VideoHelp Forum



  1. Hi all, I've been trawling all over the forums and am really close to getting my encryption keys from the notaghost tool mentioned in other threads. I'm hoping you guys can help guide where I'm going wrong.

    The test video is on NPOstart, link:
    Code:
    https://www.npostart.nl/hoogvliegers/11-01-2020/VPWON_1290576
    I'd love to eventually get all the episodes in this series. But here's where I'm starting.

    I've gotten the mpd:
    Code:
    https://nl-ams-p14-am3.cdn.streamgate.nl/eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE2NDEyNzA0MDksInVyaSI6Ilwvdm9kXC9ucG9cL3VzcFwvVEVTVFwvbnBvXC9kYXNoX2NlbmNcL1ZQV09OXzEyOTA1NzZcL1ZQV09OXzEyOTA1NzZfdjE2MzI5MDY0ODcuaXNtIiwiY2xpZW50X2lwIjoiMTAzLjEzNy4xMi4xODkiLCJ2aWV3ZXIiOiIxZTlmZGMwZmFkZjI2M2ExNTBiNTA0NDE2MTRlNWNjYzE1ODM4Njk3IiwicmlkIjoiNDhjNDBmNSJ9.rih4xuojpvV4WxICSRk7uVCJayMbuPdqO351nlLBeFw/vod/npo/usp/TEST/npo/dash_cenc/VPWON_1290576/VPWON_1290576_v1632906487.ism/stream.mpd
    I've used yt-dlp to get the encrypted mp4 and m4a.

    So then I go to get the encryption key. I've already installed the script to get the PSSH:
    Code:
    AAAAXHBzc2gAAAAA7e+LqXnWSs6jyCfc1R0h7QAAADwIARIQBxNPjoxaFEYbA8VnUil4ZBoIdXNwLWNlbmMiGEJ4TlBqb3hhRkVZYkE4Vm5VaWw0WkE9PSoAMgA=
    And I believe I have found the widevine license link, this is where I'm unsure because there were several options. This is the only option that had a header and a payload tab, however, so I think I'm correct.
    License link:
    Code:
    https://npo-drm-gateway.samgcloud.nepworldwide.nl/authentication
    License Headers:
    Code:
    accept: */*
    accept-encoding: gzip, deflate, br
    accept-language: en-US,en;q=0.9
    cache-control: no-cache
    content-length: "5399"
    origin: https://start-player.npo.nl
    pragma: no-cache
    referer: https://start-player.npo.nl/
    sec-fetch-dest: empty
    sec-fetch-mode: cors
    sec-fetch-site: cross-site
    sec-gpc: 1
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36
    x-custom-data: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJucG8iLCJpYXQiOjE2NDEzNTY2NDYsImRybV90eXBlIjoid2lkZXZpbmUiLCJsaWNlbnNlX3Byb2ZpbGUiOiJ3ZWIiLCJjbGllbnRfaXAiOiI0NS4yNDguNzcuMTU4In0.72u7I6ISeFRN6lGptvXttgkOK-bhAq8iaMxrlJgu9Xo
    I've also watched the guide videos, and they tell me the only info from the headers I need is:
    Code:
    accept-encoding: gzip, deflate, br
    accept-language: en-US,en;q=0.9
    content-length: "5399"
    origin: https://start-player.npo.nl
    referer: https://start-player.npo.nl/
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36
    But when I run the tool, I get "Error 404: 400 Bad Request"
    I do not know why.
    If I use the longer header info above, I get "Error 404: 401 Authorization Required" instead.

    I tried to look in the "payload" tab to see if there was a json, but that data is all garbled and encoded, so I can't pull anything from it like the guide video says I should be able to. Am I missing another script that will read that? Possibly?

