Has anyone reversed engineered the protocol used by Apple's iOS Remote app for controlling an Apple TV over IP? - reverse-engineering

I'm curious if it's possible for me to write programs that can control an Apple TV, specifically an Apple TV 4th gen running tvOS 9.1.1, like Apple's Remote app for iOS can. I'd like to send it commands for navigating in the four cardinal directions, selecting an item on the screen, going up the navigation stack -- essentially what Apple's Remote app can do.
Has anyone done any work reverse engineering the protocol it uses? Cursory Googling only has so far yielded out of date results about earlier generation Apple TVs and the DAAP protocol which looks like something different than what I want.


I captured the traffic on my iPhone using tcpdump and analyzed it with WireShark. The Remote app asks the Apple TV with normal HTTP requests on port 3689.
The workflow of the app consists in four HTTP requests:
/server-info for getting infos about the Apple TV. It responds with a Apple proprietary DAAP response (Digital Audio Access Protocol) providing some tags about the device, like the display name.
/login is performed during connection, when the app displays the "Connecting to Apple TV..." message. It responds with a DAAP about the login status.
Here's the bottleneck. /home-share-verify validates the connection between the app and the Apple TV. This call needs a Client-DAAP-Validation header with a long unknown string value. According to Wikipedia, this seems to be like an hash generated by a certificate exchange between verified sources that was introduced in iTunes 7.0+ and never reverse engineered.
/ctrl-int/1/{controlpromptupdate|controlpromptentry|playstatusupdate} seems to be the calls made for the input buttons.
Some other minor calls are fired in between (like a Bonjour service update or a /databases call).
Here and here you can find more infos. Hope this helps for getting an overview of how this simple (but protected) app works.


i wanted to tell alexa to trigger appletv and that would wake my appletv up and via HDMI & CEC turn my tv on,
in order to do that:
from your mac\linux\windows simply run:
curl -XPOST -d 'cmcc\x00\x00\x00\x01\x30cmbe\x00\x00\x00\x04menu' 'http://10.1.1.56:3689/ctrl-int/1/controlpromptentry?prompt-id=144&session-id=1'
the abstract command is:
curl -XPOST -d 'cmcc\x00\x00\x00\x01\x30cmbe\x00\x00\x00\x04menu' 'http://{APPLETV_IP}:3689/ctrl-int/1/controlpromptentry?prompt-id={CONTROL_PAIR_ID}&session-id={CONTROL_SESSION_ID}'
i extracted the CONTROL_PAIR_ID and CONTROL_SESSION_ID by setting my iphone wifi http proxy settings to my mac with fiddler on it and activated the old appletv remote app and that displayed the requests the app is executing
if you don't know how to set iphone to work with fiddler you can find it here:
http://docs.telerik.com/fiddler/Configure-Fiddler/Tasks/ConfigureForiOS


I did manage to control my Apple TV (currently running tvOS 9.2) from a python script. It turns out that you don't need to use Home Sharing to have a remote app control the Apple TV. I don't know if the following method will work if Home Sharing is enabled, but with it disabled on the Apple TV, the iOS Remote app has the option to manually add a device. (This may require removing all of the devices it is already paired with, since that was unfortunately necessary for me to get it to display the 'Add a device' button.) Once I had paired my iPhone to the Apple TV, I recorded some of its requests, copied the pairing GUID, and then constructed some of my own requests.
The only three requests necessary to make are:
/login?pairing-guid=< your pairing guid here >&hasFP=1
Logs into the Apple TV. The last four bytes of the response's is a session id, encoded as a big-endian four byte integer.
/logout?session-id=< your session id here >
Logs out. Not strictly necessary, as I found that logging in simply gets you a new session id, but probably not a bad idea to do things the way it expects.
/ctrl-int/1/controlpromptentry?prompt-id=114&session-id=< your session id here >
Send user input to the Apple TV. The data is one of several buffers that input a command, or possible a moving touch. For movement in the cardinal directions, sending several of these requests to simulate a moving touch is necessary.
I have a python script demonstrating how to do this here:
http://pastebin.com/mDHc353A
Utilizes the requests library: http://docs.python-requests.org/en/master/
Also special thanks to Adam Miskiewicz / github user skevy, since I made use of this file in his atlas-backend repo that conveniently had the right buffers to send for movement: https://github.com/skevy/atlas-backend/blob/master/atlas/services/appletv.coffee


For any people still checking out this question, I recommend checking out pyatv if they want to control their Apple TV through a python or command line interface.

Related

How to stop http request from dash_renderer

I am trying a build a realtime monitoring system for high frequency data. To increase the performance, I used the extendData property of dcc.Graph() and websocket. So that, the brouser does not need to send request to get data.
I found that it still not increasing the performance as expected. The reason I found is, from the browser, I see (by inspecting network from browser) after some miliseconds browser is still sendng request and the initiator is the dash_renderer.
This picture is for a vanilla example just to show even for a textbox example the http request goes on and on. And for my real time websocket dashboard the frequency of requests get very high.
My question is:
What dash_renderer do?
why it is sending http request?
And how to stop that?

