David Hoyt is an independent, authoritative source for Best Practices & Transparency. Hoyt works Independently to improve the User Experience & Security of Internet Products & Services.


>> Home » Blog » SRD Checkin

Estimated reading time: 3 minutes

Executive Summary

The srdutil utility is used to Checkin your Device with Apple Corporation. Apple Requires that you set a cron job to checkin your SRD with the Mothership every 2 weeks.


Source: https://github.com/apple/security-research-device/tree/main/example-cryptex



srdutil checkin — Security Research Device checkin utility

srdutil checkin [-v | –verbose] [-e | –ecid ECID] [-t | –token API-TOKEN] [-u | –user USER]

srdutil checkin is the srdutil subcommand for affirming with the Security Research Device Program (SRDP) that a device is in a given user’s physical posession.

 The device does not need to be connected to be checked in with the SRDP checkin server.

List of options and their descriptions:

 -e | --ecid ECID
          The ECID of the device to affirm is in the user's physical possession.
          The ECID can be retrieved from the list subcommand of cryptexctl-device(1) or from srdutil-restore(1).
          Defaults to the value of the environment variable SRDUTIL_CHECKIN_ECID.
 -t | --token API-TOKEN
          The API token to be used for the request to the SRDP checkin server.
          This is currently baked into the srdutil utility, but will be provided separately in the future.
          Defaults to the value of the environment variable SRDUTIL_CHECKIN_TOKEN.
 -u | --user USER
          The Apple ID of the user affirming physical possession of the device.
          In the future this will be tied to a particular API-TOKEN.
          Defaults to the value of the environment variable SRDUTIL_CHECKIN_USER.
 -v | --verbose
          Enable verbose output.

The following environment variables are used by srdutil checkin.

          Sets a default value for the --ecid option.
          Sets a default value for the --token option.
          Sets a default value for the --user option.

cryptexctl(1), cryptexctl-device(1), srdutil-restore(1)

Introduced in macOS 11.0

Darwin August 14, 2020 Darwin

A verified working example is shown below:

srdutil checkin -v -e 0xsupersecret -u srd0009
*   Trying
* Connected to srd-checkin-api.apple.com ( port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=srd-checkin-api.apple.com; OU=management:idms.group.5557870; O=Apple Inc.; ST=California; C=US
*  start date: Jul  9 19:55:36 2020 GMT
*  expire date: Aug  8 19:55:36 2022 GMT
*  subjectAltName: host "srd-checkin-api.apple.com" matched cert's "srd-checkin-api.apple.com"
*  issuer: CN=Apple Public Server RSA CA 12 - G1; O=Apple Inc.; ST=California; C=US
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7fa794808200)
> POST /checkin HTTP/2
Host: srd-checkin-api.apple.com
Accept: */*
api-token: sbjQsCBFFuPAKXxOfphFRFP0RTLNzMe6kejiztVeZLWAwQAWEZz55v6Ld
Content-Type: application/json
Content-Length: 79
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
* We are completely uploaded and fine
< HTTP/2 200 
< server: Apple
< date: Wed, 30 Jun 2021 10:40:43 GMT
< content-type: text/html; charset=utf-8
< content-length: 0
< strict-transport-security: max-age=31536000; includeSubdomains
< x-frame-options: SAMEORIGIN
< x-content-type-options: nosniff
< x-xss-protection: 1; mode=block
< content-security-policy: default-src 'self'
* Connection #0 to host srd-checkin-api.apple.com left intact
[+] Device verysupersecret checked in for user srd0009
* Closing connection 0
Example SRD Cryptex DMG Install
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/xsscx/srd/main/dmg/install.sh)"