Well, not really behind the scenes. But these are my findings of how Telias IPTV works. The original reason behind this is that I would like to stream the channels to my computers.

The base of it all is a series of multicasted UDP streams in the range 239.16.16.0/24, including both the actual channels and box configuration/firmware. The program guide is more or less a normal web side accessed over HTTP.

The hardware involved is a Zyxel Prestige 660H Triple Play and the Motorola/Kreatel 1510 STB. To connect to the IPTV service using a normal network one have to hook up the IPTV-port of the Zyxel modem directly to a computer. Sniffing the traffic to/from the STB can be done by simply bridging two interfaces and using the box as normal. It’s also possible to enable the IPTV service on one of the unused ports by reconfiguring the modem (to get two output ports).

Getting an IP-address

The DHCP request to Telias server must contain the following option, otherwise, their server won’t respond.

Option(60) Vendor-class-identifier XX XX XX XX XX

The XX-string is a 5 byte value that is rumored to be some sort of serial number. I haven’t found any hard evidence of this as my value doesn’t match any of those on the box. The following should be enough configuration (dhclient.conf) of the ISC DHCP client to send the correct option.

send vendor-class-identifier XX:XX:XX:XX:XX;

Once the interface has been bound to an address the connection should work just like a normal Telia ADSL connection, the PTR record of the address is a subdomain to digitaltv.telia.com.

Boot sequence of the Kreatel/Motorola 1500 box

During the boot sequence (after DHCP) the box joins the multicast group 239.16.16.202 which distributes the initial configuration over something called infocast2, UDP port 5555. Among other things the local time and a xml file containing a “portal URL” which is http://iptvlogin.telia.se/iptvgui/initial.html this page displays the initial “hour glass” one sees when booting the box.

Next, depending on the revision of the box it will download its firmware based on the configuration file, they point out further multicast groups to join. The following was valid during writing

kreatel-ip-stb-rev-4, kreatel-ip-stb-rev-6, kreatel-ip-stb-rev-11

bc_kernel_addr 239.16.16.205:5555
bc_kernel_name software_1500
bc_root_addr 239.16.16.205:5555
bc_root_name software_1500
bc_splash_addr 239.16.16.204:5555
bc_splash_name splash-data_mipsel

kreatel-ip-stb-rev-9, kreatel-ip-stb-rev-13, kreatel-ip-stb-rev-15

bc_kernel_addr 239.16.16.209:5555
bc_kernel_name software_1500_secure
bc_splash_addr 239.16.16.210:5555
bc_splash_name splash-data_mipsel_secure

What do you know, seems like the box is based on a MIPS CPU (not that surprising)

software_1500: ELF 32-bit LSB executable, MIPS, version 1 (SYSV), statically linked, not stripped

The firmware “software_1500_secure” just identifies as “data” and has the first 3 bytes set to “SEC”, encrypted ELF file perhaps?

This data (configuration and firmware) can be extracted with the Infocast2Tools. The package contains a server and a client. Simply start the client with the multicast address of interest and start the box.

Streaming TV to VLC

Viewing a channel is as simple as joining the correct multicast group, unfortunately, some channels are encrypted/scrambled. All channels are streamed over UDP/5555 using ISO/IEC 13818 MPEG-2.

Viewing is as simple as

vlc udp://@239.16.16.1:5555

The following channels are currently not scrambled (Swedish)

• 239.16.16.1 – SVT1
• 239.16.16.2 – SVT2
• 239.16.16.21 – TV4
• 239.16.16.35 – canal+ sport? (I’m not sure which channel this actually is)
• 239.16.16.44 – Telia/Comhem info
• 239.16.16.45 – Telia/Comhem info
• 239.16.16.46 – Telia/Comhem info
• 239.16.16.47 – Telia/Comhem info
• 239.16.16.65 – Disney channel
• 213.16.16.100 – Cartoon Network

Scrambled channels

Not the whole stream is scrambled, but only individual sub-frames. These have the “Transport Scrambling Control” field in the ISO/IEC 13818 header set to 2 (User defined).

The box does not utilize a CA card, instead it has some software solution which I believe is VeriMatrix VCAS system for IPTV. During packet analysis I found that the box does a few TCP connections to hyca.iptv.telia.com (213.64.59.103) on ports 12697, 12698, 12699 and 12700. These connections turned out to be SSL connections involving two certificates issued by CA@Verimatrix.com for VCI.XXXX@TeliaSonera.com and SUBCA.YYYY@TeliaSonera.com (XXXX/YYYY are integer strings, I don’t know if they are unique yet, I guess not).

Certificate (pkcs-9-at-emailAddress=CA@Verimatrix.com,id-at-commonName=Verimatrix ROOT CA,id-at-organizationalUnitName=VCAS,id-at-organizationName=Verimatrix,id-at-localityName=San Diego,id-at-stateOrProvinceName=CA,id-at-countryName=US)

The Verimatrix website describes a “Video Content Authority System” that utilizes public/private keys, my guess is that ones identification code or control code is sent to their system over this channel and a decryption key is returned which can be used to decrypt the scrambled frames.

Figuring out what to send and which decryption method that is used (the VeriMatrix web page talks about AES) is the key to stream scrambled channels to a normal computer or to a HTPC.

Further studies of their product sheets/white papers reveals that each channel stream gets its own encryption key. If this really is the case, the authorization key one receives from Telia when signing up for the service (the key one has to enter into the STB to be able to use it) can only be used to control which encryption keys that are sent from the their key server to the STB.

Update: Seems I was partially right and partially wrong about the TCP connections. The connections to 12697 and 12699 are SSL connections, however the connections to 12698 and 12700 are not.