iOS9 #12

Open
hay187 opened this issue Oct 19, 2015 · 149 comments

Comments

@hay187 hay187 commented Oct 19, 2015

So I've managed to get iOS 9 to negotiate and start sending data. The config record looks correct (not encrypted). But the video data makes no sense once decrypted.

It appears that the key must have changed.

I tried to find a decrypted version of the newest firmware for Apple TV but I can't seem to find one. Emulating Thumb is not a problem if I can find the firmware.

Any ideas?

@hay187 hay187 changed the title iOS9 - some progress! iOS9 Oct 20, 2015
@hay187 hay187 closed this Oct 20, 2015
@espes espes commented Oct 20, 2015

what happened?

@hay187 hay187 reopened this Oct 20, 2015
@hay187 hay187 commented Oct 20, 2015

I just updated the first post.

It works; the problem was I wasn't keeping the event port open. But the decryption key seems incorrect.

As a sanity check I took the challenge/response from a log of iOS 9 and an Apple TV and fed the same into the existing airtunesd, and the results are different. iOS 9 still seems to accept them and sends the video data though.

I can only guess the decryption key must have changed.

@hay187 hay187 commented Oct 20, 2015

There also seems to be data of type 5 every 30 video packets. I'm guessing it may be audio info since everything is now being sent over this one connection.

Type is: 1
config record
Type is: 0
Encrypted Video Data
Type is: 0
Encrypted Video Data
Type is: 0
Encrypted Video Data
Type is: 0
Encrypted Video Data
Type is: 0
Encrypted Video Data
Type is: 0
Encrypted Video Data
Type is: 0
Encrypted Video Data
Type is: 0
Encrypted Video Data
Type is: 0
Encrypted Video Data
Type is: 0
Encrypted Video Data
Type is: 0
Encrypted Video Data
Type is: 0
Encrypted Video Data
Type is: 0
Encrypted Video Data
Type is: 0
Encrypted Video Data
Type is: 0
Encrypted Video Data
Type is: 0
Encrypted Video Data
Type is: 0
Encrypted Video Data
Type is: 0
Encrypted Video Data
Type is: 0
Encrypted Video Data
Type is: 0
Encrypted Video Data
Type is: 0
Encrypted Video Data
Type is: 0
Encrypted Video Data
Type is: 0
Encrypted Video Data
Type is: 0
Encrypted Video Data
Type is: 0
Encrypted Video Data
Type is: 0
Encrypted Video Data
Type is: 0
Encrypted Video Data
Type is: 0
Encrypted Video Data
Type is: 0
Encrypted Video Data
Type is: 0
Encrypted Video Data
Type is: 0
Encrypted Video Data
Type is: 0
Encrypted Video Data
Type is: 0
Encrypted Video Data
Type is: 0
Encrypted Video Data
Type is: 0
Encrypted Video Data
Type is: 0
Encrypted Video Data
Type is: 5
wtf 194 5 0 0.0
Type is: 0
Encrypted Video Data
Type is: 0
Encrypted Video Data
Type is: 0
Encrypted Video Data
Type is: 0
Encrypted Video Data
Type is: 0
Encrypted Video Data
Type is: 0
Encrypted Video Data
Type is: 0
Encrypted Video Data
Type is: 0
Encrypted Video Data
Type is: 0
Encrypted Video Data
Type is: 0
Encrypted Video Data
Type is: 0
Encrypted Video Data
Type is: 0
Encrypted Video Data
Type is: 0
Encrypted Video Data
Type is: 0
Encrypted Video Data
Type is: 0
Encrypted Video Data
Type is: 0
Encrypted Video Data
Type is: 0
Encrypted Video Data
Type is: 0
Encrypted Video Data
Type is: 0
Encrypted Video Data
Type is: 0
Encrypted Video Data
Type is: 0
Encrypted Video Data
Type is: 0
Encrypted Video Data
Type is: 0
Encrypted Video Data
Type is: 0
Encrypted Video Data
Type is: 0
Encrypted Video Data
Type is: 0
Encrypted Video Data
Type is: 0
Encrypted Video Data
Type is: 0
Encrypted Video Data
Type is: 0
Encrypted Video Data
Type is: 5
wtf 25194 5 0 0.0

@hay187 hay187 commented Oct 20, 2015

Strangely iOS 7 works with the same protocol, AND the video data still doesn't decrypt.

@hay187 hay187 commented Oct 20, 2015

Hmm, looks like I've hit a dead end :( It seems iOS 9 is using a different key/encryption which probably needs the library from the new Apple TV firmware. I don't think decryption keys are available for the new Apple TV firmware tho?

Any ideas on your end? It's also possible the video format has changed but I doubt it.

@hay187 hay187 commented Oct 20, 2015

Maybe the sochi firmware can handle this type of encryption. I'll have to set up qemu and find the entry points tho. Any chance you have the entry points already?

@espes espes commented Oct 20, 2015

No. I'm going to have a look at all this soon now that unicorn is released.

@hay187 hay187 commented Oct 20, 2015

Oh, I didn't know about unicorn! I'm attempting to decrypt an even newer firmware at the moment; will let you know how it goes. In the meantime here's a quick test vector for challenge 1 so you can check if it's generating with the new or old key.

46504c590301010000000004020003bb
< 46504c5903010200000000820203d7ce93237c7d52efb40385eee64ed14616cad9dc49bdba930c1d8b359475f8d3da5a8356dbdd929eddb74e3a5e2b1e3c7e2587b9ba5a48f387484a4530f825d789440f15f9965d547d2bb51d45f1de0c58962bcbc0b8ca451793305a89aafbd60bf436272dd75fff777b2976112f8b373bac39e8175ac4a5b08e2f95cab6e47e

The current airtunesd returns this instead:
46504c5903010200000000820203879f7a3d3ce5a4c5db51176fa886babd9ca307a9626d8bbeee2ec31a2efdec3d9f5714833e2b3ffe6044b09a8c9946dfda0bceb86af01d27757f2f37ab366d138c0bd89b792d35695884089618460d4888ee0d09ed829b61a94f41e0f4cba1d49a2009130a64336ce44a030bca9960b9ba91511db91f4a3df46f246de2171f98

@Noiled Noiled commented Oct 22, 2015

@kam187 which firmware do you use to pass negotiate?

@hay187 hay187 commented Oct 22, 2015

It's a special set of attributes in the bonjour message to skip it. Let me get to my computer and I'll post it in about half an hour.

@hay187 hay187 commented Oct 22, 2015

Here you go:
The real device sends 0x507FFFF7,0x1E but the following is sufficient to make the device connect AND skip the initial verify stages:

    'features': u'0x507FFFF7',
    'model' : u'AppleTV3,2',
    'srcvers': u'220.68',

@Noiled Noiled commented Oct 22, 2015

@kam187 When I change the attributes as you said above, no video data comes, and the logs are below:
AirTunes: 172.16.8.93 - - [22/Oct/2015 16:11:39] "POST /fp-setup HTTP/1.1" 200 -
AirTunes: 172.16.8.93 - - [22/Oct/2015 16:11:39] code 501, message Unsupported method ('TEARDOWN')

on iOS 9.0.2

@hay187 hay187 commented Oct 22, 2015

It's not as simple as that. The protocol is totally different. If you're just expecting it to work it won't, a lot more work needs to be done yet.

@Noiled Noiled commented Oct 22, 2015

@kam187 OK, if you decode the video successfully, please let me know.

@hay187 hay187 commented Oct 22, 2015

The encryption has changed so we need to find the decryption key for the new firmware and then reverse that firmware to find the decrypt function :/

@espes espes commented Oct 23, 2015

What would be useful is a packet capture of the newer protocol. Can you help with that?

@espes espes mentioned this issue Oct 23, 2015
@hay187 hay187 commented Oct 23, 2015

Yeah sure, I'll upload it when I get to my computer.

In the meantime there's one on here too:

juhovh/shairplay#43

Although it doesn't show the actual image data.

@hay187 hay187 commented Oct 28, 2015

Hmm, a bit of an update. I've managed to debug through a commercial solution (took forever) to get a decrypt key for a logged session, but the resulting data has no valid NALU format :/

Any ideas?

@hay187 hay187 commented Oct 28, 2015

I wonder if it's switched to AES-GCM mode, but I wonder what the authentication tag is...

@hay187 hay187 commented Oct 28, 2015

Nope, not AES-GCM :/

@Noiled Noiled commented Oct 29, 2015

@kam187 Leave me an email.

@hay187 hay187 commented Oct 29, 2015

My id at gmail dot com

@hay187 hay187 commented Oct 29, 2015

Anyway, I'll try to debug and double check the key when I have time. The only other thing I can think to do is try to debug the decryption part, but the whole thing is heavily obfuscated :/. Probably the original AirPlay library embedded in there.

@hay187 hay187 commented Oct 29, 2015

I've got hold of an airtunesd from version 190.9; it looks to have updated init/challenge/decrypt functions, which I've identified.

It contains Thumb code though, so we need a better emulator. espes, drop me an email and I can pass it over if you want to have a go.

@hay187 hay187 commented Oct 29, 2015

One more experiment: I sent a fake bonjour with features 0x527FFFF7 but pointing to a commercial AirPlay receiver. I traced the traffic and there was no pair verify, as expected, but the whole thing worked fine.

So that means (for now at least) we can ignore the pair verify, use this feature ID, and concentrate on the init/challenge/decrypt.

@comwizz2 comwizz2 commented Sep 27, 2017

I have been using all your advice here to get video decoding working!
Now I run into the problem that I do not know how to decode the audio.
In this newer protocol, how is the audio encoded? I get the stream, but the bytes don't seem right and ffmpeg complains they are not valid AAC-ELD data.

@bobj1212 bobj1212 commented Sep 28, 2017

In /info I see:

    audioFormats
    audioInputFormats
    67108860

Question:
What is 67108860?
Is it the Apple Lossless codec?
AAC? AAC-ELD?
Is there a table for these format codes?

Thanks.

@robertoandrade robertoandrade commented Sep 29, 2017

I believe all clients I've tested so far return the same constant, which is indicative of the formats it supports (either AAC or ALAC). The client is the one that tells the server what format the stream it's sending is, via the SETUP call.

They have an audioFormat plist property there which I've seen come in with either:

ALAC = 0x40000
AAC  = 0x1000000

@comwizz2 comwizz2 commented Sep 29, 2017

Does anyone know how the audio is encrypted?

@robertoandrade robertoandrade commented Sep 29, 2017

With the AES key/IV that is provided (FP encrypted) on the SETUP call?

@comwizz2 comwizz2 commented Sep 30, 2017

Well, for video it's:
First 16 bytes of SHAHash("AirPlayStream{the string 'Key' or 'IV'}{StreamConnectionID}{FairplayMasterKey}")
in AES/CTR 128.

But audio doesn't have a streamId, so I'm not sure what cipher or key/IV to use.

@robertoandrade robertoandrade commented Sep 30, 2017

@vitiluck vitiluck commented Oct 10, 2017

@robertoandrade Is audio encrypted in CBC mode or CTR?

@robertoandrade robertoandrade commented Oct 10, 2017

@training-bit123 training-bit123 commented Oct 11, 2017

@comwizz2 How to get the 'FairplayMasterKey'? Can you give me some advice?

SHAHash("AirPlayStream{the string 'Key' or 'IV'}{StreamConnectionID}{FairplayMasterKey}")

@comwizz2 comwizz2 commented Oct 11, 2017

@suiye223
You get it through the /fp-setup calls. I did not write that code in my project, I received it from another developer and do not have rights to share it.

@comwizz2 comwizz2 commented Oct 11, 2017

@robertoandrade
AES-CBC 128?
The only key and IV I get sent during SETUP are "ekey" and "eiv", and they are 72 bytes and 16 bytes respectively, which means the key is the wrong size? Is it a subset of that blob?
Sorry if I am bugging you; information on this is just sparse!

@robertoandrade robertoandrade commented Oct 11, 2017

@vitiluck vitiluck commented Oct 16, 2017

When pair-setup/verify is skipped: key/IV from FairPlay, then SHA512 of AirPlayStream Key/IV and streamID. Decoding video is fine.
When pair-setup/verify is enabled: the former video decoding is invalid.
pair-verify is an authentication method to verify device identity. Does it affect the video data decoding process?
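The per-stream key derivation that comwizz2 describes a few comments up (first 16 bytes of a SHA hash over "AirPlayStream" + "Key"/"IV" + StreamConnectionID + FairPlay master key, then AES-128-CTR), with the hash taken as SHA-512 as vitiluck states here, written out as an added Python example. This is not code from the thread or from the project. Assumptions: the StreamConnectionID is hashed as its decimal string, the FairPlay master key recovered from the /fp-setup exchange is 16 bytes, and each call starts the CTR counter from the derived IV (whether the counter restarts per packet is not stated in the thread). The master key and stream ID values are constructed placeholders, and the AES-CTR step uses the third-party `cryptography` package when it is installed; the derivation itself needs only `hashlib`.

```python
import hashlib

try:
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    HAVE_CRYPTOGRAPHY = True
except ImportError:  # derivation still works; only the AES step needs the package
    HAVE_CRYPTOGRAPHY = False

# Constructed placeholders, not values from a real session.
SAMPLE_MASTER_KEY = bytes(range(0x10, 0x20))          # assumed 16-byte FairPlay master key
SAMPLE_STREAM_CONNECTION_ID = "6108990559123033009"  # assumed: decimal string form


def derive_stream_material(label: bytes, stream_connection_id: str, master_key: bytes) -> bytes:
    """First 16 bytes of SHA-512("AirPlayStream" + label + streamConnectionID + masterKey).

    label is b"Key" or b"IV". SHA-512 is an assumption taken from vitiluck's comment.
    """
    h = hashlib.sha512()
    h.update(b"AirPlayStream" + label)
    h.update(stream_connection_id.encode("ascii"))
    h.update(master_key)
    return h.digest()[:16]


def derive_stream_key_iv(stream_connection_id: str, master_key: bytes) -> tuple:
    """Return (aes_key, aes_iv) for one mirroring stream; both are 16 bytes."""
    key = derive_stream_material(b"Key", stream_connection_id, master_key)
    iv = derive_stream_material(b"IV", stream_connection_id, master_key)
    return key, iv


def aes128_ctr(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Apply the AES-128-CTR keystream to data; CTR is symmetric, so one routine decrypts and encrypts."""
    if not HAVE_CRYPTOGRAPHY:
        raise RuntimeError("install the 'cryptography' package to run the AES-CTR step")
    cipher = Cipher(algorithms.AES(key), modes.CTR(iv))
    dec = cipher.decryptor()
    return dec.update(data) + dec.finalize()


def demo_roundtrip() -> bool:
    """Encrypt a constructed payload with the derived key/IV and check it decrypts back."""
    key, iv = derive_stream_key_iv(SAMPLE_STREAM_CONNECTION_ID, SAMPLE_MASTER_KEY)
    # Constructed stand-in for a video payload; a real one would be an encrypted NALU stream.
    payload = b"\x00\x00\x00\x01" + bytes(range(40))
    ciphertext = aes128_ctr(key, iv, payload)
    return ciphertext != payload and aes128_ctr(key, iv, ciphertext) == payload


if __name__ == "__main__":
    k, v = derive_stream_key_iv(SAMPLE_STREAM_CONNECTION_ID, SAMPLE_MASTER_KEY)
    print("key:", k.hex())
    print("iv: ", v.hex())
    if HAVE_CRYPTOGRAPHY:
        print("roundtrip ok:", demo_roundtrip())
```

Because the key and IV are both pure functions of the stream connection ID and the master key, the quickest check when decrypted frames look like garbage (the "no valid NALU format" symptom earlier in the thread) is to confirm the two hash inputs byte for byte: the exact label string and the exact encoding of the stream ID change every output bit, so a decimal-versus-binary mismatch on the ID is indistinguishable from a wrong master key.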

@comwizz2 comwizz2 commented Nov 1, 2017

@robertoandrade Did you use the key provided when you were doing pair verify? Or did you skip pair verify?

@lhzheng880828 lhzheng880828 commented Nov 24, 2017

@vitiluck @robertoandrade When capturing mirror data, I have the following problems.
My iPhone version is 10.0.
After the second fp-setup, the client sends a SETUP method data package as follows:

SETUP rtsp://192.168.123.47/6108990559123033009 RTSP/1.0
Content-Length: 425
Content-Type: application/x-apple-binary-plist
CSeq: 5
DACP-ID: E28CCF9054EDE3B9
Active-Remote: 3016615115
User-Agent: AirPlay/320.20

bplist00..........
..
.........RetTname]sourceVersionZtimingPortXdeviceIDUmodelZmacAddress^osBuildVersion[sessionUUIDTekeySeiv. ..GrandStream-6plusV320.20..&..D8:BB:2C:1F:28:94YiPhone7,1_..D8:BB:2C:1F:28:92U14G60_.$54C77E8B-F4BE-4BB1-A9D7-D246D6672D8BO.HFPLY.......<....?z.(...K`.....}.....'......W...B...6j..w.{^..d...,...!.O..Ds*..i#6...D.T.!.....".'.5.@.I.O.Z.i.u.z.~...................H...............................[ RTSP/1.0 200 OK
Date: Thu, 19 Oct 2017 02:16:37 GMT
CSeq: 5
Server: AirTunes/220.68
Content-Length: 284

.eventPort .12854 .timingPort .22897

The x-apple-binary-plist format data was parsed as follows:

    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>et</key>
        <integer>32</integer>
        <key>timingProtocol</key>
        <string>NTP</string>
        <key>eiv</key>
        <data>
            HrbJSlqmPgmRn6xM0XugdQ==
        </data>
        <key>sessionUUID</key>
        <string>49C67001-A72D-45D2-A6FD-4F12793AC289</string>
        <key>osBuildVersion</key>
        <string>15B5086a</string>
        <key>sourceVersion</key>
        <string>353.10.2</string>
        <key>timingPort</key>
        <integer>59855</integer>
        <key>isGroupLeader</key>
        <false/>
        <key>ekey</key>
        <data>
            RlBMWQECAQAAAAA8AAAAADivBtZxGx1sJy0zzHc08RQAAAAQfPRypPd33scqq5zmjC4ubyylv52ntqYvptwEsauzGT59pHhG
        </data>
        <key>groupContainsGroupLeader</key>
        <false/>
        <key>groupUUID</key>
        <string>9E1B966B-1E20-460B-B255-FD61A1BDC0CD</string>
        <key>deviceID</key>
        <string>D0:E1:40:A4:C1:F8</string>
        <key>model</key>
        <string>iPad4,1</string>
        <key>name</key>
        <string>GSiPadAir</string>
        <key>macAddress</key>
        <string>D0:E1:40:A4:C1:F6</string>
    </dict>
    </plist>

and the return package should be as follows:

.eventPort .12854 .timingPort .22897

When my iPhone connects to the Android receiver, the iPhone prompts the message 'can't connect to xxx'.
How can I deal with eventPort and timingPort?
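An added example (not from the thread or the project) of handling the SETUP exchange quoted above with Python's `plistlib`: it builds a SETUP body of the same shape with placeholder identifiers, validates the "ekey" and "eiv" sizes reported earlier in the thread (72 and 16 bytes, with "ekey" starting with the "FPLY" magic that its base64 "RlBMWQ" decodes to), and frames the eventPort/timingPort reply as an RTSP/1.0 response with the `Server: AirTunes/220.68` header from the quoted capture. Every byte value and identifier below is constructed; nothing is taken from a real device session.

```python
import plistlib

# Constructed sample values, not captured from a device. The thread reports
# "ekey" as a 72-byte blob whose base64 starts with "RlBMWQ" ("FPLY") and
# "eiv" as 16 bytes; these placeholders have the same shape.
SAMPLE_EKEY = b"FPLY" + bytes(range(68))
SAMPLE_EIV = bytes(range(16))

CONTENT_TYPE = "application/x-apple-binary-plist"


def build_setup_request(ekey: bytes = SAMPLE_EKEY, eiv: bytes = SAMPLE_EIV) -> bytes:
    """Binary plist shaped like the SETUP body quoted above (placeholder identifiers)."""
    body = {
        "et": 32,
        "timingProtocol": "NTP",
        "eiv": eiv,
        "ekey": ekey,
        "sessionUUID": "00000000-0000-0000-0000-000000000000",  # placeholder
        "sourceVersion": "353.10.2",
        "timingPort": 59855,
        "isGroupLeader": False,
        "deviceID": "00:00:00:00:00:00",  # placeholder
        "model": "iPad4,1",
        "name": "constructed-sample",
    }
    return plistlib.dumps(body, fmt=plistlib.FMT_BINARY)


def parse_setup_request(raw: bytes) -> dict:
    """Parse the SETUP body and validate the fields a receiver has to rely on.

    plistlib returns <data> elements as bytes, so size checks are direct.
    """
    body = plistlib.loads(raw)
    ekey = body.get("ekey")
    eiv = body.get("eiv")
    if not isinstance(ekey, bytes) or len(ekey) != 72 or not ekey.startswith(b"FPLY"):
        raise ValueError("ekey must be a 72-byte FPLY blob")
    if not isinstance(eiv, bytes) or len(eiv) != 16:
        raise ValueError("eiv must be 16 bytes")
    timing_port = body.get("timingPort")
    if not isinstance(timing_port, int) or not 0 < timing_port < 65536:
        raise ValueError("timingPort missing or out of range")
    return {"ekey": ekey, "eiv": eiv, "timingPort": timing_port,
            "timingProtocol": body.get("timingProtocol")}


def setup_request_is_valid(raw: bytes) -> bool:
    """Convenience wrapper: True when parse_setup_request accepts the body."""
    try:
        parse_setup_request(raw)
        return True
    except (ValueError, plistlib.InvalidFileException):
        return False


def build_setup_response(event_port: int, timing_port: int) -> bytes:
    """The receiver's reply body: just eventPort and timingPort, as in the thread."""
    return plistlib.dumps({"eventPort": event_port, "timingPort": timing_port},
                          fmt=plistlib.FMT_BINARY)


def frame_rtsp_response(cseq: str, body: bytes) -> bytes:
    """Wrap a plist body in an RTSP/1.0 200 response, echoing the request's CSeq."""
    headers = [
        "RTSP/1.0 200 OK",
        f"CSeq: {cseq}",
        "Server: AirTunes/220.68",
        f"Content-Type: {CONTENT_TYPE}",
        f"Content-Length: {len(body)}",
    ]
    return ("\r\n".join(headers) + "\r\n\r\n").encode("ascii") + body


def parse_response_ports(frame: bytes) -> tuple:
    """Read our own framing back: split headers from body, verify length, return the ports."""
    head, _, body = frame.partition(b"\r\n\r\n")
    lengths = [h.split(b":", 1)[1].strip() for h in head.split(b"\r\n")
               if h.lower().startswith(b"content-length:")]
    if len(lengths) != 1 or int(lengths[0]) != len(body):
        raise ValueError("Content-Length does not match body")
    ports = plistlib.loads(body)
    return ports["eventPort"], ports["timingPort"]


if __name__ == "__main__":
    fields = parse_setup_request(build_setup_request())
    print("ekey bytes:", len(fields["ekey"]), "eiv bytes:", len(fields["eiv"]))
    reply = frame_rtsp_response("5", build_setup_response(12854, 22897))
    print(reply[:reply.index(b"\r\n\r\n")].decode())
    print("ports:", parse_response_ports(reply))
```

The size and magic checks are the practical point: a receiver that feeds a truncated or mis-typed "ekey" into the FairPlay step fails much later with undecodable video, whereas rejecting the SETUP here pins the fault to the request. The reply is only two integers, so if the phone still reports that it cannot connect, the next thing to verify is that the advertised eventPort and timingPort are actually listening before the response goes out.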

@lhzheng880828 lhzheng880828 commented Nov 27, 2017

Can somebody help me?

@notedit notedit commented Feb 6, 2018

I just cracked pair-setup/verify and solved the video/audio decode issue, and built our AirPlay mirror SDK for Android/iOS/Linux/Windows.
We provide commercial support.
Sorry for the bother.

@daviyang35 daviyang35 commented Mar 12, 2018

The GET /info "pk" field is the Curve25519 public key, created at the PairSetup step.
audioFormat:
ALAC = 0x40000 spf = 352
AAC = 0x400000
AAC-ELD = 0x1000000 spf = 480
I found the standalone audio stream uses ALAC and the screen mirroring audio stream uses AAC-ELD.
Anyone know what the "ct" field means?

@comwizz2 comwizz2 commented Apr 2, 2018

Anyone here familiar with what the PI field is supposed to be in the bonjour record?

@daviyang35 daviyang35 commented Apr 4, 2018

@comwizz2 The pi field is just a GUID string.

@comwizz2 comwizz2 commented Apr 13, 2018

Anyone figured out the /fp-setup2 call yet? It seems this is needed for FairPlay AirPlay streams (such as YouTube video).

@robertoandrade robertoandrade commented Apr 14, 2018

I believe the default is replying with a 0-byte response; the data itself is not used, from what I gathered in decrypting data, since YouTube sends a custom HLS URL that points to "localhost" for streaming the content. Haven't figured out how to crack that part yet.

@comwizz2 comwizz2 commented Apr 19, 2018

So from reading a working stream, it seems that if you respond to /fp-setup2 correctly, all communications become encrypted. Part of this I have observed is that if there are certain headers (x-apple-session, I believe) you respond with HTTP/1.1 instead of RTSP/1.0; this is the only way I get the fp-setup2 call.

@robertoandrade robertoandrade commented Apr 19, 2018

I've noticed that as well; responding to the GET /server-info with features=0x0 also makes it so that it falls back to the older PTTH/1.0 protocol to send in the remote commands and state for playback after the fp-setup2.

@comwizz2 comwizz2 commented Apr 19, 2018

@tishion tishion commented Nov 30, 2018

Thanks all of you guys.

@wellcomez wellcomez commented Jan 17, 2019

I've tried your project, but if you want to simulate x86 or even ARM instructions, unicorn is a good choice @hay187. I've made an iOS app with ARM instructions run on Mac successfully.

@561546441 561546441 commented Apr 7, 2019

Hi.
I found someone had implemented the mirror function on iOS 12 based on shairplay: https://github.com/dsafa22/AirplayServer. But it is for the Android system.

I combined the two pieces of code in https://github.com/561546441/shairplay
The mirroring handshake seems to be successful.
But I can't find the mirroring stream from the client.
Can you spend a little time to see why?

@robertoandrade @espes
