关于Airplay Mirroring ... fp设置后的事情 [英] about Airplay Mirroring... things after fp-setup

问题描述

我的项目是从Android设备中获取解密的Airplay Mirrorred h.264屏幕数据.
由于我对类似AES的东西一无所知...所以我跳过了在iPad和AppleTV之间进行全方位压缩的硬编码数据的步骤.

My project is to grab decrypted Airplay Mirrorred h.264 screen data from my Android device.
Since I know nothing about AES-like things... So I skipped that step with hard coded data, omnipeek'ed from, between My iPad and AppleTV.

从非官方Airplay协议"开始.
类似于序列，我在iPad上使用"fp-setup"进行了询问.

Started with the "Unofficial Airplay Protocol".
Resembled the sequence, and I've questioned from my iPad with "fp-setup".

检查 AirTunesController源代码非常有帮助. ，我从该代码中获得了很多提示.因此，我从iPad，AppleTV抓取了"FPLY"启动二进制文件.只需回复我的iPad，"fp-setup"步骤就完成了！

It was very helpful to examine the AirTunesController source code, I've got pretty much hints from that code. So, I grabbed the 'FPLY' starting binaries from my iPad, AppleTV. Just replied to my iPad, and "fp-setup" step is done!

顺序是..
从iPad收到FPLY311，
我回答了FPLY312，
从iPad收到FPLY313，
我回答了FPLY314 ..然后，"POST/stream"出现了一些二进制参数列表(bplist).
看起来像..(从我的adb logcat捕获)

Sequence is..
received FPLY311 from the iPad,
I answered with FPLY312,
received FPLY313 from the iPad,
I answered FPLY314.. then the "POST /stream" came to me with some binary parameter lists (bplist).
It look like.. (captured from my adb logcat)

D/Server(432):AIRPLAY镜像服务器:检测到新连接
D/服务器(432):AIRPLAY服务器:添加了新连接
D/服务器(432):BReNTT:/stream.xml
D/服务器(432):BReNTT:/stream.xml >> GET
D/Server(432):BReNTT:响应536字节的内容
D/服务器(432):BReNTT:/fp-setup，主体大小:16
D/服务器(432):0x46 0x50 0x4c 0x59 0x03 0x01 0x01 0x00 0x00 0x00 0x00 0x04 0x02 0x00 0x03 0xbb
D/服务器(432):BReNTT:/fp-setup >> POST >> 311
D/Server(432):BReNTT:响应257字节的内容
D/服务器(432):BReNTT:/fp-setup，正文大小:164
D/服务器(432):0x46 0x50 0x4c 0x59 0x03 0x01 0x03 0x00 0x00 0x00 0x00 0x98 0x01 0x8f 0x1a 0x9c
D/Server(432):0x7d 0x0a 0xf2 0x57 0xb3 0x1f 0x21 0xf5 0xc2 0xd2 0xbc 0x81 0x4c 0x03 0x2d 0x45
D/服务器(432):0x78 0x35 0xad 0x0b 0x06 0x25 0x05 0x74 0xbb 0xc7 0xab 0x4a 0x58 0xcc 0xa6 0xee
D/服务器(432):0xad 0x2c 0x91 0x1d 0x7f 0x3e 0x1e 0x7e 0xd4 0xc0 0x58 0x95 0x5d 0xff 0x3d 0x5c
D/Server(432):0xee 0xf0 0x14 0x38 0x7a 0x98 0x5b 0xdb 0x34 0x99 0x50 0x15 0xe3 0xdf 0xbd 0xac
D/服务器(432):0xc5 0x60 0x47 0xcb 0x92 0x6e 0x09 0x3b 0x13 0xe9 0xfd 0xb5 0xe1 0xee 0xe3 0x17
D/服务器(432):0xc0 0x18 0xbb 0xc8 0x7f 0xc5 0x45 0x3c 0x76 0x71 0x64 0x7d 0xa6 0x86 0xda 0x3d
D/服务器(432):0x56 0x48 0x75 0xd0 0x3f 0x8a 0xea 0x9d 0x60 0x09 0x2d 0xe0 0x61 0x10 0xbc 0x7b
D/服务器(432):0xe0 0xc1 0x6f 0x39 0x1c 0x36 0x9c 0x75 0x34 0x4a 0xe4 0x7f 0x33 0xac 0xfc 0xf1
D/服务器(432):0x0e 0x63 0xa9 0xb5 0x8b 0xfc 0xe2 0x15 0xe9 0x60 0x01 0xc4 0x9e 0x4b 0xe9 0x67
D/服务器(432):0xc5 0x06 0x7f 0x2a
D/服务器(432):BReNTT:/fp-setup >> POST >> 313
D/服务器(432):BReNTT:正在响应...
D/服务器(432):0x46 0x50 0x4c 0x59 0x03 0x01 0x04 0x00 0x00 0x00 0x00 0x14 0x0e 0x63 0xa9 0xb5
D/服务器(432):0x8b 0xfc 0xe2 0x15 0xe9 0x60 0x01 0xc4 0x9e 0x4b 0xe9 0x67 0xc5 0x06 0x7f 0x2a
D/Server(432):BReNTT:响应142字节的内容
D/服务器(432):BReNTT:/stream >> POST !!内容长度为750

