Breaking into your local radio station

My local radio station has a web stream, that you can play from their website ( Their site, in addition to having annoying ads that delay the start of the music, only runs on Adobe Flashplayer. I wanted to be able to play it on my Raspberry Pi from XBMC, which is running an arm processor instead of an intel, and there is no flashplayer for arm. Using the website is not an option for running it on the Pi, so I had to find another way to play it.

Given that the stream is a normal mp3 stream once it starts, and there are lots of mp3 players for the Pi, I thought I could dig and get the stream URL and put that in a normal mp3 playing program… wow was I wrong!

The first try was to take a look at the URL that the flashplayer calls. This ends up being

Pasting that into VLC did not work. I also tried without a token, which basically says I need to authenticate.  Ok, the task gets a bit more challenging since instead of having a simple URL I will now need to write a script to generate the token and pass that to my media problem.  This should be simple enough, once I know where to get my precious token.

I did some tracing of exactly how the page starts the stream. The above URL, including the token changes each time the stream starts, is delivered by the following URL:

First it makes a request to /authenticate, which returns a token:
GET /authenticate HTTP/1.1
Connection: keep-alive
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=190596092.1734083112.1338502802.1340537404.1340564465.20;|utmccn=(referral)|utmcmd=referral|utmcct=/koeln/rk/111960/webradio; __utma=190596092.1734083112.1338502802.1340537404.1340564465.20;
__utmb=190596092.19.10.1347781728;|utmccn=(referral)|utmcmd=referral|utmcct=/koeln/rk/111960/webradio; __utmc=190596092

When this is done “quickly”, it returns the following JSON result:

So then I tried replaying the request: no dice all I could get was a “not authenticated” result. Repeated attempts show that the SID is the only value that changes, so this must be a one-time token.  Next try is to try this with a fresh SID that hasnt yet been sent.

Using Firefox with Firebug and Tamperdata, I was able to interrupt the request for /authenticate, and manually copy out the SID.  Try as I might, with my fresh SID I could not get an authentication succeeded in my telnet session.  Furthermore, if I took the entire request from Tamperdata and put it through my telnet connection, I would also get authentication denied.  My only explanation here is, the SID contains a timestamp and needs to happen within a shorter time than it takes me to stop the request, copy the SID, edit the telnet GET request, and send it via telnet.

Plan B – Radio Koeln also has an iPad app – maybe that has a simpler URL, however tools aren’t as readily available to ‘tamper’ with the connection.

I setup my router to capture traffic between the iPad and the internet.  Within 30 seconds, I had some positive results:

Wireshark Screenshot


Furthermore, I could not find anywhere in the XML requests where this URL is passed to the app – which to me indicates that the URL is hardcoded into the app.  Disclaimer, I have never developed an app and don’t know what I am doing! However, I don’t see how this could be changed without requiring an update to the app – it should be relatively static.

If anyone is looking for Radio Koeln streams to add to your favourite music player:

For the other “NRW Lokalradios” you can change the city name and it seems to work: