ios 6 (getting past createsessioninforequest)

[rotastrain]

I was looking at the new ios 6 and why the server just stops after trying to connect.

The problem is

Earlier the phone used to send a request by createtsessioninforequest and we would bypass it by sending commandfailed.

However now sending a commandfailed just stops the protocol.

After spoofing a createsessioninforesponse the iphone just responds by saying "can you please say that again?"

if i connect to TLP proxy and then in the next 20 seconds switch over to our own proxy the protocol goes through and siri works. this is because the iphone doesnt ask for a getsessioninforesponse and directly goes to loadassistant

Any thoughts and insights on this? Unless we can bypass it google api servers are extinct. :X

[janrueth]

I don't have a phone that has siri on iOS 6... So I cannot investigate it... Are there instructions for iphone 4?

[rotastrain]

Instructions for iPhone 4?? I didn't understand If you mean how to get siri on iOS 6 yes there are you need to install iOS 6 jail break using redsnow tethered and add the repo cydia.bassamkassem.com and install acid siri.

[weinzach]

"After spoofing a createsessioninforesponse the iphone just responds by saying "can you please say that again?"

if i connect to TLP proxy and then in the next 20 seconds switch over to our own proxy the protocol goes through and siri works. this is because the iphone doesnt ask for a getsessioninforesponse and directly goes to loadassistant"

What do you mean by this?

[rotastrain]

What I mean is that if you don't send a command failed and instead write a object called createsessioninforesponse and send back a sessioninfo with a validation then it replies back by saying say that again.

If you connect to a three little pigs proxy server and use a 4s keys to connect and get a validation from apple then the next time you connect siri works even I a google server as for the time being a session info has been gotten already from apple

We have to find a method to go past the createsessioninforequest.

Sent from my iPhone

On Oct 11, 2012, at 3:44 AM, zdog1230 notifications@github.com wrote:

"After spoofing a createsessioninforesponse the iphone just responds by saying "can you please say that again?"

if i connect to TLP proxy and then in the next 20 seconds switch over to our own proxy the protocol goes through and siri works. this is because the iphone doesnt ask for a getsessioninforesponse and directly goes to loadassistant"

What do you mean by this?

— Reply to this email directly or view it on GitHub.

[rotastrain]

@Eichhoernchen would you be investigating this ? i could provide you some logs if you need...

[janrueth]

I don't have siri for iOS 6, that's what I meant by instructions... how to obtain etc... I only have a iphone 4, so no siri support from factory...

I also one did investigate this, however I failed. I think one needs to create a createsessioninforesponse properly, which involves certificates and signing... I'm unaware of what is encrypted or signed. In the previous versions siri did continue if one just sent a CommandFailed but now as far as I can tell from your descriptions this now fails and stops the connection

[rotastrain]

Ok can you think of any way to get around this? Maybe a mobile substrate hook to bypass it.?. You can download siri from the repo I wrote above to test it out.. I am also working on trying to find a solution. Will post here if I find anything

Sent from my iPhone

On Oct 11, 2012, at 11:40 PM, Jan notifications@github.com wrote:

I don't have siri for iOS 6, that's what I meant by instructions... how to obtain etc... I only have a iphone 4, so no siri support from factory...

I also one did investigate this, however I failed. I think one needs to create a createsessioninforesponse properly, which involves certificates and signing... I'm unaware of what is encrypted or signed. In the previous versions siri did continue if one just sent a CommandFailed but now as far as I can tell from your descriptions this now fails and stops the connection

— Reply to this email directly or view it on GitHub.

[janrueth]

Well, I could try again... Also a mobile substrate hook could solve this, however this might be as difficult as trying to just solve it directly. One would also need to have a deep look where and how things are processed and if you knew that you could simply code the correct input...

(From memory:) I think there is first a command which is only send by the iphone very seldom as the data that is returned has a validity time of some days. The server response to this request contains two certificated in DER format with a certain prefix (this is also implemented in the the server). I guess then the iphone uses the public keys in the certs to generate some signatures or encrypted some data which can only be read by the server using the private key, if the data is valid (I think this also contains the udid of the device) the server replies with some unknown to me binary blob which seems to be verifiable by the client so there seems to be a signature process included. So one needs to investigate which keys are used to sign data. It would be helpful to know which key the iphone uses, such that one can give it a certain key to which one has the private key that one can decrypt or what ever is done there, to see which data is sent...

However last time I tried I think I used self signed certificates however the iphone did not like them, possibly the iphone checks wether or not the supplied certificate is issued from apple and valid (this is not fake-able)

[rotastrain]

I understand I will also look into this. Maybe you can also try again in some free time. I don't want this beautiful google API server to die because of one protocol change. :)

Sent from my iPhone

On Oct 11, 2012, at 11:58 PM, Jan notifications@github.com wrote:

Well, I could try again... Also a mobile substrate hook could solve this, however this might be as difficult as trying to just solve it directly. One would also need to have a deep look where and how things are processed and if you knew that you could simply code the correct input...

(From memory:) I think there is first a command which is only send by the iphone very seldom as the data that is returned has a validity time of some days. The server response to this request contains two certificated in DER format with a certain prefix (this is also implemented in the the server). I guess then the iphone uses the public keys in the certs to generate some signatures or encrypted some data which can only be read by the server using the private key, if the data is valid (I think this also contains the udid of the device) the server replies with some unknown to me binary blob which seems to be verifiable by the client so there seems to be a signature process included. So one needs to investigate which keys are used to sign data. It would be helpful to know which key the iphone uses, such that one can give it a certain key to which one has the private key that one can decrypt or what ever is done there, to see which data is sent...

However last time I tried I think I used self signed certificates however the iphone did not like them, possibly the iphone checks wether or not the supplied certificate is issued from apple and valid (this is not fake-able)

— Reply to this email directly or view it on GitHub.

[janrueth]

I'm currently downloading redsnow... got a free evening, will dig a little bit into it

[rotastrain]

Ok :) Here's a link you need to install cydia using ssh

http://www.idownloadblog.com/2012/09/19/how-to-jailbreak-ios-6-and-install-cydia/

Sent from my iPhone

On Oct 12, 2012, at 12:06 AM, Jan notifications@github.com wrote:

I'm currently downloading redsnow... got a free evening, will dig a little bit into it

— Reply to this email directly or view it on GitHub.

[janrueth]

Thanks, I already got everything, just need to download ios6 for jailbreaking again, deleted the ipsw...

[janrueth]

Jailbreaking does not work for me... I always get a Exploit failed

[rotastrain]

Have you downloaded the redsnow dev version? " RedSnow 0.9.13 dev 4 ". this is the version you need. ---not the latest "redsnow 0.9.14".---

On Fri, Oct 12, 2012 at 1:02 AM, Jan notifications@github.com wrote:

Jailbreaking does not work for me... I always get a Exploit failed

— Reply to this email directly or view it on GitHubhttps://github.com/Eichhoernchen/SiriServerCore/issues/94#issuecomment-9354610.

[rotastrain]

Here is the link to the correct redsnow

For mac:

https://sites.google.com/a/iphone-dev.com/files/home/redsn0w_mac_0.9.13dev4.zip?attredirects=0&d=1

for windows:

https://sites.google.com/a/iphone-dev.com/files/home/redsn0w_win_0.9.13dev4.zip?attredirects=0&d=1

On Fri, Oct 12, 2012 at 1:05 AM, Aditya Raut rotastrain@gmail.com wrote:

Have you downloaded the redsnow dev version? " RedSnow 0.9.13 dev 4 ". this is the version you need. ---not the latest "redsnow 0.9.14".---

On Fri, Oct 12, 2012 at 1:02 AM, Jan notifications@github.com wrote:

Jailbreaking does not work for me... I always get a Exploit failed

— Reply to this email directly or view it on GitHubhttps://github.com/Eichhoernchen/SiriServerCore/issues/94#issuecomment-9354610.

