Emby Theater premiere bypass

Emby-theater-premiere-bypass.md

/!\ Anyone interested in this Gist should look at the work of @danielchc ;)
-> https://gist.github.com/danielchc/c159626485a08c76856b2d30ae457e04

DNS

/!\ I used bind9 on my local server to add mb3admin.com entry for all devices ( like android app ) Otherwise in hosts fie :

<your_server> mb3admin.com

Optionnal (electron app - Emby Theater) main.js update

C:\Users\<YOUR_USER>\AppData\Roaming\Emby-Theater\system\electronapp
Add after app.on('window-all-closed', function () { block L:18
To accept self certificate

app.on('certificate-error', (event, webContents, url, error, certificate, callback) => {
        event.preventDefault()
        callback(true)
})

On your web server

• Create /var/www/mb3admin.com folder
• In /var/www/mb3admin.com/ create file index.php with

<?php
if (false){
	$file = 'data.log';
	$content = file_get_contents($file);
	$content .= date('Y-m-d H:i:s').' : '.$_SERVER['REMOTE_ADDR'].' URL : '.$_SERVER['REDIRECT_URL'].' Query : '.json_encode($_REQUEST)."\r\n";
	file_put_contents($file, $content);
}

if ($_SERVER['REDIRECT_URL'] == '/admin/service/registration/validate'){
	header('content-type:application/json');
	$date = new DateTime();
	$date->add(new DateInterval('P14D'));
	echo '{"featId":"'.$_POST['feature'].'","registered":true,"expDate":"'.$date->format('Y-m-d').'","key":"'.$_POST['key'].'"}';
	
}elseif ($_SERVER['REDIRECT_URL'] == '/admin/service/registration/validateDevice'){
	header('content-type:application/json');
	echo '{"cacheExpirationDays":21,"resultCode":"GOOD","message":"Device Valid"}';
}

• Create file .htaccess

Allow from all Options -Indexes <IfModule mod_rewrite.c>
<IfModule mod_negotiation.c>
    Options -MultiViews
</IfModule>
<IfModule mod_headers.c>
    Header set Access-Control-Allow-Origin "*"
</IfModule>
RewriteEngine On
# Redirect Trailing Slashes If Not A Folder...
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)/$ /$1 [L,R=301]
# Handle Front Controller...
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^ index.php [L] </IfModule>

Apache site conf

# /etc/apache2/sites-enabled/mb3admin.conf
<VirtualHost *:80>
        DocumentRoot "/var/www/mb3admin.com"
        ServerName mb3admin.com

        <Directory "/var/www/mb3admin.com/">
                Options MultiViews FollowSymlinks

                AllowOverride All
                Order allow,deny
                Allow from all
        </Directory>
        TransferLog /var/log/apache2/mb3admin_access.log
        ErrorLog /var/log/apache2/mb3admin_error.log
</VirtualHost>

<VirtualHost *:443>
        DocumentRoot "/var/www/mb3admin.com"
        ServerName mb3admin.com

        SSLEngine on
        SSLCertificateFile      /etc/apache2/mb3admin.crt # Self signed certificate
        SSLCertificateKeyFile /etc/apache2/mb3admin.key


        <Directory "/var/www/mb3admin.com/">
                Options MultiViews FollowSymlinks

                AllowOverride All
                Order allow,deny
                Allow from all
        </Directory>
        TransferLog /var/log/apache2/mb3admin_access.log
        ErrorLog /var/log/apache2/mb3admin_error.log
</VirtualHost>

@qwedass i have patched the Emby.Web.dll to point to another FQDN owned by me, and it works from browsers (PC, phone, TV), however it is hardcoded in every standalone app meaning:

• Samsung TV emby app, have it's own variant of Emby.Web.dll
• Android & iOS apps have https://mb3admin.com hardcoded too.

At least, i got new domain name for premier verification and don't have to change hosts file or accept self signed certs (from web client/browser).

