Home/ Questions/Q 9231963
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-18T06:11:59+00:00

I’m trying to emulate the message exchange between Safari & Mobile Safari when remote

  • 0

I’m trying to emulate the message exchange between Safari & Mobile Safari when remote debugging (using Node).

I’ve sniffed the traffic between the two; they’re exchanging binary plists over TCP. I’ve managed to replicated the packets up to the point where a particular tab is chosen for debugging (“socket setup”), but after this Mobile Safari ignores my plist instructions and instead sends back a listing.

Here’s the raw tcpdump of the socket setup packet Safari is sending, and a JSON representation of the plist it contains:

10:36:42.318662 IP6 localhost.58028 > localhost.27753: Flags [P.], seq 1601:1930, ack 803, win 9125, options [nop,nop,TS val 69074378 ecr 69074378], length 329
0x0000:  6000 0000 0169 0640 0000 0000 0000 0000  `....i.@........
0x0010:  0000 0000 0000 0001 0000 0000 0000 0000  ................
0x0020:  0000 0000 0000 0001 e2ac 6c69 344e 2443  ..........li4N$C
0x0030:  4e32 497b 8018 23a5 0171 0000 0101 080a  N2I{..#..q......
0x0040:  041d fdca 041d fdca 6270 6c69 7374 3030  ........bplist00
0x0050:  d201 0203 0c5a 5f5f 6172 6775 6d65 6e74  .....Z__argument
0x0060:  5a5f 5f73 656c 6563 746f 72d4 0405 0607  Z__selector.....
0x0070:  0809 0a0b 5f10 1b57 4952 4170 706c 6963  ...._..WIRApplic
0x0080:  6174 696f 6e49 6465 6e74 6966 6965 724b  ationIdentifierK
0x0090:  6579 5f10 1a57 4952 436f 6e6e 6563 7469  ey_..WIRConnecti
0x00a0:  6f6e 4964 656e 7469 6669 6572 4b65 795c  onIdentifierKey\
0x00b0:  5749 5253 656e 6465 724b 6579 5f10 1457  WIRSenderKey_..W
0x00c0:  4952 5061 6765 4964 656e 7469 6669 6572  IRPageIdentifier
0x00d0:  4b65 795f 1016 636f 6d2e 6170 706c 652e  Key_..com.apple.
0x00e0:  6d6f 6269 6c65 7361 6661 7269 5f10 2441  mobilesafari_.$A
0x00f0:  3535 3134 3645 372d 3244 4544 2d34 3832  55146E7-2DED-482
0x0100:  412d 3839 3133 2d31 3033 3337 4537 4634  A-8913-10337E7F4
0x0110:  3330 465f 1024 3230 3041 3935 3146 2d30  30F_.$200A951F-0
0x0120:  3839 432d 3445 3741 2d41 3642 322d 3331  89C-4E7A-A6B2-31
0x0130:  4235 4432 3737 4341 3635 1001 5f10 185f  B5D277CA65.._.._
0x0140:  7270 635f 666f 7277 6172 6453 6f63 6b65  rpc_forwardSocke
0x0150:  7453 6574 7570 3a00 0800 0d00 1800 2300  tSetup:.......#.
0x0160:  2c00 4a00 6700 7400 8b00 a400 cb00 f200  ,.J.g.t.........
0x0170:  f400 0000 0000 0002 0100 0000 0000 0000  ................
0x0180:  0d00 0000 0000 0000 0000 0000 0000 0001  ................
0x0190:  0f                                       .

{ __argument: 
  { WIRApplicationIdentifierKey: 'com.apple.mobilesafari',
    WIRConnectionIdentifierKey: 'A55146E7-2DED-482A-8913-10337E7F430F',
    WIRSenderKey: '200A951F-089C-4E7A-A6B2-31B5D277CA65',
    WIRPageIdentifierKey: 1 },
  __selector: '_rpc_forwardSocketSetup:' }

And what I’m sending with JSON plist:

