How to reverse-engineer the KabelDeutschland tv-streaming API

The main intention

As a paying customer for many years, with both cable-tv and cable-internet, i found it very frustrating to not be able to watch tv on my smartphone or tablet but only on my tv. Back in 2014 my provider KabelDeutschland pulled out an tv-app for iOS that enables exactly this functionality but only for Apple mobile-devices. I always hoped that they would release an Android version shortly after but until today every customer-service-request regarding this topic leads to a “it will be available somewhere in the future” and “we can’t provide it because of some technical difficulties”. As a software developer and hardware engineer i know that this answer is just nonsense. If it runs in iOS there shouldn’t be any problem to get it up and running on Android and even on desktop.

Besides the intention to simply prove, that it is possible to get the streaming working on other devices, i had a more direct need. I bought a whole home-cinema setup including an Epson EH-TW 6100 beamer, an Onkyo Dolby Atmos capable surround-system and an Amazon Fire TV. I was not able to watch TV on this setup, because i had no DVB-C receiver to attach it to the system. But being able to install XBMC/Kodi paired with the IPTV plugin, it would be easy to do so, if there were any streaming sources.

Important Information

You need to have two contracts with KD. One for cable-tv and one for internet over cable. The second one is necessary because the streams are only available inside of their own network.

If you like to go further please be sure to met both dependencies.

Reverse-engineer the API

Final conclusion

I am aware that this part of this article should be at the end but i think some of you are not that interested in the hard details on how to do a man-in-the-middle-attack to uncover the KD API. So i decided to write this first. You can grab the fully functional streaming-proxy script as a repository in my github account: edi-design/kd-streaming-proxy. There is a README on how to get it up and running but i will provide a more detailed version below.

But by now i will continue with the description of the whole information-gathering-process.

Needed hardware and tools

Setup Burp and the iDevice

The first step is to download Burp and start it using the command line. Because Burp is written in Java you need at least the Java Runtime Environment.

Open your preferred console and type the following command to start Burp.

You will the following window. First we need to disable the intercept-function, push the button until it says intercept is of.

Burp Suite - intercept is off

Burp Suite – intercept is off

Next we go to the Options Tab and change the interface from 127.0.0.1:8080 to *:8080. This can be done by clicking the edit-button and select the All interfaces checkbox.

Burp interfaces

Burp interfaces

This is the complete part of configuring Burp. Now we switch over to our iPhone and connect it to the same network the computer running Burp is connected to. The next step is configuring Burp as proxy for this network. Go to Settings -> Wifi -> click on your Network -> HTTP Proxy Manual and add your computers IP-Adress as server.

iPhone proxy configuration

iPhone proxy configuration

Because part of the communication between the app and the KabelDeutschland API is SSL-encrypted, we need to install the Burp-provided SSL certificate. This provides us with the possibility to read the encrypted communication in plain text.

Open Safari on your iPhone and browse to http://burp. Click on CA Certificate. This will download the cert and asks you if you want to install it. Ignore the possible security risk. You can delete it afterwards.

Capturing some data

After the preparation has been finished we can now start the TV-app and collect the data it sends and gets from their backend services.

Burp should now look like this.

Captured data

Captured data

Analyzing the data

Starting to analyze the data by reading every call with its request and response, step by step.

The first call before even asking for credentials goes against an getconfig endpoint. It provides the app with all the necessary information regarding the api.

The response.

In this data we see the JsonGateway, this is the main entry-point. The second relevant information is the initObj. If you take a look at all further calls this object is needed as a mandatory param to identify against their api.

The sign-in

Before we can do any further calls, we need to have a valid session. The app does a SSOSignIn request to gather information about a SiteGuid and a DomainId. Both of these have to be appended to our formerly captured initObj. At this point you need your KD-CSC credentials. These are typically username and password you need to view your contract or invoice. KD use it to determine wether you are a cable customer or not.

The response.

Get the channel-list

Since we now have all the information to query the channel-list endpoint, lets do it. Finding the call inside of the Burp result is easy, search for GetChannelMediaList. Thanks to KD almost all of there methods are self-explanatory.

The list of all possible tv-channel will be returned, including a streaming link. I will only show an excerpt of it, because the whole response is nearly 3000 lines of json. The first element in my case contains all information about Das Erste (ARD).

Watching the stream?

Seeing the output above, it should be very easy to watch the stream. We’ve got an url that looks like a valid stream, but if you click on it, it gives you an access denied.

After some more digging into the log of Burp, i saw that there was another call named GetLicensedLinks, always called after selecting a channel to view. It provides as response the valid streaming link.

This call takes, next to the obvious initObj, two other params, the FileId and the Link. Both can be gathered from the above channel-list call.

Seeing the response, there is our most-wanted information.

You can paste one of the two urls into VLC media player and you will be able to watch the channel.

Conclusion

Because the whole process is a bit tricky and time-consuming, especially if you just want to sit down and watch tv, thats why i provided a little PHP-script at github (https://github.com/edi-design/kd-streaming-proxy). This script will do all of the work for you. You will need a webserver running inside of your home, because of the mandatory KD internet contract. Calling the script without params will provide you with the download of a playlist, containing all of the channels provided. This playlist contains links to the script itself with the channel id as param. Every time it gets called, it generate a new valid licensed link and redirects to it, that enables you to watch the stream.

I hope it is easy enough to set up and handle. As a simple webserver i can recommend the Synology NAS or a raspberry pi.

If you have any questions, feel free to ask.