To make this work we would have to patch all standalone apps to point to another domain since we can't issue valid cert for mb3admin.com

@demogorgonz
If I understood correctly, you have:
Patched the server Emby.Web.dll to force the server to authenticate against a different FQDN, to avoid having to set up a redirect within /etc/hosts (which is what I effectively do within my docker compose network).

I did not get how you managed to make the server return the patched connectionmanager.js? In my testing just patching the server was not enough, as the web client also tries to authenticate against mb3admin.com (which is why I patched the connectionmanager.js with a hard-coded valid authentication response).

Regarding the standalone clients, at first I assumed as well that they will have their own authentication logic (instead of having to pull js files off of the server). But then I saw one of the server js files referring to "native" versions of the js files for iOS and Android clients. This made me believe that the "native" clients are nothing more than a browser without an address bar, but I did not investigate much further.

How do you know that the standalone apps do not download the authentication logic from the server? Did you try to MITM the connection between them to see what is being exchanged?

@qwedass You understood correctly, Emby.Web.dll provide web client with auth URL https://mb3admin.com, replacing that url in the dll file provide client with another URL for which i can generate valid SSL to avoid importing cert to all clients to be able to stream TV channels. On first look, server seemed like control point to provide clients with auth URL.

I will have to look further into this, will checkout android app since it can be easily decompiled to be sure what logic standalone clients use to obtain mb3admin.com url. Hopefully it is all server side logic so that we can provide patch set of files to unlock all features.

Will post if i find anything useful :).

@qwedass just to confirm, tried iOS and Samsung TV, both clients have hardcoded https://mb3admin.com, if you are using local dns with the record as per @all3kcis instructions, you might be able to access premier features only if the client can handle(trust) self signed cert. Since that is not case for my TV i am locked on features 😞 . Unfortunately the URL is not provided from server side.

@qwedass just to confirm, tried iOS and Samsung TV, both clients have hardcoded https://mb3admin.com, if you are using local dns with the record as per @all3kcis instructions, you might be able to access premier features only if the client can handle(trust) self signed cert. Since that is not case for my TV i am locked on features 😞 . Unfortunately the URL is not provided from server side.

Same thing on my 2 LG TVs (webos). As posted a few months back, i managed (after too many failed attempts!) to redirect both TVs to my fake local https://mb3admin.com, only to learn that this wasn't enough... Unfortunately webos TVs do not allow self signed certs (trust me i've searched it), which is absolutely critical for emby app to succesfully contact the local fake https://mb3admin.com and unlock premier features on TV side! So, since this is not possible, the emby app on my TVs remain forever premierless..

Have anyone tried sslstrip with arpspoof to strip ssl from mb3admin.com ?

managed to get premiere on the raspberry pi where my emby server run, using the docker but on window 10 when I go to emby.media or 192.168.x.xxx:8096... I dont get the premiere. I edited the host file in windows to have the mb3admin.com but it seems not to be enough. Any idea what to do?

The way to progress further is to decompile the /system/Emby.Web.dll DLL and see what can be done for the cache reloading.

You can disassemble this file with ildasm and then reassemble it with ilasm after making the necessary changes.

E.g. if you have Emby server installed in /system on a Linux install.

mkdir -p /tmp/patches
cd /tmp/patches
ildasm /system/Emby.Web.dll -out=Emby.Web.il

Now all the JS files are in the current directory (/tmp/patches) and you can apply the registration patches with a regular text editor.

vim /tmp/patches/Emby.Web.dashboard_ui.bower_components.emby_apiclient.connectionmanager.js

I personally like to replace the getRegPromise with a fully mocked server response.

-getRegPromise=ajax({url:"https://mb3admin.com/admin/service/registration/validateDevice?"+paramsToString(params),type:"POST",dataType:"json"})
+getRegPromise=Promise.resolve(new Response('{"cacheExpirationDays":365,"message":"Device Valid","resultCode":"GOOD"}').json())

Reassemble the DLL and overwrite the original assembly.

ilasm -dll /tmp/patches/Emby.Web.il -out=/system/Emby.Web.dll

On Windows you need to replace -out= with /out=.

The binaries for a typical 64-bit Linux install can be downloaded here.

