SHSH Protocol

From The iPhone Wiki
Revision as of 12:11, 22 December 2010 by Sn0wra1n (talk | contribs)

This page describes the protocol that is used when iTunes or TinyUmbrella requests the SHSH certificate from Apple. For details about what this is used for, please see the main article SHSH.

This is a simple HTTP POST request and answer. You can reproduce it via a Telnet session or similar. The destination host is gs.apple.com (as of 28 October 2010 at IP 17.112.176.11), listening on the common HTTP port 80. The data is plaintext and not encoded in any way. For details about the protocol itself, please see RFC 2616.

Sending data (request)

POST /TSS/controller?action=2 HTTP/1.1
Accept: */*
Cache-Control: no-cache
Content-type: text/xml; charset="utf-8"
User-Agent: InetURL/1.0
Content-Length: 12345
Host: gs.apple.com

(here comes the Plist request file)

Receiving data (answer)

HTTP/1.1 200 OK
Date: Sun, 15 Aug 2010 19:25:18 GMT
Server: Apache-Coyote/1.1
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Content-Type: text/html
Content-Length: 123456
MS-Author-Via: DAV

STATUS=0&MESSAGE=SUCCESS&REQUEST_STRING=(here comes the requested SHSH file)
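
The answer body above looks like a URL-encoded form but cannot be split naively on `&`, because the plist in REQUEST_STRING itself contains `&` (XML entities) and `=`. The following parser is an added example, not code from the wiki, iTunes or TinyUmbrella; it assumes REQUEST_STRING is always the last field and is only present on success, and its sample data is constructed.

```python
import plistlib

def parse_tss_answer(body: str) -> dict:
    """Split a STATUS=..&MESSAGE=..&REQUEST_STRING=.. body into typed fields."""
    fields = {}
    rest = body.strip()
    while rest:
        name, sep, after = rest.partition("=")
        if not sep:
            raise ValueError(f"field without '=': {rest[:20]!r}")
        if name == "REQUEST_STRING":
            # Assumption: REQUEST_STRING is the last field. Take the remainder
            # verbatim, since the plist contains '&' (entities) and '='.
            fields[name] = after
            break
        fields[name], _, rest = after.partition("&")
    if "STATUS" not in fields:
        raise ValueError("no STATUS field")
    status = int(fields["STATUS"])  # raises ValueError if not numeric
    ticket = None
    if status == 0:
        if "REQUEST_STRING" not in fields:
            raise ValueError("STATUS=0 but no REQUEST_STRING")
        # plistlib raises on malformed XML instead of returning partial data
        ticket = plistlib.loads(fields["REQUEST_STRING"].encode("utf-8"))
    return {"status": status, "message": fields.get("MESSAGE", ""), "ticket": ticket}

# Constructed sample data: key names and values are made up for illustration.
SAMPLE_TICKET = plistlib.dumps({"Note": "a&b", "Blob": b"\x01\x02"}).decode()
SAMPLE_OK = "STATUS=0&MESSAGE=SUCCESS&REQUEST_STRING=" + SAMPLE_TICKET
SAMPLE_FAIL = "STATUS=1&MESSAGE=constructed failure text"

if __name__ == "__main__":
    print(parse_tss_answer(SAMPLE_OK))
    print(parse_tss_answer(SAMPLE_FAIL))
```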

Plist request file

As you can see, this is a simple Plist file. Within <dict> there is always a <key> and then a value.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">
<dict>
	<key>@HostIpAddress</key>
	<string>192.168.0.1</string>
	<key>@HostPlatformInfo</key>
	<string>-------</string>
	<key>@Locality</key>
	<string>en_US</string>
	<key>@VersionInfo</key>
	<string>libauthinstall-34</string>
	<key>ApBoardID</key>
	<integer>____</integer>
	<key>ApChipID</key>
	<integer>____</integer>
	<key>ApECID</key>
	<string>*************</string>
	<key>ApProductionMode</key>
	<true />
	<key>ApSecurityDomain</key>
	<integer>1</integer>
	<key>UniqueBuildID</key>
	_________________________
	<key>AppleLogo</key>
	<dict>
		<key>Digest</key>
		_________________________
		<key>PartialDigest</key>
		_________________________
		<key>Trusted</key>
		<true />
	</dict>
	<key>BatteryCharging</key>
	<dict>
		<key>Digest</key>
		_________________________
		<key>PartialDigest</key>
		_________________________
		<key>Trusted</key>
		<true />
	</dict>
	<key>BatteryCharging0</key>
	<dict>
		<key>Digest</key>
		_________________________
		<key>PartialDigest</key>
		_________________________
		<key>Trusted</key>
		<true />
	</dict>
	<key>BatteryCharging1</key>
	<dict>
		<key>Digest</key>
		_________________________
		<key>PartialDigest</key>
		_________________________
		<key>Trusted</key>
		<true />
	</dict>
	<key>BatteryFull</key>
	<dict>
		<key>Digest</key>
		_________________________
		<key>PartialDigest</key>
		_________________________
		<key>Trusted</key>
		<true />
	</dict>
	<key>BatteryLow0</key>
	<dict>
		<key>Digest</key>
		_________________________
		<key>PartialDigest</key>
		_________________________
		<key>Trusted</key>
		<true />
	</dict>
	<key>BatteryLow1</key>
	<dict>
		<key>Digest</key>
		_________________________
		<key>PartialDigest</key>
		_________________________
		<key>Trusted</key>
		<true />
	</dict>
	<key>BatteryPlugin</key>
	<dict>
		<key>Digest</key>
		_________________________
		<key>PartialDigest</key>
		_________________________
		<key>Trusted</key>
		<true />
	</dict>
	<key>DeviceTree</key>
	<dict>
		<key>Digest</key>
		_________________________
		<key>PartialDigest</key>
		_________________________
		<key>Trusted</key>
		<true />
	</dict>
	<key>KernelCache</key>
	<dict>
		<key>Digest</key>
		_________________________
		<key>PartialDigest</key>
		_________________________
		<key>Trusted</key>
		<true />
	</dict>
	<key>LLB</key>
	<dict>
		<key>BuildString</key>
		<string>_________________________</string>
		<key>PartialDigest</key>
		_________________________
	</dict>
	<key>RecoveryMode</key>
	<dict>
		<key>Digest</key>
		_________________________
		<key>PartialDigest</key>
		_________________________
		<key>Trusted</key>
		<true />
	</dict>
	<key>RestoreDeviceTree</key>
	<dict>
		<key>Digest</key>
		_________________________
		<key>PartialDigest</key>
		_________________________
		<key>Trusted</key>
		<true />
	</dict>
	<key>RestoreKernelCache</key>
	<dict>
		<key>Digest</key>
		_________________________
		<key>PartialDigest</key>
		_________________________
		<key>Trusted</key>
		<true />
	</dict>
	<key>RestoreLogo</key>
	<dict>
		<key>Digest</key>
		_________________________
		<key>PartialDigest</key>
		_________________________
		<key>Trusted</key>
		<true />
	</dict>
	<key>RestoreRamDisk</key>
	<dict>
		<key>Digest</key>
		_________________________
		<key>PartialDigest</key>
		_________________________
		<key>Trusted</key>
		<true />
	</dict>
	<key>iBEC</key>
	<dict>
		<key>BuildString</key>
		<string>_________________________</string>
		<key>PartialDigest</key>
		_________________________
	</dict>
	<key>iBSS</key>
	<dict>
		<key>BuildString</key>
		<string>_________________________</string>
		<key>PartialDigest</key>
		_________________________
	</dict>
	<key>iBoot</key>
	<dict>
		<key>Digest</key>
		_________________________
		<key>PartialDigest</key>
		_________________________
		<key>Trusted</key>
		<true />
	</dict>
</dict>
</plist>

The values shown as underscores (_______) can be found in the BuildManifest.plist, which is located inside an IPSW file. The asterisk value (****) is your own ECID. The hyphenated value (-----) is "windows" (without the quotes) if you are using a Windows PC and "darwin" (without the quotes) if you are using a Mac/Linux system.

Information about the needed values:

  • ApChipID: 5 digit number - probably platform ID.
  • ApECID: This is the ECID in decimal format.
  • UniqueBuildID: (unknown) Base64 encoded
  • Digest: (unknown) Base64 encoded
  • PartialDigest: (unknown) Base64 encoded
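
The request described on this page can be assembled as follows, with the placeholders filled in and Content-Length computed from the serialized plist. This is an added example, not code from the wiki, iTunes or TinyUmbrella; it only builds the bytes and sends nothing. Assumptions: the ECID is supplied as a hex string, the Base64 values are plist `<data>` elements, and the manifest values and the chip ID 12345 are constructed.

```python
import plistlib

def build_tss_request(ecid_hex, board_id, chip_id, host_platform, manifest):
    """Return the raw HTTP request bytes for the POST described on this page."""
    if host_platform not in ("windows", "darwin"):
        raise ValueError("@HostPlatformInfo must be 'windows' or 'darwin'")
    request = {
        "@HostIpAddress": "192.168.0.1",
        "@HostPlatformInfo": host_platform,
        "@Locality": "en_US",
        "@VersionInfo": "libauthinstall-34",
        "ApBoardID": board_id,
        "ApChipID": chip_id,
        "ApECID": str(int(ecid_hex, 16)),  # page: decimal, sent as <string>
        "ApProductionMode": True,
        "ApSecurityDomain": 1,
    }
    # UniqueBuildID and the per-component dicts come from BuildManifest.plist.
    # Assumption: Base64 values are <data> elements, i.e. bytes in Python.
    request.update(manifest)
    body = plistlib.dumps(request, sort_keys=False)
    head = (
        "POST /TSS/controller?action=2 HTTP/1.1\r\n"
        "Accept: */*\r\n"
        "Cache-Control: no-cache\r\n"
        'Content-type: text/xml; charset="utf-8"\r\n'
        "User-Agent: InetURL/1.0\r\n"
        f"Content-Length: {len(body)}\r\n"  # byte length of the plist body
        "Host: gs.apple.com\r\n\r\n"
    )
    return head.encode("ascii") + body

# Constructed stand-in for values read from BuildManifest.plist.
SAMPLE_MANIFEST = {
    "UniqueBuildID": b"constructed-build-id",
    "LLB": {"BuildString": "constructed-build-string", "PartialDigest": b"\x00" * 8},
    "KernelCache": {"Digest": b"\x11" * 20, "PartialDigest": b"\x22" * 8, "Trusted": True},
}

if __name__ == "__main__":
    print(build_tss_request("0000000100000000", 2, 12345, "darwin", SAMPLE_MANIFEST).decode())
```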

Other parameters / open questions

Some parameters could have other values. Not all details are known.

  • action=2 in the request. What other values exist and what is their meaning?
  • STATUS=0&MESSAGE=SUCCESS in the answer. What other values exist?
  • @HostIpAddress This was not my IP address, so it is assumed this will not be checked.
  • @HostPlatformInfo What would this value be on a Mac?
  • @Locality This will probably not be checked. This test request was from outside US.
  • @VersionInfo Are other values in use?
  • ApBoardID Do values other than 2 exist? Where can this value be read?
  • ApProductionMode What does this mean? Is there a test environment?
  • ApSecurityDomain Meaning?
  • Trusted What is this for?
  • Full description of the above values for UniqueBuildID, Digest, PartialDigest and BuildString.