The RDP username/password is not fixed; that's what is included in the XML data. It looks like this:
<GetTerminalServerCredentialsPerApp3Response xmlns="http://www.microsoft.com/tv2/server/tsmonitor">
<GetTerminalServerCredentialsPerApp3Result>Succeed</GetTerminalServerCredentialsPerApp3Result>
<loginCredentials serverName="a.server.T-ONLINE.DE" domainName="TSSF01008" username="rdpsessionuser004" password="Adbe9d0d2-f1cb-48cb-a394-24bb7d2c38b9z" sessionId="5" port="3389" Token="1021cd1d-f894-4681-b4a3-63fcc35719d5" />
</GetTerminalServerCredentialsPerApp3Response>
- The token ID seems to be needed to connect.
Like I said, I haven't looked into the XML communications, my box is not modded, but I know how the standard RDP protocol is implemented on Windows 2000/XP, and given the fact that I can connect to it using a normal Windows XP client, I can assume the protocol used in MS Mediaroom is the same. The RDP protocol works by exchanging RSA certificates and a salt value, so it can set up an encrypted RC4 path between client and server.
About that XML you presented here, I can't comment on that without further investigation...
The AES key can be captured; I watched it and the corresponding IVs with the help of http://www.t-hack.com/forum/index.php?topic=293.0 and http://www.t-hack.com/forum/index.php?topic=278.0 about a year ago, but a modified tv2clientce would be much easier.
That would be your opinion.
If I had the soldering skills to directly enable JTAG in SMP, I would certainly prefer Wireshark to dumped XML files...
Anyway, since I'm on vacation for about two months and don't have better things to do (I don't think there are better lives than the student ones), can I ask you to capture some Wireshark log and the corresponding AES key? So, when I finally get my box modded, I can use my favorite way of reversing strange/alien protocols (after all, that was why Wireshark was developed).
PS - I really don't understand why you say a modified tv2client spitting out dumped XML files is easier to use than Wireshark... can you explain why? Just out of curiosity? I'm in the middle of a university degree in Telecommunications Engineering and we use Wireshark for almost everything, from GSM/UMTS protocols to simple HTTP...