TiVo App "Transcoder" object
This code is responsible for the log output:
Mar 30 20:46:24 XXXXXXXX-iPod Quicksilver[1286] <Warning>: config for http://10.0.0.109:49152/sysinfo/json/svcinfo:
Mar 30 20:46:24 XXXXXXXX-iPod Quicksilver[1286] <Warning>: config for http://10.0.0.109:49152/sysinfo/json/clients:
Mar 30 20:46:24 XXXXXXXX-iPod Quicksilver[1286] <Warning>: config for http://10.0.0.109:49152/sysinfo/json/main-dyn:
It was not hard to find given that IDA Pro can search for strings.
I found the method "FetchJSONAtURL()" on the Transcoder object to be very interesting
Pseudo Code:
- Hits http://{TIVO_STREAM_IP}:49152/sysinfo/json/main-dyn
- Validate output, some callbacks
- Hits http://{TIVO_STREAM_IP}:49152/sysinfo/json/clients
- Validate output, some callbacks
- Hits http://{TIVO_STREAM_IP}:49152/sysinfo/json/svcinfo
- Validate output, some callbacks, saves the list of TSNs (TiVo IDs) listed
- If the TiVo stream has at least one TSN on the network (as dictated by our JSON response)
  - Call "fetchWhiteBoxKey:withPort"
  - Hits https://{TIVO_STREAM_IP}:49151/live-streaming/XX_DUMMY_TSN_XX/key.scbin?uuid={UNIQUE_IDENTIFIER}
  - Save response as a property "whiteBoxKey" on object "Transcoder"
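The log lines quoted above are enough to inventory which services the app talks to and which of them it reaches over plain HTTP. The following is an added example, not code from the app or from the original post: it parses syslog-style device log lines, keeps the URLs logged by one process, and groups them by scheme, host and port. The sample log is constructed from the lines shown in the post, and the function names are assumptions made for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample input, modelled on the log lines quoted in the post.
SAMPLE_LOG = """\
Mar 30 20:46:24 XXXXXXXX-iPod Quicksilver[1286] <Warning>: config for http://10.0.0.109:49152/sysinfo/json/svcinfo:
Mar 30 20:46:24 XXXXXXXX-iPod Quicksilver[1286] <Warning>: config for http://10.0.0.109:49152/sysinfo/json/clients:
Mar 30 20:46:24 XXXXXXXX-iPod Quicksilver[1286] <Warning>: config for http://10.0.0.109:49152/sysinfo/json/main-dyn:
Mar 30 20:46:25 XXXXXXXX-iPod SpringBoard[15] <Notice>: unrelated line
"""

# timestamp, device name, process[pid], <level>: message
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s"
    r"(?P<proc>[^\[\s]+)\[(?P<pid>\d+)\]\s<(?P<level>\w+)>:\s(?P<msg>.*)$"
)
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def extract_endpoints(log_text, process="Quicksilver"):
    """Return {(scheme, host, port): sorted paths} for URLs logged by `process`."""
    found = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["proc"] != process:
            continue  # malformed line or a different process
        for raw in URL_RE.findall(m["msg"]):
            url = urlsplit(raw.rstrip(":,.;"))  # drop the log's trailing colon
            port = url.port or (443 if url.scheme == "https" else 80)
            found[(url.scheme, url.hostname, port)].add(url.path)
    return {key: sorted(paths) for key, paths in found.items()}


def cleartext_services(endpoints):
    """Return the (host, port) pairs that were reached over plain HTTP."""
    return sorted(key[1:] for key in endpoints if key[0] == "http")


if __name__ == "__main__":
    endpoints = extract_endpoints(SAMPLE_LOG)
    for (scheme, host, port), paths in endpoints.items():
        print(f"{scheme}://{host}:{port}")
        for path in paths:
            print(f"  {path}")
    print("cleartext:", cleartext_services(endpoints))
```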
White-Box Key
The code pertaining to "key" and "WhiteBoxKey" has me interested, but also discouraged. White-Box cryptography is an industry term used to describe highly obfuscated encryption techniques that disguise the keys. Things are not looking good.
Trying to hit the Transcoder URLs ourselves
Attempting to hit all the /sysinfo/json/* URLs is no problem; the TiVo Stream spits out all the data we want.
However, when we try to hit the "key.scbin" URL we do not receive a response. Something more must be going on here. Are they expecting a POST? Or maybe an SSL client key (perhaps the one we found in the TiVo App folder earlier)?
Let's start looking at the ssdata.p12 and cdata.p12 files we looked at earlier...