TV2 DRM

Started by Mulder3, 03. Aug 2009, 01:29


Mulder3

#15
05. Aug 2009, 03:41 Last Edit: 05. Aug 2009, 04:05 by Mulder3

The RDP username/password is not fixed; that's what is included in the XML data. It looks like this:
<GetTerminalServerCredentialsPerApp3Response xmlns="http://www.microsoft.com/tv2/server/tsmonitor">
<GetTerminalServerCredentialsPerApp3Result>Succeed</GetTerminalServerCredentialsPerApp3Result>
<loginCredentials serverName="a.server.T-ONLINE.DE" domainName="TSSF01008" username="rdpsessionuser004" password="Adbe9d0d2-f1cb-48cb-a394-24bb7d2c38b9z" sessionId="5" port="3389" Token="1021cd1d-f894-4681-b4a3-63fcc35719d5" />
</GetTerminalServerCredentialsPerApp3Response>
- The token ID seems to be needed to connect.

Like I said, I haven't looked into the XML communications, my box is not modded, but I know how the standard RDP protocol is implemented on Windows 2000/XP, and given the fact that I can connect to it using a normal Windows XP client, I can assume the protocol used in MS Mediaroom is the same. The RDP protocol works by exchanging RSA certificates and a salt value, so it can set up an encrypted RC4 path between client and server.
About that XML you presented here, I can't comment on that without further investigation...


The AES key can be captured; I watched it and the corresponding IVs with the help of http://www.t-hack.com/forum/index.php?topic=293.0 and http://www.t-hack.com/forum/index.php?topic=278.0 about a year ago, but a modified tv2clientce would be much easier ;)

That would be your opinion :) If I had the soldering skills to directly enable JTAG in SMP, I would certainly prefer Wireshark to dumped XML files...
Anyway, since I'm on vacation for about two months and don't have better things to do (I don't think there are better lives than the student ones :P ), can I ask you to capture some Wireshark log and the corresponding AES key? So, when I finally get my box modded, I can use my favourite way of reversing strange/alien protocols (after all, that was why Wireshark was developed).

PS - I really don't understand why you say a modified tv2client spitting out dumped XML files is easier to use than Wireshark... can you explain to me why? Just out of curiosity? I'm in the middle of a university degree in Telecommunications Engineering and we use Wireshark for almost everything, from GSM/UMTS protocols to simple HTTP...

zfeet


SSL?!


What, the connection isn't encrypted?

mce2222

Yeah, it's encrypted... but it is not using the SSL protocol.

And about the RDP password... there is no fixed RDP password, so you can forget about that.
The way it works is like this:
The box requests an RDP session... the RDP server creates a login token that is transmitted to the client on a secure channel (assuming that the client is unmodified :) ).
Then the client establishes the RDP connection using that login token.
And of course that token is different for each connection attempt.
This "enhanced security RDP" is described somewhere in the MSDN, but I don't have the link handy.
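Added example, not code from the thread or from Mediaroom: it parses the credentials response in the format quoted earlier in the thread (constructed placeholder values, same element and attribute names) and models the per-session token flow described above, with the server consuming each token on first use and expiring it after a TTL. The issuer class, its TTL and the sample values are assumptions for illustration.

```python
import secrets
import xml.etree.ElementTree as ET

NS = "{http://www.microsoft.com/tv2/server/tsmonitor}"

# Constructed sample modelled on the response quoted in the thread; all values are placeholders.
SAMPLE_RESPONSE = """<GetTerminalServerCredentialsPerApp3Response xmlns="http://www.microsoft.com/tv2/server/tsmonitor">
<GetTerminalServerCredentialsPerApp3Result>Succeed</GetTerminalServerCredentialsPerApp3Result>
<loginCredentials serverName="ts.example.invalid" domainName="EXAMPLEDOM" username="rdpsessionuser000" password="PLACEHOLDER-PASSWORD" sessionId="5" port="3389" Token="00000000-0000-4000-8000-000000000000" />
</GetTerminalServerCredentialsPerApp3Response>"""


def parse_credentials(xml_text):
    """Return the loginCredentials attributes as a dict, or None if the result element is not 'Succeed'."""
    root = ET.fromstring(xml_text)
    result = root.findtext(NS + "GetTerminalServerCredentialsPerApp3Result")
    if result != "Succeed":
        return None
    creds = root.find(NS + "loginCredentials")
    if creds is None:
        return None
    return dict(creds.attrib)


class TokenIssuer:
    """Hypothetical server-side model: one fresh token per session request,
    bound to a username, consumed on first redemption, and rejected after ttl_seconds."""

    def __init__(self, ttl_seconds=60):
        self.ttl = ttl_seconds
        self.outstanding = {}  # token -> (username, expiry time)

    def issue(self, username, now):
        token = secrets.token_hex(16)  # fresh random token for every connection attempt
        self.outstanding[token] = (username, now + self.ttl)
        return token

    def redeem(self, token, username, now):
        entry = self.outstanding.pop(token, None)  # pop makes the token single-use
        if entry is None:
            return False  # unknown or already used (replay)
        user, expiry = entry
        return user == username and now <= expiry
```

Because every redemption pops the token, a captured token replayed after the legitimate connect is refused, and an unused one dies at the TTL.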

Hoernchen


PS - I really don't understand why you say a modified tv2client spitting out dumped XML files is easier to use than Wireshark... can you explain to me why? Just out of curiosity?

Err, what I meant was that modifying the tv2clientce to display the AES key would be easier than hooking the functions ;)
bringer of linux, conqueror of hdmi, jack of all trades.

Mulder3


Err, what I meant was that modifying the tv2clientce to display the AES key would be easier than hooking the functions ;)

Sorry about my misunderstanding :)