    I even attempted to run the api script in my machine, thinking maybe I needed to do that, but when I run:
    Code:
    curl https://www.npostart.nl/hoogvliegers/11-01-2020/VPWON_1290576 -d "{\"license\": \"https://npo-drm-gateway.samgcloud.nepworldwide.nl/authentication",\"pssh\":\"AAAAXHBzc2gAAAAA7e+LqXnWSs6jyCfc1R0h7QAAADwIARIQBxNPjoxaFEYbA8VnUil4ZBoIdXNwLWNlbmMiGEJ4TlBqb3hhRkVZYkE4Vm5VaWw0WkE9PSoAMgA="}" -H 'Referer:https://start-player.npo.nl/'
    I get this error message:
    Code:
    Invoke-WebRequest : Cannot bind parameter 'Headers'. Cannot convert the "Referer:https://start-player.npo.nl/" value
    of type "System.String" to type "System.Collections.IDictionary".
    At line:1 char:296
    + ... YkE4Vm5VaWw0WkE9PSoAMgA="}" -H 'Referer:https://start-player.npo.nl/'
    +                                    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidArgument: (:) [Invoke-WebRequest], ParentContainsErrorRecordException
        + FullyQualifiedErrorId : CannotConvertArgumentNoMessage,Microsoft.PowerShell.Commands.InvokeWebRequestCommand
    So that API seems totally unusable for me, and I don't know why either.

    As far as I can tell, I have everything necessary to generate the keys, and they are in the right places. Is that custom data important somehow? Is it a json or proxy info I need? Is there a formatting mistake I've made?
    Last edited by Ninjachado; 5th Jan 2022 at 14:56.
  2. Originally Posted by Ninjachado View Post
    I've also watched the guide videos, and they tell me the only info from the headers I need is:
    Code:
    accept-encoding: gzip, deflate, br
    accept-language: en-US,en;q=0.9
    content-length: "5399"
    origin: https://start-player.npo.nl
    referer: https://start-player.npo.nl/
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36
    x-custom-data is the payload. Why didn't you put this data in after watching the video guide?
  3. Hi,

    For npostart (and NLZiet) the only header you actually need is "X-Custom-Data". Although you still might want to include the others if you want, they are not required for it to work.

    Further, I am not sure why, but I haven't been able to get the tool by NotAGhost working for npostart / NLZiet but have for some other sites. Using my own CDM with WKS-key, just with that X-Custom-Data header, license server and the PSSH I am able to get the keys.
    Last edited by TonyChocolonely; 5th Jan 2022 at 17:40.
  4. Originally Posted by lomero View Post
    Originally Posted by Ninjachado View Post
    I've also watched the guide videos, and they tell me the only info from the headers I need is:
    Code:
    accept-encoding: gzip, deflate, br
    accept-language: en-US,en;q=0.9
    content-length: "5399"
    origin: https://start-player.npo.nl
    referer: https://start-player.npo.nl/
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36
    x-custom-data is the payload. Why didn't you put this data in after watching the video guide?
    I actually did include it in the json field during a few trials as I was trying to figure out what was wrong because it looked similar, but the tool still didn't work (still returned a 404: 400 Bad Request error whether I did it or not), so I assumed I was wrong. The video guide on Ghost's tool didn't show what to do with a source that had this custom-data field.
  5. Originally Posted by TonyChocolonely View Post
    Hi,

    For npostart (and NLZiet) the only header you actually need is "X-Custom-Data". Although you still might want to include the others if you want, they are not required for it to work.

    Further, I am not sure why, but I haven't been able to get the tool by NotAGhost working for npostart / NLZiet but have for some other sites. Using my own CDM with WKS-key, just with that X-Custom-Data header, license server and the PSSH I am able to get the keys.
    Okay, I'm going to sound really dumb here. I went and found the latest build of WKS-Key...but I have no idea how to install it or what to do with it. I just have a zip file full of python files. I tried to just point python at the directory, or asked scoop to install from the directory, but they both just give me errors. Python says there is no __main__ module in the directory. I've learned a half million other tools to get this far, I don't mind learning wks-keys as well, but I can't use it if I can't install it.
  6. Originally Posted by Ninjachado View Post
    Okay, I'm going to sound really dumb here. I went and found the latest build of WKS-Key...but I have no idea how to install it or what to do with it. I just have a zip file full of python files. I tried to just point python at the directory, or asked scoop to install from the directory, but they both just give me errors. Python says there is no __main__ module in the directory. I've learned a half million other tools to get this far, I don't mind learning wks-keys as well, but I can't use it if I can't install it.
    You should just run "python3 l3.py", it will then most likely throw some errors for missing packages which you will have to install with pip.

    That, however, is not the main obstacle: in order to use it you need a working Widevine L3 CDM (the one included in the version you downloaded has been revoked by Google). In order to get that you will need an (older) Android phone; for more details you can look here.

