Difference between revisions of "Talk:SHSH Protocol"

From The iPhone Wiki
Revision as of 16:42, 8 June 2011

Naming

Or should I better have named this TSS Protocol instead? -- http 21:23, 15 August 2010 (UTC)

I think the current title is easier to tell it relates to shsh. I can't recall what tss stands for, and I think it would also be easier to find. Iemit737 21:36, 15 August 2010 (UTC)

Implementation

How can I implement this on a Linux-based system? I have the request, but the 'telnet' and 'POST' commands don't work. --dra1nerdrake 22:40, 15 August 2010 (UTC)

Telnet should work. Just enter

telnet gs.apple.com 80

Then you get an HTTP connection. Then send the request and terminate with two CR/LF and you get the response. You can try with any other web page first; that should work the same way:

telnet www.google.com 80

Then:

GET / HTTP/1.0


And didn't semaphore release a unix version with some source code of TinyUmbrella? -- http 23:49, 15 August 2010 (UTC)

Great, thanks, forgot the port number. He released unix TinyUmbrella, but it segfaults and I can't code in Java. --dra1nerdrake 04:18, 16 August 2010 (UTC)

EDIT: I can't seem to get it to work. I do:

telnet cydia.saurik.com 80

Then I do

POST /TSS/controller?action=2 HTTP/1.1
Accept: */*
Cache-Control: no-cache
Content-type: text/xml; charset="utf-8"
User-Agent: InetURL/1.0
Content-Length: 411
Host: gs.apple.com

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>@HostIpAddress</key>
	<string>192.168.0.1</string>
	<key>@HostPlatformInfo</key>
	<string>darwin</string>
	<key>@VersionInfo</key>
	<string>3.8</string>
	<key>@Locality</key>
	<string>en_US</string>
	<key>ApProductionMode</key>
	<true/>
	<key>ApECID</key>
	<string>1430661561679</string>
	<key>ApChipID</key>
	<integer>35106</integer>
	<key>ApBoardID</key>
	<integer>2</integer>
	<key>ApSecurityDomain</key>
	<integer>1</integer>
	<key>UniqueBuildID</key>
	<data>uvWKIop3L16LfQymS8IyiDZXXw0=</data>
	<key>AppleLogo</key>
	<dict>
		<key>Digest</key>
		<data>kK7SLPJWvaq+GAn9Dm/sG6aJjXg=</data>
		<key>Info</key>
		<dict>
			<key>IsFirmwarePayload</key>
			<true/>
			<key>Path</key>
			<string>Firmware/all_flash/all_flash.n18ap.production/applelogo.s5l8922x.img3</string>
		</dict>
		<key>PartialDigest</key>
		<data>QAAAAHgdAADDPQY07wMJ1z2qVSjKuM4iqjhFKw==</data>
		<key>Trusted</key>
		<true/>
	</dict>
	<key>BatteryCharging</key>
	<dict>
		<key>Digest</key>
		<data>lvxtYniO/PKy46ZZV0YIe9ZeNt0=</data>
		<key>Info</key>
		<dict>
			<key>IsFirmwarePayload</key>
			<true/>
			<key>Path</key>
			<string>Firmware/all_flash/all_flash.n18ap.production/glyphcharging.s5l8922x.img3</string>
		</dict>
		<key>PartialDigest</key>
		<data>QAAAAHhHAADPFoOCbp1jZBqTtFlCT3XE/qYkKw==</data>
		<key>Trusted</key>
		<true/>
	</dict>
	<key>BatteryCharging0</key>
	<dict>
		<key>Digest</key>
		<data>+o+lH7zqvh90+/cRCjNeSmTsNvU=</data>
		<key>Info</key>
		<dict>
			<key>IsFirmwarePayload</key>
			<true/>
			<key>Path</key>
			<string>Firmware/all_flash/all_flash.n18ap.production/batterycharging0.s5l8922x.img3</string>
		</dict>
		<key>PartialDigest</key>
		<data>QAAAAPhEAADGKdYO2peJTZrXjeitEdUEMiC8hw==</data>
		<key>Trusted</key>
		<true/>
	</dict>
	<key>BatteryCharging1</key>
	<dict>
		<key>Digest</key>
		<data>u7NDP6MdWuEGT5Q4Qsm/OrsGTuE=</data>
		<key>Info</key>
		<dict>
			<key>IsFirmwarePayload</key>
			<true/>
			<key>Path</key>
			<string>Firmware/all_flash/all_flash.n18ap.production/batterycharging1.s5l8922x.img3</string>
		</dict>
		<key>PartialDigest</key>
		<data>QAAAADhZAAAWwQq0Y75xTjOyQ9gxMVNrczF01g==</data>
		<key>Trusted</key>
		<true/>
	</dict>
	<key>BatteryFull</key>
	<dict>
		<key>Digest</key>
		<data>fTK7DLd3XJTHX9ywLJy97+VeUN0=</data>
		<key>Info</key>
		<dict>
			<key>IsFirmwarePayload</key>
			<true/>
			<key>Path</key>
			<string>Firmware/all_flash/all_flash.n18ap.production/batteryfull.s5l8922x.img3</string>
		</dict>
		<key>PartialDigest</key>
		<data>QAAAADghAQDNQ9aqlsb/szaE/5Xh9OJF1WIhxw==</data>
		<key>Trusted</key>
		<true/>
	</dict>
	<key>BatteryLow0</key>
	<dict>
		<key>Digest</key>
		<data>rdMyyO2tICLCLzvxY05lirfWrzQ=</data>
		<key>Info</key>
		<dict>
			<key>IsFirmwarePayload</key>
			<true/>
			<key>Path</key>
			<string>Firmware/all_flash/all_flash.n18ap.production/batterylow0.s5l8922x.img3</string>
		</dict>
		<key>PartialDigest</key>
		<data>QAAAALjVAAB7wuaDZva7tC1CGWUl4ATOZ7aUbA==</data>
		<key>Trusted</key>
		<true/>
	</dict>
	<key>BatteryLow1</key>
	<dict>
		<key>Digest</key>
		<data>ecfArQo2Cxly0h6D7iYT9TLKSSE=</data>
		<key>Info</key>
		<dict>
			<key>IsFirmwarePayload</key>
			<true/>
			<key>Path</key>
			<string>Firmware/all_flash/all_flash.n18ap.production/batterylow1.s5l8922x.img3</string>
		</dict>
		<key>PartialDigest</key>
		<data>QAAAAPj2AAABqpmcEB9sOeTSulytXfC8KWZU9g==</data>
		<key>Trusted</key>
		<true/>
	</dict>
	<key>BatteryPlugin</key>
	<dict>
		<key>Digest</key>
		<data>MtXc08RsYs+6BMhD4kY0quNr/AU=</data>
		<key>Info</key>
		<dict>
			<key>IsFirmwarePayload</key>
			<true/>
			<key>Path</key>
			<string>Firmware/all_flash/all_flash.n18ap.production/glyphplugin.s5l8922x.img3</string>
		</dict>
		<key>PartialDigest</key>
		<data>QAAAAHhDAABQJN3XJEBkNhnJqv6Ra2zBYJeuoQ==</data>
		<key>Trusted</key>
		<true/>
	</dict>
	<key>DeviceTree</key>
	<dict>
		<key>Digest</key>
		<data>ngiLrFM16Bg/BkPkmqf59h3H90c=</data>
		<key>Info</key>
		<dict>
			<key>IsFirmwarePayload</key>
			<true/>
			<key>Path</key>
			<string>Firmware/all_flash/all_flash.n18ap.production/DeviceTree.n18ap.img3</string>
		</dict>
		<key>PartialDigest</key>
		<data>QAAAALiDAABl290rfckYS+L3TjGRA7j8avdgDg==</data>
		<key>Trusted</key>
		<true/>
	</dict>
	<key>KernelCache</key>
	<dict>
		<key>Digest</key>
		<data>F978uz3zV6USmE34FMmm6xeQDwU=</data>
		<key>Info</key>
		<dict>
			<key>Path</key>
			<string>kernelcache.release.s5l8922x</string>
		</dict>
		<key>PartialDigest</key>
		<data>QAAAALhxPQDOpPhRPAe/mVP5J89iIhtaQEmJgg==</data>
		<key>Trusted</key>
		<true/>
	</dict>
	<key>LLB</key>
	<dict>
		<key>BuildString</key>
		<string>iBoot-636.66~5</string>
		<key>Info</key>
		<dict>
			<key>IsFirmwarePayload</key>
			<true/>
			<key>Path</key>
			<string>Firmware/all_flash/all_flash.n18ap.production/LLB.n18ap.RELEASE.img3</string>
		</dict>
		<key>PartialDigest</key>
		<data>QAAAADgxAQDkevEFsIGKqarjmv9T7avG8oGXhg==</data>
	</dict>
	<key>NeedService</key>
	<dict>
		<key>Digest</key>
		<data>klkKn9XNikUb9bdtVU7b2yv9OYc=</data>
		<key>Info</key>
		<dict>
			<key>IsFirmwarePayload</key>
			<true/>
			<key>Path</key>
			<string>Firmware/all_flash/all_flash.n18ap.production/needservice.s5l8922x.img3</string>
		</dict>
		<key>PartialDigest</key>
		<data>QAAAALhHAACO1eYCz8W9YsCQ5OT1T0CFHk+aHQ==</data>
		<key>Trusted</key>
		<true/>
	</dict>
	<key>OS</key>
	<dict>
		<key>Info</key>
		<dict>
			<key>Path</key>
			<string>018-6152-014.dmg</string>
		</dict>
	</dict>
	<key>RecoveryMode</key>
	<dict>
		<key>Digest</key>
		<data>DjD6JMIq4Qnnsay14L3jL+AdxPs=</data>
		<key>Info</key>
		<dict>
			<key>IsFirmwarePayload</key>
			<true/>
			<key>Path</key>
			<string>Firmware/all_flash/all_flash.n18ap.production/recoverymode.s5l8922x.img3</string>
		</dict>
		<key>PartialDigest</key>
		<data>QAAAAPiyAABju7ZnxiRutww2vcmjIIlXG4KSAA==</data>
		<key>Trusted</key>
		<true/>
	</dict>
	<key>RestoreDeviceTree</key>
	<dict>
		<key>Digest</key>
		<data>ngiLrFM16Bg/BkPkmqf59h3H90c=</data>
		<key>Info</key>
		<dict>
			<key>Path</key>
			<string>Firmware/all_flash/all_flash.n18ap.production/DeviceTree.n18ap.img3</string>
		</dict>
		<key>PartialDigest</key>
		<data>QAAAALiDAABl290rfckYS+L3TjGRA7j8avdgDg==</data>
		<key>Trusted</key>
		<true/>
	</dict>
	<key>RestoreKernelCache</key>
	<dict>
		<key>Digest</key>
		<data>F978uz3zV6USmE34FMmm6xeQDwU=</data>
		<key>Info</key>
		<dict>
			<key>Path</key>
			<string>kernelcache.release.s5l8922x</string>
		</dict>
		<key>PartialDigest</key>
		<data>QAAAALhxPQDOpPhRPAe/mVP5J89iIhtaQEmJgg==</data>
		<key>Trusted</key>
		<true/>
	</dict>
	<key>RestoreLogo</key>
	<dict>
		<key>Digest</key>
		<data>kK7SLPJWvaq+GAn9Dm/sG6aJjXg=</data>
		<key>Info</key>
		<dict>
			<key>Path</key>
			<string>Firmware/all_flash/all_flash.n18ap.production/applelogo.s5l8922x.img3</string>
		</dict>
		<key>PartialDigest</key>
		<data>QAAAAHgdAADDPQY07wMJ1z2qVSjKuM4iqjhFKw==</data>
		<key>Trusted</key>
		<true/>
	</dict>
	<key>RestoreRamDisk</key>
	<dict>
		<key>Digest</key>
		<data>20tqZkEp1wApx1tz+ZCP38axvHE=</data>
		<key>Info</key>
		<dict>
			<key>Path</key>
			<string>018-6145-014.dmg</string>
		</dict>
		<key>PartialDigest</key>
		<data>QAAAAPjQuwAyMjwJWKpL0b8bUzYKajbbPEVuPA==</data>
		<key>Trusted</key>
		<true/>
	</dict>
	<key>iBEC</key>
	<dict>
		<key>BuildString</key>
		<string>iBoot-636.66~5</string>
		<key>Info</key>
		<dict>
			<key>Path</key>
			<string>Firmware/dfu/iBEC.n18ap.RELEASE.dfu</string>
		</dict>
		<key>PartialDigest</key>
		<data>QAAAADjRAQDQA4xYDDo21pS9j57YWeGp6l/TvA==</data>
	</dict>
	<key>iBSS</key>
	<dict>
		<key>BuildString</key>
		<string>iBoot-636.66~5</string>
		<key>Info</key>
		<dict>
			<key>Path</key>
			<string>Firmware/dfu/iBSS.n18ap.RELEASE.dfu</string>
		</dict>
		<key>PartialDigest</key>
		<data>QAAAADjRAQA2J3DDdRv+TmjaGodpeT634g/Haw==</data>
	</dict>
	<key>iBoot</key>
	<dict>
		<key>Digest</key>
		<data>soCT6YL1cig/OKRvbam3igRcvaQ=</data>
		<key>Info</key>
		<dict>
			<key>IsFirmwarePayload</key>
			<true/>
			<key>Path</key>
			<string>Firmware/all_flash/all_flash.n18ap.production/iBoot.n18ap.RELEASE.img3</string>
		</dict>
		<key>PartialDigest</key>
		<data>QAAAADihAgB46rf/axQHtuftGLR8SDpdOuOywA==</data>
		<key>Trusted</key>
		<true/>
	</dict>
</dict>
</plist>
<CR><LF>
<CR><LF>

But no dice. --dra1nerdrake 18:33, 16 August 2010 (UTC)


  • I think your main problem is that your content is more than the 411 bytes that you specified.
  • Where do you have the digest etc. values from?
  • In my article I didn't write about the Info key you added. What is that?

-- http 20:45, 16 August 2010 (UTC)

I copied the entire plist from a plist generated by idevicerestore. Digest values are from the buildmanifest.plist, at the root directory of the firmware. I ran it in debug mode (-d). What should I put in place of 411? --dra1nerdrake 02:12, 17 August 2010 (UTC)

It should be the size of the data you transfer. The data seems to be much longer than 411 bytes; I didn't count, though. See section 14.13 here (RFC2616). --http 03:56, 17 August 2010 (UTC)

Did it finally work for you? Also: Do you know how idevicerestore creates these Digest values? If you find that out, maybe you can update the article. -- http 22:42, 24 August 2010 (UTC)

Curl is more suitable for LL HTTP, try something like:

$ curl -v "http://cydia.saurik.com/TSS/controller?action=2" -X POST -d @1.plist -H "Host: gs.apple.com" -H "Content-type: text/xml; charset=utf8"
* About to connect() to cydia.saurik.com port 80 (#0)
*   Trying 74.208.10.249... connected
* Connected to cydia.saurik.com (74.208.10.249) port 80 (#0)
> POST /TSS/controller?action=2 HTTP/1.1
> User-Agent: curl/7.19.7 (universal-apple-darwin10.0) libcurl/7.19.7 OpenSSL/0.9.8l zlib/1.2.3
> Accept: */*
> Host: gs.apple.com
> Content-type: text/xml; charset=utf8
> Content-Length: 8222
> Expect: 100-continue
> 
< HTTP/1.1 100 Continue
< HTTP/1.1 200 OK
< Server: nginx/0.7.64
< Date: Thu, 26 Aug 2010 09:27:56 GMT
< Content-Type: text/plain
< Transfer-Encoding: chunked
< Connection: keep-alive
< Cache-Control: private, proxy-revalidate
< 
STATUS=94&MESSAGE=This device isn't eligible for the requested build.
* Connection #0 to host cydia.saurik.com left intact
* Closing connection #0

where 1.plist is a file with your plist --Vasfed 09:41, 26 August 2010 (UTC)

curl needs an extra header with a blank Expect to get past the "Done waiting for 100-continue" error. Add -H "Expect:" to the command above.

--Miketress 18:43, 8 June 2011 (GMT+1)

Request?

I'm still not understanding the telnet part of this. I can connect fine, but what exactly is the request that I have to send in order to get back a plist file with the SHSH blobs? --Cool name 04:08, 16 August 2010 (UTC)

Rewrite

Somebody should rewrite this article as it is partially wrong and the iPhone 4 needs more values, but I can't seem to figure out all of them. --sn0wra1n

The iPhone 4 build manifest and the iPhone 3GS build manifest are not that different; the only difference is
<key>BbChipID</key>
<string>0x50</string>
<key>BbSkeyId</key>
<data>l6s0rAaT9bA7+3JtTiwlTxTicKE=</data>
	<key>EBL-Digest</key>
	<data>B/rJD65edrIfdautbDNZaJuUfOU=</data>
	<key>FlashPSI-PartialDigest</key>
	<data>QAQAAMB6AACo7NXgZ2muHRNmX3gIXFDTaxOfUA==</data>
	<key>FlashPSI-SecPackDigest</key>
	<data>aV7n5VUpvSbMWA4ImMj4R0vfpmk=</data>
	<key>FlashPSI-Version</key>
	<string>0x00020008</string>
	<key>Info</key>
	<dict>
		<key>Path</key>
		<string>Firmware/ICE3_03.10.01_BOOT_02.08.Release.bbfw</string>
	</dict>
	<key>ModemStack-Digest</key>
	<data>Bf9WSgSASGLSpQqRYdAFIt6Nce8=</data>
	<key>ModemStack-Length</key>
	<string>0x006f0934</string>
	<key>ModemStack-SecPackDigest</key>
	<data>sjmc0PFoajjg5fJLcLztnN27YVM=</data>
	<key>RamPSI-PartialDigest</key>
	<data>QAQAAMD5AACPnk/ZFyWqznQdTlQX95aC8NXjqQ==</data>
	<key>RamPSI-Version</key>
	<string>0x00020008</string>
</dict>
</plist>

--liamchat 13:12, 19 December 2010 (UTC)

So if I want to create a SHSH request, I just copy the BuildManifest.plist and add the ECID value only? If not, is there any sample SHSH request plist with the entire thing? --sn0wra1n
Yes, but the baseband will also give its nonce key (which is required to validate the SHSH of the baseband), so you could cache the baseband SHSHs, but the nonce is what makes them work. --liamchat 14:59, 19 December 2010 (UTC)

I decided to use my iPod Touch 4 then my iPhone 4, so this is what I got: SHSH Request Plist. But the problem is I don't receive anything after submitting. How long should I wait to receive it?

  • How do i calculate my content-length (with or without the headers size?)
  • Must the plist be spaced/formatted correctly?

--Sn0wra1n 01:59, 21 December 2010 (UTC)

  • Content-Length: This is the standard http protocol. See RFC2616 chapters 14.13 and 4.4. In short: only the message body, not the header.
  • spacing/formatting: shouldn't matter; it's XML
  • time: answer should come immediately. If you get no reply, try to get the Google start page this way first - there you don't need a message body. Also you can start with HTTP/1.0, there you don't need any header rows (except the GET statement of course):
GET / HTTP/1.0


--http 07:41, 21 December 2010 (UTC)

Actually I'm not sure about calculating the Content-Length. Is it just the XML file's words, including spaces or not including spaces? --Sn0wra1n 10:07, 21 December 2010 (UTC)

It includes every byte you send: spaces, carriage-return, linefeed, etc. --http 16:28, 21 December 2010 (UTC)
Thanks for your help. Seems like Windows 7 adds 2 bytes extra to the file size, so I had problems. I managed to get the iTunes SHSH request and found that the Info tag, BBTicket value & APTicket value are not needed. --Sn0wra1n 09:26, 22 December 2010 (UTC)
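The Content-Length and Expect problems worked through in this thread, as an added example that is not code from the wiki, TinyUmbrella or idevicerestore: it serialises a request plist (emitting the <data> elements the pasted request lost), wraps it in the raw HTTP/1.1 request one would type into telnet with Content-Length counted over the body bytes only, checks a hand-built request for the 411-byte mismatch, and decodes the STATUS=...&MESSAGE=... reply seen in the curl session. The ECID, ChipID, BoardID and digests are the sample values posted above; the `@HostPlatformInfo`/`@VersionInfo` values are likewise copied from that request.

```python
# Added example, not code from the wiki or from TinyUmbrella/idevicerestore:
# build the raw TSS request discussed above with a correct Content-Length,
# check a hand-built request, and decode the STATUS=...&MESSAGE=... reply.
import base64
import plistlib
from urllib.parse import parse_qsl

TSS_HOST = "gs.apple.com"
TSS_PATH = "/TSS/controller?action=2"

def build_request_plist(ecid, chip_id, board_id, components):
    """components: component name -> {Digest/PartialDigest: base64 str} from BuildManifest."""
    body = {"@HostPlatformInfo": "darwin", "@VersionInfo": "3.8",
            "ApProductionMode": True, "ApECID": ecid, "ApChipID": chip_id,
            "ApBoardID": board_id, "ApSecurityDomain": 1}
    for name, digests in components.items():
        # bytes serialise as <data> elements (the tags the pasted request lost)
        entry = {k: base64.b64decode(v) for k, v in digests.items()}
        entry["Trusted"] = True
        body[name] = entry
    return plistlib.dumps(body)

def build_http_request(body: bytes) -> bytes:
    """Raw HTTP/1.1 request as typed into telnet. Content-Length counts the body
    only (RFC 2616 14.13); no Expect header is sent, which is what -H "Expect:" does in curl."""
    headers = [f"POST {TSS_PATH} HTTP/1.1", f"Host: {TSS_HOST}", "Accept: */*",
               'Content-type: text/xml; charset="utf-8"', "User-Agent: InetURL/1.0",
               f"Content-Length: {len(body)}", "Connection: close"]
    return ("\r\n".join(headers) + "\r\n\r\n").encode("ascii") + body

def content_length_matches(req: bytes) -> bool:
    """Declared Content-Length == bytes after the blank line? Counting bytes also
    covers the CRLF line endings Windows adds to the file."""
    head, sep, body = req.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n") if sep else []:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            return int(value) == len(body)
    return False

def parse_tss_response(text: str) -> dict:
    """Decode the form-encoded reply body; STATUS becomes an int."""
    fields = dict(parse_qsl(text.strip(), keep_blank_values=True))
    fields["STATUS"] = int(fields["STATUS"])
    return fields

if __name__ == "__main__":
    body = build_request_plist("1430661561679", 35106, 2,
        {"AppleLogo": {"Digest": "kK7SLPJWvaq+GAn9Dm/sG6aJjXg="}})
    print(content_length_matches(build_http_request(body)))  # True
```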

Baseband SHSH Protocol

Seems like there is a Baseband SHSH Protocol too. Maybe someone should write a wiki page on it. I'm trying to understand notcom's TinyUmbrella code. --Whiteshinyapple 13:52, 9 March 2011 (UTC)

You're right that we need an article for the Baseband SHSH Protocol also. I initially created this page here. You just have to log what goes over the network. You could also easily trace what gets sent to TinyUmbrella for the baseband, but you cannot trace the official answer from Apple unless you upgrade the baseband (or reinstall it). So you need a device with an already upgraded baseband. My iPhone 4 is still running 1.59.00, so I cannot test that. But you're right, the next time I do a restore, I'll document at least the request that goes out (unless somebody else is faster). -- http 22:14, 9 March 2011 (UTC)