breunigs / bravia-auth-and-remote

Shell snippets to auth and send remote control commands to Sony Bravia TVs
ISC License

Changed authentication and provided a different version of send command #8

Closed dickschoeller closed 8 years ago

dickschoeller commented 8 years ago

Capture the tv_challenge in addition to the cookie. The challenge number doesn't expire. So, you aren't constantly refreshing.

Changed some of the echo commands to work in Cygwin. The \n stuff wasn't working very well.

Provided a different version of the send_command script that looks up the code from its mnemonic in the ircc codes file.

The new script also uses the tv_challenge value instead of the cookie for authentication.

Added the file holding the tv_challenge code to the .gitignore file.

Note that this is keeping the TV's "password" in plain text. Probably not the best idea.

One final thing to note, the list returned from the TV when you query the ircc commands is incomplete. It might be better to keep a file obtained from one of the online sources like openremote.org.

breunigs commented 8 years ago

Thank you for your patch.

However, the patch seems to mix a lot of things, that I would like to keep separate. Essentially, stuff in example subfolders is meant to show how to achieve certain things, rather than be actually useful. It's more of a very detailed guide if you want to implement this on your own (say, an android app).

So, as of that it would be nice if the "official" cookie and the kinda hack with just reusing the challenge could be kept separate, so that newcomers can easily see that these are kinda unrelated.

Anything that is on the top level is meant to be used. I think it could be possible to merge the functionality of your more user friendly sendcommand compared to the current basic one. I.e. accept base64 encoded stuff, valid named commands or bail.

Would you be able to make those changes? If you want, you can submit no-brainer stuff like replacing echo "\n" with echo;echo separately to make your patch less huge. If not, I will try to incorporate your changes once I find the time.

On a different topic: I am still amazed that the security is really that laughable and is mainly for show. Anyway, I will definitely test that on my TV later.

Cheers Stefan

dickschoeller commented 8 years ago

Hi Stefan,

I can certainly break this up into separate pull requests. I appreciate that it might have combined unrelated changes. It may take me a few days to get to this. The weekend is almost over and the work week approaches. :frowning:

I agree with you that this security approach is kind of a joke. It is pretty clear that applications that bind to the TV must keep the challenge string around. Otherwise, they would have their access retired if they weren't frequently interacting with the TV. That leaves the whole thing at the mercy of the security of the client applications. I don't even know if using the Cookie is lighter weight than just using the password.

One other thing that I did notice in various discussions is the ability to set the pre-shared key. That isn't present in my TV (XBR-65X900A). My guess is that the feature was added for the 2015 TVs. Potentially that means that a variety of different solutions might be needed for different age TVs.

I am actually in the midst of trying to create a hub for use with an Amazon Echo that we just received as a gift. What I will probably do is roll most of what I learn over into a Spring Boot application that I will run in a dedicated Raspberry PI. Besides the TV, I have a number of devices that require IR control through Global Cache iTach devices. That includes my cable box.

Dick

dickschoeller commented 8 years ago

I finally got back to this. I have reduced it to only the changes to auth.sh and the .gitignore changes to cover the output files. I did add a commented out section to cover capturing the MAC address. This can be useful when you turn around to implement Wake-on-LAN.

breunigs commented 8 years ago

Thank you for the patch. I also removed the now unused tv_auth_header… had I known before that basic auth can be achieved this easily with a --user argument to curl, it would've been so much easier for the users that didn't have a base64 tool installed. Anyway: merged!
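
Added example, not part of the pull request or the repository: one way to handle the plain-text tv_challenge file discussed in the thread, writing it owner-only and refusing to read it back when it is a symlink or readable by group or others. The function names and the file path passed in are hypothetical.

```shell
#!/bin/sh
# Added example; save_secret/load_secret and the file path are hypothetical.

# save_secret FILE VALUE: store VALUE so that only the owner can read it.
save_secret() {
    (
        umask 077                      # files created below get mode 0600
        tmp="$1.tmp.$$"
        rm -f "$tmp"                   # never reuse a file with looser modes
        printf '%s\n' "$2" > "$tmp" && mv -f "$tmp" "$1"
    )
}

# load_secret FILE: print the stored value, or fail if the file is unsafe.
load_secret() {
    if [ -L "$1" ] || [ ! -f "$1" ]; then
        echo "refusing $1: not a regular file" >&2
        return 1
    fi
    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld "$1" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "refusing $1: accessible by group or others (chmod 600)" >&2
        return 1
    fi
    # Accept a last line without a trailing newline; fail on an empty file.
    IFS= read -r secret < "$1" || [ -n "$secret" ] || return 1
    printf '%s\n' "$secret"
}
```

A caller would run `save_secret ./tv_challenge "$value"` once after pairing and `value=$(load_secret ./tv_challenge) || exit 1` before each request; keeping the file in .gitignore, as the pull request does, still applies.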