[janrueth]

yep... using 0.9.13 dev 4

[janrueth]

maybe a good old reboot will solve this :D brb

[janrueth]

... it really solved it... sigh

[janrueth]

So, I got it up and running up to the point that you guys also have

[weinzach]

Maybe this link can help http://roxy4.guzzoniproxy.com/log/logcontacts.txt this is a link to a log of a TLP Proxy and it shows what the server sends back to a createsessioninforequest. I also believe maybe a mobile substrate hook could work as well to solve this...

[janrueth]

Just a tip for those who are testing, you can get status output from the iphone about siri status:

Create a file called com.apple.AssistantServices.plist in /var/mobile/Library/Preferences and add:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>AFLogLevel</key>
        <integer>10</integer>
        <key>AFOutputLevel</key>
        <integer>10</integer>
</dict>
</plist>

You can see the output in the iphones console

[rotastrain]

I added the file. but where do i see the output?? i didnt understand.. any breakthrough? i havent gotten ahead as of now..

[janrueth]

Open X-Code->Organizer-> Select your phone and select console... or, if you don't want to use xcode, you can also use the iphone configuration utility or install socat via cydia and ssh into the phone and use: socat - UNIX-CONNECT:/var/run/lockdown/syslog.sock and then use watch to see the current output

[janrueth]

I still haven't found a way to properly debug assistantd... ida + debugserver does not seem to work, anyone knows how to debug properly?

[rotastrain]

no i have no concrete experience in using ida really

[weinzach]

Could this help http://siriport.ru/forum/topic/980-ios-6-siri-files-with-cache-4s-for-dev-only/#entry25207 it has a link to the ios 6 siri header files from assistantd so maybe that can help serverside of for a mobilesubstrate hook...

[rotastrain]

Thanks I have two methods I have thought of to get past this problem and one of them needs the headers. However the headers seem to be incomplete and I will need to dump and fix them myself from the cache. Il try the easier method first when I head back from university and re post here.

Sent from my iPhone

On Oct 13, 2012, at 4:34 AM, zdog1230 notifications@github.com wrote:

Could this help http://siriport.ru/forum/topic/980-ios-6-siri-files-with-cache-4s-for-dev-only/#entry25207 it has a link to the ios 6 siri header files from assistantd so maybe that can help serverside of for a mobilesubstrate hook...

— Reply to this email directly or view it on GitHub.

[janrueth]

Yeah I have the headers too, I got the methodname of the method that is responsible for initial failing

[rotastrain]

I think if anyone can get past it its you eich.. I am working at it from another angle. when i was on 5.1.1 and when i had downloaded the acid siri port for it i had noticed a peculiar behavior of the port which was causing the phone to never send a "createsessioninforeaquest" unless the assistant.plist was first deleted, i am going back to 5.1.1 to find out what was causing this and if it can be reproduced.

[janrueth]

I think that is just caching behavior and you didn't see it the first time, if you delete that file it will do the command again

[weinzach]

I came across this plist http://huzzoni.servebeer.com/working.plist . Do you think NeedDestruction YES can be used for an advantage?

[janrueth]

I don't know what this is used for...

I think one would need to investigate the -[ADAuthenticator _getSessionRequestForCertificate:completion:] method in assistantd, more precisely the completion block that is used... which initializes the authentication process using certificates.... I'll write a mobile substrate hook to find out the parameters and get a look at how it works... there is a 36 cases switch involved in a subroutine within the completion block... It's kinda difficult to get a clue what does what as I'm not very good in asm and sadly don't own hexrays arm tools to turn it back to C code :D However the demo version of IDA is great for mac.

