Last Update: 20 April, 2004.
PLEASE NOTE: This page is no longer relevant. iTMS has changed many times, and it is highly unlikely that it still works as described here. Everything on this page was relevant in April 2004. That's a long time ago.
With the recent release of iTMS-4-ALL we are now able to decrypt the iTunes Music Store packets and know how to request them.
However, as it stands at the moment, this can only be used for browsing the store and downloading free previews, which is not all that much use.
After a bit of contact with the author, Jason Rohrer, I found out that for some reason he is unable to log in to iTMS at all, and hence is unable to figure out how they handle authentication.
So now I come along, mostly out of curiosity, and start hacking. It turns out iTunes switches to HTTPS as soon as you try to do anything that requires an account. This created a bit of a problem, as one can't sniff HTTPS directly (it's strongly encrypted). So I attempted a basic monkey-in-the-middle attack, with one of my computers pretending to be phobos.apple.com (the iTMS server).
Alas, I ran into yet another problem. iTunes didn't like dealing with any SSL certificate that wasn't signed by a CA (Certificate Authority) that it knew about. No problem though: after a bit of poking around I located Apple's CA list, which (on OS X anyhow) lives in /System/Library/Keychains/X509Anchors.
So, finally, after creating a custom CA using OpenSSL, adding that CA to the list of accepted CAs on my Mac, and creating an appropriate certificate for my monkey-in-the-middle, I was on my way.
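The certificate-forging step described above (a private CA, then a server certificate for the impersonated host), written out as an added example that is not part of the original page: a POSIX shell script driving OpenSSL. The CA name "Test MITM CA", the 2048-bit keys, the 30-day validity and the temporary output directory are assumptions for illustration. The last function performs the two checks a client does (chain to a trusted CA, hostname match); adding ca.crt to the X509Anchors keychain, the step the page describes, is done outside the script.

```shell
#!/bin/sh
# Added example (not from the original page): build a private CA with OpenSSL
# and use it to sign a certificate for the host we want to impersonate.
# The CA name, key size, validity period and output paths are assumptions.
set -eu

# Create a self-signed root CA in $1 with the display name $2.
# This is the certificate that has to be added to the client's anchor list.
make_ca() {
  dir="$1"; name="$2"
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=$name" -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
}

# Generate a key and certificate for host $2, signed by the CA in $1.
# The hostname goes in both the CN and a subjectAltName so that clients which
# check either field accept it.
make_server_cert() {
  dir="$1"; host="$2"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$host" \
    -keyout "$dir/server.key" -out "$dir/server.csr" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.ext"
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$dir/san.ext" \
    -out "$dir/server.crt" >/dev/null 2>&1
  rm -f "$dir/server.csr" "$dir/san.ext"
}

# Return 0 only if certificate $2 chains to CA $1 and names host $3:
# the same two checks a client performs once the CA is in its trust list.
# A certificate from an unknown CA, or for another hostname, is rejected.
verify_server_cert() {
  ca="$1"; cert="$2"; host="$3"
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || return 1
  openssl x509 -in "$cert" -noout -text | grep -q "DNS:$host"
}

# Stand-alone demo: sign a certificate for the iTMS host named on this page.
demo_dir=$(mktemp -d)
make_ca "$demo_dir" "Test MITM CA"
make_server_cert "$demo_dir" phobos.apple.com
if verify_server_cert "$demo_dir/ca.crt" "$demo_dir/server.crt" phobos.apple.com; then
  echo "server.crt chains to ca.crt and names phobos.apple.com"
  echo "serve it with: openssl s_server -accept 443 -cert $demo_dir/server.crt -key $demo_dir/server.key"
fi
```

The interposing host then answers on port 443 with server.crt and server.key (openssl s_server, or whatever proxy is used to relay to the real store) and the client's DNS or hosts file points phobos.apple.com at it; only a client that has ca.crt in its anchor list will accept the connection, which is exactly why the X509Anchors step is needed.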
So finally I was able to get some data out of my attack. Yay. Using the decryption stuff that comes with Jason's perl script (iTMS-4-ALL, linked above) I was able to see what on earth they are doing. Results are below.
A short aside, just because it might be a more 'correct' way to generate the MD5 sum used for decryption: it looks like the decryption key given to the AES algorithm in Jason's code is actually just one of the 256 outputs that I use for my DAAP stuff. Apple may be able to index these things, so it's probably also more future-proof to use my authentication code. For more information on that, check out my DAAP authentication page.
Ok, back to the iTMS authentication reversing. So far I have:
For now that's all I'm going to be able to do, as I don't have a US credit card. I think I'd like to skip all the account-creation / first-login stuff anyhow (I'd rather concentrate on a successful login / buying music). So I guess I should take this opportunity to mention that if anyone out there has an iTMS account they would like to loan me, hey, I wouldn't mind :).
That's all for now.
Apple and iTunes are registered trademarks of Apple Computer, Inc.