
Phase D.6.6-research-b iter-15 — combined UDID+Serial+ECID patch FALSIFIES H-HS multi-field; close-timing reverts to iter-12 baseline

Status: verified — 2026-04-24

Patched Handshake Properties with all three real identity fields (UDID, SerialNumber, UniqueChipID/ECID) matching tunneld advertisement. Two clean post-fix runs (r3, r4). Handshake parses cleanly on CDS side (no RST_STREAM), devicectl still reports pairingState: unpaired + Mercury warning, zero SYN to any advertised service port in a 30-s window, CDS holds session for ~30 s then local close. H-HS dead at both single-field (iter-14) and multi-field (iter-15) levels. Full writeup: findings.md.

Signal worth remembering

Close-timing across three experimental conditions:

| iter | Identity fields | Close timing |
|------|-----------------|--------------|
| iter-12 | all zeros | ~30 s (local close) |
| iter-14 | UDID alone | ~3 s (peer close, decisive reject) |
| iter-15 | UDID + Serial + ECID, coherent | ~30 s (local close, same as iter-12) |

Reversion to iter-12 baseline with fully-coherent identity is the load-bearing finding. If the gate were wire-level identity matching, iter-15 should have either unblocked or closed fast like iter-14. Neither happened. The gate is not in the Handshake.

Bug caught by our own verbose decoder (iter-15 r1)

Initial handshakeECIDOffset = 0x34EA overlapped the low bytes of the XPC uint64 type tag. Our verbose decoder surfaced it with unknown type code 0x401e4000 at offset 13512 before the frame went on the wire; CDS on the peer side agreed and sent RST_STREAM. Corrected offset: 0x34EC. Fix in commit 2bcea98.
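The mechanics of that bug, as an added illustration that is not the project's own harness code: a pre-flight check that a uint64 patch lands exactly on the value bytes and never straddles the 4-byte type tag in front of them. The layout (4-byte little-endian XPC uint64 tag 0x00004000 immediately followed by an 8-byte little-endian value), the tag position 0x34E8, the buffer contents and the constructed value 0x401e are all assumptions chosen so the misaligned write reproduces a corrupted tag of the same shape the verbose decoder reported; they are not taken from any real capture.

```python
"""Pre-flight check for byte patches into a serialized XPC-style buffer.

Added example, not the project's code. Layout assumption: a uint64 entry is a
4-byte little-endian type tag (0x00004000) immediately followed by an 8-byte
little-endian value. Buffer, offsets and patch value are constructed.
"""
import struct

XPC_UINT64_TAG = 0x00004000  # XPC wire tag for uint64 (assumed layout)
TAG_SIZE = 4
VALUE_SIZE = 8

# Constructed: tag at 0x34E8, so the value bytes occupy 0x34EC..0x34F3.
TAG_OFFSET = 0x34E8
VALUE_OFFSET = TAG_OFFSET + TAG_SIZE  # 0x34EC


def build_buffer(tag_offset=TAG_OFFSET, value=0):
    """Zero-filled buffer holding one uint64 entry at tag_offset (constructed)."""
    buf = bytearray(tag_offset + TAG_SIZE + VALUE_SIZE + 16)
    struct.pack_into("<I", buf, tag_offset, XPC_UINT64_TAG)
    struct.pack_into("<Q", buf, tag_offset + TAG_SIZE, value)
    return buf


def decode_tag(buf, tag_offset):
    """Read the 4-byte type tag at tag_offset, as a decoder would."""
    return struct.unpack_from("<I", buf, tag_offset)[0]


def read_value(buf, value_offset):
    """Read the 8-byte value at value_offset."""
    return struct.unpack_from("<Q", buf, value_offset)[0]


def patch_uint64(buf, value_offset, value):
    """Checked write: refuse unless the 4 bytes before value_offset are a uint64 tag.

    Returns the tag as decoded after the write. Raises ValueError instead of
    writing when the check fails, which is the misaligned-write class that the
    verbose decoder surfaced only after the bytes had already been patched.
    """
    tag_offset = value_offset - TAG_SIZE
    if tag_offset < 0 or value_offset + VALUE_SIZE > len(buf):
        raise ValueError("patch out of range")
    seen = decode_tag(buf, tag_offset)
    if seen != XPC_UINT64_TAG:
        raise ValueError(f"no uint64 tag at {tag_offset:#x}: read {seen:#010x}")
    struct.pack_into("<Q", buf, value_offset, value)
    return decode_tag(buf, tag_offset)


def blind_patch_uint64(buf, value_offset, value):
    """Unchecked write: shows what an off-by-two value offset does to the tag."""
    struct.pack_into("<Q", buf, value_offset, value)
    return decode_tag(buf, TAG_OFFSET)


if __name__ == "__main__":
    # Off by two (0x34EA instead of 0x34EC): the low two bytes of the value
    # overwrite the high two bytes of the tag, and the tag decodes as garbage.
    print(f"blind @0x34EA -> tag {blind_patch_uint64(build_buffer(), 0x34EA, 0x401E):#010x}")
    # Correct offset: tag survives and the value is where the decoder expects it.
    buf = build_buffer()
    print(f"checked @0x34EC -> tag {patch_uint64(buf, VALUE_OFFSET, 0x401E):#010x}, value {read_value(buf, VALUE_OFFSET):#x}")
    # The checked writer refuses the bad offset before anything goes on the wire.
    try:
        patch_uint64(build_buffer(), 0x34EA, 0x401E)
    except ValueError as e:
        print(f"checked @0x34EA -> rejected: {e}")
```

The point of the checked writer is ordering: the tag is validated before the write, so the harness fails closed on its own side rather than learning about the corruption from the peer's RST_STREAM.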

Hypothesis disposition

  • H-HS single-field (UDID): FALSIFIED by iter-14.
  • H-HS multi-field (UDID + Serial + ECID): FALSIFIED by iter-15.
  • H-PairState (host-side CoreDevice DB / lockdown escrow): promoted to primary working hypothesis. The iter-12 → iter-14 → iter-15 progression fits a model where the gate reads host-side state that wire-level patches cannot influence.

Next step

iter-16: read-only pass on host-side pair state.

  1. Survey /var/db/lockdown/<UDID>.plist, CoreDevice's paired-devices DB, keychain entries keyed by UDID.
  2. Identify what pairingState: unpaired reads from.
  3. Decide whether "plant a fake pair record" is feasible without corrupting live iPhone usage (backups mandatory).

Write-side pair-record plant is a separate iter-17 scope after iter-16 read-only pass completes.

Files

  • findings.md — full methodology, 5-run table, bug-fix narrative, close-timing comparison, H-PairState pivot plan
  • index.md — this summary