[rotastrain]

you were right.. the moment i deleted the file the command was sent. so it was useless. i read this from chpwn a while back

"The authentication is based on what I’m going to call “tokens”, which are signed by Apple. If I remember correctly (I haven’t looked at this for a month or so, and this is from memory), Siri (through the assistantd binary) first asks Apple for certificate data. This is then used to sign a blob of data generated by the iPhone and encrypted using AES. That signed data is then sent back to Apple, processed. If that was found to be valid, the device receives the “token” (called sessionInfo in the code) and an expiration date (the token is generally renewed daily).

The interesting part here is the AES-encrypted and signed data that is submitted to Apple for validation. The code that generates this is obfuscated (similar to FairPlay), but the general gist of what it does is reasonably simple. Firstly, assistantd calls out to the obfuscated absinthed, a part of the iPhone’s FairPlay subsystem. That then asks libMobileGestalt for both the UniqueDeviceID (the same UDID used for provisioning) and SerialNumber (the device’s serial number), and reads four bytes from a shared memory region. I currently do not know the source of these four byes (although I suspect the FairPlay daemon) or the purpose. This is then AES encrypted and sent back to assistantd to send to Apple, and (if valid) is exchanged for the session info."

The AES signing i think is being done by the certificate we our selves generate. I can see it being passed to the iphone in the first request...

there is something else i have noticed. if you connect to apples servers and get a valid session info and then connect to our google api one the server works. but immidiately it asks for the sessioninfo the next time even though the validity had been set for 9000 (1 day) something is triggering the iphone to ask for session info. i dont know what yet.

[weinzach]

Is it possible to keep sending the same valid session info over and over again to fix all this?

[rotastrain]

No i cant see any quick and dirty fix for this one. @Eichhoernchen. There's also another way to solve this. we can connect to apples servers when a create session info request comes and take the sessionreponse . then not respond back again and switch to our own servers for everything else. But that would be the last option i see

[weinzach]

"I don't know what this is used for...

I think one would need to investigate the -[ADAuthenticator _getSessionRequestForCertificate:completion:] method in assistantd, more precisely the completion block that is used... which initializes the authentication process using certificates.... I'll write a mobile substrate hook to find out the parameters and get a look at how it works... there is a 36 cases switch involved in a subroutine within the completion block... It's kinda difficult to get a clue what does what as I'm not very good in asm and sadly don't own hexrays arm tools to turn it back to C code :D However the demo version of IDA is great for mac." @Eichhoernchen

Maybe comparing the iOS 5 and iOS 6 headers could help. Also could there be a tweak made to just bypass this?? Or somehow downgrade part of Siri to work like iOS 5 did?

[rotastrain]

Any progress yet?, unfortunately I haven't gotten any success yet :(

Sent from my iPhone

On Oct 14, 2012, at 7:16 AM, zdog1230 notifications@github.com wrote:

"I don't know what this is used for...

I think one would need to investigate the -[ADAuthenticator _getSessionRequestForCertificate:completion:] method in assistantd, more precisely the completion block that is used... which initializes the authentication process using certificates.... I'll write a mobile substrate hook to find out the parameters and get a look at how it works... there is a 36 cases switch involved in a subroutine within the completion block... It's kinda difficult to get a clue what does what as I'm not very good in asm and sadly don't own hexrays arm tools to turn it back to C code :D However the demo version of IDA is great for mac." @Eichhoernchen

Maybe comparing the iOS 5 and iOS 6 headers could help. Also could there be a tweak made to just bypass this?? Or somehow downgrade part of Siri to work like iOS 5 did?

— Reply to this email directly or view it on GitHub.

[janrueth]

Haven't been able to work on it, will try this eveni g again, my car's clutch stopped working... Had no access to my mac for some days...

[janrueth]

I've been doing some testing and found out about some internals but due to lack of a working debugger it is a nightmare to find the way through assembly.

The sessionInfoRequest in CreateSessionInfoRequest, is the result what is posted as the third parameter to the complete block of [ADAuthenticator _getSessionRequestForCertificate:completion:] (which itself is called by -[ADAuthenticator prepareWithCertificateData:completion:]), it is somehow derived from the certificates, there is a 36 case switch (probably some kind of automaton which I'm unable to understand :( ) Also it is stored as requestData property to ADAuthenticator.

[rotastrain]

Ok any way you can think of to get past this or disable it?

Sent from my iPhone

On Oct 16, 2012, at 2:31 AM, Jan notifications@github.com wrote:

I've been doing some testing and found out about some internals but due to lack of a working debugger it is a nightmare to find the way through assembly.

The sessionInfoRequest in CreateSessionInfoRequest, is the result what is posted as the third parameter to the complete block of [ADAuthenticator _getSessionRequestForCertificate:completion:](which itself is called by -[ADAuthenticator prepareWithCertificateData:completion:]), it is somehow derived from the certificates, there is a 36 case switch (probably some kind of automaton which I'm unable to understand :( ) Also it is stored as requestData property to ADAuthenticator.

— Reply to this email directly or view it on GitHub.

[janrueth]

Don't know yet, I think disabling it will be difficult, as it initializes a lot. I would like to see why custom certificates fail but the original apple don't, however I haven't figured out how to analyse that easily.

[janrueth]

haha got it, was easier than I thought... I just looked at the wrong place... I was able to disable authentication completely... However there are some flaws in AcidSiri, for example they don't set the assistant language, resulting in the server not knowing which language to use.

Little extra, it also allows you to connect to guzzoni and create an assistant, however guzzoni rejects speech packets...

[rotastrain]

I fixed the language part by writing a custom language selector for people when they connect for the time being. I always knew that if there was a man on the planet who could do it it was eich. Could you share the code and also please for my sake write a small tutorial on how you went around solving this problem? It would be an honor to learn from you.

Sent from my iPhone

On Oct 16, 2012, at 2:27 PM, Jan notifications@github.com wrote:

haha got it, was easier than I thought... I just looked at the wrong place... I was able to disable authentication completely... However there are some flaws in AcidSiri, for example they don't set the assistant language, resulting in the server not knowing which language to use.

Little extra, it also allows you to connect to guzzoni and create an assistant, however guzzoni rejects speech packets...

— Reply to this email directly or view it on GitHub.

[janrueth]

I will first need to take a look into some new things in SAObjects.framework to make it work. I will either release the code or a deb file to make it work. Also I think it is also possible without a extension to solve this, will try this first... than give more instructions

[janrueth]

It works also without an extension....

just edit the following file on your device (convert it to xml first):

cd /var/mobile/Library/Preferences
plutil -convert xml1 com.apple.assistant.plist 

now edit the contents and add:

<key>Authentication Disabled</key>
<true/>

this must be within the

respring and you are good to go

[rotastrain]

But this key will be removed if they delete the file. A substrate tweak can be more effective in being permanent?

Sent from my iPhone

On Oct 16, 2012, at 2:51 PM, Jan notifications@github.com wrote:

It works also without an extension....

just edit the following file on your device (convert it to xml first):

cd /var/mobile/Library/Preferences plutil -convert xml1 com.apple.assistant.plist now edit the contents and add:

Authentication Disabled

this must be within the

respring and you are good to go

— Reply to this email directly or view it on GitHub.

[rotastrain]

Remember the peculiar behavior in acid Siri which I had told u of in 5.1:1? I just saw the assistant file and this was the line that had been added there.i had missed It totally looking for more complicated solutions.

[rotastrain]

Also eich do you know from which header the loadassistant command comes from? As the createsessioninfo is now not in use udid hooking will have to be done from loadassistant...

[janrueth]

I'm currently parsing the ios6 headers and have created a valid systemObjects library from it.

Will commit changes soon

[rotastrain]

Ok!

Sent from my iPhone

On Oct 16, 2012, at 4:03 PM, Jan notifications@github.com wrote:

I'm currently parsing the ios6 headers and have created a valid systemObjects library from it.

Will commit changes soon

— Reply to this email directly or view it on GitHub.