Another day, another cipher change

New hack: youtubefeed.

I subscribe to a lot of music video blogs, and I used to do so through Miro, but they have been so slow to track the latest Youtube and Vimeo download-countermeasure escalations in their nightlies that I've given up on it. I uninstalled Miro and wrote my own script that polls those feeds using my youtubedown.

Sorry, guys. Miro's UI isn't bad, but you're too slow and/or don't care enough about this problem. My mixtapes are suffering as a result. I'll just browse the new videos using a Finder window instead, if that means that I don't miss fully 90% of them.

(When I say "I only hack in self-defense", this is the kind of crap I mean.)

Youtube has been rolling out new ciphers almost daily of late, but my code in youtubedown that falls back on actually parsing the minimized and obfuscated Javascript to determine the new cipher seems to be fairly robust, in its own Rube Goldbergian way, so you don't actually need to download a new youtubedown every time the cipher changes now.


Vimeo's pulled some new shit I haven't quite figured out yet. I can't download this video with youtubedown.

They seem to be doing User-Agent sniffing, but in a weird way. When I play that video in the HTML5 player in either Safari or Firefox, and note the underlying "play_redirect" URL that the browser loads, I can get video from that URL with wget if I send the same User-Agent that the browser sent. However, swap in the other User-Agent, it doesn't work! URLs A and B only work with Agents A and B, not vice versa. So they must be hashing the agent into the sig? But, if I sent the same (Firefox) UA for each URL I load, including the HTML page that delivered the sig to me, it still fails. I am imperfectly imitating whatever the browser is sending, but I'm not seeing what the difference is.

The challenge here is: use wget load this HTML; pull out the signature and timestamp from the embedded JSON; and construct from that a play_redirect URL that wget can load that gives you video instead of an HTML error message.

I have not yet succeeded in this. How about you?

Previously, previously, previously.

Tags: , , , , , ,

3 Responses:

  1. James says:

    Maybe I misunderstand your requirements, but this works:

    # /bin/bash
    signature=$(cat $clip | tr "," "\n" | grep \"signature | cut -d\" -f4)
    timestamp=$(cat $clip | tr "," "\n" | grep \"timestamp | cut -d: -f2)

    wget -O video "$signature&time=$timestamp&quality=hd&codecs=H264,VP8,VP6&type=moogaloop_local&embed_location=&seek=0"

    • James says:

      Replace the value of clip_id in the last wget with $clip. Oops.

      • jwz says:

        Ok, I figured it out. Wow, was that confusing!

        1) Turns out that while "$id/" contains a signature, it is one that doesn't work! You need the sig from "$id/" instead.

        2) It doesn't seem to actually matter what User-Agent you send, but you have to send the same one for both the "$id/" and for the "" URL. Apparently the UA is part of what is signed by the signature!

        Thanks for your help!

  • Previously