Talk:SHSH Protocol

From The iPhone Wiki
Revision as of 09:41, 26 August 2010 by Vasfed (talk | contribs) (Implementation)

Naming

Or should I rather have named this TSS Protocol instead? -- http 21:23, 15 August 2010 (UTC)

I think with the current title it is easier to tell that it relates to SHSH. I can't recall what TSS stands for, and I think it would also be easier to find. Iemit737 21:36, 15 August 2010 (UTC)

Implementation

How can I implement this on a Linux-based system? I have the request, but the 'telnet' and 'POST' commands don't work. --dra1nerdrake 22:40, 15 August 2010 (UTC)

Telnet should work. Just enter

telnet gs.apple.com 80

Then you get an HTTP connection. Then send the request and terminate it with two CR/LF and you get the response. You can try with any other web page first; that should work the same way:

telnet www.google.com 80

Then:

GET / HTTP/1.0


And didn't semaphore release a unix version with some source code of TinyUmbrella? -- http 23:49, 15 August 2010 (UTC)

Great, thanks, forgot the port number. He released unix TinyUmbrella, but it segfaults and I can't code in Java. --dra1nerdrake 04:18, 16 August 2010 (UTC)

EDIT: I can't seem to get it to work. I do:

telnet cydia.saurik.com 80

Then I do

POST /TSS/controller?action=2 HTTP/1.1
Accept: */*
Cache-Control: no-cache
Content-type: text/xml; charset="utf-8"
User-Agent: InetURL/1.0
Content-Length: 411
Host: gs.apple.com

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>@HostIpAddress</key>
	<string>192.168.0.1</string>
	<key>@HostPlatformInfo</key>
	<string>darwin</string>
	<key>@VersionInfo</key>
	<string>3.8</string>
	<key>@Locality</key>
	<string>en_US</string>
	<key>ApProductionMode</key>
	<true/>
	<key>ApECID</key>
	<string>1430661561679</string>
	<key>ApChipID</key>
	<integer>35106</integer>
	<key>ApBoardID</key>
	<integer>2</integer>
	<key>ApSecurityDomain</key>
	<integer>1</integer>
	<key>UniqueBuildID</key>
	<data>uvWKIop3L16LfQymS8IyiDZXXw0=</data>
	<key>AppleLogo</key>
	<dict>
		<key>Digest</key>
		<data>kK7SLPJWvaq+GAn9Dm/sG6aJjXg=</data>
		<key>Info</key>
		<dict>
			<key>IsFirmwarePayload</key>
			<true/>
			<key>Path</key>
			<string>Firmware/all_flash/all_flash.n18ap.production/applelogo.s5l8922x.img3</string>
		</dict>
		<key>PartialDigest</key>
		<data>QAAAAHgdAADDPQY07wMJ1z2qVSjKuM4iqjhFKw==</data>
		<key>Trusted</key>
		<true/>
	</dict>
	<key>BatteryCharging</key>
	<dict>
		<key>Digest</key>
		<data>lvxtYniO/PKy46ZZV0YIe9ZeNt0=</data>
		<key>Info</key>
		<dict>
			<key>IsFirmwarePayload</key>
			<true/>
			<key>Path</key>
			<string>Firmware/all_flash/all_flash.n18ap.production/glyphcharging.s5l8922x.img3</string>
		</dict>
		<key>PartialDigest</key>
		<data>QAAAAHhHAADPFoOCbp1jZBqTtFlCT3XE/qYkKw==</data>
		<key>Trusted</key>
		<true/>
	</dict>
	<key>BatteryCharging0</key>
	<dict>
		<key>Digest</key>
		<data>+o+lH7zqvh90+/cRCjNeSmTsNvU=</data>
		<key>Info</key>
		<dict>
			<key>IsFirmwarePayload</key>
			<true/>
			<key>Path</key>
			<string>Firmware/all_flash/all_flash.n18ap.production/batterycharging0.s5l8922x.img3</string>
		</dict>
		<key>PartialDigest</key>
		<data>QAAAAPhEAADGKdYO2peJTZrXjeitEdUEMiC8hw==</data>
		<key>Trusted</key>
		<true/>
	</dict>
	<key>BatteryCharging1</key>
	<dict>
		<key>Digest</key>
		<data>u7NDP6MdWuEGT5Q4Qsm/OrsGTuE=</data>
		<key>Info</key>
		<dict>
			<key>IsFirmwarePayload</key>
			<true/>
			<key>Path</key>
			<string>Firmware/all_flash/all_flash.n18ap.production/batterycharging1.s5l8922x.img3</string>
		</dict>
		<key>PartialDigest</key>
		<data>QAAAADhZAAAWwQq0Y75xTjOyQ9gxMVNrczF01g==</data>
		<key>Trusted</key>
		<true/>
	</dict>
	<key>BatteryFull</key>
	<dict>
		<key>Digest</key>
		<data>fTK7DLd3XJTHX9ywLJy97+VeUN0=</data>
		<key>Info</key>
		<dict>
			<key>IsFirmwarePayload</key>
			<true/>
			<key>Path</key>
			<string>Firmware/all_flash/all_flash.n18ap.production/batteryfull.s5l8922x.img3</string>
		</dict>
		<key>PartialDigest</key>
		<data>QAAAADghAQDNQ9aqlsb/szaE/5Xh9OJF1WIhxw==</data>
		<key>Trusted</key>
		<true/>
	</dict>
	<key>BatteryLow0</key>
	<dict>
		<key>Digest</key>
		<data>rdMyyO2tICLCLzvxY05lirfWrzQ=</data>
		<key>Info</key>
		<dict>
			<key>IsFirmwarePayload</key>
			<true/>
			<key>Path</key>
			<string>Firmware/all_flash/all_flash.n18ap.production/batterylow0.s5l8922x.img3</string>
		</dict>
		<key>PartialDigest</key>
		<data>QAAAALjVAAB7wuaDZva7tC1CGWUl4ATOZ7aUbA==</data>
		<key>Trusted</key>
		<true/>
	</dict>
	<key>BatteryLow1</key>
	<dict>
		<key>Digest</key>
		<data>ecfArQo2Cxly0h6D7iYT9TLKSSE=</data>
		<key>Info</key>
		<dict>
			<key>IsFirmwarePayload</key>
			<true/>
			<key>Path</key>
			<string>Firmware/all_flash/all_flash.n18ap.production/batterylow1.s5l8922x.img3</string>
		</dict>
		<key>PartialDigest</key>
		<data>QAAAAPj2AAABqpmcEB9sOeTSulytXfC8KWZU9g==</data>
		<key>Trusted</key>
		<true/>
	</dict>
	<key>BatteryPlugin</key>
	<dict>
		<key>Digest</key>
		<data>MtXc08RsYs+6BMhD4kY0quNr/AU=</data>
		<key>Info</key>
		<dict>
			<key>IsFirmwarePayload</key>
			<true/>
			<key>Path</key>
			<string>Firmware/all_flash/all_flash.n18ap.production/glyphplugin.s5l8922x.img3</string>
		</dict>
		<key>PartialDigest</key>
		<data>QAAAAHhDAABQJN3XJEBkNhnJqv6Ra2zBYJeuoQ==</data>
		<key>Trusted</key>
		<true/>
	</dict>
	<key>DeviceTree</key>
	<dict>
		<key>Digest</key>
		<data>ngiLrFM16Bg/BkPkmqf59h3H90c=</data>
		<key>Info</key>
		<dict>
			<key>IsFirmwarePayload</key>
			<true/>
			<key>Path</key>
			<string>Firmware/all_flash/all_flash.n18ap.production/DeviceTree.n18ap.img3</string>
		</dict>
		<key>PartialDigest</key>
		<data>QAAAALiDAABl290rfckYS+L3TjGRA7j8avdgDg==</data>
		<key>Trusted</key>
		<true/>
	</dict>
	<key>KernelCache</key>
	<dict>
		<key>Digest</key>
		<data>F978uz3zV6USmE34FMmm6xeQDwU=</data>
		<key>Info</key>
		<dict>
			<key>Path</key>
			<string>kernelcache.release.s5l8922x</string>
		</dict>
		<key>PartialDigest</key>
		<data>QAAAALhxPQDOpPhRPAe/mVP5J89iIhtaQEmJgg==</data>
		<key>Trusted</key>
		<true/>
	</dict>
	<key>LLB</key>
	<dict>
		<key>BuildString</key>
		<string>iBoot-636.66~5</string>
		<key>Info</key>
		<dict>
			<key>IsFirmwarePayload</key>
			<true/>
			<key>Path</key>
			<string>Firmware/all_flash/all_flash.n18ap.production/LLB.n18ap.RELEASE.img3</string>
		</dict>
		<key>PartialDigest</key>
		<data>QAAAADgxAQDkevEFsIGKqarjmv9T7avG8oGXhg==</data>
	</dict>
	<key>NeedService</key>
	<dict>
		<key>Digest</key>
		<data>klkKn9XNikUb9bdtVU7b2yv9OYc=</data>
		<key>Info</key>
		<dict>
			<key>IsFirmwarePayload</key>
			<true/>
			<key>Path</key>
			<string>Firmware/all_flash/all_flash.n18ap.production/needservice.s5l8922x.img3</string>
		</dict>
		<key>PartialDigest</key>
		<data>QAAAALhHAACO1eYCz8W9YsCQ5OT1T0CFHk+aHQ==</data>
		<key>Trusted</key>
		<true/>
	</dict>
	<key>OS</key>
	<dict>
		<key>Info</key>
		<dict>
			<key>Path</key>
			<string>018-6152-014.dmg</string>
		</dict>
	</dict>
	<key>RecoveryMode</key>
	<dict>
		<key>Digest</key>
		<data>DjD6JMIq4Qnnsay14L3jL+AdxPs=</data>
		<key>Info</key>
		<dict>
			<key>IsFirmwarePayload</key>
			<true/>
			<key>Path</key>
			<string>Firmware/all_flash/all_flash.n18ap.production/recoverymode.s5l8922x.img3</string>
		</dict>
		<key>PartialDigest</key>
		<data>QAAAAPiyAABju7ZnxiRutww2vcmjIIlXG4KSAA==</data>
		<key>Trusted</key>
		<true/>
	</dict>
	<key>RestoreDeviceTree</key>
	<dict>
		<key>Digest</key>
		<data>ngiLrFM16Bg/BkPkmqf59h3H90c=</data>
		<key>Info</key>
		<dict>
			<key>Path</key>
			<string>Firmware/all_flash/all_flash.n18ap.production/DeviceTree.n18ap.img3</string>
		</dict>
		<key>PartialDigest</key>
		<data>QAAAALiDAABl290rfckYS+L3TjGRA7j8avdgDg==</data>
		<key>Trusted</key>
		<true/>
	</dict>
	<key>RestoreKernelCache</key>
	<dict>
		<key>Digest</key>
		<data>F978uz3zV6USmE34FMmm6xeQDwU=</data>
		<key>Info</key>
		<dict>
			<key>Path</key>
			<string>kernelcache.release.s5l8922x</string>
		</dict>
		<key>PartialDigest</key>
		<data>QAAAALhxPQDOpPhRPAe/mVP5J89iIhtaQEmJgg==</data>
		<key>Trusted</key>
		<true/>
	</dict>
	<key>RestoreLogo</key>
	<dict>
		<key>Digest</key>
		<data>kK7SLPJWvaq+GAn9Dm/sG6aJjXg=</data>
		<key>Info</key>
		<dict>
			<key>Path</key>
			<string>Firmware/all_flash/all_flash.n18ap.production/applelogo.s5l8922x.img3</string>
		</dict>
		<key>PartialDigest</key>
		<data>QAAAAHgdAADDPQY07wMJ1z2qVSjKuM4iqjhFKw==</data>
		<key>Trusted</key>
		<true/>
	</dict>
	<key>RestoreRamDisk</key>
	<dict>
		<key>Digest</key>
		<data>20tqZkEp1wApx1tz+ZCP38axvHE=</data>
		<key>Info</key>
		<dict>
			<key>Path</key>
			<string>018-6145-014.dmg</string>
		</dict>
		<key>PartialDigest</key>
		<data>QAAAAPjQuwAyMjwJWKpL0b8bUzYKajbbPEVuPA==</data>
		<key>Trusted</key>
		<true/>
	</dict>
	<key>iBEC</key>
	<dict>
		<key>BuildString</key>
		<string>iBoot-636.66~5</string>
		<key>Info</key>
		<dict>
			<key>Path</key>
			<string>Firmware/dfu/iBEC.n18ap.RELEASE.dfu</string>
		</dict>
		<key>PartialDigest</key>
		<data>QAAAADjRAQDQA4xYDDo21pS9j57YWeGp6l/TvA==</data>
	</dict>
	<key>iBSS</key>
	<dict>
		<key>BuildString</key>
		<string>iBoot-636.66~5</string>
		<key>Info</key>
		<dict>
			<key>Path</key>
			<string>Firmware/dfu/iBSS.n18ap.RELEASE.dfu</string>
		</dict>
		<key>PartialDigest</key>
		<data>QAAAADjRAQA2J3DDdRv+TmjaGodpeT634g/Haw==</data>
	</dict>
	<key>iBoot</key>
	<dict>
		<key>Digest</key>
		<data>soCT6YL1cig/OKRvbam3igRcvaQ=</data>
		<key>Info</key>
		<dict>
			<key>IsFirmwarePayload</key>
			<true/>
			<key>Path</key>
			<string>Firmware/all_flash/all_flash.n18ap.production/iBoot.n18ap.RELEASE.img3</string>
		</dict>
		<key>PartialDigest</key>
		<data>QAAAADihAgB46rf/axQHtuftGLR8SDpdOuOywA==</data>
		<key>Trusted</key>
		<true/>
	</dict>
</dict>
</plist>
<CR><LF>
<CR><LF>

But no dice. --dra1nerdrake 18:33, 16 August 2010 (UTC)


  • I think your main problem is that your content is more than the 411 bytes that you specified.
  • Where do you have the digest etc. values from?
  • In my article I didn't write about the Info key you added. What is that?

-- http 20:45, 16 August 2010 (UTC)

I copied the entire plist from a plist generated by idevicerestore. Digest values are from the buildmanifest.plist, at the root directory of the firmware. I ran it in debug mode (-d). What should I put in place of 411? --dra1nerdrake 02:12, 17 August 2010 (UTC)

It should be the size of the data you transfer. The data seems to be much longer than 411 bytes, I didn't count though. See section 14.13 here (RFC2616). --http 03:56, 17 August 2010 (UTC)

Did it finally work for you? Also: Do you know how idevicerestore creates these Digest values? If you find that out, maybe you can update the article. -- http 22:42, 24 August 2010 (UTC)

Curl is more suitable for low-level HTTP; try something like:

$ curl -v "http://cydia.saurik.com/TSS/controller?action=2" -X POST -d @1.plist -H "Host: gs.apple.com" -H "Content-type: text/xml; charset=utf8"
* About to connect() to cydia.saurik.com port 80 (#0)
*   Trying 74.208.10.249... connected
* Connected to cydia.saurik.com (74.208.10.249) port 80 (#0)
> POST /TSS/controller?action=2 HTTP/1.1
> User-Agent: curl/7.19.7 (universal-apple-darwin10.0) libcurl/7.19.7 OpenSSL/0.9.8l zlib/1.2.3
> Accept: */*
> Host: gs.apple.com
> Content-type: text/xml; charset=utf8
> Content-Length: 8222
> Expect: 100-continue
> 
< HTTP/1.1 100 Continue
< HTTP/1.1 200 OK
< Server: nginx/0.7.64
< Date: Thu, 26 Aug 2010 09:27:56 GMT
< Content-Type: text/plain
< Transfer-Encoding: chunked
< Connection: keep-alive
< Cache-Control: private, proxy-revalidate
< 
STATUS=94&MESSAGE=This device isn't eligible for the requested build.
* Connection #0 to host cydia.saurik.com left intact
* Closing connection #0

where 1.plist is a file with your plist --Vasfed 09:41, 26 August 2010 (UTC)
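The exchange discussed in this thread (the telnet request, the Content-Length that has to match the body, and the curl reply), as an added Python example; this is not code from the article, from idevicerestore or from TinyUmbrella. It copies the ECID, chip/board IDs, digests and paths from the request pasted above for two components, lets plistlib emit the <data> elements around the base64 values, computes Content-Length from the serialised body instead of typing it by hand, and parses the STATUS=...&MESSAGE=... reply shown in the curl output. The REQUEST_STRING field that carries the blobs on a successful answer is not shown anywhere in this thread; it is assumed here from the way idevicerestore reads TSS replies, and the success reply in the block is constructed for the demo. The Cydia proxy hostname is taken from the curl command.

```python
"""TSS (SHSH) request/response helpers.  Added example for this talk page,
not code from the wiki article, idevicerestore or TinyUmbrella."""
import base64
import http.client
import plistlib
import re

# Assumption: the proxy used in the curl command above; Apple's own server is
# gs.apple.com.  Either way the Host header must say gs.apple.com.
TSS_SERVER = "cydia.saurik.com"
TSS_PATH = "/TSS/controller?action=2"


def make_component(path, digest_b64, partial_digest_b64, trusted=True):
    """One firmware-component entry in the shape BuildManifest.plist uses."""
    comp = {"Info": {"Path": path},
            "PartialDigest": base64.b64decode(partial_digest_b64)}
    if digest_b64 is not None:
        comp["Digest"] = base64.b64decode(digest_b64)
    if trusted:
        comp["Trusted"] = True
    return comp


def build_request_body(ecid, chip_id, board_id, unique_build_id_b64, components):
    """Serialise the request plist; bytes values become <data> elements."""
    req = {
        "@HostIpAddress": "192.168.0.1",
        "@HostPlatformInfo": "darwin",
        "@VersionInfo": "3.8",
        "@Locality": "en_US",
        "ApProductionMode": True,
        "ApECID": str(ecid),  # decimal string, as in the pasted request
        "ApChipID": chip_id,
        "ApBoardID": board_id,
        "ApSecurityDomain": 1,
        "UniqueBuildID": base64.b64decode(unique_build_id_b64),
    }
    req.update(components)
    return plistlib.dumps(req, fmt=plistlib.FMT_XML)


def build_headers(body):
    """Same headers as the telnet attempt, but Content-Length is the real
    byte count of the body (the hand-typed 411 is what broke that attempt)."""
    return {"Accept": "*/*", "Cache-Control": "no-cache",
            "Content-type": 'text/xml; charset="utf-8"',
            "User-Agent": "InetURL/1.0", "Content-Length": str(len(body)),
            "Host": "gs.apple.com"}


def decode_request(body):
    """Parse a serialised request back into a dict (used to check the body)."""
    return plistlib.loads(body)


def parse_response(text):
    """Parse STATUS=<n>&MESSAGE=<text>[&REQUEST_STRING=<plist>].  MESSAGE is
    taken verbatim (the server does not URL-encode it, see the curl output).
    REQUEST_STRING is assumed from idevicerestore; it holds the signed blobs."""
    out = {}
    m = re.search(r"STATUS=(\d+)", text)
    if m:
        out["status"] = int(m.group(1))
    m = re.search(r"MESSAGE=([^&]*)", text)
    if m:
        out["message"] = m.group(1)
    marker = "REQUEST_STRING="
    idx = text.find(marker)
    if idx != -1:
        out["blob"] = plistlib.loads(text[idx + len(marker):].encode("utf-8"))
    return out


def send_request(body, server=TSS_SERVER):
    """Network call, mirrors the curl invocation; not exercised offline."""
    conn = http.client.HTTPConnection(server, 80, timeout=30)
    conn.request("POST", TSS_PATH, body=body, headers=build_headers(body))
    return parse_response(conn.getresponse().read().decode("utf-8", "replace"))


# Values copied from the request pasted in the thread (n18ap / s5l8922x).
EXAMPLE_COMPONENTS = {
    "KernelCache": make_component("kernelcache.release.s5l8922x",
                                  "F978uz3zV6USmE34FMmm6xeQDwU=",
                                  "QAAAALhxPQDOpPhRPAe/mVP5J89iIhtaQEmJgg=="),
    "LLB": make_component(
        "Firmware/all_flash/all_flash.n18ap.production/LLB.n18ap.RELEASE.img3",
        None, "QAAAADgxAQDkevEFsIGKqarjmv9T7avG8oGXhg==", trusted=False),
}

# Reply taken from the curl output above.
SAMPLE_REJECT = "STATUS=94&MESSAGE=This device isn't eligible for the requested build."
# Constructed success reply (not observed in the thread).
SAMPLE_SUCCESS = ("STATUS=0&MESSAGE=SUCCESS&REQUEST_STRING="
                  + plistlib.dumps({"ApECID": "1430661561679"}).decode("utf-8"))


def example_request():
    body = build_request_body(1430661561679, 35106, 2,
                              "uvWKIop3L16LfQymS8IyiDZXXw0=", EXAMPLE_COMPONENTS)
    return body, build_headers(body)


if __name__ == "__main__":
    body, headers = example_request()
    print("Content-Length:", headers["Content-Length"])
    print(parse_response(SAMPLE_REJECT))
```

Swap send_request(body) in for the print calls to actually hit the server; the body and headers it sends are exactly what the telnet session tried to type by hand, with the length right.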

Request?

I'm still not understanding the telnet part of this. I can connect fine, but what exactly is the request that I have to send in order to get back a plist file with the SHSH blobs? --Cool name 04:08, 16 August 2010 (UTC)