Skip to content

Instantly share code, notes, and snippets.

@gabonator
Created November 26, 2017 20:05
Show Gist options
  • Save gabonator/2c8885127cf6e0954c24e5d698ff99b6 to your computer and use it in GitHub Desktop.
Save gabonator/2c8885127cf6e0954c24e5d698ff99b6 to your computer and use it in GitHub Desktop.
ABcom satellite settop box protocol reverse engineering
/*
reverse engineering of ABcom Cryptobox 600HD mini dvbs box protocol
Firstly I examined android package (since it was easier to get it) "g-mscreen-2-3-11.apk". It
uses C++ library for implementing control protocol. Then I was trying to capture UPnP communication
from iphone connected to OSX running wireshark. But without luck. GMScreen allowed to connection
to box using ip address and port. This traffic was easier to caputre and analyse. Requests by
client application are human readable json/xml code. Some response packets are compressed using
zlib.
nm -D -C libdvbtoip.so | grep DVB
0000f0a0 T DVBtoIP::initialize()
0006cf10 B DVBtoIP::_serverList
0006cf0c B DVBtoIP::_clientHandle
0000f838 T DVBtoIP::getChannelURL(char const*)
0000f678 T DVBtoIP::getServerList(bool)
000103f4 T DVBtoIP::getChannelList(char const*, bool)
0000f0a8 T DVBtoIP::getChannelUserKey(char const*)
00010210 T DVBtoIP::updateChannelList(char*)
0000f1dc T DVBtoIP::initResourceForPlayer(int, char const*, int, int)
0000fc60 T DVBtoIP::upnpClientEventCallback(Upnp_EventType_e, void*, void*)
0000f49c T DVBtoIP::destroyResourceForPlayer()
0000fff8 T DVBtoIP::updateChannelListParseBuffer(char*, int*, std::map.....)
0000f0a4 T DVBtoIP::cleanup()
0006cf28 B DVBtoIP::_isInit
0000f1b4 T DVBtoIP::setSeed(int)
0000f790 T DVBtoIP::DVBtoIP()
0000f790 T DVBtoIP::DVBtoIP()
0000f5d4 T DVBtoIP::~DVBtoIP()
0000f590 T DVBtoIP::~DVBtoIP()
0000f590 T DVBtoIP::~DVBtoIP()
*/
var net = require('net');
const zlib = require('zlib');
const decompress = (buffer, handler) => zlib.unzip(buffer, {}, (err, buffer) => {err || handler(buffer.toString()); });
const alibuffer = (buffer) => "Start" + ("0000000" + buffer.length).substr(-7) + "End" + buffer;
const alijson = (json) => alibuffer(JSON.stringify(json));
satbox = new net.Socket();
satbox.connect(20000, "192.168.1.77", () =>
{
console.log('Satellite box connected');
satbox.write(alibuffer("<?xml version='1.0' encoding='UTF-8' standalone='yes' ?><Command request=\"998\" />"));
//satbox.write(alijson({request:"22"})); // list of satellites
//satbox.write(alijson({request:"14"})); // ProductName, SoftwareVersion, MaxNumOfPrograms, cur_channel_list_type...
//satbox.write(alijson({request:"15"})); // StbStatus, ProductName, SoftwareVersion
//satbox.write(alijson({request:"4"})); // no response
satbox.write(alijson({request:"24"})); // unknown binary response
//satbox.write(alijson({request:"0",FromIndex:"0",ToIndex:"10"})); // "ServiceID":"00010013405044", "ServiceName":"Markiza HD"
//satbox.write(alijson({"request":"1009","TvState":"0","ProgramId":"00010012413208"})); // streaming request?
//satbox.write(alijson({"request":"1040","array":[{"KeyValue":"1"}]})); // key up
//satbox.write(alijson({"request":"1040","array":[{"KeyValue":"2"}]})); // key down
});
satbox.on('close', () => console.log('Connection closed'));
satbox.on('data', (data) =>
{
if (data[0] == 0x5b && data[1] == 0x5b)
console.log(data); // unknown encoding
else if (data[0] == 0x78 && data[1] == 0x9c) // gzip
decompress(data, (decompressed) => console.log(decompressed));
else if (data.length == 16 && data.toString().substr(0, 4) == "GCDH")
{} // ack header before data
else
console.log(data);
});
/*
[{
"StbStatus": 1,
"ProductName": "600HD Mini",
"SoftwareVersion": "1.09.17769_patch",
"SerialNumber": "170428042664",
"ChannelNum": 281,
"MaxNumOfPrograms": 6100
}]
*/
@Delitants
Copy link

Delitants commented Dec 13, 2020

Yeah? Then what was the problem to enable scrambled ch playback? Nowadays there is no FTA left on any sat, making script useless. What, legal issues? Seems MGscreen doesn't have any.

