The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
Talk:SHSH Protocol
Contents
Naming
Or should I better have named this TSS Protocol instead? -- http 21:23, 15 August 2010 (UTC)
I think the current title is easier to tell it relates to shsh. I can't recall what tss stands for, and I think it would also be easier to find. Iemit737 21:36, 15 August 2010 (UTC)
Implementation
How can I implement this on a Linux-based system? I have the request, but the 'telnet' and 'POST' commands don't work. --dra1nerdrake 22:40, 15 August 2010 (UTC)
Telnet should work. Just enter
telnet gs.apple.com 80
Then you get a HTTP connection. Then send the request and terminate with two CR/LF and you get the response. You can try with any other web page first, that should work the same way:
telnet www.google.com 80
Then:
GET / HTTP/1.0
And didn't semaphore release a unix version with some source code of TinyUmbrella? -- http 23:49, 15 August 2010 (UTC)
Great, thanks, forgot the port number. He released unix TinyUmbrella, but it segfaults and I can't code in Java. --dra1nerdrake 04:18, 16 August 2010 (UTC)
EDIT: I can't seem to get it to work. I do:
telnet cydia.saurik.com 80
Then I do
POST /TSS/controller?action=2 HTTP/1.1 Accept: */* Cache-Control: no-cache Content-type: text/xml; charset="utf-8" User-Agent: InetURL/1.0 Content-Length: 411 Host: gs.apple.com <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>@HostIpAddress</key> <string>192.168.0.1</string> <key>@HostPlatformInfo</key> <string>darwin</string> <key>@VersionInfo</key> <string>3.8</string> <key>@Locality</key> <string>en_US</string> <key>ApProductionMode</key> <true/> <key>ApECID</key> <string>1430661561679</string> <key>ApChipID</key> <integer>35106</integer> <key>ApBoardID</key> <integer>2</integer> <key>ApSecurityDomain</key> <integer>1</integer> <key>UniqueBuildID</key> uvWKIop3L16LfQymS8IyiDZXXw0= <key>AppleLogo</key> <dict> <key>Digest</key> kK7SLPJWvaq+GAn9Dm/sG6aJjXg= <key>Info</key> <dict> <key>IsFirmwarePayload</key> <true/> <key>Path</key> <string>Firmware/all_flash/all_flash.n18ap.production/applelogo.s5l8922x.img3</string> </dict> <key>PartialDigest</key> QAAAAHgdAADDPQY07wMJ1z2qVSjKuM4iqjhFKw== <key>Trusted</key> <true/> </dict> <key>BatteryCharging</key> <dict> <key>Digest</key> lvxtYniO/PKy46ZZV0YIe9ZeNt0= <key>Info</key> <dict> <key>IsFirmwarePayload</key> <true/> <key>Path</key> <string>Firmware/all_flash/all_flash.n18ap.production/glyphcharging.s5l8922x.img3</string> </dict> <key>PartialDigest</key> QAAAAHhHAADPFoOCbp1jZBqTtFlCT3XE/qYkKw== <key>Trusted</key> <true/> </dict> <key>BatteryCharging0</key> <dict> <key>Digest</key> +o+lH7zqvh90+/cRCjNeSmTsNvU= <key>Info</key> <dict> <key>IsFirmwarePayload</key> <true/> <key>Path</key> <string>Firmware/all_flash/all_flash.n18ap.production/batterycharging0.s5l8922x.img3</string> </dict> <key>PartialDigest</key> QAAAAPhEAADGKdYO2peJTZrXjeitEdUEMiC8hw== <key>Trusted</key> <true/> </dict> <key>BatteryCharging1</key> <dict> <key>Digest</key> u7NDP6MdWuEGT5Q4Qsm/OrsGTuE= <key>Info</key> <dict> <key>IsFirmwarePayload</key> <true/> <key>Path</key> <string>Firmware/all_flash/all_flash.n18ap.production/batterycharging1.s5l8922x.img3</string> </dict> <key>PartialDigest</key> QAAAADhZAAAWwQq0Y75xTjOyQ9gxMVNrczF01g== <key>Trusted</key> <true/> </dict> <key>BatteryFull</key> <dict> <key>Digest</key> fTK7DLd3XJTHX9ywLJy97+VeUN0= <key>Info</key> <dict> <key>IsFirmwarePayload</key> <true/> <key>Path</key> <string>Firmware/all_flash/all_flash.n18ap.production/batteryfull.s5l8922x.img3</string> </dict> <key>PartialDigest</key> QAAAADghAQDNQ9aqlsb/szaE/5Xh9OJF1WIhxw== <key>Trusted</key> <true/> </dict> <key>BatteryLow0</key> <dict> <key>Digest</key> rdMyyO2tICLCLzvxY05lirfWrzQ= <key>Info</key> <dict> <key>IsFirmwarePayload</key> <true/> <key>Path</key> <string>Firmware/all_flash/all_flash.n18ap.production/batterylow0.s5l8922x.img3</string> </dict> <key>PartialDigest</key> QAAAALjVAAB7wuaDZva7tC1CGWUl4ATOZ7aUbA== <key>Trusted</key> <true/> </dict> <key>BatteryLow1</key> <dict> <key>Digest</key> ecfArQo2Cxly0h6D7iYT9TLKSSE= <key>Info</key> <dict> <key>IsFirmwarePayload</key> <true/> <key>Path</key> <string>Firmware/all_flash/all_flash.n18ap.production/batterylow1.s5l8922x.img3</string> </dict> <key>PartialDigest</key> QAAAAPj2AAABqpmcEB9sOeTSulytXfC8KWZU9g== <key>Trusted</key> <true/> </dict> <key>BatteryPlugin</key> <dict> <key>Digest</key> MtXc08RsYs+6BMhD4kY0quNr/AU= <key>Info</key> <dict> <key>IsFirmwarePayload</key> <true/> <key>Path</key> <string>Firmware/all_flash/all_flash.n18ap.production/glyphplugin.s5l8922x.img3</string> </dict> <key>PartialDigest</key> QAAAAHhDAABQJN3XJEBkNhnJqv6Ra2zBYJeuoQ== <key>Trusted</key> <true/> </dict> <key>DeviceTree</key> <dict> <key>Digest</key> ngiLrFM16Bg/BkPkmqf59h3H90c= <key>Info</key> <dict> <key>IsFirmwarePayload</key> <true/> <key>Path</key> <string>Firmware/all_flash/all_flash.n18ap.production/DeviceTree.n18ap.img3</string> </dict> <key>PartialDigest</key> QAAAALiDAABl290rfckYS+L3TjGRA7j8avdgDg== <key>Trusted</key> <true/> </dict> <key>KernelCache</key> <dict> <key>Digest</key> F978uz3zV6USmE34FMmm6xeQDwU= <key>Info</key> <dict> <key>Path</key> <string>kernelcache.release.s5l8922x</string> </dict> <key>PartialDigest</key> QAAAALhxPQDOpPhRPAe/mVP5J89iIhtaQEmJgg== <key>Trusted</key> <true/> </dict> <key>LLB</key> <dict> <key>BuildString</key> <string>iBoot-636.66~5</string> <key>Info</key> <dict> <key>IsFirmwarePayload</key> <true/> <key>Path</key> <string>Firmware/all_flash/all_flash.n18ap.production/LLB.n18ap.RELEASE.img3</string> </dict> <key>PartialDigest</key> QAAAADgxAQDkevEFsIGKqarjmv9T7avG8oGXhg== </dict> <key>NeedService</key> <dict> <key>Digest</key> klkKn9XNikUb9bdtVU7b2yv9OYc= <key>Info</key> <dict> <key>IsFirmwarePayload</key> <true/> <key>Path</key> <string>Firmware/all_flash/all_flash.n18ap.production/needservice.s5l8922x.img3</string> </dict> <key>PartialDigest</key> QAAAALhHAACO1eYCz8W9YsCQ5OT1T0CFHk+aHQ== <key>Trusted</key> <true/> </dict> <key>OS</key> <dict> <key>Info</key> <dict> <key>Path</key> <string>018-6152-014.dmg</string> </dict> </dict> <key>RecoveryMode</key> <dict> <key>Digest</key> DjD6JMIq4Qnnsay14L3jL+AdxPs= <key>Info</key> <dict> <key>IsFirmwarePayload</key> <true/> <key>Path</key> <string>Firmware/all_flash/all_flash.n18ap.production/recoverymode.s5l8922x.img3</string> </dict> <key>PartialDigest</key> QAAAAPiyAABju7ZnxiRutww2vcmjIIlXG4KSAA== <key>Trusted</key> <true/> </dict> <key>RestoreDeviceTree</key> <dict> <key>Digest</key> ngiLrFM16Bg/BkPkmqf59h3H90c= <key>Info</key> <dict> <key>Path</key> <string>Firmware/all_flash/all_flash.n18ap.production/DeviceTree.n18ap.img3</string> </dict> <key>PartialDigest</key> QAAAALiDAABl290rfckYS+L3TjGRA7j8avdgDg== <key>Trusted</key> <true/> </dict> <key>RestoreKernelCache</key> <dict> <key>Digest</key> F978uz3zV6USmE34FMmm6xeQDwU= <key>Info</key> <dict> <key>Path</key> <string>kernelcache.release.s5l8922x</string> </dict> <key>PartialDigest</key> QAAAALhxPQDOpPhRPAe/mVP5J89iIhtaQEmJgg== <key>Trusted</key> <true/> </dict> <key>RestoreLogo</key> <dict> <key>Digest</key> kK7SLPJWvaq+GAn9Dm/sG6aJjXg= <key>Info</key> <dict> <key>Path</key> <string>Firmware/all_flash/all_flash.n18ap.production/applelogo.s5l8922x.img3</string> </dict> <key>PartialDigest</key> QAAAAHgdAADDPQY07wMJ1z2qVSjKuM4iqjhFKw== <key>Trusted</key> <true/> </dict> <key>RestoreRamDisk</key> <dict> <key>Digest</key> 20tqZkEp1wApx1tz+ZCP38axvHE= <key>Info</key> <dict> <key>Path</key> <string>018-6145-014.dmg</string> </dict> <key>PartialDigest</key> QAAAAPjQuwAyMjwJWKpL0b8bUzYKajbbPEVuPA== <key>Trusted</key> <true/> </dict> <key>iBEC</key> <dict> <key>BuildString</key> <string>iBoot-636.66~5</string> <key>Info</key> <dict> <key>Path</key> <string>Firmware/dfu/iBEC.n18ap.RELEASE.dfu</string> </dict> <key>PartialDigest</key> QAAAADjRAQDQA4xYDDo21pS9j57YWeGp6l/TvA== </dict> <key>iBSS</key> <dict> <key>BuildString</key> <string>iBoot-636.66~5</string> <key>Info</key> <dict> <key>Path</key> <string>Firmware/dfu/iBSS.n18ap.RELEASE.dfu</string> </dict> <key>PartialDigest</key> QAAAADjRAQA2J3DDdRv+TmjaGodpeT634g/Haw== </dict> <key>iBoot</key> <dict> <key>Digest</key> soCT6YL1cig/OKRvbam3igRcvaQ= <key>Info</key> <dict> <key>IsFirmwarePayload</key> <true/> <key>Path</key> <string>Firmware/all_flash/all_flash.n18ap.production/iBoot.n18ap.RELEASE.img3</string> </dict> <key>PartialDigest</key> QAAAADihAgB46rf/axQHtuftGLR8SDpdOuOywA== <key>Trusted</key> <true/> </dict> </dict> </plist> <CR><LF> <CR><LF>
But no dice. --dra1nerdrake 18:33, 16 August 2010 (UTC)
- I think your main problem is that your content is more than the 411 bytes that you specified.
- Where do you have the digest etc. values from?
- In my article I didn't write about the Info key you added. What is that?
