Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Change player clients & deobfuscate params with NewPipeExtractor #1774

Closed
wants to merge 18 commits into from

Conversation

gechoto
Copy link
Contributor

@gechoto gechoto commented Dec 24, 2024

Should fix #1748 #1781 #1775 #1770 #1758 #1764 #1760 #1757

Changes:

  • Use WEB_CREATOR client for logged in player requests
  • Use NewPipeExtractor to deobfuscate signature and throttling parameter
  • Send login only for clients which support it (IOS client doesn't support it anymore)
  • Update clients
  • Workaround until Issue#1686 YouTube cookie set to null by logout. #1694 is done

Disadvantages:

  • Premium audio formats don't work currently. The WEB_CREATOR client doesn't support them. There could be something added later to try with the WEB_REMIX client for premium users first.

… logged in player requests + don't send login for IOS client
Copy link

gitguardian bot commented Dec 24, 2024

⚠️ GitGuardian has uncovered 1 secret following the scan of your pull request.

Please consider investigating the findings and remediating the incidents. Failure to do so may lead to compromising the associated services or software components.

Since your pull request originates from a forked repository, GitGuardian is not able to associate the secrets uncovered with secret incidents on your GitGuardian dashboard.
Skipping this check run and merging your pull request will create secret incidents on your GitGuardian dashboard.

🔎 Detected hardcoded secret in your pull request
GitGuardian id GitGuardian status Secret Commit Filename
14305798 Triggered Google API Key d4f9aad innertube/src/main/java/com/zionhuang/innertube/models/YouTubeClient.kt View secret
🛠 Guidelines to remediate hardcoded secrets
  1. Understand the implications of revoking this secret by investigating where it is used in your code.
  2. Replace and store your secret safely. Learn here the best practices.
  3. Revoke and rotate this secret.
  4. If possible, rewrite git history. Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data.

To avoid such incidents in the future consider


🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.

@gechoto gechoto marked this pull request as draft December 24, 2024 02:31
@gechoto gechoto changed the title Deobfuscate params with NewPipeExtractor Switch to WEB_REMIX client for logged-in player & deobfuscate params with NewPipeExtractor Dec 24, 2024
@gechoto gechoto changed the title Switch to WEB_REMIX client for logged-in player & deobfuscate params with NewPipeExtractor Change player clients & deobfuscate params with NewPipeExtractor Dec 24, 2024
@th3y
Copy link

th3y commented Dec 29, 2024

Its normal to have error 403? Access denied?

@gechoto
Copy link
Contributor Author

gechoto commented Dec 29, 2024

Its normal to have error 403? Access denied?

This can happen for multiple reasons but for most users it shouldn't. Some questions:

  • Which client did you use? (If you don't know: Are you logged in or out?)
  • Can you play the same song in a private window in a browser on the same device?
  • Anything interesting in the logs?

@th3y
Copy link

th3y commented Dec 29, 2024

Its normal to have error 403? Access denied?

This can happen for multiple reasons but for most users it shouldn't. Some questions:

  • Which client did you use? (If you don't know: Are you logged in or out?)
  • Can you play the same song in a private window in a browser on the same device?
  • Anything interesting in the logs?

Logged in but also tried as guest
Deobfuscate works as intended. but for some reason, im getting 'PlayBack error', and watching the url i got 403

