Can't connect to Mobile Safari in iOS Simulator using Node

Question

I'm trying to emulate the message exchange between Safari & Mobile Safari when remote debugging (using Node).

I've sniffed the traffic between the two; they're exchanging binary plists over TCP. I've managed to replicated the packets up to the point where a particular tab is chosen for debugging ("socket setup"), but after this Mobile Safari ignores my plist instructions and instead sends back a listing.

Here's the raw tcpdump of the socket setup packet Safari is sending, and a JSON representation of the plist it contains:

10:36:42.318662 IP6 localhost.58028 > localhost.27753: Flags [P.], seq 1601:1930, ack 803, win 9125, options [nop,nop,TS val 69074378 ecr 69074378], length 329
0x0000:  6000 0000 0169 0640 0000 0000 0000 0000  `....i.@........
0x0010:  0000 0000 0000 0001 0000 0000 0000 0000  ................
0x0020:  0000 0000 0000 0001 e2ac 6c69 344e 2443  ..........li4N$C
0x0030:  4e32 497b 8018 23a5 0171 0000 0101 080a  N2I{..#..q......
0x0040:  041d fdca 041d fdca 6270 6c69 7374 3030  ........bplist00
0x0050:  d201 0203 0c5a 5f5f 6172 6775 6d65 6e74  .....Z__argument
0x0060:  5a5f 5f73 656c 6563 746f 72d4 0405 0607  Z__selector.....
0x0070:  0809 0a0b 5f10 1b57 4952 4170 706c 6963  ...._..WIRApplic
0x0080:  6174 696f 6e49 6465 6e74 6966 6965 724b  ationIdentifierK
0x0090:  6579 5f10 1a57 4952 436f 6e6e 6563 7469  ey_..WIRConnecti
0x00a0:  6f6e 4964 656e 7469 6669 6572 4b65 795c  onIdentifierKey\
0x00b0:  5749 5253 656e 6465 724b 6579 5f10 1457  WIRSenderKey_..W
0x00c0:  4952 5061 6765 4964 656e 7469 6669 6572  IRPageIdentifier
0x00d0:  4b65 795f 1016 636f 6d2e 6170 706c 652e  Key_..com.apple.
0x00e0:  6d6f 6269 6c65 7361 6661 7269 5f10 2441  mobilesafari_.$A
0x00f0:  3535 3134 3645 372d 3244 4544 2d34 3832  55146E7-2DED-482
0x0100:  412d 3839 3133 2d31 3033 3337 4537 4634  A-8913-10337E7F4
0x0110:  3330 465f 1024 3230 3041 3935 3146 2d30  30F_.$200A951F-0
0x0120:  3839 432d 3445 3741 2d41 3642 322d 3331  89C-4E7A-A6B2-31
0x0130:  4235 4432 3737 4341 3635 1001 5f10 185f  B5D277CA65.._.._
0x0140:  7270 635f 666f 7277 6172 6453 6f63 6b65  rpc_forwardSocke
0x0150:  7453 6574 7570 3a00 0800 0d00 1800 2300  tSetup:.......#.
0x0160:  2c00 4a00 6700 7400 8b00 a400 cb00 f200  ,.J.g.t.........
0x0170:  f400 0000 0000 0002 0100 0000 0000 0000  ................
0x0180:  0d00 0000 0000 0000 0000 0000 0000 0001  ................
0x0190:  0f                                       .

{ __argument: 
  { WIRApplicationIdentifierKey: 'com.apple.mobilesafari',
    WIRConnectionIdentifierKey: 'A55146E7-2DED-482A-8913-10337E7F430F',
    WIRSenderKey: '200A951F-089C-4E7A-A6B2-31B5D277CA65',
    WIRPageIdentifierKey: 1 },
  __selector: '_rpc_forwardSocketSetup:' }

And what I'm sending with JSON plist:

