# Phase D.6.6-research-a — Handshake Properties byte-diff: dict shape identical, H-HS narrowed to 5 identity fields
Status: verified — completed 2026-04-24
Byte-diffed the 46-key Handshake Properties sub-dict between our iter-01 SPIKE fixture and the real iPhone's iter-10 reference pcap. Result: 36 keys bit-exact, 5 zeroed by us (the declared redactions: UDID, Serial, MAC, ChipID, BootSessionUUID), 5 differ (all iOS point-version drift 26.4.1→26.4.2, not gate candidates), 0 only-ours, 0 only-real. Dict shape, key set and insertion order are all identical. Full writeup: findings.md.
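The classification used in that summary (same / zeroed-by-us / differ / only-ours / only-real, plus the key-set and insertion-order check), as an added example that is not the project's code. The two dicts are constructed stand-ins with invented values; only the five redaction key names come from this note. The note diffed the wire bytes, whereas this works on the parsed dicts, so it can also do the one check a byte-diff cannot: flag a field that is zeroed on our side but is not on the declared-redaction list, which would otherwise hide inside the "differ" bucket as drift.

```python
"""Added example (not the project's code): classify two Handshake
Properties dicts into same / zeroed-by-us / differ / only-ours / only-real
and check key set + insertion order.  Sample dicts below are constructed."""
from dataclasses import dataclass, field

# Declared redactions: the five identity fields we zero in the SPIKE fixture.
DECLARED_REDACTIONS = frozenset({
    "UniqueDeviceID", "SerialNumber", "EthernetMacAddress",
    "UniqueChipID", "BootSessionUUID",
})


def is_zeroed(value) -> bool:
    """True for a redaction-style value: empty, 0/None, all-zero bytes,
    or a string made only of '0', ':' and '-' (zeroed UUID / MAC / hex)."""
    if isinstance(value, (bytes, bytearray)):
        return all(b == 0 for b in value)
    if isinstance(value, str):
        return value == "" or set(value) <= {"0", ":", "-"}
    return value is None or value == 0


@dataclass
class DiffReport:
    same: list = field(default_factory=list)
    zeroed: list = field(default_factory=list)           # ours zeroed, declared
    differ: list = field(default_factory=list)           # differs, not a declared redaction
    only_ours: list = field(default_factory=list)
    only_real: list = field(default_factory=list)
    undeclared_zero: list = field(default_factory=list)  # zeroed by us but NOT declared
    keyset_identical: bool = True
    order_identical: bool = True

    def counts(self) -> tuple:
        """(same, zeroed, differ, only_ours, only_real) in the note's order."""
        return (len(self.same), len(self.zeroed), len(self.differ),
                len(self.only_ours), len(self.only_real))


def diff_properties(ours: dict, real: dict,
                    redactions=DECLARED_REDACTIONS) -> DiffReport:
    r = DiffReport()
    r.keyset_identical = set(ours) == set(real)
    r.order_identical = list(ours) == list(real)   # same keys, same insertion order
    # Walk the real dict's order, then any keys present only on our side.
    for k in list(real) + [k for k in ours if k not in real]:
        if k not in ours:
            r.only_real.append(k)
        elif k not in real:
            r.only_ours.append(k)
        elif ours[k] == real[k]:
            r.same.append(k)
        elif k in redactions and is_zeroed(ours[k]):
            r.zeroed.append(k)
        else:
            r.differ.append(k)
            if is_zeroed(ours[k]):
                r.undeclared_zero.append(k)  # hidden redaction: a gate candidate we missed
    return r


def summarize(r: DiffReport) -> str:
    s, z, d, oo, orl = r.counts()
    line = (f"{s} same, {z} zeroed-by-us, {d} differ, {oo} only-ours, {orl} only-real; "
            f"order {'identical' if r.order_identical else 'DIFFERS'}")
    if r.undeclared_zero:
        line += f"; undeclared zeroed fields: {r.undeclared_zero}"
    return line


# Constructed sample data (invented values, not from any capture).
REAL = {  # stand-in for the real-device reference dict
    "ProductType": "iPhone0,0",
    "ProductVersion": "26.4.2",
    "BuildVersion": "99Z999",
    "DeviceName": "iPhone",
    "UniqueDeviceID": "00000000-1111222233334444",
    "SerialNumber": "ABCDEF123456",
    "EthernetMacAddress": "aa:bb:cc:dd:ee:ff",
    "UniqueChipID": 0x1111222233334444,
    "BootSessionUUID": "11112222-3333-4444-5555-666677778888",
    "WiFiAddress": "aa:bb:cc:dd:ee:01",
}
OURS = {  # stand-in for our fixture: declared fields zeroed, one version drift,
          # and one zeroed field (WiFiAddress) that nobody declared
    "ProductType": "iPhone0,0",
    "ProductVersion": "26.4.1",
    "BuildVersion": "99Z111",
    "DeviceName": "iPhone",
    "UniqueDeviceID": "00000000-0000000000000000",
    "SerialNumber": "",
    "EthernetMacAddress": "00:00:00:00:00:00",
    "UniqueChipID": 0,
    "BootSessionUUID": "00000000-0000-0000-0000-000000000000",
    "WiFiAddress": "00:00:00:00:00:00",
}

if __name__ == "__main__":
    print(summarize(diff_properties(OURS, REAL)))
```

On the sample this reports 2 same, 5 zeroed-by-us, 3 differ, 0 only-ours, 0 only-real with identical order, and names WiFiAddress as an undeclared zeroed field. A declared field that is zero on both sides lands in "same", which is correct: it cannot be the gate if the real device sends it zeroed too.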
## Takeaway

H-HS narrowed: if the trust gate is inside Properties, it is one of the 5 zeroed identity fields. iter-12's speculative candidates (HostAttached, PairRecords, TrustedHostAttached, ActivationState, PasswordProtected) are not in the Properties dict at all; they live in the classic-lockdown GetValue response at :50367, which CDS never reaches in SPIKE mode. The diff alone cannot say which of the five is checked; that is what research-b's one-field-at-a-time patching is for.
## Shortlist ranked

| Rank | Field | Why |
|---|---|---|
| 1 | UniqueDeviceID | Canonical device identity; tunneld, CoreDevice and devicectl all key by UDID |
| 2 | SerialNumber | Secondary identity; cross-referenced against the host ioreg cache |
| 3 | UniqueChipID (ECID) | Cryptographic binding for pair-record certs |
| 4 | BootSessionUUID | Per-boot freshness; weaker tie to trust state |
| 5 | EthernetMacAddress | Lowest prior; not meaningfully used over host transports |
## Next step

D.6.6-research-b: env-gated UDID patch first (IOSMUX_HANDSHAKE_UDID=from-tunneld), re-run the iter-12 wide-pcap trigger, check for a SYN to [::1]:50367. If UDID alone unblocks, we have the gate. Fall through the rest of the shortlist only if needed.
## Files

- findings.md: full diff, results tables, ranked shortlist, research-b patch plan, hypothesis status update
- index.md: this summary