Jay Taylor's notes

Reverse Engineering A Mysterious UDP Stream in My Hotel - Gokberk Yaltirakli

Original source (www.gkbrk.com)
Tags: udp networking reverse-engineering 2016 www.gkbrk.com
Clipped on: 2023-02-23

Reverse Engineering A Mysterious UDP Stream in My Hotel


Hey everyone, I have been staying at a hotel for a while. It’s one of those modern ones with smart TVs and other connected goodies. I got curious and opened Wireshark, as any tinkerer would do.

I was very surprised to see a huge amount of UDP traffic on port 2046. I looked it up but the results were far from useful. This wasn’t a standard port, so I would have to figure it out manually.

At first, I suspected that the data might be a television stream for the TVs, but the packet length seemed too small, even for a single video frame.

This article is also available in French.

Grabbing the data

The UDP packets weren’t sent to my IP and I wasn’t doing ARP spoofing, so these packets were sent to everyone. Upon closer inspection, I found out that these were Multicast packets. This basically means that the packets are sent once and received by multiple devices simultaneously. Another thing I noticed was the fact that all of those packets were the same length (634 bytes).

I decided to write a Python script to save and analyze this data. First of all, here’s the code I used to receive Multicast packets. In the following code, 234.0.0.2 is the IP I got from Wireshark.

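import socket
import struct

# UDP socket bound to the port seen in Wireshark
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
s.bind(('', 2046))

# Join the multicast group on the default interface.
# "=4sl" packs an 8-byte struct ip_mreq regardless of platform word size.
mreq = struct.pack("=4sl", socket.inet_aton("234.0.0.2"), socket.INADDR_ANY)
s.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP, mreq)

# Print every datagram received from the group
while True:
    data = s.recv(2048)
    print(data)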

On top of this, I also used binascii to convert this to hex in order to make reading the bytes easier. After watching thousands of these packets scroll through the console, I noticed that the first ~15 bytes were the same. These bytes probably indicate the protocol and the packet/command ID but I only received the same one so I couldn’t investigate those.

Audio is so LAME

It also took me an embarrassingly long time to see the string LAME3.91UUUUUUU at the end of the packets. I suspected this was MPEG compressed audio data, but saving one packet as test.mp3 failed to play with mplayer and the file utility only identified this as test.mp3: data. There was obviously data in this packet and file should know when it sees MPEG Audio data, so I decided to write another Python script to save the packet data with offsets. This way it would save the file test1 skipping 1 byte from the packet, test2 skipping 2 bytes and so on. Here’s the code I used and the result.

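# s is the multicast socket opened above
data = s.recv(2048)
for i in range(25):
    # test<i> holds the packet with its first i bytes skipped
    with open("test{}".format(i), "wb") as f:
        f.write(data[i:])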

After this, I ran file test* and voilà! Now we know we have to skip 8 bytes to get to the MPEG Audio data.

$ file test*
test0:    data
test1:    UNIF v-16624417 format NES ROM image
test10:   UNIF v-763093498 format NES ROM image
test11:   UNIF v-1093499874 format NES ROM image
test12:   data
test13:   TTComp archive, binary, 4K dictionary
test14:   data
test15:   data
test16:   UNIF v-1939734368 format NES ROM image
test17:   UNIF v-1198759424 format NES ROM image
test18:   UNIF v-256340894 format NES ROM image
test19:   UNIF v-839862132 format NES ROM image
test2:    UNIF v-67173804 format NES ROM image
test20:   data
test21:   data
test22:   data
test23:   DOS executable (COM, 0x8C-variant)
test24:   COM executable for DOS
test3:    UNIF v-1325662462 format NES ROM image
test4:    data
test5:    data
test6:    data
test7:    data
test8:    MPEG ADTS, layer III, v1, 192 kbps, 44.1 kHz, JntStereo
test9:    UNIF v-2078407168 format NES ROM image

Now all we need to do is continuously read packets, skip the first 8 bytes, write them to a file and it should play perfectly.

import sys

# s is the multicast socket opened above
while True:
    data = s.recv(2048)
    sys.stdout.buffer.write(data[8:])  # drop the first 8 bytes, emit the MPEG audio
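
As an added example (not code from the original article): instead of writing 25 files and running file on each, a script can decode the MPEG-1 Layer III frame header itself and require the same stream parameters at the same offset in several packets, which filters out chance matches like the NES ROM hits. The sample packets and their 8-byte prefix are constructed; only the 634-byte length, the 8-byte offset and the 192 kbps / 44.1 kHz / joint-stereo parameters come from the article.

```python
# Added example: find the MPEG audio header offset inside captured datagrams.
BITRATES_KBPS = [None, 32, 40, 48, 56, 64, 80, 96, 112, 128, 160, 192, 224, 256, 320, None]
SAMPLE_RATES = [44100, 48000, 32000, None]
MODES = ["Stereo", "JntStereo", "DualChannel", "Mono"]

def parse_header(buf):
    """Decode a 4-byte MPEG-1 Layer III frame header; None if it is not one."""
    if len(buf) < 4 or buf[0] != 0xFF or (buf[1] & 0xFE) != 0xFA:
        return None  # needs sync bits, version = MPEG-1, layer = III
    kbps = BITRATES_KBPS[buf[2] >> 4]
    rate = SAMPLE_RATES[(buf[2] >> 2) & 0x3]
    if kbps is None or rate is None:
        return None  # free-format/invalid bitrate or reserved sample rate
    padding = (buf[2] >> 1) & 0x1
    return {"kbps": kbps, "rate": rate, "mode": MODES[buf[3] >> 6],
            "frame_len": 144 * kbps * 1000 // rate + padding}

def find_audio_offset(packets, max_skip=25):
    """Return (offset, header) where every packet has the same stream parameters."""
    for skip in range(max_skip):
        headers = [parse_header(p[skip:skip + 4]) for p in packets]
        if all(headers) and len({(h["kbps"], h["rate"], h["mode"]) for h in headers}) == 1:
            return skip, headers[0]
    return None

def make_packet(seq):
    """Constructed stand-in for one 634-byte datagram (not captured data)."""
    prefix = bytes([0x00, 0x01, 0x02, 0x03, 0x00, 0x00, 0x00, seq])  # hypothetical 8-byte header
    frame = bytes([0xFF, 0xFB, 0xB0, 0x64]) + bytes(607) + b"LAME3.91" + b"U" * 7
    return prefix + frame

PACKETS = [make_packet(seq) for seq in range(3)]

if __name__ == "__main__":
    offset, header = find_audio_offset(PACKETS)
    print("audio starts at byte", offset, header)
    print("packet length minus offset:", len(PACKETS[0]) - offset)
```

With these parameters an unpadded frame is 626 bytes, which equals 634 minus the 8 skipped bytes, consistent with each datagram carrying a single MP3 frame.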

But what was this audio? Was this a sneakily placed bug that listened to me? Was it something related to the smart TVs in my room? Something related to the hotel systems? Only one way to find out.

$ python3 listen_2046.py > test.mp3
* wait a little to get a recording *
^C

$ mplayer test.mp3
MPlayer (C) 2000-2016 MPlayer Team
224 audio & 451 video codecs

Playing test.mp3.
libavformat version 57.25.100 (external)
Audio only file format detected.
=====
Starting playback...
A:   3.9 (03.8) of 13.0 (13.0)  0.7%

The Revelation/Disappointment

What the hell? I can’t believe I spent time for this. It’s just elevator music. It is played in the hotel corridors around the elevators. Oh well, at least I can listen to it from my room now.

Citation

If you find this work useful, please cite it as:
@article{yaltirakli201605hotelmusic,
  title   = "Reverse Engineering A Mysterious UDP Stream in My Hotel",
  author  = "Yaltirakli, Gokberk",
  journal = "gkbrk.com",
  year    = "2016",
  url     = "https://www.gkbrk.com/2016/05/hotel-music/"
}
IEEE Citation
Gokberk Yaltirakli, "Reverse Engineering A Mysterious UDP Stream in My Hotel", May, 2016. [Online]. Available: https://www.gkbrk.com/2016/05/hotel-music/. [Accessed Feb. 15, 2023].
APA Style
Yaltirakli, G. (2016, May 21). Reverse Engineering A Mysterious UDP Stream in My Hotel. https://www.gkbrk.com/2016/05/hotel-music/
Bluebook Style
Gokberk Yaltirakli, Reverse Engineering A Mysterious UDP Stream in My Hotel, GKBRK.COM (May. 21, 2016), https://www.gkbrk.com/2016/05/hotel-music/

Comments

Comment by I am interested in the spam detector
2021-07-25 at 09:29
Spam probability: 28.007%

Hi, Fantastic Blog Post! Thanks For Your Blog. Buy Burberry Here. Burberry Handbags.

Comment by Jan
2021-05-30 at 12:30
Spam probability: 0.0%

Interesting read, do you happen to have a capture (PCAP, plain blob etc) of the stream?

Comment by
2021-04-02 at 09:09
Spam probability: 0.0%

The suspense was killing me throughout. Funny ending, nice writeup.

Comment by Anonymous Coward
2021-04-01 at 23:45
Spam probability: 0.0%

So..... what would happen if you did ARP spoofing to silence the actual source, and multicasted something else? I'm not going to suggest you multicast audio from an adult movie, but it is the 1st of April after all.......

Comment by b1tninja
2021-04-01 at 21:09
Spam probability: 0.0%

What you should have thought next was, hey holy shit, the elevator listens to udp rtsp stream? And I have the multicast group

Comment by
2021-04-01 at 19:51
Spam probability: 0.0%

Oh man, all that effort for elevator music. Beautiful. <3 Thanks for the chuckle.

Comment by admin
2021-04-01 at 17:30
Spam probability: 0.0%

Thanks for the report @Guest, I fixed the errors that were reported on this page. It should validate cleanly now, unless anything got cached along the way.

Comment by Zombielinux
2021-04-01 at 16:57
Spam probability: 0.0%

Now I'm curious as to what hardware they're running to catch the stream.

Comment by
2021-04-01 at 16:13
Spam probability: 0.0%

For the future, why not use tail to not need to save the file offsets out? `tail --bytes=+8 test.mp3 | file -` You can use a sh FOR loop as well

Comment by Guest
2021-04-01 at 15:54
Spam probability: 0.0%

Just commenting en-passant to notify that no, it's not actually valid HTML. (but I CBA with an email for that)

Comment by jimmy
2021-04-01 at 15:33
Spam probability: 0.0%

I was kinda hoping to get a link to an mp3 file so I could listen as well.

Comment by utahcon
2021-04-01 at 15:20
Spam probability: 0.0%

great read, this was useful in understanding a bit of the RE mentality. Thanks! Enjoy your muzak!

Comment by SmallProject
2021-04-01 at 15:08
Spam probability: 0.0%

So... can you control the audio the hotel plays? Lots of fun potential if so

Comment by Dude
2021-04-01 at 15:07
Spam probability: 0.0%

But now you probably can broadcast your own music to elevator!

Comment by Cam
2019-06-10 at 23:52
Spam probability: 0.0%

Good read, thanks!

Comment by iTacoTaco
2019-06-05 at 23:38
Spam probability: 0.0%

On the bright side, now you can host a party in your room except it only plays elevator music.

Comment by haha
2018-11-02 at 23:50
Spam probability: 0.0%

was fun to read. but still idk why they streaming lame music to all folks in their network xD

The content for this website is licensed under CC-BY-SA-4.0.
© 2023 Gökberk Yaltıraklı
