Messages - Mulder3

16
Does anyone know of any online app (from any provider) based on MS Mediaroom Presentation Foundation (MPF, the Tasman successor for building Mediaroom-based interactive applications)?

Thanks.
17
I don't know what your "program manager" is. Is that something to remote-control the DVR? If yes, we have it.
18
Guys, can you please write that sort of thing in English (at least in the wiki)? (Yes, I do realize this is the forum's German section.) This forum is visited by guys from the UK, US, Portugal, etc.
19
WinCE / TV2xmlDecrypt
29. Aug 2009, 19:14
In the following days I will post a detailed explanation of how the XML is encrypted and how the AES key and certificates are exchanged during the bootstrap... In the meantime, here is the code:

http://pastebin.com/f12f3527a
21
Software / Re: ThomsonIP1101 tv2client
19. Aug 2009, 13:45
The French Club-Internet used Thomson STBs running MS Mediaroom (at the time known as MSTV IPTV Edition), then they exchanged all those STBs for Sigma SMP8634-based ones (probably a Microsoft imposition).
Those Thomson STBs don't have a secure CPU like Sigma's XPU; all the DRM/crypto stuff is running unprotected and the RSA private keys are stored on a simple flash, and the icing on the cake is its x86 CPU (Intel Celeron), which is perfect for the Hex-Rays decompiler :)
22
Software / ThomsonIP1101 tv2client
19. Aug 2009, 02:09
Does anyone have a dump of the tv2client version for the ThomsonIP1101 (or any other STB without Sigma's SMP)? I know that such firmware is old and very different from the actual tv2client, but I want to take a look...

I've looked into a firmware from a German IPTV provider using the ThomsonIP1101, but I couldn't find tv2client...

23
Even if you can get MythTV to work via DirectFB/Qt Embedded, I think that MythTV will try to use FFmpeg codecs (FFmpeg uses the CPU, not the SMP DSPs) to decode the video... And the poor 300 MHz CPU simply doesn't have the power to decode video... So, unless the DirectFB version for the SMP863x has some kind of abstraction to the mrua libs for video decoding, you'll have to patch MythTV (or libavcodec) to use mrua...
24
Others / Re: Need Help
06. Aug 2009, 02:53

Hi there folks.

I'm from Portugal and I have a little problem.
I have 2 x300t working; one was provided by my ISP and the other was from another user that disconnected from the ISP, and when I connect it, the box tells me that the service is not provided...

Is there any registry in the x300 that could be blocking the box (different from my OK box provided by the ISP), or is my ISP blocking some kind of registry?

Please, any help.


Are those boxes really x300t from Deutsche Telekom, or "MEO boxes" from Portugal Telecom?
If you have the "MEO" IPTV service (or any other MS Mediaroom-based IPTV provider, as a matter of fact), you can only use boxes that are registered in your account... You can't connect using your friend's box...

PS: Your friend can get into trouble, since Portugal Telecom doesn't sell boxes, only rents them... He must return the box if their service is terminated, or, sooner or later, they will charge him the full price of the equipment (which I think is around 400/500 euros).
25
WinCE / Re: TV2 DRM
05. Aug 2009, 16:35

Err, what I meant was that modifying the tv2clientce to display the AES key would be easier than hooking the functions ;)

Sorry about my misunderstanding :)
26
WinCE / Re: TV2 DRM
05. Aug 2009, 03:41

The RDP username/password is not fixed; that's what is included in the XML data. It looks like this:
<GetTerminalServerCredentialsPerApp3Response xmlns="http://www.microsoft.com/tv2/server/tsmonitor">
<GetTerminalServerCredentialsPerApp3Result>Succeed</GetTerminalServerCredentialsPerApp3Result>
<loginCredentials serverName="a.server.T-ONLINE.DE" domainName="TSSF01008" username="rdpsessionuser004" password="Adbe9d0d2-f1cb-48cb-a394-24bb7d2c38b9z" sessionId="5" port="3389" Token="1021cd1d-f894-4681-b4a3-63fcc35719d5" />
</GetTerminalServerCredentialsPerApp3Response>
- The token id seems to be needed to connect.

Like I said, I haven't looked into the XML communications (my box is not modded), but I know how the standard RDP protocol is implemented on Windows 2000/XP, and given the fact that I can connect to it using a normal Windows XP client, I can assume the protocol used in MS Mediaroom is the same. The RDP protocol works by exchanging RSA certificates and a salt value, so it can set up an encrypted RC4 path between client and server.
About that XML you presented here, I can't comment on that without further investigation...


The AES key can be captured; I watched it and the corresponding IVs with the help of http://www.t-hack.com/forum/index.php?topic=293.0 and http://www.t-hack.com/forum/index.php?topic=278.0 about a year ago, but a modified tv2clientce would be much easier ;)

That would be your opinion :) If I had the soldering skills to directly enable JTAG on the SMP, I would certainly prefer Wireshark to dumped XML files...
Anyway, since I'm on vacation for about two months and don't have better things to do (I don't think there are better lives than the student ones :P), can I ask you to capture some Wireshark log and the corresponding AES key? So, when I finally get my box modded, I can use my favorite way of reversing strange/alien protocols (after all, that was why Wireshark was developed).

PS: I really don't understand why you say a modified tv2client spitting out dumped XML files is easier to use than Wireshark... Can you explain to me why? Just out of curiosity. I'm in the middle of a university degree in Telecommunications Engineering and we use Wireshark for almost everything, from GSM/UMTS protocols to simple HTTP...
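The post above describes standard RDP as exchanging RSA certificates and a salt so that an RC4 channel can be set up. As an added illustration (not code from the thread or from Mediaroom), this Python follows the publicly documented RDP Standard Security key schedule from MS-RDPBCGR section 5.3.5: both randoms are constructed sample values, the RSA wrapping of the client random is omitted, and the MAC/RC4 keys are derived with the spec's salted MD5/SHA-1 construction and then used for an RC4 round trip.

```python
"""RDP Standard Security key schedule (MS-RDPBCGR 5.3.5) plus an RC4 round trip."""
import hashlib

# Constructed sample randoms (32 bytes each, as in the protocol). In real RDP the
# client random is RSA-encrypted to the public key in the server's certificate;
# that RSA step is omitted here. Note that nothing in this schedule proves the
# server's identity to the client; that is what TLS and NLA add in later RDP.
CLIENT_RANDOM = bytes(range(1, 33))
SERVER_RANDOM = bytes(range(101, 133))

def salted_hash(secret, salt, cr, sr):
    """SaltedHash(S, I) = MD5(S + SHA1(I + S + ClientRandom + ServerRandom))."""
    inner = hashlib.sha1(salt + secret + cr + sr).digest()
    return hashlib.md5(secret + inner).digest()

def final_hash(key, cr, sr):
    """FinalHash(K) = MD5(K + ClientRandom + ServerRandom)."""
    return hashlib.md5(key + cr + sr).digest()

def derive_keys(cr, sr):
    """Derive the 128-bit MAC key and both RC4 session keys from the two randoms."""
    pre_master = cr[:24] + sr[:24]
    master = b"".join(salted_hash(pre_master, s, cr, sr) for s in (b"A", b"BB", b"CCC"))
    blob = b"".join(salted_hash(master, s, cr, sr) for s in (b"X", b"YY", b"ZZZ"))
    return {
        "mac_key": blob[0:16],
        "client_decrypt": final_hash(blob[16:32], cr, sr),  # = server encrypt key
        "client_encrypt": final_hash(blob[32:48], cr, sr),  # = server decrypt key
    }

def rc4(key, data):
    """Plain RC4: keystream XOR, so encryption and decryption are the same call."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def round_trip(message):
    """Client encrypts with its encrypt key; the server decrypts with the same bytes."""
    keys = derive_keys(CLIENT_RANDOM, SERVER_RANDOM)
    return rc4(keys["client_encrypt"], rc4(keys["client_encrypt"], message))
```

The 128-bit case is shown; the spec additionally truncates and salts the keys for the 40-bit and 56-bit encryption levels.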
27
WinCE / Re: TV2 DRM
04. Aug 2009, 21:16

An RDP session password can be requested and will then be delivered as part of the encrypted XML communication - the complicated part is the extra security; even a valid password is not enough to log in, "someone" has already tried this *cough*.

I haven't looked into the XML RDP request yet; however, from my past experience with Windows Server Terminal Services, I'm guessing there are two types of RDP authentication here. The first is the standard Windows login username/password, which, by the facts that I already described, must be a fixed / per-provider / per-box username/password combination. After the Windows login session is established, Terminal Services in single-application mode (I don't expect they were dumb enough to give a full Windows interactive session) delivers to the box the IPTV-specific application, and that application's authentication can be a session-based one delivered via XML... but that has nothing to do with RDP auth... I am talking about RDP/Windows Server standard auth.... Of course, passing the first authentication (the Windows one) is useless without passing the second... but it's a start...



A Wireshark dissector is rather useless, because like I already said, the key is inside the RSA-encrypted first server response, and it's different each time.


I know it's different every session; that's why I said that when tv2 decrypts the first RSA message sent by the server, the key could be written to some field in the UI by a modified tv2... So if anyone wants to sniff something in the XML, then it would be possible to do "live sniffing" with Wireshark instead of relying on a modified tv2client to dump XML files to the hard disk... (Of course, the first step would be to get the key from that field in the UI and insert it into Wireshark, on every capture session, since the key changes in every session.)
Or does tv2client not even have access to the key, and the decryption is done inside the XPU??
28
WinCE / Re: TV2 DRM
04. Aug 2009, 06:07


I don't understand what you mean by the RDP stuff being complicated; RDP does what it does (i.e. the same that Remote Desktop on Windows does, which is showing a remote screen). If you use Wireshark to get one of the RDP servers' hostnames, you can connect using the normal Remote Desktop client in Windows... They use RDP to show the interface for activating/deactivating channels (which is just a normal Windows program running on a normal WinServer2003 terminal server session; the client in the box just maps the remote button presses to PC keyboard events), since native Mediaroom does not have that capability.


Did you find the password for logging in to the RDP? Or is it a session-based one?


I didn't find the password used, but it shouldn't be too hard to find; a couple of years ago I *hacked* a Win2k terminal server box, using ARP poisoning and some proggie I don't recall the name of that faked an RDP server and logged the password to a file, so when one of the Win2k users logged in to the machine, they were actually logging in to my fake RDP server. I will try this trick tomorrow or so. In this particular case I don't even need to use ARP poisoning; I can simply configure my router to redirect my provider's RDP server IP to my PC.

However, in my opinion the password is fixed (or per provider, or per box); it's very unlikely that they use a session-based one, because that would imply a modified LSASS (Local Security Authority) or some modifications to Active Directory/Kerberos auth or other core changes in Windows Server core components. I really doubt that they dared to mess with Windows internals... If they did that (which I really doubt), then it's like killing an ant with a nuclear bomb...
29
WinCE / Re: TV2 DRM
04. Aug 2009, 02:59

Afaik the best part of the whole XML mess is the EPG, which is compressed, so the incredibly powerful 300 MHz CPU has to parse and decompress ~1 MB of binary data wrapped into XML data and then parse the decompressed data again. Unfortunately the RDP stuff is somewhat tamper-resistant because it's complicated...


I don't understand what you mean by the RDP stuff being complicated; RDP does what it does (i.e. the same that Remote Desktop on Windows does, which is showing a remote screen). If you use Wireshark to get one of the RDP servers' hostnames, you can connect using the normal Remote Desktop client in Windows... They use RDP to show the interface for activating/deactivating channels (which is just a normal Windows program running on a normal WinServer2003 terminal server session; the client in the box just maps the remote button presses to PC keyboard events), since native Mediaroom does not have that capability.

About the AES key used to decrypt/encrypt the XML communication, we could dump it to some field on the UI (i.e. the about page). Then it should be easy to write a Wireshark protocol dissector to decrypt the XML instead of relying on a modified tv2client to dump the XML. It will facilitate the reversing for all of us.
If someone can provide me a Wireshark log and the corresponding AES key for the captured session, I can try to write the dissector....
(I can't capture it myself because I'm still trying to find someone with the necessary soldering skills to enable the JTAG pins on the SMP.)

PS: They use port 31313 for RDP instead of the usual 3389 (at least with my Portuguese provider).
30
WinCE / Re: TV2 DRM
04. Aug 2009, 00:53

Wrapping tons of binary data into XML is one of the reasons why the box needs ages to boot...


I totally agree with you; the main benefit of using XML serialization is being human-readable. Given the fact that they did a good job preventing that, what's the point of using XML? Especially if they like to embed blobs in the middle of an XML document? They should have used some kind of binary protocol... The same thing about using SOAP for web services? Everybody is using REST and JSON these days for web services... And I don't even comment on the fact that they use the RDP protocol for some interactive services...