February 25, 2011

Subsonic music stream license.

I recently discovered Subsonic music streamer for my android (EVO) phone. I love it but that's not the point of this posting but rather how odd their licensing is. I realize they are trying to generate money but what they do, is force you to donate to get a license key.

OK, fine, I get that BUT the product is GPL. Is that even legal? Either way, I'm a software engineer so of course I start wondering. In a matter of minutes I found my way through there source and noticed all they are doing is MD5'ng the email. Really?? Come on guys.. MD5? Jez... Anyway for those of you that are in search of a crack or a hack. Just paste these key into the server.. I'm posting the source that I used to generate it.

foo@bar.com = f3ada405ce890b6f8204094deb12d8a8

SettingsService.java @ line 586

import java.security.MessageDigest;
import org.apache.commons.codec.binary.Hex;

public class License {
public static void main(String[] args) throws Exception {
MessageDigest md5 = MessageDigest.getInstance("MD5");
System.out.println( new String(Hex.encodeHex(md5.digest("foo@bar.com".getBytes("utf8")) )));
}
}

56 comments:

Anonymous said...

It works with a single shell command line under Unix (if you do not want to use Java code) :
echo -n foo@bar.com | md5sum
f3ada405ce890b6f8204094deb12d8a8 -

Paul said...

Yeah, I also found the marketing and 'donating' quite dodgy.

It's advertised as free and GPL, then after installing it, I find out it'll be useless to me after a 'trial' period after which the features I wanted would require a 'donation'.

I was rather annoyed at this.

Anonymous said...

I still suggest you make a donation if you use the program. Even if it's just $5. Make it worth his while to work on this. It's an excellent program. If he doesn't feel appreciated, improvements will cease.

patronanejo said...
This comment has been removed by the author.
patronanejo said...

Wow, I just 7-Zip unpacked every file in the Subsonic program folder (Windows 7 Ultimate), examining every potential config file for authentication values to overwrite with MD5'd attributes as you describe.

I finally figured it out after staying up all night. I'm sure the instructions "Just paste these key into the server.." weren't intended to be diabolically cryptic, but I'm glad they are.

In the end, I donated after I finally figured out what you were talking about. GPL or no, the developer deserves his green.

Popeen said...

Hi Kevin!

I acctually think it is legal for them to charge but Im not a 100% sure on this. Anyway I must agree with some of the comments that if you like the program you should donate BUT since they advertise themselves as a free program I also agree with you that people should be able to use it without donating. However I belive that your post might be kind of hard to understand for the non programmers that might be out looking for a free license. Therefor I thought I should tell them my way of getting it for free.

Just as you I quickly realized that they just used an md5 encryption. However instead of changing the source code for the program I made a PHP script that generated license codes.

For all of you out there that want a free subsonic license and dont have the programming skill to change the source code I recomend going to this website to simply generate one. No download is required.

http://subsonic.noads.biz/

And as I stated earlier it is my belief that if you like the program you should donate.

Regards
Popeen at www.MrPopeen.com

Anonymous said...

I agree that donating is a good thing, not only to support developers but also to keep development going. I've done so for other applications, but I shouldn't have to spend time installing and setting up a program, only to find out that I was misled.

I'm just a little less keen on paying a developer for his time, when he's just misled me into wasting my time if I don't consequently pay him.

Anonymous said...

I'm not sure if cracking a license is legal, however being open source, it IS completely legal for you to take the source code, remove the licensing and release your own unlocked version.

Sindre Mehus said...

Just a heads up, guys. Future versions of Subsonic will detect if you try to cheat the system as described above. Use it at your own peril.

Sindre Mehus
Subsonic developer

Kevin said...

Sindre Mehus,

Wow... Really? You're going to phone-home on ever startup? That seems harsh!!!

http://subsonic.svn.sourceforge.net/viewvc/subsonic/trunk/subsonic-main/src/main/java/net/sourceforge/subsonic/service/SettingsService.java?r1=2405&r2=2418

Anonymous said...

It's under GPL, so as long as he is releasing object code, he must continue to make source code available. If you don't like the licensing, nothing is stopping you from removing it, and re-posting the free version to sourceforge.

