Chromecast uses HTTP to receive commands
https://www.elladodelmal.com/2018/10/chromecast-hacking-con-metasploit-y.html
https://www.elladodelmal.com/2017/10/chromecrash-o-como-jugar-con-tu-google.html
https://www.elladodelmal.com/2018/05/taketv-como-descubrir-y-utilizar.html
http://docs.52im.net/extend/docs/api/android-50/google/play-services/cast.html
https://www.xatakandroid.com/tutoriales/como-actualizar-chromecast-ultima-version // Uses Google Home and curl; the latter does not work.
$ avahi-discover -r _googlecast._tcp
Currently it is only possible to send a few basic commands over HTTP to the web server running on the Chromecast.
https://blog.oakbits.com/google-cast-protocol-discovery-and-connection.html
The Google Cast libraries could be used to develop an app (Android or web) that sends data to the Chromecast.
Android sender app:
https://developers.google.com/cast/docs/developers#setup_for_development
https://github.com/googlecast/CastVideos-android
https://developers.google.com/cast/docs/android_sender/integrate
https://developers.google.com/cast/docs/sample_apps
https://developers.google.com/android/reference/com/google/android/gms/cast/package-summary
Does Chromecast only accept .mp4?:
https://stackoverflow.com/questions/23450163/open-chromecast-youtube-video-from-android-application
Android youtube player web receiver:
https://github.com/PierfrancescoSoffritti/android-youtube-player#chromecast-extension-library
Sending commands to the Chromecast from the terminal: works well.
https://github.com/vishen/go-chromecast // Uses port 8009 (ajp13)
The Apache JServ Protocol (AJP) is essentially an optimized binary version of HTTP
With:
go-chromecast watch
It tells me it is using castv_2_1_0
CHROMECAST BROADCAST MESSAGE: type=MEDIA_STATUS proto=CASTV2_1_0 (namespace=urn:x-cast:com.google.cast.media) 77182ee4-230e-487a-8973-2a574fe71536 -> * | {"type":"MEDIA_STATUS","status":[{"mediaSessionId":4,"playbackRate":1,"playerState":"PLAYING","currentTime":0.780988,"supportedMediaCommands":12495,"volume":{"level":1,"muted":false},"activeTrackIds":[],"currentItemId":4,"repeatMode":"REPEAT_OFF"}],"requestId":0}
https://dms.redbull.tv/v3/linear-borb/eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJjYXRlZ29yeSI6InNtYXJ0X3R2IiwiY291bnRyeV9jb2RlIjoiZXMiLCJleHBpcmVzIjoiMjAyMS0wNy0yMVQxMTowMzo1NC41NDY0OTk3MzZaIiwibG9jYWxlIjoiZXNfRVMiLCJvc19mYW1pbHkiOiJjaHJvbWVjYXN0IiwicmVtb3RlX2lwIjoiMTkzLjExMS41Mi41MyIsInVhIjoiTW96aWxsYS81LjAgKFgxMTsgTGludXggYXJtdjdsKSBBcHBsZVdlYktpdC81MzcuMzYgKEtIVE1MLCBsaWtlIEdlY2tvKSBDaHJvbWUvODMuMC40MTAzLjk3IFNhZmFyaS81MzcuMzYgQ3JLZXkvMS40OS4yNTA5NDYiLCJ1aWQiOiJiZmI5YjhkMi0zOTZhLTRkMzMtYmQ4YS1iMDA3ZmFkN2U4ZTMifQ.JcISPvnnVVfSgf7nMcZ64BQmLIcSqTDp7SJ1G1B2fTY/playlist.m3u8?namespace=rbtv
I try to view the communication between the go-chromecast app and the Chromecast itself in Wireshark, but I cannot capture it, only as binary. I can when I use Firefox and curl in the terminal.
"The only difference being that port 8009 communicates with the Apache JServ Protocol while port 8080 uses HTTP."
https://github.com/thibauts/node-castv2#protocol-description
v2: they are already on 3.5, so it could be obsolete.
Review the code for HTTP commands. //TODO.
6984f99d-54b0-5366-a078-8cd6f90bc176
connect?uuid=6984f99d-54b0-5366-a078-8cd6f90bc176&addr=192.168.0.102&port=8008
curl -X POST -H "Content-Type: application/json" -d "{'params': 'ota foreground'}" http://192.168.0.102:8008/setup -v
$ curl -X POST -H "Content-Type: application/json" http://192.168.0.108:8008/connect?uuid=6984f99d-54b0-5366a078-8cd6f90bc176addr=192.168.0.108&port=8008
[3] 15392
[2] Hecho
curl -X POST -H "Content-Type: application/json" "http://192.168.0.102:8008/stop?uuid=6984f99d-54b0-5366-a078-8cd6f90bc176"
In https://github.com/vishen/go-chromecast/blob/master/http/handlers.go :
//Update: These are only the routes of the go-chromecast program's own server.
| GET /devices |
| POST /connect?uuid=<device_uuid>&addr=<device_addr>&port=<device_port> |
| POST /disconnect?uuid=<device_uuid> |
| POST /disconnect-all |
| POST /status?uuid=<device_uuid> |
| POST /pause?uuid=<device_uuid> |
| POST /unpause?uuid=<device_uuid> |
| POST /mute?uuid=<device_uuid> |
| POST /unmute?uuid=<device_uuid> |
| POST /stop?uuid=<device_uuid> |
| GET /volume?uuid=<device_uuid> |
| POST /volume?uuid=<device_uuid>&volume=<float> |
| POST /rewind?uuid=<device_uuid>&seconds=<int> |
| POST /seek?uuid=<device_uuid>&seconds=<int> |
| POST /seek-to?uuid=<device_uuid>&seconds=<float> |
| POST /load?uuid=<device_uuid>&path=<filepath_or_url>&content_type=<string> |
| /* |
1-
Network scan looking for port 8008 open. It is the one Chromecast uses.
dal@lolo:~
$ sudo nmap 192.168.0.0/24 -p 8008 -sS -Pn
Starting Nmap 7.70 ( https://nmap.org ) at 2021-07-12 13:50 CEST
Nmap scan report for 192.168.0.1
Host is up (0.0022s latency).
Nmap scan report for 192.168.0.102
Host is up (-0.058s latency).
PORT STATE SERVICE
8008/tcp open http
MAC Address: E4:F0:42:90:42:26 (Google)
2-
Now we know it uses the IP 192.168.0.102.
Chromecast communicates over HTTP on port 8008:
In a browser:
http://192.168.0.102:8008/ssdp/device-desc.xml
http://192.168.0.102:8008/setup/eureka_info?options=detail
http://192.168.0.102:8008/setup/supported_timezones
Using curl in a terminal, it used to be possible to change the name:
curl -X POST -H "Content-Type: application/json" -d '{"name": "MyChrome"}' http://192.168.0.108:8008/setup/set_eureka_info -v
curl -X POST -H "Content-Type: application/json" -d '{"name": "{NOMBRE}"}' http://{CHROMECAST_IP}:8008/setup/set_eureka_info -v
But it seems they have implemented a security mechanism.
It gives me access forbidden: 403 Forbidden.
curl -X POST -H "Content-Type: application/json" -d "{'params': 'ota foreground'}" http://192.168.0.102:8008/setup/reboot -v
Note: Unnecessary use of -X or --request, POST is already inferred.
* Expire in 0 ms for 6 (transfer 0x1f7beb0)
* Trying 192.168.0.102...
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0x1f7beb0)
* Connected to 192.168.0.102 (192.168.0.102) port 8008 (#0)
> POST /setup/reboot HTTP/1.1
> Host: 192.168.0.102:8008
> User-Agent: curl/7.64.0
> Accept: */*
> Content-Type: application/json
> Content-Length: 28
>
* upload completely sent off: 28 out of 28 bytes
< HTTP/1.1 403 Forbidden // forbidden
< Access-Control-Allow-Headers:Content-Type
< Cache-Control:no-cache
< Content-Length:0
<
* Connection #0 to host 192.168.0.102 left intact
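Steps 1 and 2 above as one repeatable inventory check, added here as an example and not part of the original notes: it pulls the hosts with 8008/tcp open out of saved nmap output and requests only the three read-only URLs listed in step 2. The function names, the script name and the sample scan (addresses, MACs, vendors) are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original notes): inventory hosts with 8008/tcp open
# from nmap output, then read-only check the setup URLs listed in step 2.

# Constructed sample in the layout of `nmap -p 8008 -sS -Pn` normal output.
SAMPLE_NMAP='Nmap scan report for 192.168.0.1
Host is up (0.0022s latency).
PORT     STATE  SERVICE
8008/tcp closed http
MAC Address: 02:00:00:00:00:01 (Constructed Router)
Nmap scan report for 192.168.0.102
Host is up (0.0031s latency).
PORT     STATE SERVICE
8008/tcp open  http
MAC Address: 02:00:00:00:00:02 (Google)
Nmap scan report for 192.168.0.150
Host is up.
PORT     STATE SERVICE
8008/tcp open  http'

# Reads nmap output on stdin; prints "ip vendor" for each host with 8008/tcp open.
# The scanning host itself has no MAC line, so its vendor is reported as "unknown".
cast_candidates() {
  awk '
    function emit() { if (ip != "" && is_open) print ip, (vendor == "" ? "unknown" : vendor) }
    /^Nmap scan report for / { emit(); ip = $NF; gsub(/[()]/, "", ip); is_open = 0; vendor = "" }
    /^8008\/tcp[ \t]+open[ \t]/ { is_open = 1 }
    /^MAC Address: / { vendor = $0; sub(/^[^(]*\(/, "", vendor); sub(/\)[ \t]*$/, "", vendor) }
    END { emit() }
  '
}

# GET-only probe of one host; prints "path http_status" for each URL.
probe_setup() {
  local host=$1 path
  for path in /ssdp/device-desc.xml '/setup/eureka_info?options=detail' /setup/supported_timezones; do
    printf '%s %s\n' "$path" \
      "$(curl -s -o /dev/null -m 3 -w '%{http_code}' "http://$host:8008$path")"
  done
}

if [ "$#" -gt 0 ]; then            # usage: ./cast_inventory.sh scan.txt
  cast_candidates < "$1" | while read -r ip vendor; do
    echo "== $ip ($vendor)"; probe_setup "$ip"
  done
else                                # no argument: run on the constructed sample
  printf '%s\n' "$SAMPLE_NMAP" | cast_candidates
fi
```

A host that answers 200 on /setup/eureka_info is disclosing device details to anyone on the same network segment, which is the case for placing Cast devices on a separate VLAN or guest network.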
Related information:
https://www.elladodelmal.com/2019/11/homepwn-swiss-army-knife-for-pentesting.html
https://github.com/Telefonica/HomePWN
https://www.elladodelmal.com/2020/05/evilssdp-como-poner-dispositivos.html
