Siri Protocol

Applidium documented the Siri protocol on 14 November 2011 by setting up their own DNS server so that the Siri traffic could be redirected and inspected. The traffic is plain HTTPS (with some modifications, described below). The server presents a certificate for guzzoni.apple.com (IP 17.174.4.4), and the client verifies that the certificate is for the correct domain. It does not, however, validate the certificate's issuer (the chain of trust), so a self-signed certificate for that domain is enough to see the traffic.

Protocol
The request looks similar to a standard HTTP request, but uses ACE in place of a standard HTTP method:

ACE /ace HTTP/1.0
Host: guzzoni.apple.com
User-Agent: Assistant(iPhone/iPhone4,1; iPhone OS/5.0/9A334) Ace/1.0
Content-Length: 2000000000
X-Ace-Host: 4620a9aa-88f4-4ac1-a49d-e2012910921

The X-Ace-Host value is tied to the particular iPhone 4S you are using. The Content-Length of almost 2 GB is a fixed placeholder, not the actual length of the body. The User-Agent varies with your OS version and build. The body itself is binary.

Binary Data

 * Starts with 0x00AACCEE
 * Rest is compressed with zlib

The decompressed data is made up of a sequence of chunks:
 * Chunks starting with 0x020000xxxx are "plist" packets; xxxx is the size of the binary plist data that follows the header.
 * Chunks starting with 0x030000xxxx are "ping" packets, sent by the iPhone to the Siri server to keep the connection alive; xxxx is the ping sequence number.
 * Chunks starting with 0x040000xxxx are "pong" packets, sent from the Siri server to the iPhone to keep the connection alive; xxxx is the pong sequence number.

To decode a binary plist you can use the plutil command-line tool on Mac OS X (for example, plutil -convert xml1 file.plist turns it into readable XML).
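A decoder for this framing, added here as an example (it is not Applidium's or Apple's code, and the page describes no such tool): it checks the magic, inflates the zlib stream, walks the chunks, and parses plist chunks with Python's plistlib instead of plutil. It assumes each chunk header is one type byte followed by a 4-byte big-endian value, which is how the 0x020000xxxx notation above reads; the sample plist content is constructed and is not a real Siri message.

```python
import plistlib
import struct
import zlib

# Added example (not Applidium's or Apple's code): decodes the binary body of a
# Siri "ACE" request/response as described on this page.
# Assumed layout: 4-byte magic 0x00AACCEE, then a zlib stream; the inflated
# stream is a sequence of chunks, each a 1-byte type (0x02 plist, 0x03 ping,
# 0x04 pong) followed by a 4-byte big-endian value (payload length for plist,
# sequence number for ping/pong). The 1+4 big-endian header is an assumption
# drawn from the 0x020000xxxx notation.

MAGIC = b"\x00\xaa\xcc\xee"
CHUNK_PLIST, CHUNK_PING, CHUNK_PONG = 0x02, 0x03, 0x04


def parse_ace_body(body: bytes) -> list:
    """Return a list of (kind, value) tuples: ("plist", dict), ("ping", n), ("pong", n)."""
    if body[:4] != MAGIC:
        raise ValueError("bad magic: %r" % body[:4])
    # decompressobj tolerates a zlib stream that has not been closed yet, which
    # is what a partial capture of a long-lived ACE connection looks like
    stream = zlib.decompressobj().decompress(body[4:])
    chunks = []
    pos = 0
    while pos + 5 <= len(stream):
        kind = stream[pos]
        value = struct.unpack(">I", stream[pos + 1:pos + 5])[0]
        pos += 5
        if kind == CHUNK_PLIST:
            if pos + value > len(stream):
                raise ValueError("truncated plist chunk at offset %d" % (pos - 5))
            payload = stream[pos:pos + value]
            pos += value
            chunks.append(("plist", plistlib.loads(payload)))
        elif kind == CHUNK_PING:
            chunks.append(("ping", value))
        elif kind == CHUNK_PONG:
            chunks.append(("pong", value))
        else:
            raise ValueError("unknown chunk type 0x%02x at offset %d" % (kind, pos - 5))
    return chunks


def build_ace_body(chunks: list) -> bytes:
    """Inverse of parse_ace_body; used here only to construct sample data."""
    out = bytearray()
    for kind, value in chunks:
        if kind == "plist":
            payload = plistlib.dumps(value, fmt=plistlib.FMT_BINARY)
            out += struct.pack(">BI", CHUNK_PLIST, len(payload)) + payload
        elif kind == "ping":
            out += struct.pack(">BI", CHUNK_PING, value)
        elif kind == "pong":
            out += struct.pack(">BI", CHUNK_PONG, value)
        else:
            raise ValueError("unknown chunk kind %r" % kind)
    return MAGIC + zlib.compress(bytes(out))


# Constructed sample: a placeholder plist command plus keep-alive traffic.
# The dictionary keys and values are invented and are not real Siri fields.
SAMPLE_CHUNKS = [
    ("plist", {"class": "ExampleRequest", "note": "constructed sample, not a real Siri command"}),
    ("ping", 1),
    ("pong", 1),
]
SAMPLE_BODY = build_ace_body(SAMPLE_CHUNKS)

if __name__ == "__main__":
    for kind, value in parse_ace_body(SAMPLE_BODY):
        print(kind, value)
```

Run stand-alone it builds the constructed sample and prints the decoded chunks; on a real capture, pass the raw body that follows the HTTP headers to parse_ace_body. Because the connection carries one zlib stream that stays open, the decoder uses decompressobj rather than zlib.decompress, so an incomplete capture still yields the chunks received so far.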

plist data
The audio data carried in the plist packets is compressed with the Speex audio codec.

(More documentation of plist data is missing here.)