@Amadeus23000
Copy link

Amadeus23000 commented Dec 16, 2020

I think it could be missing these strings:

public static final String G_MS_BROADCAST_INFO_MAGIC_CODE = "39WwijOog54a";
public static final int G_MS_BROADCAST_INFO_MAGIC_CODE_LEN = 12;

Alongside "GCDH"

@Delitants
Copy link

I think it could be missing these strings:

public static final String G_MS_BROADCAST_INFO_MAGIC_CODE = "39WwijOog54a";
public static final int G_MS_BROADCAST_INFO_MAGIC_CODE_LEN = 12;

Alongside "GCDH"

Do you know how to put that in the script?

@Amadeus23000
Copy link

No, but I'm hoping the author would.

@MedDhiia
Copy link

MedDhiia commented Dec 27, 2020

done
[
  {
    StbStatus: 1,
    ProductName: 'SR-T50 SUPER',
    SoftwareVersion: '2.85',
    ChannelNum: 16,
    MaxNumOfPrograms: 7000
  }
]
Start0000016End{"request":"15"}
done
Start0000046End{"request":"0","FromIndex":"0","ToIndex":"99"}
done
Start0000049End{"request":"0","FromIndex":"100","ToIndex":"199"}
done
Start0000049End{"request":"0","FromIndex":"200","ToIndex":"280"}
done
[ { Command: '' }, { Command: '' }, { Command: '' } ]
Start0000015End{"request":"3"}
done

Request "0" is always empty i can't get the channels list ?

@Amadeus23000
Copy link

Try these steps:

2 - Check how many channels your STB has and add lines as much as you need to, in the part of the script shown below.
Otherwise if you ask for channel(prognumber) 1000 and you only have lines up to 999 in your script, it will fail to find the channel and you will instead end up getting "Channel not found"
Note that it's okay to add lines more than you STB actually has, but the more you add the longer it will take to load

  .then( (resp) => maxChannels = resp[0].ChannelNum )
  .then( () => AliTv.requestChannelRange(0, 99) )
  .then( (subChannels) => AliTv._channels = AliTv._channels.concat(subChannels) )
  .then( () => AliTv.requestChannelRange(100, 199) )
  .then( (subChannels) => AliTv._channels = AliTv._channels.concat(subChannels) )
  .then( () => AliTv.requestChannelRange(200, 299) )
  .then( (subChannels) => AliTv._channels = AliTv._channels.concat(subChannels) )
  .then( () => AliTv.requestChannelRange(300, 399) )
  .then( (subChannels) => AliTv._channels = AliTv._channels.concat(subChannels) )
  .then( () => AliTv.requestChannelRange(400, 499) )
  .then( (subChannels) => AliTv._channels = AliTv._channels.concat(subChannels) )
  .then( () => AliTv.requestChannelRange(500, 599) )
  .then( (subChannels) => AliTv._channels = AliTv._channels.concat(subChannels) )
  .then( () => AliTv.requestChannelRange(600, 699) )
  .then( (subChannels) => AliTv._channels = AliTv._channels.concat(subChannels) )
  .then( () => AliTv.requestChannelRange(700, 799) )
  .then( (subChannels) => AliTv._channels = AliTv._channels.concat(subChannels) )
  .then( () => AliTv.requestChannelRange(800, 899) )
  .then( (subChannels) => AliTv._channels = AliTv._channels.concat(subChannels) )
  .then( () => AliTv.requestChannelRange(900, 999) )
  .then( (subChannels) => AliTv._channels = AliTv._channels.concat(subChannels) )
  .then( () => AliTv.requestChannelRange(1000, 1099) )
  .then( (subChannels) => AliTv._channels = AliTv._channels.concat(subChannels) )
  .then( () => AliTv._channels);

3 - Remove these 3 lines as they appear to actually stop the stream from starting

//.then( (current) => AliTv.getStreamUrl("DAJTO HD") )
.then( (current) => AliTv.getStreamUrl("TA3 HD") )
//.then( (current) => AliTv.getStreamUrl("Markiza HD") )