• https://nuget.info/packages/runtime.linux-x64.Microsoft.NETCore.ILDAsm/5.0.0
• https://nuget.info/packages/runtime.linux-x64.Microsoft.NETCore.ILAsm/5.0.0

Or use the native nuget client if you are on Windows.

nuget install Microsoft.NETCore.ILDAsm
nuget install Microsoft.NETCore.ILAsm

For good measure, also patch the duplicate code in /system/dashboard-ui/bower_components/emby-apiclient/connectionmanager.js because I'm unsure when this file is served instead of the file embedded in Emby.Web.dll.

---

After all this is said and done, some clients are unlocked while other still require client-side patching. There is a discrepancy between platforms where some platforms load the connection manager from the server while other apps are self-contained (e.g. the Electron edition of Emby Theater).

So far, Emby for Android seems to be fully unlocked after patching the connection manager in both locations. Emby Theater for Smart TV still shows the Premiere nagging popup so I suspect it contains its own connection manager. I don't know where to go from here without rooting my TV / other devices with self-contained Emby Theaters.

I tried replace mb3admin.com with dnSpy in dll files, but it wasnt perfect. Too much work. Some plugins in repositary have hardcoded mb3admin.com in licence class. So on my vps I configure apache with alias mb3admin.com. In Windows I add line in C:/windows/system32/driver/etc
myiptovps mb3admin.com

I generated certificate for domains (Im using Virtualmin on vps) and set in conf of apache webserver.
mb3admin.com
www.mb3admin.com

Then I installed this cert.cer on Windows.

index.php

<?php
if ( true ){
	$file = 'data.log';
	$content = file_get_contents($file);
	$content .= date('Y-m-d H:i:s').' : '.$_SERVER['REMOTE_ADDR'].' URL : '.$_SERVER['REDIRECT_URL'].' Query : '.json_encode($_REQUEST)."\r\n";
	file_put_contents($file, $content);
}

if ( $_SERVER['REDIRECT_URL'] == '/admin/service/registration/validate' ){

	header('content-type:application/json');
	$date = new DateTime();
	$date->add(new DateInterval('P14D'));
	echo '{"featId":"'.$_POST['feature'].'","registered":true,"expDate":"'.$date->format('Y-m-d').'","key":"'.$_POST['key'].'"}';

} elseif ($_SERVER['REDIRECT_URL'] == '/admin/service/services/ppipn.php' ){

	header('content-type:application/json');
	echo '{}';	

} elseif ($_SERVER['REDIRECT_URL'] == '/admin/service/appstore/register' ){

	header('content-type:application/json');
	echo '{"featId": "","registered": true,"expDate": "2099-01-01","key": ""}';

} elseif ($_SERVER['REDIRECT_URL'] == '/admin/service/registration/getStatus' ){

	header('content-type:application/json');
	echo '{"deviceStatus": "0", "planType": "Lifetime", "subscriptions": {}}';

} elseif ($_SERVER['REDIRECT_URL'] == '/emby/Plugins/SecurityInfo' ){

	header('content-type:application/json');
	echo '{SupporterKey: "", IsMBSupporter: true}';

} elseif ($_SERVER['REDIRECT_URL'] == '/admin/service/registration/validateDevice' ){

	header('content-type:application/json');
	echo '{"cacheExpirationDays":365,"resultCode":"GOOD","message":"Device Valid"}';

}

?>

Hi, when restart apache show error,
SSLCertificateFile takes one argument, SSL Server Certificate file ('/path/to/file' - PEM or DER encoded)

cert create con /etc/apache2

on mb3admin.conf
SSLEngine on
SSLCertificateFile "/etc/apache2/mb3admin.crt" # Self signed certificate
SSLCertificateKeyFile "/etc/apache2/mb3admin.key"

with "" or without "" same error

Any idea how to resolve? Thanks

To be honest, there is no easy way to make Premiere work everywhere. It works for me, but my way may not suit everyone.