Return: from Video https://music.youtube.com/watch?v=URhQ9iJHIsU
https://rr8---sn-uqx2-aphr.googlevideo.com/videoplayback?expire=1735460448&ei=ALJwZ6vgJvue-LAPvZ3XqA4&ip=XXX.XXX.XXX.XXX&id=o-AHJYPKV01HGpAWLZ9FiUmWLEdbRpsRUO4BakwhQIlI5w&itag=251&source=youtube&requiressl=yes&xpc=EgVo2aDSNQ%3D%3D&met=1735438848%2C&mh=xI&mm=31%2C26&mn=sn-uqx2-aphr%2Csn-bg0e6n7r&ms=au%2Conr&mv=m&mvi=8&pcm2cms=yes&pl=24&rms=au%2Cau&initcwndbps=2232500&bui=AfMhrI99h7HMEacM0Dbwlshb4EeyBMVdZrPtdLjMuE0qA3_hO9hOQgBsIIhe0V5oW7TQtsMc45f9p8rJ&spc=x-caUDZnceXKfFpodNb1NxUDhVPNOEI3_P81ReUaAvJg5ANSFRQ_BgChOuaN5igQQGXpYwE&vprv=1&svpuc=1&mime=audio%2Fwebm&ns=P3Tp5SBO-sv-ydBi1FBRC0UQ&rqh=1&gir=yes&clen=56536689&dur=3265.281&lmt=1708991197969251&mt=1735438384&fvip=3&keepalive=yes&fexp=51326932%2C51335594%2C51371294&c=WEB_REMIX&sefc=1&txp=4532434&n=BUnpG-DaInQBjPA_&sparams=expire%2Cei%2Cip%2Cid%2Citag%2Csource%2Crequiressl%2Cxpc%2Cbui%2Cspc%2Cvprv%2Csvpuc%2Cmime%2Cns%2Crqh%2Cgir%2Cclen%2Cdur%2Clmt&lsparams=met%2Cmh%2Cmm%2Cmn%2Cms%2Cmv%2Cmvi%2Cpcm2cms%2Cpl%2Crms%2Cinitcwndbps&lsig=AGluJ3MwRQIgfG6GgMye-2fs1s7uoxDJs4ccw4aZ6EtNEVtiZq1ZnAACIQD6lwr4Sl5d4qJPwCDAbkfRt_T49H672hN9NwO771zwOQ%3D%3D&sig=dJDJfQdSswRQIgZKhQdqu_woF4pX6TZeatAJERGyfy%3DVI-%3DwBIseR3GNcCIQCTWz_wxBuiDHRmemYo8FKy5IRetgNF-TdTuxi6QFGUA&range=0-56536689

The IP is deleted (But you can see the rest of the deob)

@gechoto
Copy link
Contributor Author

gechoto commented Dec 29, 2024

@th3y your url contains c=WEB_REMIX which should not happen. Are you sure you installed the latest version? It uses the WEB_CREATOR client instead now.

@th3y
Copy link

th3y commented Dec 29, 2024

@th3y your url contains c=WEB_REMIX which should not happen. Are you sure you installed the latest version? It uses the WEB_CREATOR client instead now.

I was switching between WEB, WEB_REMIX and got the same result. i could also share a video probably)

@gechoto
Copy link
Contributor Author

gechoto commented Dec 29, 2024

I was switching between WEB, WEB_REMIX

These are known to be more likely to result in 403s.
Please try the WEB_CREATOR client. It is the default now if you are logged-in and don't change any code from this PR.

@gechoto gechoto marked this pull request as ready for review December 29, 2024 02:50
@th3y
Copy link

th3y commented Dec 29, 2024

I was switching between WEB, WEB_REMIX

These are known to be more likely to result in 403s. Please try the WEB_CREATOR client. It is the default now if you are logged-in and don't change any code from this PR.

From: https://music.youtube.com/watch?v=bs9bQAGksao
https://rr6---sn-uqx2-aphk.googlevideo.com/videoplayback?expire=1735461957&ei=5bdwZ5adINWO-LAP4tjY6A4&ip=000.000.000.000&id=o-AICemrz-cHA1di9_aCzDy6pqEVfbGXgXEu-Mxdm5jRld&itag=251&source=youtube&requiressl=yes&xpc=EgVo2aDSNQ%3D%3D&met=1735440357%2C&mh=l9&mm=31%2C26&mn=sn-uqx2-aphk%2Csn-a5mekn6s&ms=au%2Conr&mv=m&mvi=6&pl=24&rms=au%2Cau&gcr=pe&initcwndbps=2096250&bui=AfMhrI_4hbG4ohX225VXADkAq-_pIRvUBHsaC9vSA41rN2mntcOZK5s4mbOnviLt93MyhHZE8jrmEeur&spc=x-caUPmQQYhzDQ3Rxfzx-RAlE2NBBltRn8299TtRKmjrvwsS9eML1fyJ_ut15dO5o830uhI&vprv=1&svpuc=1&mime=audio%2Fwebm&ns=DXTTbo86Ykjj9BiStiGl1n8Q&rqh=1&gir=yes&clen=2965446&dur=168.041&lmt=1714727050410263&mt=1735440068&fvip=3&keepalive=yes&fexp=51326932%2C51335594%2C51355912%2C51371294&c=WEB&sefc=1&txp=2318224&n=eAvmXiANlg3_M_Ap&sparams=expire%2Cei%2Cip%2Cid%2Citag%2Csource%2Crequiressl%2Cxpc%2Cgcr%2Cbui%2Cspc%2Cvprv%2Csvpuc%2Cmime%2Cns%2Crqh%2Cgir%2Cclen%2Cdur%2Clmt&lsparams=met%2Cmh%2Cmm%2Cmn%2Cms%2Cmv%2Cmvi%2Cpl%2Crms%2Cinitcwndbps&lsig=AGluJ3MwRQIhAMifkyigSiK2L5wchAWVpYgti4TSoBnR2wncUHQcVrsBAiAqm-oBogOvAkSWf9tZ1j4gL7TMZyrAIwYAMIWVDbTKmw%3D%3D&sig=aJgJfQdSswRQIhAKh7zAG4ORHwpFbVi1tGAAoJxM0_%3Dz9F%3D7JcQd1yCVtUAiADb25xsB1ugtWlZHW_AiM1LNsqUlwBdC3QhhCCZ0E7J&range=0-2965446

