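├── .gitignore ├── BoringSSLKeys.plist ├── Makefile ├── README.md ├── Tweak.xm ├── Tweam.mm ├── control └── packages └── com.evilpenguin.boringsslkeys_0.0.1-2+debug_iphoneos-arm.deb
/.gitignore:
--------------------------------------------------------------------------------
# Xcode
#
# gitignore contributors: remember to update Global/Xcode.gitignore, Objective-C.gitignore & Swift.gitignore

## User settings
xcuserdata/

## compatibility with Xcode 8 and earlier (ignoring not required starting Xcode 9)
*.xcscmblueprint
*.xccheckout

## compatibility with Xcode 3 and earlier (ignoring not required starting Xcode 4)
build/
DerivedData/
*.moved-aside
*.pbxuser
!default.pbxuser
*.mode1v3
!default.mode1v3
*.mode2v3
!default.mode2v3
*.perspectivev3
!default.perspectivev3

## VSCode
.vscode

## Theos
.theos

## Theos build output
# NOTE(review): a built .deb is already committed under packages/. A prebuilt
# binary cannot be audited against the source it claims to come from, so users
# should build from Tweak.xm themselves; ignoring the directory keeps future
# builds from being checked in by accident (the existing file stays tracked
# until removed explicitly).
packages/

# DS Files
.DS_Store
--------------------------------------------------------------------------------
/BoringSSLKeys.plist:
--------------------------------------------------------------------------------
{
    // NOTE(review): filtering on "com.apple.UIKit" injects this tweak into every
    // UIKit process on the device, so every app ends up writing its TLS session
    // secrets to its own Library/Caches/BoringSSLKey.keylog. Replace this with
    // the bundle ID of the app under test to limit what gets logged, e.g.
    //   Bundles = ( "com.example.app" );
    Filter = {
        Bundles = (
            "com.apple.UIKit"
        );
    };
}
--------------------------------------------------------------------------------
/Makefile:
--------------------------------------------------------------------------------
# ?= so a THEOS_DEVICE_IP exported in the environment overrides this
# developer-specific default (the hard-coded LAN address only resolves on the
# original author's network).
THEOS_DEVICE_IP ?= 192.168.1.205

include $(THEOS)/makefiles/common.mk

TWEAK_NAME = BoringSSLKeys
$(TWEAK_NAME)_FILES = Tweak.xm
$(TWEAK_NAME)_CFLAGS = -Wno-unused-function -Wno-unused-variable

include $(THEOS_MAKE_PATH)/tweak.mk

# Respring after install so SpringBoard picks up the new build. Apps under test
# presumably still need to be relaunched, since the tweak is loaded at process
# start — confirm against the Substrate setup in use.
after-install::
	install.exec "killall -9 SpringBoard"
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# BoringSSLKeys
- Allows use of 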
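`SSL_CTX_set_keylog_callback` in Apple's version of libboringssl
- Logs to console and cached file
  - `CLIENT_RANDOM`
  - `CLIENT_HANDSHAKE_TRAFFIC_SECRET`
  - `SERVER_HANDSHAKE_TRAFFIC_SECRET`
  - `CLIENT_TRAFFIC_SECRET_0`
  - `SERVER_TRAFFIC_SECRET_0`
  - `EXPORTER_SECRET`

Required
----------
- iOS 13.3.1 (the `SSL_CTX` field offset in `Tweak.xm` was taken from this build's libboringssl; the tweak refuses to patch on any other version)
- Jailbroken using Mobile Substrate

Suggested
----------
- rvictl (to connect iOS device)
- tcpdump (to capture packets)
- Wireshark (to decrypt pcaps)

Usage
----------
- rvictl -s UDID
- tcpdump -i rvi0 -w capture.pcap -P
- Run the app you want
- Pull keylog from `/var/mobile/Containers/Data/Application/{UUID}/Library/Caches/BoringSSLKey.keylog`
- wireshark -r capture.pcap -o tls:keylog_file:BoringSSLKey.keylog
- Science

Security notes
----------
- The keylog file holds the TLS session secrets of every connection the app made while the tweak was loaded; anyone who has it together with the pcap can decrypt that traffic. Treat it like a credential: copy it off the device over a trusted channel and delete both the keylog and the capture when the analysis is done.
- `BoringSSLKeys.plist` filters on `com.apple.UIKit`, so the tweak is loaded into every UIKit app on the device and each of them writes its own keylog. Narrow the `Bundles` filter to the app under test so you do not collect secrets you did not intend to.
- Uninstall the tweak when finished; while installed it patches every matching process, not only the one being studied.

Console.app Output Filtered by `[BoringSSLKey]`
----------
```
[BoringSSLKey] CLIENT_RANDOM STUFF STUFF
[BoringSSLKey] Writing to: /var/mobile/Containers/Data/Application/{UUID}/Library/Caches/BoringSSLKey.keylog
[BoringSSLKey] CLIENT_HANDSHAKE_TRAFFIC_SECRET STUFF STUFF
[BoringSSLKey] Writing to: /var/mobile/Containers/Data/Application/{UUID}/Library/Caches/BoringSSLKey.keylog
[BoringSSLKey] SERVER_HANDSHAKE_TRAFFIC_SECRET STUFF STUFF
[BoringSSLKey] Writing to: /var/mobile/Containers/Data/Application/{UUID}/Library/Caches/BoringSSLKey.keylog

```
--------------------------------------------------------------------------------
/Tweak.xm:
--------------------------------------------------------------------------------
//
// Created by EvilPenguin (James Emrich)
// BoringSSL
// Date: 4/26/2020
//
//
//

// The two original #import targets were lost in extraction; these are the
// headers the code below actually depends on (Foundation classes, dlopen/dlsym,
// MSHookFunction from Substrate).
#import <Foundation/Foundation.h>
#import <substrate.h>
#include <dlfcn.h>

// File name of the keylog inside the hooked app's Library/Caches directory.
static NSString *const kBoringSSLKeylogFileName = @"BoringSSLKey.keylog";

// Resolves the keylog path once per process. The caches directory does not
// change for the lifetime of the app, so there is no point recomputing it for
// every secret that is logged.
// @return Absolute path of the keylog file for this process.
static NSString *_keylog_path(void) {
    static NSString *path = nil;
    static dispatch_once_t once;
    dispatch_once(&once, ^{
        NSString *cachesDirectory = [NSSearchPathForDirectoriesInDomains(NSCachesDirectory, NSUserDomainMask, YES) firstObject];
        path = [cachesDirectory stringByAppendingPathComponent:kBoringSSLKeylogFileName];
    });
    return path;
}

// Appends one keylog line (as handed over by BoringSSL) to the keylog file.
// Creates the file owner-read/write only on first use: it contains live TLS
// session secrets, so it must not be readable by anything but the owning uid.
// @param line  NUL-terminated line from BoringSSL. NULL, empty, or non-UTF-8
//              input is ignored.
static void _write_to_file(const char *line) {
    if (line == NULL) {
        return;
    }
    // stringWithUTF8String: returns nil for invalid UTF-8; -length on nil is 0,
    // so such input takes the same "nothing to write" exit as "".
    NSMutableString *lineString = [NSMutableString stringWithUTF8String:line];
    if (lineString.length == 0) {
        return;
    }
    [lineString appendString:@"\n"];

    NSString *logPath = _keylog_path();
    NSLog(@"[BoringSSLKey] Writing to: %@", logPath);

    NSFileManager *fileManager = NSFileManager.defaultManager;
    if (![fileManager fileExistsAtPath:logPath]) {
        // 0600: the original created the file with default permissions, which
        // is too loose for material that decrypts every captured session.
        NSDictionary *attributes = @{NSFilePosixPermissions: @(0600)};
        if (![fileManager createFileAtPath:logPath contents:NSData.data attributes:attributes]) {
            NSLog(@"[BoringSSLKey] Failed to create keylog at %@", logPath);
            return;
        }
    }

    // fileHandleForWritingAtPath: returns nil when the file cannot be opened;
    // the original then messaged nil and silently dropped the secret. Report it.
    NSFileHandle *handle = [NSFileHandle fileHandleForWritingAtPath:logPath];
    if (handle == nil) {
        NSLog(@"[BoringSSLKey] Failed to open keylog at %@", logPath);
        return;
    }
    // NOTE(review): the keylog callback runs on whichever thread performs the
    // handshake; seek+write across separate handles is not atomic, so serialize
    // here if interleaved lines ever show up in the file.
    [handle seekToEndOfFile];
    [handle writeData:[lineString dataUsingEncoding:NSUTF8StringEncoding]];
    [handle closeFile];
}

// Callback planted into SSL_CTX's keylog_callback slot. Signature follows
// BoringSSL's SSL_CTX_set_keylog_callback: void (*)(const SSL *ssl, const char *line).
// The ssl handle is unused; every line is echoed to the console and appended
// to the keylog file.
static void call_back(const void *ssl, const char *line) {
    (void)ssl;
    NSLog(@"[BoringSSLKey] %s", line);
    _write_to_file(line);
}

/*
 iOS 13.3.1 libboringssl.dylib

 __ZN4bssl14ssl_log_secretEPK6ssl_stPKcNS_4SpanIKhEE: // bssl::ssl_log_secret(ssl_st const*, char const*, bssl::Span<unsigned char const>)
 0x0000000185366358 FF8301D1 sub sp, sp, #0x60
 0x000000018536635c F65703A9 stp x22, x21, [sp, #0x30]
 0x0000000185366360 F44F04A9 stp x20, x19, [sp, #0x40]
 0x0000000185366364 FD7B05A9 stp x29, x30, [sp, #0x50]
 0x0000000185366368 FD430191 add x29, sp, #0x50
 0x000000018536636c 083440F9 ldr x8, [x0, #0x68]  ; Offset of ctx pointer
 0x0000000185366370 086141F9 ldr x8, [x8, #0x2c0] ; Offset of keylog_callback pointer
*/

// Offset of the keylog_callback pointer inside SSL_CTX, read from the
// disassembly above (ldr x8, [x8, #0x2c0]). It is only valid for the build it
// was taken from; change it together with kBoringSSLKeylogOffsetVersion.
static const uintptr_t kBoringSSLKeylogCallbackOffset = 0x2c0;
// The iOS version the offset above was derived from (iOS 13.3.1, per the
// comment above and the README).
static const NSOperatingSystemVersion kBoringSSLKeylogOffsetVersion = {13, 3, 1};

// Whether the running OS is exactly the build the struct offset came from.
// Writing a function pointer at a wrong offset corrupts SSL_CTX inside the
// hooked app, so the ctor refuses to hook anywhere else.
// @return YES when major.minor.patch match kBoringSSLKeylogOffsetVersion.
static BOOL _offset_matches_running_os(void) {
    NSOperatingSystemVersion running = NSProcessInfo.processInfo.operatingSystemVersion;
    return running.majorVersion == kBoringSSLKeylogOffsetVersion.majorVersion
        && running.minorVersion == kBoringSSLKeylogOffsetVersion.minorVersion
        && running.patchVersion == kBoringSSLKeylogOffsetVersion.patchVersion;
}

static void (*orig_SSL_CTX_set_min_proto_version)(void *ctx, uint16_t version);

// Replacement for SSL_CTX_set_min_proto_version. It receives the SSL_CTX, so it
// is used as the point at which call_back is written into the context's
// keylog_callback field (the slot ssl_log_secret loads, see the disassembly);
// the original is then called unchanged. Any callback the app had installed in
// that slot itself is overwritten.
// @param ctx      SSL_CTX being configured; NULL is passed straight through.
// @param version  Forwarded untouched to the original implementation.
static void new_SSL_CTX_set_min_proto_version(void *ctx, uint16_t version) {
    if (ctx != NULL) {
        void (**keylog_callback)(const void *, const char *) =
            (void (**)(const void *, const char *))((uintptr_t)ctx + kBoringSSLKeylogCallbackOffset);
        *keylog_callback = call_back;
    }
    orig_SSL_CTX_set_min_proto_version(ctx, version);
}

// Runs when the tweak is loaded into a filtered process: verifies the OS
// version, resolves SSL_CTX_set_min_proto_version from libboringssl and hooks
// it. Every failure is logged and leaves the process unpatched; the original
// passed a possibly-NULL dlopen handle to dlsym and hooked unconditionally.
%ctor {
    if (!_offset_matches_running_os()) {
        NSLog(@"[BoringSSLKey] SSL_CTX offset 0x%lx was derived from iOS %ld.%ld.%ld; refusing to hook on this OS version",
              (unsigned long)kBoringSSLKeylogCallbackOffset,
              (long)kBoringSSLKeylogOffsetVersion.majorVersion,
              (long)kBoringSSLKeylogOffsetVersion.minorVersion,
              (long)kBoringSSLKeylogOffsetVersion.patchVersion);
        return;
    }

    void *boringssl_handle = dlopen("/usr/lib/libboringssl.dylib", RTLD_NOW);
    if (boringssl_handle == NULL) {
        NSLog(@"[BoringSSLKey] dlopen(libboringssl.dylib) failed: %s", dlerror());
        return;
    }

    void *SSL_CTX_set_min_proto_version = dlsym(boringssl_handle, "SSL_CTX_set_min_proto_version");
    if (SSL_CTX_set_min_proto_version == NULL) {
        NSLog(@"[BoringSSLKey] SSL_CTX_set_min_proto_version not found: %s", dlerror());
        return;
    }

    MSHookFunction(SSL_CTX_set_min_proto_version,
                   (void *)new_SSL_CTX_set_min_proto_version,
                   (void **)&orig_SSL_CTX_set_min_proto_version);
}
--------------------------------------------------------------------------------
/Tweam.mm:
--------------------------------------------------------------------------------
Tweak.xm
--------------------------------------------------------------------------------
/control:
--------------------------------------------------------------------------------
Package: com.evilpenguin.boringsslkeys
Name: BoringSSLKeys
Depends: mobilesubstrate
Version: 0.0.1
Architecture: iphoneos-arm
Description: Logs TLS session secrets (keylog format) from libboringssl to the hooked app's Caches directory for Wireshark decryption
Maintainer: JDE
Author: JDE
Section: Tweaks
--------------------------------------------------------------------------------
/packages/com.evilpenguin.boringsslkeys_0.0.1-2+debug_iphoneos-arm.deb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/evilpenguin/BoringSSLKeys/a272e898bea2a2937b77f00864bf83b6c6a5dcc2/packages/com.evilpenguin.boringsslkeys_0.0.1-2+debug_iphoneos-arm.deb
--------------------------------------------------------------------------------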