Emby server

I use the method described above (webserver with PHP script). I also have a DNS server running on my homelab (Adguard Home) so I pointed mb3admin.com to my local webserver. Nothing more to add to the instructions above.
Don't forget to edit /opt/emby-server/etc/ssl/certs/ca-certificates.crt and add your self-signed certificate at the end.

Web client

I often use the web client outside my home, so more practical way is to patch the web UI (as described above) and replace mb3admin.com with your public domain pointing to the same web server (mb3.example.com for me) so it will work everywhere. You also need a valid SSL certificate for your custom domain (let's encrypt or just cloudflare will work).

For example (Debian 11 server):

ildasm /opt/emby-server/system/Emby.Web.dll -out=Emby.Web.dll
sed -i 's/mb3admin.com/mb3.example.com/g' Emby.Web.dashboard_ui.modules.emby_apiclient.connectionmanager.js
ilasm -dll Emby.Web.dll -out=/opt/emby-server/system/Emby.Web.dll

iOS app / Android app

Inside my home network it works with the fake web server and DNS. Outside my home I usually connected to my home network using WireGuard so my DNS and web server are always accessible.

Android TV

As ATV app doesn't accept self-signed certificates and there is no way to install certs to the device (correct me?) I patched the emby app.
You need Android SDK and apktool installed on your computer. Next you disassemble, patch, build and sign the app.

For example (now I use my Windows PC):

1. Decompile the app:
   .\apktool.bat d .\app-google-release.apk

2. Replace all mb3admin.com entries with your mb3.example.com domain in files:

smali_classes2\mediabrowser\apiinteraction\connect\ConnectService.smali
smali_classes2\tv\emby\embyatv\util\LogReporter.smali
smali_classes2\tv\emby\embyatv\validation\AppValidator.smali

3. Build the app:
   .\apktool.bat build --output patched.apk .\app-google-release\

4. Create an aligned APK file:
   zipalign 4 .\patched.apk .\patched-sign.apk

5. Create a sign key:
   keytool -genkey -v -keystore my-release-key.keystore -alias alias_name -keyalg RSA -keysize 2048 -validity 10000

6. Sign the APK:
   apksigner.bat sign --ks .\my-keystore.keystore .\patched-sign.apk

7. Install signed APK to your device.

I'm not sure if you can patch an Apple TV or WebOS app. You also need to patch apps after every update and maintain PHP script with the API changes. IMO, it's not worth to waste time setting up and maintaining a web server, decompiling apps, etc. It was really fun to play with tools and things, but I got the Premiere. It really worth it.

mkdir -p /tmp/patches
cd /tmp/patches
ildasm /system/Emby.Web.dll -out=Emby.Web.il

Now all the JS files are in the current directory (/tmp/patches) and you can apply the registration patches with a regular text editor.

vim /tmp/patches/Emby.Web.dashboard_ui.bower_components.emby_apiclient.connectionmanager.js

I personally like to replace the getRegPromise with a fully mocked server response.

-getRegPromise=ajax({url:"https://mb3admin.com/admin/service/registration/validateDevice?"+paramsToString(params),type:"POST",dataType:"json"})
+getRegPromise=Promise.resolve(new Response('{"cacheExpirationDays":365,"message":"Device Valid","resultCode":"GOOD"}').json())

Reassemble the DLL and overwrite the original assembly.

ilasm -dll /tmp/patches/Emby.Web.il -out=/system/Emby.Web.dll

@adequate-coder

I got this error after trying the ilasm options:

	*** Error Report ***
	Version: 4.6.4.0
	Command line: C:\EmbyServer\system\EmbyServer.dll
	Operating system: Microsoft Windows 10.0.19044
	Framework: .NET Core 3.1.13
	OS/Process: x64/x64
	Runtime: C:/EmbyServer/system/System.Private.CoreLib.dll
	Processor count: 8
	Data path: C:\EmbyServer\programdata
	Application path: C:\EmbyServer\system
	System.BadImageFormatException: System.BadImageFormatException: Could not load file or assembly 'Emby.Web, Version=4.6.4.0, Culture=neutral, PublicKeyToken=null'. An attempt was made to load a program with an incorrect format.
	File name: 'Emby.Web, Version=4.6.4.0, Culture=neutral, PublicKeyToken=null'
	   at Emby.Server.Implementations.ApplicationHost.GetComposablePartAssemblies()
	   at Emby.Server.Implementations.ApplicationHost.DiscoverTypes()
	   at Emby.Server.Implementations.ApplicationHost.Init()
	   at EmbyServer.HostedService.StartAsync(CancellationToken cancellationToken)
	
