Running Apple's Backup Without a .Mac Account

This page has long been outdated, since the the instructions didn't work for the current version of Backup (3). But I'm glad to say I found out how to get the unrestricted functionality for this version as well.

So here's a short description on how to fool Backup 3 into thinking you have a paid .Mac account. This does not require running a WebDAV based iDisk on your web server although you might want to do that as well. I'm not very interested in using iDisk for backup myself.

In trial mode, you can only make backups of 100MB or less, even if you are not using your iDisk but backing up to hard disk, CD or DVD instead. The trick below makes Backup think you have a paid .Mac account so you can backup data without size restrictions. Note that I'm not hacking the .Mac service, in fact, since I'm directing the authentication request to my own web server, and only backup to CD or DVD, I'm not using the .Mac servers at all.

Later I'll try to extend the instruction with some more details.

Setup a https web server. You can use a self signed certificate. Set the Common Name of the certificate to www.mac.com. Make the web server answers requests to www.apple.com.
Import your certificate into your X509Anchors on your mac. You can see here how to do that.
Fool your mac into talking to your web server when trying to connect to www.mac.com by editing /etc/hosts on your mac, as described here.

Create a script to answer requests to /WebObjects/Info.woa/wa/XMLRPC/accountInfo. When this post is received:

<?xml version="1.0"?>
<methodCall>
<methodName>accountInfo</methodName>
<params>
<param>
<value><string>youraccount
</param>
<param>
<value><string>yourpassword
</param>
<param>
<value>
<string>daysLeftUntilExpiration</string>
</value>
</param>
</params>
</methodCall>

the script should return

<?xml version='1.0'?>
<methodResponse><params><param><value><struct>
<member><name>daysLeftUntilExpiration</name><value><int>-1</int></value></member>
</struct></value></param></params></methodResponse>

The trick is to extend you subscription very a very long period of time. Minus one essentialy means "indefinite". Next enable the paid services; when this post is received:

<?xml version="1.0"?>
<methodCall>
<methodName>accountInfo</methodName>
<params>
<param>
<value><string>youraccount</string></value>
</param>
<param>
<value><string>yourpassword</string></value>
</param>
<param>
<value>
<string>servicesAvailable</string>
</value>
</param>
</params>
</methodCall>

the script should return:

<?xml version='1.0'?>
<methodResponse><params><param><value><struct>
<member><name>servicesAvailable</name><value><array>
<value><string>iDisk</string></value>
<value><string>iSync</string></value>
<value><string>Email</string></value>
<value><string>WebHosting</string></value>
<value><string>Backup</string></value>
</array></value></member>
</struct></value></param></params></methodResponse>

In both cases, the Content-Type should be text/html. Here's an example script. The trick is to include Backup in the list. If you have a trial account and are talking to the real .Mac servers, the line is not included. Backup 3 then decides you have a trial account only.

Run Backup 3, and then it should show:

The rest of this page is still the original. Again, these instructions do not work for Backup 3, but the general comments an method still applies.

Kudos to MacOS Rumors for being the first to pick up this story!

A short time ago Apple introduced the paid service .Mac as a followup to the free iTools service. .Mac provides nice services like email, web hosting, virus protection software, online WebDAV based disk storage (dubbed iDisk) and backup software. The last two work together, you can make backups to your iDisk. The backup program, called Backup is also capable of backing up to recordable CD or DVD. Backup can be downloaded for free from Apple.

The full functionality of Backup only works if you have a paid .Mac account. You cannot make backups to CD or DVD with a trial account. Also, scheduling of backups only works if you have a paid .Mac account.

The security of a remote backup is a big concern. Do you want your data to pass through the internet unencrypted (iDisk traffic is in clear text) and stored in clear text in an unknown location? I do not question the Apple's intentions, but I do not have any way of checking that the iDisk data is well protected.

Another important questions is: how does Backup check if it is talking to the right servers? It is interesting to know how Apple does a subscription based service where the actual work is done locally. Since Backup checks your .Mac account, there should be some form of remote authentication.

