Apple AirTunes private key extracted - PascalW
http://www.mafipulation.org/blagoblig/2011/04/08#shairport
Now that the AirTunes private key is known, it could allow for 3rd party software to act like AirTunes devices.
If this were implemented in XBMC, Plex, Boxee etc., you could send audio from your iOS device straight to XBMC using iOS's built-in AirPlay support.
======
daeken
Hah, awesome. Many years ago, I patched iTunes to use my own public key, so I
could stream to an AirTunes server I ran on another machine. I had intended to
pull the firmware off the Airport Express, but didn't have the hardware skills
at the time. It's awesome to see this happen.

------
Timothee
Could someone explain the implications of this?

edit: it looks like it would allow another software to show up as an Airport
Express in iTunes, thus becoming the potential target of streaming audio over
WiFi from iTunes. But am I right?

~~~
illumin8
The Airport Express public key was previously known, which allowed anyone to
write a program to stream audio to an Apple Airport Express. Now that the
private key is known, anyone can write a program to receive audio from iTunes,
or from another program that sends to Airport Express.

This means you will be able to easily send audio to other rooms in your house
with something like XBMC running on a PC, nettop, or netbook.

edit: Just to clarify - previously you could do this:

iTunes -- stream to --> Apple Airport Express

3rd party software -- stream to --> Apple Airport Express

Now you can do this:

iTunes -- stream to --> 3rd party software/hardware

~~~
i386
Speculation: If iTunes plays the role of the FairPlay DRM decoder and relied
on the channel between iTunes and the AirPlay device being encrypted to secure
content, would it now be possible to use the private key to masquerade as a
capable AirPlay device and dump the stream pure and DRM-free? Would this
work for video-enabled AirPlay devices?

If so, Apple and this hacker are about to be lawyered hard by the MPAA.

~~~
chopsueyar
Airport Express only streams audio out (no movies/tv/video), so it would be
the RIAA, not the MPAA.

~~~
alanh
Apple TVs work similarly now for video streamed from iPhone/iPad/iPod Touch
devices since iOS 4.2. Might they use the same private key?

------
jedsmith
ASCII key, from the source: <http://pastebin.com/raw.php?i=RFeUcdXd>

~~~
peterwwillis
The whole source: <http://pastebin.com/raw.php?i=mXVK93sY> (edit: updated with
0.03)

~~~
jameshl
Already out of date - 0.03 fixes IPv6. Please, get it from the site (if it
hasn't been Slashdotted or something yet :/)

~~~
peterwwillis
The first time I tried it was slashdotted so I pastebin'd. Thank you for your
work!

------
acgourley
What are the legal implications of selling a small unit that acts as an
airport express, then? And what if you didn't ship the key, but it was obvious
to users where to get it?

~~~
rhizome
"Wink wink" has been long dealt with in law. If it's a device that is useless
without the key, it'd wind up as a distinction without a difference if Apple
really chased this down rather than hiring the devs. "Substantial
non-infringing use" is the bar to clear in patent terms.

~~~
jrockway
Except, streaming music you own to a computer you own is legal regardless of
whether or not some piece of proprietary software you use has a private key
that you aren't supposed to know. The key is out. Using it for anything is
legal.

~~~
eli
Uh, I'm not so sure about that. The DMCA makes circumventing a copyright
protection measure illegal unless you fall into one of the very narrow
exemptions.

~~~
jrockway
How is this circumventing a copyright protection measure?

This is like opening the hood of a car that requires a key that the
manufacturer will only give to authorized dealers. If you figure out how to
open the hood, the government is not going to stop you from messing around
with the stuff in your car. It's yours, after all.

Here's what's happening here. Apple wants you to buy Apple hardware, so they
cripple iTunes such that it will only speak with devices that know a secret
password. Now, with the secret out, it will talk to any device.

This has absolutely nothing to do with copyright infringement.

~~~
eli
_This is like opening the hood of a car that requires a key that the
manufacturer will only give to authorized dealers._

Yes, that's exactly what it's like. Indeed, auto manufacturers have already
been abusing the DMCA to prevent independent repair shops from accessing
computer diagnostic codes.

<https://www.eff.org/deeplinks/2009/05/right-repair-law-pro> (The bill
mentioned in that article that would have addressed this died in committee, by
the way)

~~~
billybob
Wow. That's nasty on the auto makers' part.

------
angusgr
I know the OP probably isn't reading this, but I'd be curious to know what OS
the Airport Express runs.

I always wondered. My guess is maybe a proprietary RTOS to perform its simple
functions?

Back in the day I figured it'd make a great OpenWRT Linux box, although now
boxes with those features/size/price-point are much more common.

~~~
angusgr
I asked the OP and they responded to me offline and confirmed vxWorks.

~~~
patrickk
Hadn't heard of vxWorks before. Did a quick googling, it's been used in a huge
array of products: Boeing aircraft, industrial robots, Apache attack
helicopters, BMW iDrive, Linksys routers, even spacecraft!

[http://en.wikipedia.org/wiki/VxWorks#Notable_products_using_...](http://en.wikipedia.org/wiki/VxWorks#Notable_products_using_VxWorks)

------
Logicwax
Works great! Even supports multiple audio streams!

For Debian/Ubuntu users, I had to do a few things to get it to compile:

1. sudo apt-get install libcrypt-openssl-rsa-perl libao2 libao-dev
2. comment out line 642 in hairtunes.c
3. 'make'

~~~
jameshl
Fixed the code bug in 0.02, and added this to the documentation. Thanks!

------
Natsu
I wonder if people will get their IPs subpoenaed for looking at that link, as
was the case with the Sony keys?

~~~
eli
I'm pretty sure Sony's goal there was to gather information to support their
argument that a California court is the right venue and generally to
intimidate geohot. Not to sue anyone who merely viewed the page.

------
conradev
This is awesome! I know many have tried before, but have not been successful.

Also, I thought i would put this out there: As with the creation of the new
AirPlay protocol, the RAOP (AirTunes) protocol was also changed (to support
album art and other metadata, I assume). My proof of this lies in the Apple
TV. If you analyze network traffic between iTunes and the ATV's airtunesd
daemon, you can see that the initial pairing does not have the 'rsaaeskey'
field but instead a 'fpaeskey' field. So instead of a RSA public/private
scheme, it uses something else to encrypt the session keys. I found this out
when trying to reverse the airtunesd binary, trying to get the key that way.
:P
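The asymmetry illumin8 spells out above (the public key lets anyone send, only the private key lets something receive) and the 'rsaaeskey' setup field conradev mentions, as an added Go example that is not shairport's code and not the RAOP wire format: the sender draws a random AES session key, wraps it under the endpoint's RSA public key, and encrypts the audio with it; the endpoint holding the matching private key unwraps the key and decrypts, while an endpoint holding a different private key fails at the unwrap step. RSA-OAEP padding, AES-128-CBC with a per-session IV, the Endpoint/Session names and the sample audio bytes are all assumptions constructed for this example. Note also that each Endpoint here generates its own key pair, whereas the shipped devices share one fixed key, which is exactly why extracting it from one unit lets any software receive.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Endpoint models a RAOP-style receiver: only the holder of the private key
// can recover the per-session AES key a sender wraps under the public key.
type Endpoint struct{ priv *rsa.PrivateKey }

// NewEndpoint generates a fresh key pair per endpoint (constructed for this
// example; the shipped devices share one fixed key, which is the thread's point).
func NewEndpoint() (*Endpoint, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Endpoint{priv: priv}, nil
}

// PublicKey is what a sender embeds to address this endpoint.
func (e *Endpoint) PublicKey() *rsa.PublicKey { return &e.priv.PublicKey }

// Session is what the sender transmits at setup and then streams (field names
// are assumptions; on the wire the wrapped key is the 'rsaaeskey' field the thread mentions).
type Session struct {
	WrappedKey []byte // AES key encrypted under the endpoint's RSA public key
	IV         []byte // CBC IV, sent in the clear
	Audio      []byte // AES-CBC encrypted audio payload
}

// SenderSetup plays the iTunes side: draw a random AES-128 key and IV, wrap the
// key with RSA-OAEP (padding choice is an assumption), encrypt the audio with
// AES-CBC. The payload must be whole AES blocks; no padding scheme is modelled.
func SenderSetup(pub *rsa.PublicKey, audio []byte) (*Session, error) {
	if len(audio)%aes.BlockSize != 0 {
		return nil, errors.New("audio is not a whole number of AES blocks")
	}
	buf := make([]byte, 16+aes.BlockSize)
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	key, iv := buf[:16], buf[16:]
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	ct := make([]byte, len(audio))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, audio)
	return &Session{WrappedKey: wrapped, IV: iv, Audio: ct}, nil
}

// Receive plays the device side: unwrap the session key with the private key,
// then decrypt the audio. A holder of a different private key fails at the
// unwrap step and never sees audio, which is why the shared private key mattered.
func (e *Endpoint) Receive(s *Session) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, e.priv, s.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap session key: %w", err)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(s.Audio))
	cipher.NewCBCDecrypter(block, s.IV).CryptBlocks(pt, s.Audio)
	return pt, nil
}

// Demo runs one exchange: the endpoint whose public key the sender used
// recovers the audio; a second endpoint with its own private key is rejected.
func Demo() (recovered string, otherRejected bool, err error) {
	genuine, err1 := NewEndpoint()
	other, err2 := NewEndpoint()
	if err1 != nil || err2 != nil {
		return "", false, errors.New("key generation failed")
	}
	// Constructed 32-byte stand-in for an audio packet (two AES blocks).
	audio := []byte("constructed 32-byte audio frame!")
	sess, err := SenderSetup(genuine.PublicKey(), audio)
	if err != nil {
		return "", false, err
	}
	got, err := genuine.Receive(sess)
	if err != nil {
		return "", false, err
	}
	_, otherErr := other.Receive(sess)
	return string(got), otherErr != nil, nil
}
```

Calling Demo() returns the recovered audio bytes for the genuine endpoint and true for the second endpoint being rejected; the sender never needs anything but the public key, so a third-party sender (Johansen's justeport, mentioned further down) was always possible, while a third-party receiver needed the private half.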

------
shimonamit
So, are there no alternatives to embedding a single private key across
multiple hardware devices?

~~~
fhars
You could store the key in a TPM, which would at least require carefully
applied strong acids and an electron microscope to dump them.

~~~
shimonamit
Interesting. So why didn't they use a TPM? Cost savings? International
distribution constraints? (I see TPMs are illegal in China:
<http://en.wikipedia.org/wiki/Trusted_Platform_Module>) It is somewhat
peculiar given Apple's known DRM policies.

~~~
gnaffle
Probably cost and lack of effort. Just look at the iTunes / App Store DRM. It
can be removed quite easily, it's mostly there for deterrence. As soon as
Apple could, they dropped DRM on iTunes audio files by switching to iTunes
Plus (and before that, you could burn the songs to a CD and import it back).

You'll find a quite different story when Palm made the Pre compatible with
iTunes through reverse engineering. They certainly didn't want non-Apple
devices in the iTunes ecosystem and spent quite some effort to put a stop to
that, even though it had nothing to do with DRM.

------
palish
The source code is very cool. I'd encourage everyone to skim through it.

~~~
Simucal
Could you provide a mirror? The link seems to be dead.

~~~
oomkiller
I uploaded it to Github here in case anyone wants to hack on it:
<https://github.com/bbhoss/shairport>

------
illumin8
This is very cool. Do you know if this would work with AirPlay video streaming
as well as audio? I can imagine it would be pretty cool to display video on
any PC monitor.

~~~
Timothee
Is AirPlay encrypting streams though? There are a few apps that can playback
AirPlay videos. Recently, I started to use a script that made Plex show up as
an AirPlay target and it worked fine.

edit: NB: I'm not sure "encrypting" is the right word here… do not hesitate to
correct me

~~~
illumin8
I'm not sure - I've heard of an Android app that can send video to an AppleTV,
but I haven't heard of an app that can receive video from an iOS device. If
you know of one, I'd appreciate a link.

~~~
Timothee
AirPlayer from Erica Sadun would work: <http://ericasadun.com/ftp/AirPlay/>

However, she mentions that you can't stream music to AirPlayer due to RAOP:
<http://en.wikipedia.org/wiki/Remote_Audio_Output_Protocol>

which, I guess is not true anymore due to the parent link :)

But it does seem to show that iTunes was indeed checking keys before sending
to an Airport Express, but that AirPlay (for video) wasn't affected. As far as
I know, AirPlay is not much more than HTTP Live Streaming.

Also of interest in the same area (though this is an iOS app, so could
technically include some key checking without knowing it):
<https://github.com/nto/AirView>

------
blasdel
A couple years ago I unsuccessfully tried to extract the keys from the AppleTV
version of OS X (which provides the same functionality).

The binaries were heavily obfuscated, and I couldn't get the IDA Pro remote to
run on the AppleTV, nor could I port the binaries to run on normal OS X. Gave
up after a week or so. I figured that some pro reverser would get the keys
eventually that way, but I never expected that anyone would find success
cracking open an Airport Express!

~~~
mdg
cool story bro

------
sh1mmer
There have been a number of manufacturers implementing 'airplay' devices that
support being airtunes speakers but it's great to see this making it possible
to do with open source. It would be nice to see airtunes added to some of the
cheap linux wall warts on the market.

------
albertzeyer
Has someone tried it and was able to play something?

I tried it and iTunes lists it as a device but I cannot activate it in iTunes
(if I select it, it immediately unselects itself). From the console output, I
see that iTunes even does not try to connect to it (to TCP Port 5000).

I am currently on a Mac so I needed to do some porting
(<https://github.com/albertz/shairport/>) but I think this shouldn't have an
impact on the behavior I am getting.

~~~
snotrockets
Author states this is broken on a Mac.

~~~
albertzeyer
That is why I have patched it. For example, it uses `dns-sd` instead of
`avahi-publish-service`. Registering seems to work, at least iTunes shows it.
But there is no single connection attempt, so everything else (all the C-code
etc.) is anyway unrelated because it doesn't even get there.

Maybe it refuses to connect because it is the same (localhost) machine? I
don't have another machine at hand to try out right now.

~~~
chopsueyar
Is your firewall blocking the port?

------
coffeedrinker
For those who might not know this, you can stream the audio from one mac to
another.

[http://www.macgeekery.com/tips/configuration/playing_live_au...](http://www.macgeekery.com/tips/configuration/playing_live_audio_on_another_mac)

I use it to move music streams to the other computers in the house.

------
joeshaw
Does Apple use the same protocol for streaming video to an Apple TV? If so, is
the key from an Apple TV needed to emulate a video endpoint, or is just some
tweaking required (presumably to the MDNS service data) to identify it as
video-enabled?

~~~
lloeki
Video is seemingly not encrypted, only pure audio streams required the key.
See Airplayer (<http://ericasadun.com/ftp/AirPlay/>) and apparently Airfoil
Video Player (<http://www.rogueamoeba.com/airfoil/mac/>) for example.

~~~
conradev
Video is also an entirely different protocol.

------
andrewcooke
wasn't this done before, years ago, by Jon Lech Johansen? he wrote justeport -
<http://nanocr.eu/software/justeport/> (and i rewrote that in java as jjuste,
but no longer have the code...)

here are the keys he found - <http://nanocr.eu/2004/08/11/reversing-airtunes/>
and <http://nanocr.eu/sw/justeport/itunesrsakeys.txt>

~~~
peapicker
Johansen found the public keys to allow you to stream music to an Airport
Express... now we are talking about the private key, which lets you emulate an
Airport Express with any hardware that is capable.

~~~
andrewcooke
ah! thanks! (the idea that someone had to "find" the public keys seems a bit
odd, but i guess it was obfuscated?)

------
tobiasbischoff
Totally want to try this, but my Snow Leopard won't install
Crypt::OpenSSL::RSA via cpan, any ideas? <http://pastie.org/1783565>

~~~
gresrun
Try this:

ARCHFLAGS="-arch i386 -arch x86_64" perl -MCPAN -e 'install Crypt::OpenSSL::RSA'

------
kblnig
i am trying to use the hairport (on apple tv1 running ubuntu hardy)... i am
getting the following error:

atv@appletv-ubuntu:~/scripts/bbhoss-shairport-31cf954$ make
gcc hairtunes.c alac.c -D__i386 -lm `pkg-config --cflags --libs ao openssl` -o hairtunes
hairtunes.c: In function 'init_output':
hairtunes.c:642: error: 'ao_sample_format' has no member named 'matrix'

Could someone help me with this matter :) ?

------
kash
Awesome! Now if only we could get forked-daapd to show up under Home Sharing,
we'd be set!

------
lawfulfalafel
I wonder if another aacs controversy is going to rise.

