TiVo Community
Old 02-27-2011, 10:04 AM   #31
jbuehl
Registered User
 
Join Date: Nov 2004
Location: Los Angeles, CA
Posts: 19
So how's the weather in Mission Viejo? We had rain and hail here yesterday.
jbuehl is offline   Reply With Quote
Old 02-27-2011, 10:05 AM   #32
jbuehl
Registered User
 
Join Date: Nov 2004
Location: Los Angeles, CA
Posts: 19
OK, one more...
jbuehl is offline   Reply With Quote
Old 02-27-2011, 10:17 AM   #33
jbuehl
Registered User
 
Join Date: Nov 2004
Location: Los Angeles, CA
Posts: 19
Here is a zip with 2 captures. One is where the iPad app failed to work and one where it succeeded. The successful one doesn't contain the entire exchange between the devices.
Attached Files
File Type: zip ipad-tivo.zip (21.5 KB, 11 views)
jbuehl is offline   Reply With Quote
Old 02-27-2011, 10:57 AM   #34
moyekj
Registered User
 
Join Date: Jan 2006
Location: Mission Viejo, CA
Posts: 8,510
OK thanks. As you said it looks like Premiere (192.168.1.151) is communicating on port 1393 with the iPad (192.168.1.138) using TCP/IP communication. I don't see any http/https level communication between them and therefore there is no header information to look at or anything else interesting to look at. So doesn't look like network sniffing is going to be too useful...
__________________
Roamio Pro (GigE)
Elite (MoCA)
Premiere (MoCA adapter)
Cox - Motorola CableCards & TAs
Slingbox 350 via TiVo Mini & TiVo Stream for remote viewing

moyekj is offline   Reply With Quote
Old 02-27-2011, 11:52 AM   #35
orangeboy
yes, I AM orangeboy!
 
Join Date: Apr 2004
Location: Moline, IL
Posts: 4,075
Something to try (and I don't know if it will help any) -

Set up this filter in Wireshark to display only traffic between the iPad and Premiere, regardless of port:
Code:
(ip.src == 192.168.1.151 and ip.dst == 192.168.1.138) or (ip.src == 192.168.1.138 and ip.dst == 192.168.1.151)
Use the iPad to navigate around the Premiere, as if it were only a remote control, and make note of the action (used TiVo button, Right Arrow, etc). I haven't seen the app to know if what I'm asking is possible.

When saving the capture, save only the displayed packets.
orangeboy is offline   Reply With Quote
Old 02-27-2011, 12:53 PM   #36
wmcbrine
Resistance Useless
 
Join Date: Aug 2003
Posts: 8,758
Quote:
Originally Posted by moyekj View Post
So doesn't look like network sniffing is going to be too useful...
Man, you give up way too easily.
wmcbrine is offline   Reply With Quote
Old 02-27-2011, 01:27 PM   #37
moyekj
Registered User
 
Join Date: Jan 2006
Location: Mission Viejo, CA
Posts: 8,510
Who said anything about giving up? The revelation that port 1393 is being used on TiVo is a good start and made the exercise well worthwhile. Just don't know if anything else useful can be gleaned from the captured raw data.
__________________
Roamio Pro (GigE)
Elite (MoCA)
Premiere (MoCA adapter)
Cox - Motorola CableCards & TAs
Slingbox 350 via TiVo Mini & TiVo Stream for remote viewing

moyekj is offline   Reply With Quote
Old 02-27-2011, 01:38 PM   #38
jbuehl
Registered User
 
Join Date: Nov 2004
Location: Los Angeles, CA
Posts: 19
Quote:
Use the iPad to navigate around the Premiere, as if it were only a remote control, and make note of the action (used TiVo button, Right Arrow, etc). I haven't seen the app to know if what I'm asking is possible.

When saving the capture, save only the displayed packets.
Good idea, orangeboy. I'll try that in a while.

Last edited by jbuehl : 02-27-2011 at 01:44 PM.
jbuehl is offline   Reply With Quote
Old 02-27-2011, 02:31 PM   #39
orangeboy
yes, I AM orangeboy!
 
Join Date: Apr 2004
Location: Moline, IL
Posts: 4,075
Hopefully with some methodical testing, something may come of it. And with methodical, I mean hit the TiVo button, wait about 10 seconds, hit Live TV, wait 10 seconds, hit Pause, wait 10 seconds, etc... Something that will clearly show that the action performed was actually captured. Getting to the more esoteric functions like "scrubbing" the progress bar can be done later IF the iPad protocol can be figured out.
orangeboy is offline   Reply With Quote
Old 02-27-2011, 02:51 PM   #40
wmcbrine
Resistance Useless
 
Join Date: Aug 2003
Posts: 8,758
Quote:
Originally Posted by moyekj View Post
Just don't know if anything else useful can be gleaned from the captured raw data.
Let's see... start with the visible ASCII strings in the initial response from the TiVo (which include the TSN, BTW). I can see that each string is preceded by a length byte, and the length byte is preceded by a byte that may indicate the data type -- it's always 0x13 for the ASCII strings, except for the pure numeric sequences that end in "Z"; they're 0x17. In between these may be sections beginning with 0x30 (followed by a single byte) or 0x31 (followed by eight bytes). Not sure I've parsed that right yet, but it's early. The first group of strings etc. is almost repeated after the numeric strings. (Besides the TSN, the other strings in this group are "TiVo Inc.", "IT", "Alviso", "California", and "US". Admittedly that doesn't seem useful, but it did help confirm the string format.)

Another thing I might look for would be data in HME-like formats (e.g., variable-length integers and packed dicts), which are also used in push requests, so TiVo seems to like them. But the string format doesn't fit that theme.

Anyway, there are patterns here; you just have to keep at it.
wmcbrine is offline   Reply With Quote
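The byte patterns described in the post above match ASN.1 DER tag-length-value encoding, which is how X.509 certificate fields are stored: 0x13 is PrintableString, 0x17 is UTCTime, 0x30 is SEQUENCE and 0x31 is SET. The Python walker below is an added example, not code from the thread; the sample bytes are constructed to mirror the strings quoted above, and the names `read_tlv`, `walk`, `strings`, `tlv` and `rdn` are illustrative.

```python
# Universal-class ASN.1 tags that correspond to the bytes described in the post.
TAG_NAMES = {
    0x06: "OBJECT IDENTIFIER",
    0x13: "PrintableString",
    0x17: "UTCTime",
    0x30: "SEQUENCE",
    0x31: "SET",
}
CONSTRUCTED = 0x20  # bit set on tags whose value is itself a run of TLVs


def read_tlv(buf, pos, end):
    """Return (tag, value_start, value_end) for the TLV at pos.

    Handles single-byte tags only, which covers X.509. Raises ValueError
    when the header or the declared length does not fit inside [pos, end).
    """
    if pos + 2 > end:
        raise ValueError("truncated TLV header at offset %d" % pos)
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                  # short form: the byte is the length
        length = first
    else:                             # long form: low 7 bits count the length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > end:
            raise ValueError("bad length encoding at offset %d" % pos)
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > end:
        raise ValueError("value overruns its container at offset %d" % pos)
    return tag, pos, pos + length


def walk(buf, pos=0, end=None, depth=0, out=None):
    """Flatten a DER blob into (depth, tag_name, text_or_None) tuples."""
    out = [] if out is None else out
    end = len(buf) if end is None else end
    while pos < end:
        tag, vstart, vend = read_tlv(buf, pos, end)
        text = None
        if tag in (0x13, 0x17):       # the two string types seen in the capture
            text = buf[vstart:vend].decode("ascii", errors="replace")
        out.append((depth, TAG_NAMES.get(tag, "tag 0x%02x" % tag), text))
        if tag & CONSTRUCTED:         # SEQUENCE / SET: descend into the value
            walk(buf, vstart, vend, depth + 1, out)
        pos = vend
    return out


def strings(buf):
    """Return only the readable strings, in the order they appear."""
    return [text for _, _, text in walk(buf) if text is not None]


def tlv(tag, value):
    """Encode one short-form TLV; used only to build the constructed sample."""
    if len(value) >= 0x80:
        raise ValueError("sample helper supports short-form lengths only")
    return bytes([tag, len(value)]) + value


def rdn(attr, text):
    """SET { SEQUENCE { OID 2.5.4.<attr>, PrintableString text } }"""
    oid = tlv(0x06, bytes([0x55, 0x04, attr]))
    return tlv(0x31, tlv(0x30, oid + tlv(0x13, text)))


# Constructed sample: three name attributes followed by one UTCTime value.
SAMPLE = (tlv(0x30, rdn(10, b"TiVo Inc.") + rdn(7, b"Alviso") + rdn(6, b"US"))
          + tlv(0x17, b"110101000000Z"))

if __name__ == "__main__":
    for depth, name, text in walk(SAMPLE):
        print("  " * depth + name + ("" if text is None else " " + repr(text)))
```

In each `rdn()` output the 0x31 tag is followed by exactly eight bytes (lengths, the nested 0x30, and the attribute OID) before the 0x13 string tag, which is the spacing the post noticed.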
Old 02-27-2011, 02:54 PM   #41
wmcbrine
Resistance Useless
 
Join Date: Aug 2003
Posts: 8,758
Quote:
Originally Posted by orangeboy View Post
And with methodical, I mean hit the TiVo button, wait about 10 seconds, hit Live TV, wait 10 seconds, hit Pause, wait 10 seconds, etc... Getting to the more esoteric functions like "scrubbing" the progress bar can be done later
My understanding is that the iPad app uses the known network remote interface for the basic stuff, so the "esoteric" functions are the only ones to worry about. I can't confirm that, though.
wmcbrine is offline   Reply With Quote
Old 02-27-2011, 02:58 PM   #42
jbuehl
Registered User
 
Join Date: Nov 2004
Location: Los Angeles, CA
Posts: 19
Here are 2 captures of a play and a pause message. When the remote is active on the iPad, the TiVo continuously sends 298-byte messages at 1 second intervals to the iPad, no doubt to update the progress bar. The iPad only sends data when a button is pressed.

Sorry, I couldn't figure out how to save only the filtered packets.
Attached Files
File Type: zip ipad-tivo-remote.zip (11.6 KB, 7 views)
jbuehl is offline   Reply With Quote
Old 02-27-2011, 03:29 PM   #43
moyekj
Registered User
 
Join Date: Jan 2006
Location: Mission Viejo, CA
Posts: 8,510
It's pretty easy to filter when viewing with Wireshark. Simply right click on one of the TCP lines and choose "Follow TCP Stream". That will filter out the other network traffic. Other useful thing to note is in the middle pane click on the Data row to show actual data being communicated without the TCP related overhead.
__________________
Roamio Pro (GigE)
Elite (MoCA)
Premiere (MoCA adapter)
Cox - Motorola CableCards & TAs
Slingbox 350 via TiVo Mini & TiVo Stream for remote viewing

moyekj is offline   Reply With Quote
Old 02-27-2011, 03:51 PM   #44
jbuehl
Registered User
 
Join Date: Nov 2004
Location: Los Angeles, CA
Posts: 19
Quote:
Originally Posted by moyekj View Post
It's pretty easy to filter when viewing with Wireshark. Simply right click on one of the TCP lines and choose "Follow TCP Stream". That will filter out the other network traffic. Other useful thing to note is in the middle pane click on the Data row to show actual data being communicated without the TCP related overhead.

Right, I know how to do that, but when I save it to a file, it includes everything that was captured. The Save As... dialog has an option to save a range of packets, but it didn't seem to work.

The hex dump that I posted earlier is from "Follow TCP Stream" and includes just the data without the overhead.
jbuehl is offline   Reply With Quote
Old 02-27-2011, 04:17 PM   #45
orangeboy
yes, I AM orangeboy!
 
Join Date: Apr 2004
Location: Moline, IL
Posts: 4,075
Only frame 34 of the "Play" capture contains data from the iPad to the Premiere. Frame 7 of the "Pause" capture is also the only frame with data. Nothing on port 31339.

Edit: the first 5 bytes are common between both Pause and Play: 17 03 01 00 a0
orangeboy is offline   Reply With Quote
Old 02-27-2011, 04:36 PM   #46
jbuehl
Registered User
 
Join Date: Nov 2004
Location: Los Angeles, CA
Posts: 19
Quote:
Originally Posted by orangeboy View Post
Only frame 34 of the "Play" capture contains data from the iPad to the Premiere. Frame 7 of the "Pause" capture is also the only frame with data. Nothing on port 31339.

Edit: the first 5 bytes are common between both Pause and Play: 17 03 01 00 a0
All the messages from the TiVo in those captures also start with 17030100. As I posted earlier, every message I have seen starts with 14030100, 15030100, 16030100, or 17030100. The ones starting with 16 occur when the devices initially connect, and the one starting with 15 is sent when they disconnect.

I am also seeing that signature at the beginning of messages sent from the TiVo to a server at TiVo with the IP address 208.73.181.192. The iPad app won't work unless the TiVo can be talking to a server at the mother ship.

Last edited by jbuehl : 02-27-2011 at 05:13 PM.
jbuehl is offline   Reply With Quote
Old 02-27-2011, 07:49 PM   #47
tomhorsley
Registered User
 
Join Date: Jul 2010
Posts: 575
Shucks, I was hoping it would be something obvious like XML messages. This is gonna be more work to crack. I wonder if Broadcom has some "standard" communications library they sold TiVo (like they sold them the flash nonsense).
tomhorsley is offline   Reply With Quote
Old 02-28-2011, 04:13 PM   #48
tomhorsley
Registered User
 
Join Date: Jul 2010
Posts: 575
Quote:
Originally Posted by orangeboy View Post
Hopefully with some methodical testing, something may come of it. And with methodical, I mean hit the TiVo button, wait about 10 seconds, hit Live TV, wait 10 seconds, hit Pause, wait 10 seconds, etc... Something that will clearly show that the action performed was actually captured. Getting to the more esoteric functions like "scrubbing" the progress bar can be done later IF the iPad protocol can be figured out.
Or set up a video camera to record the iPad with timestamps turned on and compare the time of the IP packets :-).
tomhorsley is offline   Reply With Quote
Old 02-28-2011, 08:08 PM   #49
reneg
Registered User
 
Join Date: Jun 2002
Posts: 444
Quote:
Originally Posted by orangeboy View Post
Only frame 34 of the "Play" capture contains data from the iPad to the Premiere. Frame 7 of the "Pause" capture is also the only frame with data. Nothing on port 31339.

Edit: the first 5 bytes are common between both Pause and Play: 17 03 01 00 a0
Looks like the data starting with 17 03 01 00 a0 is SSL application data header according to MS Network Monitor.
Code:
  Frame: Number = 7, Captured Frame Length = 231, MediaType = ETHERNET
+ Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[00-11-D9-31-A2-74],SourceAddress:[D8-A2-5E-49-C3-02]
+ Ipv4: Src = 192.168.1.138, Dest = 192.168.1.151, Next Protocol = TCP, Packet ID = 16021, Total IP Length = 217
+ Tcp: Flags=...AP..., SrcPort=49957, DstPort=1393, PayloadLen=165, Seq=2321678643 - 2321678808, Ack=2797587107, Win=32942
  TLSSSLData: Transport Layer Security (TLS) Payload Data
- TLS: TLS Rec Layer-1 SSL Application Data
  - TlsRecordLayer: TLS Rec Layer-1 SSL Application Data 
     ContentType: SSL Application Data (0x17)
   + Version: TLS 1.0 (0x0301)
     Length: 160 (0xA0)
   - ApplicationData: 
      SSLApplicationData: Binary Large Object (160 Bytes)
Makes me wonder if we're dealing with an XMPP interface.
reneg is online now   Reply With Quote
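The leading byte values reported in the posts above (14, 15, 16 or 17, followed by 03 01 and a two-byte length) are the five-byte TLS record header defined in RFC 2246. The Python below is an added example, not code from the thread: it splits a reassembled TCP payload into records and names each content type. The sample stream is constructed with zero-filled bodies, and `parse_records` and `record` are illustrative names.

```python
import struct

# ContentType values from RFC 2246, section 6.2.1.
CONTENT_TYPES = {
    0x14: "change_cipher_spec",
    0x15: "alert",
    0x16: "handshake",
    0x17: "application_data",
}
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
MAX_FRAGMENT = 2**14 + 2048  # largest TLSCiphertext fragment RFC 2246 allows


def parse_records(stream):
    """Split reassembled TCP payload bytes into TLS records.

    Returns (records, leftover). records is a list of dicts describing each
    complete record; leftover holds the bytes of a record that has not fully
    arrived. Raises ValueError if the bytes do not look like TLS at all.
    """
    records, pos = [], 0
    while len(stream) - pos >= 5:
        # type (1 byte), version (2 bytes), length (2 bytes), network order
        ctype, version, length = struct.unpack_from("!BHH", stream, pos)
        if ctype not in CONTENT_TYPES or (version >> 8) != 0x03:
            raise ValueError("offset %d: not a TLS record header" % pos)
        if length > MAX_FRAGMENT:
            raise ValueError("offset %d: record length %d too large" % (pos, length))
        if len(stream) - pos - 5 < length:
            break  # body incomplete; wait for more bytes
        records.append({
            "offset": pos,
            "type": CONTENT_TYPES[ctype],
            "version": VERSIONS.get(version, hex(version)),
            "length": length,
        })
        pos += 5 + length
    return records, stream[pos:]


def record(ctype, body, version=0x0301):
    """Build one record; used only for the constructed sample below."""
    return struct.pack("!BHH", ctype, version, len(body)) + body


# Constructed sample in the order the thread observed: handshake records at
# connect, a 160-byte application data record, an alert at disconnect, then
# three stray bytes of a header that has not finished arriving.
SAMPLE_STREAM = (
    record(0x16, bytes(48))
    + record(0x14, b"\x01")
    + record(0x16, bytes(48))
    + record(0x17, bytes(160))
    + record(0x15, bytes(32))
    + b"\x17\x03\x01"
)

if __name__ == "__main__":
    recs, rest = parse_records(SAMPLE_STREAM)
    for r in recs:
        print("%(offset)4d  %(type)-18s %(version)s  len=%(length)d" % r)
    print("leftover bytes:", rest.hex())
```

Only the header is in the clear; everything after it in a 0x17 record is ciphertext, which is why the captures showed a stable prefix and nothing readable after it.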
Old 02-28-2011, 10:05 PM   #50
jbuehl
Registered User
 
Join Date: Nov 2004
Location: Los Angeles, CA
Posts: 19
Quote:
Originally Posted by reneg View Post
Looks like the data starting with 17 03 01 00 a0 is SSL application data header according to MS Network Monitor.

Makes me wonder if we're dealing with an XMPP interface.
I think you're right. I assumed it wasn't encrypted because Wireshark didn't flag it as something special and I saw the clear text in the second message, but those signatures make sense. I don't know much about SSL, but the text is probably TiVo's SSL certificate.

Here is a description that I found of the protocol

http://publib.boulder.ibm.com/infoce...ps5/s5rcd.html

And here's the RFC

http://tools.ietf.org/html/rfc2246

Last edited by jbuehl : 02-28-2011 at 10:17 PM.
jbuehl is offline   Reply With Quote
Old 03-01-2011, 12:05 AM   #51
moyekj
Registered User
 
Join Date: Jan 2006
Location: Mission Viejo, CA
Posts: 8,510
If it's any help, attached is the TiVo SSL certificate from the iPad application.
Attached Files
File Type: zip tivo_ssl_certificate.zip (648 Bytes, 25 views)
__________________
Roamio Pro (GigE)
Elite (MoCA)
Premiere (MoCA adapter)
Cox - Motorola CableCards & TAs
Slingbox 350 via TiVo Mini & TiVo Stream for remote viewing

moyekj is offline   Reply With Quote
Old 03-01-2011, 07:51 AM   #52
moyekj
Registered User
 
Join Date: Jan 2006
Location: Mission Viejo, CA
Posts: 8,510
Progress

Some progress. Using openssl I was able to establish a connection with my Premiere on port 1393:
(NOTE: I x'd out my TSN below)
Code:
C:\OpenSSL-Win32\bin>openssl s_client -connect 192.168.10.199:1393 -state -nbio
Loading 'screen' into random state - done
CONNECTED(000000AC)
turning on non blocking io
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:error in SSLv2/v3 read server hello A
write R BLOCK
SSL_connect:SSLv3 read server hello A
depth=0 CN = 746-0001-xxxx-xxxx, O = TiVo Inc., OU = IT, L = Alviso, ST = Califo
rnia, C = US
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = 746-0001-xxxx-xxxx, O = TiVo Inc., OU = IT, L = Alviso, ST = Califo
rnia, C = US
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:error in SSLv3 read finished A
SSL_connect:error in SSLv3 read finished A
read R BLOCK
SSL_connect:SSLv3 read finished A
read R BLOCK
---
Certificate chain
 0 s:/CN=746-0001-xxxx-xxxx/O=TiVo Inc./OU=IT/L=Alviso/ST=California/C=US
   i:/CN=746-0001-xxxx-xxxx/O=TiVo Inc./OU=IT/L=Alviso/ST=California/C=US
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body not preserved]
-----END CERTIFICATE-----
subject=/CN=746-0001-xxxx-xxxx/O=TiVo Inc./OU=IT/L=Alviso/ST=California/C=US
issuer=/CN=746-0001-xxxx-xxxx/O=TiVo Inc./OU=IT/L=Alviso/ST=California/C=US
---
No client certificate CA names sent
---
SSL handshake has read 767 bytes and written 408 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 96F08F7587604AA95B9AA41E878D88011441DE79FF9EC21E0247910CEB447ECD

    Session-ID-ctx:
    Master-Key: A3E16A6834CDEF6A1F6F63BE321BEEE7F78391683678710FDDBB8832DC8CE8D9
C62473BC9E03CAD94AAA09A2DEF8327D
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1298986922
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
^C
An article on SSL debugging:
http://www.sslshopper.com/article-de...nications.html

I believe we have the client certificate in my previous post obtained from the iPad app.
__________________
Roamio Pro (GigE)
Elite (MoCA)
Premiere (MoCA adapter)
Cox - Motorola CableCards & TAs
Slingbox 350 via TiVo Mini & TiVo Stream for remote viewing


Last edited by moyekj : 03-01-2011 at 07:57 AM.
moyekj is offline   Reply With Quote
Old 03-01-2011, 07:58 AM   #53
jbuehl
Registered User
 
Join Date: Nov 2004
Location: Los Angeles, CA
Posts: 19
That's good news moyekj. It should be possible to write a man-in-the-middle to see the messages in the clear.
jbuehl is offline   Reply With Quote
Old 05-01-2011, 11:37 AM   #54
ckrames1234
Registered User
 
Join Date: May 2011
Posts: 4
The traffic is, in fact, encrypted with SSL. The fact that every packet above starts with the same data proves that; it is the SSL header. The TiVo uses the MRPC (MindRPC) protocol. I, being an Objective-C hacker, actually went as far as to disable SSL inside the app's binary, and although this disables the app from working, I captured the first request it sends to the TiVo, unencrypted:

Code:
MRPC/2 224 85
Type:request
RpcId:4
SchemaVersion:7
Content-Type:application/json
RequestType:bodyAuthenticate
ResponseCount:single
BodyId:
X-ApplicationName:Quicksilver
X-ApplicationVersion:1.2
X-ApplicationSessionId:0x3bc3f0

{"type":"bodyAuthenticate","credential":{"type":"makCredential","key":"XXXXXXXXXX"}}
Going further, I found the sweet spot in the code; I can now get all requests before they are sent out in the app (i.e. unencrypted). It seems MRPC is a very configurable protocol: you specify a request type (recordingSearch, subscriptionSearch, contentSearch, offerSearch, and collectionSearch are the common ones I see), and then specify what you want to search for, and also how you want to receive the results. All in JSON. An example request to get all your season passes:

Code:
MRPC/2 246 651
Type:request
RpcId:37
SchemaVersion:7
Content-Type:application/json
RequestType:subscriptionSearch
ResponseCount:single
BodyId:tsn:XXXXXXXXXXXXXXX
X-ApplicationName:Quicksilver
X-ApplicationVersion:1.2
X-ApplicationSessionId:0x3a82a0 (Unique, random number, probably based on time, that remains the same per one authentication session)
	
{"type":"subscriptionSearch","noLimit":true,"bodyId":"tsn:XXXXXXXXXXXXXXX","levelOfDetail":"medium","responseTemplate":[{"type":"responseTemplate","fieldName":["subscription"],"typeName":"subscriptionList"},{"type":"responseTemplate","fieldName":["title","subscriptionId","idSetSource","maxRecordings","showStatus","keepBehavior"],"typeName":"subscription"},{"type":"responseTemplate","fieldName":["title","contentId","channel","startTime","duration","hasSignLanguage","hasAudioDescription","screenFormat","offerId","cc","collectionId"],"typeName":"offer"}],"objectIdAndType":["581641651188047","581641651188014","581641651187883","581641651187995"]}
Overall:
You send an authentication request to your TiVo on port 1413 with your MAK, encrypted with SSL. Then you send any request you want to obtain the data you want. I will probably provide a more in-depth dissemination of the protocol and some sample code in Perl soon. (I wrote this in a rush, sorry :P)
ckrames1234 is offline   Reply With Quote
Old 05-01-2011, 12:20 PM   #55
orangeboy
yes, I AM orangeboy!
 
Join Date: Apr 2004
Location: Moline, IL
Posts: 4,075
Awesome first post!
orangeboy is offline   Reply With Quote
Old 05-01-2011, 03:52 PM   #56
ckrames1234
Registered User
 
Join Date: May 2011
Posts: 4
Thanks!

And to clear up some points above:

- SSL was created for, and is used for, the express purpose of preventing people from spying on data in between two ends of a connection. When you found the SSL certificate, you could have used it with Wireshark (if it was built with GnuTLS) to decrypt the packets, but I think the developers changed the certificate, removed the file, and integrated it into the binary, because I couldn't find a tivo.cer file anywhere. Without that certificate, packet captures are useless other than to tell which port is being used.

- It is very rare to see a TCP protocol not based on plaintext.

- The best method, in my opinion, to capture packets between the two devices, is by installing and using tcpdump on a jailbroken iPad :P
Code:
tcpdump -w ./tivo_dump.pcap -vvv -s 0 'src or dst 192.168.2.202'
- Are you guys seeing port 1393 being used? My 3 day old, recently updated TiVo Premiere was using port 1413. It may vary per TiVo?

- Random note: Looking through IDA shows that there are some classes specifically for iPhone in the code, so we should be seeing an iPhone version soon

Last edited by ckrames1234 : 05-01-2011 at 03:59 PM.
ckrames1234 is offline   Reply With Quote
Old 05-01-2011, 05:36 PM   #57
tomhorsley
Registered User
 
Join Date: Jul 2010
Posts: 575
Actually, it looks to me like they are not using a certificate-based SSL anymore. On my Linux box, I set up this entry in my stunnel.conf file:

[tivo]
accept = 1413
connect = tivo-7460001902dac0b.my.lan:1413

(where that ridiculous name is the name the tivo gave itself via dhcp and .my.lan is what I call my local subnet in my dns server).

I then do this:

telnet localhost 1413

and paste in the example authentication request, modified to contain my tivo's mak, and the telnet session prints this:

MRPC/2 75 97
Content-Type: application/json
IsFinal: true
RpcId: 4
Type: response

{"message": "Authentication successful", "status": "success", "type": "bodyAuthenticateResponse"}

So I get a successful authentication back just using the same sort of SSL connection you'd use to connect to an SSL protected mail server, etc. So it looks like things are ready to take off maybe (I can hope :-).
tomhorsley is offline   Reply With Quote
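An added example, not code from the thread or from TiVo: a Python framer and parser for the MRPC/2 messages quoted earlier in the thread (the captured request and the response from the stunnel session). It assumes the two numbers on the start line are the byte lengths of the header block, including its terminating blank line, and of the JSON body, with CRLF line endings; that is an inference from counting the response above (75 and 97 bytes). The function names and the length cap are illustrative.

```python
import json

CRLF = b"\r\n"
MAX_SECTION = 1 << 20  # assumed sanity cap on declared lengths; not from the thread

# The response exactly as printed in the telnet session, with CRLF line endings.
RESPONSE_HEAD = (b"Content-Type: application/json\r\n"
                 b"IsFinal: true\r\n"
                 b"RpcId: 4\r\n"
                 b"Type: response\r\n"
                 b"\r\n")
RESPONSE_BODY = (b'{"message": "Authentication successful", "status": "success", '
                 b'"type": "bodyAuthenticateResponse"}')
SAMPLE_RESPONSE = b"MRPC/2 75 97\r\n" + RESPONSE_HEAD + RESPONSE_BODY

# Header names and values of the first captured request quoted in the thread.
REQUEST_HEADERS = [
    ("Type", "request"), ("RpcId", "4"), ("SchemaVersion", "7"),
    ("Content-Type", "application/json"), ("RequestType", "bodyAuthenticate"),
    ("ResponseCount", "single"), ("BodyId", ""),
    ("X-ApplicationName", "Quicksilver"), ("X-ApplicationVersion", "1.2"),
    ("X-ApplicationSessionId", "0x3bc3f0"),
]


def build_frame(headers, body_obj):
    """Serialize headers and a JSON body, computing both length fields."""
    head = b"".join(f"{k}:{v}".encode("ascii") + CRLF for k, v in headers) + CRLF
    body = json.dumps(body_obj, separators=(",", ":")).encode("utf-8")
    return b"MRPC/2 %d %d\r\n" % (len(head), len(body)) + head + body


def parse_frame(buf):
    """Parse one frame from the front of buf.

    Returns (headers, body, rest), or None when buf does not yet hold a whole
    frame. Raises ValueError when the bytes are not a well-formed frame.
    """
    eol = buf.find(CRLF)
    if eol < 0:
        if len(buf) > 64:
            raise ValueError("no start line within 64 bytes")
        return None
    parts = buf[:eol].split(b" ")
    if len(parts) != 3 or parts[0] != b"MRPC/2":
        raise ValueError("bad start line: %r" % buf[:eol])
    if not (parts[1].isdigit() and parts[2].isdigit()):
        raise ValueError("non-numeric length field")
    head_len, body_len = int(parts[1]), int(parts[2])
    if head_len > MAX_SECTION or body_len > MAX_SECTION:
        raise ValueError("declared length exceeds sanity cap")
    head_start = eol + 2
    body_start = head_start + head_len
    end = body_start + body_len
    if len(buf) < end:
        return None  # wait for more bytes from the socket
    head = buf[head_start:body_start]
    if head != CRLF and not head.endswith(CRLF + CRLF):
        raise ValueError("header block does not end with a blank line")
    headers = {}
    for line in head.split(CRLF):
        if not line:
            continue
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError("header line without a colon: %r" % line)
        # Requests use "Name:value", responses "Name: value"; accept both.
        headers[name.decode("ascii").strip()] = value.decode("ascii").strip()
    body = json.loads(buf[body_start:end].decode("utf-8")) if body_len else None
    return headers, body, buf[end:]


if __name__ == "__main__":
    print(parse_frame(SAMPLE_RESPONSE))
```

Rebuilding the captured request's headers with `build_frame` yields a header length of 224, the same value as on the captured start line.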
Old 05-01-2011, 05:44 PM   #58
orangeboy
yes, I AM orangeboy!
 
Join Date: Apr 2004
Location: Moline, IL
Posts: 4,075
Well huh! With no thread activity in two months, I thought this was a dead project!
orangeboy is offline   Reply With Quote
Old 05-01-2011, 05:56 PM   #59
innocentfreak
Registered User
 
Join Date: Aug 2001
Location: Florida
Posts: 8,409
Quote:
Originally Posted by orangeboy View Post
Well huh! With no thread activity in two months, I thought this was a dead project!
Same here lol. Even with an iPad now I would still love to see some of this functionality figured out.

Speaking of dead projects, any progress
__________________
1 - TiVo Roamio Pro
2 - TiVo Premiere XL

innocentfreak is offline   Reply With Quote
Old 05-01-2011, 06:05 PM   #60
orangeboy
yes, I AM orangeboy!
 
Join Date: Apr 2004
Location: Moline, IL
Posts: 4,075
I haven't even looked at python code for months. Christmas break did just that: it broke my habit of further development...
orangeboy is offline   Reply With Quote