16:39:18.669088 IP6 localhost.63836 > localhost.27753: Flags [P.], seq 413:742, ack 1, win 9175, options [nop,nop,TS val 89654016 ecr 89654016], length 329
0x0000:  6000 0000 0169 0640 0000 0000 0000 0000  `....i.@........
0x0010:  0000 0000 0000 0001 0000 0000 0000 0000  ................
0x0020:  0000 0000 0000 0001 f95c 6c69 0226 fab5  .........\li.&..
0x0030:  6fff d8d3 8018 23d7 0171 0000 0101 080a  o.....#..q......
0x0040:  0558 0300 0558 0300 6270 6c69 7374 3030  .X...X..bplist00
0x0050:  d201 0203 0c5a 5f5f 6172 6775 6d65 6e74  .....Z__argument
0x0060:  5a5f 5f73 656c 6563 746f 72d4 0405 0607  Z__selector.....
0x0070:  0809 0a0b 5f10 1b57 4952 4170 706c 6963  ...._..WIRApplic
0x0080:  6174 696f 6e49 6465 6e74 6966 6965 724b  ationIdentifierK
0x0090:  6579 5f10 1a57 4952 436f 6e6e 6563 7469  ey_..WIRConnecti
0x00a0:  6f6e 4964 656e 7469 6669 6572 4b65 795c  onIdentifierKey\
0x00b0:  5749 5253 656e 6465 724b 6579 5f10 1457  WIRSenderKey_..W
0x00c0:  4952 5061 6765 4964 656e 7469 6669 6572  IRPageIdentifier
0x00d0:  4b65 795f 1016 636f 6d2e 6170 706c 652e  Key_..com.apple.
0x00e0:  6d6f 6269 6c65 7361 6661 7269 5f10 2465  mobilesafari_.$E
0x00f0:  3962 6431 6564 312d 6164 3161 2d34 6266  9BD1ED1-AD1A-4BF
0x0100:  302d 6238 3066 2d61 3331 3136 3962 6434  0-B80F-A31169BD4
0x0110:  3431 315f 1024 6630 3538 6663 3761 2d63  411_.$F058FC7A-C
0x0120:  6232 332d 3465 3339 2d61 6535 312d 3734  B23-4E39-AE51-74
0x0130:  6363 3730 6333 6262 3033 1001 5f10 185f  CC70C3BB03.._.._
0x0140:  7270 635f 666f 7277 6172 6453 6f63 6b65  rpc_forwardSocke
0x0150:  7453 6574 7570 3a00 0800 0d00 1800 2300  tSetup:.......#.
0x0160:  2c00 4a00 6700 7400 8b00 a400 cb00 f200  ,.J.g.t.........
0x0170:  f400 0000 0000 0002 0100 0000 0000 0000  ................
0x0180:  0d00 0000 0000 0000 0000 0000 0000 0001  ................
0x0190:  0f                                       .

{ __argument: 
  { WIRApplicationIdentifierKey: 'com.apple.mobilesafari',
    WIRConnectionIdentifierKey: 'E9BD1ED1-AD1A-4BF0-B80F-A31169BD4411',
    WIRSenderKey: 'F058FC7A-CB23-4E39-AE51-74CC70C3BB03',
    WIRPageIdentifierKey: 1 },
  __selector: '_rpc_forwardSocketSetup:' }

Apart from the keys (which, from my experiments, don’t seem make any difference – I’ve tried keys that Safari’s used to no avail) the two are byte-for-byte identical and produce identical plists. I can compare the traffic between Safari & Mobile Safari and my code & Mobile Safari side by side, and they only diverge at this point.

I don’t know what the problem is, but there are a few possibilites as far as I can see:

  • The packets aren’t identical and I’ve spelt something wrong/screwed something else up
  • The keys aren’t ok (perhaps the Sender Key needs to be generated from the Connection ID Key)
  • There’s data being passed between the two elsewhere

Just to clear up some avenues that I’ve investigated:

  • It’s not time sensitive (another project — not mine — can successfully connect but sends all connection packets at once)
  • I’ve checked to see if there’s (tcp) data being passed over another port – there isn’t as far as I can tell

What could be going wrong? Why is Mobile Safari refusing my connection?

The project is on Github.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Issue is line 36:

    data.__argument.WIRSocketDataKey = JSON.stringify(data.__argument.WIRSocketDataKey);

    bplistCreator.js treats WIRSocketDataKey as a string when it’s actually data in bplist terms.

    Line 36 should be:

    data.__argument.WIRSocketDataKey = new Buffer(JSON.stringify(data.__argument.WIRSocketDataKey));

    For this to work the version of bplistCreator.js from GH is required as the version with data support doesn’t appear to be available via npm yet https://github.com/nearinfinity/node-bplist-creator

    Have kept history below just for reference:

    Done a bit more digging and watching the system.log during execution…

    tail -f /var/log/system.log

    And I see the following when the browser crashes 

    -[__NSCFString bytes]: unrecognized selector sent to instance 0xa947af0
*** Terminating app due to uncaught exception 'NSInvalidArgumentException', reason: '-[__NSCFString bytes]: unrecognized selector sent to instance 0xa947af0'
*** First throw call stack:
(0x48b012 0x1578e7e 0x5164bd 0x47abbc 0x47a94e 0x413390 0x43b763 0xb55415 0x44bf0f5 0x45080d8 0x45085f1 0x3557548 0x40ef3f 0x40e96f 0x431734 0x430f44 0x430e1b 0x3556c50 0x9026e557 0x90258cee)
com.apple.launchd.peruser.501[237] (UIKitApplication:com.apple.mobilesafari[0x10ee][59604]):     Job appears to have crashed: Abort trap: 6
backboardd[54902]: Application 'UIKitApplication:com.apple.mobilesafari[0x10ee]' exited     abnormally with signal 6: Abort trap: 6
ReportCrash[59611]: Saved crash report for MobileSafari[59604] version 1659.13 to /Users/xx/Library/Logs/DiagnosticReports/MobileSafari_2013-01-29-212042_Andy-Daviess-MacBook-Pro.crash

    (I’ve removed times and dates from above)

    EDIT:

    I think the issue is that WIRSocketDataKey is being sent as a string when it should be data

    Doesn’t look like node-bplist-creator supports data type at the moment so that’s the first thing that we need to fixup.

    EDIT 2:

    GH version of node-bplist-creater does support data type, but doesn’t appear to be packaged (???)

    EDIT 3:

    Got it working will send you a pull request tomorrow!

    • 0