Move Fast and Roll Your Own Crypto: A Quick Look at the Confidentiality of Zoom Meetings
Figuring out Encrypted Video
In some packets, whose UDP payload started with 0x05100100, the RTP header typically encoded a type value of 98. In these packets, the RTP payload appeared to contain an H.264 video stream using the format in RFC 6184. In this format, the RTP payload is a collection of a number of NALUs (Network Abstraction Layer Units), which carry components of the video (e.g., various types of video frames, metadata on decoder settings, etc.). Some of the NALUs were fragmented using the RFC's scheme for “Fragmentation Unit A” (FU-A). We reassembled these into unfragmented NALUs. Per the RFC, every NALU has a “type value” indicating which component of the video it carries. In Zoom’s case, all of the NALU type values were set to zero, which is invalid per the RFC, so we suspected that the NALU payload was a format bespoke to Zoom.
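The FU-A reassembly and type-value check described above, as an added example that is not code from the original report. It also handles single-NALU and STAP-A packets from RFC 6184, which goes beyond the FU-A case in the text; the function names are this example's own, and the sample payloads are constructed rather than captured.

```python
FU_A, STAP_A = 28, 24  # RFC 6184 packet types

def nalu_type(nalu):
    """Type value: low 5 bits of the first NALU byte."""
    return nalu[0] & 0x1F

def reassemble_nalus(payloads):
    """RTP payloads (RTP header stripped, in sequence order) -> complete NALUs."""
    nalus, frag = [], None  # frag holds a fragmented NALU in progress
    for p in payloads:
        ptype = p[0] & 0x1F if len(p) >= 2 else None
        if ptype == FU_A:
            if p[1] & 0x80:  # S bit: first fragment
                # NALU header = F/NRI bits of FU indicator + type bits of FU header
                frag = bytearray([(p[0] & 0xE0) | (p[1] & 0x1F)])
            if frag is None:  # start fragment was lost: drop
                continue
            frag += p[2:]
            if p[1] & 0x40:  # E bit: last fragment
                nalus.append(bytes(frag))
                frag = None
            continue
        frag = None  # anything else interrupts a fragment run
        if ptype == STAP_A:  # aggregation: 16-bit size + NALU, repeated
            i = 1
            while i + 2 <= len(p):
                size = int.from_bytes(p[i:i + 2], "big")
                unit = p[i + 2:i + 2 + size]
                if size == 0 or len(unit) < size:
                    break  # truncated aggregate
                nalus.append(unit)
                i += 2 + size
        elif ptype is not None and ptype < 24:
            nalus.append(bytes(p))  # single NAL unit packet
    return nalus

# Constructed sample payloads (assumed for illustration, not captured traffic)
SAMPLE = [
    bytes.fromhex("6742001f"),  # single NALU, type 7
    bytes.fromhex("7c450102"),  # orphan FU-A end fragment (start missing)
    bytes.fromhex("7c80aabb"),  # FU-A start, inner type 0
    bytes.fromhex("7c00cc"),    # FU-A middle
    bytes.fromhex("7c40ddee"),  # FU-A end
]

if __name__ == "__main__":
    for n in reassemble_nalus(SAMPLE):
        flag = "  <- type 0: invalid per the RFC" if nalu_type(n) == 0 else ""
        print(nalu_type(n), n.hex() + flag)
```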