Created
November 26, 2017 20:05
-
-
Save gabonator/2c8885127cf6e0954c24e5d698ff99b6 to your computer and use it in GitHub Desktop.
ABcom satellite settop box protocol reverse engineering
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| reverse engineering of ABcom Cryptobox 600HD mini dvbs box protocol | |
| Firstly I examined android package (since it was easier to get it) "g-mscreen-2-3-11.apk". It | |
| uses C++ library for implementing control protocol. Then I was trying to capture UPnP communication | |
| from iphone connected to OSX running wireshark. But without luck. GMScreen allowed to connection | |
| to box using ip address and port. This traffic was easier to caputre and analyse. Requests by | |
| client application are human readable json/xml code. Some response packets are compressed using | |
| zlib. | |
| nm -D -C libdvbtoip.so | grep DVB | |
| 0000f0a0 T DVBtoIP::initialize() | |
| 0006cf10 B DVBtoIP::_serverList | |
| 0006cf0c B DVBtoIP::_clientHandle | |
| 0000f838 T DVBtoIP::getChannelURL(char const*) | |
| 0000f678 T DVBtoIP::getServerList(bool) | |
| 000103f4 T DVBtoIP::getChannelList(char const*, bool) | |
| 0000f0a8 T DVBtoIP::getChannelUserKey(char const*) | |
| 00010210 T DVBtoIP::updateChannelList(char*) | |
| 0000f1dc T DVBtoIP::initResourceForPlayer(int, char const*, int, int) | |
| 0000fc60 T DVBtoIP::upnpClientEventCallback(Upnp_EventType_e, void*, void*) | |
| 0000f49c T DVBtoIP::destroyResourceForPlayer() | |
| 0000fff8 T DVBtoIP::updateChannelListParseBuffer(char*, int*, std::map.....) | |
| 0000f0a4 T DVBtoIP::cleanup() | |
| 0006cf28 B DVBtoIP::_isInit | |
| 0000f1b4 T DVBtoIP::setSeed(int) | |
| 0000f790 T DVBtoIP::DVBtoIP() | |
| 0000f790 T DVBtoIP::DVBtoIP() | |
| 0000f5d4 T DVBtoIP::~DVBtoIP() | |
| 0000f590 T DVBtoIP::~DVBtoIP() | |
| 0000f590 T DVBtoIP::~DVBtoIP() | |
| */ | |
| var net = require('net'); | |
| const zlib = require('zlib'); | |
| const decompress = (buffer, handler) => zlib.unzip(buffer, {}, (err, buffer) => {err || handler(buffer.toString()); }); | |
| const alibuffer = (buffer) => "Start" + ("0000000" + buffer.length).substr(-7) + "End" + buffer; | |
| const alijson = (json) => alibuffer(JSON.stringify(json)); | |
| satbox = new net.Socket(); | |
| satbox.connect(20000, "192.168.1.77", () => | |
| { | |
| console.log('Satellite box connected'); | |
| satbox.write(alibuffer("<?xml version='1.0' encoding='UTF-8' standalone='yes' ?><Command request=\"998\" />")); | |
| //satbox.write(alijson({request:"22"})); // list of satellites | |
| //satbox.write(alijson({request:"14"})); // ProductName, SoftwareVersion, MaxNumOfPrograms, cur_channel_list_type... | |
| //satbox.write(alijson({request:"15"})); // StbStatus, ProductName, SoftwareVersion | |
| //satbox.write(alijson({request:"4"})); // no response | |
| satbox.write(alijson({request:"24"})); // unknown binary response | |
| //satbox.write(alijson({request:"0",FromIndex:"0",ToIndex:"10"})); // "ServiceID":"00010013405044", "ServiceName":"Markiza HD" | |
| //satbox.write(alijson({"request":"1009","TvState":"0","ProgramId":"00010012413208"})); // streaming request? | |
| //satbox.write(alijson({"request":"1040","array":[{"KeyValue":"1"}]})); // key up | |
| //satbox.write(alijson({"request":"1040","array":[{"KeyValue":"2"}]})); // key down | |
| }); | |
| satbox.on('close', () => console.log('Connection closed')); | |
| satbox.on('data', (data) => | |
| { | |
| if (data[0] == 0x5b && data[1] == 0x5b) | |
| console.log(data); // unknown encoding | |
| else if (data[0] == 0x78 && data[1] == 0x9c) // gzip | |
| decompress(data, (decompressed) => console.log(decompressed)); | |
| else if (data.length == 16 && data.toString().substr(0, 4) == "GCDH") | |
| {} // ack header before data | |
| else | |
| console.log(data); | |
| }); | |
| /* | |
| [{ | |
| "StbStatus": 1, | |
| "ProductName": "600HD Mini", | |
| "SoftwareVersion": "1.09.17769_patch", | |
| "SerialNumber": "170428042664", | |
| "ChannelNum": 281, | |
| "MaxNumOfPrograms": 6100 | |
| }] | |
| */ |
if your connection break after 41s
just you shoud send fake request with metod OPTION and same session every 30s.
I generate various requests until 2000 for the moments, there is nothing interesting but i will continue to check. Anyway, thank you very much for your help and your works, i appreciate, if I get some good news I will share here 😉
@lbenz ,
you have gn-cx200 minihd platinum which have gx6605s the same chip in my stb starsat sr-4040hd vega
gx6605s it's quite popular this and this
i want to get the channel list and possibly set other channel as current
what i have tested (0..2000)
0 => empty
... => empty
14 => empty
15 => StbStatus, ProductName, SoftwareVersion, SerialNumber, ChannelNum, MaxNumOfPrograms
16 => empty
... => empty
18 => empty
19 => Data: "0"
20 => empty
21 => empty
22 => list of satellites
23 => Data: "0"
24 => list of tps
25 => empty
26 => JSON Parse error
27 => empty
... => empty
402 => take long and end without response
403 => strength, quality
404 => take long and end without response
... => empty
998 => Error: Invalid response packet
... => empty
1012 => JSON Parse error: Unexpected identifier "undefined"
... => empty
2000 => empty
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Forget it, it won’t play scrambled channel. Didn’t you read the story above?