The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
Difference between revisions of "SHSH Protocol"
(New page for the protocol to request the shsh certificate from Apple) |
(No difference)
|
Revision as of 21:17, 15 August 2010
Here is a description about the protocol that is used when iTunes or TinyUmbrella request the SHSH certificate from Apple. For details about what this is used for, please see the main article SHSH.
This is a simple HTTP (POST) request and answer. You can retry this via a Telnet session or similar. The destination host is gs.apple.com (as of 15. August 2010 at IP 17.151.36.30) and runs on the common HTTP port 80. The data is plaintext and not encoded in any way.
Contents
Sending data (request)
POST /TSS/controller?action=2 HTTP/1.1 Accept: */* Cache-Control: no-cache Content-type: text/xml; charset="utf-8" User-Agent: InetURL/1.0 Content-Length: 12345 Host: gs.apple.com (here comes the XML request file)
Receiving data (answer)
HTTP/1.1 200 OK Date: Sun, 15 Aug 2010 19:25:18 GMT Server: Apache-Coyote/1.1 X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5 Content-Type: text/html Content-Length: 123456 MS-Author-Via: DAV STATUS=0&MESSAGE=SUCCESS&REQUEST_STRING=(here comes the requested shsh file)
XML request file
As you can see, this is a simple XML file. Within <dict> there is always a <key> and then a value.
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>@APTicket</key> <true /> <key>@BBTicket</key> <true /> <key>@HostIpAddress</key> <string>192.168.0.1</string> <key>@HostPlatformInfo</key> <string>windows</string> <key>@Locality</key> <string>en_US</string> <key>@VersionInfo</key> <string>libauthinstall-34</string> <key>ApBoardID</key> <integer>2</integer> <key>ApChipID</key> <integer>12345</integer> <key>ApECID</key> <string>1234567890123</string> <key>ApProductionMode</key> <true /> <key>ApSecurityDomain</key> <integer>1</integer> <key>UniqueBuildID</key> 123412341234123412341234123= <key>AppleLogo</key> <dict> <key>Digest</key> 123412341234123412341234123= <key>PartialDigest</key> 12341234123412341234123412341234123412== <key>Trusted</key> <true /> </dict> The <key><dict> tags repeat here. </plist>
In the above request, the <key><dict> tags repeat for:
- AppleLogo
- BatteryCharging
- BatteryCharging0
- BatteryCharging1
- BatteryFull
- BatteryLow0
- BatteryLow1
- BatteryPlugin
- DeviceTree
- KernelCache
- LLB (*)
- RecoveryMode
- RestoreDeviceTree
- RestoreKernelCache
- RestoreLogo
- RestoreRamDisk
- iBEC (*)
- iBSS (*)
- iBoot
The requested <key><dict> values may depend on the firmware version, because we need a certificate for each part.
All these <key> values have a <dict> block with the tags Digest, PartialDigets, Trusted. Only exception are the marked (*) values: These have a dict block with the tags BuildString and PartialDigest only. The BuildString always contains the value "iBoot-889.24~4" in my test request for all three keys.
Infos about the needed values:
- ApChipID: This is probably the CHIPID
- ApECID: This is the ECID in decimal format.
- UniqueBuildID: (unknown) Base64 encoded
- Digest: (unknown) Base64 encoded
- PartialDigest: (unknown) Base64 encoded
Other parameters / open questions
Some parameters could have other values. Not all details are known.
- action=2 in the request. What other values exist and what is their meaning?
- STATUS=0&MESSAGE=SUCCESS in the answer. What other values exist?
- @APTicket can have other values than true? What is this for?
- @BBTicket can have other values than true? What is this for?
- @HostIpAddress This was not my IP address, so it is assumed this will not be checked.
- @HostPlatformInfo What would this value be on a MAC?
- @Locality This will probably not be checked. This test request was from outside US.
- @VersionInfo Are other values in use?
- ApBoardID Do values other than 2 exist? Where can this value be read?
- ApProductionMode What does this mean? Is there a test environment?
- ApSecurityDomain Meaning?
- Trusted What is this for?
- Full description of the above values for UniqueBuildID, Digest, PartialDigest and BuildString.