#EXT-X-KEY:METHOD=AES-128,URI="tivocrypt:///29919494ac3b53ab93ba79b17cd06819"
Custom "tivocrypt" Scheme
So I know that the iOS will attempt to hit that URL to retrieve the key, but where is the code that handles that? And can we extract the key programmatically?
I found a location where the "tivocrypt" string was used on a URL in TiVoProtocolHandler."startLoading"(), this sounds exactly like what we want.
I spent quite a bit of time understanding what this method does, my pseudo code:
- Read the incoming request URLs absolute string ("tivocrypt:///{32-hex characters}"), grab the data to the right of "tivoCrypt://" (This should come from the iphone internally)
- Split the "/{32-hex characters}" on "/", grab the 2nd string in the array
- Loops over the string, converting it to a 16-byte binary called "CompareUrlData"
- Call this["compareURLData:withData:"]( CompareUrlData, WithData) to get a new Data object, this new object is our AES-128 key for decrypting video...
- Create NsUrlResponse with a NsUrlResponse["initWithURL:MIMEType:expectedContentLength:textEncodingName:"](this["request"]()["URL"]();, "application/octet-stream", Content["length"](), ???); (this should be sent back to the iphone internally)
- Have this["client"] (URLProtocolClient) fire off its events
So it is clear, "compareURLData:withData" is taking in some data and outputting our 16-byte key. Looking at the actual code, the first parameter is the tivocrypt folder name converted from 32-hex characters to a 16-byte value. But the second argument?
Well...that would be the White Box Key we got from the TiVo Stream earlier!
So, we know both arguments of "compareURLData:withdata", hopefully its just a simple decryption technique...
No comments:
Post a Comment