Question

I'm working on analyzing the live TV streaming from TVB (HK).

The well-known URLs to watch them are:

http://token.tvb.com/stream/live/hls/mobilehd_hdj.smil
http://token.tvb.com/stream/live/hls/mobilehd_j2.smil
http://token.tvb.com/stream/live/hls/mobilehd_inews.smil

We can watch directly via the URLs above in any Apple native software (such as QuickTime or Safari), whether on Mac or iOS. It is also known that they use the AppleCoreMedia framework. But it won't work on other platforms: you will get HTTP 200 but "access denied" in the content. I analyzed all the traffic for it. I found that the HTTP request (by CoreMedia) to the endpoint (the server that really provides the video) contains a header:

x-playback-session-id: xxxxx

The video arrived instead of the "access denied" message after I added the header manually (I tried in Chrome or Firefox), no matter what the user-agent is. But the problem is that I can't find any other place containing this header in the earlier requests (since it redirected a few times) in the traffic I dumped. So I'm curious what AppleCoreMedia does when it plays an HTTP stream. Does it calculate a session ID (or hash), or does it get the ID from somewhere I missed?

P.S. I'm not sure whether TVB does an IP check or not. Since they have copyright or legal concerns, access may be blocked from some places. You may need a VPN.


Solution

Finally I found the answer. The x-playback-session-id is a UUID that comes from the AVPlayer framework. But in fact it doesn't affect whether I get the token or not. The real token is an HTTP cookie.

Authorization process I found:

  1. token.tvb.com redirects to the VOD server with a couple of GET values.
  2. The VOD server checks the GET values and sets a cookie if they are valid. It also responds with an m3u8 file (containing several stream URLs of different quality).
  3. The player requests one or more URLs in the m3u8 to retrieve streams. The VOD server then checks the cookie and user-agent as the token.
  4. From then on, the player keeps using the cookie and user-agent as the token to request ts files.

P.S. HLS from TVB for Android has a different process that I haven't figured out. But I found that if the user-agent contains "Android", authorization will fail.
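
The four steps above, seen from the server side, as an added example that is not part of the original answer and is not TVB's code. It assumes one possible design: an HMAC-signed cookie that carries an expiry and is bound to the User-Agent; the key, lifetime, cookie format and function names are all hypothetical.

```python
import hashlib
import hmac
from typing import Optional

SECRET = b"constructed-demo-key"  # constructed; a real key lives in a secret store
TTL = 300                         # assumed cookie lifetime in seconds


def _sign(expiry: int, user_agent: str) -> str:
    # Binding the MAC to the User-Agent means a cookie replayed with a
    # different User-Agent no longer verifies.
    msg = f"{expiry}|{user_agent}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_cookie(query_ok: bool, user_agent: str, now: int) -> Optional[str]:
    """Step 2: set a cookie only when the redirect's GET values validated."""
    # The answer observed that a User-Agent containing "Android" is refused.
    if not query_ok or "Android" in user_agent:
        return None
    expiry = now + TTL
    return f"{expiry}.{_sign(expiry, user_agent)}"


def authorize(headers: dict, now: int) -> bool:
    """Steps 3-4: each playlist or .ts request is checked on cookie + User-Agent."""
    cookie = headers.get("cookie", "")
    user_agent = headers.get("user-agent", "")
    expiry_s, _, mac = cookie.partition(".")
    if not (expiry_s.isascii() and expiry_s.isdigit()) or int(expiry_s) < now:
        return False
    # x-playback-session-id is never read: it is a client-generated UUID,
    # so it identifies a playback session but proves nothing.
    expected = _sign(int(expiry_s), user_agent)
    return hmac.compare_digest(mac.encode(), expected.encode())


if __name__ == "__main__":
    ua = "AppleCoreMedia/1.0 (constructed)"  # constructed sample value
    cookie = issue_cookie(True, ua, now=1000)
    print(authorize({"cookie": cookie, "user-agent": ua}, now=1001))
    print(authorize({"x-playback-session-id": "uuid", "user-agent": ua}, now=1001))
```
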

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow