plamoni / SiriProxy

A (tampering) proxy server for Apple's Siri
GNU General Public License v3.0

commandFailed/SessionValidationFailed #250

Closed ghost closed 11 years ago

ghost commented 12 years ago

I initially started using StanTheRipper's siriAuth (https://github.com/StanTheRipper/SiriAuth) to start a Siri proxy server for use with Spire. It initially worked, but after an unknown amount of time, it would eventually start getting "commandFailed" and "not authenticated" errors.

When using plamoni's SiriProxy or Westbaer's SiriProxy, something similar happens.

This initially led me to believe that this is an issue with the keys. However, on the 4S itself, Siri continues to function normally. When I try and retrieve new 4S auth keys from the same 4S, the keys are exactly the same as before.

I don't know if I have to wait for all of the keys to simply regenerate, or if it's an issue with these proxy servers, but it's starting to get slightly annoying.

alnandr commented 12 years ago

Brian and I are experiencing the same issue. Even when the keys regenerate from Apple's servers, "commandFailed" and "not authenticated" errors are still prominent on the proxy server. It does seem like an issue with the proxy servers, or it may be something on Apple's end that is blocking all requests from iPhones using certificates to intercept https://guzzoni.apple.com

Also, I did start to notice the following information that the proxy server wouldn't spit out before:

"Reliance on this certificate by any party assumes acceptance of the then applicable standard terms and conditions of use, certificate policy and certification practice statements."

It all starts here too:

"Injecting auth keys... [Info - Guzzoni] Object: GetSessionCertificateResponse (group: com.apple.ace.system, refId: 74C1194D-E570-4C4D-88B3-C6225C59D64F, aceId: c16b3a90-5327-49c8-8214-28a276a48f88) {"group"=>"com.apple.ace.system", "aceId"=>"c16b3a90-5327-49c8-8214-28a276a48f88", "class"=>"GetSessionCertificateResponse", "refId"=>"74C1194D-E570-4C4D-88B3-C6225C59D64F", "properties"=> {"certificate"=>"

Is this response normal? Also, all methods to "unblacklist" the Siri keys or to regenerate new ones faster have been unsuccessful, as the same validationData key is still provided even though the assistantID and speechID are reset.

I do understand that it's still a long ways and it will most likely be an impossibility to keep the Siri proxy server running for a long time, even if you only do share it with only 1 or 2 older iOS devices. Looks like we'll have to rely on Google Voice Search API instead if we want Siri-like operations on non-4S devices.

ghost commented 12 years ago

I'll go through my siriAuth logs to see what was going on while the server was actually working. By the way, when it /was/ working, it was literally perfect. Everything was fast and responsive, and then it died.

Also, I'm not doing any com.apple.assistantd.plist editing for any of this.

Sent from my iPad 2


FineTralfazz commented 12 years ago

Delete everything SiriProxy related and start a fresh install of Westbaer's fork.

alnandr commented 12 years ago

Doing that won't work, and any fork will still spawn the same result. The main issue here is with the validationData key and why Apple's Guzzoni server just doesn't authenticate it as a valid key when the iPhone 4S itself is able to make Siri requests with the SAME key without any connection problems.

ghost commented 12 years ago

@alnandr: I think that what you pasted is normal, although for me, I have a long string after the bottom "certificate".

@Salax: I don't feel as though starting from scratch will do anything.

Also, is there an easy way to get the date/time stamp to insert into the server log? It'd be nice to know when certain things stop working.

mcdull commented 12 years ago

@alnandr Those keys changed from time to time. Hard-coding them WOULD NOT enable Siri forever. From my experience, the key expired in about 12 hours. So you need to keep using the 4S to generate a new key every few hours to keep it working. That's why Westbaer's one is a better solution, as it would save the most recent valid key for further use. NO OTHER BETTER SOLUTION YET. We need to wait for a JB IP4S for further investigation. (Sadly my frd won't do Siri for me every few hours.)

ghost commented 12 years ago

The issue with that is that sometimes the keys on the iPhone 4S are still exactly the same even after the server stops functioning properly.


ghost commented 12 years ago

Also, I can't get Westbaer's fork to pull in new 4S keys, at least after deleting the old ones in ~/.siriproxy. No new files are generated after removing them and having the 4S connect to the server.


mcdull commented 12 years ago

@besweeet I didn't investigate siriAuth as it is not worth spending the effort. You don't want to change the key manually every few hours. If you want to dig in, please make sure you compare the key when you find your server not working, AND connect the Siri of your iPhone via the SAME network as your server (WiFi / VPN / whatever). It could be a sync issue where some servers need new authentication while other servers may not.

A lot of people did succeed with westbaer's, so it just works. Do investigate the issue. If no new files are generated, please check the log and monitor whether the 4S is properly connected. You may just have a little DNS problem on your iPhone 4S.

ghost commented 12 years ago

@mcdull Look, I've gathered keys from the same iPhone 4S at least 5 dozen times over the past week. I know what I'm doing in regards to grabbing the keys. Like I said, after the server stops working and I grab new keys, they're still the same.

jpiper commented 12 years ago

I'm having the same issue. Keys work fine when the 4S uses them, but I get SessionValidationFailed and CommandFailed errors when the 4 tries.

ienthach commented 12 years ago

The same as you guys.

FernandoGStocco commented 12 years ago

Have you tried generating keys with i4SiriAutoCertificate? I haven't tried it but it might work

alnandr commented 12 years ago

@FernandoGStocco Wouldn't work since it generates certificates based on the IP address of the Mac you're using. Most [if not all] of us are using Linux boxes to run SiriProxy and we require certificates based on the IP address of that server. Unless of course, i4SiriAutoCertificate allows you to specify the IP/hostname, then it's worth a shot.

But let's go back to the main issue here: the keys are invalidated by Apple Guzzoni whenever a non-4S device tries to make a request, even with the Spire tweak installed and with the appropriate configuration files.

Again, the only solution to this is an iPhone 4S jailbreak where we can exactly see what information it sends to Apple's servers so that its requests are ALWAYS authenticated. Apple must've done upgrades to Guzzoni to block certificates we generate.

ghost commented 12 years ago

To those who have working servers: Get several people to use it at once and see how long until it stops working :).

jpiper commented 12 years ago

Ok I've got some interesting information. Throughout all of this the 4S works fine using dnsmasq on the WLAN.

On the iPhone 4, when I use the hosts file on the iPhone 4 to point guzzoni.apple.com to my proxy, it doesn't work (commandFailed/SessionValidationFailed), but when I use dnsmasq on the router on the WLAN, it works fine. If I use Spire to point directly to the IP address, then the 4 won't authenticate as the cert isn't valid for that IP (only for guzzoni.apple.com).

So I see a few solutions, either sign TWO certificates (one for the 4S connecting to guzzoni.apple.com and one for the 4 connecting directly via IP), manage to sign a sort of hybrid certificate (I don't know if this is possible), or work out why editing the hosts file to point from guzzoni to the server makes it screw up.

Hopefully this provides a springboard for someone who knows ruby and/or certification better (I'm a C/C++/Python man myself) to have a prod :)

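Added example (not from the thread or from SiriProxy): the identity check a TLS client runs on the name it dialed, which is why a certificate issued for a hostname still matches when DNS redirects that name but fails when the client is pointed at a bare IP address, and why one certificate can carry both a DNS and an IP subjectAltName. The hostname `assistant.example.test`, the address `192.0.2.10` and all helper names are constructed for illustration.

```ruby
require "openssl"

# Constructed values for illustration only (reserved test name and test range).
HOSTNAME  = "assistant.example.test"
SERVER_IP = "192.0.2.10"

# Build a throwaway self-signed certificate whose only identities are the
# given subjectAltName entries, e.g. "DNS:host" or "DNS:host,IP:192.0.2.10".
def make_cert(san)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3, required for extensions
  cert.serial  = 1
  name = OpenSSL::X509::Name.parse("/CN=constructed test certificate")
  cert.subject    = name
  cert.issuer     = name
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = cert
  cert.add_extension(ef.create_extension("subjectAltName", san, false))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Apply the post-handshake identity check from Ruby's OpenSSL bindings:
# the name the client dialed is compared with the certificate's SAN entries.
# A DNS entry never satisfies an IP address, and the reverse.
def identity_check(cert, dialed_names)
  dialed_names.to_h do |name|
    [name, OpenSSL::SSL.verify_certificate_identity(cert, name)]
  end
end

# Human-readable SAN list, as OpenSSL renders it.
def san_entries(cert)
  cert.extensions.find { |e| e.oid == "subjectAltName" }.value
end

if __FILE__ == $PROGRAM_NAME
  { "DNS only" => "DNS:#{HOSTNAME}",
    "DNS + IP" => "DNS:#{HOSTNAME},IP:#{SERVER_IP}" }.each do |label, san|
    cert = make_cert(san)
    puts "#{label}: #{san_entries(cert)}"
    dialed = [HOSTNAME, SERVER_IP, "other.example.test"]
    identity_check(cert, dialed).each do |name, ok|
      puts "  dialed #{name.ljust(24)} -> #{ok ? 'match' : 'MISMATCH'}"
    end
  end
end
```

A matching name is necessary but not sufficient: the client also requires the chain to end in a CA it trusts, which is why the setups in this thread need their own CA certificate installed on each device.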

ghost commented 12 years ago

@jpiper That doesn't seem to explain why all of a sudden everything decides to stop working, while it was all working previously for several people.

jpiper commented 12 years ago

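True, and to add to the confusion, it seems that what I wrote is possibly wrong. I switched to fopina's master fork of SiriProxy and I can connect to it fine on both the 4S and the 4 using all methods (hosts and dnsmasq) and I'm no longer getting any error messages. The only other thing I did was make sure my com.apple.assistant.plist file looked like this and was saved on the device in binary plist format.

So my checklist is:

  • dnsmasq on local router forwarding guzzoni.apple.com to SiriProxy
  • SiriProxy installed as per instructions on an ubuntu box with certs on it authenticating as guzzoni.apple.com
  • iPhone 4S has Certs installed and works fine when on the local network
  • iPhone 4 Spire settings point to https://guzzoni.apple.com
  • iPhone 4 has Certs installed and IP address forwarding guzzoni.apple.com to the Proxy (for when I'm not on my home network)
  • iPhone 4 has the modified plist installed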

For anyone that's interested, I'm taking advantage of Amazon's free EC2 micro instance to host the server (yay free server!)

ghost commented 12 years ago

I've never understood the point of pointing Spire to Guzzoni if you already have your own server. Why not point it to the server itself? That's what I was previously doing before the issues started occurring. I also don't see the point in editing the com.apple.assistant.plist file, since the information will automatically be replaced when connected to Siri.


ienthach commented 12 years ago

You did "SiriProxy installed as per instructions on an ubuntu box with certs on it authenticating as guzzoni.apple.com".

Can you go through this "certs on it authenticating as guzzoni.apple.com" step by step? I installed on CentOS 5.7 with git://github.com/westbaer/SiriProxy.git following http://methoddk.com/siriguide/, and I got it working. The 4S works; SiriProxy cached speech_id, session_data and assistant_id in .siriproxy. Then the IP4 worked too. But when I restart the server, the IP4 cannot get back to work.

PS: My CentOS is a VPS on the internet; it has a static WAN IP.

jpiper commented 12 years ago

@besweet I point Spire to guzzoni and then guzzoni to my proxy, as the proxy's cert only seems to work for one address, so if I sign the cert for the proxy address, then I can point Spire directly to it, but then it doesn't auth with the 4S. That's been my experience at least!

On 4 Jan 2012, at 01:34, besweeet wrote:

> I've never understood the point of pointing Spire to Guzzoni if you already have your own server. Why not point it to the server itself? That's what I was previously doing before the issues started occurring. I also don't see the point in editing the com.apple.assistant.plist file, since the information will automatically be replaced when connected to Siri.
>
> -----Original Message----- From: Jason Piper Sent: Tuesday, January 03, 2012 6:16 PM To: besweeet Subject: Re: [SiriProxy] commandFailed/SessionValidationFailed (#250)
>
>> True, and to add to the confusion, it seems that what I wrote is possibly wrong. I switched to fopina's master fork of SiriProxy and I can connect to it fine on both the 4S and the 4 using all methods (hosts and dnsmasq) and I'm no longer getting any error messages. The only other thing I did was make sure my com.apple.assistant.plist file looked like this and was saved on the device in binary plist format.
>>
>> So my checklist is:
>>
>>   • dnsmasq on local router forwarding guzzoni.apple.com to SiriProxy
>>   • SiriProxy installed as per instructions on an ubuntu box with certs on it authenticating as guzzoni.apple.com
>>   • iPhone 4S has Certs installed and works fine when on the local network
>>   • iPhone 4 Spire settings point to https://guzzoni.apple.com
>>   • iPhone 4 has Certs installed and IP address forwarding guzzoni.apple.com to the Proxy (for when I'm not on my home network)
>>   • iPhone 4 has the modified plist installed
>>
>> For anyone that's interested, I'm taking advantage of Amazon's free EC2 micro instance to host the server (yay free server!)

alnandr commented 12 years ago

@jpiper So let me get this straight, this is what you did?:

1.) Point Spire device to https://guzzoni.apple.com
2.) Generate proxy certificate with address of proxy server.
3.) Install said proxy certificate to Spire device (and 4S device for authkeys grabbing).
4.) Run dnsmasq/dns.py to point guzzoni.apple.com to address of proxy server.
5.) Make successful requests with Siri on Spire device?

jpiper commented 12 years ago

I generated the proxy certificate with the address of guzzoni.apple.com (it's the default address in the gencerts script in westbaer's fork). The iPhone thinks it's connecting to guzzoni.apple.com because of the DNS, so it needs to be signed as such.

I'm actually using dnsmasq built into my linux (tomato firmware) internet router using the following command, so that all computers on my home network will resolve guzzoni.apple.com to my proxy.

address=/guzzoni.apple.com/MYSERVERADDRESS

alnandr commented 12 years ago

@jpiper Alright, I've tried that with westbaer's fork with no luck. I guess I should try it with fopina's SiriProxy fork, correct? I was reading issue #226 and apparently fopina has been working hard on overcoming this issue a few days ago. I'll go ahead and give it a try. Thanks for your input.

ienthach commented 12 years ago

@alnandr Did you get over those errors?!

jpiper commented 12 years ago

@ienthach I posted above the steps I used with fopina's fork which has been working flawlessly for a couple of days now.

ghost commented 12 years ago

@jpiper Again, how many people do you have connecting to it, and how often? I think that that is one of the more important factors...

jpiper commented 12 years ago

At the moment it's just two, so it's very light usage.

Sent from my iPhone


ghost commented 12 years ago

I still believe that the issue is the overall amount of users. To confirm this, someone with a working server needs to get several people to actively use it.

Treenity commented 12 years ago

My server works fine with the iPhone 4S, but my iPhone 4 is stuck on that issue ...

alnandr commented 12 years ago

Update on this issue:

It seems that my Siri proxy server started randomly working again a few hours ago, and it started to successfully take and process requests from my iPhone 4, especially with a new authkey I provided after leaving it alone for a few days.

After several days of "research" (so I call it), I have finally been able to realize exactly how Apple Guzzoni gets "authenticated":

Your Siri proxy server is provided with the following three IDs, and with their priorities:

The "commandFailed/SessionValidationFailed" error obviously indicates that the Validation Data Key is the culprit here, but it actually isn't. If you look closely at the error message:

"reason"=>"Critical Error: Cannot create Assistant!",

That means Apple's Guzzoni server only blocks the assistantID you're using with your Siri proxy server. The solution? Grab the assistantID of any other device... an iPhone 3GS/4, etc. If you had your Siri proxy server working earlier, you can easily look through the logs and randomly pick any assistantID. The log might refer to this as a "refID."

Go to ~/.siriproxy and edit the assistantKey file to reflect this new key. Reboot your server, and see if it works for you. In my experience, commandFailed errors were still present but were gone after a little while.

Verdict: Apple Guzzoni handles the authentication of the Siri proxy server through the use of the assistantID key. It NEVER blacklists the sessionValidationKey (which is refreshed every 24 hours), and you still being able to use your 4S to access Siri is proof of that.

Reference: http://www.ketchup-mayo-senf.de/blog/-it-unbanning-an-iphone-4s-and-some-infos-around-siri-authentication

ghost commented 12 years ago

Is there a fork that can somehow fix this yet? The different forks don't seem to have any simple way of figuring out the differences.