Anonymous said...

expect a fork and loss of control of the project if it stops working when there is no internet connection available to call home and validate license.

if only it was talked about as 'purchasing' advanced features or support like every other GPL based project that makes money rather than a 'donation' with which you get advanced features not available for free after the trial.

simple semantics. Still, for most people it's easier just to donate to get the key and this is a good model but for GPL code to be calling home and checking licensing sounds somewhat wrong.

I imagine though, those that helped write the various other projects he uses would expect a cut of the money too?

As I say, a donation is donation at despite the charity industry turning it into capitalism without tax.

Anonymous said...

http://www.gnu.org/licenses/gpl-faq.html#DoesTheGPLAllowMoney

Anonymous said...

He is absolutely allowed to charge a fee, phone home, and even include popups that call you an asshole if he so desires. The beauty of GPL is that you are allowed to take his code and change it any way you like to suit your needs (i.e. remove these "features") and redistribute

Anonymous said...

Just get the older version of the file from sourceforge svn and recompile SettingsService.java.

1. Find the webapps/subsonic/WEB-INF/classes/net/sourceforge/subsonic/service directory.
2. Delete the current SettingsService.class and put the downloaded older SettingsService.java file in it's place.
3. Then go back up to the subsonic/WEB-INF/classes directory.

then run javac with inclusion of libs and current directory into classpath... like the following.

javac -classpath .:../lib/commons-io-1.3.1.jar:../lib/commons-lang-2.1.jar net/sourceforge/subsonic/service/SettingsService.javasudo javac -classpath .:../lib/commons-io-1.3.1.jar:../lib/commons-lang-2.1.jar net/sourceforge/subsonic/service/SettingsService.java

This seems to work with latest version but at some future version you might have to take the latest version and comment the offending code shown by Kevin.

Kevin said...

I'm sure he can charge for it. GPL is extremely open.

However, I do respect the intentions of GPL and this is definitively not what Richard Stallman intended.

My point was that:

1) it just seems pointless given its all open source. It takes me much less time to read his code than it does for him to write it. He's opening himself up for a cat-and-mouse game.

For example, I'm pretty sure that is a very easy workaround for his latest fix. All you need to do is map his domain to a different IP and it won't ever be able to phone-home. The way it's written it looks like it only invalidates the license if the call is successful.

2) MD5 is an extremely lame license format. If you don't believe me, Google "MD5 rainbow table".

I'm hoping that Sindre Mehus sees my point here. He's put all this effort into making an good product. Either switch the license to non-GPL or just use the honor system.

piccolapatria said...

You can just replace the license stuff with "return true".

Anyway Sindre is free to ask a donation from people who wants a plug-and-play streaming server.

The others, able to hack the code, may probably be able to choiche ampache.

Anyway, please, try to understand that even floss people need to survive, and if you use subsonic you at least owe a beer to Sindre.

Peace,
R.

Anonymous said...

https://gist.github.com/1318300

Disables the license checking and phone-home validation.

Donations are a good thing, especially for a program of this caliber. But it should be an actual donation.

The Way said...

Hello. It may very well be legal under the GPL but I found the obvious bait-and-switch of it being marketed as being totally free and then all of a sudden you have to pay for it after the unmentioned trial period has expired to be quite insulting. I am a software developer and definitely find this to be ethically challenged and morally questionable. I have cracked my install of the software and will not be donating anything until the author changes the way the product is marketed. He can lie and take what he can squeeze from the poor people he's duped into giving him money and I'll be happy to use his software without paying the jerk a dime or he can tell the truth on his site, be up front about the trial period, treat his potential customers as they deserve, and I'll happily fork over $10, $15, $20+ dollars to support his honest efforts.

'Til then, crack on, crackers!

Anonymous said...

So this key stopped working with the 4.6 release...any help would be greatly appreciated

Anonymous said...

The newer versions of Subsonic have a phone home function. Originally, it just hashed your email. Now, it verifies your email with a license server. You have to disable the code that phones home (just have it return true).

Anonymous said...

So put simple for a wondowz moron- how does one crack the new system?

Anonymous said...

on osx:

in terminal just type:

cho -n some@email.com | md5

and you will see the output in the line under..

cheers :-)
Franksemi

Anonymous said...

echo -n some@email.com | md5

Anonymous said...

