Overview
vmdecrypt
decrypts multicast MPEG TS streams encrypted with Verimatrix VCAS (CAID=0x5601) and serve them on HTTP. You also need the corresponding channel key for each of the encrypted streams. The channel key is an AES key which is used for decrypting the ECM packets. The ECM packets contain 2 AES keys which are used for decrypting the TS packets. The ECM keys are rotated every 10sec. but the channel key is usually rotated every 24h and can be easily shared.
I presented vmdecrypt
at BSides Sofia, you can watch the recording here (in Bulgarian).
Obtaining channel keys
First you need an STB (or some other device) which can play the encrypted streams. Get root access to the STB and find the RSA key which is used for signing the payload sent to VCAS. Then you can obtain the channel keys with the following protocol:
- Send
CreateSessionKey
command to VCAS and pass the STB MAC address. The VCAS returns an RC4 session key (16 bytes) and a timestamp. This communication is done over a TLS socket.
- Send
GetAllChannelKeys
command to VCAS with the following payload: RC4_Encrypt(RSA_Sign(MD5(timestamp)))
using the RC4 session key and the RSA key from the STB. The VCAS returns all channel keys encrypted with the RC4 session key. This communication is done over plain socket.
Usage
go get -u github.com/rgerganov/vmdecrypt
vmdecrypt -i eth0 -a 192.168.1.10:8080 -c https://example.com/channels.json
Here eth0
is the multicast interface, the channels file will be downloaded from https://example.com/channels.json
and the HTTP server will be started at 192.168.1.10:8080
.
When started, http://192.168.1.10:8080/channels.m3u
returns an M3U playlist with all channels.