@lbenz
Copy link

lbenz commented Dec 27, 2020

done
[
  {
    StbStatus: 1,
    ProductName: 'SR-T50 SUPER',
    SoftwareVersion: '2.85',
    ChannelNum: 16,
    MaxNumOfPrograms: 7000
  }
]
Start0000016End{"request":"15"}
done
Start0000046End{"request":"0","FromIndex":"0","ToIndex":"99"}
done
Start0000049End{"request":"0","FromIndex":"100","ToIndex":"199"}
done
Start0000049End{"request":"0","FromIndex":"200","ToIndex":"280"}
done
[ { Command: '' }, { Command: '' }, { Command: '' } ]
Start0000015End{"request":"3"}
done

Request "0" is always empty i can't get the channels list ?

We have same problem, i already tried lots of requests to catch some channel, but without luck unfortunately.
It seems chipset GS21200GB is not fully compatible.

@MedDhiia
Copy link

Try these steps:

2 - Check how many channels your STB has and add lines as much as you need to, in the part of the script shown below.
Otherwise if you ask for channel(prognumber) 1000 and you only have lines up to 999 in your script, it will fail to find the channel and you will instead end up getting "Channel not found"
Note that it's okay to add lines more than you STB actually has, but the more you add the longer it will take to load

  .then( (resp) => maxChannels = resp[0].ChannelNum )
  .then( () => AliTv.requestChannelRange(0, 99) )
  .then( (subChannels) => AliTv._channels = AliTv._channels.concat(subChannels) )
  .then( () => AliTv.requestChannelRange(100, 199) )
  .then( (subChannels) => AliTv._channels = AliTv._channels.concat(subChannels) )
  .then( () => AliTv.requestChannelRange(200, 299) )
  .then( (subChannels) => AliTv._channels = AliTv._channels.concat(subChannels) )
  .then( () => AliTv.requestChannelRange(300, 399) )
  .then( (subChannels) => AliTv._channels = AliTv._channels.concat(subChannels) )
  .then( () => AliTv.requestChannelRange(400, 499) )
  .then( (subChannels) => AliTv._channels = AliTv._channels.concat(subChannels) )
  .then( () => AliTv.requestChannelRange(500, 599) )
  .then( (subChannels) => AliTv._channels = AliTv._channels.concat(subChannels) )
  .then( () => AliTv.requestChannelRange(600, 699) )
  .then( (subChannels) => AliTv._channels = AliTv._channels.concat(subChannels) )
  .then( () => AliTv.requestChannelRange(700, 799) )
  .then( (subChannels) => AliTv._channels = AliTv._channels.concat(subChannels) )
  .then( () => AliTv.requestChannelRange(800, 899) )
  .then( (subChannels) => AliTv._channels = AliTv._channels.concat(subChannels) )
  .then( () => AliTv.requestChannelRange(900, 999) )
  .then( (subChannels) => AliTv._channels = AliTv._channels.concat(subChannels) )
  .then( () => AliTv.requestChannelRange(1000, 1099) )
  .then( (subChannels) => AliTv._channels = AliTv._channels.concat(subChannels) )
  .then( () => AliTv._channels);

3 - Remove these 3 lines as they appear to actually stop the stream from starting
//.then( (current) => AliTv.getStreamUrl("DAJTO HD") )
.then( (current) => AliTv.getStreamUrl("TA3 HD") )
//.then( (current) => AliTv.getStreamUrl("Markiza HD") )

Yes i did everything and i tried a lots of requests but there's no channels

@MedDhiia
Copy link

done
[
  {
    StbStatus: 1,
    ProductName: 'SR-T50 SUPER',
    SoftwareVersion: '2.85',
    ChannelNum: 16,
    MaxNumOfPrograms: 7000
  }
]
Start0000016End{"request":"15"}
done
Start0000046End{"request":"0","FromIndex":"0","ToIndex":"99"}
done
Start0000049End{"request":"0","FromIndex":"100","ToIndex":"199"}
done
Start0000049End{"request":"0","FromIndex":"200","ToIndex":"280"}
done
[ { Command: '' }, { Command: '' }, { Command: '' } ]
Start0000015End{"request":"3"}
done

Request "0" is always empty i can't get the channels list ?

