Hah, awesome. Many years ago, I patched iTunes to use my own public key, so I could stream to an AirTunes server I ran on another machine. I had intended to pull the firmware off the Airport Express, but didn't have the hardware skills at the time. It's awesome to see this happen.
edit: it looks like it would allow other software to show up as an Airport Express in iTunes, thus becoming the potential target of streaming audio over WiFi from iTunes. But am I right?
The Airport Express public key was previously known, which allowed anyone to write a program to stream audio to an Apple Airport Express. Now that the private key is known, anyone can write a program to receive audio from iTunes, or from another program that sends to Airport Express.
This means you will be able to easily send audio to other rooms in your house with something like XBMC running on a PC, nettop, or netbook.
edit: Just to clarify - previously you could do this:
iTunes -- stream to --> Apple Airport Express
3rd party software -- stream to --> Apple Airport Express
Now you can do this:
iTunes -- stream to --> 3rd party software/hardware
Speculation: If iTunes plays the role of the FairPlay DRM decoder and relied on the channel between iTunes and the AirPlay device being encrypted to secure content, would it now be possible to use the private key to masquerade as a capable AirPlay device and dump the stream pure and DRM-free? Would this work for video-enabled AirPlay devices?
If so, Apple and this hacker are about to be lawyered hard by the MPAA.
It doesn't. The Airplay device receives ALAC (Apple lossless audio) data, so this doesn't get you anything that wasn't already easily available by other means.
Yes, provided you were the MitM, you could capture every song streamed. However, Apple is far more likely to be worried about someone writing an AirPlay emulator that keeps perfect copies on its local hard drive. They probably built encryption in just to satisfy any possible media company objections about the copying of streamed media.
"Airfoil Speakers works pretty much like an AirPort Express from the point of view of Airfoil. It advertises its services over Bonjour, then uses the same AirTunes 2 protocol that Apple uses. However, despite using the same protocol, iTunes won’t talk to Airfoil Speakers. iTunes uses cryptographic authentication to ensure that it only talks to real AirPort Expresses, and we weren’t able to mimic that. Until Apple removes those checks, Airfoil Speakers will only work with Airfoil 3 and Airfoil for Windows."
IIRC, the traditional way around such legal ambiguity is for the project to offer a configuration variable akin to "input your favorite private key here." If the user is in a country which permits use of the AirPlay key, great, if not then the project can continue to operate as before. Either way, the project is indemnified because /they/ didn't provide the key.
"Now that the AirTunes private key is known, it could allow for 3rd party software to act like AirTunes devices.
If this for example would be implemented in XBMC, Plex, Boxee etc you could send audio from your iOS device straight to XBMC using iOS built-in AirPlay support."
What are the legal implications of selling a small unit that acts as an airport express, then? And what if you didn't ship the key, but it was obvious to users where to get it?
"Wink wink" has been long dealt with in law. If it's a device that is useless without the key, it'd wind up as a distinction without a difference if Apple really chased this down rather than hiring the devs. "Substantial non-infringing use" is the bar to clear in patent terms.
Except, streaming music you own to a computer you own is legal regardless of whether or not some piece of proprietary software you use has a private key that you aren't supposed to know. The key is out. Using it for anything is legal.
Uh, I'm not so sure about that. The DMCA makes circumventing a copyright protection measure illegal unless you fall into one of the very narrow exemptions.
How is this circumventing a copyright protection measure?
This is like opening the hood of a car that requires a key that the manufacturer will only give to authorized dealers. If you figure out how to open the hood, the government is not going to stop you from messing around with the stuff in your car. It's yours, after all.
Here's what's happening here. Apple wants you to buy Apple hardware, so they cripple iTunes such that it will only speak with devices that know a secret password. Now, with the secret out, it will talk to any device.
This has absolutely nothing to do with copyright infringement.
This is like opening the hood of a car that requires a key that the manufacturer will only give to authorized dealers.
Yes, that's exactly what it's like. Indeed, auto manufacturers have already been abusing the DMCA to prevent independent repair shops from accessing computer diagnostic codes.
"(c) Other Rights, Etc., Not Affected. — (1) Nothing in this section shall affect rights, remedies, limitations, or defenses to copyright infringement, including fair use, under this title."
IANAL, but that would not protect you from the DMCA provisions that make it a crime to distribute tools designed for breaking DRM, even if you intend such tools to be used for fair use purposes.
Then you should probably ship a small device that is a general computer, and there just happens to be some firmware / software floating around on the internet for it.
I doubt you'd fare much better than running a P2P service that could be used for anything, but was obviously intended for copyright infringement. And that doesn't seem to be doing so hot for Limewire.
Hadn't heard of VxWorks before. Did a quick googling; it's been used in a huge array of products: Boeing aircraft, industrial robots, Apache attack helicopters, BMW iDrive, Linksys routers, even spacecraft!
Works great! Even supports multiple audio streams!
For Debian/Ubuntu users, I had to do a few things to get it to compile:
1. sudo apt-get install libcrypt-openssl-rsa-perl libao2 libao-dev
2. comment out line 642 in hairtunes.c
3. 'make'
I'm pretty sure Sony's goal there was to gather information to support their argument that a California court is the right venue and generally to intimidate geohot. Not to sue anyone who merely viewed the page.
This is awesome! I know many have tried before, but have not been successful.
Also, I thought I would put this out there:
As with the creation of the new AirPlay protocol, the RAOP (AirTunes) protocol was also changed (to support album art and other metadata, I assume). My proof of this lies in the Apple TV. If you analyze network traffic between iTunes and the ATV's airtunesd daemon, you can see that the initial pairing does not have the 'rsaaeskey' field but instead a 'fpaeskey' field. So instead of a RSA public/private scheme, it uses something else to encrypt the session keys. I found this out when trying to reverse the airtunesd binary, trying to get the key that way. :P
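The asymmetry described earlier in the thread (with only the public key you can stream to an AirPort Express; with the private key you can be one) and the rsaaeskey-versus-fpaeskey difference noted in the comment just above, as an added Go example. This is not code from the thread or from shairport: the device key pair is generated fresh and throwaway (it is not the extracted AirPort Express key), both SDP bodies are constructed, the a=aesiv attribute that carries the AES-CBC IV is the real companion attribute but is not quoted anywhere in the thread, and RSA-OAEP/SHA-1 wrapping of a 16-byte AES key is the classic RAOP scheme. An fpaeskey announce parses but is refused by the RSA unwrap step, which is the point of the Apple TV observation.

```go
package main

import (
	"crypto/aes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"encoding/base64"
	"fmt"
	"strings"
)

type Session struct {
	KeyTransport string // "rsaaeskey" (wrapped to the device RSA key) or "fpaeskey" (FairPlay, Apple TV)
	WrappedKey   []byte
	IV           []byte // from a=aesiv, the companion attribute carrying the AES-CBC IV
}

// parseAnnounce pulls the key-transport attributes out of an RTSP ANNOUNCE SDP body (unpadded base64).
func parseAnnounce(sdp string) (*Session, error) {
	s := &Session{}
	for _, line := range strings.Split(strings.ReplaceAll(sdp, "\r\n", "\n"), "\n") {
		kv := strings.SplitN(strings.TrimPrefix(line, "a="), ":", 2)
		if !strings.HasPrefix(line, "a=") || len(kv) != 2 {
			continue
		}
		val, err := base64.RawStdEncoding.DecodeString(strings.TrimRight(kv[1], "="))
		switch kv[0] {
		case "rsaaeskey", "fpaeskey":
			s.KeyTransport, s.WrappedKey = kv[0], val
		case "aesiv":
			s.IV = val
		default:
			continue // e.g. a=fmtp: is not base64 and not our concern here
		}
		if err != nil {
			return nil, fmt.Errorf("bad %s attribute: %w", kv[0], err)
		}
	}
	if s.KeyTransport == "" || len(s.IV) != aes.BlockSize {
		return nil, fmt.Errorf("announce lacks a wrapped key or a 16-byte aesiv")
	}
	return s, nil
}

// senderAnnounce is the iTunes side: fresh AES-128 key and CBC IV, the key wrapped with RSA-OAEP
// to the device's PUBLIC key. That is all the public key ever bought you: the ability to send.
func senderAnnounce(devPub *rsa.PublicKey) (sdp string, key, iv []byte, err error) {
	buf := make([]byte, 16+aes.BlockSize)
	if _, err = rand.Read(buf); err != nil {
		return
	}
	key, iv = buf[:16], buf[16:]
	wrapped, err := rsa.EncryptOAEP(sha1.New(), rand.Reader, devPub, key, nil)
	if err != nil {
		return
	}
	enc := base64.RawStdEncoding.EncodeToString
	sdp = "v=0\r\na=rsaaeskey:" + enc(wrapped) + "\r\na=aesiv:" + enc(iv) + "\r\n"
	return
}

// receiverUnwrap is the device side, the one step that needs the PRIVATE key; fpaeskey is refused.
func receiverUnwrap(devPriv *rsa.PrivateKey, s *Session) ([]byte, error) {
	if s.KeyTransport != "rsaaeskey" {
		return nil, fmt.Errorf("%s: not RSA key transport, the device RSA key plays no part", s.KeyTransport)
	}
	return rsa.DecryptOAEP(sha1.New(), nil, devPriv, s.WrappedKey, nil)
}

// roundTrip runs the exchange with throwaway keys (NOT the extracted AirPort Express key): does the
// private-key holder recover the session key, and does a party holding some other private key fail?
func roundTrip() (recovered, otherKeyFails bool, err error) {
	keys := make([]*rsa.PrivateKey, 2) // [0] the device itself, [1] some unrelated device
	for i := range keys {
		if keys[i], err = rsa.GenerateKey(rand.Reader, 2048); err != nil {
			return
		}
	}
	sdp, key, _, err := senderAnnounce(&keys[0].PublicKey)
	if err != nil {
		return
	}
	sess, err := parseAnnounce(sdp)
	if err != nil {
		return
	}
	got, err := receiverUnwrap(keys[0], sess)
	recovered = err == nil && string(got) == string(key)
	_, e := receiverUnwrap(keys[1], sess)
	otherKeyFails = e != nil
	return
}

// appleTVAnnounce is a constructed stand-in for the Apple TV traffic described above: same a=aesiv,
// but the key arrives in a=fpaeskey (dummy bytes here, not a real FairPlay blob).
const appleTVAnnounce = "v=0\r\na=fpaeskey:RkFJUlBMQVktUExBQ0VIT0xERVI\r\na=aesiv:AAAAAAAAAAAAAAAAAAAAAA\r\n"

func main() {
	ok, fails, err := roundTrip()
	fmt.Println("private key recovers session key:", ok, "| unrelated key fails:", fails, "| err:", err)
}
```

Run it with `go run`; `roundTrip` should report true/true. Feed `appleTVAnnounce` to `parseAnnounce` and the session classifies as fpaeskey, and `receiverUnwrap` refuses it regardless of which RSA key you hold.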
You'd want a combination of storing the keys in a tamper-resistant/tamper-responding FIPS 140-2 smartcard module (like a TPM), and some kind of certificated key architecture (where each Mac and each AirPort have a key signed by Apple, but where breaking a single device and extracting the key isn't a class break -- it only provides the ability for everyone to stream to or from that one physical device). That way the Apple signing public key can be in everything, but the Apple private key can be kept offline in Cupertino. You could even do a multi-level system where there are manufacturing keys signed by Apple's key so the contract manufacturers don't steal things.
Combine that with a way to update and blacklist keys and devices, and you have the state-of-the-art DRM-type system. The cryptography used in the Blu-ray format is probably about the best currently deployed in that application, and can simply be bypassed. The same people (Paul Kocher's Cryptography Research; IMO the top cryptography consultancy in the world) who developed the original Divx system (video rental at Circuit City) did the crypto for BD+. http://en.wikipedia.org/wiki/DIVX
TPMs are unfortunately usually only FIPS 140-2 level 2 or 3, and not THAT hard to break a single instance of. The TCG's TPM architecture is such that compromising one TPM doesn't class-break everything. If you naively put a global key into a low-security module like that, and put millions of them in enemy hands, you will get screwed by someone with some acids and an electron microscope at college (or by a competitor leaking it anonymously).
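One way to build the per-device signed-key scheme sketched in the comment above, with the blacklist it calls for, as an added Go example. This is not Apple's design and not code from the page: the vendor key, the serial numbers and the choice of RSA-PSS/SHA-256 are all hypothetical. The point it makes concrete is the one above: a private key extracted from unit A lets an attacker be unit A and nothing else, and a pushed blacklist takes even that away.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// DeviceCert binds one unit's serial to that unit's own public key under the vendor's signing key.
type DeviceCert struct {
	Serial string
	PubDER []byte // PKIX-encoded device public key
	Sig    []byte // vendor RSA-PSS signature over certDigest(Serial, PubDER)
}

// certDigest hashes serial and key with a separator so the serial/key boundary cannot be shifted.
func certDigest(serial string, pubDER []byte) []byte {
	h := sha256.New()
	h.Write([]byte(serial))
	h.Write([]byte{0})
	h.Write(pubDER)
	return h.Sum(nil)
}

// issue is the factory step: mint a per-device key pair and sign its public half with the vendor key.
func issue(vendor *rsa.PrivateKey, serial string) (*rsa.PrivateKey, DeviceCert, error) {
	devPriv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, DeviceCert{}, err
	}
	pubDER, err := x509.MarshalPKIXPublicKey(&devPriv.PublicKey)
	if err != nil {
		return nil, DeviceCert{}, err
	}
	sig, err := rsa.SignPSS(rand.Reader, vendor, crypto.SHA256, certDigest(serial, pubDER), nil)
	if err != nil {
		return nil, DeviceCert{}, err
	}
	return devPriv, DeviceCert{Serial: serial, PubDER: pubDER, Sig: sig}, nil
}

// verifyDevice is the sender's check before it wraps a session key to a device: not on the
// blacklist, signed by the vendor (only the vendor PUBLIC key ships in the sender), key parses.
func verifyDevice(vendorPub *rsa.PublicKey, revoked map[string]bool, c DeviceCert) (crypto.PublicKey, error) {
	if revoked[c.Serial] {
		return nil, fmt.Errorf("device %s: revoked", c.Serial)
	}
	if err := rsa.VerifyPSS(vendorPub, crypto.SHA256, certDigest(c.Serial, c.PubDER), c.Sig, nil); err != nil {
		return nil, fmt.Errorf("device %s: signature not from vendor", c.Serial)
	}
	return x509.ParsePKIXPublicKey(c.PubDER)
}

// Outcome records what an attacker who extracted unit A's private key can and cannot do.
type Outcome struct {
	ImpersonateA    bool // expected true: that one unit is burned
	MintNewDevice   bool // expected false: A's key cannot produce a signature the vendor key verifies
	TransplantSig   bool // expected false: A's signature does not cover B's serial
	AfterRevocation bool // expected false: once A is blacklisted even its genuine cert is refused
}

func scenario() (Outcome, error) {
	vendor, err := rsa.GenerateKey(rand.Reader, 2048) // hypothetical vendor signing key
	if err != nil {
		return Outcome{}, err
	}
	aPriv, aCert, err := issue(vendor, "APX-000A")
	if err != nil {
		return Outcome{}, err
	}
	_, bCert, err := issue(vendor, "APX-000B")
	if err != nil {
		return Outcome{}, err
	}
	// the attacker "mints" a new device, signing with A's extracted key instead of the vendor's
	_, evil, err := issue(aPriv, "APX-EVIL")
	if err != nil {
		return Outcome{}, err
	}
	// ...and, separately, grafts A's genuine signature onto B's serial
	graft := DeviceCert{Serial: bCert.Serial, PubDER: aCert.PubDER, Sig: aCert.Sig}
	check := func(revoked map[string]bool, c DeviceCert) bool {
		_, e := verifyDevice(&vendor.PublicKey, revoked, c)
		return e == nil
	}
	return Outcome{
		ImpersonateA:    check(nil, aCert),
		MintNewDevice:   check(nil, evil),
		TransplantSig:   check(nil, graft),
		AfterRevocation: check(map[string]bool{"APX-000A": true}, aCert), // blacklist pushed by an update
	}, nil
}

func main() {
	o, err := scenario()
	fmt.Printf("%+v err=%v\n", o, err)
}
```

The serial is bound into the signed digest on purpose: without it, a signature over the bare key could be re-attached to any serial, and the blacklist would be trivially dodged by renaming the unit.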
Interesting. So why didn't they use a TPM? Cost savings? International distribution constraints? (I see TPMs are illegal in China - http://en.wikipedia.org/wiki/Trusted_Platform_Module.) It is somewhat peculiar given Apple's known DRM policies.
Probably cost and lack of effort. Just look at the iTunes / App Store DRM. It can be removed quite easily, it's mostly there for deterrence. As soon as Apple could, they dropped DRM on iTunes audio files by switching to iTunes Plus (and before that, you could burn the songs to a CD and import it back).
You'll find a quite different story when Palm made the Pre compatible with iTunes through reverse engineering. They certainly didn't want non-Apple devices in the iTunes ecosystem and spent quite some effort to put a stop to that, even though it had nothing to do with DRM.
This is very cool. Do you know if this would work with AirPlay video streaming as well as audio? I can imagine it would be pretty cool to display video on any PC monitor.
Is AirPlay encrypting streams though? There are a few apps that can play back AirPlay videos. Recently, I started to use a script that made Plex show up as an AirPlay target and it worked fine.
edit: NB: I'm not sure "encrypting" is the right word here… do not hesitate to correct me
I'm not sure - I've heard of an Android app that can send video to an AppleTV, but I haven't heard of an app that can receive video from an iOS device. If you know of one, I'd appreciate a link.
which, I guess is not true anymore due to the parent link :)
But it does seem to show that iTunes was indeed checking keys before sending to an Airport Express, but that AirPlay (for video) wasn't affected. As far as I know, AirPlay is not much more than HTTP Live Streaming.
Also of interest in the same area (though this is an iOS app, so could technically include some key checking without knowing it): https://github.com/nto/AirView
A couple years ago I unsuccessfully tried to extract the keys from the AppleTV version of OS X (which provides the same functionality).
The binaries were heavily obfuscated, and I couldn't get the IDA Pro remote to run on the AppleTV, nor could I port the binaries to run on normal OS X. Gave up after a week or so. I figured that some pro reverser would get the keys eventually that way, but I never expected that anyone would find success cracking open an Airport Express!
There have been a number of manufacturers implementing 'airplay' devices that support being airtunes speakers but it's great to see this making it possible to do with open source. It would be nice to see airtunes added to some of the cheap linux wall warts on the market.
Has someone tried it and was able to play something?
I tried it and iTunes lists it as a device but I cannot activate it in iTunes (if I select it, it immediately unselects itself). From the console output, I see that iTunes does not even try to connect to it (to TCP port 5000).
I am currently on a Mac so I needed to do some porting (https://github.com/albertz/shairport/) but I think this shouldn't have an impact on the behavior I am getting.
Sweet, thanks for your port! I just got everything working on my iMac. It shows up as an AirSpeaker from my iPhone on the same network and I can stream music from the iPhone to my iMac!
That is why I have patched it. For example, it uses `dns-sd` instead of `avahi-publish-service`. Registering seems to work, at least iTunes shows it. But there is no single connection attempt, so everything else (all the C-code etc.) is anyway unrelated because it doesn't even get there.
Maybe it refuses to connect because it is the same (localhost) machine? I don't have another machine at hand to try out right now.
Does Apple use the same protocol for streaming video to an Apple TV? If so, is the key from an Apple TV needed to emulate a video endpoint, or is just some tweaking required (presumably to the mDNS service data) to identify it as video-enabled?
Wasn't this done before, years ago, by Jon Lech Johansen? He wrote justeport - http://nanocr.eu/software/justeport/ (and I rewrote that in Java as jjuste, but no longer have the code...)
Johansen found the public keys to allow you to stream music to an Airport Express... now we are talking about the private key, which lets you emulate an Airport Express with any hardware that is capable.
I am trying to use the hairport (on Apple TV 1 running Ubuntu Hardy)... I am getting the following error:
atv@appletv-ubuntu:~/scripts/bbhoss-shairport-31cf954$ make
gcc hairtunes.c alac.c -D__i386 -lm `pkg-config --cflags --libs ao openssl` -o hairtunes
hairtunes.c: In function ‘init_output’:
hairtunes.c:642: error: ‘ao_sample_format’ has no member named ‘matrix’