|
Fully secured iOS streaming... unrippable. Testers required
OK, tagging on from my continued saga against the rippers, I've finally gotten extremely well protected iOS streams going....
Just so you can test: http://bw.borkedcoder.com/iOS/ *NOTE* (and I know the GFY crowd won't read this) if you *aren't* on an iOS device, you won't see the beauty - you'll just get a SWF stream This test is purely for iOS (which as you know doesn't support flash). If you're into this stuff, you know the problems of iOS support - html5, agent spoofing, chunk downloads... all meaning a ripper's playground to get your swf-protected content out there... Well, this fucks with all that and makes it unrippable. Everything, including the actual stream is 128bit-strong encrypted. Have a bash, and try rip the iOS stream... game on. btw, *if* you have apple TV, the iOS stream *should* be projectable to your AppleTV. This is something I'm interested in testing, but don't have one to test... if you have, can you try projecting (little button on iOS device during stream to send to AppleTV) and see... Porn on Apple TV in a secure way - that would be cooooool :thumbsup |
Very impressive, if I thought I had the knowledge to trumph you, I would give it a shot. But knowing that it's you behind it, I won't even waste my time. Five years ago, I would have taken on the challenge...
|
what is to stop someone from doing a low level analysis of the data going to the video at the os level, and saving that data to be re-assembled into an unencrypted ripped and viewable format? just curious
|
Can I just use a program like FRAPS, etc, combined with a user agent spoofer to grab 'em? Trying to save myself the effort if you've already coded around that. ;)
|
Sounds kind of interesting.
Quote:
|
If it's HTML5 then I guess it's using User-Agent combined with HTTP Referrer to detect where the client is coming from.
User-Agent alteration doesn't seem to work though. |
I've managed to get it to load in Mac Safari.
|
In this regard no matter what you do will prove naive and futile.
This is taking place in a browser? People modify browsers. |
...just ripped it with snapz pro :(
|
Quote:
Quote:
|
Quote:
|
Quote:
The player is customisable to show some server-determined string every x seconds for y milliseconds to be able to identify the source of a screen rip... However, snapz pro didn't rip the iOS stream, which is what this is about :winkwink: |
Quote:
iDevices send out http requests for videos at a level much deeper than the browser, and you cannot get around this as it's within the iOS webkit. You can't get around that and so the streaming server will reject the request :thumbsup It's true that jailbroken iDevices can then recover the video from the cache. However, this is useless since the cached video is 128bit encrypted and the public key has long disappeared from the cache :thumbsup |
cool, well best of luck with it!
|
You're alive!
|
thanks testers - I could see iOS5.x users would receive "not permitted", but now that's fixed.
iOS 5 now supported |
Quote:
yeah, but with retinal burn in.... been hard at work So are you! Thought you may have gotten washed away :( |
Quote:
Thought I'd play around with that option as well, cos it's useful for live streams like cams n shit. |
Nice idea. Streaming the great race is it ?
Edit: at 1:09 it dies. |
yup,
I would like to implement this also for android, although I don't have an android device to test with :( If anyone with android could test this link I can see things better my end - you probably will be able to stream, but at least I can see server-end to secure it... |
Quote:
|
I don't know what you have changed but I'm getting quite a bit of stutter on the stream now from time to time.
|
Quote:
|
Quote:
|
looks like its just wowza and apple's live http streaming.
seems like it wouldnt be too hard to bypass since the encryption key is also sent at the same time |
Quote:
That is why I have asked for attempts at cracking the stream into a un-encrypted video on a computer, or any device. I know it seems like it wouldn't be too hard, and that's why I put a *lot* of time and effort into it ;) And no - there is no encryption key sent. Only an encrypted stream name. The private secure key is server-side only. Known only to apache and the streaming server. The beauty is in how iOS handles live http streaming... which is actually a plus for Apple |
lacks fresh poo... fail...
|
Quote:
Android 2.3 browser |
Hmm. It works using Skyfire browser which converts it for the phone, but is only a small size on the screen and won't expand to anything bigger than the size of a large postage stamp.
|
Quote:
|
Quote:
A HTTP request is a HTTP request. If it's deeper then that's just a TCP socket. |
Quote:
|
Quote:
Im not too familiar at all with android but i thought 2.3 supported m3u8 plalists in httplive requests... Do you know of any urls working for html5 android streaming of m3u8 playlists so i can look? |
Quote:
|
new android device in by friday for testing purposes mostly.
|
Quote:
Quote:
Fairly low spec phone (zte blade) as I got it specifically to fuck about with and not care about if I was going to turn it into a paperweight. Skyfire is this and I only use it on video sites as the phone doesn't officially support flash. Although I have got Adobe Flash Player 10.2 on there since someone fixed it to work with the Arm6 processor but it struggles and plays things a bit shakily. I don't understand enough about Linux to even start thinking about how to save your video :( |
It's streaming just fine for me in IE8. Is it not supposed to?
|
Quote:
It's not working for me now iOS5. |
Quote:
|
Quote:
Are you sure it was a new page refresh and not an already-watched video? A video that has already been watched will require a page refresh since the encryption keys for the actual video have long expired - they are single-use keys. Can you hit up the page again, refresh and try again? If still not, I'll have to fire up itunes and update from 4 to 5 which I didn't really want to do! |
Quote:
1. Apple have never supported flash 2. Adobe are giving up on flash mobile. So, got to get secure streams to mobiles/pads.... |
Quote:
Imagine the potential buying power.... HD porn in a secure way on your big phat plasma.... --edit if someone wants to buy me one, I'll happily test it :P |
Quote:
|
Quote:
Quote:
|
Someone else on the wowza forum also posted a step by step guide of easily decrypting the streams:
http://www.wowza.com/forums/showthre...7600#post67600 |
thanks pstation - I wouldn't say "at best this is good for preventing from browser plugins". It is a real effort to lock down iOS streams.
This is exactly what I wanted testers for (hence the title). I know what every step entails and where keys are sent. The point is is to make it so darn difficult to rip the stream that it won't be worth it. Sure, if you have an ass-to-mouth exclusive of David Cameron on Barack Obama , then it's gonna get ripped one way or the other. If you want 100% security, don't put it on the internet ;) Anyways, I see how you did it and so I can probably close that door... Additionally, I found a bug in the streaming logic - where the request for the key didn't go through the same checks to verify it was coming from an embedded <video> tag. If you would like to hit me up on email (see sig), I would like for you to test further once I've modified a few things... |
It works fine with AirPlay and AppleTV. :)
|
Quote:
You didn't get the key at all, just the URL, so there wasn't a bug in the logic. :thumbsup Sure, I see you got the encrypted chunks but never the key. |
Quote:
I saw how airplay works now and it really is a restream from the ipad - I was thinking the ipad was simply sending the URL and AppleTV was grabbing the stream (in which case this wouldn't work), but nope - it really is restreaming to the tv many thanks |
bump for a good cause
|
| All times are GMT -7. The time now is 08:11 PM. |
Powered by vBulletin® Version 3.8.8
Copyright ©2000 - 2025, vBulletin Solutions, Inc.
©2000-, AI Media Network Inc123