
Discovering the iPad interface

Discussion in 'TiVo Underground' started by wmcbrine, Jan 18, 2011.

  1. Feb 27, 2011 #41 of 366
    wmcbrine
    My understanding is that the iPad app uses the known network remote interface for the basic stuff, so the "esoteric" functions are the only ones to worry about. I can't confirm that, though.
     
  2. Feb 27, 2011 #42 of 366
    jbuehl
    Here are 2 captures of a play and a pause message. When the remote is active on the iPad, the Tivo continuously sends 298 byte messages at 1 second intervals to the iPad, no doubt to update the progress bar. The iPad only sends data when a button is pressed.

    Sorry, I couldn't figure out how to save only the filtered packets.
     

    Attached Files:

  3. Feb 27, 2011 #43 of 366
    moyekj
    It's pretty easy to filter when viewing with Wireshark. Simply right click on one of the TCP lines and choose "Follow TCP Stream". That will filter out the other network traffic. Other useful thing to note is in the middle pane click on the Data row to show actual data being communicated without the TCP related overhead.
     
  4. Feb 27, 2011 #44 of 366
    jbuehl
    Right, I know how to do that, but when I save it to a file, it includes everything that was captured. The Save As... dialog has an option to save a range of packets, but it didn't seem to work.

    The hex dump that I posted earlier is from "Follow TCP Stream" and includes just the data without the overhead.
     
  5. Feb 27, 2011 #45 of 366
    orangeboy
    Only frame 34 of the "Play" capture contains data from the iPad to the Premiere. Frame 7 of the "Pause" capture is also the only frame with data. Nothing on port 31339.

    Edit: the first 5 bytes are common between both Pause and Play: 17 03 01 00 a0
     
  6. Feb 27, 2011 #46 of 366
    jbuehl
    All the messages from the Tivo in those captures also start with 17030100. As I posted earlier, every message I have seen starts with 14030100, 15030100, 16030100, or 17030100. The ones starting with 16 occur when the devices initially connect, and the one starting with 15 is sent when they disconnect.

    I am also seeing that signature at the beginning of messages sent from the Tivo to a server at Tivo with the IP address 208.73.181.192. The iPad app won't work unless the Tivo can be talking to a server at the mother ship.
     
  7. Feb 27, 2011 #47 of 366
    tomhorsley
    Shucks, I was hoping it would be something obvious like XML messages. This is gonna be more work to crack. I wonder if broadcom has some "standard" communications library they sold tivo (like they sold them the flash nonsense).
     
  8. Feb 28, 2011 #48 of 366
    tomhorsley
    Or setup a video camera to record the iPad with timestamps turned on and compare the time of the IP packets :).
     
  9. Feb 28, 2011 #49 of 366
    reneg
    Looks like the data starting with 17 03 01 00 a0 is an SSL application data header according to MS Network Monitor.
    Code:
      Frame: Number = 7, Captured Frame Length = 231, MediaType = ETHERNET
    + Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[00-11-D9-31-A2-74],SourceAddress:[D8-A2-5E-49-C3-02]
    + Ipv4: Src = 192.168.1.138, Dest = 192.168.1.151, Next Protocol = TCP, Packet ID = 16021, Total IP Length = 217
    + Tcp: Flags=...AP..., SrcPort=49957, DstPort=1393, PayloadLen=165, Seq=2321678643 - 2321678808, Ack=2797587107, Win=32942
      TLSSSLData: Transport Layer Security (TLS) Payload Data
    - TLS: TLS Rec Layer-1 SSL Application Data
      - TlsRecordLayer: TLS Rec Layer-1 SSL Application Data 
         ContentType: SSL Application Data (0x17)
       + Version: TLS 1.0 (0x0301)
         Length: 160 (0xA0)
       - ApplicationData: 
          SSLApplicationData: Binary Large Object (160 Bytes)
    
    Makes me wonder if we're dealing with a XMPP interface.
     
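    The header reneg decoded above is the standard TLS record layer from RFC 2246: one byte of content type (0x14 ChangeCipherSpec, 0x15 Alert, 0x16 Handshake, 0x17 Application Data), a two-byte version (03 01 is TLS 1.0) and a two-byte length (00 a0 is 160 bytes). That is why every message in the captures starts with 14/15/16/17 03 01, why the 0x16 records show up only at connect time, and why the 0x15 record appears at disconnect. The following is an added example, not code from anyone in the thread: a small Python walker that does what Network Monitor did and labels each record in a captured TCP payload from those five bytes alone. All sample bytes are constructed; the 298-byte status message is assumed to be a single record (298 = 5 header + 293 payload), which the capture does not confirm.

```python
"""Label the TLS records in a captured TCP payload from the 5-byte record header.

Added example, not code from the thread.  It reads only what RFC 2246 puts in
the clear (content type, version, length, and the handshake message type
before keys are in use); nothing here decrypts anything.  Sample bytes are
constructed to match what the posts describe.
"""
import struct

RECORD_HEADER = struct.Struct("!BBBH")  # content type, major, minor, length

CONTENT_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
                 0x16: "handshake", 0x17: "application_data"}
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello", 11: "certificate",
                   12: "server_key_exchange", 14: "server_hello_done",
                   16: "client_key_exchange", 20: "finished"}
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}


def looks_like_tls(payload: bytes) -> bool:
    """The quick check the thread arrived at: 14/15/16/17 followed by 03 0x."""
    if len(payload) < RECORD_HEADER.size:
        return False
    ctype, major, minor, _ = RECORD_HEADER.unpack_from(payload)
    return ctype in CONTENT_TYPES and major == 3 and minor <= 3


def split_records(payload: bytes) -> list:
    """Walk back-to-back records in one direction of a TCP stream.

    One dict per record: offset, type, version, declared length, whether the
    capture actually holds the whole record, and (for cleartext handshake
    records) the handshake message type.  A record cut off by the end of the
    capture is reported as truncated instead of being dropped.
    """
    records, offset, keys_active = [], 0, False
    while offset + RECORD_HEADER.size <= len(payload):
        ctype, major, minor, length = RECORD_HEADER.unpack_from(payload, offset)
        if ctype not in CONTENT_TYPES or major != 3:
            raise ValueError("not a TLS record header at offset %d: %s"
                             % (offset, payload[offset:offset + 5].hex()))
        start = offset + RECORD_HEADER.size
        body = payload[start:start + length]
        rec = {"offset": offset, "type": CONTENT_TYPES[ctype],
               "version": VERSIONS.get((major, minor), "%d.%d" % (major, minor)),
               "length": length, "truncated": len(body) < length}
        # Handshake bodies are cleartext only until ChangeCipherSpec; the
        # Finished message that follows it is encrypted, so do not label it.
        if ctype == 0x16 and body and not keys_active:
            rec["handshake"] = HANDSHAKE_TYPES.get(body[0], "type_%d" % body[0])
        if ctype == 0x14:
            keys_active = True
        records.append(rec)
        offset = start + length
    return records


# Constructed samples.  The first is the exact header the thread found
# (17 03 01 00 a0) followed by 160 opaque bytes; the second ASSUMES the
# 298-byte status messages the TiVo sends every second are one record each
# (298 = 5 header + 293 payload); the third is a ClientHello-shaped
# handshake record like the 0x16 records seen at connect time.
SAMPLE_APP_DATA = bytes.fromhex("17 03 01 00 a0") + bytes(160)
SAMPLE_STATUS = bytes.fromhex("17 03 01 01 25") + bytes(293)
SAMPLE_CLIENT_HELLO = bytes.fromhex("16 03 01 00 06") + bytes.fromhex("01 00 00 02 03 01")

if __name__ == "__main__":
    for r in split_records(SAMPLE_CLIENT_HELLO + SAMPLE_APP_DATA + SAMPLE_STATUS):
        print(r)
```

    Feed it the bytes of one direction from Wireshark's "Follow TCP Stream" (raw, not the hex dump) and it will tell you where each record boundary falls, which is also the quickest way to confirm that a 298-byte write really is one record and not two.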
  10. Feb 28, 2011 #50 of 366
    jbuehl
    I think you're right. I assumed it wasn't encrypted because Wireshark didn't flag it as something special and I saw the clear text in the second message, but those signatures make sense. I don't know much about SSL, but the text is probably Tivo's SSL certificate.

    Here is a description that I found of the protocol

    http://publib.boulder.ibm.com/infocenter/tpfhelp/current/index.jsp?topic=/com.ibm.ztpf-ztpfdf.doc_put.cur/gtps5/s5rcd.html

    And here's the RFC

    http://tools.ietf.org/html/rfc2246
     
  11. Mar 1, 2011 #51 of 366
    moyekj
    If it's any help, attached is the TiVo SSL certificate from the iPad application.
     

    Attached Files:

  12. Mar 1, 2011 #52 of 366
    moyekj
    Some progress. Using openssl, I was able to establish a connection with my Premiere on port 1393:
    (NOTE: I x'd out my TSN below)
    Code:
    C:\OpenSSL-Win32\bin>openssl s_client -connect 192.168.10.199:1393 -state -nbio
    Loading 'screen' into random state - done
    CONNECTED(000000AC)
    turning on non blocking io
    SSL_connect:before/connect initialization
    SSL_connect:SSLv2/v3 write client hello A
    SSL_connect:error in SSLv2/v3 read server hello A
    write R BLOCK
    SSL_connect:SSLv3 read server hello A
    depth=0 CN = 746-0001-xxxx-xxxx, O = TiVo Inc., OU = IT, L = Alviso, ST = California, C = US
    verify error:num=18:self signed certificate
    verify return:1
    depth=0 CN = 746-0001-xxxx-xxxx, O = TiVo Inc., OU = IT, L = Alviso, ST = California, C = US
    verify return:1
    SSL_connect:SSLv3 read server certificate A
    SSL_connect:SSLv3 read server done A
    SSL_connect:SSLv3 write client key exchange A
    SSL_connect:SSLv3 write change cipher spec A
    SSL_connect:SSLv3 write finished A
    SSL_connect:SSLv3 flush data
    SSL_connect:error in SSLv3 read finished A
    SSL_connect:error in SSLv3 read finished A
    read R BLOCK
    SSL_connect:SSLv3 read finished A
    read R BLOCK
    ---
    Certificate chain
     0 s:/CN=746-0001-xxxx-xxxx/O=TiVo Inc./OU=IT/L=Alviso/ST=California/C=US
       i:/CN=746-0001-xxxx-xxxx/O=TiVo Inc./OU=IT/L=Alviso/ST=California/C=US
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    MIICWTCCAcICCQCXECFzZRrCKDANBgkqhkiG9w0BAQUFADBxMRswGQYDVQQDExI3
    NDYtMDAwMS05MDM1LThCQTgxEjAQBgNVBAoTCVRpVm8gSW5jLjELMAkGA1UECxMC
    SVQxDzANBgNVBAcTBkFsdmlzbzETMBEGA1UECBMKQ2FsaWZvcm5pYTELMAkGA1UE
    BhMCVVMwHhcNMTAwNDI2MjAzMTI5WhcNMjAwNDIzMjAzMTI5WjBxMRswGQYDVQQD
    ExI3NDYtMDAwMS05MDM1LThCQTgxEjAQBgNVBAoTCVRpVm8gSW5jLjELMAkGA1UE
    CxMCSVQxDzANBgNVBAcTBkFsdmlzbzETMBEGA1UECBMKQ2FsaWZvcm5pYTELMAkG
    A1UEBhMCVVMwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKF7vQnT0+7Dd5dn
    cr+OUVT+urRzKGW4SOOLxd8G0FwdEdYdKKUz5HyuvXczv77+SjThtleaFAaeeLUO
    X96uBGOHIv5bjoxsA1GiTizBY5dDJj3qLDS8qnnyY5EsBy2gxElsN/7+rTFson06
    Ui5jA75hY4ZId/NKUPI1ayHSEcD3AgMBAAEwDQYJKoZIhvcNAQEFBQADgYEARIgE
    mo/0Bj/GwpuQX4X1DleiXvyM75giRIMAqVa6tXHZa/75y0vdsKy30uyj6wXkahnb
    X/4GuzxYhADWfiVnVhiTyLdCzALChH3+5rEkUC/AMcNp8NIauEL5NGdkPrifFYhS
    n6wpyf1PF3JOcNDEeeiILQyEhjN7cP93zRTs+FU=
    -----END CERTIFICATE-----
    subject=/CN=746-0001-xxxx-xxxx/O=TiVo Inc./OU=IT/L=Alviso/ST=California/C=US
    issuer=/CN=746-0001-xxxx-xxxx/O=TiVo Inc./OU=IT/L=Alviso/ST=California/C=US
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 767 bytes and written 408 bytes
    ---
    New, TLSv1/SSLv3, Cipher is AES256-SHA
    Server public key is 1024 bit
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1
        Cipher    : AES256-SHA
        Session-ID: 96F08F7587604AA95B9AA41E878D88011441DE79FF9EC21E0247910CEB447ECD
    
        Session-ID-ctx:
        Master-Key: A3E16A6834CDEF6A1F6F63BE321BEEE7F78391683678710FDDBB8832DC8CE8D9C62473BC9E03CAD94AAA09A2DEF8327D
        Key-Arg   : None
        PSK identity: None
        PSK identity hint: None
        Start Time: 1298986922
        Timeout   : 300 (sec)
        Verify return code: 18 (self signed certificate)
    ---
    ^C
    
    An article on SSL debugging:
    http://www.sslshopper.com/article-debugging-ssl-communications.html

    I believe we have the client certificate in my previous post obtained from the iPad app.
     
  13. Mar 1, 2011 #53 of 366
    jbuehl
    That's good news moyekj. It should be possible to write a man-in-the-middle to see the messages in the clear.
     
  14. May 1, 2011 #54 of 366
    ckrames1234
    The traffic is, in fact, encrypted with SSL. The fact that every packet above starts with the same data proves that; it is the SSL header. The TiVo uses the MRPC (MindRPC) protocol. I, being an Objective-C hacker, actually went as far as to disable SSL inside the app's binary, and although this disables the app from working, I captured the first request it sends to the TiVo, unencrypted:

    Code:
    MRPC/2 224 85
    Type:request
    RpcId:4
    SchemaVersion:7
    Content-Type:application/json
    RequestType:bodyAuthenticate
    ResponseCount:single
    BodyId:
    X-ApplicationName:Quicksilver
    X-ApplicationVersion:1.2
    X-ApplicationSessionId:0x3bc3f0
    
    {"type":"bodyAuthenticate","credential":{"type":"makCredential","key":"XXXXXXXXXX"}}
    Going further, I found the sweet spot in the code, I can now get all requests before they are sent out in the app (i.e. unencrypted). It seems MRPC is a very configurable protocol, you specify a request type (recordingSearch, subscriptionSearch, contentSearch, offerSearch, and collectionSearch are the common ones I see), and then specify what you want to search for, and also how you want to receive the results. All in JSON. An example request to get all your season passes:

    Code:
    MRPC/2 246 651
    Type:request
    RpcId:37
    SchemaVersion:7
    Content-Type:application/json
    RequestType:subscriptionSearch
    ResponseCount:single
    BodyId:tsn:XXXXXXXXXXXXXXX
    X-ApplicationName:Quicksilver
    X-ApplicationVersion:1.2
    X-ApplicationSessionId:0x3a82a0 (Unique, random number, probably based on time, that remains the same per one authentication session)
    	
    {"type":"subscriptionSearch","noLimit":true,"bodyId":"tsn:XXXXXXXXXXXXXXX","levelOfDetail":"medium","responseTemplate":[{"type":"responseTemplate","fieldName":["subscription"],"typeName":"subscriptionList"},{"type":"responseTemplate","fieldName":["title","subscriptionId","idSetSource","maxRecordings","showStatus","keepBehavior"],"typeName":"subscription"},{"type":"responseTemplate","fieldName":["title","contentId","channel","startTime","duration","hasSignLanguage","hasAudioDescription","screenFormat","offerId","cc","collectionId"],"typeName":"offer"}],"objectIdAndType":["581641651188047","581641651188014","581641651187883","581641651187995"]}
    Overall:
    You send an authentication request to your TiVo on port 1413 with your MAK, encrypted with SSL. Then you send any request you want to obtain the data you want. I will probably provide a more in depth dissemination of the protocol and some sample code in perl soon. (I wrote this in a rush, sorry :p)
     
  15. May 1, 2011 #55 of 366
    orangeboy
    Awesome first post!
     
  16. May 1, 2011 #56 of 366
    ckrames1234
    Thanks!

    And to clear up some points above:

    - SSL was created for, and is used, for the express purpose of preventing people from spying on data in between two ends of a connection. When you found the SSL certificate, you could have used it with Wireshark (if it was built with GnuTLS) to decrypt the packets, but I think the developers changed the certificate, removed the file, and integrated it into the binary, because I couldn't find a tivo.cer file anywhere. Without that certificate, packet captures are useless other than to tell which port is being used.

    - It is very rare to see a TCP protocol not based on plaintext.

    - The best method, in my opinion, to capture packets between the two devices, is by installing and using tcpdump on a jailbroken iPad :p
    Code:
    tcpdump -w ./tivo_dump.pcap -vvv -s 0 'src or dst 192.168.2.202'
    - Are you guys seeing port 1393 being used? My 3 day old, recently updated TiVo Premiere was using port 1413. It may vary per TiVo?

    - Random note: Looking through IDA shows that there are some classes specifically for iPhone in the code, so we should be seeing an iPhone version soon
     
  17. May 1, 2011 #57 of 366
    tomhorsley
    Actually, it looks to me like they are not using a certificate based SSL anymore. On my linux box, I setup this entry in my stunnel.conf file:

    [tivo]
    accept = 1413
    connect = tivo-7460001902dac0b.my.lan:1413

    (where that ridiculous name is the name the tivo gave itself via dhcp and .my.lan is what I call my local subnet in my dns server).

    I then do this:

    telnet localhost 1413

    and paste in the example authentication request, modified to contain my tivo's mak, and the telnet session prints this:

    MRPC/2 75 97
    Content-Type: application/json
    IsFinal: true
    RpcId: 4
    Type: response

    {"message": "Authentication successful", "status": "success", "type": "bodyAuthenticateResponse"}

    So I get a successful authentication back just using the same sort of SSL connection you'd use to connect to an SSL protected mail server, etc. So it looks like things are ready to take off maybe (I can hope :).
     
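    Putting ckrames1234's two captured requests (#54) and the reply tomhorsley got back through stunnel (#57) side by side, the framing falls out of the byte counts in the first line. "MRPC/2 224 85" means 224 bytes of header block and 85 bytes of body: ten "Name:value" lines ending in CRLF plus one empty CRLF line come to exactly 224, and the 84-character JSON plus one trailing LF is 85; the same rule gives 246/651 for the subscriptionSearch request and 75/97 for the TiVo's reply (whose body has no trailing LF and whose headers use "Name: value" with a space). The following is an added example, not code from either poster or from TiVo: an MRPC/2 encoder and decoder plus a small TLS client that does what the stunnel + telnet pairing above does using Python's ssl module. Port 1413, the header names and fixed values, and the RpcId/session id values are copied from the posts; the host and the MAK are placeholders, and the trailing-LF and CRLF details are inferred from the counts rather than documented anywhere. authenticate() is a network call and is not exercised by the offline checks.

```python
"""MRPC/2 framing and a minimal TLS client for the TiVo Premiere.

Added example, not code from the thread or from TiVo.  The frame layout is
INFERRED from the byte counts in the captured messages above:

    MRPC/2 <header_len> <body_len>\r\n
    Name:value\r\n ... \r\n       header_len bytes, blank line included
    <body>                        body_len bytes, copied verbatim

Both requests the iPad app sent end their JSON body with one LF (224/85 and
246/651 only add up that way); the TiVo's reply (75/97) has no trailing LF.
"""
import json
import socket
import ssl

CRLF = b"\r\n"


class IncompleteFrame(ValueError):
    """More bytes are needed before the frame can be parsed."""


def encode(headers: dict, body: bytes) -> bytes:
    """Build one MRPC/2 frame; header order is preserved."""
    block = b"".join(f"{k}:{v}".encode() + CRLF for k, v in headers.items()) + CRLF
    return f"MRPC/2 {len(block)} {len(body)}".encode() + CRLF + block + body


def decode(frame: bytes):
    """Parse one frame from the front of `frame`.

    Returns (headers, body_bytes, bytes_consumed).  Raises IncompleteFrame when
    the buffer is short and ValueError when the magic line or the declared
    lengths are inconsistent, so a truncated or tampered frame is never
    half-read as if it were valid.
    """
    first, sep, rest = frame.partition(CRLF)
    if not sep:
        raise IncompleteFrame("first line not terminated")
    parts = first.split(b" ")
    if len(parts) != 3 or parts[0] != b"MRPC/2":
        raise ValueError(f"bad MRPC line: {first!r}")
    hlen, blen = int(parts[1]), int(parts[2])
    if len(rest) < hlen + blen:
        raise IncompleteFrame(f"need {hlen + blen} bytes, have {len(rest)}")
    hblock, body = rest[:hlen], rest[hlen:hlen + blen]
    if not hblock.endswith(CRLF + CRLF):
        raise ValueError("header block not terminated by a blank line")
    headers = {}
    for line in hblock[:-4].split(CRLF):
        if not line:
            continue
        name, _, value = line.decode().partition(":")
        headers[name.strip()] = value.strip()  # the TiVo replies with "Name: value"
    return headers, body, len(first) + 2 + hlen + blen


def request(rpc_id: int, request_type: str, body_id: str, payload: dict,
            session_id: str = "0x3bc3f0") -> bytes:
    """Frame a request the way the captured iPad app did: header names and
    fixed values copied from the captures, compact JSON body plus one LF."""
    headers = {
        "Type": "request", "RpcId": rpc_id, "SchemaVersion": 7,
        "Content-Type": "application/json", "RequestType": request_type,
        "ResponseCount": "single", "BodyId": body_id,
        "X-ApplicationName": "Quicksilver", "X-ApplicationVersion": "1.2",
        "X-ApplicationSessionId": session_id,
    }
    body = json.dumps(payload, separators=(",", ":")).encode() + b"\n"
    return encode(headers, body)


# Constructed from the reply text posted above: 75-byte header block, 97-byte body.
SAMPLE_RESPONSE = (
    b"MRPC/2 75 97\r\n"
    b"Content-Type: application/json\r\nIsFinal: true\r\nRpcId: 4\r\nType: response\r\n\r\n"
    b'{"message": "Authentication successful", "status": "success", "type": "bodyAuthenticateResponse"}'
)


def authenticate(host: str, mak: str, port: int = 1413, timeout: float = 10.0) -> dict:
    """Open TLS to the box and send bodyAuthenticate; returns the parsed reply.

    The Premiere presents a self-signed certificate (see the s_client output),
    so verification is off here just as it was for stunnel; acceptable for
    protocol exploration on your own LAN, not for anything else.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    # The 2011 firmware negotiated TLS 1.0 / AES256-SHA; a current OpenSSL
    # build may also need its security level lowered before it will talk to it.
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    frame = request(4, "bodyAuthenticate", "",
                    {"type": "bodyAuthenticate",
                     "credential": {"type": "makCredential", "key": mak}})
    with socket.create_connection((host, port), timeout=timeout) as raw, \
            ctx.wrap_socket(raw, server_hostname=host) as tls:
        tls.sendall(frame)
        buf = b""
        while True:
            chunk = tls.recv(4096)
            if not chunk:
                raise ConnectionError("server closed before a full frame arrived")
            buf += chunk
            try:
                headers, body, _ = decode(buf)
            except IncompleteFrame:
                continue  # keep reading until the declared lengths are satisfied
            return {"headers": headers, "body": json.loads(body)}
```

    Usage is authenticate("192.168.1.151", "0123456789") with your own box's address and MAK; on success the body is the {"type": "bodyAuthenticateResponse", "status": "success", ...} object shown above. Because decode() returns the number of bytes it consumed, the same loop serves for the stream of status frames the TiVo sends once a session is up: decode, slice off `consumed` bytes, repeat.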
  18. May 1, 2011 #58 of 366
    orangeboy
    Well huh! With no thread activity in two months, I thought this was a dead project!
     
  19. May 1, 2011 #59 of 366
    innocentfreak
    Same here lol. Even with an iPad now I would still love to see some of this functionality figured out.

    Speaking of dead projects, any progress ;)
     
  20. May 1, 2011 #60 of 366
    orangeboy
    I haven't even looked at python code for months. Christmas break did just that: it broke my habit of further development... :(
     