If you run Dash in Debug mode, it has a feature called Hot Reloading which regularly (every 3 seconds by default) checks for changes to your codebase and updates your running app if it finds any. That check for updated code is what you're seeing in the network inspection.
To turn it off, either don't run in debug mode or explicitly set dev_tools_hot_reload to False like so:
app.run_server(debug=True, dev_tools_hot_reload=False)

Although it is late, After some experience, my realization is dash is not designed to work with websocket. It uses call-backs which actually sends requests to server and in server, the callback function (which is python) send back some result.
These call-backs are designed to send HTTP request to server.
For high speed data, the websocket should be used with extendTrace method of plotly.js in client side.

Does Strophe support message carbon?

I am planning to add in the message carbon function(when a user is logged into multiple device and send a message or/receive a message, it will sync between all devices) for a chat server, i am running on Ejabberd and using strophe.js...
I am wondering if there are plugin written for Ejabberd that i can install and also for strophe.js???
I looked over https://github.com/processone/ejabberd-contrib and the github for strophe.js
None of them seem to have plugins for message carbon. Wondering if anyone has this implemented before??
I have read that if it doesnt, i should treat it as a groupchat??? I am not sure why that would work??? And not exactly sure if thats good for the resources, and what if it scales up, would that have impact on the overall structure.
If it is treated as a group chat, then i assume each resource/session would be treated as a different user? Then when a message is sent into that group, all of those other session/users are updated, so even there are 2 users??

ejabberd supports message carbons as default in latest version.
This feature is unrelated to groupchat and cannot and should not be treated similarly.
If you read XEP-0280 Message Carbons you should see that sending a packet similar to the following is enough to enable it:
<iq id='enable1' type='set'>
<enable xmlns='urn:xmpp:carbons:2'/>
</iq>
You may find also valuable information in XMPP Academy video #2 at 27m30s.

How to take a screenshot in WP8?

How to produce a complete WP8 screenshot? By “complete” I mean “including application bar, status bar, message boxes and keyboard”.
Things I’ve tried:
GDI API that worked in WP7 (GetDC, CreateCompatibleDC, BitBlt), result - CreateCompatibleDC or CreateDCW return NULL, GetLastError says “the specified procedure could not be found”. Moreover, it seems WP8 only has the single HDC, namely 0x00dc00dc, so no off-screen GDI DCs are possible.
InvokeScreenCapture and SaveApplicationScreenShot from ShellChrome.dll – application deactivates, nothing else happens.
D3D11Device1::GetImmediateContext, ID3D11RenderTargetView::OMGetRenderTargets – OMGetRenderTargets returns NULL.
Any other ideas?
I don’t need to pass marketplace certification, so unsupported/undocumented APIs are OK.

In WP8 and under there is no way to capture the entire screen without running in TCB (requires a hacked image) and loading in libs that don't ship with any SDK.

Stream .LRF files via webbserver

i've noticed that on LoLReplays webpage you can now stream live games via their program LoLRecorder. I found this code on their page
href="lrf://spectator spectator.eu.lol.riotgames.com 2nHvYdkaSjjqC7f+mtHQeIhFcUSQLFu5 488978485 EUN1 3.01.0.1"
And i've tried a little to stream from my own (already recorded) game. But all i get is unable to find match. My question is: Does anyone here know how this works?
Thanks!

TL;DR; You can't stream anything, but you can open LoLReplay in spectator mode for a specific match.
Try reinstalling LoLReplay, seemed to fix the issues that I was having.
The title of your post is somewhat misleading as no streaming actually happens - all that the link does is open LoLReplay on your local machine and pass in the details of the match you want to spectate.
This will only work for matches that are happening now, as it connects in a similar way as the LoL client does when you spectate a match.
Calling LoLReplay from the browser
The links seem to be formatted as follows:
lrf://spectator [Observer IP Address][:Observer Port] [Observer Encryption Key] [Game Id] [Platform Id] [Client Version?]
lrf://spectator tells LoLReplay to open up in spectator mode.
Observer IP Address is required and can either be a hostname or an IP address. The hostname is usually in the format spectator.[eu/na/br/etc.].lol.riotgames.com.
Observer Port is optional, I believe it defaults to 8088 which appears to be the default spectator mode port.
Observer Encryption Key... is a required per-match encryption key.
Game Id is a required, per-match integer id.
Platform Id is a more specific version of the region, I guess relating to how Riot have grouped their servers. For example EUW1.
Client Version, the last field appears to be a version number - I can only assume this is either the version of the client that LoLReplay is using OR the version of the client the players in the match are using.
How to find IP address, encryption key etc.
Edit: you can now grab all the info you need using the official Riot API, you just need the SummonerId of the user you're querying for. See current-game API docs for usage.