-- http 20:45, 16 August 2010 (UTC)
I copied the entire plist from a plist generated by idevicerestore. Digest values are from the buildmanifest.plist, at the root directory of the firmware. I ran it in debug mode (-d). What should I put in place of 411? --dra1nerdrake 02:12, 17 August 2010 (UTC)
It should be the size of the data you transfer. The data seems to be much longer than 411 bytes, I didn't count though. See section 14.13 here (RFC2616). --http 03:56, 17 August 2010 (UTC)
Did it finally work for you? Also: Do you know how idevicerestore creates these Digest values? If you find that out, maybe you can update the article. -- http 22:42, 24 August 2010 (UTC)
Curl is more suitable for LL HTTP, try something like:
$ curl -v "http://cydia.saurik.com/TSS/controller?action=2" -X POST -d @1.plist -H "Host: gs.apple.com" -H "Content-type: text/xml; charset=utf8" * About to connect() to cydia.saurik.com port 80 (#0) * Trying 74.208.10.249... connected * Connected to cydia.saurik.com (74.208.10.249) port 80 (#0) > POST /TSS/controller?action=2 HTTP/1.1 > User-Agent: curl/7.19.7 (universal-apple-darwin10.0) libcurl/7.19.7 OpenSSL/0.9.8l zlib/1.2.3 > Accept: */* > Host: gs.apple.com > Content-type: text/xml; charset=utf8 > Content-Length: 8222 > Expect: 100-continue > < HTTP/1.1 100 Continue < HTTP/1.1 200 OK < Server: nginx/0.7.64 < Date: Thu, 26 Aug 2010 09:27:56 GMT < Content-Type: text/plain < Transfer-Encoding: chunked < Connection: keep-alive < Cache-Control: private, proxy-revalidate < STATUS=94&MESSAGE=This device isn't eligible for the requested build. * Connection #0 to host cydia.saurik.com left intact * Closing connection #0
where 1.plist is a file with your plist --Vasfed 09:41, 26 August 2010 (UTC)
Request?
I'm still not understanding the telnet part of this. I can connect fine, but what exactly is the request that I have to send in order to get back a plist file with the SHSH blobs? --Cool name 04:08, 16 August 2010 (UTC)
Rewrite
Somebody should rewrite this article as it is partially wrong and the iPhone 4 needs more values but i cant seem to figure out all of them.--sn0wra1n
- it is not that different iphone 4 build manifest and iphone 3gs build manifest the only difference is
<key>BbChipID</key> <string>0x50</string> <key>BbSkeyId</key> l6s0rAaT9bA7+3JtTiwlTxTicKE= <key>EBL-Digest</key> B/rJD65edrIfdautbDNZaJuUfOU= <key>FlashPSI-PartialDigest</key> QAQAAMB6AACo7NXgZ2muHRNmX3gIXFDTaxOfUA== <key>FlashPSI-SecPackDigest</key> aV7n5VUpvSbMWA4ImMj4R0vfpmk= <key>FlashPSI-Version</key> <string>0x00020008</string> <key>Info</key> <dict> <key>Path</key> <string>Firmware/ICE3_03.10.01_BOOT_02.08.Release.bbfw</string> </dict> <key>ModemStack-Digest</key> Bf9WSgSASGLSpQqRYdAFIt6Nce8= <key>ModemStack-Length</key> <string>0x006f0934</string> <key>ModemStack-SecPackDigest</key> sjmc0PFoajjg5fJLcLztnN27YVM= <key>RamPSI-PartialDigest</key> QAQAAMD5AACPnk/ZFyWqznQdTlQX95aC8NXjqQ== <key>RamPSI-Version</key> <string>0x00020008</string> </dict> </plist>
--liamchat 13:12, 19 December 2010 (UTC)
- So if i want to create a SHSH request, i just copy the BuildManifest.plist and add the ECID value only? If no, is there any sample SHSH Request plist with the entire thing? --sn0wra1n
- yes but the baseband will also give its nonce key ( witch is required to validate the shsh of the baseband ) so you could cash the baseband shsh's but the nonce is what makes them work --liamchat 14:59, 19 December 2010 (UTC)
I decided to use my iPod Touch 4 then my iPhone 4 so this is what I got SHSH Request Plist but the problem is I dont receive anything after submitting. How long should I wait to receive it?
- How do i calculate my content-length (with or without the headers size?)
- Must the plist be spaced/formatted correctly?
--Sn0wra1n 01:59, 21 December 2010 (UTC)
- Content-Length: This is the standard http protocol. See RFC2616 chapters 14.13 and 4.4. In short: only the message body, not the header.
- spacing/formatting: shouldn't matter; it's XML
- time: answer should come immediately. If you get no reply, try to get the Google start page this way first - there you don't need a message body. Also you can start with HTTP/1.0, there you don't need any header rows (except the GET statement of course):
GET / HTTP/1.0
- --http 07:41, 21 December 2010 (UTC)
Actually im not sure about calculating the Content-Length.Is it just the xml files words including spaces or not including spaces? --Sn0wra1n 10:07, 21 December 2010 (UTC)
- It includes every byte you send: spaces, carriage-return, linefeed, etc. --http 16:28, 21 December 2010 (UTC)