We have same problem, i already tried lots of requests to catch some channel, but without luck unfortunately.
It seems chipset GS21200GB is not fully compatible.

Thanks for you response ... Me too i tried a lots of requests i got the TP list on 24 and the satilites lists on 23 i think even the signal strength but there no channels list ... If the problem is with the chipset then why we can found all of this and no channels lists it's kinda wired no ?

@lbenz
Copy link

lbenz commented Dec 28, 2020

No idea why, we could reverse engineering firmware's box through binwalk to find interested things. If you have access to RS232 interface you could go this way. An other interesting thing is I want to understand how funcam sharing works. Anyway, if i find solution i'll share here.

@rameres8
Copy link

rameres8 commented Mar 25, 2021

Please How to creat any script to decrypt firmware Ali3526
or how to creat any logiciel to unpack firmware Ali3526 from code of gabonator
how to build any script from code of gabonator

@elloza
Copy link

elloza commented May 8, 2021

Hello everyone!

I'm trying to use the script (ali.js) in order to view the rstp stream from a Qviart Mini but I have tried the SETUP URL in VLC with any luck...

Could @Amadeus23000 or someone with experience with this code point me in the right direction? What URL is the right one for play the stream in VLC?

I got this error in the VLC log:

live555 error: Failed to connect with rtsp://192.168.0.113:554/?alisatid=0&freq=10818&pol=v&msys=dvbs2&mtype=8psk&ro=0.35&plts=on&sr=22000&fec=2&camode=1&vpid=167&apid=120&ttxpid=8191&subtpid=0&pmt=1038&prognumber=9967&pids=167,120,8191,0,1038&
satip error: Failed to play RTSP session

Thanks in advance!!

Start0000016End{"request":"15"}
done
[
  {
    StbStatus: 1,
    ProductName: 'QVIART MINI',
    SoftwareVersion: '1.20',
    SerialNumber: 'XXXX',
    ChannelNum: 196,
    MaxNumOfPrograms: 6100
  }
]


.........

< SETUP rtsp://192.168.0.113:554/?alisatid=0&freq=10818&pol=v&msys=dvbs2&mtype=8psk&ro=0.35&plts=on&sr=22000&fec=2&camode=1&vpid=167&apid=120&ttxpid=8191&subtpid=0&pmt=1038&prognumber=9967&pids=167,120,8191,0,1038& RTSP/1.0
< Transport: RTP/AVP/UDP;unicast;client_port=5114-5115
< CSeq: 1
< User-Agent: Lavf57.52.100

Connection closed
> RTSP/1.0 200 OK
> CSeq: 1
> Server: ALi feng/2.1.0_rc1
> com.ses.streamID: 2
> Transport: RTP/AVP;unicast;source=192.168.0.113;client_port=5114-5115;server_port=5006-5007;ssrc=4483D70A
> Session: 42eb817a115a268e
> Date: Week 4, 1 Mon0 0070 00:11:20 GMT

@elloza
Copy link

elloza commented May 8, 2021

Hello again,

I have figured out how to play in VLC the SETUP URL (I was running the script and VLC at the same time and it seems that it's incompatible).

I was able to play 40 seconds selecting an FTA channel (The same behaviour that @Amadeus23000 described previously).

When I try to play the SETUP URL of a scrambled channel with VLC several warnings appear in the console log of VLC with logs at verbose level (2).

