Well, kindof at least…
Since Apple’s iPhone is basically a stripped down MacosX and it has some nice toys to play with, I thought I’d give the provided python port a try and fire up the OSSIM agent. As expected everything worked like a charm and getting ossim up & running was very easy. Here is the rest of it.
Next thing was the logs. By default syslog isn’t logging on the device, so you have to enable it manually. A bit of googling did the job and I quickly were able to find how to do this:
- Copy /etc/syslogd.conf from any mac
- Break /System/Library/LaunchDaemons/apple.com.syslogd with random text so it doesn’t get loaded
- Restart the phone (just killing syslog should work too) and run /usr/sbin/syslogd -bsd_out 1 &
Voila, syslog up & running.
Now the fun part. Looking at what kind of events the iphone generated I thought maybe this little toy may deserve a plugin on it’s own. So after some poking around I came up with a small list of interesting events:
- Dec 1 17:33:03 localhost /usr/sbin/mediaserverd: In H264 decode frame thread the first time
- Dec 1 17:36:19 localhost YouTube[189]: clearing out queue
- Dec 1 17:37:26 localhost crashdump[199]: Creating crash report for process vi[192]
- Dec 1 17:40:25 localhost MobileSMS[219]: SummerBoardLoader: SummerBoardService available.
- Dec 1 17:47:32 localhost MobileCal[235]: SummerBoardLoader: SummerBoardService available.
- Dec 1 17:51:29 localhost SpringBoard[15]: Memory level is urgent (10), but there are no apps to warn!
- Dec 1 17:54:14 localhost MobileMusicPlayer[50]: initializeMainUI, Role = 2 (MediaPlayer)
- Dec 1 17:55:23 localhost Installer[51]: ATInstaller: Initializing…
- Dec 1 17:55:29 localhost Installer[51]: ATPackageManager: Refreshing source: http://conceitedsoftware.com/iphone/
- Dec 1 17:56:30 localhost Installer[51]: ATPackageManager: Perfoming operation “Install” on package “Tapp”...
- Dec 1 18:25:02 localhost Installer[58]: ATPackageManager: Queued package “Tapp” for operation “Uninstall”.
- Dec 1 17:56:30 localhost Installer[51]: ATUnpacker: Extracting folder: Tapp.app/ >> /Applications/Tapp.app
- Dec 1 17:56:31 localhost Installer[51]: ATUnpacker: Extracting file: Tapp.app/TableApp >> /Applications/Tapp.app/TableApp
- Dec 1 18:25:02 localhost Installer[58]: Executing script instruction: RemovePath with arguments (”/Applications/Tapp.app”)
- Dec 1 17:58:47 localhost MobileBluetooth[12]: Session::attach “com.apple.mobilephone1014721381”
So, after a rainy afternoon I had my fully working iphone plugin.
See it in action on the following screens:
(image removed, broken link, I'm very sorry. DK.)
Could have some interesting big brother uses… and the good thing is, if the agent has no connection to the server it will queue up the events and send them the next time it can reach it.
And for the end, a quick proof of concept screenshot
2007-12-01 19:03:29,366 Conn [DEBUG]: event type="detector" date="2007-12-01 17:58:34" sensor="127.0.0.1"
interface="any" plugin_id="4006" plugin_sid="4" protocol="tcp" src_ip="127.0.0.1" userdata1="MobilePhone"
userdata2="55" log="Dec 1 17:58:34 localhost MobilePhone[55]: SummerBoardLoader: SummerBoardService
available."
^C2007-12-01 19:03:31,192 Agent [WARNING]: Kill signal received, exiting..
2007-12-01 19:03:31,200 Conn [INFO]: Closing server connection..
2007-12-01 19:03:31,210 Stats [INFO]:
-------------------------
Agent execution summary:
+ Startup date: Sat Dec 1 19:03:10 2007
+ Shutdown date: Sat Dec 1 19:03:31 2007
+ Total events: 66 (Detector: 66, Monitor: 0)
- plugin_id 4006: 66
+ Apps restarted by watchdog: 0
+ Server reconnection attempts: 0
-------------------------
2007-12-01 19:03:31,224 Stats [INFO]: Agent statistics written in /var/log/ossim/agent_stats.log
zsh: killed ./ossim-agent -v
# uname -a
Darwin iPhone 9.0.0d1 Darwin Kernel Version 9.0.0d1: Wed Sep 19 00:08:43 PDT 2007;
root:xnu-933.0.0.203.obj~21/RELEASE_ARM_S5L8900XRB iPhone1,1 Darwin
#
