Saturday, March 30, 2013

Using cdata.p12 to find TiVos

Now that we have the cdata.p12 password, we can extract its contents.  Inside is the client certificate that is used to communicate with TiVo boxes when scanning the network for them.

Convert cdata.p12 file to Java Keystore file

# Import the PKCS#12 bundle into a JKS keystore that the Java program can load.
# The new store is protected with "changeit"; because no -destkeypass is given, the
# private-key entry keeps the cdata.p12 password, so the program needs both values.
# Passwords passed as arguments end up in shell history and the process list;
# keytool prompts for them when -srcstorepass / -deststorepass are omitted.
keytool -importkeystore -srckeystore cdata.p12 -srcstoretype pkcs12 -srcstorepass cxWmcQ03ukPV -destkeystore cdata.jks -deststoretype jks -deststorepass "changeit"

 Write a program to extract the TiVo host SSL certificate using our client certificate:


import java.net.MalformedURLException;
import java.net.URL;
import java.security.cert.Certificate;
import java.io.*;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLPeerUnverifiedException;

import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.KeyManager;
import javax.net.ssl.TrustManager;
import java.security.SecureRandom;
import javax.net.ssl.X509TrustManager;
import java.security.cert.CertificateException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.SSLSession;
import java.io.OutputStream;

import java.util.Enumeration;
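/**
 * Connects to one host on port 443, offering the client key stored in {@code cdata.jks},
 * and prints every certificate the host presents in PEM form.
 *
 * <p>Server certificate validation is switched off on purpose: the program's only job is
 * to record whatever certificate the host shows so it can be inspected afterwards. The
 * resulting TLS session therefore proves nothing about who answered, and the same
 * {@code SSLContext} must not be reused for connections that send data or credentials.
 */
public class Scanner {
   /** Password of the keystore file written by {@code keytool -deststorepass}. */
   private static final String STORE_PASSWORD = "changeit";

   /** Password of the private-key entry; the import kept the cdata.p12 password for it. */
   private static final String KEY_PASSWORD = "cxWmcQ03ukPV";

   /** Connect, handshake and read timeout in milliseconds. */
   private static final int TIMEOUT_MS = 100;

   /**
    * Probes the single hard-coded address 10.0.0.141.
    *
    * @param args ignored
    * @throws Exception declared for compatibility; probe failures are reported, not thrown
    */
   public static void main(String[] args) throws Exception
   {
      // The last octet is an int, matching ScanIp's signature.
      ScanIp("10.0.0.", 141);
   }

   /**
    * Attempts a TLS handshake with {@code Mask + Ip} on port 443 and prints the peer's
    * certificate chain as PEM blocks on standard output.
    *
    * @param Mask leading part of the IPv4 address, including the trailing dot
    * @param Ip   final octet of the address
    * @throws Exception declared for compatibility; every failure is caught, reported as
    *                   "No endpoint found" and followed by the stack trace
    */
   private static void ScanIp(String Mask, int Ip) throws Exception {
      String host = Mask + Ip;
      try {
         System.out.println("Scanning " + host);

         KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
         kmf.init(getKeyStore(), KEY_PASSWORD.toCharArray());

         // Accepts any server certificate so that private-CA or self-signed device
         // certificates can be captured. This removes server authentication entirely.
         X509TrustManager captureOnlyTrustManager = new X509TrustManager() {
            @Override
            public void checkClientTrusted(X509Certificate[] chain, String authType)
                  throws CertificateException {
            }

            @Override
            public void checkServerTrusted(X509Certificate[] chain, String authType)
                  throws CertificateException {
            }

            @Override
            public X509Certificate[] getAcceptedIssuers() {
               // The interface contract asks for a non-null (possibly empty) array.
               return new X509Certificate[0];
            }
         };

         SSLContext sslContext = SSLContext.getInstance("TLS");
         sslContext.init(
               kmf.getKeyManagers(),
               new TrustManager[] {captureOnlyTrustManager},
               new SecureRandom());

         // try-with-resources closes the socket even when the handshake fails.
         try (SSLSocket sslSocket = (SSLSocket) sslContext.getSocketFactory().createSocket()) {
            // Bound the connect as well, so an address nobody answers on fails fast.
            sslSocket.connect(new java.net.InetSocketAddress(host, 443), TIMEOUT_MS);
            sslSocket.setSoTimeout(TIMEOUT_MS);
            // Handshake explicitly: only a completed handshake counts as a hit.
            sslSocket.startHandshake();
            System.out.println("Found a TiVo!");

            SSLSession session = sslSocket.getSession();
            // java.util.Base64 replaces sun.misc.BASE64Encoder, which newer JDKs no
            // longer ship; 64-character lines are the usual PEM layout.
            java.util.Base64.Encoder pemEncoder =
                  java.util.Base64.getMimeEncoder(64, new byte[] {'\n'});
            for (java.security.cert.Certificate cert : session.getPeerCertificates()) {
               System.out.print("-----BEGIN CERTIFICATE-----\n");
               System.out.print(pemEncoder.encodeToString(cert.getEncoded()));
               System.out.print("\n-----END CERTIFICATE-----\n");
            }
         }
      } catch (Exception e) {
         System.out.println("No endpoint found");
         e.printStackTrace();
      }
   }

   /**
    * Loads {@code cdata.jks} from the working directory.
    *
    * @return the loaded JKS keystore
    * @throws Exception if the file is missing, unreadable, or the store password is wrong
    */
   private static KeyStore getKeyStore() throws Exception {
      KeyStore ks = KeyStore.getInstance("JKS");
      // Close the stream even when load() throws.
      try (java.io.FileInputStream fis = new java.io.FileInputStream("cdata.jks")) {
         ks.load(fis, STORE_PASSWORD.toCharArray());
      }
      return ks;
   }
}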

If given a TiVo IP, the program will output the host certificate in base64 (PEM) form.  The certificate contains the TSN ID described in the earlier post about IP scanning, which allows you to identify the model of the TiVo box.
