We are finalizing Yandex. Station to watch YouTube

On Yandex.Stations, it’s inconvenient to watch YouTube. There are no recommendations, subscriptions and even the search does not work normally. Therefore, I wrote a telegram to the bot to send any video to it.

Under the cut, the story is how I did it despite the fact that there is no official open API .

How did it all start?

I am an engineer. I constantly study how different technologies and things work around, and also do a lot of interesting projects myself. When my friends gave me Yandex.Station, I reversed the activation protocol and developed the idea of ​​data transfer oriented to the wow-effect.

I have a stupid (not smart) TV, and as the main media console I use the Station. Everything is fine, but just watching YouTube is completely uncomfortable. You can’t log into your YouTube account, which means that there are no recommendations and subscriptions. In addition, video search in the Station, as I understand it, is carried out through Yandex.Video. Unfortunately, such a scheme does not work very well. Sometimes there are no videos even if you literally pronounce the name, and you can’t watch new videos at all until Yandex indexes them.

I almost came to terms with the fact that you can’t watch YouTube on the Station, but that all changed a couple of weeks ago.

What happened?

On Saturday morning, I decided to watch the last season of Silicon Valley. I went to Kinopoisk and saw the following:

After clicking on the button, the video flew to Yandex.Station and was played further there. Just like ChromeCast or AirPlay. Delight! But I was delighted not with the functionality itself, but with the potential opportunity to send any video to the station.

I forgot to think about the series - for the whole weekend I went into reverse engineering and development.

Let's get it right.

We open Kinopoisk or Yandex.Video in Chrome - there are excellent tools for web development. Find the desired button, right-click, select "Explore the item."

There’s a lot that can be learned there, but we are interested in what request is executed when this button is clicked. We go to the "Network" tab of the developer tools and look at the requests.

Yes, a lot of statistics fly off, but 2 interesting requests are immediately visible. These are devices_online_stats and station.

Get a list of devices

devices_online_stats - request active user devices. Simple get request. If you are authorized in Yandex, you can find out about your devices simply by opening the link in your browser:


What in the answer:

{ "items":[ { "icon":"https://avatars.mds.yandex.net/get-yandex-station/1540981/yandexstationicon/orig", "id":"************", "name":" ", "online":true, "platform":"yandexstation", "screen_capable":true, "screen_present":true } ], "status":"ok" } 

Interesting and quite intuitive. I replaced the Station ID in the example with asterisks just in case, but we will need it in the future.

Play video

A request to yandex.ru/video/station is sent using the POST method. Repeat it from the console, receiving the command as follows:

Run in the terminal and get the answer:

 { "status": "play", "msg": "success", "code": 1 } 

After a couple of seconds, the video starts at the station. Success!

We collect

I removed all the "extra" fields from the request so that it remains operational. To send video to the Station in the body and the headers of the POST request, you need to put only 4 parameters:

  • SessionID - authorization in Yandex
  • x-csrf-token
  • provider_item_id - link to the video (or identifier for some services)
  • device - The identifier of the device that we received earlier

What is x-csrf-token? We will not go deep now. It can be obtained simply by a GET request to frontend.vh.yandex.ru/csrf_token if you are authorized in Yandex.

At this point, I had already started wrapping everything in a Python script. As a result, the function for sending video to the station looks something like this:

 def sendToScreen(video_url): # Auth and getting Session_id auth_data = { 'login': config.login, 'passwd': config.password } s = requests.Session() s.get("https://passport.yandex.ru/") s.post("https://passport.yandex.ru/passport?mode=auth&retpath=https://yandex.ru", data=auth_data) Session_id = s.cookies["Session_id"] # Getting x-csrf-token token = s.get('https://frontend.vh.yandex.ru/csrf_token').text # Getting devices info TODO: device selection here devices_online_stats = s.get("https://quasar.yandex.ru/devices_online_stats").text devices = json.loads(devices_online_stats)["items"] # Preparing request headers = { "x-csrf-token": token, } data = { "msg": { "provider_item_id": video_url }, "device": devices[0]["id"] } if "https://www.youtube" in video_url: data["msg"]["player_id"] = "youtube" # Sending command with video to device res = s.post("https://yandex.ru/video/station", data=json.dumps(data), headers=headers) return res.text 

You may have noticed that I add the player_id field if a link from YouTube is sent. The fact is that there are several players on the Station with the codes youtube, vh and ott. By default, vh is used, but then the preview and the title of the video breaks. In addition, its state is not reset when the movie is changed, which often causes errors (Perhaps, not all fields in the request were “redundant”). The ott player, as I understand it, is used for streaming services, which means that in the future you can watch IPTV through the station.

What is the result?

Now I have a bot through which we send video from YouTube to the Station. Just click "Share" in the YouTube application and send the link to Bot. By the way, I called it “Box” and made a logo).

I did not make it public, so as not to collect logins and passwords. But you can deploy the same for yourself or modify it for OAuth authorization or sending videos from other sites. All sources are available on GitHub .

I wanted to make a browser extension to work just like AirPlay with any video, but I realized that it’s more convenient to send from the application from the phone. And for this scenario, a bot is better suited. Here is a video of his work:


When an engineer lacks functionality, he completes it himself. Now we really regularly use this bot - very convenient :)

Yandex developers, please do not break this request. This is not a vulnerability. Only works with authentication. And if you can - make the device API public - so much more can be done!

Thank you for reading my articles! I hope you were interested.

Good luck!

Source: https://habr.com/ru/post/479242/

All Articles