D/Server( 432): AIRPLAY Mirroring Server: New connection detected
D/Server( 432): AIRPLAY Server: New connection added
D/Server( 432): BReNTT: /stream.xml
D/Server( 432): BReNTT: /stream.xml >> GET
D/Server( 432): BReNTT: responding 536 bytes of content
D/Server( 432): BReNTT: /fp-setup, body size: 16
D/Server( 432): 0x46 0x50 0x4c 0x59 0x03 0x01 0x01 0x00 0x00 0x00 0x00 0x04 0x02 0x00 0x03 0xbb
D/Server( 432): BReNTT: /fp-setup >> POST >> 311
D/Server( 432): BReNTT: responding 257 bytes of content
D/Server( 432): BReNTT: /fp-setup, body size: 164
D/Server( 432): 0x46 0x50 0x4c 0x59 0x03 0x01 0x03 0x00 0x00 0x00 0x00 0x98 0x01 0x8f 0x1a 0x9c
D/Server( 432): 0x7d 0x0a 0xf2 0x57 0xb3 0x1f 0x21 0xf5 0xc2 0xd2 0xbc 0x81 0x4c 0x03 0x2d 0x45
D/Server( 432): 0x78 0x35 0xad 0x0b 0x06 0x25 0x05 0x74 0xbb 0xc7 0xab 0x4a 0x58 0xcc 0xa6 0xee
D/Server( 432): 0xad 0x2c 0x91 0x1d 0x7f 0x3e 0x1e 0x7e 0xd4 0xc0 0x58 0x95 0x5d 0xff 0x3d 0x5c
D/Server( 432): 0xee 0xf0 0x14 0x38 0x7a 0x98 0x5b 0xdb 0x34 0x99 0x50 0x15 0xe3 0xdf 0xbd 0xac
D/Server( 432): 0xc5 0x60 0x47 0xcb 0x92 0x6e 0x09 0x3b 0x13 0xe9 0xfd 0xb5 0xe1 0xee 0xe3 0x17
D/Server( 432): 0xc0 0x18 0xbb 0xc8 0x7f 0xc5 0x45 0x3c 0x76 0x71 0x64 0x7d 0xa6 0x86 0xda 0x3d
D/Server( 432): 0x56 0x48 0x75 0xd0 0x3f 0x8a 0xea 0x9d 0x60 0x09 0x2d 0xe0 0x61 0x10 0xbc 0x7b
D/Server( 432): 0xe0 0xc1 0x6f 0x39 0x1c 0x36 0x9c 0x75 0x34 0x4a 0xe4 0x7f 0x33 0xac 0xfc 0xf1
D/Server( 432): 0x0e 0x63 0xa9 0xb5 0x8b 0xfc 0xe2 0x15 0xe9 0x60 0x01 0xc4 0x9e 0x4b 0xe9 0x67
D/Server( 432): 0xc5 0x06 0x7f 0x2a
D/Server( 432): BReNTT: /fp-setup >> POST >> 313
D/Server( 432): BReNTT: responding...
D/Server( 432): 0x46 0x50 0x4c 0x59 0x03 0x01 0x04 0x00 0x00 0x00 0x00 0x14 0x0e 0x63 0xa9 0xb5
D/Server( 432): 0x8b 0xfc 0xe2 0x15 0xe9 0x60 0x01 0xc4 0x9e 0x4b 0xe9 0x67 0xc5 0x06 0x7f 0x2a
D/Server( 432): BReNTT: responding 142 bytes of content
D/Server( 432): BReNTT: /stream >> POST !! Content-Length is 750

最后我得到了列表..带有Param1和Param2.
它们分别是AES密钥和AES初始化矢量数据，分别为72个字节和16个字节. 而且，突然从同一个端口7100，iPad的屏幕二进制数据不断传给我.

