Difference between revisions of "Talk:SHSH Protocol"

From The iPhone Wiki
(Problem solving, Content-Length)
Revision as of 07:41, 21 December 2010

Naming

Or should I better have named this TSS Protocol instead? -- http 21:23, 15 August 2010 (UTC)

I think the current title makes it easier to tell that it relates to SHSH. I can't recall what TSS stands for, and I think it would also be easier to find. Iemit737 21:36, 15 August 2010 (UTC)

Implementation

How can I implement this on a Linux-based system? I have the request, but the 'telnet' and 'POST' commands don't work. --dra1nerdrake 22:40, 15 August 2010 (UTC)

Telnet should work. Just enter

telnet gs.apple.com 80

Then you have an HTTP connection. Send the request, terminate it with two CR/LF, and you get the response. You can try with any other web page first; that should work the same way:

telnet www.google.com 80

Then:

GET / HTTP/1.0


And didn't semaphore release a unix version with some source code of TinyUmbrella? -- http 23:49, 15 August 2010 (UTC)

Great, thanks, forgot the port number. He released unix TinyUmbrella, but it segfaults and I can't code in Java. --dra1nerdrake 04:18, 16 August 2010 (UTC)

EDIT: I can't seem to get it to work. I do:

telnet cydia.saurik.com 80

Then I do

POST /TSS/controller?action=2 HTTP/1.1
Accept: */*
Cache-Control: no-cache
Content-type: text/xml; charset="utf-8"
User-Agent: InetURL/1.0
Content-Length: 411
Host: gs.apple.com

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>@HostIpAddress</key>
	<string>192.168.0.1</string>
	<key>@HostPlatformInfo</key>
	<string>darwin</string>
	<key>@VersionInfo</key>
	<string>3.8</string>
	<key>@Locality</key>
	<string>en_US</string>
	<key>ApProductionMode</key>
	<true/>
	<key>ApECID</key>
	<string>1430661561679</string>
	<key>ApChipID</key>
	<integer>35106</integer>
	<key>ApBoardID</key>
	<integer>2</integer>
	<key>ApSecurityDomain</key>
	<integer>1</integer>
	<key>UniqueBuildID</key>
	<data>uvWKIop3L16LfQymS8IyiDZXXw0=</data>
	<key>AppleLogo</key>
	<dict>
		<key>Digest</key>
		<data>kK7SLPJWvaq+GAn9Dm/sG6aJjXg=</data>
		<key>Info</key>
		<dict>
			<key>IsFirmwarePayload</key>
			<true/>
			<key>Path</key>
			<string>Firmware/all_flash/all_flash.n18ap.production/applelogo.s5l8922x.img3</string>
		</dict>
		<key>PartialDigest</key>
		<data>QAAAAHgdAADDPQY07wMJ1z2qVSjKuM4iqjhFKw==</data>
		<key>Trusted</key>
		<true/>
	</dict>
	<key>BatteryCharging</key>
	<dict>
		<key>Digest</key>
		<data>lvxtYniO/PKy46ZZV0YIe9ZeNt0=</data>
		<key>Info</key>
		<dict>
			<key>IsFirmwarePayload</key>
			<true/>
			<key>Path</key>
			<string>Firmware/all_flash/all_flash.n18ap.production/glyphcharging.s5l8922x.img3</string>
		</dict>
		<key>PartialDigest</key>
		<data>QAAAAHhHAADPFoOCbp1jZBqTtFlCT3XE/qYkKw==</data>
		<key>Trusted</key>
		<true/>
	</dict>
	<key>BatteryCharging0</key>
	<dict>
		<key>Digest</key>
		<data>+o+lH7zqvh90+/cRCjNeSmTsNvU=</data>
		<key>Info</key>
		<dict>
			<key>IsFirmwarePayload</key>
			<true/>
			<key>Path</key>
			<string>Firmware/all_flash/all_flash.n18ap.production/batterycharging0.s5l8922x.img3</string>
		</dict>
		<key>PartialDigest</key>
		<data>QAAAAPhEAADGKdYO2peJTZrXjeitEdUEMiC8hw==</data>
		<key>Trusted</key>
		<true/>
	</dict>
	<key>BatteryCharging1</key>
	<dict>
		<key>Digest</key>
		<data>u7NDP6MdWuEGT5Q4Qsm/OrsGTuE=</data>
		<key>Info</key>
		<dict>
			<key>IsFirmwarePayload</key>
			<true/>
			<key>Path</key>
			<string>Firmware/all_flash/all_flash.n18ap.production/batterycharging1.s5l8922x.img3</string>
		</dict>
		<key>PartialDigest</key>
		<data>QAAAADhZAAAWwQq0Y75xTjOyQ9gxMVNrczF01g==</data>
		<key>Trusted</key>
		<true/>
	</dict>
	<key>BatteryFull</key>
	<dict>
		<key>Digest</key>
		<data>fTK7DLd3XJTHX9ywLJy97+VeUN0=</data>
		<key>Info</key>
		<dict>
			<key>IsFirmwarePayload</key>
			<true/>
			<key>Path</key>
			<string>Firmware/all_flash/all_flash.n18ap.production/batteryfull.s5l8922x.img3</string>
		</dict>
		<key>PartialDigest</key>
		<data>QAAAADghAQDNQ9aqlsb/szaE/5Xh9OJF1WIhxw==</data>
		<key>Trusted</key>
		<true/>
	</dict>
	<key>BatteryLow0</key>
	<dict>
		<key>Digest</key>
		<data>rdMyyO2tICLCLzvxY05lirfWrzQ=</data>
		<key>Info</key>
		<dict>
			<key>IsFirmwarePayload</key>
			<true/>
			<key>Path</key>
			<string>Firmware/all_flash/all_flash.n18ap.production/batterylow0.s5l8922x.img3</string>
		</dict>
		<key>PartialDigest</key>
		<data>QAAAALjVAAB7wuaDZva7tC1CGWUl4ATOZ7aUbA==</data>
		<key>Trusted</key>
		<true/>
	</dict>
	<key>BatteryLow1</key>
	<dict>
		<key>Digest</key>
		<data>ecfArQo2Cxly0h6D7iYT9TLKSSE=</data>
		<key>Info</key>
		<dict>
			<key>IsFirmwarePayload</key>
			<true/>
			<key>Path</key>
			<string>Firmware/all_flash/all_flash.n18ap.production/batterylow1.s5l8922x.img3</string>
		</dict>
		<key>PartialDigest</key>
		<data>QAAAAPj2AAABqpmcEB9sOeTSulytXfC8KWZU9g==</data>
		<key>Trusted</key>
		<true/>
	</dict>
	<key>BatteryPlugin</key>
	<dict>
		<key>Digest</key>
		<data>MtXc08RsYs+6BMhD4kY0quNr/AU=</data>
		<key>Info</key>
		<dict>
			<key>IsFirmwarePayload</key>
			<true/>
			<key>Path</key>
			<string>Firmware/all_flash/all_flash.n18ap.production/glyphplugin.s5l8922x.img3</string>
		</dict>
		<key>PartialDigest</key>
		<data>QAAAAHhDAABQJN3XJEBkNhnJqv6Ra2zBYJeuoQ==</data>
		<key>Trusted</key>
		<true/>
	</dict>
	<key>DeviceTree</key>
	<dict>
		<key>Digest</key>
		<data>ngiLrFM16Bg/BkPkmqf59h3H90c=</data>
		<key>Info</key>
		<dict>
			<key>IsFirmwarePayload</key>
			<true/>
			<key>Path</key>
			<string>Firmware/all_flash/all_flash.n18ap.production/DeviceTree.n18ap.img3</string>
		</dict>
		<key>PartialDigest</key>
		<data>QAAAALiDAABl290rfckYS+L3TjGRA7j8avdgDg==</data>
		<key>Trusted</key>
		<true/>
	</dict>
	<key>KernelCache</key>
	<dict>
		<key>Digest</key>
		<data>F978uz3zV6USmE34FMmm6xeQDwU=</data>
		<key>Info</key>
		<dict>
			<key>Path</key>
			<string>kernelcache.release.s5l8922x</string>
		</dict>
		<key>PartialDigest</key>
		<data>QAAAALhxPQDOpPhRPAe/mVP5J89iIhtaQEmJgg==</data>
		<key>Trusted</key>
		<true/>
	</dict>
	<key>LLB</key>
	<dict>
		<key>BuildString</key>
		<string>iBoot-636.66~5</string>
		<key>Info</key>
		<dict>
			<key>IsFirmwarePayload</key>
			<true/>
			<key>Path</key>
			<string>Firmware/all_flash/all_flash.n18ap.production/LLB.n18ap.RELEASE.img3</string>
		</dict>
		<key>PartialDigest</key>
		<data>QAAAADgxAQDkevEFsIGKqarjmv9T7avG8oGXhg==</data>
	</dict>
	<key>NeedService</key>
	<dict>
		<key>Digest</key>
		<data>klkKn9XNikUb9bdtVU7b2yv9OYc=</data>
		<key>Info</key>
		<dict>
			<key>IsFirmwarePayload</key>
			<true/>
			<key>Path</key>
			<string>Firmware/all_flash/all_flash.n18ap.production/needservice.s5l8922x.img3</string>
		</dict>
		<key>PartialDigest</key>
		<data>QAAAALhHAACO1eYCz8W9YsCQ5OT1T0CFHk+aHQ==</data>
		<key>Trusted</key>
		<true/>
	</dict>
	<key>OS</key>
	<dict>
		<key>Info</key>
		<dict>
			<key>Path</key>
			<string>018-6152-014.dmg</string>
		</dict>
	</dict>
	<key>RecoveryMode</key>
	<dict>
		<key>Digest</key>
		<data>DjD6JMIq4Qnnsay14L3jL+AdxPs=</data>
		<key>Info</key>
		<dict>
			<key>IsFirmwarePayload</key>
			<true/>
			<key>Path</key>
			<string>Firmware/all_flash/all_flash.n18ap.production/recoverymode.s5l8922x.img3</string>
		</dict>
		<key>PartialDigest</key>
		<data>QAAAAPiyAABju7ZnxiRutww2vcmjIIlXG4KSAA==</data>
		<key>Trusted</key>
		<true/>
	</dict>
	<key>RestoreDeviceTree</key>
	<dict>
		<key>Digest</key>
		<data>ngiLrFM16Bg/BkPkmqf59h3H90c=</data>
		<key>Info</key>
		<dict>
			<key>Path</key>
			<string>Firmware/all_flash/all_flash.n18ap.production/DeviceTree.n18ap.img3</string>
		</dict>
		<key>PartialDigest</key>
		<data>QAAAALiDAABl290rfckYS+L3TjGRA7j8avdgDg==</data>
		<key>Trusted</key>
		<true/>
	</dict>
	<key>RestoreKernelCache</key>
	<dict>
		<key>Digest</key>
		<data>F978uz3zV6USmE34FMmm6xeQDwU=</data>
		<key>Info</key>
		<dict>
			<key>Path</key>
			<string>kernelcache.release.s5l8922x</string>
		</dict>
		<key>PartialDigest</key>
		<data>QAAAALhxPQDOpPhRPAe/mVP5J89iIhtaQEmJgg==</data>
		<key>Trusted</key>
		<true/>
	</dict>
	<key>RestoreLogo</key>
	<dict>
		<key>Digest</key>
		<data>kK7SLPJWvaq+GAn9Dm/sG6aJjXg=</data>
		<key>Info</key>
		<dict>
			<key>Path</key>
			<string>Firmware/all_flash/all_flash.n18ap.production/applelogo.s5l8922x.img3</string>
		</dict>
		<key>PartialDigest</key>
		<data>QAAAAHgdAADDPQY07wMJ1z2qVSjKuM4iqjhFKw==</data>
		<key>Trusted</key>
		<true/>
	</dict>
	<key>RestoreRamDisk</key>
	<dict>
		<key>Digest</key>
		<data>20tqZkEp1wApx1tz+ZCP38axvHE=</data>
		<key>Info</key>
		<dict>
			<key>Path</key>
			<string>018-6145-014.dmg</string>
		</dict>
		<key>PartialDigest</key>
		<data>QAAAAPjQuwAyMjwJWKpL0b8bUzYKajbbPEVuPA==</data>
		<key>Trusted</key>
		<true/>
	</dict>
	<key>iBEC</key>
	<dict>
		<key>BuildString</key>
		<string>iBoot-636.66~5</string>
		<key>Info</key>
		<dict>
			<key>Path</key>
			<string>Firmware/dfu/iBEC.n18ap.RELEASE.dfu</string>
		</dict>
		<key>PartialDigest</key>
		<data>QAAAADjRAQDQA4xYDDo21pS9j57YWeGp6l/TvA==</data>
	</dict>
	<key>iBSS</key>
	<dict>
		<key>BuildString</key>
		<string>iBoot-636.66~5</string>
		<key>Info</key>
		<dict>
			<key>Path</key>
			<string>Firmware/dfu/iBSS.n18ap.RELEASE.dfu</string>
		</dict>
		<key>PartialDigest</key>
		<data>QAAAADjRAQA2J3DDdRv+TmjaGodpeT634g/Haw==</data>
	</dict>
	<key>iBoot</key>
	<dict>
		<key>Digest</key>
		<data>soCT6YL1cig/OKRvbam3igRcvaQ=</data>
		<key>Info</key>
		<dict>
			<key>IsFirmwarePayload</key>
			<true/>
			<key>Path</key>
			<string>Firmware/all_flash/all_flash.n18ap.production/iBoot.n18ap.RELEASE.img3</string>
		</dict>
		<key>PartialDigest</key>
		<data>QAAAADihAgB46rf/axQHtuftGLR8SDpdOuOywA==</data>
		<key>Trusted</key>
		<true/>
	</dict>
</dict>
</plist>
<CR><LF>
<CR><LF>

But no dice. --dra1nerdrake 18:33, 16 August 2010 (UTC)


  • I think your main problem is that your content is more than the 411 bytes that you specified.
  • Where do you have the digest etc. values from?
  • In my article I didn't write about the Info key you added. What is that?

-- http 20:45, 16 August 2010 (UTC)

I copied the entire plist from a plist generated by idevicerestore. Digest values are from the buildmanifest.plist, at the root directory of the firmware. I ran it in debug mode (-d). What should I put in place of 411? --dra1nerdrake 02:12, 17 August 2010 (UTC)

It should be the size of the data you transfer. The data seems to be much longer than 411 bytes, I didn't count though. See section 14.13 here (RFC2616). --http 03:56, 17 August 2010 (UTC)

Did it finally work for you? Also: Do you know how idevicerestore creates these Digest values? If you find that out, maybe you can update the article. -- http 22:42, 24 August 2010 (UTC)

Curl is more suitable for LL HTTP, try something like:

$ curl -v "http://cydia.saurik.com/TSS/controller?action=2" -X POST -d @1.plist -H "Host: gs.apple.com" -H "Content-type: text/xml; charset=utf8"
* About to connect() to cydia.saurik.com port 80 (#0)
*   Trying 74.208.10.249... connected
* Connected to cydia.saurik.com (74.208.10.249) port 80 (#0)
> POST /TSS/controller?action=2 HTTP/1.1
> User-Agent: curl/7.19.7 (universal-apple-darwin10.0) libcurl/7.19.7 OpenSSL/0.9.8l zlib/1.2.3
> Accept: */*
> Host: gs.apple.com
> Content-type: text/xml; charset=utf8
> Content-Length: 8222
> Expect: 100-continue
> 
< HTTP/1.1 100 Continue
< HTTP/1.1 200 OK
< Server: nginx/0.7.64
< Date: Thu, 26 Aug 2010 09:27:56 GMT
< Content-Type: text/plain
< Transfer-Encoding: chunked
< Connection: keep-alive
< Cache-Control: private, proxy-revalidate
< 
STATUS=94&MESSAGE=This device isn't eligible for the requested build.
* Connection #0 to host cydia.saurik.com left intact
* Closing connection #0

where 1.plist is a file with your plist --Vasfed 09:41, 26 August 2010 (UTC)

Request?

I'm still not understanding the telnet part of this. I can connect fine, but what exactly is the request that I have to send in order to get back a plist file with the SHSH blobs? --Cool name 04:08, 16 August 2010 (UTC)

Rewrite

Somebody should rewrite this article as it is partially wrong and the iPhone 4 needs more values, but I can't seem to figure out all of them. --sn0wra1n

It is not that different; between the iPhone 4 build manifest and the iPhone 3GS build manifest the only difference is:

<key>BbChipID</key>
<string>0x50</string>
<key>BbSkeyId</key>
<data>l6s0rAaT9bA7+3JtTiwlTxTicKE=</data>
	<key>EBL-Digest</key>
	<data>B/rJD65edrIfdautbDNZaJuUfOU=</data>
	<key>FlashPSI-PartialDigest</key>
	<data>QAQAAMB6AACo7NXgZ2muHRNmX3gIXFDTaxOfUA==</data>
	<key>FlashPSI-SecPackDigest</key>
	<data>aV7n5VUpvSbMWA4ImMj4R0vfpmk=</data>
	<key>FlashPSI-Version</key>
	<string>0x00020008</string>
	<key>Info</key>
	<dict>
		<key>Path</key>
		<string>Firmware/ICE3_03.10.01_BOOT_02.08.Release.bbfw</string>
	</dict>
	<key>ModemStack-Digest</key>
	<data>Bf9WSgSASGLSpQqRYdAFIt6Nce8=</data>
	<key>ModemStack-Length</key>
	<string>0x006f0934</string>
	<key>ModemStack-SecPackDigest</key>
	<data>sjmc0PFoajjg5fJLcLztnN27YVM=</data>
	<key>RamPSI-PartialDigest</key>
	<data>QAQAAMD5AACPnk/ZFyWqznQdTlQX95aC8NXjqQ==</data>
	<key>RamPSI-Version</key>
	<string>0x00020008</string>
</dict>
</plist>

--liamchat 13:12, 19 December 2010 (UTC)

So if I want to create a SHSH request, I just copy the BuildManifest.plist and add the ECID value only? If not, is there any sample SHSH request plist with the entire thing? --sn0wra1n

Yes, but the baseband will also give its nonce key (which is required to validate the SHSH of the baseband), so you could cache the baseband SHSHs, but the nonce is what makes them work. --liamchat 14:59, 19 December 2010 (UTC)

I decided to use my iPod Touch 4 then my iPhone 4, so this is what I got: SHSH Request Plist (http://pastie.org/private/7xcigxahj9sdfjeoa5f0w), but the problem is I don't receive anything after submitting. How long should I wait to receive it?

  • How do I calculate my Content-Length (with or without the header size)?
  • Must the plist be spaced/formatted correctly?

--Sn0wra1n 01:59, 21 December 2010 (UTC)

  • Content-Length: This is the standard HTTP protocol. See RFC2616 (http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.13) sections 14.13 and 4.4. In short: only the message body, not the header.
  • spacing/formatting: shouldn't matter; it's XML
  • time: the answer should come immediately. If you get no reply, try to fetch the Google start page this way first; there you don't need a message body. Also you can start with HTTP/1.0, where you don't need any header rows (except the GET statement, of course):
GET / HTTP/1.0


--http 07:41, 21 December 2010 (UTC)
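The two questions above (how Content-Length is counted, and whether the plist's whitespace matters), together with the earlier advice to copy the BuildManifest identity and add the ECID, can be checked offline. The following is an added example written for this page; it is not code from the wiki, from the posters, or from idevicerestore/TinyUmbrella. It uses Python's standard plistlib and urllib. The key names, the host and the request path come from the request quoted in this thread; the digest bytes, the ECID and the manifest entry itself are constructed placeholders.

```python
"""Added example (not from the wiki page or any of the posters): build a TSS
request body from a BuildManifest-style dict, frame it as a raw HTTP POST
with a correct Content-Length, and parse the server's reply line.
All sample values below are constructed."""
import plistlib
from urllib.parse import parse_qs

# Constructed stand-in for one BuildManifest identity. Key names follow the
# request quoted in the thread; the digest bytes are invented placeholders.
SAMPLE_MANIFEST_ENTRY = {
    "ApChipID": 35106,
    "ApBoardID": 2,
    "ApSecurityDomain": 1,
    "UniqueBuildID": bytes(range(20)),
    "KernelCache": {
        "Digest": b"\xaa" * 20,
        "Info": {"Path": "kernelcache.release.s5l8922x"},
        "PartialDigest": b"\xbb" * 28,
        "Trusted": True,
    },
}


def build_tss_request(manifest_entry, ecid, host_ip="192.168.0.1"):
    """Return the XML plist bytes that form the HTTP body: the manifest
    identity plus the per-device fields seen in the thread's request."""
    req = {
        "@HostIpAddress": host_ip,
        "@HostPlatformInfo": "darwin",
        "@VersionInfo": "3.8",
        "@Locality": "en_US",
        "ApProductionMode": True,
        "ApECID": str(ecid),  # the thread's plist sends the ECID as a decimal string
    }
    req.update(manifest_entry)
    return plistlib.dumps(req, fmt=plistlib.FMT_XML)


def frame_http_post(body, path="/TSS/controller?action=2", host="gs.apple.com"):
    """Wrap the body in a raw HTTP/1.1 POST. Content-Length counts the body
    bytes only (RFC 2616 section 14.13), never the header lines; the header
    block ends with an empty line, i.e. the two CR/LF typed by hand in telnet."""
    headers = [
        f"POST {path} HTTP/1.1",
        f"Host: {host}",
        "Accept: */*",
        "Cache-Control: no-cache",
        'Content-type: text/xml; charset="utf-8"',
        "User-Agent: InetURL/1.0",
        f"Content-Length: {len(body)}",
    ]
    return "\r\n".join(headers).encode("ascii") + b"\r\n\r\n" + body


def declared_content_length(request):
    """Read the Content-Length back out of a framed request."""
    head = request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n"):
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            return int(value.strip())
    raise ValueError("no Content-Length header")


def body_of(request):
    """Everything after the first empty line is the entity body."""
    return request.split(b"\r\n\r\n", 1)[1]


def strip_indentation(body):
    """Drop leading whitespace from every line: a differently formatted plist
    with the same content (whitespace inside <data> is ignored by the decoder)."""
    return b"\n".join(line.lstrip() for line in body.split(b"\n"))


def load_plist(body):
    """Parse plist bytes back into a Python dict."""
    return plistlib.loads(body)


def parse_tss_response(text):
    """The server answers with a form-encoded line such as
    STATUS=94&MESSAGE=This device isn't eligible for the requested build.
    STATUS is returned as an int, other fields as strings."""
    fields = {k: v[0] for k, v in parse_qs(text, keep_blank_values=True).items()}
    if "STATUS" in fields:
        fields["STATUS"] = int(fields["STATUS"])
    return fields


if __name__ == "__main__":
    body = build_tss_request(SAMPLE_MANIFEST_ENTRY, 1430661561679)
    request = frame_http_post(body)
    print(f"body {len(body)} bytes, request {len(request)} bytes, "
          f"Content-Length {declared_content_length(request)}")
    print(parse_tss_response("STATUS=94&MESSAGE=This device isn't eligible for the requested build."))
```

Running it shows the request being longer than its Content-Length by exactly the header block, which is the mismatch behind the "411" problem earlier in the thread, and that re-indenting the plist changes its byte length (so the header must be recomputed) without changing what the server would parse.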