Here's how to defeat the call-home validation:
1. Setup an http server on the machine where you will be running Subsonic server. For Windows a good choice is UniServer.
2. In your http server's root directory replicate the Subsonic file structure: backend/validateLicense.view

To create the file validateLicense.view just make a plain text file named validateLicense.txt, put the word "true" in it, then change the file extension to ".view"

3. Open your hosts file and add the line: "127.0.0.1 subsonic.org"
The hosts file on Windows 7 is here: c:\Windows\System32\drivers\etc\hosts

What that does is vector any requests for subsonic.net to your local http server. When subsonic tries to validate the code it will always get the word "true" which causes the code to be accepted.

This code works OK:
e-mail: foo@bar.com
code: f3ada405ce890b6f8204094deb12d8a8

4. Finally, you need to change the port Subsonic server runs on to something other than your http server's port, which by default will be 80. For example, try running Subsonic server on port 8081 (avoid port numbers less than 1000). You can see a list of standard ports here:
http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers

Anonymous said...

In my how-to "subsonic.net" should have by been "subsonic.org".

What I meant by "your http server's root directory" is the directory where your index.html (or index.htm) file resides. It's the file that will be served when you enter "localhost" in a browser, so to be sure you got it right try modifying the index file and see if your changes are reflected when you reload "localhost". In that folder create the "backend" folder, and put the "validateLicense.view" file in it.

When you bring up "sonic.org/backend/validateLicense.view" in a browser you should see the plain text word "true".

Anonymous said...

Another fat-fingered typo crept in. Change that test link to "subsonic.org/backend/validateLicense.view"

Over and out.

Anonymous said...

Isn't blocking the call home as simple as blocking the addresses in a HOST file without the "true" setting?

I think I'd be more inclined to donate, if I wasn't forced to do so. Honestly. The app is very cool.

Note to Dev: Awesome effort, but please label this as shareware since people have to pay for continued use.

alex said...

Yes, it's legal for them to charge for it. But it's arguably amoral and definitely stupid. The biggest reason to love free software is the lack of incentive to include anti-user functionality. Licensing in an open source project is just asking for a fork.

It's also legal for us to modify the software to eliminate the check, and yes, it's legal for us to crack licence codes (since subsonic has no licence agreement other than the GPL, and can't legally have one *because* of the GPL)

I would personally have gladly donated in good faith to an open source project this awesome, but by doing this, they lose the "open source vibe," and my support.

Sindre is right that the app now phones home, so just use *his* licence key!
sindre@activeobjects.no - 308ed0af23d48f6d2fd4717e77a23e0c

Sindre: you can consider this a promise that, if you take out the licence key rubbish, I *will* donate $25 to the project. I'm not bullshitting. Feel free to contact me if necessary.

In the meantime I will probably just make a subsonic fork, keep up to date on any *useful* new features in subsonic, but gut all the bullshit.

alex said...
This comment has been removed by the author.
SR said...

Good I did not upgrade to 4.6! :)

I also got quite chocked when I saw ".org", "GPL license" and "trial period" in the same context... something really felt wrong...

Anonymous said...

I run your sources.
However, it seemed that a bug.
Javac is not as sweet, but the file.

Subsonic 4.6.

Please send the modified source.

Thank you.

Teno said...

Another side step to this issue is within the subsonic.properties file. Drop it into notepad. You will see expiration lines with a long stream of numbers. Those numbers are based in milliseconds from a date back 1960's or 70's. Increasing that number places the "trial" of the software to any end date you wish. I used 1599000000000 as the millisecond number which pushes my trial out to 2020.(That portion being server side.) On the android app just stop service and process and clear cache and app data in the application manager. So far, I have had no issue maintaining connection to my server past the 30 day mark without having to modify source code or donate.

Anonymous said...

Well actually for some reason the Dev's are using December 20, 1969 as a comparable date on the trial period. Just go ahead and take any desired data and subtract Dec 20, 1969 form it. Convert that time into milliseconds, and insert that into the expiration on the said *.properties file. That date will no be 'x' milliseconds away from 12/20/1969 which will be the new 'trial expiration' data.

