-Dist: bpylist2
Requires-Dist: pygments

# Description

[![GitHub license](https://img.shields.io/cran/l/devtools.svg)](LICENSE)

`pymobiledevice3` is a fork from `pymobiledevice`, which is a cross-platform implementation of the mobiledevice library
that talks the protocols to support iPhone®, iPod Touch®, iPad® and Apple TV® devices.

This version uses more recent coding standards.

# Installation

```shell
git clone git@github.com:doronz88/pymobiledevice3.git
cd pymobiledevice3
python3 -m pip install --user -U -e .
```

# Usage

```
Usage: pymobiledevice3 [OPTIONS] COMMAND [ARGS]...

Options:
  --help  Show this message and exit.

Commands:
  afc           FileSystem utils
  config        configuration options
  crash         crash utils
  diagnostics   diagnostics options
  lockdown      lockdown options
  notification  API for notify_post() & notify_register_dispatch().
  pcap          sniff device traffic
  ps            show process list
  screenshot    take a screenshot in TIFF format
  syslog        syslog options
  developer     Developer options
```

![](example.gif)

# Lockdown services

Support | Service | Process | Description
--------|---------|---------|----------------------
DONE |  `com.apple.afc` | `/usr/libexec/afcd --xpc -d /private/var/mobile/Media` | File access for `/var/mobile/Media`
DONE | `com.apple.crashreportcopymobile` | `/usr/libexec/afcd --xpc--service-name com.apple.crashreportcopymobile -d /private/var/mobile/Library/Logs/CrashReporter` | File access for `/var/mobile/Library/Logs/CrashReports`
DONE | `com.apple.pcapd` | `/usr/libexec/pcapd` | Sniff device's network traffic
DONE | `com.apple.mobile.screenshotr` | | Take screenshot in TIFF format
DONE | `com.apple.syslog_relay` | `/usr/libexec/diagnosticd` | Just streams syslog lines as raw strings
DONE | `com.apple.os_trace_relay` | `/usr/libexec/diagnosticd` | More extensive syslog monitoring
DONE | `com.apple.mobile.diagnostics_relay` | `com.apple.mobile.diagnostics_relay` | General diagnostic tools
DONE | `com.apple.mobile.notification_proxy` | `/usr/libexec/notification_proxy` | API wrapper for `notify_post()` & `notify_register_dispatch()`
DONE | `com.apple.crashreportmover` | `/usr/libexec/crash_mover` | Just trigger `crash_mover` to move all crash reports into crash directory
DONE | `com.apple.mobile.MCInstall` | `/usr/libexec/mc_mobile_tunnel` | Profile management
In Progress | `com.apple.instruments.remoteserver.DVTSecureSocketProxy` | `/Developer/Library/PrivateFrameworks/DVTInstrumentsFoundation.framework/DTServiceHub` | Developer instrumentation service
Not yet | `com.apple.atc` | `/usr/libexec/atc` | Profile management related
Not yet | `com.apple.mobile.assertion_agent` | `/usr/libexec/mobile_assertion_agent` | Create power assertion to prevent different kinds of sleep
Not yet | `com.apple.ait.aitd` | `/usr/libexec/atc`
Not yet | `com.apple.hpd.mobile` | `/usr/libexec//usr/libexec/hpd --lockdown -d /var/mobile/Media/HighlandPark -u mobile`
Not yet | `com.apple.iosdiagnostics.relay` | `/usr/libexec/ios_diagnostics_relay`
Not yet | `com.apple.misagent` | `/usr/libexec/misagent`
Not yet | `com.apple.mobile.MDMService` | `/usr/libexec/MDMService`
Not yet | `com.apple.mobile.debug_image_mount` | `/usr/libexec/debug_image_mount`
Not yet | `com.apple.mobile.file_relay` | `/usr/libexec/mobile_file_relay` | File access for iOS <= 8
Not yet | `com.apple.mobile.heartbeat` | `/usr/libexec/lockdownd`
Not yet | `com.apple.mobile.house_arrest` | `/usr/libexec/mobile_house_arrest`
Not yet | `com.apple.mobile.insecure_notification_proxy` | `/usr/libexec/notification_proxy -i` | API wrapper for `notify_post()` & `notify_register_dispatch()` from whitelist
Not yet | `com.apple.mobile.installation_proxy` | `/usr/libexec/mobile_installation_proxy`
Not yet | `com.apple.mobile.mobile_image_mounter` | `/usr/libexec/mobile_storage_proxy`
Not yet | `com.apple.mobilebackup` | `/usr/libexec/BackupAgent --lockdown`
Not yet | `com.apple.mobilebackup2` | `/usr/libexec/BackupAgent2 --lockdown`
Not yet | `com.apple.mobilesync` | `/usr/libexec/SyncAgent --lockdown --oneshot -v`
Not yet | `com.apple.purpletestr` | `/usr/libexec/PurpleTestr --lockdown --oneshot`
Not yet | `com.apple.radios.wirelesstester.mobile` | `/usr/local/bin/WirelessTester -l 1 -o /var/mobile/WirelessTester_mobile.log`
Not yet | `com.apple.radios.wirelesstester.root` | `/usr/local/bin/WirelessTester -l 1 -o /var/mobile/WirelessTester_mobile.log`
Not yet | `com.apple.rasd` | `/usr/libexec/rasd`
Not yet | `com.apple.springboardservices` | `/usr/libexec/springboardservicesrelay`
Not yet | `com.apple.thermalmonitor.thermtgraphrelay` | `/usr/libexec/thermtgraphrelay`
Not yet | `com.apple.webinspector` | `/usr/libexec/webinspectord`

