Has anyone reversed engineered the protocol used by Apple's iOS Remote app for controlling an Apple TV over IP?

reverse-engineering tvos apple-tv remote-control
GuyGizmo picture GuyGizmo · Feb 12, 2016 · Viewed 10k times · Source

I'm curious if it's possible for me to write programs that can control an Apple TV, specifically an Apple TV 4th gen running tvOS 9.1.1, like Apple's Remote app for iOS can. I'd like to send it commands for navigating in the four cardinal directions, selecting an item on the screen, going up the navigation stack -- essentially what Apple's Remote app can do.

Has anyone done any work reverse engineering the protocol it uses? Cursory Googling only has so far yielded out of date results about earlier generation Apple TVs and the DAAP protocol which looks like something different than what I want.

Answer

Nicola Giancecchi picture Nicola Giancecchi · Feb 29, 2016

I captured the traffic on my iPhone using tcpdump and analyzed it with WireShark. The Remote app asks the Apple TV with normal HTTP requests on port 3689.

The workflow of the app consists in four HTTP requests:

  • /server-info for getting infos about the Apple TV. It responds with a Apple proprietary DAAP response (Digital Audio Access Protocol) providing some tags about the device, like the display name.
  • /login is performed during connection, when the app displays the "Connecting to Apple TV..." message. It responds with a DAAP about the login status.
  • Here's the bottleneck. /home-share-verify validates the connection between the app and the Apple TV. This call needs a Client-DAAP-Validation header with a long unknown string value. According to Wikipedia, this seems to be like an hash generated by a certificate exchange between verified sources that was introduced in iTunes 7.0+ and never reverse engineered.
  • /ctrl-int/1/{controlpromptupdate|controlpromptentry|playstatusupdate} seems to be the calls made for the input buttons.

Some other minor calls are fired in between (like a Bonjour service update or a /databases call).

Here and here you can find more infos. Hope this helps for getting an overview of how this simple (but protected) app works.

Related questions

List of all index & index columns in SQL Server DB

How do I get a list of all index & index columns in SQL Server 2005+? The closest I could get is: select s.name, t.name, i.name, c.name from sys.tables t inner join sys.schemas s on …

Read More
decompiling DEX into Java sourcecode

How can one decompile Android DEX (VM bytecode) files into corresponding Java sourcecode?

Read More
How do I decompile a .NET EXE into readable C# source code?

I wrote a C# application for a client a couple of years ago, but I no longer have the source code. All I have is the EXE that I deployed on the client's PC. Is there a way I can …

Read More