mathieub/plex-premium-mock-proxy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
plex-premium-mock-proxy/README.md

7.2 KiB
Raw Blame History

Plex Premium Hack

This repository contains a "mock" proxy that sits in your network and tricks Plex into thinking you have a Plex Premium subscription.

Requirements

  • A router that can redirect traffic (i.e. OPNsense, pfSense, DD-WRT...)
  • (alternative) a DNS server that can redirect traffic (some apps won't work due to DNS pinning)
  • A reverse proxy (i.e. Traefik, Nginx, Caddy...)
  • A Plex server (self-hosted)

What works?

  • PlexAmp mobile (download mode)

How to setup ?

Due to the nature of this hack, you'll have to :

  • generate a new certificate authority (CA) for the proxy
  • trust or patch the CA on clients and/or apps that will connect to your Plex server

1. Generate a new Certificate Authority (CA) and proxy certificate

# Generate a root CA
openssl genrsa -out plexhackCA.key 4096
# Create a self-signed root CA certificate
openssl req -x509 -new -nodes -key plexhackCA.key -sha256 -days 3650 -out plexhackCA.crt -subj "/C=US/ST=Unknown/L=Unknown/O=Unknown/CN=PlexHackCA"
  
# Generate private key for proxy
openssl genrsa -out plexhackproxy.key 2048
  
# Create a config file for the proxy certificate (SANs)
cat > plexhacksan.cnf <<EOL
[req]
distinguished_name = req_distinguished_name
req_extensions     = req_ext
prompt             = no

[req_distinguished_name]
C  = US
ST = Unknown
L  = Unknown
O  = Unknown
CN = plex.tv

[req_ext]
subjectAltName = @alt_names

[alt_names]
DNS.1 = plex.tv
DNS.2 = clients.plex.tv
EOL

# Create a certificate signing request (CSR) using the SAN config
openssl req -new -key plexhackproxy.key -out plexhackproxy.csr -config plexhacksan.cnf

# Sign the CSR with your root CA to create the proxy certificate
openssl x509 -req -in plexhackproxy.csr -CA plexhackCA.crt -CAkey plexhackCA.key -CAcreateserial -out plexhackproxy.crt -days 825 -sha256 -extfile plexhacksan.cnf -extensions req_ext

Now you should have two files plexhackproxy.crt and plexhackproxy.key that you will use in your reverse proxy. You should also have the plexhackCA.crt file that you will need to trust on your clients.

Important

You will need to trust the plexhackCA.crt certificate on every device that will connect to your Plex server (i.e. mobile, desktop, smart TV...). How to do this depends on the device and OS, you will need to search for instructions specific to your device.

2. Setup reverse proxy

In my case I'm using Traefik, so here is an example configuration :

tls:
  certificates:
    # use certificates generated in step 1
    - certFile: /etc/traefik/ssl/custom/plexhackproxy.crt
      keyFile: /etc/traefik/ssl/custom/plexhackproxy.key

http:
  routers:
    plex:
      entryPoints:
        - https
      service: plex
      rule: Host(`plex.<your-domain>.com`)
      # you may want to use TLS here too (don't use the custom CA cert generated in step 1)
    plex_proxy:
      entryPoints:
        - https
      service: plex_proxy
      rule: Host(`clients.plex.tv`) || Host(`plex.tv`)
      tls: { }

  services:
    plex:
      loadBalancer:
        servers:
          - url: http://<plex-machine-ip>:32400
    plex_proxy:
      loadBalancer:
        servers:
          - url: http://<machine-where-proxy-is>:8000

3. Redirect traffic

For this to work we need to redirect the domain clients.plex.tv and plex.tv to our proxy. This is easily done if you own a router that can do this but might be tricky if you don't.

Important

Mobile/desktop apps tends to use hardcoded DNS servers so if you don't have a router that can redirect traffic, you will not be able to use this hack. It might be possible to patch the app to use a custom DNS server but the apps are usually obfuscated and it's not easy to do so.

OPNsense / pfSense

First, find the IP address behind the plex domains.

dig clients.plex.tv +short
# 172.64.151.205
# 104.18.36.51

dig plex.tv +short
# 52.17.59.150
# 52.49.56.127

Then go into Firewall > Aliases and create two aliases:

  • plex_ips
    • Type: Host(s)
    • Content: <the 4 IPs you found above>
  • plex_do_not_proxy
    • Type: Host(s)
    • Content: and

Then go into Firewall > NAT > Port Forward and create a new rule:

  • Interface: LAN
  • Protocol: TCP
  • Source / Invert: [☑️]
  • Source: (select alias) plex_do_not_proxy
  • Source Port Range: any
  • Destination: (select alias) plex_ips
  • Destination Port Range: 443
  • Redirect Target IP: <your proxy server IP>
  • Redirect Target Port: 443

Finally go to Firewall > NAT > Outbound and create a new rule (select Hybrid mode if needed):

  • Interface: LAN
  • TCP/IP Version: IPv4
  • Protocol: any
  • Source address: any
  • Destination address:
  • Destination port : 443
  • Translation / target: Interface address
Test the redirection

Now if you try to go to https://clients.plex.tv/api/hack you should see a JSON response along the lines of :

{
  "status": "OK, Plex Pass features proxy enabled"
}

If you see the Plex "Oops, 404" page then something is wrong with your redirection or proxy.

Patch PlexAmp

Important

You'll need to have the official PlexAmp app installed on your device for this to work.

You can use ADB to extract the APK from your device:

# Execute this from the root of the cloned repo
# Also make sure you have adb installed and your device connected
mkdir extracted_apks && cd extracted_apks
for apk in $(adb shell pm path tv.plex.labs.plexamp | sed 's/package://'); do
    adb pull "$apk" .
done

Note

You might be able to download the APK from some websites but it's safer to extract it from your own device.

You'll end up with something like this in the extracted_apks folder:

.
├── base.apk
├── split_config.arm64_v8a.apk
├── split_config.de.apk
├── split_config.fr.apk
├── split_config.it.apk
└── split_config.xxxhdpi.apk

Then you need to patch the cacert.pem file inside the base.apk to add the plexhackCA.crt certificate generated in step 1 and re-sign all the APKs.
This might sound harder than it is, just follow these steps:

# 1. Extract the existing cacert.pem from base.apk
unzip base.apk assets/cacert.pem -d tmp/

# 2. Append your custom CA cert
cat ../certs/plexhackCA.crt >> tmp/assets/cacert.pem

# 3. Replace the file inside base.apk (no compression)
zip -r -0 base.apk tmp/assets/cacert.pem

# 4. Remove existing signatures from ALL APKs (base + splits)
for f in base.apk split_config.*.apk; do
    zip -d "$f" 'META-INF/*'
done

# 5. Generate a keystore if you dont already have one
mkdir -p ../keystores
# This will prompt you for some info, you can put whatever you want here and enter "yes" at the end
# WARNING: Take note of the password you enter here as you'll need it to sign the APKs
keytool -genkey -v -keystore ../keystores/plexamphack.keystore -alias plexamphack -keyalg RSA -keysize 2048 -validity 10000

# 6. Sign ALL APKs with the same key
for f in base.apk split_config.*.apk; do
    apksigner sign --ks ../keystores/plexamphack.keystore "$f"
done

You can now install the modified APK on your Android device.

# Make sure to uninstall the official PlexAmp app first
adb install-multiple base.apk split_config.*.apk