Just to be sure, does loudnessDb gives you value?

@gechoto
Copy link
Contributor Author

gechoto commented Dec 29, 2024

does loudnessDb gives you value?

yes

If it is missing for you please make sure you are testing with new songs which were never loaded before and are not in the db already. If in doubt just reset the app (delete all data or uninstall->reinstall without restoring a backup).

@Figim
Copy link

Figim commented Dec 29, 2024

Http 403/ New yt blocking:
TeamNewPipe/NewPipe#11803 (comment)

A potoken is required in the middle and end of the video.

If you want a solution to play songs: Wait until the Invidious API supports the Invidious companion.

Support PR for Invidious companion: iv-org/invidious#4985

Support for android applications using Invidious APİ : iv-org/invidious-companion#22

Project link: https://github.com/iv-org/invidious-companion

Copy link
Contributor

@Malopieds Malopieds left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Whilst the implementation is working I feel like we are getting dependent of another library. Furthermore, since the IOS player is working (but not for logged in) this PR (as of now) is only for logged in users? It feels like using a bulldozer to move a small rock, since it's essentially 3 function that (if I understood correctly) NewPipe is getting from the /s/player YouTube's js scripts, we could maybe find a way to abstract from NewPipe and use only the js since it looks like it's the only solution to counter the YouTube's frequent changes. If we could add this to the WEB_REMIX too it would be great, but when trying to do so while testing this PR, I stumbled about the fact that potoken is now needed (as @Figim stated)

@gechoto
Copy link
Contributor Author

gechoto commented Dec 29, 2024

@Malopieds

Whilst the implementation is working I feel like we are getting dependent of another library.

I think this is a good thing here because this way we can share efforts with the NewPipe team.

this PR (as of now) is only for logged in users?

for now - the deobfuscation stuff is only used for logged in users
but this PR does also contain a fix to ensure logged out users correctly use the IOS client again

It feels like using a bulldozer to move a small rock, since it's essentially 3 function that (if I understood correctly) NewPipe is getting from the /s/player YouTube's js scripts, we could maybe find a way to abstract from NewPipe and use only the js

This is barely a problem. If you make a release build there is an optimization step which means all code from NewPipeExtractor which InnerTune does not use is removed. The final apk only contains the 3 functions (and the functions they call) which are used from NewPipeExtractor.

If we "abstract from NewPipe" this will barely help because it already includes only the minimal code it needs from it.
Also I like the idea of using a library for this job because if anything breaks someone will only need to fix it in one place - NewPipeExtractor - and multiple apps can profit - which seems more efficient to me.

If we could add this to the WEB_REMIX too it would be great

Sure that would be cool because the WEB_REMIX client does provide premium audio formats (higher quality) which are not available with the WEB_CREATOR client.
The reason why this PR does not use WEB_REMIX is because for some it requires a po_token now.
In the future InnerTune could just try the WEB_REMIX client first and if it results in an error fallback to WEB_CREATOR.
However this would need more code changes (because when it fails the url is already in the player) so I think this would be better handled in a separate PR afterwards.