main debug: creating demux: access='rtsp' demux='any' location='192.168.0.113:554/?alisatid=0&freq=10906&pol=v&msys=dvbs2&mtype=8psk&ro=0.35&plts=on&sr=22000&fec=2&camode=1&vpid=163&apid=98&ttxpid=8191&pmt=1027&prognumber=30004&pids=163,98,8191,1027&' file='\\192.168.0.113:554\'
main debug: looking for demux module matching "any": 55 candidates
main debug: looking for xml reader module matching "any": 1 candidates
main debug: using xml reader module "xml"
webvtt debug: subtitle demux discarded
ts debug: Standard set to Auto
main debug: using demux module "ts"
ts debug: DEMUX_SET_GROUP 0 00000000
main debug: looking for meta reader module matching "any": 2 candidates
lua debug: Trying Lua scripts in C:\Users\Loza\AppData\Roaming\vlc\lua\meta\reader
lua debug: Trying Lua scripts in C:\Program Files (x86)\VideoLAN\VLC\lua\meta\reader
lua debug: Trying Lua playlist script C:\Program Files (x86)\VideoLAN\VLC\lua\meta\reader\filename.luac
main debug: no meta reader modules matched
main debug: `rtsp://192.168.0.113:554/?alisatid=0&freq=10906&pol=v&msys=dvbs2&mtype=8psk&ro=0.35&plts=on&sr=22000&fec=2&camode=1&vpid=163&apid=98&ttxpid=8191&pmt=1027&prognumber=30004&pids=163,98,8191,1027&' successfully opened
ts debug: pid[163] unknown
ts debug: first packet for pid=163 cc=0x8
ts warning: scrambled state changed on pid 163 (0->1)
ts debug: pid[98] unknown
ts debug: first packet for pid=98 cc=0xc
ts warning: scrambled state changed on pid 98 (0->1)
ts debug: pid[1027] unknown
ts debug: first packet for pid=1027 cc=0x8
ts debug: pid[1863] unknown
satip warning: Gap in seq_nr (399 > 398), probably lost a packet
satip warning: Gap in seq_nr (451 > 450), probably lost a packet
satip warning: Gap in seq_nr (453 > 452), probably lost a packet
satip warning: Gap in seq_nr (456 > 455), probably lost a packet
satip warning: Gap in seq_nr (1338 > 1337), probably lost a packet
satip warning: Gap in seq_nr (1392 > 1390), probably lost a packet
satip warning: Gap in seq_nr (1735 > 1734), probably lost a packet
satip warning: Gap in seq_nr (1744 > 1740), probably lost a packet
satip warning: Gap in seq_nr (1753 > 1751), probably lost a packet
satip warning: Gap in seq_nr (1780 > 1779), probably lost a packet
satip warning: Gap in seq_nr (6773 > 6771), probably lost a packet
satip warning: Gap in seq_nr (6999 > 6998), probably lost a packet
satip warning: Gap in seq_nr (7246 > 7245), probably lost a packet
satip warning: Gap in seq_nr (7558 > 7554), probably lost a packet
satip warning: Gap in seq_nr (7640 > 7637), probably lost a packet
satip warning: Gap in seq_nr (7714 > 7712), probably lost a packet
satip warning: Gap in seq_nr (7721 > 7718), probably lost a packet
satip warning: Gap in seq_nr (7733 > 7732), probably lost a packet
satip warning: Gap in seq_nr (7735 > 7734), probably lost a packet
.....
satip warning: Gap in seq_nr (18231 > 18230), probably lost a packet
satip debug: timed out waiting for data...
ts debug: Can't read TS packet at 17459372
main debug: EOF reached
main debug: removing module "ts"
main debug: removing module "record"
main debug: removing module "cache_block"
main debug: removing module "satip"
satip error: Failed to teardown RTSP session
main debug: dead input
main debug: changing item without a request (current 2/3)
main debug: nothing to play
qt debug: IM: Deleting the input

I think it could be a misconfiguration of the VLC because after sniffing the transmitted data from the Android G-MScreen app, the requested URL is the same... (I'm sorry for my ignorance on this topic pretty new in this topic).

@Delitants
Copy link

Forget it, it won’t play scrambled channel. Didn’t you read the story above?

@mohammadhosin
Copy link

if your connection break after 41s
just you shoud send fake request with metod OPTION and same session every 30s.

@assiless
Copy link

assiless commented Oct 11, 2023

I generate various requests until 2000 for the moments, there is nothing interesting but i will continue to check. Anyway, thank you very much for your help and your works, i appreciate, if I get some good news I will share here 😉

@lbenz ,
you have gn-cx200 minihd platinum which have gx6605s the same chip in my stb starsat sr-4040hd vega
gx6605s it's quite popular this and this

i want to get the channel list and possibly set other channel as current

what i have tested (0..2000)
0 => empty
... => empty
14 => empty
15 => StbStatus, ProductName, SoftwareVersion, SerialNumber, ChannelNum, MaxNumOfPrograms
16 => empty
... => empty
18 => empty
19 => Data: "0"
20 => empty
21 => empty
22 => list of satellites
23 => Data: "0"
24 => list of tps
25 => empty
26 => JSON Parse error
27 => empty
... => empty
402 => take long and end without response
403 => strength, quality
404 => take long and end without response
... => empty
998 => Error: Invalid response packet
... => empty
1012 => JSON Parse error: Unexpected identifier "undefined"
... => empty
2000 => empty

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment