pallas-request

A library to support making requests to Apple's Pallas server (gdmf.apple.com and mesu.apple.com). More info on The Apple Wiki.

Installation

Using pip

cd ~/Downloads/
mkdir pallas-request && cd pallas-request
curl "https://github.com/Riigess/UAFAssets-updater/archive/refs/heads/main.zip" -o main.zip
unzip main.zip
pip3 install ./

Usage

You can either use this as a Python 3.9+ module, or as a CLI tool. You can find the module docs here.

CLI Tool Reference

Good news! The tool supports argparse. Here's a sample of that output as it stands.

$ pallas-request -h

Acknowledgements

I don't take any responsibility for your use of this library. This is purely for educational purposes only.

• @Nicolás17 for providing insights on pallas-archive over on gitlab
• @r00tfs and @dhinakg for validating the work and making sure I'm not backtracking the entire way through the project (sanity checking is always good)
• @Siguza Bruh called me ChatGPT, so I had to finish the project. Betting he's still labeling me as nothing more than ChatGPT..

Notes

In order to query Pallas, you need to use JSON Web Tokens (JWTs) and Base64 for encryption/decryption. A request may look like

{
    "AssetAudience": "02d8e57e-dd1c-4090-aa50-b4ed2aef0062",
    "AssetType": "com.apple.MobileAsset.UAF.Siri.UnderstandingNLOverrides",
    "ClientVersion": 2,
    "CertIssuanceDay": "2023-12-10",
    "DeviceName": "Mac",
    "TrainName": "GlowSeed"
}

AssetAudience

There are likely hundreds, if not thousands, of Asset Audiences used for groups of Assets. When Pallas generates a response, it is able to provide this information without using the device's generic audience. What is attached to this library is the generic asset audience for the OS you would like to query. In this example, we're using the corresponding Audience.macos_generic audience.

AssetType

This is typically an identifier for different assets. This can also expose information such as the daemon owner of a particular asset. As provided in this example, MobileAsset is the daemon responsible for fetching and maintaining UAF.Siri.UnderstandingNLOverrides on-device.

DeviceName

I am personally a little surprised this is even a field in here since the TrainName and AssetAudience should be enough of an identifier for Pallas to establish what device is making a query and how it should respond. This is as generic as it gets. Examples of this are "Mac", "iPhone", "Apple Watch", etc.. (see DeviceType.py for more known references)

TrainName

Each OS release will have a few variations on the train names. For instance, DawnESeed, DawnFSeed, GlowSeed, GlowBSeed, etc. These OS names can be found in the device's IPSW BuildManifest.plist. Sometimes leaks for these names (iOS 19, iOS 18, iOS 17, ...) show up. I'm not able to validate any of this information (I simply don't know), but if a rumor shows up I will add the original source if it's added to this library for any references of pre-release information.

Requests

Please note that if you make a request given the above format only will result in larger than normal dumps of information. Devices don't download the generic assets as this results in 1 -> 10MB in some cases for a JWT response from Pallas. Example response may look like something like this;

{
    "Nonce": "",
    "PallasNonce": "........-....-....-....-........",
    "SessionId": "",
    "LegacyXmlUrl": "",
    "PostingDate": "YYYY-MM-DD",
    "Transformations":{
        "_Measurement":"data",
        "SEPDigest":"data",
        "RSEPDigest":"data"
    },
    "Assets":[
        {
            "ArchiveDecryptionKey":"",
            "ArchiveDecryptionKeyFile":"",
            "ArchiveID":"",
            "AssetFormat":"AppleArchive",
            "AssetSpecifier":"com.apple.siri.understanding.nl.overrides.en_GB",
            "AssetType":"com.apple.MobileAsset.UAF.Siri.Understanding",
            "AssetVersion":"3304.2400.1720760365.100.134,0",
            "AssetVersionInfo":{
                "AssetVersionGroup":0,
                "AssetVersionLong":"3304.2400.1720760365.100.134,0",
                "AssetVersionTuple":"3304.2400.1720760365.100.134",
                "BuildVersionTuple":"",
                "BundleVersionTuple":"3304.2400.1720760365"
            },
            "Build":"100G134",
            "Factor":"com.apple.siri.understanding.nl.overrides.en_GB",
            "_CompressionAlgorithm":"AppleArchive",
            "_DownloadSize":65536,
            "_ISMAAutoAsset":true,
            "_Measurement":"",
            "_MeasurementAlgorithm":"SHA-1",
            "_PreSoftwareUpdateAssetStaging":false,
            "_UnarchivedSize":1,
            "__BaseURL":"",
            "__CanUseLocalCacheServer":true,
            "__RelativePath":"",
            "version":"3304.2400.1720760365",
            "_OSVersionCompatibilities":{}
            "Ramp":false
        },
        ...
    ]
}

This is (almost) a real partial from a response for an NLOverrides with locale en_GB. A few of the keys will be modified but should still be present in the final response as well.

• PallasNonce has been replaced with periods (.) to represent an alphanumeric character equal to the length of the original string in place.
• _OSVersionCompatibilities has been truncated to remove all capable devices
• _UnarchivedSize has been truncated to represent a positive integer response
• _Measurement is typically a String equal to the (_MeasurementAlgorithm) hash of the asset after downloading
• __BaseURL and __RelativePath have both been removed to not point to a specific URL to download this version
• -DecryptionKey and -DecryptionKeyFile have both been removed to display the keys with no specific significance being brought to accessing the asset in this example
• AssetFormat can be either "AppleArchive" or "AppleEncryptedArchive", usually expect "AppleArchive" here

Everything else usually matches formatting at least.