|
vbman213
Anon
2014-Jun-20 7:58 pm
Ditched AT&T U-Verse Voice, Spoofing notification packets for TV caller ID
Alright, maybe this isn't the right message board for this question but I'll try first here. I actually need somebody to help with collecting some sample data that I could have to parse through.
Anyways, I ditched AT&T U-Verse Voice in favor of VoIP.ms. I had the idea of packet sniffing my network to figure out what magical packets AT&T uses to trigger the STBs to display a caller id notification on screen. I would do my own packet sniffing, but since I no longer have active voice service, I am unable to do so! Anybody care to help me out? I would love to see if this is something that can be reverse engineered to trigger any type of message on the TVs and possibly write a FreePBX module to automate the process. |
|
ortizdrThe One the Only join:2014-01-15 North Richland Hills, TX |
ortizdr
Member
2014-Jun-20 11:34 pm
Verizon FiOS does this as well but they aren't using VOIP. It would be interesting to know if they used the same tech. Wish I had voice and TV, I'd help you out. |
|
|
vbman213
Anon
2014-Jun-21 12:54 am
Thanks for the support! Anybody else want to do some sniffing? Even if you are not technically savvy, I can give you very specific instructions on what you need to do |
|
rolandeCertifiable MVM, join:2002-05-24 Dallas, TX ARRIS BGW210-700 Cisco Meraki MR42
|
I might be able to do it for you more easily, since I have my STBs all plugged into a switch I can do port mirroring on. It is likely a multicast or broadcast packet from the RG to the local STBs. Let me know if no one else helps, I'll see if I can look at it later today or tomorrow. |
|
trparky Premium Member join:2000-05-24 Cleveland, OH |
trparky
Premium Member
2014-Jun-21 8:53 pm
I'd love to know this myself as well so that I can build some kind of uVerse caller ID app for Windows. |
|
|
to vbman213
As would I, thinking ability to push notifications from my media center or the likes. |
|
|
vbman213
Anon
2014-Jun-21 10:56 pm
Anybody who wants to help collect data, make sure your PC is on the same L3 as your set top boxes and gateway, install Wireshark and scan during an inbound phone call. Share with us the pcap file and the IP addresses of your RG and STBs. |
|
|
Gateway web-pages I believe has buttons to Ring line-1 or 2.
Too much to hope for I guess that: said buttons actually ring a line even if not subscribed to uverse voice, and also that this manual ring event includes triggering the TV display (of something)? |
|
Motorola MG8725 Asus RT-N66
1 edit |
said by brookeKrige: Too much to hope for I guess that: said buttons actually ring a line even if not subscribed to uverse voice, and also that this manual ring event includes triggering the TV display (of something)?
When I do the ring line function on my 3801, it doesn't show up on the TV at all. |
|
|
vbman213
Anon
2014-Jun-22 10:49 am
I can confirm that the ring button does not ring if not subscribed to voice service. |
|
rolandeCertifiable MVM, join:2002-05-24 Dallas, TX ARRIS BGW210-700 Cisco Meraki MR42
|
to vbman213
Okay, I've got a capture from one of my STBs. I isolated the STB by mirroring just the traffic in and out of its port to an interface on my Macbook. I captured using Wireshark. I called my phone from my cell and watched the alert appear on the screen and then stopped the capture. I've filtered out the BPDUs, some IPv6 router advertisements and some ARP traffic. All that is left is this UDP traffic. Aside from the multicasts there are a few unicasts but I believe they are related to the AT&T PPV guide channel I had tuned on this particular STB to avoid a flood of video stream traffic.
calleridtest3.pcapng 3241 bytes (calleridtest3.pcapng.zip)
From what I can tell each of the STBs communicates at a regular 3 second interval via UDP multicast to 239.255.255.250. They each send a single packet from a unique source port in the 1000 range to port 8082 that looks like a keepalive registration. That is likely to associate to the main DVR STB to receive access to the channel guide, DVR, and video streams. I have 5 STBs.
- Main DVR Family Room - 192.168.1.65
- Master Bedroom - 192.168.1.130
- Kid's Playroom - 192.168.1.135
- Workout Room - 192.168.1.136
- Shared STB (Patio TV) - 192.168.1.138
At first glance, I can not determine which packet actually contains the CallerID message. If it is in a Multicast packet, it is encoded in some XML field. I need to run another capture on my DVR and see what it sees. Unfortunately my kids are glued to a Netflix show on there at the moment. So it will have to be later. |
|
gerick join:2001-01-17 San Antonio, TX |
to vbman213
Even better, I wish someone could hack the 3800 RG to allow us to put our own SIP credentials into the VOIP settings. |
|
|
vbman213
Anon
2014-Jun-22 11:06 pm
I have zero experience with embedded hardware hacking. But I LOVE this idea. Does the stock/non-AT&T-branded 3800 support this? |
|
vbman213 |
vbman213 to rolande
Anon
2014-Jun-22 11:27 pm
to rolande
@rolande thanks for the dump! It's late so I'm probably overlooking something dumb, but I'm getting an error in wireshark, "... isn't a capture file in a format Wireshark understands." What am I missing? |
|
mackey Premium Member join:2007-08-20 |
mackey
Premium Member
2014-Jun-23 12:09 am
said by vbman213: @rolande thanks for the dump! It's late so I'm probably overlooking something dumb, but I'm getting an error in wireshark, "... isn't a capture file in a format Wireshark understands." What am I missing?
This forum "automagically" zips up all attachments unless they're images or already zipped. Rename to calleridtest3.pcapng.zip, unzip, and try again. /M |
|
|
vbman213
Anon
2014-Jun-23 12:22 am
haha thanks! I really should just register on these forums. |
|
mackey Premium Member join:2007-08-20 |
to rolande
said by rolande: At first glance, I can not determine which packet actually contains the CallerID message.
Unfortunately it does not look like it's in this packet capture. All the multicast packets are from STBs and the only 3 from the DVR contain info on a recording (and are exactly 3 seconds apart). The only 4 unicast packets don't look to me like they contain the call info. /M |
|
|
vbman213
Anon
2014-Jun-23 12:38 am
^ I tend to agree with this. From what I can deduce, the packets we are seeing are nothing more than syncing packets that the STBs use to inform themselves of recording schedules, DVR stats, triggering the little red "record" LED, etc etc |
|
rolandeCertifiable MVM, join:2002-05-24 Dallas, TX |
to mackey
Yeah. I actually did it multiple times and I can say that the capture looks practically identical. I was not finding it either but I also did not stare at it that long. I need to capture again on the DVR and see what it is getting from the RG. |
|
|
vbman213
Anon
2014-Jun-23 10:29 pm
Hey, just keeping this thread alive to see if any progress has been made. Thanks to everybody who has helped review the first packet dump brought to us by @rolande (thanks a bunch)! Honestly, I've also posted in the AT&T developer forums seeing if there are any plans for an API for TV push notifications. Seems like another "screen" that could benefit from a notification platform. |
|
rolandeCertifiable MVM, join:2002-05-24 Dallas, TX |
I'll see if I can get a capture from my DVR in the morning. |
|
dahan join:2000-10-25 Leander, TX 2 edits |
to vbman213
I'm pretty sure it's the 4 UDP packets to port 1026 with data length 178. I.e., in calleridtest3.pcapng, packets 17 to 20. Or in dvr1.cap attached to this post, packets 10 to 13; and in dvr2.cap, also packets 10 to 13. I have no idea how to decipher them though. I'd expect the phone number to be there in ASCII, but it must be either encoded or encrypted somehow.
Things I noticed:
- The contents of the 4 packets are very similar to each other; only a handful of bytes differ.
- However, the packets are very different between two calls from the same phone number. (dvr1.cap and dvr2.cap are logs from calls from the same phone number). There are only a couple bytes towards the beginning of the data that are the same in dvr1 and dvr2.
- The bytes that stayed the same in dvr1 and dvr2 are also the same for a call from a different phone number. (Attached dvr3.cap is a call from a different number than dvr1 and dvr2)
So, it does seem like the packets are encrypted somehow, rather than the phone number being treated as an integer and being encoded in binary or something weird like that. |
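The byte-by-byte comparison described in the post above (four near-identical payloads per call, almost nothing shared between calls) can be done mechanically. This is an added example, not code from any poster in this thread; the payload bytes are constructed placeholders, and the header value, the two varying offsets and the pseudo-random body are assumptions standing in for the real capture data.

```python
import hashlib

PAYLOAD_LEN = 178                       # UDP data length reported in the thread
HEADER = bytes.fromhex("a1b2c3d4e5f6")  # constructed; real leading bytes unknown here

def fake_body(seed: bytes, n: int) -> bytes:
    """Constructed pseudo-random filler standing in for the opaque payload body."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]

def make_call(seed: bytes) -> list:
    """Four constructed payloads for one call; only offsets 8 and 9 vary (assumed)."""
    body = fake_body(seed, PAYLOAD_LEN - len(HEADER))
    packets = []
    for idx in range(4):
        p = bytearray(HEADER + body)
        p[8], p[9] = idx, (idx * 37) & 0xFF
        packets.append(bytes(p))
    return packets

def offsets(payloads, constant: bool) -> list:
    """Offsets where every payload has the same byte (constant) or not (varying)."""
    if len({len(p) for p in payloads}) != 1:
        raise ValueError("payloads must all have the same length")
    return [i for i, col in enumerate(zip(*payloads))
            if (len(set(col)) == 1) == constant]

def match_ratio(a: bytes, b: bytes) -> float:
    """Fraction of byte positions that are equal in two same-length payloads."""
    return sum(x == y for x, y in zip(a, b)) / len(a)

def analyse(calls: dict) -> dict:
    """Summarise the within-call and cross-call comparison for captured payloads."""
    every = [p for pkts in calls.values() for p in pkts]
    return {
        "varies_within_call": {k: offsets(v, constant=False) for k, v in calls.items()},
        "constant_across_calls": offsets(every, constant=True),
        "cross_call_match": {
            (a, b): round(match_ratio(calls[a][0], calls[b][0]), 3)
            for a in calls for b in calls if a < b},
    }

# Constructed stand-ins for dvr1/dvr2 (same caller) and dvr3 (different caller).
CALLS = {name: make_call(name.encode()) for name in ("dvr1", "dvr2", "dvr3")}

if __name__ == "__main__":
    for key, value in analyse(CALLS).items():
        print(key, value)
```

With real captures, replace `CALLS` with the data bytes of the four port-1026 packets exported from each file. A short constant prefix plus a cross-call match ratio near chance for the same caller is the pattern the post attributes to encryption rather than a plain encoding.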
|
|
vbman213
Anon
2014-Jun-24 12:15 pm
I attempted to "replay" these packets to my STBs using » packetsender.com/
No luck. |
|
|
dahan join:2000-10-25 Leander, TX |
dahan
Member
2014-Jun-24 2:06 pm
said by vbman213: I attempted to "replay" these packets to my STBs using » packetsender.com/ No luck.
Yeah, I had noticed that too... it's consistent though--although there's various other traffic, such as the SSDP NOTIFYs (which are semi-documented at » www.danwilsonsoftware.co ··· -Doc.pdf), and some other occasional traffic on UDP port 1026, whenever a call comes in, that group of 4 UDP packets is sent to the DVR. So I'm pretty sure that's the call notification, but I don't think AT&T's gonna make it easy to make our own packets |
|
|
vbman213
Anon
2014-Jun-24 4:22 pm
Actually, replaying your packets kicked the STB offline and required a power cycle to revive... weird. |
|
vbman213 |
vbman213
Anon
2014-Jun-25 9:48 pm
Just chiming in for the day to see if anybody has gotten any more information/dumps/etc. for this project? Thanks for your help! |
|
vbman213 join:2014-06-25 West Columbia, SC |
to vbman213
Any developments on this? |
|
dahan join:2000-10-25 Leander, TX |
dahan
Member
2014-Jun-27 11:44 pm
What are you looking for? Your OP asked for sample data, and there are now packet captures from four calls in this thread. If you want something else, post it, but at the moment, it looks like you have what you asked for |
|
|
vbman213_ano
Anon
2014-Jul-3 12:40 am
Okay, I did some more testing here, which leads me to believe we haven't exhausted all our options yet. I think we need to get a dump from behind the STBs. So here's what I did. I set up TV Notes (look it up in the Interactive Apps dashboard) and using my phone as a signal trigger, I can initiate popups on my TVs. However, I'm not seeing any specific packet(s) linked to this trigger. Could they be multiplexing these triggers over the IPTV stream? Is this even possible? |
|
rolandeCertifiable MVM, join:2002-05-24 Dallas, TX ARRIS BGW210-700 Cisco Meraki MR42
|
said by vbman213_ano: Could they be multiplexing these triggers over the IPTV stream? Is this even possible?
IPTV is delivered as a multicast stream over UDP. So, no. It is not "multiplexed". Is it possible they do a packet rewrite to include the pop up alert info as a custom header in the UDP stream? Maybe. If so, I don't think that would happen at the RG. It would likely happen at the DVR box. The multicast streams are encrypted and only the DVR and STBs have the keys to decrypt. The pop up is never stored in a recorded show. So that means it is delivered outside of the video data stream. It could only be in the UDP header if it is encoded in a live video stream at all. I think it is sent encoded in the keep-alive/hello multicast XML message from the DVR to the STBs that appears to go out once every 3 seconds. All boxes get the message and it is independent of any video stream they happen to be receiving at that moment. If you were in the middle of changing channels, you might miss the alert. |
|