From 7b062cfbcad8d0f0e76c26d431905c258de09016 Mon Sep 17 00:00:00 2001 From: Kenneth Endfinger Date: Sun, 13 Oct 2019 00:38:36 -0500 Subject: [PATCH] Add a new research section for the signature format. --- README.md | 1 + registration/README.md | 4 +--- signature/README.md | 11 +++++++++++ 3 files changed, 13 insertions(+), 3 deletions(-) create mode 100644 signature/README.md diff --git a/README.md b/README.md index 8538c01..5e5ed84 100644 --- a/README.md +++ b/README.md @@ -27,6 +27,7 @@ of the work. It has an HTTP server that has an API that allows fetching and uplo ## Research +* [Signature](signature/README.md) * [Locator Service](locator/README.md) * [Cache Server API](server/README.md) diff --git a/registration/README.md b/registration/README.md index 3093bd5..3f15321 100644 --- a/registration/README.md +++ b/registration/README.md @@ -3,9 +3,7 @@ Cache registration is the process that is typically necessary for Apple devices to use the cache. -Unfortunately, the request that registers the cache seems to be "signed". - -I did however figure out that the length of the signed payload is a Big Endian 32-bit integer before the payload. Still working out the signature format. +Unfortunately, the request that registers the cache seems to be signed. ```text Registration URL: https://lcdn-registration.apple.com/lcdn/register diff --git a/signature/README.md b/signature/README.md new file mode 100644 index 0000000..15cf96b --- /dev/null +++ b/signature/README.md 
@@ -0,0 +1,11 @@ +# Signatures + +Unfortunately I'm not super familiar with signature formats and such in the Apple Ecosystem. + +However using a HEX Editor and a lot of coffeee, I'm confident I can break the signature algorithm. + +The signatures of the request seem to have two parts, a longer top part, and a shorter bottom part. + +The payload is in between these two parts. + +A 32-bit big endian unsigned number represents the payload size, and directly following the payload is a 32-bit big endian unsigned number representing the remaining bytes in the signature (however do note that there seem to be two trailing null characters).
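Review bot: In the README.md hunk, the new list entry is labelled "Signature" while the page it links to is titled "# Signatures". Use the same form in both places so the index and the page heading match.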
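Review bot: In the registration/README.md hunk, the note about the big-endian 32-bit length prefix is removed and nothing points the reader to where it went. Since the remaining sentence still says the request "seems to be signed", link it to signature/README.md so someone reading the registration notes can find the format details.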
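Review bot: In signature/README.md, the last paragraph does not pin down the layout. The text removed from registration/README.md said the length integer comes "before the payload", but the new wording ("A 32-bit big endian unsigned number represents the payload size") drops the position, so it is unclear whether that field sits after the "longer top part" or somewhere else. It is also unclear whether the second length counts the two trailing null bytes or excludes them. Suggest listing the fields in order (top part, payload length, payload, remaining-bytes length, bottom part, trailing nulls) and saying which of these are confirmed and which are guesses. Minor: "coffeee" is a typo, and "HEX Editor" reads better as "hex editor".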