I'm working in analyze the live tv streaming from TVB(HK)
Well known the url(s) to watch them are:
http://token.tvb.com/stream/live/hls/mobilehd_hdj.smil
http://token.tvb.com/stream/live/hls/mobilehd_j2.smil
http://token.tvb.com/stream/live/hls/mobilehd_inews.smil
We can directly watch by url(s) above in any apple native software(such as QuickTime, Safari) no matter in Mac or iOS. And also known they are using AppleCoreMedia framework. But it won't works in other platforms. You will get HTTP 200 but "access denied" in content. I analyzed all the traffic about it. I found that the HTTP request(by CoreMedia) to the endpoint(the server really provide video) contain a header:
x-playback-session-id: xxxxx
The video arrived instead of "access denied" message after I add the header manually(I tried in Chrome or Firefox), no matter what the user-agent is. But the problem occur is, I can't find any other place contain this header in earlier request(since it redirected a few times) in the traffic I dumped. So I'm curious what AppleMediaCore did when it playing http stream? Did it calculated a session id(or hash) or it got the id from somewhere i missed?
p.s. I'm not sure TVB do a IP check or not. Since they had a copyright or legal concern so maybe blocked to access from somewhere. You maybe need a VPN.
Finally I found the answer. The x-playback-session-id is a UUID comes from the AVPlayer Framework. But in fact this won't affect I got token or not. The real token is HTTP cookie.
Authorization process I found:
p.s. HLS from TVB for android has different process I haven't figure out. But I found that if user-agent contains "Android" then authorization will fail.