@Darklore69
Copy link

Please merge the pr so that we can download it @z-huang

@gechoto
Copy link
Contributor Author

gechoto commented Dec 31, 2024

@th3y

Update (Some songs are returning HTTP 403)

Please do this:
1.) Keep a note with songs which return 403
2.) Clear app data (full reset without restoring a backup)
3.) Try to play the songs again (without login at this point) - LEAVE A COMMENT HERE IF IT WORKS
4.) Clear app data again (full reset without restoring a backup) - YES A SECOND TIME
5.) Login in within InnerTune
6.) Try to play the songs again - LEAVE A COMMENT HERE IF IT WORKS


@ecomaikgolf

some videos are not playable

I had the cache clean and the account logged in.

Clearing the cache does not remove the songs from the database. It still keeps some metadata from before which can cause issue. One example is this:
#1631

If you really want to reload the songs currently you have to reset the whole app (remove app data or uninstall->reinstall without restoring a backup).

I known that is annoying and makes testing harder but unfortunately this is still how this app works (I hope this will change in the future).

For that reason @ecomaikgolf also try the steps above (with the resets) and check if the songs/videos now play for you.

@gechoto
Copy link
Contributor Author

gechoto commented Dec 31, 2024

Just an info: the IOS client does not have a global loudnessDb anymore.
This breaks normalization for logged out users.

One possible fix to make such metadata consistent might be to make two requests:

  • One for metadata with the WEB_REMIX client
  • Another one for the streams with the WEB_CREATOR or IOS client

But I feel like this should be done in a separate PR after merging this one here.

@Figim
Copy link

Figim commented Dec 31, 2024

Just an info: the IOS client does not have a global loudnessDb anymore. This breaks normalization for logged out users.

One possible fix to make such metadata consistent might be to make two requests:

  • One for metadata with the WEB_REMIX client
  • Another one for the streams with the WEB_CREATOR or IOS client

But I feel like this should be done in a separate PR after merging this one here.

ReVanced uses android vr (no auth), android tv, Android vr, ios tv (not stable) client

ReVanced/revanced-patches#4180

We can wait for the Http 403 error to be fixed by NewPipe.

There is a useful tool: https://github.com/LuanRT/BgUtils

@th3y
Copy link

th3y commented Dec 31, 2024

Just an info: the IOS client does not have a global loudnessDb anymore. This breaks normalization for logged out users.

One possible fix to make such metadata consistent might be to make two requests:

  • One for metadata with the WEB_REMIX client
  • Another one for the streams with the WEB_CREATOR or IOS client

But I feel like this should be done in a separate PR after merging this one here.

IOS don't let use low quality audio too.
Update (139)

@ecomaikgolf
Copy link

@gechoto:

Please do this:
1.) Keep a note with songs which return 403
2.) Clear app data (full reset without restoring a backup)
3.) Try to play the songs again (without login at this point) - LEAVE A COMMENT HERE IF IT WORKS
4.) Clear app data again (full reset without restoring a backup) - YES A SECOND TIME
5.) Login in within InnerTune
6.) Try to play the songs again - LEAVE A COMMENT HERE IF IT WORKS

The sample https://www.youtube.com/watch?v=r3P9vakbsaw worked in step 3 "Try to play the songs again (without login at this point)"

The channel was also loadable and all its videos played without issues.

Clearing the cache does not remove the songs from the database. It still keeps some metadata from before which can cause issue. One example is this:
#1631

If you really want to reload the songs currently you have to reset the whole app (remove app data or uninstall->reinstall without restoring a backup).

I just checked my exported backup sqlite and some songs have the metadata broken. Does that mean users won't be able to export/import the backup (as this broken-metadata songs won't be able to play anymore)?

@gechoto
Copy link
Contributor Author

gechoto commented Dec 31, 2024

I just checked my exported backup sqlite and some songs have the metadata broken. Does that mean users won't be able to export/import the backup (as this broken-metadata songs won't be able to play anymore)?

I guess the songs with broken metadata might be playable again at some point as the urls in the database should expire after some time. However I haven't tested it.
(Maybe you can test again with your backup tomorrow?)

But it would be better if someone made a PR which fixes the caching issues like this:

  • Remove saved formats and stream urls from the database when users request to clear the cache
  • If a song is removed from the cache (due to max cache size reached) also remove it from the database (reset format & url)
  • Do not partially cache songs but only add songs to the cache if they are 100% loaded

This should fix all the caching issues we currently have.
Does someone want to work on this?