16:39:18.669088 IP6 localhost.63836 > localhost.27753: Flags [P.], seq 413:742, ack 1, win 9175, options [nop,nop,TS val 89654016 ecr 89654016], length 329
0x0000:  6000 0000 0169 0640 0000 0000 0000 0000  `....i.@........
0x0010:  0000 0000 0000 0001 0000 0000 0000 0000  ................
0x0020:  0000 0000 0000 0001 f95c 6c69 0226 fab5  .........\li.&..
0x0030:  6fff d8d3 8018 23d7 0171 0000 0101 080a  o.....#..q......
0x0040:  0558 0300 0558 0300 6270 6c69 7374 3030  .X...X..bplist00
0x0050:  d201 0203 0c5a 5f5f 6172 6775 6d65 6e74  .....Z__argument
0x0060:  5a5f 5f73 656c 6563 746f 72d4 0405 0607  Z__selector.....
0x0070:  0809 0a0b 5f10 1b57 4952 4170 706c 6963  ...._..WIRApplic
0x0080:  6174 696f 6e49 6465 6e74 6966 6965 724b  ationIdentifierK
0x0090:  6579 5f10 1a57 4952 436f 6e6e 6563 7469  ey_..WIRConnecti
0x00a0:  6f6e 4964 656e 7469 6669 6572 4b65 795c  onIdentifierKey\
0x00b0:  5749 5253 656e 6465 724b 6579 5f10 1457  WIRSenderKey_..W
0x00c0:  4952 5061 6765 4964 656e 7469 6669 6572  IRPageIdentifier
0x00d0:  4b65 795f 1016 636f 6d2e 6170 706c 652e  Key_..com.apple.
0x00e0:  6d6f 6269 6c65 7361 6661 7269 5f10 2465  mobilesafari_.$E
0x00f0:  3962 6431 6564 312d 6164 3161 2d34 6266  9BD1ED1-AD1A-4BF
0x0100:  302d 6238 3066 2d61 3331 3136 3962 6434  0-B80F-A31169BD4
0x0110:  3431 315f 1024 6630 3538 6663 3761 2d63  411_.$F058FC7A-C
0x0120:  6232 332d 3465 3339 2d61 6535 312d 3734  B23-4E39-AE51-74
0x0130:  6363 3730 6333 6262 3033 1001 5f10 185f  CC70C3BB03.._.._
0x0140:  7270 635f 666f 7277 6172 6453 6f63 6b65  rpc_forwardSocke
0x0150:  7453 6574 7570 3a00 0800 0d00 1800 2300  tSetup:.......#.
0x0160:  2c00 4a00 6700 7400 8b00 a400 cb00 f200  ,.J.g.t.........
0x0170:  f400 0000 0000 0002 0100 0000 0000 0000  ................
0x0180:  0d00 0000 0000 0000 0000 0000 0000 0001  ................
0x0190:  0f                                       .

{ __argument: 
  { WIRApplicationIdentifierKey: 'com.apple.mobilesafari',
    WIRConnectionIdentifierKey: 'E9BD1ED1-AD1A-4BF0-B80F-A31169BD4411',
    WIRSenderKey: 'F058FC7A-CB23-4E39-AE51-74CC70C3BB03',
    WIRPageIdentifierKey: 1 },
  __selector: '_rpc_forwardSocketSetup:' }

Apart from the keys (which, from my experiments, don't seem make any difference – I've tried keys that Safari's used to no avail) the two are byte-for-byte identical and produce identical plists. I can compare the traffic between Safari & Mobile Safari and my code & Mobile Safari side by side, and they only diverge at this point.

I don't know what the problem is, but there are a few possibilites as far as I can see:

• The packets aren't identical and I've spelt something wrong/screwed something else up
• The keys aren't ok (perhaps the Sender Key needs to be generated from the Connection ID Key)
• There's data being passed between the two elsewhere

Just to clear up some avenues that I've investigated:

• It's not time sensitive (another project — not mine — can successfully connect but sends all connection packets at once)
• I've checked to see if there's (tcp) data being passed over another port – there isn't as far as I can tell

What could be going wrong? Why is Mobile Safari refusing my connection?

The project is on Github.

Answer 1

Issue is line 36:

data.__argument.WIRSocketDataKey = JSON.stringify(data.__argument.WIRSocketDataKey);

bplistCreator.js treats WIRSocketDataKey as a string when it's actually data in bplist terms.

Line 36 should be:

data.__argument.WIRSocketDataKey = new Buffer(JSON.stringify(data.__argument.WIRSocketDataKey));

For this to work the version of bplistCreator.js from GH is required as the version with data support doesn't appear to be available via npm yet https://github.com/nearinfinity/node-bplist-creator

---

Have kept history below just for reference:

Done a bit more digging and watching the system.log during execution...

tail -f /var/log/system.log

And I see the following when the browser crashes

-[__NSCFString bytes]: unrecognized selector sent to instance 0xa947af0
*** Terminating app due to uncaught exception 'NSInvalidArgumentException', reason: '-[__NSCFString bytes]: unrecognized selector sent to instance 0xa947af0'
*** First throw call stack:
(0x48b012 0x1578e7e 0x5164bd 0x47abbc 0x47a94e 0x413390 0x43b763 0xb55415 0x44bf0f5 0x45080d8 0x45085f1 0x3557548 0x40ef3f 0x40e96f 0x431734 0x430f44 0x430e1b 0x3556c50 0x9026e557 0x90258cee)
com.apple.launchd.peruser.501[237] (UIKitApplication:com.apple.mobilesafari[0x10ee][59604]):     Job appears to have crashed: Abort trap: 6
backboardd[54902]: Application 'UIKitApplication:com.apple.mobilesafari[0x10ee]' exited     abnormally with signal 6: Abort trap: 6
ReportCrash[59611]: Saved crash report for MobileSafari[59604] version 1659.13 to /Users/xx/Library/Logs/DiagnosticReports/MobileSafari_2013-01-29-212042_Andy-Daviess-MacBook-Pro.crash

(I've removed times and dates from above)

EDIT:

I think the issue is that WIRSocketDataKey is being sent as a string when it should be data

Doesn't look like node-bplist-creator supports data type at the moment so that's the first thing that we need to fixup.

EDIT 2:

GH version of node-bplist-creater does support data type, but doesn't appear to be packaged (???)

EDIT 3:

Got it working will send you a pull request tomorrow!