
vbman213
@99.38.184.x

vbman213

Anon

Ditched AT&T U-Verse Voice, Spoofing notification packets for TV caller ID

Alright, maybe this isn't the right message board for this question but I'll try first here. I actually need somebody to help with collecting some sample data that I could have to parse through.

Anyways, I ditched AT&T U-Verse Voice in favor of VoIP.ms. I had the idea of packet sniffing my network to figure out what magical packets AT&T uses to trigger the STBs to display a caller ID notification on screen. I would do my own packet sniffing, but since I no longer have active voice service, I am unable to do so! Anybody care to help me out? I would love to see if this is something that can be reverse engineered to trigger any type of message on the TVs and possibly write a FreePBX module to automate the process.

ortizdr
The One the Only
join:2014-01-15
North Richland Hills, TX

ortizdr

Member

Verizon FiOS does this as well but they aren't using VOIP. It would be interesting to know if they used the same tech. Wish I had voice and TV, I'd help you out.

vbman213
@99.38.184.x

vbman213

Anon

Thanks for the support! Anybody else want to do some sniffing? Even if you are not technically savvy, I can give you very specific instructions on what you need to do

rolande
Certifiable
MVM,
join:2002-05-24
Dallas, TX
ARRIS BGW210-700
Cisco Meraki MR42

rolande

MVM,

I might be able to do it for you more easily, since I have my STBs all plugged into a switch I can do port mirroring on. It is likely a multicast or broadcast packet from the RG to the local STBs. Let me know if no one else helps, I'll see if I can look at it later today or tomorrow.

trparky
Premium Member
join:2000-05-24
Cleveland, OH

trparky

Premium Member

I'd love to know this myself as well so that I can build some kind of uVerse caller ID app for Windows.

mindlesstux
join:2004-09-20
Wake Forest, NC

mindlesstux to vbman213

Member

to vbman213
As would I, thinking ability to push notifications from my media center or the likes.

vbman213
@166.205.68.x

vbman213

Anon

Anybody who wants to help collect data, make sure your PC is on the same L3 as your set-top boxes and gateway, install Wireshark and scan during an inbound phone call. Share with us the pcap file and the IP addresses of your RG and STBs.

brookeKrige
join:2012-11-05
San Jose, CA

brookeKrige

Member

Gateway web pages, I believe, have buttons to Ring line-1 or 2.

Too much to hope for I guess that: said buttons actually ring a line even if not subscribed to uverse voice, and also that this manual ring event includes triggering the TV display (of something)?

Darknessfall
Premium Member
join:2012-08-17
Motorola MG8725
Asus RT-N66


Darknessfall

Premium Member

said by brookeKrige:

Too much to hope for I guess that: said buttons actually ring a line even if not subscribed to uverse voice, and also that this manual ring event includes triggering the TV display (of something)?

When I do the ring line function on my 3801, it doesn't show up on the TV at all.

vbman213
@99.38.184.x

vbman213

Anon

I can confirm that the ring button does not ring if not subscribed to voice service.

rolande
Certifiable
MVM,
join:2002-05-24
Dallas, TX
ARRIS BGW210-700
Cisco Meraki MR42

rolande to vbman213

MVM,

to vbman213
Okay, I've got a capture from one of my STBs. I isolated the STB by mirroring just the traffic in and out of its port to an interface on my Macbook. I captured using Wireshark. I called my phone from my cell and watched the alert appear on the screen and then stopped the capture.

I've filtered out the BPDUs, some IPv6 router advertisements and some ARP traffic. All that is left is this UDP traffic. Aside from the multicasts there are a few unicasts but I believe they are related to the AT&T PPV guide channel I had tuned on this particular STB to avoid a flood of video stream traffic.

Attachment: calleridtest3.pcapng, 3241 bytes (calleridtest3.pcapng.zip)


From what I can tell, each of the STBs communicates at a regular 3 second interval via UDP multicast to 239.255.255.250. They each send a single packet from a unique source port in the 1000 range to port 8082 that looks like a keepalive registration. That is likely to associate to the main DVR STB to receive access to the channel guide, DVR, and video streams.

I have 5 STBs.

  1. Main DVR Family Room - 192.168.1.65

  2. Master Bedroom - 192.168.1.130

  3. Kid's Playroom - 192.168.1.135

  4. Workout Room - 192.168.1.136

  5. Shared STB (Patio TV) - 192.168.1.138


At first glance, I can not determine which packet actually contains the CallerID message. If it is in a Multicast packet, it is encoded in some XML field.

I need to run another capture on my DVR and see what it sees. Unfortunately my kids are glued to a Netflix show on there at the moment. So it will have to be later.

gerick
join:2001-01-17
San Antonio, TX

gerick to vbman213

Member

to vbman213
Even better, I wish someone could hack the 3800 RG to allow us to put our own SIP credentials into the VOIP settings.

vbman213
@99.38.184.x

vbman213

Anon

I have zero experience with embedded hardware hacking. But I LOVE this idea. Does the stock/non-AT&T-branded 3800 support this?

vbman213

vbman213 to rolande

Anon

to rolande
@rolande thanks for the dump! It's late so I'm probably overlooking something dumb, but I'm getting an error in Wireshark, "... isn't a capture file in a format Wireshark understands." What am I missing?

mackey
Premium Member
join:2007-08-20

mackey

Premium Member

said by vbman213 :

@rolande thanks for the dump! It's late so I'm probably overlooking something dumb, but I'm getting an error in Wireshark, "... isn't a capture file in a format Wireshark understands." What am I missing?

This forum "automagically" zips up all attachments unless they're images or already zipped. Rename to calleridtest3.pcapng.zip, unzip, and try again.

/M

vbman213
@99.38.184.x

vbman213

Anon

haha thanks! I really should just register on these forums.

mackey
Premium Member
join:2007-08-20

mackey to rolande

Premium Member

to rolande
said by rolande:

At first glance, I can not determine which packet actually contains the CallerID message.

Unfortunately it does not look like it's in this packet capture. All the multicast packets are from STBs and the only 3 from the DVR contain info on a recording (and are exactly 3 seconds apart). The only 4 unicast packets don't look to me like they contain the call info.

/M

vbman213
@99.38.184.x

vbman213

Anon

^ I tend to agree with this. From what I can deduce, the packets we are seeing are nothing more than syncing packets that the STBs use to inform themselves of recording schedules, DVR stats, triggering the little red "record" LED, etc.

rolande
Certifiable
MVM,
join:2002-05-24
Dallas, TX

rolande to mackey

MVM,

to mackey
Yeah. I actually did it multiple times and I can say that the capture looks practically identical. I was not finding it either but I also did not stare at it that long. I need to capture again on the DVR and see what it is getting from the RG.

vbman213
@99.38.184.x

vbman213

Anon

Hey, just keeping this thread alive to see if any progress has been made. Thanks to everybody who has helped review the first packet dump brought to us by @rolande (thanks a bunch)! Honestly, I've also posted in the AT&T developer forums to see if there are any plans for an API for TV push notifications. Seems like another "screen" that could benefit from a notification platform.

rolande
Certifiable
MVM,
join:2002-05-24
Dallas, TX

rolande

MVM,

I'll see if I can get a capture from my DVR in the morning.

dahan
join:2000-10-25
Leander, TX


dahan to vbman213

Member

to vbman213
Attachments: dvrcap.zip (3,074 bytes), dvr3.cap.zip (765 bytes)

I'm pretty sure it's the 4 UDP packets to port 1026 with data length 178. I.e., in calleridtest3.pcapng, packets 17 to 20.

Or in dvr1.cap attached to this post, packets 10 to 13; and in dvr2.cap, also packets 10 to 13.

I have no idea how to decipher them though. I'd expect the phone number to be there in ASCII, but it must be either encoded or encrypted somehow.

Things I noticed:
• The contents of the 4 packets are very similar to each other; only a handful of bytes differ.
• However, the packets are very different between two calls from the same phone number. (dvr1.cap and dvr2.cap are logs from calls from the same phone number). There are only a couple bytes towards the beginning of the data that are the same in dvr1 and dvr2.
• The bytes that stayed the same in dvr1 and dvr2 are also the same for a call from a different phone number. (Attached dvr3.cap is a call from a different number than dvr1 and dvr2)

So, it does seem like the packets are encrypted somehow, rather than the phone number being treated as an integer and being encoded in binary or something weird like that.
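
The byte-level comparison described in the post above, as an added example that is not part of the original thread: it lists which offsets vary within one call's group of four datagrams, which offsets stay constant across calls, and contrasts payload entropy with plain ASCII digits. All payloads are constructed stand-ins (a made-up 8-byte prefix plus hash output), not bytes from the attached captures, and the function names are illustrative.

```python
import hashlib, math
from collections import Counter

def offsets(payloads, constant):
    """Byte offsets that are constant (or varying) across equal-length payloads."""
    n = min(map(len, payloads))
    return [i for i in range(n) if (len({p[i] for p in payloads}) == 1) == constant]

def entropy(data):
    """Shannon entropy in bits per byte; ciphertext or compressed data sits far above ASCII text."""
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())

# --- constructed sample data, NOT bytes from the thread's captures ---
HEADER = bytes.fromhex("0001b2000000aa55")   # made-up fixed prefix

def fake_group(call_id, length=178):
    """Four near-identical datagrams standing in for one hypothetical call."""
    body = b"".join(hashlib.sha256(f"{call_id}:{i}".encode()).digest() for i in range(6))
    base = HEADER + body[:length - len(HEADER)]
    group = []
    for seq in range(4):
        pkt = bytearray(base)
        pkt[8] = seq          # assumed per-packet counter
        pkt[-1] ^= seq + 1    # assumed per-packet trailer byte
        group.append(bytes(pkt))
    return group

def analyse(groups):
    firsts = [g[0] for g in groups]          # first datagram of each call
    return {
        "varies_within_call": offsets(groups[0], constant=False),
        "constant_across_calls": offsets(firsts, constant=True),
        "body_entropy": round(entropy(firsts[0][len(HEADER) + 1:]), 2),
        "ascii_entropy": round(entropy(b"5125550100" * 17), 2),  # constructed digits
    }

if __name__ == "__main__":
    calls = [fake_group(c) for c in ("call-A", "call-A-again", "call-B")]
    for key, value in analyse(calls).items():
        print(key, value)
```

A short run of constant offsets at the start combined with a high-entropy remainder is the pattern the post describes; high entropy alone does not distinguish encryption from compression.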

vbman213
@99.38.184.x

vbman213

Anon

I attempted to "replay" these packets to my STBs using packetsender.com

No luck.

dahan
join:2000-10-25
Leander, TX

dahan

Member

said by vbman213 :

I attempted to "replay" these packets to my STBs using packetsender.com

No luck.

Yeah, I had noticed that too... it's consistent though--although there's various other traffic, such as the SSDP NOTIFYs (which are semi-documented at »www.danwilsonsoftware.co ··· -Doc.pdf), and some other occasional traffic on UDP port 1026, whenever a call comes in, that group of 4 UDP packets is sent to the DVR. So I'm pretty sure that's the call notification, but I don't think AT&T's gonna make it easy to make our own packets

vbman213
@99.38.184.x

vbman213

Anon

Actually, replaying your packets kicked the STB offline and required a power cycle to revive... weird.

vbman213

vbman213

Anon

Just chiming in for the day to see if anybody has gotten any more information/dumps/etc. for this project? Thanks for your help!

vbman213
join:2014-06-25
West Columbia, SC

vbman213 to vbman213

Member

to vbman213
Any developments on this?

dahan
join:2000-10-25
Leander, TX

dahan

Member

What are you looking for? Your OP asked for sample data, and there are now packet captures from four calls in this thread. If you want something else, post it, but at the moment, it looks like you have what you asked for

vbman213_ano
@99.38.184.x

vbman213_ano

Anon

Okay, I did some more testing here, which leads me to believe we haven't exhausted all our options yet. I think we need to get a dump from behind the STBs. So here's what I did. I set up TV Notes (look it up in the Interactive Apps dashboard) and using my phone as a signal trigger, I can initiate popups on my TVs. However, I'm not seeing any specific packet(s) linked to this trigger. Could they be multiplexing these triggers over the IPTV stream? Is this even possible?

rolande
Certifiable
MVM,
join:2002-05-24
Dallas, TX
ARRIS BGW210-700
Cisco Meraki MR42

rolande

MVM,

said by vbman213_ano :

Could they be multiplexing these triggers over the IPTV stream? Is this even possible?

IPTV is delivered as a multicast stream over UDP. So, no. It is not "multiplexed". Is it possible they do a packet rewrite to include the pop up alert info as a custom header in the UDP stream? Maybe. If so, I don't think that would happen at the RG. It would likely happen at the DVR box. The multicast streams are encrypted and only the DVR and STBs have the keys to decrypt. The pop up is never stored in a recorded show. So that means it is delivered outside of the video data stream. It could only be in the UDP header if it is encoded in a live video stream at all.

I think it is sent encoded in the keep-alive/hello multicast XML message from the DVR to the STBs that appears to go out once every 3 seconds. All boxes get the message and it is independent of any video stream they happen to be receiving at that moment. If you were in the middle of changing channels, you might miss the alert.