-
Notifications
You must be signed in to change notification settings - Fork 7
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Not compatible with this version of iTunes #2
Comments
@joerg-krause Which version iTunes do you use ? Apple-Challenge refers to RSA Authentication, which is not allowed for AP2 |
iTunes version is 12.10.7.3. This is the log:
|
Thanks @joerg-krause , Windows version of iTunes does not support FairPlay authentication. |
Thanks @ckdo for sharing the RSA branch. Actually, iTunes on Windows does support FairPlay v2 authentication. I've tested in by advertising the AP2 device as an AP1 device using only the _raop._tcp service. However, if I re-enable the _airplay._tcp service, iTunes sends the "Apple-Challenge" in the |
@joerg-krause RSA branch is updated to compute Apple-Response correctly. Apple-Response is accepted for _raop._tcp service, but for _airplay._tcp the dialog is stopping, so I guess RSA auth cannot be used on AP2 devices. |
Thanks @ckdo ! I wonder, why iTunes on Windows sends the Apple-Challenge. What authentication algorithm does it expect, if not RSA? Looks like an unsolved mystery for now... |
@ckdo I managed to get iTunes on Windows to try to connect with the AirPlay 2 receiver using FairPlay v2. The features needs to be set to
As you can see, the fifth byte send in the request is |
Interesting findings ! Like said in this case ANNOUNCE method is used, so it means raop/ap1. But... it can be interesting to know that for instance to ensure backward compatibility with ap1 with a device publishing only a _airplay._tcp service. |
The |
Yes so that AP2 devices ensure AP1 backward compatibility since there is one single enpoint for both protocols. You can also quite easily check rtsp streams with a tcpdump since for iTunes/Windows they are not encrypted. |
I see! As I am far more experienced with C than with Python, I fiddled around with the FairPlay v2 feature using shairplay. This is my experimental FP2 branch: https://github.com/joerg-krause/shairplay/tree/fairplay_v2. iTunes on Windows successfully connects to the AirPlay device, but shairport aborts, while buffering. Something is wrong with the audio decryption. Maybe the audio is not encrypted using AES 128 CBC? I hope, that adding FairPlay v2 support can be used as a backward compatibility for iTunes on Windows... |
Nice work I will check that... about encryption with Fairplayv2 I don't know but with MFi auth there's no particular change with encryption. |
Is your latest code pushed onto shairplay branch ? There are several points I don't understand (only fply_2 is used, fply_header and payload are not used in response) |
The branch is named fairplay_v2. It is a single commit joerg-krause/shairplay@d5f0953. |
Yes, but I mean there https://github.com/joerg-krause/shairplay/blob/d5f0953d2380502366592e30a0a59fe3879f3c59/src/lib/fairplay_playfair.c#L93-L97 : res only rely on fply_2, which does not use neither fply_header nor payload . Is it normal ? |
You're right! The reply needs to be distinguished whether by the request data. Depending on one byte set in the request, the header and payload data are needed for the response. That part is missing. I will add it soon, right now I am quite busy. Thanks for looking into it! |
Update: The missing part is not relevant for the fairplay v2 handshake. The main problem seems to be the decryption. I guess, there is a difference between v2 and v3 decryption.
EDIT: RSA is only working when using the |
Fix KeyError for devices which don't support IPv6
I took a stab at getting the framework in place for RSA and perhaps also FP. The bits remaining to fix are decryption. There is a nice FP decryptor [1] available in C, so until that gets ported to Python, it's lib time. Was there anything interesting that you discovered when you tried to fix compatibility? [1] https://github.com/juhovh/shairplay/tree/master/src/lib/playfair |
I've pushed commits to master https://github.com/openairplay/airplay2-receiver/ which implement ANNOUNCE. This means you can receive audio encrypted using rsaaeskey. If I run: Apple-Challenge headers. But my iTunes for Windows never accepts those using your branch here. Perhaps Apple changed what is expected in the Apple-Response? I tried your approach in the RSA branch, using PKCS1_OAEP, with and without hardware ID. Maybe I didn't try every combo. Don't like black-box crypto stuff so much 🤷 Any ideas @ckdo ? |
The FairPlay authentification works fine with iOS, but fails with iTunes: The AirPlay device "myap2" is not compatible with this version of iTunes.
Something i noticed: iTunes sends an OPTION request with an "Apple-Challenge".
The text was updated successfully, but these errors were encountered: