1

In particular I'm looking for the method signature of the MRMediaRemoteSendCommandToApp method. There is a small amount of information here but I wasn't able to make much use of it.

There are definitions available for MRMediaRemoteSendCommand, which can look like:

```objc
typedef enum {
    kMRPlay = 0,
    kMRPause = 1,
    kMRTogglePlayPause = 2,
    kMRStop = 3,
    kMRNextTrack = 4,
    kMRPreviousTrack = 5,
    kMRToggleShuffle = 6,
    kMRToggleRepeat = 7,
    kMRStartForwardSeek = 8,
    kMREndForwardSeek = 9,
    kMRStartBackwardSeek = 10,
    kMREndBackwardSeek = 11,
    kMRGoBackFifteenSeconds = 12,
    kMRSkipFifteenSeconds = 13,
    kMRLikeTrack = 0x6A,
    kMRBanTrack = 0x6B,
    kMRAddTrackToWishList = 0x6C,
    kMRRemoveTrackFromWishList = 0x6D
} MRCommand;

Boolean MRMediaRemoteSendCommand(MRCommand command, id userInfo);
```

As suggested in the Getting signatures of private API methods for iOS question, I tried class-dump but couldn't find either method. Hopper Disassembler v4 showed the correct symbols but I couldn't figure out how to get the method signature for either method.

Dave

1 Answer

1

class-dump deals primarily with Objective-C classes; this is a normal C function.

```objc
Boolean MRMediaRemoteSendCommandToApp(MRMediaRemoteCommand command, NSDictionary *userInfo, _MROriginProtobuf *obj, NSString *bundleIdentifier, unsigned int optionSendOptionsNumber, NSObject<OS_dispatch_queue>* queue, void (^block)(NSError *, NSArray <NSNumber *> *));
```

MRMediaRemoteSendCommand internally just calls MRMediaRemoteSendCommandToApp so the commands are available here: https://github.com/theos/headers/blob/159a952c71bba3e7e3ae68b16d29c7fc549f5cdc/MediaRemote/MediaRemote.h#L79

_MROriginProtobuf: https://github.com/w0lfschild/macOS_headers/blob/master/macOS/PrivateFrameworks/MediaRemote/54/_MROriginProtobuf.h

Example usage:

```objc
MRMediaRemoteSendCommandToApp(MRMediaRemoteCommandPause, nil, nil, @"com.spotify.client", 0, nil, nil);
```

However, after trying that I got the following error in Console.app: [screenshot]

All commands were redirected to the now playing player.

Creating an app with the com.apple.mediaremote.send-commands entitlement will result in a crash on launch. To prevent the crash you need to do three things:

  1. Remove the com.apple.security.app-sandbox (App Sandbox) entitlement.
  2. Do not use an Apple-issued signing certificate (select None for Team in Signing & Capabilities). [image: Xcode Sign to Run Locally]
  3. Prevent AMFI from checking for the com.apple.mediaremote.send-commands entitlement. The method I recommend is using this kernel extension.
Dimitar Nestorov
  • This shows the method signature for `MRMediaRemoteSendCommand`. The question is seeking the method signature for the `MRMediaRemoteSendCommandToApp` method. – Dave Apr 28 '20 at 20:05
  • Thanks for updating, I'm still unsure how to determine the method signature from the header file though? – Dave Apr 29 '20 at 11:21
  • @Dave not sure I understand your question. Header files contain method signatures. Which header file? – Dimitar Nestorov Apr 29 '20 at 11:51
  • The header file you linked to has the method signature for `MRMediaRemoteSendCommand`. I'm wondering how you discovered which parameters to pass to `MRMediaRemoteSendCommandToApp`? – Dave Apr 29 '20 at 18:50
  • @Dave I spent a couple of hours using Hopper, Ghidra, and IDA to see what's going on inside those functions to figure out what kind of parameters those functions are expecting. Sometimes I needed to go 6-7 functions deep. Then I tried passing in the possibly expected parameters to see if it would crash. – Dimitar Nestorov Apr 29 '20 at 19:17
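
The example call from the answer, with the symbol resolved through dlopen/dlsym rather than linked (an added example, not code from the answer or from Apple). The parameter list is the one given in the answer; the framework path, the names MRSendCommandToAppFn, MRCommandCompletion, kPauseCommand and results, and typing the origin argument as id are assumptions.

```objc
#import <Foundation/Foundation.h>
#import <dlfcn.h>

// Parameter list as given in the answer. The origin argument is typed as id
// here because _MROriginProtobuf is declared only in a private header.
typedef void (^MRCommandCompletion)(NSError *error, NSArray<NSNumber *> *results);
typedef Boolean (*MRSendCommandToAppFn)(unsigned int command, NSDictionary *userInfo,
                                        id origin, NSString *bundleIdentifier,
                                        unsigned int sendOptions, dispatch_queue_t queue,
                                        MRCommandCompletion completion);

static const unsigned int kPauseCommand = 1; // kMRPause in the question's enum

int main(void) {
    @autoreleasepool {
        // Assumed install path of the private framework.
        const char *path = "/System/Library/PrivateFrameworks/MediaRemote.framework/MediaRemote";
        void *handle = dlopen(path, RTLD_LAZY);
        if (handle == NULL) {
            fprintf(stderr, "dlopen failed: %s\n", dlerror());
            return 1;
        }
        MRSendCommandToAppFn sendToApp =
            (MRSendCommandToAppFn)dlsym(handle, "MRMediaRemoteSendCommandToApp");
        if (sendToApp == NULL) {
            // Private symbols can be renamed or removed between OS releases.
            fprintf(stderr, "symbol not found: %s\n", dlerror());
            dlclose(handle);
            return 1;
        }

        dispatch_semaphore_t done = dispatch_semaphore_create(0);
        dispatch_queue_t queue = dispatch_get_global_queue(QOS_CLASS_DEFAULT, 0);
        Boolean accepted = sendToApp(kPauseCommand, nil, nil, @"com.spotify.client", 0, queue,
            ^(NSError *error, NSArray<NSNumber *> *results) {
                NSLog(@"completion: error=%@ results=%@", error, results);
                dispatch_semaphore_signal(done);
            });
        NSLog(@"call returned %d", accepted);

        // Bounded wait: the block may never run if the command is rejected.
        dispatch_time_t deadline = dispatch_time(DISPATCH_TIME_NOW, 5 * NSEC_PER_SEC);
        if (dispatch_semaphore_wait(done, deadline) != 0) {
            NSLog(@"no completion callback within 5 seconds");
        }
        dlclose(handle);
    }
    return 0;
}
```

Checking the dlsym result before calling turns a missing or renamed private symbol into a clean error instead of a crash at load time.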