about Airplay Mirroring… things after fp-setup [closed]

Question

Closed. This question needs to be more focused. It is not currently accepting answers. Learn more.

---

Want to improve this question? Update the question so it focuses on one problem only by editing this post.

Closed 5 years ago.

My project is to grab decrypted Airplay Mirrorred h.264 screen data from my Android device.
Since I know nothing about AES-like things... So I skipped that step with hard coded data, omnipeek'ed from, between My iPad and AppleTV.

Started with the "Unofficial Airplay Protocol".
Resembled the sequence, and I've questioned from my iPad with "fp-setup".

It was very helpful to examine the AirTunesController source code, I've got pretty much hints from that code. So, I grabbed the 'FPLY' starting binaries from my iPad, AppleTV. Just replied to my iPad, and "fp-setup" step is done!

Sequence is..
received FPLY311 from the iPad,
I answered with FPLY312,
received FPLY313 from the iPad,
I answered FPLY314.. then the "POST /stream" came to me with some binary parameter lists (bplist).
It look like.. (captured from my adb logcat)

D/Server( 432): AIRPLAY Mirroring Server: New connection detected
D/Server( 432): AIRPLAY Server: New connection added
D/Server( 432): BReNTT: /stream.xml
D/Server( 432): BReNTT: /stream.xml >> GET
D/Server( 432): BReNTT: responding 536 bytes of content
D/Server( 432): BReNTT: /fp-setup, body size: 16
D/Server( 432): 0x46 0x50 0x4c 0x59 0x03 0x01 0x01 0x00 0x00 0x00 0x00 0x04 0x02 0x00 0x03 0xbb
D/Server( 432): BReNTT: /fp-setup >> POST >> 311
D/Server( 432): BReNTT: responding 257 bytes of content
D/Server( 432): BReNTT: /fp-setup, body size: 164
D/Server( 432): 0x46 0x50 0x4c 0x59 0x03 0x01 0x03 0x00 0x00 0x00 0x00 0x98 0x01 0x8f 0x1a 0x9c
D/Server( 432): 0x7d 0x0a 0xf2 0x57 0xb3 0x1f 0x21 0xf5 0xc2 0xd2 0xbc 0x81 0x4c 0x03 0x2d 0x45
D/Server( 432): 0x78 0x35 0xad 0x0b 0x06 0x25 0x05 0x74 0xbb 0xc7 0xab 0x4a 0x58 0xcc 0xa6 0xee
D/Server( 432): 0xad 0x2c 0x91 0x1d 0x7f 0x3e 0x1e 0x7e 0xd4 0xc0 0x58 0x95 0x5d 0xff 0x3d 0x5c
D/Server( 432): 0xee 0xf0 0x14 0x38 0x7a 0x98 0x5b 0xdb 0x34 0x99 0x50 0x15 0xe3 0xdf 0xbd 0xac
D/Server( 432): 0xc5 0x60 0x47 0xcb 0x92 0x6e 0x09 0x3b 0x13 0xe9 0xfd 0xb5 0xe1 0xee 0xe3 0x17
D/Server( 432): 0xc0 0x18 0xbb 0xc8 0x7f 0xc5 0x45 0x3c 0x76 0x71 0x64 0x7d 0xa6 0x86 0xda 0x3d
D/Server( 432): 0x56 0x48 0x75 0xd0 0x3f 0x8a 0xea 0x9d 0x60 0x09 0x2d 0xe0 0x61 0x10 0xbc 0x7b
D/Server( 432): 0xe0 0xc1 0x6f 0x39 0x1c 0x36 0x9c 0x75 0x34 0x4a 0xe4 0x7f 0x33 0xac 0xfc 0xf1
D/Server( 432): 0x0e 0x63 0xa9 0xb5 0x8b 0xfc 0xe2 0x15 0xe9 0x60 0x01 0xc4 0x9e 0x4b 0xe9 0x67
D/Server( 432): 0xc5 0x06 0x7f 0x2a
D/Server( 432): BReNTT: /fp-setup >> POST >> 313
D/Server( 432): BReNTT: responding...
D/Server( 432): 0x46 0x50 0x4c 0x59 0x03 0x01 0x04 0x00 0x00 0x00 0x00 0x14 0x0e 0x63 0xa9 0xb5
D/Server( 432): 0x8b 0xfc 0xe2 0x15 0xe9 0x60 0x01 0xc4 0x9e 0x4b 0xe9 0x67 0xc5 0x06 0x7f 0x2a
D/Server( 432): BReNTT: responding 142 bytes of content
D/Server( 432): BReNTT: /stream >> POST !! Content-Length is 750

Finally I got the list.. with Param1 and Param2.
They're the AES key and AES initialization vector data, 72 bytes and 16 bytes relatively. And, from the same port 7100, suddenly, iPad's screen binary data came to me continuously.

Key: deviceInfoTime Value=-422009852.719235
Key: macAddress Value=64:20:0C:EF:DF:81
Key: param1 is Binary type.
BReNTT-Debug( 432): 46 50 4C 59 01 02 01 00 00 00 00 3C 00 00 00 00
BReNTT-Debug( 432): 88 E4 F8 2C 81 78 C1 8B 47 51 AC 24 B2 7C 0C 2A
BReNTT-Debug( 432): 00 00 00 10 C8 99 DC 69 65 C1 08 1D E6 A9 D9 66
BReNTT-Debug( 432): E2 BA 3E 34 54 8C DB C6 51 C3 22 DB 18 DC 22 F5
BReNTT-Debug( 432): 8F E1 54 A6 0A EC EE 18
Key: sessionID Value=-1483478994
Key: deviceID Value=110088818777987
Key: connectTime Value=0.009737
Key: version Value=200.54
Key: latencyMs Value=90
Key: fpsInfo type=4
Key: authTime Value=422009852.735252
Key: prepareTime Value=0.004542
Key: configTime Value=0.004692
Key: resolveDNSTime Value=0.008402
Key: timestampInfo type=4
Key: param2 is Binary type.
BReNTT-Debug( 432): 66 A7 5D 63 6D 80 C8 30 19 95 2A EC 2D D7 2F 1C

And..
It is the question I want to ask you.

According to the Unofficial Airplay Protocol,
If optional Param1 and Param2 exists, then the screen data is encrypted, right?

How do I deal with these 72 bytes, and 16 bytes AES data to decrypt the h.264 screen data, coming from my iPad??

Thank you.

Answer 1

The two params; param1 and param2 are encrypted using FairPlay. You will need to work out how that encryption works first then you will get the AES key to decrypt the H.264 video stream.