For a long time now, apps can stream high-quality audio to an Airport Express or an Apple TV using the RAOP protocol. However, the reverse cannot be done due to the fact that the protocol uses asymmetric encryption, which means the private key is baked into the firmware of the Apple (or Apple-licensed) device.
Finally, someone has done something about it. James Laird dumped the ROM of his Airport Express and extracted the private key. He posted the private key to the vlc-devel mailing list.
And now, the site on which he hosts his implementation called shairport is returning HTTP 500.
Update 13-Apr-2011: The link to shairport and his site is back up.
A few semesters back, our school started trial runs to use these “clickers” as well. At that time I was thinking of cracking it open to see what makes it tick, as well as evil plans like trying to impersonate other clickers or sniffing what other people’s responses were.
I only managed to peel back a bit of the plastic in front, but since the clicker was brand-new and I had to return it in a good condition, I didn’t dare to proceed any further than that.
[Photo stolen from Travis Goodspeed]
Last night I came across this blog entry to reverse-engineer it. Since all the hard work has been done, it looks quite feasible to just buy one of these Nordic RF chips and attempt to listen in on the responses.
At our institution, each of the venues have been allocated a particular channel and the signage is displayed prominently at the front or side of the lecture theatre or classroom. It’s not hard to find a session to sit in and start sniffing.