Apple AirTunes private key extracted (mafipulation.org)
Now that the AirTunes private key is known, it could allow for 3rd party software to act like AirTunes devices.
If this for example would be implemented in XBMC, Plex, Boxee etc you could send audio from your IOS device straight to XBMC using IOS built-in Airplay support.
96 comments
[ 2.6 ms ] story [ 164 ms ] threadIf this for example would be implemented in XBMC, Plex, Boxee etc you could send audio from your IOS device straight to XBMC using IOS built-in Airplay support.
edit: NB: I'm not sure "encrypting" is the right word here… do not hesitate to correct me
However, she mentions that you can't stream music to AirPlayer due to RAOP: http://en.wikipedia.org/wiki/Remote_Audio_Output_Protocol
which, I guess is not true anymore due to the parent link :)
But it does seem to show that iTunes was indeed checking keys before sending to an Airport Express, but that AirPlay (for video) wasn't affected. As far as I know, AirPlay is not much more than HTTP Live Streaming.
Also of interest in the same area (though this is an iOS app, so could technically include some key checking without knowing it): https://github.com/nto/AirView
edit: it looks like it would allow another software to show up as an Airport Express in iTunes, thus becoming the potential target of streaming audio over WiFi from iTunes. But am I right?
This means you will be able to easily send audio to other rooms in your house with something like XBMC running on a PC, nettop, or netbook.
edit: Just to clarify - previously you could do this:
iTunes -- stream to --> Apple Airport Express
3rd party software -- stream to --> Apple Airport Express
Now you can do this:
iTunes -- stream to --> 3rd party software/hardware
If so, Apple and this hacker are about to be lawyered hard by the MPAA.
How is this all that ground breaking from what you've been able to do with Rogue Amoeba apps for a while now?
http://rogueamoeba.com/airfoil/
http://rogueamoeba.com/utm/2008/01/10/a-tour-of-airfoil-3/
"Airfoil Speakers works pretty much like an AirPort Express from the point of view of Airfoil. It advertises its services over Bonjour, then uses the same AirTunes 2 protocol that Apple uses. However, despite using the same protocol, iTunes won’t talk to Airfoil Speakers. iTunes uses cryptographic authentication to ensure that it only talks to real AirPort Expresses, and we weren’t able to mimic that. Until Apple removes those checks, Airfoil Speakers will only work with Airfoil 3 and Airfoil for Windows."
In fact, I don't see how this private key getting "outed" is going to hurt Apple at all in any countries where things like DMCA exist.
I always wondered. My guess is maybe a proprietary RTOS to perform its simple functions?
Back in the day I figured it'd make a great OpenWRT Linux box, although now boxes with those features/size/price-point are much more common.
http://en.wikipedia.org/wiki/VxWorks#Notable_products_using_...
http://www.copyright.gov/title17/92chap12.html#1201
§1201(a)(1) does restrict personal use. That's what makes the DMCA really insidious.
This is like opening the hood of a car that requires a key that the manufacturer will only give to authorized dealers. If you figure out how to open the hood, the government is not going to stop you from messing around with the stuff in your car. It's yours, after all.
Here's what's happening here. Apple wants you to buy Apple hardware, so they cripple iTunes such that it will only speak with devices that know a secret password. Now, with the secret out, it will talk to any device.
This has absolutely nothing to do with copyright infringement.
Yes, that's exactly what it's like. Indeed, auto manufacturers have already been abusing the DMCA to prevent independent repair shops from accessing computer diagnostic codes.
https://www.eff.org/deeplinks/2009/05/right-repair-law-pro (The bill mentioned in that article that would have addressed this died in committee, by the way)
You'll find a quite different story when Palm made the Pre compatible with iTunes through reverse engineering. The certainly didn't want non-Apple devices in the iTunes ecosystem and spent quite some effort to put a stop to that, even though it had nothing to do with DRM.
Combine that with a way to update and blacklist keys and devices, and you have the state of the art DRM type system. The cryptography used in the BluRay format is probably about the best currently deployed in that application, and can just be bypassed. The same people (Paul Kocher's Cryptography Research; IMO the top cryptography consultancy in the world) who developed that developed the original Divx system (video rental at Circuit City) did the crypto for BD+. http://en.wikipedia.org/wiki/DIVX
TPMs are unfortunately usually only FIPS 140-2 level 2 or 3, and not THAT hard to break a single instance of. The TCG's TPM architecture is such that compromising one TPM doesn't class break everything. If you naively put a global key into a low-security module like that, and put millions of them in enemy hands, you will get screwed by someone with some acids and an electron microscope at college (or a competitor leaking it anonymously)
For Debian/Ubuntu users, I had to do a few things to get it to compile: 1. sudo apt-get install libcrypt-openssl-rsa-perl libao2 libao-dev 2. comment out line 642 in hairtunes.c 3. 'make'
I tried it and iTunes lists it as a device but I cannot activate it in iTunes (if I select it, it immediately unselects itself). From the console output, I see that iTunes even does not try to connect to it (to TCP Port 5000).
I am currently on a Mac so I needed to do some porting (https://github.com/albertz/shairport/) but I think this shouldn't have an impact on the behavior I am getting.
Maybe it refuses to connect because it is the same (localhost) machine? I don't have another machine at hand to try out right now.
I guess running the server and iTunes client on the same machine caused the problem.
My config: MBP on 10.6.7
And thank you for your dns-sd patch on https://github.com/albertz/shairport/
sudo /sbin/ip addr del <ipv6address>/<prefixlength> dev ethX
atv@appletv-ubuntu:~/scripts/bbhoss-shairport-31cf954$ make gcc hairtunes.c alac.c -D__i386 -lm `pkg-config --cflags --libs ao openssl` -o hairtunes hairtunes.c: In function âinit_outputâ: hairtunes.c:642: error: âao_sample_formatâ has no member named âmatrixâ
Could someone help me with this matter :) ?
http://www.macgeekery.com/tips/configuration/playing_live_au...
I use it to move music streams to the other computers in the house.
Also, I thought i would put this out there: As with the creation of the new AirPlay protocol, the RAOP (AirTunes) protocol was also changed (to support album art and other metadata, I assume). My proof of this lies in the Apple TV. If you analyze network traffic between iTunes and the ATV's airtunesd daemon, you can see that the initial pairing does not have the 'rsaaeskey' field but instead a 'fpaeskey' field. So instead of a RSA public/private scheme, it uses something else to encrypt the session keys. I found this out when trying to reverse the airtunesd binary, trying to get the key that way. :P
ARCHFLAGS="-arch i386 -arch x86_64" perl -MCPAN -e 'install Crypt::OpenSSL::RSA'
here are the keys he found - http://nanocr.eu/2004/08/11/reversing-airtunes/ and http://nanocr.eu/sw/justeport/itunesrsakeys.txt
The binaries were heavily obfuscated, and I couldn't get the IDA Pro remote to run on the AppleTV, nor could I port the binaries to run on normal OS X. Gave up after a week or so. I figured that some pro reverser would get the keys eventually that way, but I never expected that anyone would find success cracking open an Airport Express!