iOS9 #12
Comments
what happened?
I just updated the first post. It works, the problem was I wasn't keeping the event port open. But the decryption key seems incorrect. As a sanity check I checked the challenge/response from a log of iOS 9 and an Apple TV and fed the same into the existing airtunesd and the results are different. iOS 9 still seems to accept them and sends the video data though. I can only guess the decryption key must have changed.
There also seems to be data of type 5 every 30 video packets. I'm guessing it may be audio info since everything is now being sent over this one connection. Type is: 1
Strangely iOS 7 works with the same protocol, AND the video data still doesn't decrypt.
Hmm, looks like I've hit a dead end :( It seems iOS 9 is using a different key/encryption which probably needs the library from the new Apple TV firmware. I don't think decryption keys are available for the new Apple TV firmware though? Any ideas on your end? It's also possible the video format has changed but I doubt it.
Maybe the Sochi firmware can handle this type of encryption. I'll have to set up qemu and find the entry points though. Any chance you have the entry points already?
No. I'm going to have a look at all this soon now that Unicorn is released.
Oh, I didn't know about Unicorn! I'm attempting to decrypt an even newer firmware at the moment, will let you know how it goes. In the meantime here's a quick test vector for challenge 1 so you can check if it's generating with the new or old key.
The current airtunesd returns this instead:
@Kam187 which firmware do you use to pass negotiate?
It's a special set of attributes in the bonjour message to skip it. Let me get to my computer and I'll post it in about half an hour.
Here you go:
@Kam187 when I change the attributes as you said above, no video data comes and logs below on iOS 9.0.2
It's not as simple as that. The protocol is totally different. If you're just expecting it to work it won't, a lot more work needs to be done yet.
@Kam187 ok, if you decode the video successfully, please let me know.
The encryption has changed so we need to find the decryption key for the new firmware and then reverse that firmware to find the decrypt function :/
What would be useful is a packet capture of the newer protocol. Can you help with that?
Yeah sure, I'll upload it when I get to my computer. In the meantime there's one on here too: Although it doesn't show the actual image data
Hmm, a bit of an update. I've managed to debug through a commercial solution (took forever) to get me a decrypt key for a logged session but the resulting data has no valid NALU format :/ Any ideas?
I wonder if it's switched to AES-GCM mode, but I wonder what the authenticated tag is...
Nope, not AES-GCM :/
@Kam187 leave me an email
My id at gmail dot com
Anyway I'll try to debug and double check the key when I have time. The only other thing I can think to do is try to debug the decryption part but the whole thing is heavily obfuscated :/. Probably the original AirPlay library embedded in there.
I've got hold of an airtunesd from version 190.9, it looks to have updated init/challenge/decrypt functions which I've identified. It contains Thumb code though so we need a better emulator - espes, drop me an email, I can pass it over if you want to have a go.
One more experiment, I sent a fake bonjour with features 0x527FFFF7 but pointing to a commercial AirPlay receiver. I traced the traffic and there was no pair verify as expected but the whole thing worked fine. So that means (for now at least) we can ignore the pair verify and use this feature ID and concentrate on the init/challenge/decrypt.
I have been using all your advice here to get video decoding working!
In /info Question: Thanks.
I believe all clients I've tested so far return the same constant which is indicative of the formats it supports (either AAC or ALAC). The client is the one that tells the server what format the stream it's sending is via the SETUP call. They have an audioFormat plist property there which I've seen come in with either:
Does anyone know how the audio is encrypted?
With the AES Key/IV that is provided (FP encrypted) on the SETUP call?
Well for video it's
First 16 of SHAHash("AirPlayStream{the string 'Key' or 'IV'}{StreamConnectionID}{FairplayMasterKey}")
In AES/CTR 128
But audio doesn't have a streamId so I'm not sure what cipher or key/iv to use.
It’s the original AES key and IV sent on SETUP.
…On Sat, Sep 30, 2017 at 11:47 AM Michael Rogers ***@***.***> wrote:
Well for video it's
First 16 of SHAHash("AirPlayStream{the string 'Key' or 'IV'}{StreamConnectionID}{FairplayMasterKey}")
In AES/CTR 128
But audio doesn't have a streamId so I'm not sure what cipher or key/iv to use.
@robertoandrade Audio is encrypted in CBC mode or CTR?
CBC I believe. I still have issues once I get the properly decrypted ALAC frames on putting them back together for playback, something weird regarding the playback rate (even though I have it with the 352 frames per sample, 16 bit, 2 channel settings) when wrapping it in an MP4 container with the ALAC magic cookie it still seems to be playing faster than the original (checked the frame duration headers and all) and with a few hiccups or audio artifacts here and there. Would appreciate if anyone has got any experience with the decoding part of the ALAC stream since it seems like decryption is working fine.
…On Tue, Oct 10, 2017 at 6:15 AM vitiluck ***@***.***> wrote:
@robertoandrade <https://github.com/robertoandrade> Audio is encrypted in CBC mode or CTR?
@comwizz2 How to get the 'FairplayMasterKey'? Can you give me some advice? SHAHash("AirPlayStream{the string 'Key' or 'IV'}{StreamConnectionID}{FairplayMasterKey}")
@suiye223 @robertoandrade
The ekey is an encrypted key (using FairPlay) so once you decrypt it you get 16 bytes which is the AES 128 bit key.
…On Wed, Oct 11, 2017 at 3:57 PM Michael Rogers ***@***.***> wrote:
@robertoandrade <https://github.com/robertoandrade>
aes cbc 128?
The only key and IV I get sent during setup are "ekey" and "eiv" and they are 72 bytes and 16 bytes respectively, which means the key is the wrong size? Is it a subset of that blob?
Sorry if I am bugging you, just information on this is sparse!
When pair-setup/verify is skipped: key/IV from FairPlay, then do SHA512 AirPlayStream Key, IV and streamID. Decoding video is fine.
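The per-stream key/IV derivation quoted above for mirrored video, as an added worked example (not code from this thread or from the shairplay project): it derives the AES-128 key and IV as the first 16 bytes of SHA-512 over "AirPlayStream" + "Key"/"IV" + StreamConnectionID + FairPlayMasterKey, then decrypts a payload in CTR mode. It assumes the StreamConnectionID is appended as its decimal ASCII string and the master key as the raw 16 bytes recovered from the FairPlay-encrypted "ekey" (the thread does not pin down either encoding), and uses the `cryptography` package for the AES block function only; the derivation and counter logic need just the standard library.

```python
import hashlib
from typing import Callable


def derive_stream_key_iv(stream_connection_id: int, fairplay_master_key: bytes) -> tuple[bytes, bytes]:
    """Per-stream AES-128 key and IV: first 16 bytes of
    SHA-512("AirPlayStream" + "Key"/"IV" + StreamConnectionID + FairPlayMasterKey).
    Assumption: StreamConnectionID is appended as its decimal ASCII string and the
    master key as raw bytes (the thread does not state the exact encoding)."""
    sid = str(stream_connection_id).encode("ascii")
    key = hashlib.sha512(b"AirPlayStreamKey" + sid + fairplay_master_key).digest()[:16]
    iv = hashlib.sha512(b"AirPlayStreamIV" + sid + fairplay_master_key).digest()[:16]
    return key, iv


def ctr_xor(encrypt_block: Callable[[bytes], bytes], iv: bytes, data: bytes) -> bytes:
    """Generic counter mode: keystream block i is E_K((IV + i) mod 2^128), with the
    16-byte IV read as a big-endian counter. Encrypt and decrypt are the same XOR;
    a trailing partial block is handled by truncating the keystream."""
    counter = int.from_bytes(iv, "big")
    out = bytearray()
    for off in range(0, len(data), 16):
        block = (counter + off // 16) % (1 << 128)
        keystream = encrypt_block(block.to_bytes(16, "big"))
        out.extend(a ^ b for a, b in zip(data[off:off + 16], keystream))
    return bytes(out)


def aes128_block_encryptor(key: bytes) -> Callable[[bytes], bytes]:
    """Single-block AES-128 encryptor built on the 'cryptography' package, which is
    assumed to be installed only when this path is used."""
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    cipher = Cipher(algorithms.AES(key), modes.ECB())

    def encrypt_block(block: bytes) -> bytes:
        enc = cipher.encryptor()
        return enc.update(block) + enc.finalize()
    return encrypt_block


def decrypt_video_payload(stream_connection_id: int, fairplay_master_key: bytes, payload: bytes) -> bytes:
    """AES-128-CTR decryption of one mirrored-video payload with the derived key/IV."""
    key, iv = derive_stream_key_iv(stream_connection_id, fairplay_master_key)
    return ctr_xor(aes128_block_encryptor(key), iv, payload)


if __name__ == "__main__":
    # Constructed sample values, not captured from a real session.
    key, iv = derive_stream_key_iv(1234567890123456789, bytes(range(16)))
    print("key", key.hex(), "iv", iv.hex())
```

Audio, per the replies above, does not go through this derivation: it uses the SETUP key and IV directly, so only the video path needs the SHA-512 step.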
@robertoandrade Did you use the key provided when you were doing pair verify? Or did you skip pair verify?
@vitiluck @robertoandrade when capturing mirror data, I have the following problems.
SETUP rtsp://192.168.123.47/6108990559123033009 RTSP/1.0 bplist00..........
The x-apple-binary-plist format data was parsed as follows:
and the return package should be as follows: .eventPort .12854 .timingPort .22897
When my iPhone connects to the Android receiver, the iPhone will prompt the message 'can't connect to xxx'
Somebody can help me?
I just cracked pair-setup/verify and solved the video/audio decode issue, and built our AirPlay mirror SDK for Android/iOS/Linux/Windows.
The GET /info "pk" field is the Curve25519 public key. Created at the PairSetup step.
Anyone here familiar with what the PI field is supposed to be in the bonjour record?
@comwizz2 pi field is just a GUID string.
Anyone figured out the /fp-setup2 call yet? Seems this is needed for FairPlay AirPlay streams (such as YouTube video.)
I believe the default is replying with a 0 byte response, the data itself is not used from what I gathered in decrypting data since YouTube sends a custom HLS URL that points to "localhost" for streaming the content. Haven't figured out how to crack that part yet.
So from reading a working stream, it seems if you respond to /fp-setup2 correctly, all communications become encrypted. Part of this I have observed is that if there are certain headers (x-apple-session I believe) you respond with HTTP/1.1 instead of RTSP/1.0, this is the only way I get the fp-setup2 call.
I've noticed that as well, responding to the GET /server-info with features=0x0 also makes it so that it falls back to the older PTTH/1.0 protocol to send in the remote commands and state for playback after the fp-setup2.
From what I have seen of a working connection, I'm pretty sure that this fp-setup2 may be the key to fixing YouTube streams, because as you have said, other paths cause that useless localhost url path. The problem is figuring out what exact type of encryption and how to derive the key...
…On Thu, Apr 19, 2018 at 11:26 AM Roberto Andrade ***@***.***> wrote:
I've noticed that as well, responding to the GET /server-info with features=0x0 also makes it so that it falls back to the older PTTH/1.0 protocol to send in the remote commands and state for playback after the fp-setup2.
Thanks all of you guys.
I've tried your project, but if you want to simulate x86, or even ARM instructions, Unicorn is a good choice
Hi. I combined two pieces of code in https://github.com/561546441/shairplay
So I've managed to get iOS 9 to negotiate and start sending data. The config record looks correct (non-encrypted). But the video data makes no sense once decrypted.
It appears that the key must have changed.
I tried to find a decrypted version of the newest firmware for Apple TV but I can't seem to find one. Emulating Thumb is not a problem if I can find the firmware.
Any ideas?