Chrome extension to listen and capture streaming audio

Is it possible for a Chrome extension to listen for streaming audio from any of the browser's tabs? I would like to capture the streaming audio data and then analyse it.
Thanks

You could try 3 ways, neither one does provide 100% guarantee to meet your needs.
Before going into more detailed descriptions, I must note that Chrome extensions do not provide convenient tools for working on per connection level - sufficiently low level, required for stream capturing. This is by design. This is why the 1-st way is:
To look at other browsers, for example Firefox, which provides low-level APIs for connections. They are already known to be used by similar extensions. You may have a look at MediaStealer. If you do not have a specific requirement to build your system on Chrome, you should possibly move to Firefox.
You can develop a Chrome extension, which intercepts HTTP-requests by means of webRequest API, analyses their headers and extracts media urls (such as containing audio/mpeg MIME-type, for example, in HTTP-headers). Just for a quick example of code you make look at the following SO question - How to change response header in Chrome. Having the url you may force appropriate media download as a file. It will land in default downloads folder and may have unfriendly name. (I made such an extension, but I do not have requirements for further processing). If you need to further process such files, it can be a challenge to monitor them in the folder, and run additional analysis in a separate program.
You may have a look at NPAPI plugins in general, and their streaming APIs in particular. I can imagine that you create a plugin registered for, again, audio/mpeg MIME-type, and receives the data via NPP_NewStream, NPP_WriteReady and NPP_Write methods. The plugin can be wrapped into a Chrome extension. Though I made NPAPI plugins, I never used this API, and I'm not sure it will work as expected. Nethertheless, I'm mentioning this possibility here for completenees. This method requires some coding other than web-coding, meaning C/C++. NB. NPAPI plugins are deprecated and not supported in Chrome since September 2015.
Taking into account that you have some external (to the extension) "fingerprinting service" in mind, which sounds like an intelligent data processing, you may be interested in building all the system out of a browser. For example, you could, possibly, involve a HTTP-proxy, saving media from passing traffic.

If you're writing a Chrome extension, you can use the Chrome tabCapture API to record audio.
chrome.tabCapture.capture({audio: true}, function(stream) {
var recorder = new MediaRecorder(stream);
[...]
});
The rest is left as an exercise to the reader; MDN has more documentation on how to use MediaRecorder.
When this question was asked in 2013, neither chrome.tabCapture nor MediaRecorder existed.

Mac OSX solution using soundflower: http://rogueamoeba.com/freebies/soundflower/
After installing soundflower it should appear as a separate audio device in the sound preferences (apple > system preferences > sound). Divert the computer's audio to the 2ch option (stereo, 16ch is surround), then inside a DAW, such as 'audacity', set the audio input as soundflower. Now the sound should be channeled to your DAW ready for recording.
Note: having diverted the audio from the internal speakers to soundflower you will only be able to hear the audio if the 'soundflowerbed' app is actually open. You know it's open if there's a 8 legged blob in the top right task bar. Clicking this icon gives you the sound flower options.

My privoxy has the following log:
2013-08-28 18:25:27.953 00002f44 Request: api.audioaddict.com/v1/di/listener_sessions.jsonp?_method=POST&callback=_AudioAddict_WP_ListenerSession_create&listener_session%5Bid%5D=null&listener_session%5Bis_premium%5D=false&listener_session%5Bmember_id%5D=null&listener_session%5Bdevice_id%5D=6&listener_session%5Bchannel_id%5D=178&listener_session%5Bstream_set_key%5D=webplayer&_=1377699927926
2013-08-28 18:25:27.969 0000268c Request: api.audioaddict.com/v1/ping.jsonp?callback=_AudioAddict_WP_Ping__ping&_=1377699927928
2013-08-28 18:25:27.985 00002d48 Request: api.audioaddict.com/v1/di/track_history/channel/178.jsonp?callback=_AudioAddict_TrackHistory_Channel&_=1377699927942
2013-08-28 18:25:54.080 00003360 Request: pub7.di.fm/di_progressivepsy_aac?type=.flv
So I got the stream url and record it:
D:\Profiles\user\temp>wget pub7.di.fm/di_progressivepsy_aac?type=.flv
--18:26:32-- http://pub7.di.fm/di_progressivepsy_aac?type=.flv
=> `di_progressivepsy_aac#type=.flv'
Resolving pub7.di.fm... done.
Connecting to pub7.di.fm[67.221.255.50]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [video/x-flv]
[ <=> ] 1,234,151 8.96K/s
I got the file that can be reproduced in any multimedia pleer.