So I’ve been interested in the Chromecast device since I had heard of it a while back and finally got around to ordering one. For $35 before shipping it’s not bad, even if it’s just to play with briefly.
Mine finally arrived today! I am going to share some very quick things I’ve discovered about this nifty little device.
Let me first start off by mentioning that I have NOT gotten this device to successfully connect to my wireless network. Part of the reason I even investigated this (and thus decided to share some of my findings here) is that I was unable to get this sweet little device onto my wifi network. That being said I think looking under the hood allows us to peer into how Google designed this device and how it works!
So step 1? Plug the thing into a power source and stick it into one of my TV’s many HDMI ports and see what comes up!
The first thing that comes up is a welcome screen showing you the name of the device which is always ChromecastXXXX where the Xs are four randomly generated numbers. At this point I downloaded the android app and proceeded with the configuration which allowed me to do the following things:
1. detect my ChromecastXXXX device
2. configure it to connect to my wifi network
3. connect to it via my wifi network for the main functionality provided it can now connect to my wifi network.
It was step 3 that kept failing no matter how many times I tried (and rebooted the device) so I decided to see exactly how this setup process worked.
So I grabbed one of my smaller laptops (this one) and decided to try the “manual setup” which is described at (https://cast.google.com/chromecast/setup?np=manualsetup).
So how does step 1 work? How was my app able to detect the presence of my ChromecastXXXX device? I assumed it was bluetooth and that configuration occurred over a paired bluetooth channel. As it turns out that is not the case. It’s actually good old wifi!
So step one in the manual setup process is to connect to the wireless network with the SSID that represents your device name. In the case where I actually took note of this my device SSID was Chromecast8991.
So the little thing starts up an AP and lets you configure it somewhat like a router! Cool. So I connected to this AP and requested an IP address with dhclient. After [forever] I got one.
I got an IP of 192.168.255.250 and the device itself turned out to be 192.168.255.249. Of course the first thing I did was check for open ports. The following ports were open:
53 (non working DNS)
8008 (main communications)
As soon as you connect to the device as a client it will give you a random 4 digit code on screen which I imagine is used for further communications in the case someone else decides to connect to your unencrypted and open device SSID. It will prevent someone unable to see your TV screen from configuring your device but that’s about it. Once I get this thing working I will take a look at sniffing network traffic to see if I can “cross the streams” on other people’s chromecasts so to speak. Would be hilarious.
Anyway once you get this code the first step in the configuration begins. All communication with the device at this point is done over json encoded data over HTTP.
The next phase involves telling the device to scan for wireless networks so you can tell it which to connect to and with what security mechanisms. The network traffic looks like this:
GET /setup/eureka_info HTTP/1.1
Host: 192.168.255.249:8008
Connection: keep-alive

HTTP/1.1 200 OK
Access-Control-Allow-Headers: Content-Type
Cache-Control: no-cache
Access-Control-Allow-Origin: https://cast.google.com
Content-Type: application/json
Content-Length: 852

{"build_version":"12072","connected":false,"has_update":false,"hdmi_control":true,"hotspot_bssid":"FA:8F:XX:XX:XX:XX","locale":"en_US","mac_address":"D0:E7:XX:XX:XX:XX","name":"Chromecast8991","opt_in":{"crash":true,"device_id":false,"stats":true},"public_key":"MIIBCgKCAQEAyoaWlKNT6W5+/cJXEpIfeGvogtJ1DghEUs2PmHkX3n4bByfmMRDYjuhcb97vd8N3HFe5sld6QSc+FJz7TSGp/700e6nrkbGj9abwvobey/IrLbHTPLtPy/ceUnwmAXczkhay32auKTaM5ZYjwcHZkaU9XuOQVIPpyLF1yQerFChugCpQ+bvIoJnTkoZAuV1A1Vp4qf3nn4Ll9Bi0R4HJrGNmOKUEjKP7H1aCLSqj13FgJ2s2g20CCD8307Otq8n5fR+9/c01dtKgQacupysA+4LVyk4npFn5cXlzkkNPadcKskARtb9COTP2jBWcowDwjKSBokAgi/es/5gDhZm4dwIDAQAB","release_track":"stable-channel","setup_state":11,"ssdp_udn":"82c5cb87-27b4-2a9a-d4e1-5811f2b1992c","ssid":"","uma_client_id":"4DE23B6E-B2B0-7DBC-7BFB-F29D84AF87EF","uptime":83.5,"version":4,"wpa_configured":false,"wpa_state":3}

GET /setup/eureka_info HTTP/1.1
Host: 192.168.255.249:8008
Based on the traffic you can see that the /setup/eureka_info URL is used to request the initial scan/results. You can also see various information about the bssid/ssid as well as some of its current configuration, the hostname of the system connected to it, and a bunch of IDs. It also notes that I’ve somehow opted into sending Google information when there is a crash as well as for stats. Fun. You can see that there seems to be public key crypto which is good if we’re going to be sending our wifi network details over an open and unencrypted wireless network.
I did notice during the multiple times I’ve tried to connect this to my wireless network that the public key changes so it is generated by the device and not hardcoded (which is just fine). What I did find very interesting is that this very request the last couple of times included GPS data which means this device has GPS????? Here is a snippet of a previous response:
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Content-Type
Cache-Control: no-cache
Access-Control-Allow-Origin: https://cast.google.com
Content-Type: application/json
Content-Length: 998

{"build_version":"12072","connected":false,"has_update":false,"hdmi_control":true,"hotspot_bssid":"FA:8F:XX:XX:XX:XX","locale":"en_US","location":{"latitude":39.XXXXXX,"longitude":-76.XXXXXXX},"mac_address":"D0:E7:XX:XX:XX:XX","name":"Chromecast6603","noise_level":-84,"opt_in":{"crash":true,"device_id":false,"stats":true},"public_key":"MIIBCgKCAQEA1eq2miUMleKr/vjbb/3cd3rMkSZG0PnerBYpAjkHPA02FM8OCoMe+OIV0t6OJ3BFNnf3nJLThSw/ckQ+h6CpWfxVlc/d5ETKdl5RMuco3y0pos3Boz83ZUlXyGgfZeSUAh1oopf+xdterfc2E9S6GUdfY0yrwwpah0BxBAze6Bwk4kfPNJnH5Vvew8f8S3uLhXIIV7loyxzdf+XVd1eXyeMU61BI32X2Ft81wZI116LzirloUsUju7E1DZZTMHSDzqkZezOwGUDkFZZxPDrNcZnU1kEcxpXtXaaxNeWWGFvhf1QYPegu9J9bxWAvz5ZimlW8qOnCxgYBdr75jXAidwIDAQAB","release_track":"stable-channel","setup_state":11,"signal_level":-46,"ssdp_udn":"63023a09-fa02-e49e-9289-6edd183146f1","ssid":"myssid","timezone":"America/New_York","uma_client_id":"C23C5542-B402-A470-FBD2-C0E8701D4E6B","uptime":3284.05,"version":4,"wpa_configured":false,"wpa_id":0,"wpa_state":1}
I’ve verified that that lat/long is exactly where I live. EXACTLY. Very creepy.
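The disclosure described above, turned into a small audit, as an added example that is not part of the original post: it parses a eureka_info body, lists the identifying fields it returns, and reads the RSA modulus size from public_key (the MIIBCgKCAQEA prefix in the captures is the DER header of a PKCS#1 RSAPublicKey with a 2048-bit modulus). The SENSITIVE field selection, the function names and the sample response are assumptions constructed for illustration.

```python
import base64
import json

# Fields seen in the page's /setup/eureka_info captures that identify the owner or
# the home network; any client that joins the open setup AP can request them.
SENSITIVE = ("location", "mac_address", "hotspot_bssid", "ssid", "timezone",
             "uma_client_id", "ssdp_udn")

def _der_len(buf, i):
    """Decode the DER length at buf[i]; return (length, index of the value)."""
    if buf[i] < 0x80:
        return buf[i], i + 1
    n = buf[i] & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def rsa_modulus_bits(b64_key):
    """Bit length of n in a base64 PKCS#1 RSAPublicKey (SEQUENCE { n, e })."""
    der = base64.b64decode(b64_key)
    if der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, i = _der_len(der, 1)
    if der[i] != 0x02:
        raise ValueError("expected INTEGER modulus")
    n_len, i = _der_len(der, i + 1)
    return int.from_bytes(der[i:i + n_len], "big").bit_length()

def audit_eureka_info(body):
    """Summarise what one unauthenticated eureka_info response discloses."""
    info = json.loads(body)
    exposed = {k: info[k] for k in SENSITIVE if info.get(k) not in (None, "")}
    telemetry = sorted(k for k, v in info.get("opt_in", {}).items() if v)
    return {"exposed": exposed, "telemetry_on": telemetry,
            "rsa_bits": rsa_modulus_bits(info["public_key"])}

def sample_response():
    """Constructed response: placeholder identifiers and a dummy 2048-bit modulus."""
    n = (1 << 2047) | 1  # constructed value, not a real key
    ints = b"\x02\x82\x01\x01\x00" + n.to_bytes(256, "big") + b"\x02\x03\x01\x00\x01"
    key = base64.b64encode(b"\x30\x82\x01\x0a" + ints).decode()
    return json.dumps({
        "name": "ChromecastXXXX", "ssid": "", "mac_address": "D0:E7:00:00:00:00",
        "hotspot_bssid": "FA:8F:00:00:00:00", "timezone": "America/New_York",
        "location": {"latitude": 0.0, "longitude": 0.0},
        "opt_in": {"crash": True, "device_id": False, "stats": True},
        "public_key": key, "setup_state": 11, "version": 4})

if __name__ == "__main__":
    print(json.dumps(audit_eureka_info(sample_response()), indent=2))
```

Running the same audit over responses saved before and after the device has seen a home network shows which fields (location, ssid, timezone) only appear once it has that context.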
Next we see some more data about the public key to use:
{"build_version":"12072","connected":false,"has_update":false,"hdmi_control":true,"hotspot_bssid":"FA:8F:XX:XX:XX:XX","locale":"en_US","mac_address":"D0:E7:XX:XX:XX:XX","name":"Chromecast8991","opt_in":{"crash":true,"device_id":false,"stats":true},"public_key":"MIIBCgKCAQEAyoaWlKNT6W5+/cJXEpIfeGvogtJ1DghEUs2PmHkX3n4bByfmMRDYjuhcb97vd8N3HFe5sld6QSc+FJz7TSGp/700e6nrkbGj9abwvobey/IrLbHTPLtPy/ceUnwmAXczkhay32auKTaM5ZYjwcHZkaU9XuOQVIPpyLF1yQerFChugCpQ+bvIoJnTkoZAuV1A1Vp4qf3nn4Ll9Bi0R4HJrGNmOKUEjKP7H1aCLSqj13FgJ2s2g20CCD8307Otq8n5fR+9/c01dtKgQacupysA+4LVyk4npFn5cXlzkkNPadcKskARtb9COTP2jBWcowDwjKSBokAgi/es/5gDhZm4dwIDAQAB","release_track":"stable-channel","setup_state":11,"sign":{"certificate":"-----BEGIN CERTIFICATE-----\nMIIDqzCCApOgAwIBAgIEUf6McjANBgkqhkiG9w0BAQUFADB9MQswCQYDVQQGEwJV\nUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzET\nMBEGA1UECgwKR29vZ2xlIEluYzESMBAGA1UECwwJR29vZ2xlIFRWMRgwFgYDVQQD\nDA9FdXJla2EgR2VuMSBJQ0EwHhcNMTMwODA0MTcxNjM0WhcNMzMwNzMwMTcxNjM0\nWjCBgDETMBEGA1UEChMKR29vZ2xlIEluYzETMBEGA1UECBMKQ2FsaWZvcm5pYTEL\nMAkGA1UEBhMCVVMxFjAUBgNVBAcTDU1vdW50YWluIFZpZXcxEjAQBgNVBAsTCUdv\nb2dsZSBUVjEbMBkGA1UEAxMSWktCVjIgRkE4RkNBM0EwQ0QwMIIBIjANBgkqhkiG\n9w0BAQEFAAOCAQ8AMIIBCgKCAQEA+HGhzj+XEwhUT7W4FbaR8M2sNxCF0VrlWsw6\nSkFHOINt6t+4B11Q7TSfz1yzrMhUSQvaE2gP2F/h3LD03rCnnE4avonZYTBr/U/E\nJZYDjEtOClFmBmqNf6ZEE8bxF/nsit1e5XicO0OJHSmRlvibbrmC2rnFwj/cEDpm\na1hdqpRQkeG0ceb9qbvvpxBq4MBsomzzbSq2nl7dQFBpxDd2jm7g+4EC7KqWmkWt\n3XgX++0qk4qFlbc/+ySqheYYddU0eeExvg93WkTRr5m6ZuaTQn7LOO9IiR8PwSnz\nxQmuirtAc50089T1oyV7ANZlNtj2oW2XjKUvxA3n+x8jCqAwfwIDAQABoy8wLTAJ\nBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAjANBgkq\nhkiG9w0BAQUFAAOCAQEAXmXinb7zoutrwCw+3SQVGbQycnMpWz1hDRS+BZ04QCm0\naxneva74Snptjasnw3eEW9Yb1N8diLlrUWkT5Q9l8AA/W4R3B873lPTzWhobXFCq\nIhrkTDBSOtx/bQj7Sy/npmoj6glYlKKANqTCDhjHvykOLrUUeCjltYAy3i8km+4b\nTxjfB6D3IIGB3kvb1L4TmvgSuXDhkz0qx2qR/bM6vGShnNRCQo6oR4hAMFlvDlXR\nhRfuibIJwtbA2cLUyG/UjgQwJEPrlOT6ZyLRHWMjiROKcqv3kqatBfNyIjkVD4uH\nc+WK9DlJnI9bLy46qYRVbzhhDJUkfZVtDKiUbvz3bg==\n-----END CERTIFICATE-----\n","nonce":"Aw4o0/sbVr537Kdrw9YotiXxCLIaiRrDkHeHrOpih3U=","signed_data":"fcTwn3K4I/ccok1MeZ5/nkM0pI5v4SrTv3Q4ppOQtVL5ii3qitNo+NLhY+DM9zmnP6ndNMZbkyIEyMm7LjganoDoE+o0e0/r4TyGEGLxYlfWSzf+Z3cSdNe4+MyHx/7z02E0/3lLsOFuOEPSgR26JFtyhDLCJ9Y8Cpl3GZMUqm4toaTNaIbhNMR9Bwjkz4ozKXzFl9dF5FTU6N48KeUP/3CuYqgm04BVUGxg+DbBmTidRnZE4eGdt9ICJht9ArUNQDL2UdRYVY2sfgLmF29exTaSrVkBZb/MsbDxN5nYpF1uE7IhzJnT5yFM9pmUOIKKTfeVaLVLGgoWd+pjEbOv+Q=="},"ssdp_udn":"82c5cb87-27b4-2a9a-d4e1-5811f2b1992c","ssid":"","uma_client_id":"4DE23B6E-B2B0-7DBC-7BFB-F29D84AF87EF","uptime":101.98,"version":4,"wpa_configured":false,"wpa_state":3}

GET /setup/eureka_info HTTP/1.1
Host: 192.168.255.249:8008
After this the device knows you are ready to configure it and returns the next bit of data which represents the results of a successful wireless scan of potential SSIDs to connect to:
[{"bssid":"c8:xx:xx:xx:xx:xx","signal_level":-41,"ssid":"myssid","wpa_auth":7,"wpa_cipher":4},{"bssid":"5c:0a:xx:xx:xx:xx","signal_level":-42,"ssid":"myotherssid","wpa_auth":7,"wpa_cipher":4},{"bssid":"30:46:xx:xx:xx:xx","signal_level":-53,"ssid":"Hooters","wpa_auth":7,"wpa_cipher":4},{"bssid":"00:1d:xx:xx:xx:xx","signal_level":-61,"ssid":"neighborsssid","wpa_auth":7,"wpa_cipher":4},{"bssid":"b8:9b:xx:xx:xx:xx","signal_level":-64,"ssid":"anotherRetardedNeighborSSID","wpa_auth":7,"wpa_cipher":4},{"bssid":"06:27:xx:xx:xx:xx","signal_level":-42,"ssid":"free open wifi1","wpa_auth":1,"wpa_cipher":1},{"bssid":"06:27:xx:xx:xx:xx","signal_level":-44,"ssid":"more free open wifi","wpa_auth":1,"wpa_cipher":1}]
A fun thing to note is that I’ve opted for not sending any information but this is conveniently ignored and I am still opting in for submitting data when there is a crash and for stats. Anyway, you can see SSID signal levels and other information. At this point you configure the device to connect to a wifi network by telling it the SSID and password.
This looks like the following:
POST /setup/connect_wifi HTTP/1.1
Host: 192.168.255.249:8008
Connection: keep-alive
Content-Length: 450
Origin: https://cast.google.com
User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.57 Safari/537.36
Content-Type: application/json;charset=UTF-8
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8

{"bssid":"5c:0a:xx:xx:xx:xx","signal_level":-42,"ssid":"myotherssid","wpa_auth":7,"wpa_cipher":4,"enc_passwd":"AKWQ1K76dYzBzd5XLCkieFepJq+jvWcDMzTWGud7U66iWpfHS5LN4hhzEEcCdrWGyRC2pw0FRbx6dXUILPr40Os2ysp7AYqIloazqc6JsKAP+aLVv9OW8UpJJTEQVbkgcJiuh9+tPLZrmnHTURWHpXlBuYSJkwZDkW8ywnTcg8+wnrRho6BtMtKyXvNH3QIJhk+nXKHxLh154aMdA9+N3R4ZfH+4SNHrFiHhILXPiBgVmsMCM64kEgNQTRNu3Fzasyfea6XVVaQdWRB2DZC+euapWM1G/Pr9dXz1MraUc2tlEaO1LvDoDmy+08+k/ATwuOQO0DjIExsrEcHQIVXfPY="}

HTTP/1.1 200 OK
Access-Control-Allow-Headers: Content-Type
Cache-Control: no-cache
Access-Control-Allow-Origin: https://cast.google.com
Content-Length: 0
At this point you can see that the request to connect uses the URL /setup/connect_wifi and is encrypted with the public key of the router (thankfully). You can see the target SSID/BSSID cipher type and password in the request.
It is at this point that the on screen display says: Connecting to “myssid” and for me it sits there FOREVER and never connects. I even tried to connect to a router I set up 5 feet away and ended up with this being the furthest it would go.
Obviously once I get this connected I’ll continue my review of this cool little device and more importantly see what kind of fun things we can discover by analyzing its network traffic. For example I don’t even see the 4 digit code used in the communication between the client and the device but who knows? Maybe it is used in some obscure way that I haven’t seen. Another interesting thing is that although you can see that the http traffic is local between you and the device, it is facilitated over a connection to the public internet URL (https://cast.google.com/chromecast/setup?np=manualsetup) that uses local IP links/requests. I haven’t even looked at the website/js that performs these actions yet but I’m sure it would be interesting as well. Especially since I’m sure it takes note of the various responses returned from your GPS enabled device.
All in all, very impressive for a $35 device. It’s tiny and comes with a built in AP used for configuration. I look forward to checking out its actual functionality once successfully connected!
I’ve been trying to connect my Chromecastration (CC) device for 2 days and like you decided to dig in a bit. I’ve come to the conclusion that it’s strictly designed for DHCP. Google assumes we are all stupid and can’t manage a static IP based network.
I know very well I can get this working in a snap if I change my network over to DHCP but I refuse. Soooo I installed the CC into my TV, downloaded the CC app to my laptop. Got so far into it and couldn’t connect to the CC. I noticed my wifi indication kept going offline. Something was trying to change my wifi.
After a few minutes of staring like a zombie, I said hey this is trying to connect to the CC. Well my laptop has a static IP so if that’s what’s going on it will never happen. I got the bright idea to set my laptop to “DHCP” mode. Sure enough I was now connected to the CC’s little wifi network.
Like you I received an IP of 192.168.255.250 etc. I was able to configure up to the point that it wanted my SSID/password for my wifi network. That’s when everything failed epically. Not having my packet sniffer I’m not sure what’s going on that it failed to connect to my wifi network.
I suspect that it’s waiting for an IP address from my DHCP server that I don’t have and won’t have !!!. So I got real smart for a minute and said how can I assign the CC an IP on my network without a DHCP server. Well my wifi router didn’t have what I needed.
So I installed a DHCP server android app on my Samsung GS4. I verified that it does work with my IPAD – it received an IP address on my wifi network as a test.
So I have a mini DHCP server waiting for a request from the CC. I saw in the DHCP log a request from 0.0.0.0 but it never sends out an IP like it did to my IPAD. At this point I said screw this and threw it in the box and decided it was not worth the trouble.
I also had the same issue with a Google Chromebook – same deal wants a DHCP IP.
Sorry Google – I’m not stupid – I’m not a clueless noob that can’t configure a network.
I did a google search for 192.168.255.250 and found this blog – I’m surprised we are the only 2 that like to dig.
Later !
The device is not GPS enabled, and anyway most people use it indoors where there is no GPS reception. Probably you see your lat/long because the device is connected to the Internet and knows the wifi SSID around it, this is enough to guess an accurate location http://en.wikipedia.org/wiki/Wi-Fi_positioning_system
That is possible yes. Either way the fact that they’re interested in grabbing your location while you’re setting up or using your device is a bit unsettling though. Real time tracking of every smart phone user is of course commonplace these days.
I’d be more inclined to think it queried the gmaps API, they have location-by-MAC built in now 😉
https://developers.google.com/maps/documentation/business/geolocation/