by Jarno
To start with an attack, one first has to gain some knowledge!
My initial starting point was a long time ago, when m3u-stream references first began appearing on various websites.
NOTE: I am not certain if it would be wise to share the details of this adventure, as there are concerns about the potential consequences. However, given the rampant misuse of IPTV platforms, it is inevitable that significant changes will be made to these platforms in the future. Some measures have already been implemented, such as requiring ‘changing passwords’, blocking IP addresses when MAC scanners are detected, and adding play-tokens to portals. Despite these efforts, as long as these types of IPTV boxes continue to be sold and used, many of these portals will remain vulnerable to hacking.
These m3u-stream references were generally effective, although not always reliable. At times, no picture was available, as these streams can only be accessed by one user at a time, unless the account has multiple users. It is worth noting that these accounts carry significant value.
Wireshark
Wireshark is ‘the’ tool for gathering information about the communication between devices, in this case between the IPTV box and the portal. The following chapters describe the steps required to reach the goal of playing an IPTV stream. If you do not have an IPTV box (I do not have one either), you can also use BlueStacks and install Stbemu.
Information
The following values are used as examples in the explanations below. Note that these are fictional addresses!
portal-address = http://ip.tv:25461
mac-address = 00:1A:79:18:05:75
username = dNzSh5And2
Step 1 – [STB] Handshake
All communication with the portal is based on OAuth 2.0, using Bearer tokens (RFC 6750).
GET http://ip.tv:25461/portal.php?type=stb&action=handshake&JsHttpRequest=1-xml
It is important to include the following headers in the GET request:
User-Agent: Mozilla/5.0 (QtEmbedded; U; Linux; C)
Cookie: mac=00:1A:79:18:05:75; stb_lang=en; timezone=Europe/Amsterdam;
This Authorization Request will result in an Access Token in JSON format, returned from the portal.
{
"js":
{
"token":"C00F7332ED272F00D5FD3E82F567A282"
}
}
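The handshake identifies a box only by the MAC address in the Cookie header, which is why portals watch for a single client address cycling through many MACs. The following is an added example (not from the original post) of that detection over constructed access-log lines; the log format, the 60-second window and the threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed log format (hypothetical, e.g. a custom nginx log_format):
#   <client_ip> [<ISO-8601 time>] "<request line>" <status> "<Cookie header>"
LINE_RE = re.compile(r'^(\S+) \[([^\]]+)\] "GET (\S+) HTTP/[\d.]+" \d{3} "([^"]*)"$')
MAC_RE = re.compile(r"mac=((?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})")

WINDOW = timedelta(seconds=60)   # assumed look-back window
MAX_DISTINCT_MACS = 3            # assumed ceiling for one address (a NAT with a few boxes)


def parse_handshake(line):
    """Return (ip, time, mac) for a type=stb handshake request, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, target, cookie = m.groups()
    query = parse_qs(urlsplit(target).query)
    if query.get("type") != ["stb"] or query.get("action") != ["handshake"]:
        return None
    # The cookie value may arrive URL-encoded and in either case: normalise it.
    mac = MAC_RE.search(unquote(cookie))
    if not mac:
        return None
    return ip, datetime.fromisoformat(ts), mac.group(1).upper()


def find_mac_scanners(lines, window=WINDOW, max_macs=MAX_DISTINCT_MACS):
    """Map each offending IP to the peak number of distinct MACs in one window."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_handshake(line)
        if parsed:
            ip, ts, mac = parsed
            events[ip].append((ts, mac))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = len({mac for _, mac in evs[start:end + 1]})
            if distinct > max_macs:
                flagged[ip] = max(flagged.get(ip, 0), distinct)
    return flagged


def make_line(ip, ts, mac, action="handshake"):
    """Build one constructed log line in the assumed format."""
    return (f'{ip} [{ts}] "GET /portal.php?type=stb&action={action}'
            f'&JsHttpRequest=1-xml HTTP/1.1" 200 '
            f'"mac={mac}; stb_lang=en; timezone=Europe/Amsterdam;"')


def at(hms):
    return f"2020-02-23T{hms}+00:00"


# Constructed sample traffic (documentation IP ranges, made-up MACs).
SAMPLE_LOG = (
    # One box re-handshaking with its own MAC, then reading its profile.
    [make_line("198.51.100.7", at(f"18:00:{s:02d}"), "00:1A:79:18:05:75") for s in (0, 30, 59)]
    + [make_line("198.51.100.7", at("18:01:00"), "00:1A:79:18:05:75", "get_profile")]
    # Two boxes behind one NAT address: below the threshold.
    + [make_line("192.0.2.10", at("18:00:05"), "00:1A:79:AA:00:01"),
       make_line("192.0.2.10", at("18:00:06"), "00:1A:79:AA:00:02")]
    # One address trying five MACs in five seconds, then repeating the first
    # one URL-encoded and in lower case (must not count as a sixth MAC).
    + [make_line("203.0.113.50", at(f"18:02:{i:02d}"), f"00:1A:79:00:00:{i:02X}") for i in range(1, 6)]
    + [make_line("203.0.113.50", at("18:02:06"), "00%3a1a%3a79%3a00%3a00%3a01")]
    # Four MACs from one address, but an hour apart: outside any one window.
    + [make_line("192.0.2.99", at(f"{h}:00:00"), f"00:1A:79:BB:00:{h}") for h in (10, 11, 12, 13)]
)

if __name__ == "__main__":
    for ip, peak in find_mac_scanners(SAMPLE_LOG).items():
        print(f"{ip}: {peak} distinct MACs within {WINDOW.seconds}s")
```

Counting distinct MACs per source rather than raw request volume keeps a box that simply reconnects often from being flagged.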
Step 2 – [STB] Get Profile
The profile information consists of settings used by the IPTV box. Note that from now on we need to include the access token in the GET headers!
GET http://ip.tv:25461/portal.php?type=stb&action=get_profile&JsHttpRequest=1-xml
User-Agent: Mozilla/5.0 (QtEmbedded; U; Linux; C)
Cookie: mac=00:1A:79:18:05:75; stb_lang=en; timezone=Europe/Amsterdam;
Authorization: Bearer C00F7332ED272F00D5FD3E82F567A282
This Request will result in profile information in JSON format, returned from the portal.
{
"js":
{
"id":"692",
"name":"109",
"sname":"",
"pass":"",
"parent_password":"0000",
"bright":"200",
"contrast":"127",
"saturation":"127",
"video_out":"rca",
"volume":"65",
"playback_buffer_bytes":"0",
"playback_buffer_size":"0",
"audio_out":"1",
"mac":"MDA6MUE6Nzk6MTg6MDU6NzU=",
"ip":"109.129.183.25",
"ls":null,
"version":"",
"lang":null,
"locale":"en_GB.utf8",
"city_id":"0",
"hd":"1",
"main_notify":"1",
"fav_itv_on":"0",
"now_playing_start":null,
"now_playing_type":"0",
"now_playing_content":null,
"additional_services_on":"1",
"time_last_play_tv":null,
"time_last_play_video":null,
"operator_id":"0",
"storage_name":"",
"hd_content":"1",
"image_version":"218",
"last_change_status":null,
"last_start":null,
"last_active":null,
"keep_alive":null,
"screensaver_delay":"10",
"phone":"",
"fname":"",
"login":"",
"password":"dNzSh5And2",
"stb_type":"MAG254",
"num_banks":"0",
"tariff_plan_id":"0",
"comment":null,
"now_playing_link_id":null,
"now_playing_streamer_id":null,
"just_started":"1",
"last_watchdog":"1582481300",
"created":"1491317586",
"plasma_saving":"0",
"ts_enabled":"0",
"ts_enable_icon":"1",
"ts_path":null,
"ts_max_length":"3600",
"ts_buffer_use":"cyclic",
"ts_action_on_exit":"no_save",
"ts_delay":"on_pause",
"video_clock":"Off",
"verified":"0",
"hdmi_event_reaction":"1",
"pri_audio_lang":"",
"sec_audio_lang":"",
"pri_subtitle_lang":"",
"sec_subtitle_lang":"",
"subtitle_color":"16777215",
"subtitle_size":"20",
"show_after_loading":"main_menu",
"play_in_preview_by_ok":"1",
"hw_version":"2.5-IB-00",
"openweathermap_city_id":"0",
"theme":"",
"settings_password":"0000",
"expire_billing_date":"0000-00-00 00:00:00",
"reseller_id":null,
"account_balance":"",
"client_type":"STB",
"hw_version_2":"62",
"blocked":"0",
"units":"metric",
"tariff_expired_date":null,
"tariff_id_instead_expired":null,
"activation_code_auto_issue":"1",
"last_itv_id":"7139",
"updated":{
"id":"1",
"uid":"1",
"anec":"0",
"vclub":"0"
},
"rtsp_type":"4",
"rtsp_flags":"0",
"stb_lang":"en",
"display_menu_after_loading":"1",
"record_max_length":"180",
"web_proxy_host":"",
"web_proxy_port":"",
"web_proxy_user":"",
"web_proxy_pass":"",
"web_proxy_exclude_list":"",
"demo_video_url":"",
"tv_quality_filter":"",
"is_moderator":false,
"timeslot_ratio":0.33333333333333,
"timeslot":40,
"kinopoisk_rating":"1",
"enable_tariff_plans":"",
"strict_stb_type_check":"",
"cas_type":0,
"cas_params":null,
"cas_web_params":null,
"cas_additional_params":[],
"cas_hw_descrambling":0,
"cas_ini_file":"",
"logarithm_volume_control":"",
"allow_subscription_from_stb":"1",
"deny_720p_gmode_on_mag200":"1",
"enable_arrow_keys_setpos":"1",
"show_purchased_filter":"",
"timezone_diff":0,
"enable_connection_problem_indication":true,
"invert_channel_switch_direction":"",
"play_in_preview_only_by_ok":"true",
"enable_stream_error_logging":"",
"always_enabled_subtitles":"1",
"enable_service_button":"",
"enable_setting_access_by_pass":"",
"tv_archive_continued":"",
"plasma_saving_timeout":"600",
"show_tv_only_hd_filter_option":"",
"tv_playback_retry_limit":"0",
"fading_tv_retry_timeout":"1",
"epg_update_time_range":0.6,
"store_auth_data_on_stb":false,
"account_page_by_password":"",
"tester":false,
"enable_stream_losses_logging":"",
"external_payment_page_url":"",
"max_local_recordings":"10",
"tv_channel_default_aspect":"fit",
"default_led_level":"10",
"standby_led_level":"90",
"show_version_in_main_menu":"1",
"disable_youtube_for_mag200":"1",
"auth_access":false,
"epg_data_block_period_for_stb":"5",
"standby_on_hdmi_off":"1",
"force_ch_link_check":"",
"stb_ntp_server":"pool.ntp.org",
"overwrite_stb_ntp_server":"",
"hide_tv_genres_in_fullscreen":null,
"advert":null,
"aspect":"",
"playback_limit":3,
"country":null,
"watchdog_timeout":88,
"play_token":"e7f7uKdyF8:1582481370:1349",
"status":0,
"update_url":"",
"test_download_url":"",
"default_timezone":"Europe\/Brussels",
"default_locale":"en_GB.utf8",
"allowed_stb_types":
["aurahd",
"aurahd8",
"aurahd9",
.
.
.
"mag349",
"mag350",
"mag351",
"mag352",
"mag420",
"wr320"],
"allowed_stb_types_for_local_recording":
["aurahd",
"aurahd8",
"aurahd9",
.
.
.
"mag349",
"mag350",
"mag351",
"mag352",
"mag420",
"wr320"],
"storages":[],
"show_tv_channel_logo":true,
"show_channel_logo_in_preview":true,
"hls_fast_start":"1",
"check_ssl_certificate":0,
"enable_buffering_indication":1}}
It is already good to know that this request also returned a password, which we can use later!
"login":"","password":"dNzSh5And2","stb_type":"MAG254"
Step 3 – [ITV] Get Genres
Genres are categories where TV-channels are stored. To get the genre-list we need to do the following request. Note that we now use type=itv instead of type=stb!
GET portal.php?type=itv&action=get_genres&JsHttpRequest=1-xml
User-Agent: Mozilla/5.0 (QtEmbedded; U; Linux; C)
Cookie: mac=00:1A:79:18:05:75; stb_lang=en; timezone=Europe/Amsterdam;
Authorization: Bearer C00F7332ED272F00D5FD3E82F567A282
This Request will result in a list in JSON format, returned from the portal.
{
"js":
[
{
"id":"*",
"title":"All",
"alias":"All",
"active_sub":true,
"censored":0
},
{
"id":"173",
"title":"TR | TURKIYE",
"modified":"",
"number":1,
"alias":"tr | turkiye",
"censored":0
},
{
"id":"179",
"title":"NL | NEDERLAND",
"modified":"",
"number":11,
"alias":"nl | nederland",
"censored":0
},
{
"id":"167",
"title":"NL | FILM ZENDERS",
"modified":"",
"number":15,
"alias":"nl | film zenders",
"censored":0
},
.
.
.
{
"id":"109",
"title":"IR | IRAN",
"modified":"",
"number":74,
"alias":"ir | iran",
"censored":0
},
{
"id":"128",
"title":"US | USA",
"modified":"",
"number":75,
"alias":"us | usa",
"censored":0}
]
}
Each genre is identified by an id (a number), which we need in order to get the TV channels within that genre.
One genre extracted, which we will continue to work with:
{
"id":"179",
"title":"NL | NEDERLAND",
"modified":"",
"number":11,
"alias":"nl | nederland",
"censored":0
},
Step 4 – [ITV] Get Ordered List
To get all TV-channels from this genre (id=179), we need to use the action Get_Ordered_List with the following request:
GET portal.php?type=itv&action=get_ordered_list&genre=179&force_ch_link_check=&fav=0&sortby=number&hd=0&p=1&JsHttpRequest=1-xml
User-Agent: Mozilla/5.0 (QtEmbedded; U; Linux; C)
Cookie: mac=00:1A:79:18:05:75; stb_lang=en; timezone=Europe/Amsterdam;
Authorization: Bearer C00F7332ED272F00D5FD3E82F567A282
This Request will result in a list in JSON format, returned from the portal.
Note that we need to make several Get_Ordered_List requests to get all channels within this genre, because the data is exchanged in pages. The next page can be fetched by changing p=1 into p=2 in the GET request.
{
"js":{
"total_items":24,
"max_page_items":14,
"selected_item":0,
"cur_page":0,
"data":[
{
"id":"3031",
"name":"## | NEDERLAND 4K+ | ##",
"number":"462",
"censored":"",
"cmd":"ffmpeg http://localhost/ch/3031_",
"cost":"0",
"count":"0",
"status":1,
"hd":"0",
"tv_genre_id":"179",
"base_ch":"1",
"xmltv_id":"",
"service_id":"",
"bonus_ch":"0",
"volume_correction":"0",
"mc_cmd":"",
"enable_tv_archive":0,
"wowza_tmp_link":"0",
"wowza_dvr":"0",
"use_http_tmp_link":"1",
"monitoring_status":"1",
"enable_monitoring":"0",
"enable_wowza_load_balancing":"0",
"cmd_1":"",
"cmd_2":"",
"cmd_3":"",
"logo":"",
"correct_time":"0",
"nimble_dvr":"0",
"allow_pvr":0,
"allow_local_pvr":0,
"allow_remote_pvr":0,
"modified":"",
"allow_local_timeshift":"1",
"nginx_secure_link":"1",
"tv_archive_duration":0,
"locked":0,
"lock":0,
"fav":0,
"archive":0,
"genres_str":"",
"cur_playing":"[No channel info]",
"epg":[
],
"open":1,
"cmds":[
{
"id":"3031",
"ch_id":"3031",
"priority":"0",
"url":"ffmpeg http://localhost/ch/3031_",
"status":"1",
"use_http_tmp_link":"1",
"wowza_tmp_link":"0",
"user_agent_filter":"",
"use_load_balancing":"0",
"changed":"",
"enable_monitoring":"0",
"enable_balancer_monitoring":"0",
"nginx_secure_link":"1",
"flussonic_tmp_link":"0"
}
],
"use_load_balancing":0,
"pvr":0
},
{
"id":"31917",
"name":"NL | NPO 1 4K+",
"number":"463",
"censored":"",
"cmd":"ffmpeg http://localhost/ch/31917_",
"cost":"0",
"count":"0",
"status":1,
"hd":"0",
"tv_genre_id":"179",
"base_ch":"1",
"xmltv_id":"NPO1.nl",
"service_id":"",
"bonus_ch":"0",
"volume_correction":"0",
"mc_cmd":"",
"enable_tv_archive":1,
"wowza_tmp_link":"0",
"wowza_dvr":"0",
"use_http_tmp_link":"1",
"monitoring_status":"1",
"enable_monitoring":"0",
"enable_wowza_load_balancing":"0",
"cmd_1":"",
"cmd_2":"",
"cmd_3":"",
"logo":"http://ip.tv:8000/nl/npo1.png",
"correct_time":"0",
"nimble_dvr":"0",
"allow_pvr":0,
"allow_local_pvr":0,
"allow_remote_pvr":0,
"modified":"",
"allow_local_timeshift":"1",
"nginx_secure_link":"1",
"tv_archive_duration":24,
"locked":0,
"lock":0,
"fav":0,
"archive":1,
"genres_str":"",
"cur_playing":"[No channel info]",
"epg":[
],
"open":1,
"cmds":[
{
"id":"31917",
"ch_id":"31917",
"priority":"0",
"url":"ffmpeg http://localhost/ch/31917_",
"status":"1",
"use_http_tmp_link":"1",
"wowza_tmp_link":"0",
"user_agent_filter":"",
"use_load_balancing":"0",
"changed":"",
"enable_monitoring":"0",
"enable_balancer_monitoring":"0",
"nginx_secure_link":"1",
"flussonic_tmp_link":"0"
}
],
"use_load_balancing":0,
"pvr":0
},
{
"id":"31916",
"name":"NL | NPO 2 4K+",
"number":"464",
"censored":"",
"cmd":"ffmpeg http://localhost/ch/31916_",
"cost":"0",
"count":"0",
"status":1,
"hd":"0",
"tv_genre_id":"179",
"base_ch":"1",
"xmltv_id":"NPO2.nl",
"service_id":"",
"bonus_ch":"0",
"volume_correction":"0",
"mc_cmd":"",
"enable_tv_archive":1,
"wowza_tmp_link":"0",
"wowza_dvr":"0",
"use_http_tmp_link":"1",
"monitoring_status":"1",
"enable_monitoring":"0",
"enable_wowza_load_balancing":"0",
"cmd_1":"",
"cmd_2":"",
"cmd_3":"",
"logo":"http://ip.tv:8000/nl/npo2.png",
"correct_time":"0",
"nimble_dvr":"0",
"allow_pvr":0,
"allow_local_pvr":0,
"allow_remote_pvr":0,
"modified":"",
"allow_local_timeshift":"1",
"nginx_secure_link":"1",
"tv_archive_duration":24,
"locked":0,
"lock":0,
"fav":0,
"archive":1,
"genres_str":"",
"cur_playing":"[No channel info]",
"epg":[
],
"open":1,
"cmds":[
{
"id":"31916",
"ch_id":"31916",
"priority":"0",
"url":"ffmpeg http://localhost/ch/31916_",
"status":"1",
"use_http_tmp_link":"1",
"wowza_tmp_link":"0",
"user_agent_filter":"",
"use_load_balancing":"0",
"changed":"",
"enable_monitoring":"0",
"enable_balancer_monitoring":"0",
"nginx_secure_link":"1",
"flussonic_tmp_link":"0"
}
],
"use_load_balancing":0,
"pvr":0
},
{
"id":"31915",
"name":"NL | NPO 3 4K+",
"number":"465",
"censored":"",
"cmd":"ffmpeg http://localhost/ch/31915_",
"cost":"0",
"count":"0",
"status":1,
"hd":"0",
"tv_genre_id":"179",
"base_ch":"1",
"xmltv_id":"NPO3.nl",
"service_id":"",
"bonus_ch":"0",
"volume_correction":"0",
"mc_cmd":"",
"enable_tv_archive":1,
"wowza_tmp_link":"0",
"wowza_dvr":"0",
"use_http_tmp_link":"1",
"monitoring_status":"1",
"enable_monitoring":"0",
"enable_wowza_load_balancing":"0",
"cmd_1":"",
"cmd_2":"",
"cmd_3":"",
"logo":"http://ip.tv:8000/nl/npo3.png",
"correct_time":"0",
"nimble_dvr":"0",
"allow_pvr":0,
"allow_local_pvr":0,
"allow_remote_pvr":0,
"modified":"",
"allow_local_timeshift":"1",
"nginx_secure_link":"1",
"tv_archive_duration":24,
"locked":0,
"lock":0,
"fav":0,
"archive":1,
"genres_str":"",
"cur_playing":"[No channel info]",
"epg":[
],
"open":1,
"cmds":[
{
"id":"31915",
"ch_id":"31915",
"priority":"0",
"url":"ffmpeg http://localhost/ch/31915_",
"status":"1",
"use_http_tmp_link":"1",
"wowza_tmp_link":"0",
"user_agent_filter":"",
"use_load_balancing":"0",
"changed":"",
"enable_monitoring":"0",
"enable_balancer_monitoring":"0",
"nginx_secure_link":"1",
"flussonic_tmp_link":"0"
}
],
"use_load_balancing":0,
"pvr":0
},
.
.
.
{
"id":"31908",
"name":"NL | SBS 9 4K+",
"number":"472",
"censored":"",
"cmd":"ffmpeg http://localhost/ch/31908_",
"cost":"0",
"count":"0",
"status":1,
"hd":"0",
"tv_genre_id":"179",
"base_ch":"1",
"xmltv_id":"SBS9.nl",
"service_id":"",
"bonus_ch":"0",
"volume_correction":"0",
"mc_cmd":"",
"enable_tv_archive":1,
"wowza_tmp_link":"0",
"wowza_dvr":"0",
"use_http_tmp_link":"1",
"monitoring_status":"1",
"enable_monitoring":"0",
"enable_wowza_load_balancing":"0",
"cmd_1":"",
"cmd_2":"",
"cmd_3":"",
"logo":"http://ip.tv:8000/nl/sbs9.png",
"correct_time":"0",
"nimble_dvr":"0",
"allow_pvr":0,
"allow_local_pvr":0,
"allow_remote_pvr":0,
"modified":"",
"allow_local_timeshift":"1",
"nginx_secure_link":"1",
"tv_archive_duration":24,
"locked":0,
"lock":0,
"fav":0,
"archive":1,
"genres_str":"",
"cur_playing":"[No channel info]",
"epg":[
],
"open":1,
"cmds":[
{
"id":"31908",
"ch_id":"31908",
"priority":"0",
"url":"ffmpeg http://localhost/ch/31908_",
"status":"1",
"use_http_tmp_link":"1",
"wowza_tmp_link":"0",
"user_agent_filter":"",
"use_load_balancing":"0",
"changed":"",
"enable_monitoring":"0",
"enable_balancer_monitoring":"0",
"nginx_secure_link":"1",
"flussonic_tmp_link":"0"
}
],
"use_load_balancing":0,
"pvr":0
},
]
}
}
One channel extracted:
{
"id":"31915",
"name":"NL | NPO 3 4K+",
"number":"465",
"censored":"",
"cmd":"ffmpeg http://localhost/ch/31915_",
"cost":"0",
"count":"0",
"status":1,
"hd":"0",
"tv_genre_id":"179",
"base_ch":"1",
"xmltv_id":"NPO3.nl",
"service_id":"",
"bonus_ch":"0",
"volume_correction":"0",
"mc_cmd":"",
"enable_tv_archive":1,
"wowza_tmp_link":"0",
"wowza_dvr":"0",
"use_http_tmp_link":"1",
"monitoring_status":"1",
"enable_monitoring":"0",
"enable_wowza_load_balancing":"0",
"cmd_1":"",
"cmd_2":"",
"cmd_3":"",
"logo":"http://ip.tv:8000/nl/npo3.png",
"correct_time":"0",
"nimble_dvr":"0",
"allow_pvr":0,
"allow_local_pvr":0,
"allow_remote_pvr":0,
"modified":"",
"allow_local_timeshift":"1",
"nginx_secure_link":"1",
"tv_archive_duration":24,
"locked":0,
"lock":0,
"fav":0,
"archive":1,
"genres_str":"",
"cur_playing":"[No channel info]",
"epg":[
],
"open":1,
"cmds":[
{
"id":"31915",
"ch_id":"31915",
"priority":"0",
"url":"ffmpeg http://localhost/ch/31915_",
"status":"1",
"use_http_tmp_link":"1",
"wowza_tmp_link":"0",
"user_agent_filter":"",
"use_load_balancing":"0",
"changed":"",
"enable_monitoring":"0",
"enable_balancer_monitoring":"0",
"nginx_secure_link":"1",
"flussonic_tmp_link":"0"
}
],
"use_load_balancing":0,
"pvr":0
},
We still cannot play the stream for this channel, because we do not yet have enough information. All we need is the following step and the data from the cmd parameter:
"http://localhost/ch/31915_"
Step 5 – [ITV] Create Link
To get the stream URL of the TV channel, we need to use the action Create_Link with the following request, where cmd is taken from the previous step:
GET portal.php?type=itv&action=create_link&cmd=http://localhost/ch/31915_&series=&forced_storage=undefined&disable_ad=0&download=0&JsHttpRequest=1-xml
User-Agent: Mozilla/5.0 (QtEmbedded; U; Linux; C)
Cookie: mac=00:1A:79:18:05:75; stb_lang=en; timezone=Europe/Amsterdam;
Authorization: Bearer C00F7332ED272F00D5FD3E82F567A282
This Request will result in a list in JSON format, returned from the portal.
{
"js":{
"id":"47534",
"cmd":"ffmpeg http://ip.tv:8000:80/dNzSh5And2/MoCmEzytdO/47534?play_token=Hsv87nbU99"
},
"streamer_id":0,
"link_id":0,
"load":0,
"error":""
}
Step 6 – Play the TV-stream
The only thing we need to do now is to open this cmd stream in VLC Player or, in my case, Stalker Player for Windows.
http://ip.tv:8000:80/dNzSh5And2/MoCmEzytdO/47534?play_token=Hsv87nbU99
Note that the stream format is as follows:
http://{stalker_portal_address:port}/{username}/{password}/{stream_id}?{play_token}
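The profile response in Step 2 and the stream URL format above both place account secrets where they end up in packet captures, proxy logs and player histories. The following is an added example (not from the original post) that scrubs both before a capture is stored or shared; the list of secret keys, the mask string and the function names are assumptions, and the sample values are this page's fictional data.

```python
import base64
import binascii
import json
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Profile keys that carry secrets in the get_profile response shown on this page.
SECRET_KEYS = {"password", "pass", "parent_password", "settings_password",
               "web_proxy_pass", "play_token"}
MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")
MASK = "REDACTED"


def b64_mac(value):
    """Return the MAC address hidden in a base64 string, or None."""
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    return text if MAC_RE.match(text) else None


def scrub_profile(body):
    """Return (findings, redacted_profile) for a get_profile JSON body."""
    profile = json.loads(body)["js"]
    findings, redacted = [], dict(profile)
    for key, value in profile.items():
        if key in SECRET_KEYS and value:
            findings.append(f"{key}: secret returned to the client in clear text")
            redacted[key] = MASK
        elif isinstance(value, str) and b64_mac(value):
            # base64 is an encoding, not protection: the device MAC is readable.
            findings.append(f"{key}: base64-encoded device MAC")
            redacted[key] = MASK
    return findings, redacted


def scrub_stream_cmd(cmd):
    """Mask username, password and play_token in a create_link 'cmd' value."""
    prefix, _, url = cmd.rpartition(" ")      # optional player prefix, e.g. "ffmpeg"
    parts = urlsplit(url)
    segs = parts.path.split("/")              # ['', username, password, stream_id]
    if len(segs) == 4:
        segs[1] = segs[2] = MASK
    query = [(k, MASK if k == "play_token" else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    clean = urlunsplit((parts.scheme, parts.netloc, "/".join(segs),
                        urlencode(query), ""))
    return f"{prefix} {clean}".strip()


# Subset of the fictional profile response from Step 2.
SAMPLE_PROFILE = json.dumps({"js": {
    "id": "692",
    "parent_password": "0000",
    "mac": "MDA6MUE6Nzk6MTg6MDU6NzU=",
    "ip": "109.129.183.25",
    "login": "",
    "password": "dNzSh5And2",
    "stb_type": "MAG254",
    "settings_password": "0000",
    "web_proxy_pass": "",
    "play_token": "e7f7uKdyF8:1582481370:1349",
}})

# The fictional create_link result from Step 5.
SAMPLE_CMD = ("ffmpeg http://ip.tv:8000:80/dNzSh5And2/MoCmEzytdO/47534"
              "?play_token=Hsv87nbU99")

if __name__ == "__main__":
    findings, redacted = scrub_profile(SAMPLE_PROFILE)
    for finding in findings:
        print("finding:", finding)
    print(json.dumps(redacted, indent=2))
    print(scrub_stream_cmd(SAMPLE_CMD))
```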
What’s next
So far we have used actions on the stb and itv functions. The same should be done for the vod function to play Video On Demand. The functions available for each type are listed below. Functions that are available but not yet described are indicated in italic.
STB
- handshake
- get_profile
- get_localization
- get_preload_images
- get_modules
- get_tv_aspects
- log
- get_ad
ITV
- get_genres
- get_ordered_list
- create_link
- get_epg_info
- get_short_epg
- get_all_channels
- set_fav_status
- get_fav_ids
- get_all_channels
- get_all_fav_channels
VOD
- get_categories
- get_ordered_list
- create_link
TO BE CONTINUED…
XtreamCodesExtendAPI – Player API
player_api
Actions:
- ‘none’ (GetUserInfo)
- get_live_categories
- get_vod_categories
- get_live_streams
- get_short_epg
- get_simple_data_table
- get_vod_streams
- get_vod_info
https://github.com/gtaman92/XtreamCodesExtendAPI/blob/master/player_api.php
panel.api
http://ip.tv:25461/panel_api.php?username=fRjLIq8ybj&password=vNlCUc55Ut
- ‘none’ (GetCategories)
- get_epg
xmltv_api
http://ip.tv:25461/xmltv.php?username=fRjLIq8ybj&password=vNlCUc55Ut
Unauthenticated SQL Injection
For Stalker / Ministra version 5.4.1:
TO BE CONTINUED…
All communications with the portal is done based on Oauth 2.0, with the Bearer token RFC6750.
GET http://ip.tv:25461/portal.php?type=stb&action=handshake&JsHttpRequest=1-xml
Important is that we have to include the following headers into the GET-request:
User-Agent: Mozilla/5.0 (QtEmbedded; U; Linux; C) Cookie: mac=00:1A:79:18:05:75; stb_lang=en; timezone=Europe/Amsterdam;
This Authorization Request will result in an Access Token in JSON format, returned from the portal.
{ "js": { "token":"C00F7332ED272F00D5FD3E82F567A282" } }
Step 2 – [STB] Get Profile
Profile information are settings used by the IPTV-box. Note that from now on we need to include the access-token to the GET-headers!
GET http://ip.tv:25461/portal.php?type=stb&action=get_profile&JsHttpRequest=1-xml User-Agent: Mozilla/5.0 (QtEmbedded; U; Linux; C) Cookie: mac=00:1A:79:18:05:75; stb_lang=en; timezone=Europe/Amsterdam; Authorization: Bearer C00F7332ED272F00D5FD3E82F567A282
This Request will result in profile information in JSON format, returned from the portal.
{ "js": { "id":"692", "name":"109", "sname":"", "pass":"", "parent_password":"0000", "bright":"200", "contrast":"127", "saturation":"127", "video_out":"rca", "volume":"65", "playback_buffer_bytes":"0", "playback_buffer_size":"0", "audio_out":"1", "mac":"MDA6MUE6Nzk6MTg6MDU6NzU=", "ip":"109.129.183.25", "ls":null, "version":"", "lang":null, "locale":"en_GB.utf8", "city_id":"0", "hd":"1", "main_notify":"1", "fav_itv_on":"0", "now_playing_start":null, "now_playing_type":"0", "now_playing_content":null, "additional_services_on":"1", "time_last_play_tv":null, "time_last_play_video":null, "operator_id":"0", "storage_name":"", "hd_content":"1", "image_version":"218", "last_change_status":null, "last_start":null, "last_active":null, "keep_alive":null, "screensaver_delay":"10", "phone":"", "fname":"", "login":"", "password":"dNzSh5And2", "stb_type":"MAG254", "num_banks":"0", "tariff_plan_id":"0", "comment":null, "now_playing_link_id":null, "now_playing_streamer_id":null, "just_started":"1", "last_watchdog":"1582481300", "created":"1491317586", "plasma_saving":"0", "ts_enabled":"0", "ts_enable_icon":"1", "ts_path":null, "ts_max_length":"3600", "ts_buffer_use":"cyclic", "ts_action_on_exit":"no_save", "ts_delay":"on_pause", "video_clock":"Off", "verified":"0", "hdmi_event_reaction":"1", "pri_audio_lang":"", "sec_audio_lang":"", "pri_subtitle_lang":"", "sec_subtitle_lang":"", "subtitle_color":"16777215", "subtitle_size":"20", "show_after_loading":"main_menu", "play_in_preview_by_ok":"1", "hw_version":"2.5-IB-00", "openweathermap_city_id":"0", "theme":"", "settings_password":"0000", "expire_billing_date":"0000-00-00 00:00:00", "reseller_id":null, "account_balance":"", "client_type":"STB", "hw_version_2":"62", "blocked":"0", "units":"metric", "tariff_expired_date":null, "tariff_id_instead_expired":null, "activation_code_auto_issue":"1", "last_itv_id":"7139", "updated":{ "id":"1", "uid":"1", "anec":"0", "vclub":"0" }, "rtsp_type":"4", "rtsp_flags":"0", "stb_lang":"en", 
"display_menu_after_loading":"1", "record_max_length":"180", "web_proxy_host":"", "web_proxy_port":"", "web_proxy_user":"", "web_proxy_pass":"", "web_proxy_exclude_list":"", "demo_video_url":"", "tv_quality_filter":"", "is_moderator":false, "timeslot_ratio":0.33333333333333, "timeslot":40, "kinopoisk_rating":"1", "enable_tariff_plans":"", "strict_stb_type_check":"", "cas_type":0, "cas_params":null, "cas_web_params":null, "cas_additional_params":[], "cas_hw_descrambling":0, "cas_ini_file":"", "logarithm_volume_control":"", "allow_subscription_from_stb":"1", "deny_720p_gmode_on_mag200":"1", "enable_arrow_keys_setpos":"1", "show_purchased_filter":"", "timezone_diff":0, "enable_connection_problem_indication":true, "invert_channel_switch_direction":"", "play_in_preview_only_by_ok":"true", "enable_stream_error_logging":"", "always_enabled_subtitles":"1", "enable_service_button":"", "enable_setting_access_by_pass":"", "tv_archive_continued":"", "plasma_saving_timeout":"600", "show_tv_only_hd_filter_option":"", "tv_playback_retry_limit":"0", "fading_tv_retry_timeout":"1", "epg_update_time_range":0.6, "store_auth_data_on_stb":false, "account_page_by_password":"", "tester":false, "enable_stream_losses_logging":"", "external_payment_page_url":"", "max_local_recordings":"10", "tv_channel_default_aspect":"fit", "default_led_level":"10", "standby_led_level":"90", "show_version_in_main_menu":"1", "disable_youtube_for_mag200":"1", "auth_access":false, "epg_data_block_period_for_stb":"5", "standby_on_hdmi_off":"1", "force_ch_link_check":"", "stb_ntp_server":"pool.ntp.org", "overwrite_stb_ntp_server":"", "hide_tv_genres_in_fullscreen":null, "advert":null, "aspect":"", "playback_limit":3, "country":null, "watchdog_timeout":88, "play_token":"e7f7uKdyF8:1582481370:1349", "status":0, "update_url":"", "test_download_url":"", "default_timezone":"Europe\/Brussels", "default_locale":"en_GB.utf8", "allowed_stb_types": ["aurahd", "aurahd8", "aurahd9", . . . 
"mag349", "mag350", "mag351", "mag352", "mag420", "wr320"], "allowed_stb_types_for_local_recording": ["aurahd", "aurahd8", "aurahd9", . . . "mag349", "mag350", "mag351", "mag352", "mag420", "wr320"], "storages":[], "show_tv_channel_logo":true, "show_channel_logo_in_preview":true, "hls_fast_start":"1", "check_ssl_certificate":0, "enable_buffering_indication":1}}
Already good to know that this request also resulted into a password, which we can use later!
"login":"","password":"dNzSh5And2","stb_type":"MAG254"
Step 3 – [ITV] Get Genres
Genres are categories where TV-channels are stored. To get the genre-list we need to do the following request. Note that we now use type=itv instead of type=stb!
GET portal.php?type=itv&action=get_genres&JsHttpRequest=1-xml User-Agent: Mozilla/5.0 (QtEmbedded; U; Linux; C) Cookie: mac=00:1A:79:18:05:75; stb_lang=en; timezone=Europe/Amsterdam; Authorization: Bearer C00F7332ED272F00D5FD3E82F567A282
This Request will result in a list in JSON format, returned from the portal.
{ "js": [ { "id":"*", "title":"All", "alias":"All", "active_sub":true, "censored":0 }, { "id":"173", "title":"TR | TURKIYE", "modified":"", "number":1, "alias":"tr | turkiye", "censored":0 }, { "id":"179", "title":"NL | NEDERLAND", "modified":"", "number":11, "alias":"nl | nederland", "censored":0 }, { "id":"167", "title":"NL | FILM ZENDERS", "modified":"", "number":15, "alias":"nl | film zenders", "censored":0 }, . . . { "id":"109", "title":"IR | IRAN", "modified":"", "number":74, "alias":"ir | iran", "censored":0 }, { "id":"128", "title":"US | USA", "modified":"", "number":75, "alias":"us | usa", "censored":0} ] }
The genres are identified with an id: “number”, which we need to get the TV-channels within this genre.
One genre extracted on which we will work further on:
{ "id":"179", "title":"NL | NEDERLAND", "modified":"", "number":11, "alias":"nl | nederland", "censored":0 },
Step 4 – [ITV] Get Ordered List
To get all TV-channels from this genre (id=179), we need to use the action Get_Ordered_List with the following request:
GET portal.php?type=itv&action=get_ordered_list&genre=179&force_ch_link_check=&fav=0&sortby=number&hd=0&p=1&JsHttpRequest=1-xml User-Agent: Mozilla/5.0 (QtEmbedded; U; Linux; C) Cookie: mac=00:1A:79:18:05:75; stb_lang=en; timezone=Europe/Amsterdam; Authorization: Bearer C00F7332ED272F00D5FD3E82F567A282
This Request will result in a list in JSON format, returned from the portal.
Note that we need to do several Get_Ordered_List to get all channels within this genre, because data-exchange is done with pages. Next page can be gotten by changing p=1 into p=2 in the GET-request.
{ "js":{ "total_items":24, "max_page_items":14, "selected_item":0, "cur_page":0, "data":[ { "id":"3031", "name":"## | NEDERLAND 4K+ | ##", "number":"462", "censored":"", "cmd":"ffmpeg http://localhost/ch/3031_", "cost":"0", "count":"0", "status":1, "hd":"0", "tv_genre_id":"179", "base_ch":"1", "xmltv_id":"", "service_id":"", "bonus_ch":"0", "volume_correction":"0", "mc_cmd":"", "enable_tv_archive":0, "wowza_tmp_link":"0", "wowza_dvr":"0", "use_http_tmp_link":"1", "monitoring_status":"1", "enable_monitoring":"0", "enable_wowza_load_balancing":"0", "cmd_1":"", "cmd_2":"", "cmd_3":"", "logo":"", "correct_time":"0", "nimble_dvr":"0", "allow_pvr":0, "allow_local_pvr":0, "allow_remote_pvr":0, "modified":"", "allow_local_timeshift":"1", "nginx_secure_link":"1", "tv_archive_duration":0, "locked":0, "lock":0, "fav":0, "archive":0, "genres_str":"", "cur_playing":"[No channel info]", "epg":[ ], "open":1, "cmds":[ { "id":"3031", "ch_id":"3031", "priority":"0", "url":"ffmpeg http://localhost/ch/3031_", "status":"1", "use_http_tmp_link":"1", "wowza_tmp_link":"0", "user_agent_filter":"", "use_load_balancing":"0", "changed":"", "enable_monitoring":"0", "enable_balancer_monitoring":"0", "nginx_secure_link":"1", "flussonic_tmp_link":"0" } ], "use_load_balancing":0, "pvr":0 }, { "id":"31917", "name":"NL | NPO 1 4K+", "number":"463", "censored":"", "cmd":"ffmpeg http://localhost/ch/31917_", "cost":"0", "count":"0", "status":1, "hd":"0", "tv_genre_id":"179", "base_ch":"1", "xmltv_id":"NPO1.nl", "service_id":"", "bonus_ch":"0", "volume_correction":"0", "mc_cmd":"", "enable_tv_archive":1, "wowza_tmp_link":"0", "wowza_dvr":"0", "use_http_tmp_link":"1", "monitoring_status":"1", "enable_monitoring":"0", "enable_wowza_load_balancing":"0", "cmd_1":"", "cmd_2":"", "cmd_3":"", "logo":"http://ip.tv:8000/nl/npo1.png", "correct_time":"0", "nimble_dvr":"0", "allow_pvr":0, "allow_local_pvr":0, "allow_remote_pvr":0, "modified":"", "allow_local_timeshift":"1", "nginx_secure_link":"1", 
"tv_archive_duration":24, "locked":0, "lock":0, "fav":0, "archive":1, "genres_str":"", "cur_playing":"[No channel info]", "epg":[ ], "open":1, "cmds":[ { "id":"31917", "ch_id":"31917", "priority":"0", "url":"ffmpeg http://localhost/ch/31917_", "status":"1", "use_http_tmp_link":"1", "wowza_tmp_link":"0", "user_agent_filter":"", "use_load_balancing":"0", "changed":"", "enable_monitoring":"0", "enable_balancer_monitoring":"0", "nginx_secure_link":"1", "flussonic_tmp_link":"0" } ], "use_load_balancing":0, "pvr":0 }, { "id":"31916", "name":"NL | NPO 2 4K+", "number":"464", "censored":"", "cmd":"ffmpeg http://localhost/ch/31916_", "cost":"0", "count":"0", "status":1, "hd":"0", "tv_genre_id":"179", "base_ch":"1", "xmltv_id":"NPO2.nl", "service_id":"", "bonus_ch":"0", "volume_correction":"0", "mc_cmd":"", "enable_tv_archive":1, "wowza_tmp_link":"0", "wowza_dvr":"0", "use_http_tmp_link":"1", "monitoring_status":"1", "enable_monitoring":"0", "enable_wowza_load_balancing":"0", "cmd_1":"", "cmd_2":"", "cmd_3":"", "logo":"http://ip.tv:8000/nl/npo2.png", "correct_time":"0", "nimble_dvr":"0", "allow_pvr":0, "allow_local_pvr":0, "allow_remote_pvr":0, "modified":"", "allow_local_timeshift":"1", "nginx_secure_link":"1", "tv_archive_duration":24, "locked":0, "lock":0, "fav":0, "archive":1, "genres_str":"", "cur_playing":"[No channel info]", "epg":[ ], "open":1, "cmds":[ { "id":"31916", "ch_id":"31916", "priority":"0", "url":"ffmpeg http://localhost/ch/31916_", "status":"1", "use_http_tmp_link":"1", "wowza_tmp_link":"0", "user_agent_filter":"", "use_load_balancing":"0", "changed":"", "enable_monitoring":"0", "enable_balancer_monitoring":"0", "nginx_secure_link":"1", "flussonic_tmp_link":"0" } ], "use_load_balancing":0, "pvr":0 }, { "id":"31915", "name":"NL | NPO 3 4K+", "number":"465", "censored":"", "cmd":"ffmpeg http://localhost/ch/31915_", "cost":"0", "count":"0", "status":1, "hd":"0", "tv_genre_id":"179", "base_ch":"1", "xmltv_id":"NPO3.nl", "service_id":"", "bonus_ch":"0", 
"volume_correction":"0", "mc_cmd":"", "enable_tv_archive":1, "wowza_tmp_link":"0", "wowza_dvr":"0", "use_http_tmp_link":"1", "monitoring_status":"1", "enable_monitoring":"0", "enable_wowza_load_balancing":"0", "cmd_1":"", "cmd_2":"", "cmd_3":"", "logo":"http://ip.tv:8000/nl/npo3.png", "correct_time":"0", "nimble_dvr":"0", "allow_pvr":0, "allow_local_pvr":0, "allow_remote_pvr":0, "modified":"", "allow_local_timeshift":"1", "nginx_secure_link":"1", "tv_archive_duration":24, "locked":0, "lock":0, "fav":0, "archive":1, "genres_str":"", "cur_playing":"[No channel info]", "epg":[ ], "open":1, "cmds":[ { "id":"31915", "ch_id":"31915", "priority":"0", "url":"ffmpeg http://localhost/ch/31915_", "status":"1", "use_http_tmp_link":"1", "wowza_tmp_link":"0", "user_agent_filter":"", "use_load_balancing":"0", "changed":"", "enable_monitoring":"0", "enable_balancer_monitoring":"0", "nginx_secure_link":"1", "flussonic_tmp_link":"0" } ], "use_load_balancing":0, "pvr":0 }, . . . { "id":"31908", "name":"NL | SBS 9 4K+", "number":"472", "censored":"", "cmd":"ffmpeg http://localhost/ch/31908_", "cost":"0", "count":"0", "status":1, "hd":"0", "tv_genre_id":"179", "base_ch":"1", "xmltv_id":"SBS9.nl", "service_id":"", "bonus_ch":"0", "volume_correction":"0", "mc_cmd":"", "enable_tv_archive":1, "wowza_tmp_link":"0", "wowza_dvr":"0", "use_http_tmp_link":"1", "monitoring_status":"1", "enable_monitoring":"0", "enable_wowza_load_balancing":"0", "cmd_1":"", "cmd_2":"", "cmd_3":"", "logo":"http://ip.tv:8000/nl/sbs9.png", "correct_time":"0", "nimble_dvr":"0", "allow_pvr":0, "allow_local_pvr":0, "allow_remote_pvr":0, "modified":"", "allow_local_timeshift":"1", "nginx_secure_link":"1", "tv_archive_duration":24, "locked":0, "lock":0, "fav":0, "archive":1, "genres_str":"", "cur_playing":"[No channel info]", "epg":[ ], "open":1, "cmds":[ { "id":"31908", "ch_id":"31908", "priority":"0", "url":"ffmpeg http://localhost/ch/31908_", "status":"1", "use_http_tmp_link":"1", "wowza_tmp_link":"0", 
"user_agent_filter":"", "use_load_balancing":"0", "changed":"", "enable_monitoring":"0", "enable_balancer_monitoring":"0", "nginx_secure_link":"1", "flussonic_tmp_link":"0" } ], "use_load_balancing":0, "pvr":0 }, ] } }
One channel extracted:
{ "id":"31915", "name":"NL | NPO 3 4K+", "number":"465", "censored":"", "cmd":"ffmpeg http://localhost/ch/31915_", "cost":"0", "count":"0", "status":1, "hd":"0", "tv_genre_id":"179", "base_ch":"1", "xmltv_id":"NPO3.nl", "service_id":"", "bonus_ch":"0", "volume_correction":"0", "mc_cmd":"", "enable_tv_archive":1, "wowza_tmp_link":"0", "wowza_dvr":"0", "use_http_tmp_link":"1", "monitoring_status":"1", "enable_monitoring":"0", "enable_wowza_load_balancing":"0", "cmd_1":"", "cmd_2":"", "cmd_3":"", "logo":"http://ip.tv:8000/nl/npo3.png", "correct_time":"0", "nimble_dvr":"0", "allow_pvr":0, "allow_local_pvr":0, "allow_remote_pvr":0, "modified":"", "allow_local_timeshift":"1", "nginx_secure_link":"1", "tv_archive_duration":24, "locked":0, "lock":0, "fav":0, "archive":1, "genres_str":"", "cur_playing":"[No channel info]", "epg":[ ], "open":1, "cmds":[ { "id":"31915", "ch_id":"31915", "priority":"0", "url":"ffmpeg http://localhost/ch/31915_", "status":"1", "use_http_tmp_link":"1", "wowza_tmp_link":"0", "user_agent_filter":"", "use_load_balancing":"0", "changed":"", "enable_monitoring":"0", "enable_balancer_monitoring":"0", "nginx_secure_link":"1", "flussonic_tmp_link":"0" } ], "use_load_balancing":0, "pvr":0 },
We still cannot play the stream for this channel, because we do not have enough information yet. All we still need is the following step and the value of the cmd parameter:
"http://localhost/ch/31915_"
Step 5 – [ITV] Create Link
To get the stream URL of the TV channel, we use the action create_link with the following request, where cmd is taken from the previous step:
GET portal.php?type=itv&action=create_link&cmd=http://localhost/ch/31915_&series=&forced_storage=undefined&disable_ad=0&download=0&JsHttpRequest=1-xml
User-Agent: Mozilla/5.0 (QtEmbedded; U; Linux; C)
Cookie: mac=00:1A:79:18:05:75; stb_lang=en; timezone=Europe/Amsterdam;
Authorization: Bearer C00F7332ED272F00D5FD3E82F567A282
The portal answers this request with a response in JSON format:
{ "js":{ "id":"47534", "cmd":"ffmpeg http://ip.tv:8000:80/dNzSh5And2/MoCmEzytdO/47534?play_token=Hsv87nbU99" }, "streamer_id":0, "link_id":0, "load":0, "error":"" }
Step 6 – Play the TV-stream
The only thing left to do now is to open this cmd-stream in VLC Player or, in my case, Stalker Player for Windows.
http://ip.tv:8000:80/dNzSh5And2/MoCmEzytdO/47534?play_token=Hsv87nbU99
Note that the stream URL has the following format:
http://{stalker_portal_address:port}/{username}/{password}/{stream_id}?{play_token}
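Because this URL carries the account's username and password in its path, it should be masked before it ends up in logs, tickets or shared captures. The following is an added example, not code from the original post: it parses the create_link response shown above and rebuilds the URL with the password and play_token masked. The function names are hypothetical and the sample input is the page's fictional response.

```python
import json
import re

# Stream URL layout as given on this page:
# http://{portal_address:port}/{username}/{password}/{stream_id}?{play_token}
# A regex is used because the sample authority "ip.tv:8000:80" is not a valid
# host:port pair, so urllib's port parsing would reject it.
STREAM_RE = re.compile(
    r"^(?P<scheme>https?)://(?P<authority>[^/]+)"
    r"/(?P<username>[^/]+)/(?P<password>[^/]+)/(?P<stream_id>[^/?]+)"
    r"(?:\?(?P<query>.*))?$"
)

# Constructed sample: the create_link response from this page (fictional values).
SAMPLE_RESPONSE = (
    '{ "js":{ "id":"47534", "cmd":"ffmpeg http://ip.tv:8000:80/dNzSh5And2/'
    'MoCmEzytdO/47534?play_token=Hsv87nbU99" }, "streamer_id":0, "link_id":0, '
    '"load":0, "error":"" }'
)


def parse_create_link(response_text):
    """Split the cmd of a create_link response into its parts (hypothetical helper)."""
    cmd = json.loads(response_text)["js"]["cmd"]
    # cmd is "<player> <url>", e.g. "ffmpeg http://..."; a bare URL is accepted too.
    player, _, url = cmd.rpartition(" ")
    match = STREAM_RE.match(url)
    if match is None:
        raise ValueError("cmd does not follow the documented stream URL layout")
    parts = match.groupdict()
    parts["player"] = player
    token = re.search(r"(?:^|&)play_token=([^&]*)", parts.pop("query") or "")
    parts["play_token"] = token.group(1) if token else None
    return parts


def redact_stream_url(parts):
    """Rebuild the URL with password and play_token masked; the username is
    kept so a log entry can still be attributed to an account."""
    url = "{scheme}://{authority}/{username}/***/{stream_id}".format(**parts)
    if parts["play_token"] is not None:
        url += "?play_token=***"
    return url


if __name__ == "__main__":
    fields = parse_create_link(SAMPLE_RESPONSE)
    print(redact_stream_url(fields))
```

The placeholder cmd from get_all_channels (http://localhost/ch/31915_) has no username/password/stream_id path, so the parser rejects it with a ValueError instead of guessing.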
What’s next
So far we have used actions of the types stb and itv. The same can be done with the vod type to play Video On Demand. The actions available for each type are listed below. Actions that are available but not yet described are indicated in italic.
STB
- handshake
- get_profile
- get_localization
- get_preload_images
- get_modules
- get_tv_aspects
- log
- get_ad
ITV
- get_genres
- get_ordered_list
- create_link
- get_epg_info
- get_short_epg
- get_all_channels
- set_fav_status
- get_fav_ids
- get_all_channels
- get_all_fav_channels
VOD
- get_categories
- get_ordered_list
- create_link
TO BE CONTINUED…
XtreamCodesExtendAPI – Player API
player_api
Actions:
- ‘none’ (GetUserInfo)
- get_live_categories
- get_vod_categories
- get_live_streams
- get_short_epg
- get_simple_data_table
- get_vod_streams
- get_vod_info
https://github.com/gtaman92/XtreamCodesExtendAPI/blob/master/player_api.php
panel_api
http://ip.tv:25461/panel_api.php?username=fRjLIq8ybj&password=vNlCUc55Ut
- ‘none’ (GetCategories)
- get_epg
xmltv_api
http://ip.tv:25461/xmltv.php?username=fRjLIq8ybj&password=vNlCUc55Ut
Unauthenticated SQL Injection
For Stalker / Ministra version 5.4.1:
TO BE CONTINUED…