Plex Premium Hack

This repository contains a "mock" proxy that sits in your network and tricks Plex into thinking you have a Plex Premium subscription.

Requirements

• A router that can redirect traffic (i.e. OPNsense, pfSense, DD-WRT...)
• (alternative) a DNS server that can redirect traffic (some apps won't work due to DNS pinning)
• A reverse proxy (i.e. Traefik, Nginx, Caddy...)
• A Plex server (self-hosted)

What works?

• PlexAmp mobile (download mode)

How to setup ?

Due to the nature of this hack, you'll have to :

• generate a new certificate authority (CA) for the proxy
• trust or patch the CA on clients and/or apps that will connect to your Plex server

1. Generate a new Certificate Authority (CA) and proxy certificate

# Generate a root CA
openssl genrsa -out plexhackCA.key 4096
# Create a self-signed root CA certificate
openssl req -x509 -new -nodes -key plexhackCA.key -sha256 -days 3650 -out plexhackCA.pem -subj "/C=US/ST=SomeState/L=SomeCity/O=PlexHack/OU=PlexHack/CN=PlexHackCA"
  
# Generate private key for proxy
openssl genrsa -out plexhackproxy.key 2048
  
# Create a config file for the proxy certificate (SANs)
cat > plexhacksan.cnf <<EOL
[req]
distinguished_name = req_distinguished_name
req_extensions     = v3_req
prompt             = no

[req_distinguished_name]
C  = US
ST = SomeState
L = SomeCity
O = PlexHack
OU = PlexHack
CN = plex.tv

[v3_req]
subjectAltName = @alt_names

[alt_names]
DNS.1 = plex.tv
DNS.2 = *.plex.tv
DNS.3 = *.provider.plex.tv

EOL

# Create a certificate signing request (CSR) using the SAN config
openssl req -new -key plexhackproxy.key -out plexhackproxy.csr -config plexhacksan.cnf

# Sign the CSR with your root CA to create the proxy certificate
openssl x509 -req -in plexhackproxy.csr -CA plexhackCA.pem -CAkey plexhackCA.key -CAcreateserial -out plexhackproxy.crt -days 365 -sha256 -extfile plexhacksan.cnf -extensions v3_req

Now you should have two files plexhackproxy.crt and plexhackproxy.key that you will use in your reverse proxy. You should also have the plexhackCA.crt file that you will need to trust on your clients.

Important

You will need to trust the plexhackCA.crt certificate on every device that will connect to your Plex server (i.e. mobile, desktop, smart TV...). How to do this depends on the device and OS, you will need to search for instructions specific to your device.

2. Setup reverse proxy

In my case I'm using Traefik, so here is an example configuration :

tls:
  certificates:
    # use certificates generated in step 1
    - certFile: /etc/traefik/ssl/custom/plexhackproxy.crt
      keyFile: /etc/traefik/ssl/custom/plexhackproxy.key

http:
  routers:
    plex:
      entryPoints:
        - https
      service: plex
      rule: Host(`plex.<your-domain>.com`)
      # you may want to use TLS here too (don't use the custom CA cert generated in step 1)
    plex_proxy:
      entryPoints:
        - https
      service: plex_proxy
      rule: Host(`clients.plex.tv`) || Host(`plex.tv`)
      tls: { }

  services:
    plex:
      loadBalancer:
        servers:
          - url: http://<plex-machine-ip>:32400
    plex_proxy:
      loadBalancer:
        servers:
          - url: http://<machine-where-proxy-is>:8000

3. Redirect traffic

For this to work we need to redirect the domain clients.plex.tv and plex.tv to our proxy. This is easily done if you own a router that can do this but might be tricky if you don't.

Important

Mobile/desktop apps tends to use hardcoded DNS servers so if you don't have a router that can redirect traffic, you will not be able to use this hack. It might be possible to patch the app to use a custom DNS server but the apps are usually obfuscated and it's not easy to do so.

OPNsense / pfSense

First, find the IP address behind the plex domains.

dig clients.plex.tv +short
# 172.64.151.205
# 104.18.36.51

dig plex.tv +short
# 52.17.59.150
# 52.49.56.127

Then go into Firewall > Aliases and create two aliases:

• plex_ips
  • Type: Host(s)
  • Content: <the 4 IPs you found above>
• plex_do_not_proxy
  • Type: Host(s)
  • Content: and

Then go into Firewall > NAT > Port Forward and create a new rule:

• Interface: LAN
• Protocol: TCP
• Source / Invert: [☑️]
• Source: (select alias) plex_do_not_proxy
• Source Port Range: any
• Destination: (select alias) plex_ips
• Destination Port Range: 443
• Redirect Target IP: <your proxy server IP>
• Redirect Target Port: 443

Finally go to Firewall > NAT > Outbound and create a new rule (select Hybrid mode if needed):

• Interface: LAN
• TCP/IP Version: IPv4
• Protocol: any
• Source address: any
• Destination address:
• Destination port : 443
• Translation / target: Interface address

Test the redirection

Now if you try to go to https://clients.plex.tv/api/hack you should see a JSON response along the lines of :

{
  "status": "OK, Plex Pass features proxy enabled"
}

If you see the Plex "Oops, 404" page then something is wrong with your redirection or proxy.

Patch Plexamp

Important

You'll need to have the official PlexAmp app installed on your device for this to work.

You can use ADB to extract the APK from your device:

# Execute this from the root of the cloned repo
# Also make sure you have adb installed and your device connected
mkdir extracted_apks && cd extracted_apks
for apk in $(adb shell pm path tv.plex.labs.plexamp | sed 's/package://'); do
    adb pull "$apk" .
done

Note

You might be able to download the APK from some websites but it's safer to extract it from your own device.

You'll end up with something like this in the extracted_apks folder:

.
├── base.apk
├── split_config.arm64_v8a.apk
├── split_config.de.apk
├── split_config.fr.apk
├── split_config.it.apk
└── split_config.xxxhdpi.apk

Then you need to patch the cacert.pem file inside the base.apk to add the plexhackCA.crt certificate generated in step 1 and re-sign all the APKs.
This might sound harder than it is, just follow these steps:

# 1. Extract the existing cacert.pem from base.apk
unzip base.apk assets/cacert.pem -d ./

# 2. Append your custom CA cert
echo -e "\nPlexHack" >> assets/cacert.pem
echo -e "==================================" >> assets/cacert.pem
cat ../certs/plexhackCA.pem >> assets/cacert.pem

# 3. Remove old cacert.pem and add the new one (with no compression)
zip -d base.apk assets/cacert.pem
zip -X0 base.apk assets/cacert.pem

# 4. Remove existing signatures from ALL APKs (base + splits)
for f in base.apk split_config.*.apk; do
    zip -d "$f" 'META-INF/*'
done

# 5. Generate a keystore if you don’t already have one
mkdir -p ../keystores
# This will prompt you for some info, you can put whatever you want here and enter "yes" at the end
# WARNING: Take note of the password you enter here as you'll need it to sign the APKs
keytool -genkey -v -keystore ../keystores/plexamphack.keystore -alias plexamphack -keyalg RSA -keysize 2048 -validity 10000

# 6. Sign ALL APKs with the same key
for f in base.apk split_config.*.apk; do
    apksigner sign --ks ../keystores/plexamphack.keystore "$f"
done

You can now install the modified APK on your Android device.

# Make sure to uninstall the official PlexAmp app first
adb install-multiple base.apk split_config.*.apk

Patch Plexamp Headless

# Execute this from the root of the cloned repo
mkdir plexamp_headless && cd plexamp_headless

# Download and extract Plexamp Headless
wget https://plexamp.plex.tv/headless/Plexamp-Linux-headless-v4.12.4.tar.bz2 -O plexamp-headless.tar.bz2 -k
tar -xvf plexamp-headless.tar.bz2 && rm plexamp-headless.tar.bz2
mv plexamp/* ./ && rmdir plexamp

# Add the custom CA cert to the cacert.pem file
echo -e "\nPlexHack" >> cacert.pem
echo -e "==================================" >> cacert.pem
cat ../certs/plexhackCA.pem >> cacert.pem

# Now you can run Plexamp Headless with the custom CA cert
node js/index.js

# (optional) You can also setup the systemd service included
mv plexamp.service /etc/systemd/system/
systemctl daemon-reload
systemctl enable --now plexamp # to start at boot and start now

Configure Plexamp Headless

Once started I recommend settings these settings for optimal experience:

# Do not mixdown to stereo (val: true/false)
echo "Bfalse" > ${HOME}/.local/share/Plexamp/Settings/%40Plexamp%3Asettings%3AaudioMixdownToStereo

# Set cache size to 512MB (val: 256, 512, 1024, 2048, 4096, 8192, 16384, 32768, 65536, 131072)
echo "N512" > ${HOME}/.local/share/Plexamp/Settings/%40Plexamp%3Asettings%3AcacheSize

# Set how many songs to precache on WiFi (val: 0/5/10/15/20/25/40)
echo "N0" > ${HOME}/.local/share/Plexamp/Settings/%40Plexamp%3Asettings%3AcachingWiFi

# Set player name (Marantz here)
echo "SMarantz" > ${HOME}/.local/share/Plexamp/Settings/%40Plexamp%3Asettings%3AplayerName

# Set precache network speed to 10Mbps (val: 0/1/5/10/50/100)
echo "N10" > ${HOME}/.local/share/Plexamp/Settings/%40Plexamp%3Asettings%3AprecacheNetworkSpeed

# Set sample rate conversion quality to highest (64 point sinc) (val: 0-4)
echo "N4" > ${HOME}/.local/share/Plexamp/Settings/%40Plexamp%3Asettings%3AsampleRateConversionQuality

# Set sample rate matching to "Strict" (val: 0-2)
echo "N2" > ${HOME}/.local/share/Plexamp/Settings/%40Plexamp%3Asettings%3AsampleRateMatching

I don't recommend accessing the Plexamp Headless webUI as it might cause issues with the hack (not tested though).

Setup output device

I had to manually overwrite the default connection as I wanted to output to a S/PDIF device, check your devices with aplay -l :

**** List of PLAYBACK Hardware Devices ****
card 1: PCH [HDA Intel PCH], device 0: ALCS1200A Analog [ALCS1200A Analog]
  Subdevices: 1/1
  Subdevice #0: subdevice #0

Create the file /etc/asound.conf and modify it to match your device, this worked for me:

pcm.!default {
    type plug
    slave {
        pcm "iec958:CARD=PCH,DEV=0"
    }
}

ctl.!default {
    type hw
    card PCH
}