
My project right now is reverse engineering iMessage. And I don’t mean a half-usable PoC that only works with Macs. I mean the real thing: a fully open demo that can run on any computer.

Sounds far-fetched? It really isn’t. When you get down to it, iMessage isn’t that complex. I should be able to get it working soon! knocks on wood

First and foremost, here’s the repo where I’m experimenting and the Hack Different Discord where I’m working on this in real time.

Prior Art

Everyone knows what iMessage is, but not many know how it works. A few people have done research on this before, and I’ve heavily borrowed from them. Here’s an incomplete list:

Construction

So, the iMessage protocol. Here’s what happens when a device is first setting up:

  1. The device asks Albert for a “push certificate”. Basically, it uses a key obfuscated in the binary itself to prove to Albert that this is “legitimate Apple software”. I defeated this about 2 weeks ago.
  2. The device connects to Apple Push Notification Service using the aforementioned push certificate. It receives a “push token” which allows notifications to be routed to it.
  3. The device uses Grand Slam Authentication to authenticate the user’s Apple ID and receives a “Password Equivalent Token (PET)”. I wrote something for this last year.
  4. The device makes a request to the iCloud Setup server to exchange the PET for an IDS “authentication token”.
  5. The device uses the IDS “authentication token” to receive an “authentication certificate” for the user’s account.
  6. The device sends a registration request to IDS (signed by both the “authentication certificate” and the “push certificate”) containing its new public keys and other public information. In exchange, it receives an “IDS certificate” which it can then use to perform lookup requests. Additionally, this information is public and can be looked up by other users.

This is a new way of writing blog posts, where I slowly add to them over time. Hopefully it means that even if I get distracted, it’s still useful for others.
