You can discover new QMI message identifiers using the tools in this directory. Two approaches, one dynamic and one static, can be combined for this task.
The function `qmi::MessageBase::validateMsgId` is called for a large number of the QMI messages the iPhone sends and receives. Its two parameters are the instance pointer of the `MessageBase` object and the `message_id` as an unsigned short. Thus, we can use it to translate previously unknown message ids to strings and better understand the communication between the iPhone application processor and its baseband processor.
The dynamic approach uses Frida to intercept calls to the function `qmi::MessageBase::validateMsgId` from the library `libQMIParserDynamic.dylib` in real time. You can try different things on the iPhone to collect as many message ids as possible. A jailbroken iPhone is required to execute the script. It is optimized for an iPhone 12 mini with iOS 14.2.1.

```
frida -U -l explore_frida.ts CommCenter
```
Messages of the QMI position determination service (PDS) are handled by the `locationd` process. Its executable can be found in `/usr/libexec/locationd`.

```
frida -U locationd -l explore_frida.ts
```
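The hook described above, written out as an added example (this is not the repository's `explore_frida.ts`): a small Frida agent that attaches to `validateMsgId` through its mangled name in `libQMIParserDynamic.dylib`, reads the `unsigned short` message id from the second argument, and attributes each id to the calling module and offset so the call site can be looked up in Ghidra afterwards. The collector functions are plain JavaScript and also run under node; the module and symbol names are taken from this page, everything else is assumed.

```javascript
'use strict';
// Added example (not the repository's explore_frida.ts): Frida agent that hooks
// qmi::MessageBase::validateMsgId in libQMIParserDynamic.dylib and records, per call
// site, every message id passed to it. The collector runs under plain node as well.
const LIB = 'libQMIParserDynamic.dylib';
const SYM = '__ZN3qmi11MessageBase13validateMsgIdEt'; // validateMsgId(unsigned short)
const seen = new Map(); // call site "module!offset" -> Set of 16-bit message ids

// Record one call; true only the first time this (callSite, msgId) pair is seen,
// so the hook can report new ids without flooding the console.
function recordMsgId(callSite, msgId) {
  const id = msgId & 0xffff; // second parameter is an unsigned short (x1 on arm64)
  let ids = seen.get(callSite);
  if (ids === undefined) { ids = new Set(); seen.set(callSite, ids); }
  if (ids.has(id)) return false;
  ids.add(id);
  return true;
}

// Sorted summary of everything collected: [{ callSite, msgIds: ['0x0020', ...] }]
function summary() {
  return [...seen.keys()].sort().map((callSite) => ({
    callSite,
    msgIds: [...seen.get(callSite)].sort((a, b) => a - b)
      .map((id) => '0x' + id.toString(16).padStart(4, '0')),
  }));
}

// Install the hook; returns false when not running inside Frida (no Interceptor).
function installHook() {
  if (typeof Interceptor === 'undefined') return false;
  const target = Process.getModuleByName(LIB).findExportByName(SYM);
  if (target === null) throw new Error(SYM + ' not exported by ' + LIB);
  Interceptor.attach(target, {
    onEnter(args) {
      // Attribute the id to its caller: module name plus offset of the return address,
      // which is what you then look up in Ghidra to name the message.
      const mod = Process.findModuleByAddress(this.returnAddress);
      const site = mod === null ? this.returnAddress.toString()
        : mod.name + '!' + this.returnAddress.sub(mod.base).toString();
      const id = args[1].toInt32() & 0xffff;
      if (recordMsgId(site, id)) console.log('[validateMsgId] ' + site + ' -> 0x' + id.toString(16));
    },
  });
  return true;
}

installHook();
```

Load it the same way as the repository script, e.g. `frida -U -l agent.js CommCenter` on the jailbroken device, and call `summary()` from the Frida REPL to dump what has been collected so far.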
The static approach uses a Ghidra script to scan all references to the function `qmi::MessageBase::validateMsgId` and show the respective message ids and calling functions in a table. To use it, add this folder as a script directory in Ghidra (so it can detect the file `ExtractQMIMessageIDs.java`), place your cursor at the entry point of the function `__auth_stubs::__ZN3qmi11MessageBase13validateMsgIdEt` in your target library, and run the script from the script manager.
Good resources to learn Ghidra scripting are
Based on the static approach, we can automatically analyze binaries, extract their QMI definitions, and convert them to libqmi data structures, which in turn can be used to improve the dissector.

- Get the IPSW

  ```
  ipsw dyld imports dyld_shared_cache_arm64e /usr/lib/libQMIParserDynamic.dylib
  ```

- Put each file in Ghidra
- Apply the plugin
- Run the script to import

Repeat for executables like `locationd`, but apply the symbol plugin first.

The results can be used to manually improve the iOS extensions for libqmi, located in the `libqmi-ios-ext` directory.