Zeroconf based Authentication by command line

[jgabriel98]

I want to mock (simulate) a connection to the lib by code, with the zeroconf authentication mode.

In other words, i want to run a librespot instance, and then connect to it as a "spotify connect" device, but using code or cli, not the spotify app.

is this possible?

[noelhibbard]

I'm looking to do something similar. My goal is to programmatically swap which account the librespot instance is associated with. The document you referenced above explains how the auth blob is decoded but I need to know how to encode a blob which I would then use for zeroconf auth.

[idcmp]

I have a similar need. I've got a Spotify Connect device at http://192.168.1.118/spotify that I would like to programatically run "addUser" on from one of two accounts. Calls to kick the current user off: curl -d action=resetUsers http://192.168.1.118/spotify and get details about the device curl -d action=getInfo http://192.168.1.118/spotify work fine, but similar to @noelhibbard I'm not quite sure how to craft a "blob"

[noelhibbard]

I'm not super knowledgeable on encryption but I'm thinking you would need the private key to construct the blob and all we have is the public key for decrypting the blob. As far as I know, only the official Spotify clients are capable of initiating a zero config auth. If there is an open source project that can handle that side of the process then we could look at that for hints but I don't think one exists.

[idcmp]

@plietar - I see you're the author of the zeroconf authentication page. Can you offer up any details on how to generate blobs? Whose private key do I need to do the DH exchange?

[ashthespy]

In the odd case you haven't already seen the docs on zeroconf..

[noelhibbard]

Those docs only explain how you decrypt a blob. We are trying to do the opposite.

[ashthespy]

Ah fair enough, sorry for the noise :-)

[plietar]

@idcmp with DH, both sides have a private and a public key. They exchange public keys to compute a shared secret.

• Generate a random private key
• Compute the corresponding public key
• Fetch the device's public key using getInfo
• Combine your private key with the device's public key to obtain the shared secret
• Compute the encryption and checksum key. The docs look like they have some typos and don't match exactly what the code does (especially around the slicing the key bit). In doubt the code is more reliable.
• Encrypt the blob using AES128-CTR and a random 16 byte IV.
• Compute the mac of the encrypted blob using hmac-sha1
• Concatenate the IV, mac and encrypted blob and send that to the device.

---

To actually compute the blob, you'd have to implement this function, backwards. There seem to be a couple of fields in the unencrypted blob that aren't described. I'm not sure what these are. Running librespot and printing their values could help.

[idcmp]

Got it. Sorry if this is a stupid question, is

librespot/core/src/authentication.rs

Lines 92 to 95 in 06f5aa9

	let l = data.len();
	for i in 0..l - 0x10 {
	data[l - i - 1] ^= data[l - i - 0x11];
	}

just doing the CTR (except the last 16 bytes?)?

As listed in:

blob = AES128-CTR-DECRYPT(encryption_key, IV, encrypted)

[plietar]

That piece of code corresponds to the login_data = AES192-DECRYPT(key, data) line in the docs.

The code is a naive manual translation from the disassembled binary to Rust. I’m no crypto expert, so I have a hard time identifying the “high level” algorithms.

It is certainly not CTR, since it is XORing pieces of the plaintext together, rather than the plaintext with some AES stream. On the other hand, it doesn’t match any of the other common cipher modes.

[devgianlu]

You can have a look at the Java implementation too: https://github.com/librespot-org/librespot-java/blob/1c9537a2a21833d68491f8bda077606fe1120c75/lib/src/main/java/xyz/gianlu/librespot/core/Session.java#L867

[mdbraber]

Hi @devgianlu @plietar @idcmp - I'm interested in this too and have been looking around, but found very few examples where this has been done or reverse engineered fully. Would https://github.com/badfortrains/spotcontrol/blob/master/blob.go#L97 be an example to start from (in Go, but should be portable)?

[Johannesd3]

If you really want to do it, please also take a look at #673. While I did not make any attempt to reverse the encryption stuff, I tried to prepare the requests and responses of the http server to work the other way round.

[mdbraber]

Thanks @Johannesd3 that sounds intriguing. I haven't done any Rust at at all so unfortunately wont be able to add much :-( My main goal would be to have something that can 'trigger' Spotify Connect devices in my home network to be selectable in Home Assistant ultimately. I've got some Javascript UPNP stuff done and can send the addUser request. Only figuring out the blob is the part lacking. I'll follow along and test where I can.

[idcmp]

When I was looking into this, I got to the point where I felt like there was a private key of sorts that was missing from the equation that I didn't have access to. I could have been wrong - reversing protocols is definitely not more forte anymore.

[TimotheeGerber]

For those still interested, I published today a tool to connect your librespot devices with Spotify Connect through CLI. You can find my spotify-connect tool here : https://github.com/TimotheeGerber/spotify-connect

I don't have official Spotify Connect hardware. I only tested it on librespot 0.3.1. If someone can test it and tell me if it works on official hardware, it would be nice!

[GiviMAD]

hutspot seems to have this implemented in cpp, is doesn't look easy to port to java or javascript which is what I'm looking for.

https://github.com/sailfish-spotify/hutspot/blob/fa8b33ccc6289db60113eb0fd9467774c8173c87/src/connect/spconnect.cpp#L76

[maraid]

If someone stumbles upon this topic, I created a simplified version of TimotheeGerber's Spotify Connect app in Python.
https://github.com/maraid/zerospot