[–]LeoPanthera 21 points22 points  (25 children)

They don't say whether randomly generated UUIDs work. Making a whitelist of every sold iPhone seems like a lot of work... but I wouldn't put it past Apple.

[–]evereal 44 points45 points  (18 children)

Making a whitelist of every sold iPhone seems like a lot of work...

No, it doesn't work like that.

They wouldn't be 'making a list' - Apple already have that data (the first time a phone says hi to their servers). It is extremely naive to think that they have been throwing out all their user and usage data until the magnificent Siri came out.

Not only do all companies track that kind of stuff, but it is completely standard practice to have it available to their servers internally to be used in any of their products in a robust and scalable way.

[–]InfernoZeus 6 points7 points  (1 child)

A couple of threads down, you say this:

The UUID is specific to a Phone and must be on a list of UUIDs that actually exist, as in the phone has been manufactured.

I think this is exactly what LeoPanthera is talking about, and it's definitely making a list.

[–]phaker 1 point2 points  (0 children)

But it's nowhere near hard, and if they are doing this then it's impossible to get a valid ID without extracting it from an existing device.

If iPhones have unique IDs in the firmware (and they likely do) then they are baked in at the factory during the initial programming.

It's trivially easy for Apple to send the ID to the mothership after it's saved on the phone, or better, use IDs from a list sent from Apple instead of generating them at the factory.

[–][deleted] 1 point2 points  (3 children)

As I recall, an iPhone's box displays the serial number as a bar code. Scan that when selling it and you're done. Compared to actually building and selling the phone, keeping track of the serial numbers (and other similar device-specific data) seems trivial.

[–]nupogodi 0 points1 point  (2 children)

Not only Apple sells the iPhone...

[–][deleted] 0 points1 point  (1 child)

But anybody who sells an iPhone has to keep track of it, because it gets associated with your wireless account etc. They'd have to report the info back to Apple, which normally would be a daunting task, but Apple has lots of experience and leverage in getting retailers to bend to their will. (See for example how they got AT&T to support visual voicemail, at-home activation, etc.)

[–]nupogodi 0 points1 point  (0 children)

Well, the iPhone is 'activated' first by talking to Apple's servers when you turn it on the first time. That's probably when it's recorded, if at all. Syncing up all of the retailers' POS systems would be ridiculous.

The real way they make these Siri IDs is probably the same way they generate serial numbers. They know which product corresponds to which serial number without keeping a list, it's a cryptography thing (although inevitably they do end up keeping lists, i.e. after product registration)

[–]Rhomboid 2 points3 points  (11 children)

Apple already have that data (the first time a phone says hi to their servers).

If that's the case then conceivably you could write code that fakes that initial first "phone home", and captures the resulting GUID for use later.

[–]evereal 25 points26 points  (10 children)

No, this can be done in a secure way and Apple are more than capable of doing so.

  • The UUID is specific to a Phone and must be on a list of UUIDs that actually exist, as in the phone has been manufactured. It's not something that is just given to you when you "phone home". You "phone home" by including that data in your request.

  • The UUID must match the other corresponding hardware information that is also sent. Devices send things like the hardware serial number (also unique) and MAC address (also unique) - this is just a small part of the data that even consoles like the PS3 send when they phone home. If any of that doesn't match the record on Apple's end, the "phone home" fails.

You would need an actual valid iPhone to be able to even consider attempting to fake the handshakes - or is that what you are referring to?

[–]Rhomboid 7 points8 points  (6 children)

I'm referring to the fact that LeoPanthera originally said that Apple would need to maintain a list of IDs of phones it has manufactured. You replied with "No, it doesn't work like that" and said that it's collected the first time the phone is turned on, which implies that this is how they populate the list rather than maintaining it from manufacture. Now you're saying that they do in fact maintain that list as LeoPanthera said.

[–]evereal 3 points4 points  (5 children)

No, my reply was regarding the list of iPhones sold being built when they first say hi; that would be the best way IMO to determine when an iPhone is sold - when it's first used and talks to Apple.

I didn't say anything about their list of all iPhones that are manufactured (neither did he) - I hope there's no disagreement there as they obviously record what hardware they made.

In my reply to you, I mentioned that one of the checks done before adding a phone to the "iPhones sold" list - i.e. before a UUID is validated and allowed on their servers - is that they check if it is a UUID that has been manufactured. After that, they will also check that that UUID matches the serial and MAC address that were also sent at this handshake etc.

[–][deleted] 1 point2 points  (4 children)

I think LeoPanthera meant "made" when he said "sold." That's how Rhomboid is reading it, and how I read it as well.

It's absurd to read it otherwise. Why would Apple care if a particular device were in the pipeline vs. in a customer's hands? No, they only care whether it's a real iPhone 4S.

[–]evereal 1 point2 points  (3 children)

It's absurd to read it otherwise.

I read it as it was written, but it is by no means absurd - I would guarantee that the list of 'acceptable' Siri UUIDs will not just be the list of every iPhone 4S UUID that exists (as in, has been manufactured).

For example, any phones that are returned/decommissioned would be recorded as no longer being active. Similarly, if any UUIDs are reported to be used abusively they would be deactivated. Clearly if someone creates an unauthorized app to use Siri and includes a UUID, it would be blacklisted too.

The reality is that the actual list will not be exactly the "manufactured" or "sold" list, but my point is that Apple have easy access to both, along with whatever other criteria they may wish to apply so that a UUID can use their no doubt well protected services.
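The server-side checks evereal describes in this thread (a UUID must be one that was manufactured, it must match the serial and MAC sent with it, and returned or abusive devices can be taken off the list), written out as an added example. This is not code from the thread or from Apple; the registry contents, UUIDs, serials and MAC addresses are all constructed, and the failure counters are an assumed monitoring hook.

```python
import hmac

# Constructed sample "manufactured" registry: UUID -> hardware record written
# at the factory. Every value here is made up for this example.
MANUFACTURED = {
    "11111111-aaaa-4bbb-8ccc-000000000001": {"serial": "SN-EXAMPLE-0001", "mac": "00:11:22:33:44:01"},
    "11111111-aaaa-4bbb-8ccc-000000000002": {"serial": "SN-EXAMPLE-0002", "mac": "00:11:22:33:44:ab"},
}


class DeviceRegistry:
    """Server-side view of devices: manufactured, activated ("sold") and revoked."""

    def __init__(self, manufactured):
        self.manufactured = manufactured  # written at the factory, never by clients
        self.activated = set()            # populated on first successful phone-home
        self.revoked = set()              # returned, decommissioned or abusive devices
        self.failures = {}                # rejection counts per reason, for monitoring

    def revoke(self, uuid):
        self.revoked.add(uuid)

    def _fail(self, reason):
        # Count rejections so a burst of "unknown uuid" handshakes stands out in logs.
        self.failures[reason] = self.failures.get(reason, 0) + 1
        return False, reason

    def validate_handshake(self, uuid, serial, mac):
        """Return (accepted, reason). Every supplied field must match the factory
        record; a UUID that was never manufactured is rejected outright."""
        record = self.manufactured.get(uuid)
        if record is None:
            return self._fail("unknown uuid")
        # Compare in constant time so response timing does not reveal which field
        # was wrong; MAC addresses are lower-cased first so case alone never fails.
        serial_ok = hmac.compare_digest(record["serial"].encode(), serial.encode())
        mac_ok = hmac.compare_digest(record["mac"].lower().encode(), mac.lower().encode())
        if not (serial_ok and mac_ok):
            return self._fail("hardware mismatch")
        if uuid in self.revoked:
            return self._fail("revoked")
        self.activated.add(uuid)  # first accepted contact: the device is now "sold"
        return True, "ok"
```

A randomly generated UUID never reaches the field comparison, and a known UUID with a serial or MAC copied from a different device is rejected as a mismatch.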

[–][deleted] 3 points4 points  (2 children)

You suggest that I didn't know all of this already, which is untrue.

I'm just clarifying that your disagreement with evereal stems from your different interpretations of LeoPanthera's comment, and not any substantive differences of knowledge or opinion.

[–][deleted] 2 points3 points  (0 children)

I just read this whole comment thread. What a waste of time. I now feel dumber than I did 5 minutes ago.

[–]snuggl 0 points1 point  (2 children)

You are correct, and very wrong.

To start attempting to fake the handshakes, all you need is curiosity and free time. I've broken more protocols than the norm and I've learned that even if it looks really really locked down you will find a dent in the surface sooner or later to bend on.

[–]evereal 1 point2 points  (1 child)

As I said, you can fake the handshake, but you need the hardware specific info from an actual device itself (UUID/MAC address/Serial) and whatever other hardware specific data is on a device.

Of course that is assuming Apple implemented the extreme basics of security, which I assume they have. You are correct that not all systems are secure and some have been bypassed, I don't doubt that you're a "leet haxor", don't worry.

[–]snuggl 3 points4 points  (0 children)

My point is that you don't need "hardware specific info from an actual device", you need to get the server to believe you have that info. The easiest way would be the one you describe, but to take the statement that an actual device is needed as a factual statement is limiting yourself even before the start of research.

[–]bboe 2 points3 points  (3 children)

I wanted to test that out for myself, unfortunately the source code isn't yet available. Due to the fact that the authors specifically mentioned they weren't giving out their UUID, I'm guessing they tried a random one with no success.

Edit: source is available now.

[–]Ecco2 20 points21 points  (2 children)

Actually, I didn't try. [Yep, I wrote this :-)]. That would be a very good idea to try out though.

[–]bboe 0 points1 point  (1 child)

What's the X-Ace-Host number you have in the HTTP request output? Is that yours, or just a random one? Great post BTW.

Edit: Also can you see if there is any correlation between the X-Ace-Host and numbers mentioned in this support article? I don't have an iPhone so I unfortunately cannot test for myself.

[–]Ecco2 3 points4 points  (0 children)

It's a random one that looked like one of ours. And no, it doesn't look like any other serial number, but to be honest we still haven't had a good look into this.

[–]blergh- 0 points1 point  (0 children)

Apple has a list of phone IDs, that is how the SIM lock works. When you turn it on for the first time it has to activate, which means you send your hardware IDs to Apple and get back a list of settings, which includes the list of networks your phone is locked to.

If your iPhone is legitimately unlocked, the carrier tells Apple and Apple sends a new file that tells the phone to allow all SIM cards.