The Challenge

Come up with a way to use the full functionality of Backup, without having a .Mac account. Preferably without hacking Backup itself.

I can say that I succeeded. You can fool Backup because it does not do a proper server authentication when checking your .Mac account or accessing the iDisk server. The remainder of this document describes how the solution works.

The Analysis

To come up with a solution, I analyzed the behavior of Backup using a few tools. If you are interested, you can read more on how I did that.

The Solution

To make Backup believe you have a .Mac account, you need:

A machine running an https and WebDAV enabled web server. Note that running your WebDAV server on MacOS X is possible, but has some drawbacks.
Knowledge on how to configure your web server. I give some basic instructions for Apache on OpenBSD only.

I used an i386 based OpenBSD 3.1 machine as Apache server, furthermore a Blue & White G3 running MacOS X 1.2 and a white iBook running MacOS X 10.2.1 as clients. I used version 1.2 of Backup. I also successfully checked this method using Mac OS X 10.2.2 and Backup 1.2.1.

You have to perform the following steps:

Setup a WebDAV enabled Apache server, using mod_dav with a small patch.
Create a WebDAV account on your web server, using digest authentication.
Create a directory Backup on your own iDisk.

Here is a more detailed description of some of these steps.

After these steps are done, you have an iDisk that is being served by your own server. This disk can be accessed by Connect to Server menu item of the Go menu of the Finder.

Please do not ask me for more detailed info than I give here. If you are a web server admin, the instructions should be sufficient for you. If not, educate yourself using books, google, friends, or whatever.

Next thing to do is to have your web server act as a .Mac authentication server:

Setup your web server to be https enabled. You can use a self signed certificate.
Make https requests to www.mac.com go to your web server.
Make http requests to idisk.mac.com go your web server.
Let the web server return a "authorization granted" page when the account check URL is accessed.

Here is a more detailed description of these steps. After these steps are done, you can use Backup to backup to your own iDisk, CD or DVD. Scheduling of backups also works. The iDisk menu item of the Go menu of the Finder will mount your own iDisk.

What should Apple have done?

My task would have been much harder if Backup did proper server authentication. This can be done by validating the certificate that is returned by the web server. Validation is done by

Checking that the SSL handshake is done with a private key that corresponds to the public key in the certificate.
Checking the certificate subject identity information.
Checking the identity information of the certificate issuer against a list of acceptable issuers.
Verifying the signatures of the certificate.

Not all these checks are done in the current version of Backup. I've set up my web server with a simple, self signed certificate which is accepted by Backup, probably because Backup simply does not check the certificate. The iDisk server is also not authenticated, since it is accessed using http, not https. This means that you do not have any way of knowing for sure to which servers Backup is talking.

Is this illegal?

As far as I know, it is not. I am not changing Backup, I am only changing the environment in which it runs. I am not trying to hack the iDisk or .Mac servers. The license does not even mention a .Mac subscription.

While technically easy, I am not offering this as a service to the public. I've written these pages only to educate, showing that Apple has taken a short cut to proper server authentication.

What about iSync?

iSync does not use the WebDAV protocol, so it does not work with the described setup. For more information, take a look at Jeremy Baker's page.

Known issues

Accessing www.mac.com no longer works. You can't have it all.
The iDisk control panel does not work. This does not hamper to functionality of iDisk or Backup. The iDisk control panel requires a trusted certificate. Since it doesn't get a trusted certificate, it aborts the SSL handshake. The page about setting up a pseudo .Mac server contains details on making the iDisk control panel work, although this is not neccesary for the proper operation of iDisk or Backup.
Unpatched mod_dav reports zero quota, disabling iDisk backups. This can be solved by installing a patched mod_dav.
Patched mod_dav report nonsense quotas.
It seems that after a successful account check by Backup, it does not check again ever. This may have something to do with returning -1 as the number of days left. You can force the account check by removing the file Library/Preferences/com.apple.Backup.plist and then running Backup again.

This article has been discussed on Slashdot.