With knowledge of the protocol in hand, you can now start writing code to fetch search results from Apple and access the XML-formatted metadata.
Searching the iTMS with wget.
wget is a command-line agent for grabbing data off the Web. In general, if you pass a URL to the wget command, wget will download the contents pointed to by the URL and save them to disk. wget is standard issue on most Unix-like platforms, including Mac OS X, and you can also download it for Windows platforms from various sources (try Googling for "wget for Windows").
You can grab encrypted iTMS data from Apple yourself with wget, but you need to specify an iTunes User-Agent header to override wget's default User-Agent header:
$ wget "http://phobos.apple.com/WebObjects/MZSearch.woa/wa/com.apple.jingle.search.DirectAction/search?term=Xiu%20Xiu" \
    -U "iTunes/4.0 (Macintosh; U; PPC Mac OS X 10.2)"
Of course, the fetched file is encrypted with AES, as described above. Unfortunately, there are no standard-issue tools for decrypting these files, so we need to resort to some relatively simple Perl code to go any further.
Cryptography programming in Perl.
To decrypt AES-128 CBC, you need two nonstandard Perl modules: Crypt::CBC and Crypt::Rijndael. Both modules can be downloaded from CPAN (http://www.cpan.org).
TIP
In case you are wondering, Rijndael is another name for AES, since the Rijndael algorithm was selected as the AES standard.
CBC.pm is pure Perl, but the Rijndael module must be compiled for your platform. Compilation instructions are included with the module package that you download from CPAN. Once installed, these modules can be included in your Perl program as follows:
use Crypt::CBC;
use Crypt::Rijndael;
You can get the encryption initialization vector (IV) from the x-apple-crypto-iv HTTP header, as described previously. Apple picks a fresh IV for each response, and you must use the IV included with a response to decrypt that response. Assume the IV is 19953b75e9846ea59715be906cdca0c8. You can set up variables for the key and IV as follows:
my $iTunesKeyHex = "8a9dad399fb014c131be611820d78895";
my $ivHex = "19953b75e9846ea59715be906cdca0c8";
The CBC module requires that both keys and IVs be in binary form, though we currently have them in hex-encoded form. We can pack our key and IV into binary form as follows:
my $iTunesKeyBinary = pack( "H*", $iTunesKeyHex );
my $ivBinary = pack( "H*", $ivHex );
Using these binary values, you can create a Rijndael CBC cipher as follows:
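my $cipher = Crypt::CBC->new( { 'key'            => $iTunesKeyBinary,
                                'cipher'         => 'Rijndael',
                                'iv'             => $ivBinary,
                                'regenerate_key' => 0,   # use the key bytes as given instead of hashing them
                                'padding'        => 'standard',
                                'prepend_iv'     => 0    # the IV is supplied separately, not prepended to the data
                              } );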
You can think of this initialized cipher object as a black box that takes encrypted data as input and outputs decrypted data. Assuming that you have your encrypted GZIP data stored in a variable called $encryptedSearchResults, you can finally decrypt the results as follows:
my $decryptedSearchResultsGZIP =
$cipher->decrypt( $encryptedSearchResults );
Now, your results can be decompressed with GZIP, producing raw XML that you can peruse, parse, and otherwise enjoy.
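The whole procedure above in one script, as an added example that is not part of the original text or of iTMS-4-ALL: it decrypts a response body, checks that the result is really GZIP before decompressing, and shows what happens when a response is decrypted with the wrong IV. The function names and the sample "response" are constructed for illustration, and the script assumes a Crypt::CBC release that accepts the named -literal_key, -keysize and -header arguments, plus the IO::Compress modules bundled with current Perl.

```perl
#!/usr/bin/perl
# Added example: AES-128-CBC decrypt plus gunzip, with sanity checks.
use strict;
use warnings;
use Crypt::CBC;
use Crypt::Rijndael;
use IO::Compress::Gzip qw(gzip $GzipError);
use IO::Uncompress::Gunzip qw(gunzip $GunzipError);

my $KEY_HEX = "8a9dad399fb014c131be611820d78895";    # key given in the text

# Build a cipher for one response: the key is fixed, the IV is per-response.
sub make_cipher {
    my ($iv_hex) = @_;
    die "IV must be 32 hex digits (16 bytes)\n"
        unless $iv_hex =~ /\A[0-9a-fA-F]{32}\z/;
    return Crypt::CBC->new(
        -key         => pack( "H*", $KEY_HEX ),
        -cipher      => 'Rijndael',
        -iv          => pack( "H*", $iv_hex ),
        -literal_key => 1,         # use the 16 key bytes as-is, no hashing
        -keysize     => 16,        # AES-128
        -header      => 'none',    # IV arrives in the HTTP header, not the body
        -padding     => 'standard',
    );
}

# Decrypt a response body and gunzip it; returns the XML or dies with a reason.
sub decrypt_response {
    my ( $iv_hex, $body ) = @_;
    die "ciphertext is empty or not a multiple of 16 bytes\n"
        if !length($body) || length($body) % 16;
    my $gz = make_cipher($iv_hex)->decrypt($body);
    # A wrong IV garbles the first CBC block (a wrong key garbles all of
    # them), so the two GZIP magic bytes at the start are lost.
    die "decrypted data is not GZIP (wrong key or IV?)\n"
        unless defined $gz && substr( $gz, 0, 2 ) eq "\x1f\x8b";
    gunzip( \$gz => \my $xml ) or die "gunzip failed: $GunzipError\n";
    return $xml;
}

# Constructed stand-in for a server response (not real iTMS data).
my $iv_hex = "19953b75e9846ea59715be906cdca0c8";     # sample IV from the text
my $sample = "<results><item>constructed sample</item></results>";
gzip( \$sample => \my $gz ) or die "gzip failed: $GzipError\n";
my $body = make_cipher($iv_hex)->encrypt($gz);

print decrypt_response( $iv_hex, $body ), "\n";
eval { decrypt_response( "00" x 16, $body ) };       # IV from a different response
print "wrong IV: $@";
```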
iTMS-4-ALL.
iTMS-4-ALL is a Perl-based CGI script that pulls all of the aforementioned pieces together into a user-friendly package. The script can be installed on any web server that supports CGI and Perl and then accessed from any web browser. The user interface for searching the iTMS was shown earlier in . If you want to explore the script right away, you can download the code from http://hcsoftware.sourceforge.net/jason-rohrer/itms4all/. A live installation of the script is also available on that page, so you can search the iTMS from your browser without installing anything.
The HTML user interface generated by iTMS-4-ALL is basic by design: it works in all web browsers, including text-mode applications such as Lynx and the palmtop microbrowsers present on cell phones. Thus, iTMS-4-ALL not only unshackles iTMS searching from the officially supported iTunes platforms, it also enables searching away from the desktop. You can now browse the iTunes store while sitting on the bus.
Installing the script on your own web server is relatively painless. All necessary Perl modules are included with the download package, and a script is provided to compile the modules for your server's platform. After running the compilation script, you need to copy the files into your web server's cgi-bin directory. For example, if your server keeps CGI scripts in /httpd/cgi-bin, you would type:
cp -r itms4all.pl Crypt IO auto /httpd/cgi-bin
Finally, you need to make sure that your web server has permission to execute your script. For most common server setups, you can grant permission with the following command:
chmod o+x /httpd/cgi-bin/itms4all.pl
This command grants execution permission (x) to the other users (o), including your web server. Now you are ready to test the script. If your server had the address http://www.myserver.com, you could run the script by pointing your browser to http://www.myserver.com/cgi-bin/itms4all.pl.
—Jason Rohrer