The Three Little Pigs Authentication System

The Three Little Pigs Experimental Authentication System and Ban Protection ;-)

source on the experimental branch: https://github.com/jimmykane/The-Three-Little-Pigs-Siri-Proxy


The above bubble diagram explains how the authentication system works internally when the private mode is ON!!!

The authentication is based upon Appleid and contact card. This means that the user must have a apple iCloud id, and also must be using his contact card for Siri and have a clean assistant.plist

So lets see how the authentication system of The Three Little Pigs works in simple...
  • There are 2 categories of Clients: New and Old! 
  • When a new client connects his apple account id number, name, nickname and appledbid are inserted in the clients table in the database. By default the status of the client is set to invalid thus denying access!
    That's all for new clients. In other words the are just inserted to database (becoming old Client) and access is denied! 
  • When an Old Client connects , the server checks if the Client is valid or not and denies or grants access to that user. 
How to use this? Right now there is no webgui for this and you will have to use phpmyAdmin or navicat in order to manually connect to the database set. A webinterface will be published soon when the beta is finished!

-----How to Use the Authentication Feature-----
  • Step 1: Setup the server as normal and don't forget to put private mode to "ON" on the config.yml
  • Step 2: Give the certificates and host to any people you like and dont worry if they share that. You can also put other protection methods on that like, passwords, udid etc. 
  • Step 3: By now people will be trying to connect but with no luck and you will have the Client table populated with many records. Now you need to get in contact with the person that wants access, browse thought the database records, find his name or nickname, set him to valid='True' and done. If you can find the person, maybe he has the same name with some other and he doesnt have a unique nicknacme ask him to put one in his contact card, the one that he has put in Siri Settings for Siri to use. The record will be updated and thus you will be able to recognize that person on the database.Remeber each client is unique based upon appleid so don't worry about duplicate names etc
Info: Every client creates one or more Assistants in the assistant Table.
Every Assistant is linked to a client and has info on what device the client uses! :-)

Enjoy and keep in mind that this is a Alpha version of auth. Contact me for any problems in GITHUB https://github.com/jimmykane/The-Three-Little-Pigs-Siri-Proxy/issues  not in twitter etc because 140 characters cant hold the log :-)

----The banning system and ban protection - Happy hour---

Lets talk a little on the banning system. 

After working some time on public servers like http://www.paradox-productions.net I ve found out several interesting things. Lets take it from start:

  • When a new device uses Siri for the first time, the first thing that happen is to create a record in Apple Siri DB, containing an Assistintid and speechID (unique for every user). This I call creation of Assistnt objects.This also happens when a user changes the Spire Host or deletes the /var/mobile/Library/Preferences/com.apple.assistant.plist 
  • If you notice the devices that have never used Siri, or cant connect to a Server don't have the Assistantid and speechId in /var/mobile/Library/Preferences/com.apple.assistant.plist . These devices are not setup!  
  • In order to create these records in Apple Siri Db the older devices use 4S validation data to get approved by Apple to connect to the servers! But there is a limit by apple on that.
  • Eg. a 4S key can allow up to 15 simultaneous Assistant object creation. Then Apple replies with commandFailed, thus blocking new, or not setup devices to connect. (Also there is a weekly/dayly limit of ~=50 assistants or more)
  • If you have the ban protection on in the TLP config.yml then when this happens, the key used for that is marked as banned because it cannot support any more not setup devices.
  • When marked as banned this key is still used for processing speech packets but not used for new devices.
  • After some time these keys become unbanned by apple, and thus again allowing of more new or non setup devices to create assistant objects. This is where the happy hour setting comes in place.
     
  • The happy hour setting waits for 6 hours (or what you please) and then sets all non expired keys to unbanned! This allows again new or non setup devices to make requests for assistant object creation until apple banns them again.

So as far as banning is concerned and people that think that they got their 4S phones banned: ONE WORD: They are not banned but cannot create any more assistants because they are juiced out!
Keep the 4S key not shared for a while or turn on the banning system in the config.yml (default is ON)


Thank you,

Jimmy Kane


Δεν υπάρχουν σχόλια:

Δημοσίευση σχολίου