Skip to main content
XUI.one Install |Guide |Free

How XUI.one Verifies Licenses: Secrets Behind IPTV License Security

IPTVTools

How XUI.one Verifies Licenses: Secrets Behind IPTV License Security

If you're passionate about IPTV or developing custom solutions on top of XUI.one, understanding the licensing system is crucial. In this deep technical breakdown, we explore the full lifecycle of how XUI.one verifies licenses — from HWID collection to AES decryption and internal validation. Whether you're debugging, securing, or simply learning, this is the ultimate license flow guide for XUI.one users.


✅ COMPLETE LICENSE VERIFICATION FLOW IN XUI

🔹 1. Collecting Hardware Identity (HWID) Information

XUI.one gathers hardware and network-specific identifiers to verify its license:

{
  "uuid": "9d13e21e-1d7b-ca52-18d7-06a81fcbecab",
  "mac": "2c:4d:54:46:6b:bd",
  "ip": "94.130.37.247",
  "license_key": "cracked",
  "time": 1752229791
}

Data sources:

  • uuid: blkid -o value -s UUID
  • mac: ip link | awk '/ether/ {print $2}'
  • ip: getHostByName(getHostName())
  • license_key: Read from [XUI] in config.ini
  • time: UNIX timestamp via time()

🔹 2. Calling the verifyLicense(...) Function

Main PHP call:

Xui\Functions::verifyLicense($uuid, $mac, $ip, false);

This links to the C function zim_Xui_Functions_verifyLicense within the encrypted binary xui.so.


🔹 3. Accessing the License File

The binary accesses the local license stored at:

/home/xui/config/license

Process:

  1. Reads base64url-encoded first line
  2. Decrypts using AES-256-CBC with a hardcoded key & IV
  3. Parses JSON result containing uuid, mac, ip, time, license key

🔹 4. Validating HWID Fields

Each input value is validated against the decrypted license data:

  • input_uuid == license.uuid
  • input_mac == license.mac
  • input_ip == license.ip

Any mismatch results in rejection.


🔹 5. License Expiry Check

A timestamp comparison validates expiry:

if (decrypted_data.time < current_time - 31536000)
    return false;

This allows licenses valid up to 1 year.


🔹 6. Final Result

  • All fields match and license not expired → ✅ Valid
  • Any mismatch or outdated timestamp → ❌ Invalid

📂 Structure of /home/xui/config/license

<EhDZ... base64url string>
------ LICENSE FILE DATA -------
<multiple blocks of encrypted lines>
--------------------------------
  • First line: Encrypted JSON license block
  • Additional section: May hold extended or future-proofed payload

🔐 Encryption Details

  • Algorithm: AES-256-CBC
  • Key + IV: Hardcoded in binary
  • Input: JSON object with uuid, mac, ip, license key, time
  • Output: Base64url string used for verification

🧐 Summary: XUI License Verification Logic

Step Action
1 Extract uuid, mac, ip
2 Call verifyLicense()
3 Read encrypted license file
4 Decrypt and parse JSON
5 Match HWID and IP fields
6 Check timestamp validity
7 Return true or false

🧪 Sample Script to Extract License Info

<?php
$ini_file = '/home/xui/config/config.ini';
$license_key = 'unknown';

if (file_exists($ini_file)) {
    $config = parse_ini_file($ini_file, true);
    if (isset($config['XUI']['license'])) {
        $license_key = trim($config['XUI']['license'], "\"");
    }
}

$uuid = trim(shell_exec("blkid -o value -s UUID | head -n 1"));
$mac = trim(shell_exec("ip link | awk '/ether/ {print \$2; exit}'"));
$ip = getHostByName(getHostName());
$time = time();

$data = [
    'uuid' => $uuid,
    'mac' => $mac,
    'ip' => $ip,
    'license_key' => $license_key,
    'time' => $time
];

header('Content-Type: application/json');
echo json_encode($data, JSON_PRETTY_PRINT);