Anonymous said...

now** and date**
..fail...
:)

Anonymous said...

Yeah, I’m looking on. Hate frauds like this, and the hacks do not seem 2 work /anymore.

Add's subsonic 2 my blacklist of * applications.

Kevin said...

I haven't tried this but you should be able to use the JVM acls to limit the socket permissions.


http://docs.oracle.com/javase/6/docs/technotes/guides/security/permissions.html#SocketPermission

Anonymous said...

https://github.com/Mach5/supersonic

free fork of subsonic

Kevin said...

Wow.. I just clicked over to https://github.com/Mach5/supersonic and was impressed with the effort that has gone into sharing this software. Nice work!

Jonathan Brown said...

Fraud? Deception? Totally within the GPL, and he clearly advertises on the front page that you need to donate to get advanced features such as streaming from devices such as Roku etc.

Anyone who tries to get out of donating $5 for this excellent software and is attempting to uses excuses such as this for being ignorant, cheap, childish, naive, selfish, etc (pick one or add your own) should be ashamed. You are all idiots. Yes it's easy to cheat it, but the reasons you are giving for not donating are simply wrong and inaccurate. Use supersonic or give the guy some coffee money. W T F

Kevin said...


re: Jonathan Brown.

I think you've missing the point. Sindre Mehus is more than welcome to charge whatever he wants for his software but he was one what that decided to use the GPL license. No one is cracking his software, doing anything dishonest, being cheap, naive, selfish, or whatever insults you want to call them. They have the legal right to do this all because HE picked GPL. He should have realized this when he invested all of his time into the software that he was giving away the value for free.

Now is someone is really bored, what they should do is look into what software library Sindre is using to build subsonic. Because most commonly, why a software is license under GPL is that it includes GPL software within it. If that is the case, then Sindre is actually the one who's stealing software!!!!







Hadir Mohamed Diaa said...

Hi, I'm Hadir. And I dont understand how to use any of these. Can someone please explain?
My email address is HMDEMN@live.com
Thanks in advance

Anonymous said...

I used the millisecond update after getting the error message about api expiration on my ios client.

eff anyone that masks a license purchase as a donation using open license development.

Sindre, develop properly and I would happily support your cause. What youre doing now isnt that. I will happily re-purpose your software within the rights of the open development and avoid your 'donation' (masked license).

Living In The Heaven said...

Thank's Very Much, cumulus13

Anonymous said...

i simply let /etc/hosts point subsonic.org point to localhost and added an "always return 'true'" script to my localhost apache...

Anonymous said...

I simply set "127.0.0.1 subsonic.org" in my /etc/hosts file to prevent any phoning home. Registering with any key works now.

Anonymous said...

Ya but when you try and register a server it doesn't work is there anyway to register this code and set up a server?

Jake said...

I put up a guide on how to easily modify the source to avoid the license check. Basically, you unpack the source and need to change one file. I also included a patch and build instructions. If you can use notepad and a command line, you should be able to make the change easily. Since it's GPL, it's completely allowed. Here's the link with detailed instructions:

Modify Subsonic to avoid license check

Anonymous said...

Get Subsonic Premium
115,625,029 day(s) left of trial

I would donate just like i donated for the rest of the software that i use on my home server but i don't like being pushed to do so.

Thad said...

I don't have a problem with paying for free software.

I DO have a problem paying for software that treats me like a criminal by phoning home every time I use it.

If the Subsonic devs were to spend less time on new and creative ways to spy on their customers, and more time fixing the regression bugs in the OSX version of their software (seriously, the current stable version of the software available for download on their site WILL NOT RUN AT ALL, and neither the current stable version nor the current beta will transcode correctly), I'd be a lot happier giving them my money.

Anonymous said...

thanks for this very helpful tip.

Anonymous said...

Does this method still work with the latest stable build 5.2.1 (build 4428)?

Anonymous said...

"Does this method still work with the latest stable build 5.2.1 (build 4428)?"

Yes it will.

Unknown said...

thanx Kevin!

kr, murlo

Anonymous said...

Doesn't work with 6.0 beta 2 anymore :(

Anonymous said...

We are the 25/01/2021 and it still work xD