jailbreak - Rec iOS conversations. Where to start?

Question

I would like to rec each time I have a conversation with the MobilePhone App. My device is jailbroken, so no problem about the appStore restrictions.

Of course I guess the public framework will provide nothing. Also, I've been looking at the private frameworks, but haven't seen anything useful.

Currently I am able to rec from the microphone, but when a conversation starts, it takes the microphone in exclusive mode, and the data is no longer received.

Any guidance?

Answer 1

"Audio Recorder" is indeed a very simple tweak. The author tried to obfuscate important parts of his tweak (which function is being hooked), but here is what I found.

Tweak basically hooks just one function - AudioConverterConvertComplexBuffer from AudioToolbox.framework. Tweak is loaded in mediaserverd daemon at startup.

First, we need to find out when we should start recording because AudioConverterConvertComplexBuffer is called even when you just playing regular audio files. To achieve that tweak is listening to kCTCallStatusChangeNotification notification from CTTelephonyCenter.

Second, AudioConverterConvertComplexBuffer implementation. I didn't finished it yet so I will post what I have so far. Here is somewhat working example that will get you started.

Helper class to keep track of AudioConverterRef - ExtAudioFileRef pairs

@interface ConverterFile : NSObject

@property (nonatomic, assign) AudioConverterRef converter;
@property (nonatomic, assign) ExtAudioFileRef file;
@property (nonatomic, assign) BOOL failedToOpenFile;

@end

@implementation ConverterFile
@end

ConverterFile objects container

NSMutableArray* callConvertersFiles = [[NSMutableArray alloc] init];

AudioConverterConvertComplexBuffer original implementation

OSStatus(*AudioConverterConvertComplexBuffer_orig)(AudioConverterRef, UInt32, const AudioBufferList*, AudioBufferList*);

AudioConverterConvertComplexBuffer hook declaration

OSStatus AudioConverterConvertComplexBuffer_hook(AudioConverterRef inAudioConverter, UInt32 inNumberPCMFrames, const AudioBufferList *inInputData, AudioBufferList *outOutputData);

Hooking

MSHookFunction(AudioConverterConvertComplexBuffer, AudioConverterConvertComplexBuffer_hook, &AudioConverterConvertComplexBuffer_orig);

AudioConverterConvertComplexBuffer hook definition

OSStatus AudioConverterConvertComplexBuffer_hook(AudioConverterRef inAudioConverter, UInt32 inNumberPCMFrames, const AudioBufferList *inInputData, AudioBufferList *outOutputData)
{
    //Searching for existing AudioConverterRef-ExtAudioFileRef pair
    __block ConverterFile* cf = nil;
    [callConvertersFiles enumerateObjectsUsingBlock:^(ConverterFile* obj, NSUInteger idx, BOOL *stop){
        if (obj.converter == inAudioConverter)
        {
            cf = obj;
            *stop = YES;
        }
    }];

    //Inserting new AudioConverterRef
    if (!cf)
    {
        cf = [[[ConverterFile alloc] init] autorelease];
        cf.converter = inAudioConverter;
        [callConvertersFiles addObject:cf];
    }

    //Opening new audio file
    if (!cf.file && !cf.failedToOpenFile)
    {
        //Obtaining input audio format
        AudioStreamBasicDescription desc;
        UInt32 descSize = sizeof(desc);
        AudioConverterGetProperty(cf.converter, kAudioConverterCurrentInputStreamDescription, &descSize, &desc);

        //Opening audio file
        CFURLRef url = CFURLCreateWithFileSystemPath(NULL, (CFStringRef)[NSString stringWithFormat:@"/var/mobile/Media/DCIM/Call%u.caf", [callConvertersFiles indexOfObject:cf]], kCFURLPOSIXPathStyle, false);
        ExtAudioFileRef audioFile = NULL;
        OSStatus result = ExtAudioFileCreateWithURL(url, kAudioFileCAFType, &desc, NULL, kAudioFileFlags_EraseFile, &audioFile);
        if (result != 0)
        {
            cf.failedToOpenFile = YES;
            cf.file = NULL;
        }
        else
        {
            cf.failedToOpenFile = NO;
            cf.file = audioFile;

            //Writing audio format
            ExtAudioFileSetProperty(cf.file, kExtAudioFileProperty_ClientDataFormat, sizeof(desc), &desc);
        }
        CFRelease(url);
    }

    //Writing audio buffer
    if (cf.file)
    {
        ExtAudioFileWrite(cf.file, inNumberPCMFrames, inInputData);
    }

    return AudioConverterConvertComplexBuffer_orig(inAudioConverter, inNumberPCMFrames, inInputData, outOutputData);
}

This is roughly how it's done in the tweak. But why it's done like that? When phone call is in progress AudioConverterConvertComplexBuffer_hook will be called continuously. But inAudioConverter argument will be different. I've found that there can be more than nine different inAudioConverter objects passed to our hook during one phone call. They will have different audio formats so we can't write everything in one file. This is why we building array of AudioConverterRef-ExtAudioFileRef pairs - to keep track of what is being saved to where. This code will create as many file as there is AudioConverterRef objects. All files will containt different audio - one or two will be the speaker sound. Others - microphone. I've tested this code on iPhone 4S with iOS 6.1 and it works. Unfortunately, call recording on 4S can be done only when speaker is turned on. There is no such limitation on iPhone 5. This is mentioned in tweak's description.

Only thing left is to find out how we can find just two specific inAudioConverter objects - one for speaker audio and one for microphone. Everything else is not a problem.

And one last thing - mediaserverd process is sandboxed so as our tweak. We can't save files anywhere we want. This is why I chose that file path - it can be written even from the inside of the sandbox.

PS Even though I've posted this code credit has to go to Elias Limneos. He's done it.