mathieub/plex-premium-mock-proxy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

added doc for patching plexamp and certificate

Browse Source
This commit is contained in:
Mathieu Broillet 2025-08-25 12:36:41 +02:00
parent a7492c152d
commit d2f1a7eafa
Signed by: mathieub
GPG Key ID: 4428608CDA3A98D3
2 changed files with 113 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
.gitignore vendored
View File

@ -5,4 +5,5 @@ build/
dist/
tmp/
*.spec
.idea/
.idea/
certs/

115
README.md
View File

@ -20,9 +20,54 @@ Due to the nature of this hack, you'll have to :
- generate a new certificate authority (CA) for the proxy
- trust or patch the CA on clients and/or apps that will connect to your Plex server
### 1. Generate a new Certificate Authority (CA)
### 1. Generate a new Certificate Authority (CA) and proxy certificate
in writing...
```bash
# Generate a root CA
openssl genrsa -out plexhackCA.key 4096
# Create a self-signed root CA certificate
openssl req -x509 -new -nodes -key plexhackCA.key -sha256 -days 3650 -out plexhackCA.crt -subj "/C=US/ST=Unknown/L=Unknown/O=Unknown/CN=PlexHackCA"
# Generate private key for proxy
openssl genrsa -out plexhackproxy.key 2048
# Create a config file for the proxy certificate (SANs)
cat > plexhacksan.cnf <<EOL
[req]
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
[req_distinguished_name]
C = US
ST = Unknown
L = Unknown
O = Unknown
CN = plex.tv
[req_ext]
subjectAltName = @alt_names
[alt_names]
DNS.1 = plex.tv
DNS.2 = clients.plex.tv
EOL
# Create a certificate signing request (CSR) using the SAN config
openssl req -new -key plexhackproxy.key -out plexhackproxy.csr -config plexhacksan.cnf
# Sign the CSR with your root CA to create the proxy certificate
openssl x509 -req -in plexhackproxy.csr -CA plexhackCA.crt -CAkey plexhackCA.key -CAcreateserial -out plexhackproxy.crt -days 825 -sha256 -extfile plexhacksan.cnf -extensions req_ext
```
Now you should have two files `plexhackproxy.crt` and `plexhackproxy.key` that you will use in your reverse proxy.
You should also have the `plexhackCA.crt` file that you will need to trust on your clients.
> [!IMPORTANT]
> You will need to trust the `plexhackCA.crt` certificate on every device that
> will connect to your Plex server (i.e. mobile, desktop, smart TV...).
> How to do this depends on the device and OS, you will need to search for instructions
> specific to your device.
### 2. Setup reverse proxy
@ -32,8 +77,8 @@ In my case I'm using Traefik, so here is an example configuration :
tls:
certificates:
# use certificates generated in step 1
- certFile: /etc/traefik/ssl/custom/plexfakeclients.crt
keyFile: /etc/traefik/ssl/custom/plexfakeclients.key
- certFile: /etc/traefik/ssl/custom/plexhackproxy.crt
keyFile: /etc/traefik/ssl/custom/plexhackproxy.key
http:
routers:
@ -129,3 +174,65 @@ Now if you try to go to `https://clients.plex.tv/api/hack` you should see a JSON
If you see the Plex "Oops, 404" page then something is wrong with your redirection or proxy.
## Patch PlexAmp
>[!IMPORTANT]
> You'll need to have the official PlexAmp app installed on your device for this to work.
You can use ADB to extract the APK from your device:
```bash
# Execute this from the root of the cloned repo
# Also make sure you have adb installed and your device connected
mkdir extracted_apks && cd extracted_apks
for apk in $(adb shell pm path tv.plex.labs.plexamp | sed 's/package://'); do
adb pull "$apk" .
done
```
>[!NOTE]
> You might be able to download the APK from some websites but it's safer to extract it from your own device.
You'll end up with something like this in the `extracted_apks` folder:
```
.
├── base.apk
├── split_config.arm64_v8a.apk
├── split_config.de.apk
├── split_config.fr.apk
├── split_config.it.apk
└── split_config.xxxhdpi.apk
```
Then you need to patch the `cacert.pem` file inside the `base.apk` to add the `plexhackCA.crt` certificate generated in step 1 and re-sign all the APKs.
_This might sound harder than it is, just follow these steps_:
```bash
# 1. Extract the existing cacert.pem from base.apk
unzip base.apk assets/cacert.pem -d tmp/
# 2. Append your custom CA cert
cat ../certs/plexhackCA.crt >> tmp/assets/cacert.pem
# 3. Replace the file inside base.apk (no compression)
zip -r -0 base.apk tmp/assets/cacert.pem
# 4. Remove existing signatures from ALL APKs (base + splits)
for f in base.apk split_config.*.apk; do
zip -d "$f" 'META-INF/*'
done
# 5. Generate a keystore if you dont already have one
mkdir -p ../keystores
# This will prompt you for some info, you can put whatever you want here and enter "yes" at the end
# WARNING: Take note of the password you enter here as you'll need it to sign the APKs
keytool -genkey -v -keystore ../keystores/plexamphack.keystore -alias plexamphack -keyalg RSA -keysize 2048 -validity 10000
# 6. Sign ALL APKs with the same key
for f in base.apk split_config.*.apk; do
apksigner sign --ks ../keystores/plexamphack.keystore "$f"
done
```
You can now install the modified APK on your Android device.
```bash
# Make sure to uninstall the official PlexAmp app first
adb install-multiple base.apk split_config.*.apk
```