How I Reverse Engineered a Set-Top Box

My parents own a set-top box to watch specific television channels. The box is terribly slow. I've contacted the set-top box company and asked if they offer another ways to access their content, they said it isn't possible.

I didn't really believe them, so I connected the box to my laptop and began inspecting traffic packages with Wireshark. Here is what I found:

  • The device runs on Android 4.x
  • The device traffic is not encrypted
  • The device authenticates with its user agent
  • An URL with all the channels (streams) listed in JSON format
  • I was able to download and decompile an update that the device tried to install

I tried one of the channels in my browser, with the spoofed user agent, and the stream just works.

With the information I've gathered, I created a simple PHP library which generates a M3U file that can be loaded in Kodi.

I've informed the company about my findings and they promised to fix the issue.

Ramy Talal

Read more posts by this author.