	
	Source: Emby.Server.Implementations
	TargetSite: System.Collections.Generic.List`1[System.Tuple`2[System.Reflection.Assembly,System.String]] GetComposablePartAssemblies()```

I have tried everything here and nothing works.

I am using version 4.7.0.32

I can no longer find the file /system/dashboard-ui/bower_components/emby-apiclient/connectionmanager.js.

But I can still find the file /system/Emby.Web.dll .

The variable getRegPromise changed, it is now feature=ajax({...

Still, nothing worked it thanks me for validating the key, but no features work.

@DrissiReda "unpack" Emby.Web.dll with ildasm and you will find the connectionmanager.js

See examples above.

@DrissiReda "unpack" Emby.Web.dll with ildasm and you will find the connectionmanager.js

See examples above.

Like I said, I have found it, after unpacking that dll, and I modified it, the UI shows I have emby premiere but I have no features. And Emby Theather doesn't work.

Good morning all,
can a charitable person explain to me how to do it
thank you

Good morning all, can a charitable person explain to me how to do it thank you

Don't bother, it does not work anymore.

ok thank you for your answer

Only five words: FOLLOW CAREFULLY ALL THE INSTRUCTIONS En miércoles, 1 de junio de 2022, 18:57:46 CEST, rossi29 ***@***.***> escribió: @rossi29 commented on this gist. ok thank you for your answer — Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you commented.Message ID: ***@***.***>

Seulement cinq mots : SUIVEZ ATTENTIVEMENT TOUTES LES INSTRUCTIONS En miércoles, 1 de junio de 2022, 18:57:46 CEST, rossi29 @.> escribió : @rossi29 a commenté cet essentiel. ok merci pour votre réponse — Répondez directement à cet e-mail, consultez-le sur GitHub ou désabonnez-vous. Vous recevez ceci parce que vous avez commenté. ID du message : @.>

Sorry, I don't understand your message.

Only five words: FOLLOW CAREFULLY ALL THE INSTRUCTIONS

This. I still use it and it works.

OK
I don't know where to install the file "Create /var/www/mb3admin.com folder
In /var/www/mb3admin.com/create file index.php with"
thanks to you potatoru

possibility of a tutorial

anyone for a step by step explanation

Only five words: FOLLOW CAREFULLY ALL THE INSTRUCTIONS

This. I still use it and it works.

What version of Emby are you using? And are you hosting it through Docker?

What version of Emby are you using? And are you hosting it through Docker?

I use the latest 4.8.0.0 beta. Yes I use custom docker image based on linuxserver, but with the addition of very small patch. It works fine for web client and hw transcode, but you still need a DNS and a web server for your mobile clients.

What version of Emby are you using? And are you hosting it through Docker?

I use the latest 4.8.0.0 beta. Yes I use custom docker image based on linuxserver, but with the addition of very small patch. It works fine for web client and hw transcode, but you still need a DNS and a web server for your mobile clients.

can you give me guide ? i have iis with ssl, please, thanks you.

My solution with a Docker container https://gist.github.com/danielchc/c159626485a08c76856b2d30ae457e04

My solution with a Docker container https://gist.github.com/danielchc/c159626485a08c76856b2d30ae457e04

Great job!

My solution with a Docker container https://gist.github.com/danielchc/c159626485a08c76856b2d30ae457e04

Nice job ;)

Best method is replacing mb3admin.com in DLL.
Download https://www.softtreetech.com/24x7/archive/50.htm
FileBinReplace.exe Emby.Web.dll mb3admin.com mydomain.com
Domains has to be 12 characters. On domain there is index.php in this gists.