dxasm/shape-ios


shape-ios

Reverse engineered Shape iOS native SDK

Overview

This was written based on APIGuard.framework SDK 4.6.0 found on com.southwest.iphoneprod. The current SDK version is 4.7.2.

I won't go into much depth, but here's some info about it:

Headers

X-dUblrIiu-a
X-dUblrIiu-b
X-dUblrIiu-c
X-dUblrIiu-d
X-dUblrIiu-e
X-dUblrIiu-f
X-dUblrIiu-g
X-dUblrIiu-z

On app launch, there's an init request:

https://mobile.southwest.com/sw_check/ios/init?cid=ios_config

Response:

{
  "kernelId": "...",
  "kernel": "...",
  "ck": {
    "a0": {
      "c": "...",
      "d": "..."
    },
    "b1": {
      "c": "...",
      "d": "..."
    },
    "c2": {
      "c": "...",
      "d": "..."
    },
    "d3": {
      "c": "...",
      "d": "..."
    },
    "e4": {
      "c": "...",
      "d": "..."
    },
    "f5": {
      "c": "...",
      "d": "..."
    },
    "g6": {
      "c": "...",
      "d": "..."
    },
    "h7": {
      "c": "...",
      "d": "..."
    },
    "i8": {
      "c": "...",
      "d": "..."
    },
    "j9": {
      "c": "...",
      "d": "..."
    },
    "k0": {
      "c": "...",
      "d": "..."
    },
    "l1": {
      "c": "...",
      "d": "..."
    },
    "m2": {
      "c": "...",
      "d": "..."
    },
    "n3": {
      "c": "...",
      "d": "..."
    },
    "o4": {
      "c": "...",
      "d": "..."
    },
    "p5": {
      "c": "...",
      "d": "..."
    },
    "q6": {
      "c": "...",
      "d": "..."
    }
  },
  "sk": "..."
}

Init response

| Field | Notes |
| --- | --- |
| kernelId | Kernel identifier. |
| kernel | JS VM (compared to the web version, mobile doesn't have WASM). |
| ck | Lua VM bytecode. Instead of 1 bytecode, they split it into 17 parts. |
| sk | Undocumented. Possibly session key?! |

Headers

| Header | Source | Notes |
| --- | --- | --- |
| -a | JS VM | Main fingerprint payload. If the payload is too large, it is split into a0, a1, a2, etc. |
| -b, -c, -d, -z | JS VM | Undocumented. |
| -e | Native SDK | Device fingerprinting (also has kernelId). |
| -f | Init response | Kernel identifier: kernelId. |
| -g | Native SDK VM | Device fingerprinting. Modified Lua VM; bytecode comes from ck. |

Supported

  • -e header encode/decode: b;<ciphertext>;<nonce>

Usage

Decode

cargo run --release -- decode --data "b;..." --prefix "X-dUblrIiu-"

| Argument | Required | Description |
| --- | --- | --- |
| --data | yes | Data to decode: b;<ciphertext>;<nonce>. |
| --prefix | yes | Prefix used for key derivation. |

Encode

cargo run --release -- encode --data "..." --nonce <random-nonce> --prefix "X-dUblrIiu-"

| Argument | Required | Description |
| --- | --- | --- |
| --data | yes | Data to encode. |
| --nonce | yes | Random 32-byte nonce as 64 hex characters. |
| --prefix | yes | Prefix used for key derivation. |
