Analysis of Backup

To analyze how Backup checks whether you have a paid account, I used a few command line tools available on MacOS. The main tool I used is tcpdump, which lets you watch TCP/IP traffic. Another tool I used is lynx, a text based browser that can also be used to construct outgoing and watch incoming http and https traffic. lynx is not installed by default on MacOS X, but a version can be downloaded from Apple. Sadly that version does not support https, so I had to use my OpenBSD machine for some of the work.

Watching TCP/IP traffic

To solve this problem, I first did some analysis using tcpdump. I ran tcpdump -i en0 while starting up Backup, and then used tcpdump -X -s 1500 -i en0 '(port http) or (port https)' to get the actual packet dumps. Now I could see that accessing the iDisk site uses the WebDAV protocol. Watching the traffic to www.mac.com does not show much, since that traffic is encrypted. To get around this, I configured my OpenBSD machine as an https enabled web server that also handles the WebDAV protocol, and directed the traffic from Backup to my web server, as described here.

After setting up Apache, I could connect to my local WebDAV server using the Finder's Go > iDisk menu item. Running Backup and looking at the web server's log showed that it was accessing my own server. But Backup failed, thinking it was accessing www.mac.com over https. This was no surprise, since it was actually talking to my own web server.

Watching the .Mac account check

I saw in the error log of my web server that Backup was trying to access this URL using a POST:
	https://www.mac.com/WebObjects/Info.woa/wa/Query/accountInfo
The next thing to do was to set up a CGI script that would capture the information submitted by the POST. The following information was sent:
{
	body = {keys = (iToolsBackupActivated, trialAccountDaysLeft); }; 
	function = accountInfo; 
	header = {password = foobar; username = mydotmactrialaccount; }; 
}
To see what the response should look like, I sent the same request to the real server with the following command, using the https enabled lynx on OpenBSD:
lynx -mime_header -source -post_data \
  https://www.mac.com/WebObjects/Info.woa/wa/Query/accountInfo << EOT
{
	body = {keys = (iToolsBackupActivated, trialAccountDaysLeft); }; 
	function = accountInfo; 
	header = {password = foobar; username = mydotmactrialaccount; }; 
}
EOT
The command produced the following response:
HTTP/1.1 200 Apple
Server: Netscape-Enterprise/3.6 SP3
Date: Tue, 17 Sep 2002 19:30:32 GMT
Expires: Tue, 17 Sep 2002 19:30:32 GMT
X-webobjects-loadaverage: 0
Cache-control: private
Cache-control: no-cache
Cache-control: no-store
Cache-control: must-revalidate
Cache-control: max-age=0
Cache-control: post-check=0
Cache-control: pre-check=0
Pragma: no-cache
Date: Tue, 17 Sep 2002 19:30:32 GMT
Content-length: 103

{
	payload = {iToolsBackupActivated = N; trialAccountDaysLeft = 13; }; 
	statusCode = success; 
}
When I changed my accountInfo script to return the following instead
{
	payload = {iToolsBackupActivated = Y; trialAccountDaysLeft = -1; };
	statusCode = success; 
}
I was a happy camper!
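Putting the two halves together, here is an added example, not Otto's script, of what the accountInfo CGI can look like: it logs the POST body Backup submits (the request captured above) and answers with the replacement response that made Backup happy. It assumes Python 3 and that Apache maps https://www.mac.com/WebObjects/Info.woa/wa/Query/accountInfo to it with ScriptAlias; the small property-list parser, the SPOOFED_VALUES table and the 400 reply for anything other than function = accountInfo are my additions, not anything the .Mac server is known to do. The captured request is embedded as a constructed sample so the parser can be exercised offline.

```python
"""Added example (not the author's script): a CGI handler that logs the
accountInfo POST shown above and answers it with the 'paid account' payload.
Bodies are old-style (OpenStep) property lists: dictionaries { k = v; },
arrays ( a, b ) and bare or quoted strings; that subset is all we parse."""
import os
import re
import sys

# Constructed copy of the request body Backup sent (from the capture above).
CAPTURED_REQUEST = """{
\tbody = {keys = (iToolsBackupActivated, trialAccountDaysLeft); };
\tfunction = accountInfo;
\theader = {password = foobar; username = mydotmactrialaccount; };
}"""
# From the replacement response on the page. Assumption: Backup asks only for these.
SPOOFED_VALUES = {"iToolsBackupActivated": "Y", "trialAccountDaysLeft": "-1"}
_BARE = r"[A-Za-z0-9_.$/:+-]+"  # characters allowed in an unquoted string
_TOKEN = re.compile(r'\s*(?:"((?:[^"\\]|\\.)*)"|(%s)|([{}()=;,]))' % _BARE)

def _tokenize(text):
    """Split into ('str', value) / ('punct', char) tokens, rejecting leftovers."""
    if _TOKEN.sub("", text).strip():
        raise ValueError("unparseable characters in property list")
    return [("punct", p) if p else ("str", b or q.replace('\\"', '"'))
            for q, b, p in _TOKEN.findall(text)]

def parse_plist(text):
    """Recursive-descent parse into nested dict / list / str values."""
    toks, pos = _tokenize(text), [0]

    def at(char):  # is the next token this punctuation character?
        return toks[pos[0]:pos[0] + 1] == [("punct", char)]

    def take(kind, val=None):  # consume one token, checking kind (and value)
        tok = toks[pos[0]] if pos[0] < len(toks) else (None, None)
        if tok[0] != kind or (val is not None and tok[1] != val):
            raise ValueError("expected %s %r, got %r" % (kind, val, tok))
        pos[0] += 1
        return tok[1]

    def value():
        if at("{"):  # dictionary: { key = value; ... }
            take("punct", "{")
            result = {}
            while not at("}"):
                key = take("str")
                take("punct", "=")
                result[key] = value()
                take("punct", ";")
            take("punct", "}")
            return result
        if at("("):  # array: ( value, value, ... )
            take("punct", "(")
            items = []
            while not at(")"):
                items.append(value())
                if at(","):
                    take("punct", ",")
            take("punct", ")")
            return items
        return take("str")

    result = value()
    if pos[0] != len(toks):
        raise ValueError("trailing data after property list")
    return result

def format_plist(obj, top=True):
    """Serialise in the server's layout: top-level entries one per line, nested inline."""
    if isinstance(obj, dict):
        sep, pad = ("\n", "\t") if top else ("", "")
        body = "".join("%s%s = %s; %s" % (pad, k, format_plist(v, False), sep)
                       for k, v in obj.items())
        return "{" + sep + body + "}"
    if isinstance(obj, list):
        return "(" + ", ".join(format_plist(v, False) for v in obj) + ")"
    return obj if re.fullmatch(_BARE, obj) else '"%s"' % obj.replace('"', '\\"')

def account_info_response(request):
    """Answer only the accountInfo function, and only the keys Backup asked for."""
    if request.get("function") != "accountInfo":
        raise ValueError("unsupported function %r" % request.get("function"))
    keys = request.get("body", {}).get("keys", [])
    return {"payload": {k: SPOOFED_VALUES[k] for k in keys if k in SPOOFED_VALUES},
            "statusCode": "success"}

def handle_cgi(stdin=sys.stdin, stdout=sys.stdout, log=sys.stderr):
    """CGI entry point; stderr lands in Apache's error log, credentials and all."""
    raw = stdin.read(int(os.environ.get("CONTENT_LENGTH") or 0))
    log.write("accountInfo request: %r\n" % raw)
    try:
        body = format_plist(account_info_response(parse_plist(raw)))
    except ValueError as exc:
        stdout.write("Status: 400 Bad Request\r\nContent-Type: text/plain\r\n\r\n%s\n" % exc)
        return
    stdout.write("Content-Type: text/plain\r\nCache-control: no-store\r\n"
                 "Content-Length: %d\r\n\r\n%s" % (len(body), body))

if __name__ == "__main__":
    handle_cgi()
```

Two things worth noticing. The script never looks at the submitted password; it only logs it, which is all the capture step needed. And Backup acts on whatever comes back from the host it takes to be www.mac.com, so the whole "paid account" decision rests on that one statusCode/payload dictionary: replace it and the trial limit is gone, as the page shows.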


Copyright © 2002 Otto Moerbeek
Last modified $Date: 2007/03/31 09:56:59 $.