Finally I got the list.. with Param1 and Param2.
They're the AES key and AES initialization vector data, 72 bytes and 16 bytes relatively. And, from the same port 7100, suddenly, iPad's screen binary data came to me continuously.

键:deviceInfoTime值= -422009852.719235
密钥:macAddress值= 64:20:0C:EF:DF:81
密钥:param1是Binary类型.
BReNTT-Debug(432):46 50 4C 59 01 02 02 00 00 00 00 3C 00 00 00 00
BReNTT-Debug(432):88 E4 F8 2C 81 78 C1 8B 47 51 AC 24 B2 7C 0C 2A
BReNTT-Debug(432):00 00 00 10 C8 99 DC 69 65 C1 08 1D E6 A9 D9 66
BReNTT-Debug(432):E2 BA 3E 34 54 8C DB C6 51 C3 22 DB 18 DC 22 F5
BReNTT-Debug(432):8F E1 54 A6 0A EC EE 18
密钥:sessionID值= -1483478994
密钥:deviceID值= 110088818777987
密钥:connectTime值= 0.009737
密钥:版本值= 200.54
密钥:latencyMs值= 90
密钥:fpsInfo type = 4
密钥:authTime值= 422009852.735252
密钥:prepareTime值= 0.004542
密钥:configTime值= 0.004692
密钥:resolveDNSTime值= 0.008402
密钥:timestampInfo type = 4
密钥:param2是Binary类型.
BReNTT-Debug(432):66 A7 5D 63 6D 80 C8 30 19 95 2A EC 2D D7 2F 1C

Key: deviceInfoTime Value=-422009852.719235
Key: macAddress Value=64:20:0C:EF:DF:81
Key: param1 is Binary type.
BReNTT-Debug( 432): 46 50 4C 59 01 02 01 00 00 00 00 3C 00 00 00 00
BReNTT-Debug( 432): 88 E4 F8 2C 81 78 C1 8B 47 51 AC 24 B2 7C 0C 2A
BReNTT-Debug( 432): 00 00 00 10 C8 99 DC 69 65 C1 08 1D E6 A9 D9 66
BReNTT-Debug( 432): E2 BA 3E 34 54 8C DB C6 51 C3 22 DB 18 DC 22 F5
BReNTT-Debug( 432): 8F E1 54 A6 0A EC EE 18
Key: sessionID Value=-1483478994
Key: deviceID Value=110088818777987
Key: connectTime Value=0.009737
Key: version Value=200.54
Key: latencyMs Value=90
Key: fpsInfo type=4
Key: authTime Value=422009852.735252
Key: prepareTime Value=0.004542
Key: configTime Value=0.004692
Key: resolveDNSTime Value=0.008402
Key: timestampInfo type=4
Key: param2 is Binary type.
BReNTT-Debug( 432): 66 A7 5D 63 6D 80 C8 30 19 95 2A EC 2D D7 2F 1C

然后..
这是我想问你的问题.

And..
It is the question I want to ask you.

根据非官方的Airplay协议，
如果存在可选的Param1和Param2，则对屏幕数据进行加密，对吧?

According to the Unofficial Airplay Protocol,
If optional Param1 and Param2 exists, then the screen data is encrypted, right?

如何处理来自我的iPad的这72个字节和16个字节的AES数据以解密h.264屏幕数据?

How do I deal with these 72 bytes, and 16 bytes AES data to decrypt the h.264 screen data, coming from my iPad??

谢谢.

推荐答案

两个参数； param1和param2使用FairPlay加密.您首先需要弄清楚加密的工作原理，然后将获得AES密钥来解密H.264视频流.

The two params; param1 and param2 are encrypted using FairPlay. You will need to work out how that encryption works first then you will get the AES key to decrypt the H.264 video stream.

这篇关于关于Airplay Mirroring ... fp设置后的事情的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！