Reverse Engineering iOS API: Dealing with DeviceCheck Tokens

[haitangxinliceshi]

I’m considering doing reverse engineering on the Sora 2 iOS API and am looking for potential collaborators. I’ve obtained an IPA package, but I noticed that it uses DeviceCheck. From my understanding, this is almost unsolvable, because we can’t generate a valid token on a non-jailbroken device. So how do many third-party APIs that claim to use reversed iOS protocols actually manage to do this?

[432539]

I’m considering doing reverse engineering on the Sora 2 iOS API and am looking for potential collaborators. I’ve obtained an IPA package, but I noticed that it uses DeviceCheck. From my understanding, this is almost unsolvable, because we can’t generate a valid token on a non-jailbroken device. So how do many third-party APIs that claim to use reversed iOS protocols actually manage to do this?

Show me your packet capture data?

[haitangxinliceshi]

2627S:[16fd46360]:[18951]:_platform_memmove in({"messageId":"BB6D3643-7249-49DB-B24F-134FDE57B1A6","integrations":{},"context":{"user_traits":null,"screen":{"width":428,"height":926},"library":{"name":"analytics-swift","version":"1.9.1"},"app":{"namespace":"com.openai.noface.892SN8RUH7","build":"17691)(23f)@0x4c99d54
2627S:[16fd463e0]:[18951]:_platform_memmove in(/46390 lr=[0x4c[18951 _platform_memmove]slow_got->tar=0x1162e1af0 sp=0x16fd463e0 lr=[0x4c98488 0x10c3ec488]x16[0x107754000 0x107754000])(2)@0x4c98488
2627S:[16fd46710]:[18951]@0x4c7ab24:appendyySSF x[0xf0000000000003be 0x10ef76c00 0x16fd46790]({"messageId":"BB6D3643-7249-49DB-B24F-134FDE57B1A6","integrations":{},"context":{"user_traits":null,"screen":{"width":428,"height":926},"library":{"name":"analytics-swift","version":"1.9.1"},"app":{"namespace":"com.openai.noface.892SN8RUH7","build":"1769107637","name":"Sora","version":"1.2026.022"},"network":{"cellular":false,"wifi":false,"bluetooth":false},"timezone":"Asia/Shanghai","punch_out_info_token":null,"device":{"model":"iPhone14,8","type":"ios","manufacturer":"Apple","id":"B3365AAE-96E8-47AA-8C3B-2F271AEA4A71","name":"iPhone"},"device_id":null,"instanceId":"5CD1FAA5-9082-4C7A-95B3-646952FE5F0E","locale":"zh-Hans-CN","os":{"version":"18.6.2","name":"iOS"},"userAgent":"Sora/1.2026.022 (iOS 18.6.2; iPhone14,8; build 1769107637)"},"type":"track","event":"iOS: NoAuth: Google Button Tapped","timestamp":"2026-01-26T03:43:47.784Z","anonymousId":"700F206C-6121-4C23-987B-F4E2ABA2CD5A","_metadata":{"bundledIds":[],"unbundled":[],"bundled":[]}})
2627S:[16fd46cd0]:[18951]@0x5ff3d0(DCDevice->currentDevice)
2627S:[16fd46cd0]:[18951]@0x5ff3e8(DCDevice->isSupported)
2627S:[16fd46cd0]:[18951]@0x5ff40c(DCDevice->currentDevice)
2627S:[16fd46cd0]:[18951]@0x5ff51c(DCDevice->generateTokenWithCompletionHandler:)
2627S:[16fd46cf0]:[18951]Foundation.URL:x0xd00000000000001b 0x800000010ceb4950 0x10ef76650@0x5dd7f8
2627S:[16fd46cf0]:[18951]Foundation.URLRequest(https://ios.chat.openai.com/backend-api/preauth_devicecheck)[0x103ed8bd0 (nil)]@0x5fd298
2627S:[16fd46d00]:[18951]:_platform_memmove in(øÒë�)(80)@0x5e9bf8
2627S:[16fd46df0]: [18951]URLRequest.url.getter[https://ios.chat.openai.com/backend-api/preauth_devicecheck]
2627S:[16fd46ca0]:[18951]@0x544f40:Foundation.bridgeToObjectiveCS0xd000000000000011 0x800000010ceb49d0 0x103c481e0
2627S:[16fd46b40]:[18951]@0x4de24c4(SentryNetworkTracker->urlSessionTask:setState:)
2627S:[16fd46ad0]:[18951]@0x4e00a64(SentryNetworkTracker->isNetworkTrackingEnabled)
2627S:[16fd46ad0]:[18951]@0x4e00a70(SentryNetworkTracker->isNetworkBreadcrumbEnabled)
2627S:[16fd46ad0]:[18951]@0x4e00a8c(SentryNetworkTracker->isTaskSupported:)
2627S:[16fd46ad0]:[18951]@0x4e00a9c(__NSCFLocalDataTask->currentRequest)
2627S:[16fd46ad0]:18951(https://ios.chat.openai.com/backend-api/preauth_devicecheck)0x4e00aac

[haitangxinliceshi]

I’m considering doing reverse engineering on the Sora 2 iOS API and am looking for potential collaborators. I’ve obtained an IPA package, but I noticed that it uses DeviceCheck. From my understanding, this is almost unsolvable, because we can’t generate a valid token on a non-jailbroken device. So how do many third-party APIs that claim to use reversed iOS protocols actually manage to do this?

Show me your packet capture data?
OpenAI hasn’t released an Android version, probably because they can’t completely prevent cheating at the hardware level, whereas iOS makes that possible

[move132]

https://github.com/tibbar213/sora-downloader

和去水印应该是一样的原理吧？

[wx-11]

OpenAI hasn’t released an Android version, probably because they can’t completely prevent cheating at the hardware level, whereas iOS makes that possible

openai不是有谷歌play的iOS版本吗?

https://github.com/tibbar213/sora-downloader

和去水印应该是一样的原理吧？

去水印用的是安卓接口