## `com.apple.instruments.remoteserver.DVTSecureSocketProxy`

Exports several ObjC objects and allows calling their respective selectors.
The `/Developer/Library/PrivateFrameworks/DVTInstrumentsFoundation.framework/DTServiceHub` service reads the
configuration stored from `[[NSUserDefaults standardUserDefaults] boolForKey:@"DTXConnectionTracer"]`
If the value is true, then `/tmp/DTServiceHub[PID].DTXConnection.RANDOM.log` is created and can be used to debug the
transport protocol.

For example:

```
root@iPhone (/var/root)# tail -f /tmp/DTServiceHub[369].DTXConnection.qNjM2U.log
170.887982 x4 resuming [c0]: <DTXConnection 0x100d20670 : x4>
170.889120 x4   sent   [c0]: < DTXMessage 0x100d52b10 : i2.0 c0 dispatch:[_notifyOfPublishedCapabilities:<NSDictionary 0x100d0e1b0 | 92 key/value pairs>] >
170.889547 x4 received [c0]: < DTXMessage 0x100d0a550 : i1.0 c0 dispatch:[_notifyOfPublishedCapabilities:<NSDictionary 0x100d16a40 | 2 key/value pairs>] >
170.892101 x4 received [c0]: < DTXMessage 0x100d0a550 : i3.0e c0 dispatch:[_requestChannelWithCode:[1]identifier :"com.apple.instruments.server.services.deviceinfo"] >
170.892238 x4   sent   [c0]: < DTXMessage 0x100d61830 : i3.1 c0 >
170.892973 x4 received [c1f]: < DTXMessage 0x100d0a550 : i4.0e c1 dispatch:[runningProcesses] >
171.204957 x4   sent   [c1f]: < DTXMessage 0x100c557a0 : i4.1 c1 object:(__NSArrayM*)<NSArray 0x100c199d0 | 245 objects> { <NSDictionary 0x100c167c0 | 5 key/value pairs>, <NSDictionary 0x100d17970 | 5 key/value pairs>, <NSDictionary 0x100d17f40 | 5 key/value pairs>, <NSDictionary 0x100d61750 | 5 key/value pairs>, <NSDictionary 0x100c16760 | 5 key/value pairs>, ...  } >
171.213326 x4 received [c0]: < DTXMessage : kDTXInterruptionMessage >
171.213424 x4  handler [c0]: < DTXMessage : i1 kDTXInterruptionMessage >
171.213477 x4 received [c1f]: < DTXMessage : kDTXInterruptionMessage >
```

For editing the configuration we can simply add the respected key into:
`/var/mobile/Library/Preferences/.GlobalPreferences.plist` and kill `cfprefsd`

The valid selectors for triggering can be found using the following Frida
script the same way Roy Bowman used for iterating all classes which implement
the protocol `DTXAllowedRPC`:

```shell
frida -U DTServiceHub
```

```javascript
for (var name in ObjC.protocols) {
  var protocol = ObjC.protocols[name]
  if ('DTXAllowedRPC' in protocol.protocols) {
    console.log('@protocol', name)
    console.log('  ' + Object.keys(protocol.methods).join('\n  '))
  }
}
```

The complete list for the following XCode versions can be found in:
* [12.4](./DTServices-12.4.txt)

## `com.apple.os_trace_relay`

Provides API for the following operations:
* Show process list (process name and pid)
* Stream syslog lines in binary form with optional filtering by pid.
* Get old stored syslog archive in PAX format (can be extracted using `pax -r < filename`).
    * Archive contain the contents are the `/var/db/diagnostics` directory

## `com.apple.mobile.diagnostics_relay`

Provides an API to:
* Query MobileGestalt & IORegistry keys.
* Reboot, shutdown or put the device in sleep mode. 

## `com.apple.mobile.file_relay`

On older iOS versions, this was the main relay used for file operations, which was
later replaced with AFC.

## `com.apple.pcapd`

Starting iOS 5, apple added a remote virtual interface (RVI) facility that allows mirroring networks trafic from an iOS
device. On Mac OSX the virtual interface can be enabled with the rvictl command. This script allows to use this service
on other systems.
