Update #4 almost impossible to fix

Hey Guys,

it has been a while since my last update. It was a busy week and unfortunately not a good one for the proxy.

I managed to patch the certificate pinning out of the App to be able to read the SSL encrypted traffic and thought that from now on, it would be easy to get the proxy up and running again.

I was wrong. I was able to reverse engineer the new API, but when it comes to playing the actual stream I always got the already mentioned Forbidden response from the server. Until yesterday I was not sure what the problem was, but then I discovered that there is always a request to a port directly on the device.

Calling internal SSL Proxy


What Vodafone is doing here is proxying the stream through an internal SSL-Proxy. This is kind of a VPN which secures the complete communication of the stream.

I am not able to see what happens inside of this secure connection.

There is only a slight chance that I am able to find some solutions in the source of the Android App, but it is very hard. Vodafone uses an SSL-Proxy package provided by Ineoquest and I am not able to disassemble this part of the code, because it is encrypted.

I am sorry, but I think they found a very effective way of preventing us from watching TV on devices other than the allowed ones.

Best regards,
André

Update #3 Progress on fixing the problem

This is just a very short Update to tell you that finally I found a solution to query the API of KabelDeutschland (Vodafone Kabel) again.

Postman Query Channel List


I found the reason why the API was not responding anymore.

There is still a problem getting the licensed channel-links. The request results in an error.

VLC error Channel Link


Hopefully I will find a solution for this soon.

Best regards,
André

Update #2 on the still broken KabelDeutschland (Vodafone Kabel) Proxy

Hey,
I try to keep you guys updated as often as I can.

Today I was able to take a look into the current version of the Vodafone Kabel TV App. I tried to find the part of the code where they check if someone is interfering with the communication of the app. And to be honest, Vodafone (KabelDeutschland) found a pretty efficient way to prevent me from reading the SSL-encrypted traffic.

The following code example out of the app shows how they did it.

In the onCreate action of the splash-screen, they are checking whether the SSL public key presented on the connection matches the one provided by the app itself. This prevents me from using a proxy with a self-signed certificate to decrypt the communication.
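How a public-key pin check of this kind behaves, as an added Go example (it is not the app's code, which is not reproduced on this page): the pin is assumed to be a SHA-256 hash of the certificate's SubjectPublicKeyInfo, so a proxy that presents its own certificate for the same host name fails the comparison. The host name, key seeds and the helper names spkiPin, pinMatches and selfSigned are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// spkiPin hashes only the SubjectPublicKeyInfo, so a renewal that reuses the key keeps the pin.
func spkiPin(cert *x509.Certificate) [sha256.Size]byte {
	return sha256.Sum256(cert.RawSubjectPublicKeyInfo)
}

// pinMatches reports whether any certificate of an already verified chain has the pinned key.
func pinMatches(pinned [sha256.Size]byte, chain ...*x509.Certificate) bool {
	for _, c := range chain {
		if spkiPin(c) == pinned {
			return true
		}
	}
	return false
}

// selfSigned builds a constructed test certificate; keySeed (hypothetical) fixes the key.
func selfSigned(cn, keySeed string) (*x509.Certificate, error) {
	seed := sha256.Sum256([]byte(keySeed))
	priv := ed25519.NewKeyFromSeed(seed[:])
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, priv.Public(), priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	backend, errB := selfSigned("backend.example", "backend-key") // genuine server
	proxy, errP := selfSigned("backend.example", "proxy-key")     // same name, other key
	if errB != nil || errP != nil {
		panic("certificate generation failed")
	}
	pin := spkiPin(backend) // the value shipped inside the client
	fmt.Println("direct:", pinMatches(pin, backend), "intercepted:", pinMatches(pin, proxy))
}
```

The check is independent of the device trust store, which is why installing an additional CA certificate does not change its result.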

I have not completely given up on this, but it is getting harder and harder to find a way to fix the proxy.

In the source I am able to see what requests are made, but the payload of the request body is generated from a couple of properties and also dynamically generated IDs. I have not yet been able to regenerate these IDs myself.

It definitely will take longer than expected to get this up and running again.

Best regards,
André

Update on the still broken KabelDeutschland (Vodafone Kabel) Proxy

Hey Guys,

to give you a little update about the current state of my work, here is what I tried already.

First, I was not able to solve the problem. KabelDeutschland (Vodafone Kabel) changed something in their API and within their Apps.
Normally I would use the same strategy I did to start this project in the first place, reverse engineering.

Unfortunately KabelDeutschland (Vodafone Kabel) now scans on every startup of the App (Android and iOS) if something listens to the connection. I am not able to use Burp as a proxy to read the HTTPS encrypted traffic at the moment. It always tells me that I am not connected to the internet.

Vodafone TV App Error


I will have to find another way to get into the encrypted communication of the app, to find out what they changed within their API.

If anyone has an idea, I would love to hear it.

Best regards,
André

KabelDeutschland Streaming Proxy broken at the moment

Hey Guys,

as some of you already noted, the Proxy is not working at the moment. KabelDeutschland changed something in the way they deliver the streams.

Good news, the App on Android and iOS is still working, so I am able to reverse engineer what is going on.

I will keep you updated as soon as I know more.

Best regards,
André

Fixed CDN problem with KabelDeutschland streaming proxy

What’s new

As some of you already noted, there have been some issues with getting the channel-list from the KabelDeutschland API. They migrated to a new Content-Delivery-Network which does not support a get-header-Request anymore. This caused the proxy to generate invalid channel-links and you were unable to watch the streams.

This should be fixed by now. I committed the fix within the PHP and the GO version of the proxy and also compiled the binaries to a new version 0.1.3.

Please give me feedback if the problem is solved for you.

Binaries Download

Shared Folder at mega.co.nz (mirror at dropbox)

Sourcecode Repositories

PHP

https://github.com/edi-design/kd-streaming-proxy

GO

https://github.com/edi-design/kd-go

Updated KabelDeutschland streaming proxy

What’s new

The last time, I released my KabelDeutschland streaming proxy as a result of the reverse-engineering of the KabelDeutschland API. There have been a few minor issues, mainly in using the proxy together with some other tools like Kodi / XBMC or some stream-recorder based on ffmpeg.

Today I’d like to announce a new version of the KabelDeutschland streaming proxy that solves these issues. We are now able to use it together with the media-center software.

The playlist-handling has been fully rewritten to avoid the multiple redirects during playback. These redirects were the main reason why ffmpeg could not read the playlist and its streams, and they prevented the media-center from playing the channels.

You can now select the quality of the stream by adding a param to the call. There are 3 options available: low | medium | high. Load your desired quality by opening http://[ip-address]/medium. If no quality-selector is given, it will return the medium streams. The debug option is still available by adding /txt at the end of the url after the quality identifier: http://[ip-address]/medium/txt.

Below you will find the binaries for all supported architectures, but there was also an update to the PHP version of this tool. This update can be grabbed from GitHub.

Download

Shared Folder at mega.co.nz (mirror at dropbox)

Use cases

The last time I mentioned that I was trying to get the proxy running in conjunction with Kodi / XBMC and some other useful tools. Here is a short description of how to get these tools to work with the KabelDeutschland streaming proxy.

Kodi / XBMC

To watch live TV using this proxy in Kodi or XBMC, you have to enable an add-on called PVR IPTV Simple Client. This can be found under the PVR-Clients section in the add-ons category. After enabling it, one setting needs to be configured: the URL of the playlist has to be added as seen on the screens. Also the checkbox cache m3u at local storage has to be unchecked so it reloads the playlist every time Kodi starts. After enabling and configuring the add-on, the last step is to enable Live-TV at the Kodi settings by checking the box under Settings -> Live TV.

Now you should see an option at the main menu named TV. Select the channel sub-option and enjoy the program.

The first time, the loading of the channel-list could take up to one minute, so please be patient.

Tvstreamrecord

I stumbled upon this tool (http://pavion.github.io/tvstreamrecord/) while looking for some new stuff for my Synology DS215j. It has a prebuilt package so I decided to give it a try and installed it. I imported the generated playlist but unfortunately I was not able to record the stream. As I described in my introduction, the problem was ffmpeg, which could not handle redirects in playlists, but with the new version of the KabelDeutschland streaming proxy it was easy to get the recorder running. Nevertheless there are some tweaks you have to do before it works.

As a step by step introduction we will start by adding the playlist. Open http://[Synology]:8030, click on the Channels-tab and click the Import button. Select your generated playlist. After the upload, you will see a list of all channels. You can now grab the EPG information at one of the two EPG tabs. Now we have to change the configuration. Switch over to Config -> FFMPEG support and add http to the list of stream-type. Hit submit-changes.

Now the last step is to change the path for your recordings under the General tab.

That's it, you are now able to create a scheduled recording.

How to reverse-engineer the KabelDeutschland tv-streaming API

The main intention

As a paying customer for many years, with both cable-tv and cable-internet, I found it very frustrating to not be able to watch tv on my smartphone or tablet but only on my tv. Back in 2014 my provider KabelDeutschland brought out a tv-app for iOS that enables exactly this functionality but only for Apple mobile-devices. I always hoped that they would release an Android version shortly after, but until today every customer-service-request regarding this topic leads to a “it will be available somewhere in the future” and “we can’t provide it because of some technical difficulties”. As a software developer and hardware engineer I know that this answer is just nonsense. If it runs in iOS there shouldn’t be any problem to get it up and running on Android and even on desktop.

Besides the intention to simply prove that it is possible to get the streaming working on other devices, I had a more direct need. I bought a whole home-cinema setup including an Epson EH-TW 6100 beamer, an Onkyo Dolby Atmos capable surround-system and an Amazon Fire TV. I was not able to watch TV on this setup, because I had no DVB-C receiver to attach to the system. But being able to install XBMC/Kodi paired with the IPTV plugin, it would be easy to do so, if there were any streaming sources.

Important Information

You need to have two contracts with KD. One for cable-tv and one for internet over cable. The second one is necessary because the streams are only available inside of their own network.

If you would like to go further, please be sure to meet both dependencies.

Reverse-engineer the API

Final conclusion

I am aware that this part of the article should be at the end, but I think some of you are not that interested in the hard details on how to do a man-in-the-middle-attack to uncover the KD API. So I decided to write this first. You can grab the fully functional streaming-proxy script as a repository in my GitHub account: edi-design/kd-streaming-proxy. There is a README on how to get it up and running but I will provide a more detailed version below.

But for now I will continue with the description of the whole information-gathering-process.

Needed hardware and tools

Setup Burp and the iDevice

The first step is to download Burp and start it using the command line. Because Burp is written in Java you need at least the Java Runtime Environment.

Open your preferred console and type the following command to start Burp.

You will see the following window. First we need to disable the intercept-function: push the button until it says intercept is off.

Burp Suite - intercept is off


Next we go to the Options Tab and change the interface from 127.0.0.1:8080 to *:8080. This can be done by clicking the edit-button and selecting the All interfaces checkbox.

Burp interfaces


This completes the configuration of Burp. Now we switch over to our iPhone and connect it to the same network the computer running Burp is connected to. The next step is configuring Burp as proxy for this network. Go to Settings -> Wifi -> click on your Network -> HTTP Proxy Manual and add your computer's IP address as server.

iPhone proxy configuration


Because part of the communication between the app and the KabelDeutschland API is SSL-encrypted, we need to install the Burp-provided SSL certificate. This provides us with the possibility to read the encrypted communication in plain text.

Open Safari on your iPhone and browse to http://burp. Click on CA Certificate. This will download the cert and ask you if you want to install it. Ignore the possible security risk. You can delete it afterwards.

Capturing some data

After the preparation has been finished we can now start the TV-app and collect the data it sends and gets from their backend services.

Burp should now look like this.

Captured data


Analyzing the data

We start analyzing the data by reading every call with its request and response, step by step.

The first call, made before the app even asks for credentials, goes to a getconfig endpoint. It provides the app with all the necessary information regarding the API.

The response.

In this data we see the JsonGateway, which is the main entry-point. The second relevant piece of information is the initObj. If you take a look at all further calls, this object is needed as a mandatory param to identify against their API.

The sign-in

Before we can do any further calls, we need to have a valid session. The app does an SSOSignIn request to gather information about a SiteGuid and a DomainId. Both of these have to be appended to our formerly captured initObj. At this point you need your KD-CSC credentials. These are typically the username and password you need to view your contract or invoice. KD uses them to determine whether you are a cable customer or not.

The response.

Get the channel-list

Since we now have all the information to query the channel-list endpoint, let's do it. Finding the call inside of the Burp result is easy, search for GetChannelMediaList. Thanks to KD, almost all of their methods are self-explanatory.

The list of all possible tv-channels will be returned, including a streaming link. I will only show an excerpt of it, because the whole response is nearly 3000 lines of JSON. The first element in my case contains all information about Das Erste (ARD).

Watching the stream?

Seeing the output above, it should be very easy to watch the stream. We’ve got a URL that looks like a valid stream, but if you click on it, it gives you an access denied.

After some more digging into the log of Burp, I saw that there was another call named GetLicensedLinks, always called after selecting a channel to view. Its response provides the valid streaming link.

This call takes, next to the obvious initObj, two other params, the FileId and the Link. Both can be gathered from the above channel-list call.

Seeing the response, there is our most-wanted information.

You can paste one of the two urls into VLC media player and you will be able to watch the channel.

Conclusion

Because the whole process is a bit tricky and time-consuming, especially if you just want to sit down and watch tv, I provided a little PHP-script at GitHub (https://github.com/edi-design/kd-streaming-proxy). This script will do all of the work for you. You will need a webserver running inside of your home, because of the mandatory KD internet contract. Calling the script without params will provide you with the download of a playlist, containing all of the channels provided. This playlist contains links to the script itself with the channel id as param. Every time it gets called, it generates a new valid licensed link and redirects to it, which enables you to watch the stream.

I hope it is easy enough to set up and handle. As a simple webserver I can recommend the Synology NAS or a Raspberry Pi.

If you have any questions, feel free to ask.