nikagl / hisense


No longer works after updating tv to V0010.08.50S.O0918 tv software #4

Open cherpake opened 1 month ago

cherpake commented 1 month ago

Hi, my TV asked me to update, and after the update the script stopped working; the TV shows a message saying my mobile app is out of date and I need to update it. So I grabbed the Frida tools and got the VIDAA app on my phone to see what's going on. The first thing I noticed is that the clientId changed... instead of _vidaacommon_001 it now uses _secure_001 (or maybe that was always the case)?

Anyway, here is what I grabbed using Frida - this connects to the TV and shows the pairing PIN code. Any chance you see what else changed?


     ____
    / _  |   Frida 16.5.6 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://frida.re/docs/home/
   . . . .
   . . . .   Connected to iPhone (id=5bc87ccba00d686fb37b61c2eef96f26e53630f3)
Spawned `com.vidaa.remote`. Resuming main thread!                       
[iPhone::com.vidaa.remote ]-> Enter -[MGCDAsyncSocket writeData:withTimeout:tag:]
Sending:              0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  0123456789ABCDEF
281869c80  10 7d 00 04 4d 51 54 54 04 ce 00 24 00 27 35 35  .}..MQTT...$.'55
281869c90  3a 38 42 3a 34 42 3a 34 39 3a 46 46 3a 38 30 24  :8B:4B:49:FF:80$
281869ca0  68 69 73 24 35 44 41 44 41 41 5f 73 65 63 75 72  his$5DADAA_secur
281869cb0  65 5f 30 30 31 00 05 2f 77 69 6c 6c 00 06 64 69  e_001../will..di
281869cc0  65 6f 75 74 00 17 68 69 73 24 36 32 33 39 37 35  eout..his$623975
281869cd0  39 37 38 36 33 33 32 34 39 32 30 31 38 00 20 46  9786332492018. F
281869ce0  37 35 36 37 38 46 30 34 30 37 32 39 34 37 46 45  75678F04072947FE
281869cf0  45 36 41 33 46 30 38 42 32 46 43 31 31 37 32     E6A3F08B2FC1172
Leave -[MGCDAsyncSocket writeData:withTimeout:tag:]
Enter -[MGCDAsyncSocket writeData:withTimeout:tag:]
Sending:              0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  0123456789ABCDEF
1029a6a90  82 e4 03 00 01 00 58 2f 72 65 6d 6f 74 65 61 70  ......X/remoteap
1029a6aa0  70 2f 6d 6f 62 69 6c 65 2f 35 35 3a 38 42 3a 34  p/mobile/55:8B:4
1029a6ab0  42 3a 34 39 3a 46 46 3a 38 30 24 68 69 73 24 35  B:49:FF:80$his$5
1029a6ac0  44 41 44 41 41 5f 73 65 63 75 72 65 5f 30 30 31  DADAA_secure_001
1029a6ad0  2f 75 69 5f 73 65 72 76 69 63 65 2f 64 61 74 61  /ui_service/data
1029a6ae0  2f 61 75 74 68 65 6e 74 69 63 61 74 69 6f 6e 00  /authentication.
1029a6af0  00 5c 2f 72 65 6d 6f 74 65 61 70 70 2f 6d 6f 62  .\/remoteapp/mob
1029a6b00  69 6c 65 2f 35 35 3a 38 42 3a 34 42 3a 34 39 3a  ile/55:8B:4B:49:
1029a6b10  46 46 3a 38 30 24 68 69 73 24 35 44 41 44 41 41  FF:80$his$5DADAA
1029a6b20  5f 73 65 63 75 72 65 5f 30 30 31 2f 75 69 5f 73  _secure_001/ui_s
1029a6b30  65 72 76 69 63 65 2f 64 61 74 61 2f 61 75 74 68  ervice/data/auth
1029a6b40  65 6e 74 69 63 61 74 69 6f 6e 63 6f 64 65 00 00  enticationcode..
1029a6b50  61 2f 72 65 6d 6f 74 65 61 70 70 2f 6d 6f 62 69  a/remoteapp/mobi
1029a6b60  6c 65 2f 35 35 3a 38 42 3a 34 42 3a 34 39 3a 46  le/55:8B:4B:49:F
1029a6b70  46 3a 38 30 24 68 69 73 24 35 44 41 44 41 41 5f  F:80$his$5DADAA_
1029a6b80  73 65 63 75 72 65 5f 30 30 31 2f 75 69 5f 73 65  secure_001/ui_se
1029a6b90  72 76 69 63 65 2f 64 61 74 61 2f 61 75 74 68 65  rvice/data/authe
1029a6ba0  6e 74 69 63 61 74 69 6f 6e 63 6f 64 65 63 6c 6f  nticationcodeclo
1029a6bb0  73 65 00 00 61 2f 72 65 6d 6f 74 65 61 70 70 2f  se..a/remoteapp/
1029a6bc0  6d 6f 62 69 6c 65 2f 35 35 3a 38 42 3a 34 42 3a  mobile/55:8B:4B:
1029a6bd0  34 39 3a 46 46 3a 38 30 24 68 69 73 24 35 44 41  49:FF:80$his$5DA
1029a6be0  44 41 41 5f 73 65 63 75 72 65 5f 30 30 31 2f 75  DAA_secure_001/u
1029a6bf0  69 5f 73 65 72 76 69 63 65 2f 64 61 74 61 2f 61  i_service/data/a
1029a6c00  75 74 68 65 6e 74 69 63 61 74 69 6f 6e 63 6f 64  uthenticationcod
1029a6c10  65 74 6f 61 73 74 00 00 5d 2f 72 65 6d 6f 74 65  etoast..]/remote
1029a6c20  61 70 70 2f 6d 6f 62 69 6c 65 2f 35 35 3a 38 42  app/mobile/55:8B
1029a6c30  3a 34 42 3a 34 39 3a 46 46 3a 38 30 24 68 69 73  :4B:49:FF:80$his
1029a6c40  24 35 44 41 44 41 41 5f 73 65 63 75 72 65 5f 30  $5DADAA_secure_0
1029a6c50  30 31 2f 70 6c 61 74 66 6f 72 6d 5f 73 65 72 76  01/platform_serv
1029a6c60  69 63 65 2f 64 61 74 61 2f 74 6f 6b 65 6e 69 73  ice/data/tokenis
1029a6c70  73 75 61 6e 63 65 00                             suance.
Leave -[MGCDAsyncSocket writeData:withTimeout:tag:]
Enter -[MGCDAsyncSocket writeData:withTimeout:tag:]
Sending:              0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  0123456789ABCDEF
2804346c0  32 8a 01 00 5a 2f 72 65 6d 6f 74 65 61 70 70 2f  2...Z/remoteapp/
2804346d0  74 76 2f 75 69 5f 73 65 72 76 69 63 65 2f 35 35  tv/ui_service/55
2804346e0  3a 38 42 3a 34 42 3a 34 39 3a 46 46 3a 38 30 24  :8B:4B:49:FF:80$
2804346f0  68 69 73 24 35 44 41 44 41 41 5f 73 65 63 75 72  his$5DADAA_secur
280434700  65 5f 30 30 31 2f 61 63 74 69 6f 6e 73 2f 76 69  e_001/actions/vi
280434710  64 61 61 5f 61 70 70 5f 63 6f 6e 6e 65 63 74 00  daa_app_connect.
280434720  02 7b 22 61 70 70 5f 76 65 72 73 69 6f 6e 22 3a  .{"app_version":
280434730  32 2c 22 64 65 76 69 63 65 5f 74 79 70 65 22 3a  2,"device_type":
280434740  22 4d 6f 62 69 6c 65 20 41 70 70 22 7d           "Mobile App"}
Leave -[MGCDAsyncSocket writeData:withTimeout:tag:]
Enter -[MGCDAsyncSocket writeData:withTimeout:tag:]
Sending:              0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  0123456789ABCDEF
283149990  e0 00                                            ..
Leave -[MGCDAsyncSocket writeData:withTimeout:tag:]
cherpake commented 1 month ago

Seems like the client id was always "_secure_001", but now the user name is longer. Attaching captures from connecting to the old and new firmwares.

Old

Last login: Sun Oct 27 18:23:01 on ttys001
cherpake:Dev % frida -U -f com.vidaa.remote -l vidaa.js
     ____
    / _  |   Frida 16.5.6 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://frida.re/docs/home/
   . . . .
   . . . .   Connected to iPhone (id=5bc87ccba00d686fb37b61c2eef96f26e53630f3)
Spawned `com.vidaa.remote`. Resuming main thread!                       
[iPhone::com.vidaa.remote ]-> Enter -[MGCDAsyncSocket writeData:withTimeout:tag:]
Sending:              0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  0123456789ABCDEF
2802a7400  10 74 00 04 4d 51 54 54 04 ce 00 24 00 27 32 38  .t..MQTT...$.'28
2802a7410  3a 38 42 3a 39 38 3a 36 45 3a 35 30 3a 30 45 24  :8B:98:6E:50:0E$
2802a7420  68 69 73 24 30 44 37 46 37 38 5f 73 65 63 75 72  his$0D7F78_secur
2802a7430  65 5f 30 30 31 00 05 2f 77 69 6c 6c 00 06 64 69  e_001../will..di
2802a7440  65 6f 75 74 00 0e 68 69 73 24 31 37 33 30 30 34  eout..his$173004
2802a7450  36 32 39 37 00 20 32 45 33 35 45 35 30 36 35 41  6297. 2E35E5065A
2802a7460  33 36 46 44 39 39 46 39 45 42 35 42 44 39 31 42  36FD99F9EB5BD91B
2802a7470  33 34 32 46 37 36                                342F76
Leave -[MGCDAsyncSocket writeData:withTimeout:tag:]
Enter -[MGCDAsyncSocket writeData:withTimeout:tag:]
Sending:              0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  0123456789ABCDEF
111f61b80  82 e4 03 00 01 00 58 2f 72 65 6d 6f 74 65 61 70  ......X/remoteap
111f61b90  70 2f 6d 6f 62 69 6c 65 2f 32 38 3a 38 42 3a 39  p/mobile/28:8B:9
111f61ba0  38 3a 36 45 3a 35 30 3a 30 45 24 68 69 73 24 30  8:6E:50:0E$his$0
111f61bb0  44 37 46 37 38 5f 73 65 63 75 72 65 5f 30 30 31  D7F78_secure_001
111f61bc0  2f 75 69 5f 73 65 72 76 69 63 65 2f 64 61 74 61  /ui_service/data
111f61bd0  2f 61 75 74 68 65 6e 74 69 63 61 74 69 6f 6e 00  /authentication.
111f61be0  00 5c 2f 72 65 6d 6f 74 65 61 70 70 2f 6d 6f 62  .\/remoteapp/mob
111f61bf0  69 6c 65 2f 32 38 3a 38 42 3a 39 38 3a 36 45 3a  ile/28:8B:98:6E:
111f61c00  35 30 3a 30 45 24 68 69 73 24 30 44 37 46 37 38  50:0E$his$0D7F78
111f61c10  5f 73 65 63 75 72 65 5f 30 30 31 2f 75 69 5f 73  _secure_001/ui_s
111f61c20  65 72 76 69 63 65 2f 64 61 74 61 2f 61 75 74 68  ervice/data/auth
111f61c30  65 6e 74 69 63 61 74 69 6f 6e 63 6f 64 65 00 00  enticationcode..
111f61c40  61 2f 72 65 6d 6f 74 65 61 70 70 2f 6d 6f 62 69  a/remoteapp/mobi
111f61c50  6c 65 2f 32 38 3a 38 42 3a 39 38 3a 36 45 3a 35  le/28:8B:98:6E:5
111f61c60  30 3a 30 45 24 68 69 73 24 30 44 37 46 37 38 5f  0:0E$his$0D7F78_
111f61c70  73 65 63 75 72 65 5f 30 30 31 2f 75 69 5f 73 65  secure_001/ui_se
111f61c80  72 76 69 63 65 2f 64 61 74 61 2f 61 75 74 68 65  rvice/data/authe
111f61c90  6e 74 69 63 61 74 69 6f 6e 63 6f 64 65 63 6c 6f  nticationcodeclo
111f61ca0  73 65 00 00 61 2f 72 65 6d 6f 74 65 61 70 70 2f  se..a/remoteapp/
111f61cb0  6d 6f 62 69 6c 65 2f 32 38 3a 38 42 3a 39 38 3a  mobile/28:8B:98:
111f61cc0  36 45 3a 35 30 3a 30 45 24 68 69 73 24 30 44 37  6E:50:0E$his$0D7
111f61cd0  46 37 38 5f 73 65 63 75 72 65 5f 30 30 31 2f 75  F78_secure_001/u
111f61ce0  69 5f 73 65 72 76 69 63 65 2f 64 61 74 61 2f 61  i_service/data/a
111f61cf0  75 74 68 65 6e 74 69 63 61 74 69 6f 6e 63 6f 64  uthenticationcod
111f61d00  65 74 6f 61 73 74 00 00 5d 2f 72 65 6d 6f 74 65  etoast..]/remote
111f61d10  61 70 70 2f 6d 6f 62 69 6c 65 2f 32 38 3a 38 42  app/mobile/28:8B
111f61d20  3a 39 38 3a 36 45 3a 35 30 3a 30 45 24 68 69 73  :98:6E:50:0E$his
111f61d30  24 30 44 37 46 37 38 5f 73 65 63 75 72 65 5f 30  $0D7F78_secure_0
111f61d40  30 31 2f 70 6c 61 74 66 6f 72 6d 5f 73 65 72 76  01/platform_serv
111f61d50  69 63 65 2f 64 61 74 61 2f 74 6f 6b 65 6e 69 73  ice/data/tokenis
111f61d60  73 75 61 6e 63 65 00                             suance.
Leave -[MGCDAsyncSocket writeData:withTimeout:tag:]
Enter -[MGCDAsyncSocket writeData:withTimeout:tag:]
Sending:              0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  0123456789ABCDEF
281e9a7f0  32 8a 01 00 5a 2f 72 65 6d 6f 74 65 61 70 70 2f  2...Z/remoteapp/
281e9a800  74 76 2f 75 69 5f 73 65 72 76 69 63 65 2f 32 38  tv/ui_service/28
281e9a810  3a 38 42 3a 39 38 3a 36 45 3a 35 30 3a 30 45 24  :8B:98:6E:50:0E$
281e9a820  68 69 73 24 30 44 37 46 37 38 5f 73 65 63 75 72  his$0D7F78_secur
281e9a830  65 5f 30 30 31 2f 61 63 74 69 6f 6e 73 2f 76 69  e_001/actions/vi
281e9a840  64 61 61 5f 61 70 70 5f 63 6f 6e 6e 65 63 74 00  daa_app_connect.
281e9a850  02 7b 22 61 70 70 5f 76 65 72 73 69 6f 6e 22 3a  .{"app_version":
281e9a860  32 2c 22 64 65 76 69 63 65 5f 74 79 70 65 22 3a  2,"device_type":
281e9a870  22 4d 6f 62 69 6c 65 20 41 70 70 22 7d           "Mobile App"}
Leave -[MGCDAsyncSocket writeData:withTimeout:tag:]

New


     ____
    / _  |   Frida 16.5.6 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://frida.re/docs/home/
   . . . .
   . . . .   Connected to iPhone (id=5bc87ccba00d686fb37b61c2eef96f26e53630f3)
Spawned `com.vidaa.remote`. Resuming main thread!                       
[iPhone::com.vidaa.remote ]-> Enter -[MGCDAsyncSocket writeData:withTimeout:tag:]
Sending:              0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  0123456789ABCDEF
281869c80  10 7d 00 04 4d 51 54 54 04 ce 00 24 00 27 35 35  .}..MQTT...$.'55
281869c90  3a 38 42 3a 34 42 3a 34 39 3a 46 46 3a 38 30 24  :8B:4B:49:FF:80$
281869ca0  68 69 73 24 35 44 41 44 41 41 5f 73 65 63 75 72  his$5DADAA_secur
281869cb0  65 5f 30 30 31 00 05 2f 77 69 6c 6c 00 06 64 69  e_001../will..di
281869cc0  65 6f 75 74 00 17 68 69 73 24 36 32 33 39 37 35  eout..his$623975
281869cd0  39 37 38 36 33 33 32 34 39 32 30 31 38 00 20 46  9786332492018. F
281869ce0  37 35 36 37 38 46 30 34 30 37 32 39 34 37 46 45  75678F04072947FE
281869cf0  45 36 41 33 46 30 38 42 32 46 43 31 31 37 32     E6A3F08B2FC1172
Leave -[MGCDAsyncSocket writeData:withTimeout:tag:]
Enter -[MGCDAsyncSocket writeData:withTimeout:tag:]
Sending:              0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  0123456789ABCDEF
1029a6a90  82 e4 03 00 01 00 58 2f 72 65 6d 6f 74 65 61 70  ......X/remoteap
1029a6aa0  70 2f 6d 6f 62 69 6c 65 2f 35 35 3a 38 42 3a 34  p/mobile/55:8B:4
1029a6ab0  42 3a 34 39 3a 46 46 3a 38 30 24 68 69 73 24 35  B:49:FF:80$his$5
1029a6ac0  44 41 44 41 41 5f 73 65 63 75 72 65 5f 30 30 31  DADAA_secure_001
1029a6ad0  2f 75 69 5f 73 65 72 76 69 63 65 2f 64 61 74 61  /ui_service/data
1029a6ae0  2f 61 75 74 68 65 6e 74 69 63 61 74 69 6f 6e 00  /authentication.
1029a6af0  00 5c 2f 72 65 6d 6f 74 65 61 70 70 2f 6d 6f 62  .\/remoteapp/mob
1029a6b00  69 6c 65 2f 35 35 3a 38 42 3a 34 42 3a 34 39 3a  ile/55:8B:4B:49:
1029a6b10  46 46 3a 38 30 24 68 69 73 24 35 44 41 44 41 41  FF:80$his$5DADAA
1029a6b20  5f 73 65 63 75 72 65 5f 30 30 31 2f 75 69 5f 73  _secure_001/ui_s
1029a6b30  65 72 76 69 63 65 2f 64 61 74 61 2f 61 75 74 68  ervice/data/auth
1029a6b40  65 6e 74 69 63 61 74 69 6f 6e 63 6f 64 65 00 00  enticationcode..
1029a6b50  61 2f 72 65 6d 6f 74 65 61 70 70 2f 6d 6f 62 69  a/remoteapp/mobi
1029a6b60  6c 65 2f 35 35 3a 38 42 3a 34 42 3a 34 39 3a 46  le/55:8B:4B:49:F
1029a6b70  46 3a 38 30 24 68 69 73 24 35 44 41 44 41 41 5f  F:80$his$5DADAA_
1029a6b80  73 65 63 75 72 65 5f 30 30 31 2f 75 69 5f 73 65  secure_001/ui_se
1029a6b90  72 76 69 63 65 2f 64 61 74 61 2f 61 75 74 68 65  rvice/data/authe
1029a6ba0  6e 74 69 63 61 74 69 6f 6e 63 6f 64 65 63 6c 6f  nticationcodeclo
1029a6bb0  73 65 00 00 61 2f 72 65 6d 6f 74 65 61 70 70 2f  se..a/remoteapp/
1029a6bc0  6d 6f 62 69 6c 65 2f 35 35 3a 38 42 3a 34 42 3a  mobile/55:8B:4B:
1029a6bd0  34 39 3a 46 46 3a 38 30 24 68 69 73 24 35 44 41  49:FF:80$his$5DA
1029a6be0  44 41 41 5f 73 65 63 75 72 65 5f 30 30 31 2f 75  DAA_secure_001/u
1029a6bf0  69 5f 73 65 72 76 69 63 65 2f 64 61 74 61 2f 61  i_service/data/a
1029a6c00  75 74 68 65 6e 74 69 63 61 74 69 6f 6e 63 6f 64  uthenticationcod
1029a6c10  65 74 6f 61 73 74 00 00 5d 2f 72 65 6d 6f 74 65  etoast..]/remote
1029a6c20  61 70 70 2f 6d 6f 62 69 6c 65 2f 35 35 3a 38 42  app/mobile/55:8B
1029a6c30  3a 34 42 3a 34 39 3a 46 46 3a 38 30 24 68 69 73  :4B:49:FF:80$his
1029a6c40  24 35 44 41 44 41 41 5f 73 65 63 75 72 65 5f 30  $5DADAA_secure_0
1029a6c50  30 31 2f 70 6c 61 74 66 6f 72 6d 5f 73 65 72 76  01/platform_serv
1029a6c60  69 63 65 2f 64 61 74 61 2f 74 6f 6b 65 6e 69 73  ice/data/tokenis
1029a6c70  73 75 61 6e 63 65 00                             suance.
Leave -[MGCDAsyncSocket writeData:withTimeout:tag:]
Enter -[MGCDAsyncSocket writeData:withTimeout:tag:]
Sending:              0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  0123456789ABCDEF
2804346c0  32 8a 01 00 5a 2f 72 65 6d 6f 74 65 61 70 70 2f  2...Z/remoteapp/
2804346d0  74 76 2f 75 69 5f 73 65 72 76 69 63 65 2f 35 35  tv/ui_service/55
2804346e0  3a 38 42 3a 34 42 3a 34 39 3a 46 46 3a 38 30 24  :8B:4B:49:FF:80$
2804346f0  68 69 73 24 35 44 41 44 41 41 5f 73 65 63 75 72  his$5DADAA_secur
280434700  65 5f 30 30 31 2f 61 63 74 69 6f 6e 73 2f 76 69  e_001/actions/vi
280434710  64 61 61 5f 61 70 70 5f 63 6f 6e 6e 65 63 74 00  daa_app_connect.
280434720  02 7b 22 61 70 70 5f 76 65 72 73 69 6f 6e 22 3a  .{"app_version":
280434730  32 2c 22 64 65 76 69 63 65 5f 74 79 70 65 22 3a  2,"device_type":
280434740  22 4d 6f 62 69 6c 65 20 41 70 70 22 7d           "Mobile App"}
Leave -[MGCDAsyncSocket writeData:withTimeout:tag:]
Enter -[MGCDAsyncSocket writeData:withTimeout:tag:]
Sending:              0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  0123456789ABCDEF
283149990  e0 00                                            ..
Leave -[MGCDAsyncSocket writeData:withTimeout:tag:]
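The two CONNECT packets in the captures above can be decoded field by field, which makes the comparison mechanical rather than something read off a hex dump. The following is an added example, not code from the nikagl/hisense project: a small MQTT 3.1.1 CONNECT parser fed with the old-firmware and updated-TV packets transcribed from the dumps (the `OLD_CONNECT` and `NEW_CONNECT` names are my own). It confirms the observation in the comment: the clientId keeps the `_secure_001` suffix in both sessions, the will topic and keep-alive are identical, and only the clientId's identifier part, the username and the password differ.

```python
import struct

# Both packets are transcribed from the Frida hex dumps in this thread
# (old-firmware session first, then the session against the updated TV).
OLD_CONNECT = bytes.fromhex(
    "10 74 00 04 4d 51 54 54 04 ce 00 24 00 27 32 38 "
    "3a 38 42 3a 39 38 3a 36 45 3a 35 30 3a 30 45 24 "
    "68 69 73 24 30 44 37 46 37 38 5f 73 65 63 75 72 "
    "65 5f 30 30 31 00 05 2f 77 69 6c 6c 00 06 64 69 "
    "65 6f 75 74 00 0e 68 69 73 24 31 37 33 30 30 34 "
    "36 32 39 37 00 20 32 45 33 35 45 35 30 36 35 41 "
    "33 36 46 44 39 39 46 39 45 42 35 42 44 39 31 42 "
    "33 34 32 46 37 36"
)
NEW_CONNECT = bytes.fromhex(
    "10 7d 00 04 4d 51 54 54 04 ce 00 24 00 27 35 35 "
    "3a 38 42 3a 34 42 3a 34 39 3a 46 46 3a 38 30 24 "
    "68 69 73 24 35 44 41 44 41 41 5f 73 65 63 75 72 "
    "65 5f 30 30 31 00 05 2f 77 69 6c 6c 00 06 64 69 "
    "65 6f 75 74 00 17 68 69 73 24 36 32 33 39 37 35 "
    "39 37 38 36 33 33 32 34 39 32 30 31 38 00 20 46 "
    "37 35 36 37 38 46 30 34 30 37 32 39 34 37 46 45 "
    "45 36 41 33 46 30 38 42 32 46 43 31 31 37 32"
)


def read_remaining_length(buf: bytes, pos: int) -> tuple[int, int]:
    """Decode the MQTT variable-length 'remaining length' field (1 to 4 bytes)."""
    multiplier, value = 1, 0
    while True:
        b = buf[pos]
        pos += 1
        value += (b & 0x7F) * multiplier
        if not b & 0x80:
            return value, pos
        multiplier *= 128
        if multiplier > 128 ** 3:
            raise ValueError("malformed remaining length")


def read_field(buf: bytes, pos: int) -> tuple[bytes, int]:
    """Read a length-prefixed (big-endian uint16) field and return (data, new_pos)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    data = buf[pos:pos + n]
    if len(data) != n:
        raise ValueError("truncated field")
    return data, pos + n


def parse_connect(pkt: bytes) -> dict:
    """Parse an MQTT 3.1.1 CONNECT packet into its variable header and payload fields."""
    if not pkt or pkt[0] != 0x10:
        raise ValueError("not a CONNECT packet")
    remaining, pos = read_remaining_length(pkt, 1)
    end = pos + remaining
    if end != len(pkt):
        raise ValueError(f"remaining length {remaining} does not match packet size")
    proto, pos = read_field(pkt, pos)
    level, flags = pkt[pos], pkt[pos + 1]
    (keepalive,) = struct.unpack_from(">H", pkt, pos + 2)
    pos += 4
    out = {
        "protocol": proto.decode("utf-8"),
        "level": level,
        "clean_session": bool(flags & 0x02),
        "keepalive": keepalive,
    }
    cid, pos = read_field(pkt, pos)
    out["client_id"] = cid.decode("utf-8")
    if flags & 0x04:  # will flag
        topic, pos = read_field(pkt, pos)
        msg, pos = read_field(pkt, pos)
        out["will_topic"] = topic.decode("utf-8")
        out["will_message"] = msg.decode("utf-8", "backslashreplace")
        out["will_qos"] = (flags >> 3) & 0x03
        out["will_retain"] = bool(flags & 0x20)
    if flags & 0x80:  # username flag
        user, pos = read_field(pkt, pos)
        out["username"] = user.decode("utf-8")
    if flags & 0x40:  # password flag; the spec treats this as binary data
        pw, pos = read_field(pkt, pos)
        out["password"] = pw.decode("latin-1")
    if pos != end:
        raise ValueError("trailing bytes after payload")
    return out


def changed_fields(a: dict, b: dict) -> list[str]:
    """Names of fields whose values differ between two parsed packets."""
    return sorted(k for k in set(a) | set(b) if a.get(k) != b.get(k))


if __name__ == "__main__":
    old, new = parse_connect(OLD_CONNECT), parse_connect(NEW_CONNECT)
    for name, fields in (("old", old), ("new", new)):
        print(name, fields)
    print("changed:", changed_fields(old, new))
```

The parser raises on a remaining-length mismatch or trailing bytes, so a truncated or concatenated hook dump fails loudly instead of yielding plausible-looking garbage; the username is the only field whose length differs between the two captures (14 versus 23 bytes).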
cherpake commented 4 weeks ago

After some investigating...

  1. The VIDAA app now includes a new P12 certificate, and after extracting and using it, the TV no longer shows the message saying my mobile app is out of date and I need to update it. Attaching it here for others (passphrase is 471a0bfe63a93f22a76534c4dece85be): vidaa_cert.p12.zip

  2. MQTT user name and password generation has changed. The username is now longer and not just a time stamp. OLD: his$1730046297 NEW: his$6239759786332492018.

cherpake commented 4 weeks ago

OK, seems they changed the seed value for the third hash to his + last digit of timestamp + h!i@s#$v%I^d

[iPhone::com.vidaa.remote ]-> MD5String()
input:            0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  0123456789ABCDEF
283666f60  26 76 69 64 61 61 23 5e 61 70 70                 &vidaa#^app
output:            0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  0123456789ABCDEF
16da71400  38 d6 5d c3 0f 45 10 9a 36 9a 86 fc e8 66 a8 5b  8.]..E..6....f.[
MD5String()
input:            0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  0123456789ABCDEF
28213cf80  33 38 44 36 35 44 43 33 30 46 34 35 31 30 39 41  38D65DC30F45109A
28213cf90  33 36 39 41 38 36 46 43 45 38 36 36 41 38 35 42  369A86FCE866A85B
28213cfa0  24 32 38 3a 38 42 3a 39 38 3a 36 45 3a 35 30 3a  $28:8B:98:6E:50:
28213cfb0  30 45                                            0E
output:            0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  0123456789ABCDEF
16da713c0  0d 7f 78 ec 9c 8e ee 54 ac 66 ed b8 4a c3 f2 08  ..x....T.f..J...
MD5String()
input:            0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  0123456789ABCDEF
283356fc0  68 69 73 31 68 21 69 40 73 23 24 76 25 69 5e 64  his1h!i@s#$v%i^d
283356fd0  26 61 2a 61                                      &a*a
output:            0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  0123456789ABCDEF
16da713a0  56 fa c6 f2 3b 60 2b a9 20 de 0b 1b a3 86 16 e8  V...;`+. .......
MD5String()
input:            0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  0123456789ABCDEF
283356fc0  31 37 33 30 31 32 36 39 38 34 24 35 36 46 41 43  1730126984$56FAC
283356fd0  36                                               6
output:            0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  0123456789ABCDEF
16da71380  e4 0d 70 19 3a c2 46 65 17 95 90 4b 53 47 be 38  ..p.:.Fe...KSG.8
cherpake commented 4 weeks ago

Here is the code that generates the username, password and clientId:

void _generate_connect_data_new_vidaa_app(int arg0, int arg1, int arg2, int arg3, int arg4) {
    r4 = arg4;
    r3 = arg3;
    r2 = arg2;
    r1 = arg1;
    r0 = arg0;
    r29 = &saved_fp;
    r31 = r31 + 0xffffffffffffffa0 - 0xf0;
    r21 = 0x0;
    var_60 = **___stack_chk_guard;
    if (r3 == 0x0) goto loc_a5698;

loc_a52e8:
    r21 = 0x0;
    r23 = r0;
    if (r0 == 0x0) goto loc_a5698;

loc_a52f0:
    r21 = 0x0;
    r20 = r1;
    if (r1 == 0x0) goto loc_a5698;

loc_a52f8:
    r21 = 0x0;
    r25 = r2;
    if (r2 == 0x0) goto loc_a5698;

loc_a5300:
    r21 = 0x0;
    r24 = r4;
    if (r4 == 0x0) goto loc_a5698;

loc_a5308:
    r19 = r3;
    r8 = 0x0;
    q0 = *(int128_t *)"4}5\x1C/x*y5\x028z=v=";
    q0 = q0;
    r9 = r29 - 0x90;
    do {
            *(int8_t *)(r9 + r8) = *(int8_t *)(r9 + r8) ^ 0x5c;
            r8 = r8 + 0x1;
    } while (r8 != 0xb);
    r8 = 0x0;
    r9 = r29 - 0xa0;
    do {
            *(int8_t *)(r9 + r8) = *(int8_t *)(r9 + r8) ^ 0x5c;
            r8 = r8 + 0x1;
    } while (r8 != 0xb);
    r26 = strlen(r23);
    r28 = strlen(r20);
    r0 = strlen(r25);
    r27 = r0;
    var_100 = q0;
    var_F0 = q0;
    r8 = r29 - 0xa0;
    r9 = r29 - 0x90;
    if (r24 == 0x1) {
            if (!CPU_FLAGS & E) {
                    r0 = r8;
            }
            else {
                    r0 = r9;
            }
    }
    r8 = "002";
    if (CPU_FLAGS & E) {
            if (!CPU_FLAGS & E) {
                    r8 = "002";
            }
            else {
                    r8 = "001";
            }
    }
    *((r29 - 0x40) + 0xffffffffffffff00) = r8;
    _md5_encrypt(r0, r29 - 0x100);
    *((r29 - 0x38) + 0xffffffffffffff00) = &var_140;
    snprintf(&var_140 - (r26 + 0x31 & 0xfffffffffffffff0), r26 + 0x22, "%s%c%s", r3, r4, r5);
    r31 = (r21 - 0x20) + 0x20;
    *(int8_t *)(0x21 + r26 + r21) = 0x0;
    _md5_encrypt(r21, r29 - 0xd0);
    r0 = calloc(0x18, 0x1);
    r21 = r0;
    if (r0 == 0x0) goto loc_a5698;

loc_a5494:
    r26 = 0xe + r27 + r26 + r28;
    r0 = calloc(r26, 0x1);
    if (r0 == 0x0) goto loc_a5680;

loc_a54b0:
    r24 = r0;
    snprintf(r0, r26, "%s%c%s%c%s%c%s%c%s", r3, r4, r5, r6, r7, r23, 0x24, r20, 0x24);
    r31 = (r31 - 0x50) + 0x50;
    r25 = r28 + 0x16;
    r0 = calloc(r25, 0x1);
    if (r0 == 0x0) goto loc_a5678;

loc_a5508:
    r23 = r0;
    snprintf(r0, r25, "%s%c%lld", r3, r4, r5);
    r31 = (r31 - 0x20) + 0x20;
    if (r19 >= 0x1) {
            r8 = 0x0;
            r11 = r19;
            do {
                    r10 = 0xa;
                    asm { umulh      x12, x11, x9 };
                    r12 = r12 >> 0x3;
                    r8 = r8 + (r11 - r12 * r10);
                    COND = r11 > 0x9;
                    r11 = r12;
            } while (COND);
            r8 = r8 - (r8 * 0xcccccccd >> 0x23) * 0xa;
    }
    else {
            r8 = 0x0;
    }
    snprintf(&var_140 - (r28 + 0x21 & 0xfffffffffffffff0), r28 + 0x12, "%s%d%s", r3, r4, r5);
    *(int8_t *)(0x11 + r28 + (&var_140 - (r28 + 0x21 & 0xfffffffffffffff0))) = 0x0;
    *(int8_t *)((r29 - 0x10) + 0xffffffffffffff00) = 0x0;
    *(int128_t *)((r29 - 0x20) + 0xffffffffffffff00) = q0;
    *(int128_t *)((r29 - 0x30) + 0xffffffffffffff00) = q0;
    _md5_encrypt(&var_140 - (r28 + 0x21 & 0xfffffffffffffff0), r29 - 0x130);
    *(int8_t *)((r29 - 0x2a) + 0xffffffffffffff00) = 0x0;
    r20 = (&var_140 - (r28 + 0x21 & 0xfffffffffffffff0) - 0x20) + 0x20 - 0x20;
    snprintf(r20, 0x1c, "%lld%c%s", r3, r4, r5);
    r0 = calloc(0x21, 0x1);
    if (r0 == 0x0) goto loc_a5670;

loc_a5654:
    _md5_encrypt(r20, r0);
    *(int128_t *)r21 = r24;
    *(int128_t *)(r21 + 0x8) = r23;
    *(r21 + 0x10) = r19;
    goto loc_a5698;

loc_a5698:
    if (**___stack_chk_guard != var_60) {
            __stack_chk_fail();
    }
    return;

loc_a5670:
    free(r23);
    goto loc_a5678;

loc_a5678:
    free(r24);
    goto loc_a5680;

loc_a5680:
    free(r21);
    r21 = 0x0;
    goto loc_a5698;
}
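The MD5String() hook output above and the decompiled function can be cross-checked with standard MD5, which is worth doing before relying on either. The following is an added example, not code from the nikagl/hisense project or from the VIDAA app; the seeds, separators and expected digests are transcribed from the hook trace and the decompiler listing, and the function and constant names are my own. Two details come straight from the listing: the clientId is assembled as identifier, `$`, `his`, `$`, the first six hex characters of the second digest, then `_secure_` and `001` (the code also carries a `002` string), and the digit inserted after `his` in the third seed is produced by the loop over r19, which adds `r11 mod 10` while dividing r11 by 10 and then reduces the sum mod 10. For the timestamp 1730126984 in the trace that yields 1, matching the `his1h!i@s#$v%i^d&a*a` input the hook recorded. The security-relevant point the check makes visible: every input to the chain is a fixed string, the MAC-style identifier or the current time, so the MQTT password carries no secret; access to the broker rests on the client certificate and the on-screen PIN pairing, not on this credential.

```python
import hashlib

# Seeds and separators transcribed from the MD5String() hook output and the
# decompiled _generate_connect_data_new_vidaa_app() in this thread.
APP_SEED = "&vidaa#^app"
TOKEN_SEED_PREFIX = "his"
TOKEN_SEED_SUFFIX = "h!i@s#$v%i^d&a*a"
CLIENT_SUFFIX = "_secure_001"  # the listing also carries a "002" variant


def md5_hex_upper(text: str) -> str:
    """MD5 of a UTF-8 string as upper-case hex, the form the app feeds into later hashes."""
    return hashlib.md5(text.encode("utf-8")).hexdigest().upper()


def digit_sum_mod10(ts: int) -> int:
    """Mirror the decompiled loop over r19: accumulate (r11 mod 10) while r11 //= 10, then reduce mod 10."""
    total = 0
    while ts > 0:
        total += ts % 10
        ts //= 10
    return total % 10


def derive_connect_data(identifier: str, ts: int) -> dict:
    """Recompute the clientId and password the trace shows for an identifier and unix timestamp."""
    h1 = md5_hex_upper(APP_SEED)
    h2 = md5_hex_upper(f"{h1}${identifier}")
    client_id = f"{identifier}$his${h2[:6]}{CLIENT_SUFFIX}"
    h3 = md5_hex_upper(f"{TOKEN_SEED_PREFIX}{digit_sum_mod10(ts)}{TOKEN_SEED_SUFFIX}")
    password = md5_hex_upper(f"{ts}${h3[:6]}")
    return {"h1": h1, "h2": h2, "h3": h3, "client_id": client_id, "password": password}


def matches_capture() -> bool:
    """Compare the chain against the four hook outputs and the clientId from the old-firmware CONNECT packet."""
    derived = derive_connect_data("28:8B:98:6E:50:0E", 1730126984)
    expected = {
        "h1": "38D65DC30F45109A369A86FCE866A85B",
        "h2": "0D7F78EC9C8EEE54AC66EDB84AC3F208",
        "h3": "56FAC6F23B602BA920DE0B1BA38616E8",
        "client_id": "28:8B:98:6E:50:0E$his$0D7F78_secure_001",
        "password": "E40D70193AC246651795904B5347BE38",
    }
    return all(derived[key] == value for key, value in expected.items())


if __name__ == "__main__":
    for key, value in derive_connect_data("28:8B:98:6E:50:0E", 1730126984).items():
        print(f"{key:>9}: {value}")
    print("matches hook trace:", matches_capture())
```

`matches_capture()` is the useful part: if a future app update changes any seed, the comparison fails on a specific digest, which tells you which stage of the chain to re-hook rather than leaving you to diff whole packets.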
cherpake commented 3 weeks ago

OK, I cracked it. The new user name is constructed like this: his$TIMESTAMP ^ 6239759785777146216
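The constant above can be checked against the captured packets without any further hooking, because XOR with a fixed mask is its own inverse. The following is an added example, not code from the nikagl/hisense project; it takes the two usernames from the CONNECT captures and the mask from this comment (`USERNAME_XOR_KEY` and the other names are my own). Unmasking `his$6239759786332492018` gives 1730034074, a unix timestamp on the same UTC day (2024-10-27) as the old-format username `his$1730046297`, which is what one would expect of two captures made on the same day. Since the mask has bit 62 set and a unix timestamp fits in 32 bits, the two formats never overlap and can be told apart by magnitude alone. As with the MD5 chain, the mask is a fixed constant shipped in the app, so the longer username is obfuscation rather than a secret.

```python
from datetime import datetime, timezone

# Mask reported in this thread; usernames transcribed from the CONNECT packets
# captured above (old firmware first, updated TV second).
USERNAME_XOR_KEY = 6239759785777146216
OLD_USERNAME = "his$1730046297"
NEW_USERNAME = "his$6239759786332492018"

# A plain unix timestamp fits in 32 bits; the mask has bit 62 set, so every
# masked value is >= 2**62 and the two formats cannot be confused.
PLAIN_MAX = 1 << 32


def decode_username(username: str) -> tuple[str, int]:
    """Return ("plain" | "masked", unix_timestamp) for either username format."""
    prefix, sep, digits = username.partition("$")
    if prefix != "his" or sep != "$" or not digits.isdigit():
        raise ValueError(f"unexpected username format: {username!r}")
    value = int(digits)
    if value < PLAIN_MAX:
        return "plain", value
    return "masked", value ^ USERNAME_XOR_KEY


def encode_username(ts: int, masked: bool = True) -> str:
    """Inverse of decode_username; XOR is an involution, so the same mask re-encodes."""
    if not 0 <= ts < PLAIN_MAX:
        raise ValueError("timestamp out of range")
    return f"his${(ts ^ USERNAME_XOR_KEY) if masked else ts}"


def to_utc(ts: int) -> datetime:
    """Unix timestamp as an aware UTC datetime."""
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def same_utc_day(ts_a: int, ts_b: int) -> bool:
    """Sanity check for two captures taken on the same day."""
    return to_utc(ts_a).date() == to_utc(ts_b).date()


if __name__ == "__main__":
    for name in (OLD_USERNAME, NEW_USERNAME):
        kind, ts = decode_username(name)
        print(f"{name}: {kind} -> {ts} ({to_utc(ts).isoformat()})")
```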

nikagl commented 3 weeks ago

Hi @cherpake, great work 👍 Just wanted to let you know that I haven't been able to look at my TV yet to see whether it has updates and such. As soon as I get home, probably this weekend, I will test and add a flag to my code for the new version (as I suspect we need to retain the old method for older-version TVs). Feel free to do a pull, of course, if you want to do it yourself...

nikagl commented 3 weeks ago

So, I have checked my TV and it still has version V0010.06.30B.N0908. It looks like I can use the new certificate as well; I have extracted the relevant certificate and key using the following commands:

"openssl.exe" pkcs12 -in vidaa_cert.p12 -clcerts -nokeys -out vidaa_cert.cer -passin pass:471a0bfe63a93f22a76534c4dece85be
"openssl.exe" pkcs12 -in vidaa_cert.p12 -nocerts -nodes -out vidaa_cert.pem -passin pass:471a0bfe63a93f22a76534c4dece85be
"openssl.exe" pkcs8 -in vidaa_cert.pem -topk8 -nocrypt -out vidaa_cert.pkcs8

I have also added a command line switch to use the new authentication; let me know whether it works for you, as I cannot test it with my TV...

nikagl commented 3 weeks ago

Commit d45acc6c86e97d68fb382e0f9730a9cca4755e0d