@gechoto
Copy link
Contributor Author

gechoto commented Dec 31, 2024

Just an info: the IOS client does not have a global loudnessDb anymore.

Update: The WEB_CREATOR client does still have this field but with different values so everything will be much quieter.

We should really switch to using the WEB_REMIX client for metadata and use the other clients only for the streams.

@gechoto
Copy link
Contributor Author

gechoto commented Dec 31, 2024

@z-huang This can be merged now.
The remaining todos should be handled afterwards but separate from this PR.

Please squash the commits.
If you want to have the foss PR builds separate feel free to remove them again before merging and maybe add them back in a separate commit.

@gechoto
Copy link
Contributor Author

gechoto commented Jan 1, 2025

IOS don't let use low quality audio too.
Update (139)

Format 139 seems to be missing now on multiple clients. In the case of InnerTune this can lead to completely broken/unplayable songs now for some users (until they reset all app data but this is obviously a bad workaround).
You can read about why this happens here:
#1631 (comment)

Sounds like the caching and format saving issues should be fixed asap. I will add it to the TODO list.

@gechoto gechoto mentioned this pull request Jan 1, 2025
6 tasks
@gechoto
Copy link
Contributor Author

gechoto commented Jan 1, 2025

I transferred the TODO list from here to a separate issue:
#1785

This way it is easier to keep track of what needs to be done for the next release and we have a place to discuss who wants to work on which issue.

@z-huang can you pin the TODO issue?

@kaneryu
Copy link

kaneryu commented Jan 2, 2025

Is it possible to compile it to package com.zionhuang.music instead of com.zionhuang.music.debug so we can update the existing app in the meantime?

(this is assuming the PR will be merged with no additional changes)

@ecomaikgolf
Copy link

Is it possible to compile it to package com.zionhuang.music instead of com.zionhuang.music.debug so we can update the existing app in the meantime?

I don't think this will work as the APK signatures won't match (assuming CI doesn't use the same building signature key)

But you can export the database from your current app and restore in the debug version if you want in the meantime. Then do the same process (from debug) with the future release.

@mikooomich
Copy link

It is probably easier on the dev side to be able to configure a local newpipe extractor when building, like how newpipe has configured in their repo. For example, it would be something like this in settings.gradle: mikooomich/OuterTune@e0aabfa

Then, comment this out for regular builds (so it uses the remote builds), and when you need to use a custom newpipe extractor for whatever reason, uncomment it so the local path is used instead

@gechoto
Copy link
Contributor Author

gechoto commented Jan 3, 2025

@mikooomich I also had this for working on my NewPipeExtractor PR however this alone is not enough in my experience. You will also need to remove the version from the dependency or it will still use the specified release/commit.

@KenGato
Copy link

KenGato commented Jan 3, 2025 via email

@mikooomich
Copy link

@gechoto you mean even after gradle resyncs project it would still use the version defined in the .toml? Hmmm. Maybe I didn't run into this because the remote extractor failed to download

@gechoto
Copy link
Contributor Author

gechoto commented Jan 3, 2025

@gechoto you mean even after gradle resyncs project it would still use the version defined in the .toml?

@mikooomich Exactly.

Maybe I didn't run into this because the remote extractor failed to download

This might be the cause I guess it will try to prefer the version/commit from the .toml if it exists in the remote repo

Why did the download fail for you?

@mikooomich
Copy link

Why did the download fail for you?

Weird. I tried again it and succeeded this time

@gechoto
Copy link
Contributor Author

gechoto commented Jan 3, 2025

Why did the download fail for you?

Weird. I tried again it and succeeded this time

@mikooomich jitpack can take a while to build it and also seems they had some downtime recently

HGStyle added a commit to HGStyle/InnerTuneBeta that referenced this pull request Jan 3, 2025
@gechoto gechoto closed this Jan 5, 2025
@gechoto gechoto mentioned this pull request Jan 5, 2025
@gechoto gechoto deleted the newpipe-deobfuscate branch January 5, 2025 04:56
@gechoto
Copy link
Contributor Author

gechoto commented Jan 5, 2025

New PR with additional improvements: #1789

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Unable to play songs in the app
10 participants