Talk:SHSH Protocol

Naming
Or should I have named this TSS Protocol instead? -- http 21:23, 15 August 2010 (UTC)

I think the current title makes it easier to tell it relates to SHSH. I can't recall what TSS stands for, and I think it would also be easier to find. Iemit737 21:36, 15 August 2010 (UTC)

Implementation
How can I implement this on a Linux-based system? I have the request, but the 'telnet' and 'POST' commands don't work. --dra1nerdrake 22:40, 15 August 2010 (UTC)

Telnet should work. Just enter:
 telnet gs.apple.com 80
Then you get a HTTP connection. Then send the request and terminate with two CR/LF and you get the response. You can try with any other web page first, that should work the same way:
 telnet www.google.com 80
Then:
 GET / HTTP/1.0
And didn't semaphore release a Unix version with some source code of TinyUmbrella? -- http 23:49, 15 August 2010 (UTC)

Great, thanks, I forgot the port number. He released Unix TinyUmbrella, but it segfaults and I can't code in Java. --dra1nerdrake 04:18, 16 August 2010 (UTC)

EDIT: I can't seem to get it to work. I do:
 telnet cydia.saurik.com 80
Then I do:
 POST /TSS/controller?action=2 HTTP/1.1
 Accept: */*
 Cache-Control: no-cache
 Content-type: text/xml; charset="utf-8"
 User-Agent: InetURL/1.0
 Content-Length: 411
 Host: gs.apple.com

 <!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 @HostIpAddress 192.168.0.1 @HostPlatformInfo darwin @VersionInfo 3.8 @Locality en_US ApProductionMode ApECID 1430661561679 ApChipID 35106 ApBoardID 2 ApSecurityDomain 1 UniqueBuildID AppleLogo Digest Info IsFirmwarePayload Path Firmware/all_flash/all_flash.n18ap.production/applelogo.s5l8922x.img3 PartialDigest Trusted BatteryCharging Digest Info IsFirmwarePayload Path Firmware/all_flash/all_flash.n18ap.production/glyphcharging.s5l8922x.img3 PartialDigest Trusted BatteryCharging0 Digest Info IsFirmwarePayload Path Firmware/all_flash/all_flash.n18ap.production/batterycharging0.s5l8922x.img3 PartialDigest Trusted BatteryCharging1 Digest Info IsFirmwarePayload Path Firmware/all_flash/all_flash.n18ap.production/batterycharging1.s5l8922x.img3 PartialDigest Trusted BatteryFull Digest Info IsFirmwarePayload Path Firmware/all_flash/all_flash.n18ap.production/batteryfull.s5l8922x.img3 PartialDigest Trusted BatteryLow0 Digest Info IsFirmwarePayload Path Firmware/all_flash/all_flash.n18ap.production/batterylow0.s5l8922x.img3 PartialDigest Trusted BatteryLow1 Digest Info IsFirmwarePayload Path Firmware/all_flash/all_flash.n18ap.production/batterylow1.s5l8922x.img3 PartialDigest Trusted BatteryPlugin Digest Info IsFirmwarePayload Path Firmware/all_flash/all_flash.n18ap.production/glyphplugin.s5l8922x.img3 PartialDigest Trusted DeviceTree Digest Info IsFirmwarePayload Path Firmware/all_flash/all_flash.n18ap.production/DeviceTree.n18ap.img3 PartialDigest Trusted KernelCache Digest Info Path kernelcache.release.s5l8922x PartialDigest Trusted LLB BuildString iBoot-636.66~5 Info IsFirmwarePayload Path Firmware/all_flash/all_flash.n18ap.production/LLB.n18ap.RELEASE.img3 PartialDigest NeedService Digest Info IsFirmwarePayload Path Firmware/all_flash/all_flash.n18ap.production/needservice.s5l8922x.img3 PartialDigest Trusted OS Info Path 018-6152-014.dmg RecoveryMode Digest Info IsFirmwarePayload Path Firmware/all_flash/all_flash.n18ap.production/recoverymode.s5l8922x.img3 PartialDigest Trusted RestoreDeviceTree Digest Info Path Firmware/all_flash/all_flash.n18ap.production/DeviceTree.n18ap.img3 PartialDigest Trusted RestoreKernelCache Digest Info Path kernelcache.release.s5l8922x PartialDigest Trusted RestoreLogo Digest Info Path Firmware/all_flash/all_flash.n18ap.production/applelogo.s5l8922x.img3 PartialDigest Trusted RestoreRamDisk Digest Info Path 018-6145-014.dmg PartialDigest Trusted iBEC BuildString iBoot-636.66~5 Info Path Firmware/dfu/iBEC.n18ap.RELEASE.dfu PartialDigest iBSS BuildString iBoot-636.66~5 Info Path Firmware/dfu/iBSS.n18ap.RELEASE.dfu PartialDigest iBoot Digest Info IsFirmwarePayload Path Firmware/all_flash/all_flash.n18ap.production/iBoot.n18ap.RELEASE.img3 PartialDigest Trusted
But no dice. --dra1nerdrake 18:33, 16 August 2010 (UTC)

 * I think your main problem is that your content is more than the 411 bytes that you specified.
 * Where do you have the digest etc. values from?
 * In my article I didn't write about the Info key you added. What is that?
-- http 20:45, 16 August 2010 (UTC)

I copied the entire plist from a plist generated by idevicerestore. Digest values are from the BuildManifest.plist, at the root directory of the firmware. I ran it in debug mode (-d). What should I put in place of 411? --dra1nerdrake 02:12, 17 August 2010 (UTC)

It should be the size of the data you transfer. The data seems to be much longer than 411 bytes, I didn't count though. See section 14.13 here (RFC2616). --http 03:56, 17 August 2010 (UTC)

Did it finally work for you? Also: Do you know how idevicerestore creates these Digest values? If you find that out, maybe you can update the article. -- http 22:42, 24 August 2010 (UTC)

Curl is more suitable for LL HTTP, try something like:
 $ curl -v "http://cydia.saurik.com/TSS/controller?action=2" -X POST -d @1.plist -H "Host: gs.apple.com" -H "Content-type: text/xml; charset=utf8"
 * About to connect to cydia.saurik.com port 80 (#0)
 *   Trying 74.208.10.249... connected
 * Connected to cydia.saurik.com (74.208.10.249) port 80 (#0)
 > POST /TSS/controller?action=2 HTTP/1.1
 > User-Agent: curl/7.19.7 (universal-apple-darwin10.0) libcurl/7.19.7 OpenSSL/0.9.8l zlib/1.2.3
 > Accept: */*
 > Host: gs.apple.com
 > Content-type: text/xml; charset=utf8
 > Content-Length: 8222
 > Expect: 100-continue
 >
 < HTTP/1.1 100 Continue
 < HTTP/1.1 200 OK
 < Server: nginx/0.7.64
 < Date: Thu, 26 Aug 2010 09:27:56 GMT
 < Content-Type: text/plain
 < Transfer-Encoding: chunked
 < Connection: keep-alive
 < Cache-Control: private, proxy-revalidate
 <
 STATUS=94&MESSAGE=This device isn't eligible for the requested build.
 * Connection #0 to host cydia.saurik.com left intact
 * Closing connection #0
where 1.plist is a file with your plist --Vasfed 09:41, 26 August 2010 (UTC)

curl needs an extra header with a blank Expect to get past the "Done waiting for 100-continue" error. Add -H "Expect:" to the command above.

--Miketress 18:43, 8 June 2011 (GMT+1)

Request?
I'm still not understanding the telnet part of this. I can connect fine, but what exactly is the request that I have to send in order to get back a plist file with the SHSH blobs? --Cool name 04:08, 16 August 2010 (UTC)

Rewrite
Somebody should rewrite this article as it is partially wrong and the iPhone 4 needs more values, but I can't seem to figure out all of them. --sn0wra1n
 * It is not that different; the only difference between the iPhone 4 build manifest and the iPhone 3GS build manifest is:

BbChipID 0x50 BbSkeyId EBL-Digest FlashPSI-PartialDigest FlashPSI-SecPackDigest FlashPSI-Version 0x00020008 Info Path Firmware/ICE3_03.10.01_BOOT_02.08.Release.bbfw ModemStack-Digest ModemStack-Length 0x006f0934 ModemStack-SecPackDigest RamPSI-PartialDigest RamPSI-Version 0x00020008 --liamchat 13:12, 19 December 2010 (UTC)
 * So if I want to create a SHSH request, I just copy the BuildManifest.plist and add the ECID value only? If not, is there any sample SHSH request plist with the entire thing? --sn0wra1n
 * Yes, but the baseband will also give its nonce key (which is required to validate the SHSH of the baseband), so you could cache the baseband SHSHs, but the nonce is what makes them work. --liamchat 14:59, 19 December 2010 (UTC)

I decided to use my iPod touch 4 rather than my iPhone 4, so this is what I got: SHSH Request Plist. But the problem is I don't receive anything after submitting. How long should I wait to receive it? --Sn0wra1n 01:59, 21 December 2010 (UTC)
 * How do i calculate my content-length (with or without the headers size?)
 * Must the plist be spaced/formatted correctly?
 * Content-Length: This is the standard http protocol. See RFC2616 chapters 14.13 and 4.4. In short: only the message body, not the header.
 * spacing/formatting: shouldn't matter; it's XML
 * time: answer should come immediately. If you get no reply, try to get the Google start page this way first - there you don't need a message body. Also you can start with HTTP/1.0, there you don't need any header rows (except the GET statement of course):

GET / HTTP/1.0
 * --http 07:41, 21 December 2010 (UTC)

Actually I'm not sure about calculating the Content-Length. Is it just the XML file's words, including spaces or not including spaces? --Sn0wra1n 10:07, 21 December 2010 (UTC)
 * It includes every byte you send: spaces, carriage-return, linefeed, etc. --http 16:28, 21 December 2010 (UTC)
 * Thanks for your help. Seems like Windows 7 adds 2 bytes extra to the file size, so I had problems. I managed to get the iTunes SHSH request and found that the Info tag, BBTicket value and APTicket value are not needed. --Sn0wra1n 09:26, 22 December 2010 (UTC)
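To make the Content-Length discussion above concrete, here is an added Python example (not code from this page, idevicerestore or TinyUmbrella) that serialises a constructed request dict into the POST described in this thread, checks the declared Content-Length against the body bytes actually sent, and parses the STATUS/MESSAGE reply format seen in the curl session. The ECID and digest values are placeholders, not real device data.

```python
import plistlib
import urllib.parse

# Constructed sample TSS request in the shape the thread describes: device identity
# values plus one firmware component copied from BuildManifest.plist. The ECID and
# digest bytes are placeholders, not real device values.
SAMPLE_REQUEST = {
    "@HostPlatformInfo": "darwin",
    "@VersionInfo": "3.8",
    "@Locality": "en_US",
    "ApProductionMode": True,
    "ApECID": 1234567890123,          # placeholder ECID
    "ApChipID": 35106,                # s5l8922x, as in the posted request
    "ApBoardID": 2,
    "ApSecurityDomain": 1,
    "KernelCache": {
        "Digest": b"\x00" * 20,       # placeholder; real value comes from BuildManifest.plist
        "PartialDigest": b"\x00" * 60,
        "Trusted": True,
    },
}

def build_tss_request(req: dict, host: str = "gs.apple.com") -> bytes:
    """Serialise the plist and build the raw HTTP/1.1 POST. Content-Length counts only
    the body bytes (RFC 2616 14.13) and is taken from the exact bytes put on the wire."""
    body = plistlib.dumps(req)        # UTF-8 XML bytes, no BOM, no stray CRLF
    headers = [
        "POST /TSS/controller?action=2 HTTP/1.1",
        f"Host: {host}",
        "Accept: */*",
        'Content-type: text/xml; charset="utf-8"',
        "User-Agent: InetURL/1.0",
        f"Content-Length: {len(body)}",   # no Expect header, so no 100-continue stall
    ]
    return "\r\n".join(headers).encode("ascii") + b"\r\n\r\n" + body

def content_length_mismatch(raw: bytes) -> int:
    """Declared Content-Length minus actual body length; 0 means the request is consistent."""
    head, _, body = raw.partition(b"\r\n\r\n")
    declared = next(int(line.split(b":", 1)[1].strip()) for line in head.split(b"\r\n")
                    if line.lower().startswith(b"content-length:"))
    return declared - len(body)

def request_body(raw: bytes) -> dict:
    """Decode the plist body back into a dict (handy for checking what was sent)."""
    return plistlib.loads(raw.partition(b"\r\n\r\n")[2])

def parse_tss_response(text: str) -> dict:
    """Parse the form-encoded TSS reply ('STATUS=94&MESSAGE=...') into a dict; a
    successful reply also carries REQUEST_STRING with the signed plist."""
    return {k: v[0] for k, v in urllib.parse.parse_qs(text, keep_blank_values=True).items()}
```

A file saved by an editor that appends a trailing CRLF makes the body two bytes longer than the length computed from the clean plist, which is the kind of mismatch the check above reports.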

Baseband SHSH Protocol
Seems like there is a Baseband SHSH Protocol too. Maybe someone should write a wiki page on it. I'm trying to understand notcom's TinyUmbrella code. --Whiteshinyapple 13:52, 9 March 2011 (UTC)
 * You're right that we need an article for the Baseband SHSH Protocol also. I initially created this page here. You just have to log what goes over the network. You could also easily trace what gets sent to TinyUmbrella for the baseband, but you cannot trace the official answer from Apple unless you upgrade the baseband (or reinstall it). So you need a device with an already upgraded baseband. My iPhone 4 is still running 01.59.00, so I cannot test that. But you're right, the next time I do a restore, I'll document at least the request that goes out (unless somebody else is faster). -- http 22:14, 9 March 2011 (UTC)