mvasilchuk / yasem-mag-api

GNU General Public License v2.0
2 stars 7 forks

GetUID #1

Open barhom opened 8 years ago

barhom commented 8 years ago

Hey,

What do you know about device_id, device_id2, signature?

I've been trying to look at the code available here: https://github.com/azhurb/stalker_portal/blob/c9cce4fe82e014ff3f2941d479f18a0f45f8414a/c/xpcom.common.js

            'device_id'        : stb.GetUID ? stb.GetUID() : '',
            'device_id2'       : device_id2,
            'signature'        : stb.GetUID ? stb.GetUID(this.access_token) : '',

But I don't really know what these mean. I can sniff device_id and device_id2 from a mag250 box using Wireshark. These two always stay the same. But the signature changes every time you reload the mag device.

Do you have any idea how to properly create the signature?

mvasilchuk commented 8 years ago

Hi,

I don't know how it should work. See my comment https://github.com/mvasilchuk/yasem-mag-api/blob/master/gstb.cpp#L2333

But because access token (a random value from a handshake, when a portal connects to a server) is one of GetUID's arguments, I assume GetUID calculates some hash from the token.

barhom commented 8 years ago

I saw the comment but I wanted to start a discussion to try to figure out the algo for the signature. How much digging have you actually done? I can dig more.

One thing for certain is that stb.GetUID is not documented in http://soft.infomir.com.ua/mag250/Doc/JS_API-html-2015-03-27.zip

I can try to force a specific access token (handshake) to see if we always get the same signature if it is the same access token.

Is there no way to see how the function stb.GetUID is run? Do you know if it's simple .js files that are located inside the rootfs of mag250/254 or is it compiled into stbapp?

barhom commented 8 years ago

Well, this didn't work:

function GetUID() { [native code] }

The function is compiled into the JS interpreter probably inside the binary stbapp.

mvasilchuk commented 8 years ago

Yes, all these functions are compiled into stbapp. As far as I know, Infomir uses Qt 4.6 for creating the API, like I do in yasem. So the only way to see what this function does is to decompile stbapp. I did it once a few years ago, but I don't know the assembler for MAG's CPU, so I didn't understand what this function does.

barhom commented 8 years ago

Alright, unless we find somebody that knows some assembler for the MAG CPU we won't know exactly what this function does.

Do we even know how/where stalker checks signature server side? MAG calculates the signature, sure, but where exactly does the server do anything with it?

mvasilchuk commented 8 years ago

The server doesn't calculate the signature. It just writes the signature of the first device that connected using a given MAC address into the database; after that the server compares the MAC/signature pair (since Stalker 5.0, afaik, it also checks the serial number) on each request from a device. If the MAC/signature (one of them) is not the same as in the database, Stalker shows the message "Your STB is broken". If you want to find the place where it checks, you have to download Stalker 4.3, because since Stalker 5 this part of the code is encrypted. After you have downloaded it, the required code should be in /server/lib/core/stb.class.php.

barhom commented 8 years ago

From what I noticed it is only when changing "device_id" or "device_id2" that you get a "Your STB is broken". I could be wrong though, maybe I'm testing against an old stalker.

eclipsetalk commented 7 years ago

Hello, quick question: you mentioned "I can sniff device_id and device_id2 from a mag250 box using wireshark". Could you please elaborate on how to do it? I tried to ssh in and did the following but it doesn't work:

    cd /tmp
    wget
    chmod a+x tcpdump-4.3.0-static
    ./tcpdump-4.3.0-static -A -vvv | grep -Eo "(sn=[0-9a-zA-Z]*).*(device_id=[0-9a-zA-Z]*).*(device_id2=[0-9a-zA-Z]*).*(signature=[0-9a-zA-Z]*)"

Thanks

gamelaster commented 7 years ago

For getting the deviceID etc., I use weinre for connecting to the STB, then executing the JavaScript functions that I need.

Dem85 commented 6 years ago

My debug from mag254 (maybe helpful):

gSTB.GetUID('DF533EF4F8A4591B96886DFFABF63074');

9729E64119869B40B2F691677DDDA23880FD364A0DAECEC522BF15D1E49D9CD4

gSTB.GetUID('DF533EF4F8A4591B96886DFFABF63074','DF533EF4F8A4591B96886DFFABF63074');

7559F9D8C823C56BFDB819610C6F789B783B10283D3164C688AC786EB7F73A06

gSTB.GetHashVersion1('{"mac":"D0:76:58:01:49:60","sn":"","model":"WR330","type":"STB","uid":"","random":"8f2011c67bab5f29f0e5d3dd399830ae83dde846"}', '8f2011c67bab5f29f0e5d3dd399830ae83dde846');

gSTB.GetUID('qwe');

968C0B20BE9C9562A6DA40405A6E15EF054D24F74B85CE6289F3F6040B95E56A

gSTB.GetUID();

6409717102758C55337FDFA4B1CE059C8CD2785CDBAA0FC4C5649028AE55005A

AlJohri commented 5 years ago

If we figure out how gSTB.GetUID works and use it to run the get_profile action on a second device, do you know if the first device will get "unactivated"?

In other words, can only one handshake token work at a given time?

gamelaster commented 5 years ago

@AlJohri as far as I remember, yeah, it will deactivate the old box