    If you really just want that season I could help you out by getting the keys / downloading the episodes for you.
  7. Originally Posted by TonyChocolonely View Post
    You should just run "python3 l3.py", it will then most likely throw some errors for missing packages which you will have to install with pip.

    That, however, is not the main obstacle: in order to use it you need a working Widevine L3 CDM (the one included in the version you downloaded has been revoked by Google). In order to get that you will need an (older) Android phone; for more details you can look here.

    If you really just want that season I could help you out by getting the keys / downloading the episodes for you.
    I knew the CDM would be the next obstacle, but I already possessed old android phones, so I was cautiously optimistic, so I was moving one layer at a time. However, it is beginning to seem like the CDM might be a bit too much of a hassle to get on my own, and that I'll stick to using the notaghost tool on sites it will function on.

    As for WKS-Keys: I tried to install l3.py and it did indeed kick up a bunch of requests to install, but it's now stuck in a loop. It tells me it needs a 'google' module. I tell pip to install said module. It does. Then I run the command again, and it says I still need the 'google' module. So I uninstalled my google module. Reinstalled it. Ran it again. Still says I need a 'google' module.

    If you would be kind enough to download them I'd greatly appreciate it. Don't feel obligated though.
  8. Originally Posted by Ninjachado View Post
    As for WKS-Keys: I tried to install l3.py and it did indeed kick up a bunch of requests to install, but it's now stuck in a loop. It tells me it needs a 'google' module. I tell pip to install said module. It does. Then I run the command again, and it says I still need the 'google' module. So I uninstalled my google module. Reinstalled it. Ran it again. Still says I need a 'google' module.

    Try pip3 install google (make sure you have updated pip)
  9. Originally Posted by Ninjachado View Post
    I've also watched the guide videos, and they tell me the only info from the headers I need is:
    I'm sorry if my video brought a bad conclusion like this. This wasn't "told" anywhere in the video. It's just that, that site, requires only those, or maybe even less, or maybe even none!
    Different sites might require different headers, some might require none!
    Originally Posted by Ninjachado View Post
    It tells me it needs a 'google' module. I tell pip to install said module. It does. Then I run the command again, and it says I still need the 'google' module. So I uninstalled my google module. Reinstalled it. Ran it again. Still says I need a 'google' module.
    The fix for this should be the first result for a Google search of "no module named google".
    click click2
    If I/my posts ever helped you, and you want to give back, send me a private message!
  10. Originally Posted by maicdy View Post
    Originally Posted by Ninjachado View Post
    As for WKS-Keys: I tried to install l3.py and it did indeed kick up a bunch of requests to install, but it's now stuck in a loop. It tells me it needs a 'google' module. I tell pip to install said module. It does. Then I run the command again, and it says I still need the 'google' module. So I uninstalled my google module. Reinstalled it. Ran it again. Still says I need a 'google' module.

    Try pip3 install google (make sure you have updated pip)
    No such module......

    Code:
    pip install google-api-python-client
    Your next error will be "no module named Cryptodome"

    Code:
    pip install pycryptodomex
    Last edited by codehound; 6th Jan 2022 at 08:17.
  11. Originally Posted by TonyChocolonely View Post
    Hi,
    Further, I am not sure why, but I haven't been able to get the tool by NotAGhost working for npostart / NLZiet but have for some other sites. Using my own CDM with WKS-key, just with that X-Custom-Data header, license server and the PSSH I am able to get the keys.
    I am running into the same issue, getting a 401 response code when using NotAGhost's tool. Would you be willing to provide some hints for manually getting keys without using this web tool? So far I know how to get the PSSH, mpd stream, license URL, how to download an encrypted stream and how to decrypt that stream given a key. Also, I've extracted a CDM from an Android phone using wvdumper/dumper but I don't know where to go from here.
  12. Originally Posted by TonyChocolonely View Post
    Hi,
    I am running into the same issue, getting a 401 response code when using NotAGhost's tool. Would you be willing to provide some hints for manually getting keys without using this web tool? So far I know how to get the PSSH, mpd stream, license URL, how to download an encrypted stream and how to decrypt that stream given a key. Also, I've extracted a CDM from an Android phone using wvdumper/dumper but I don't know where to go from here.
    You need to download a tool to get the keys such as WKS-keys and replace the standard (revoked) CDM with your own. Then you have to install the required python dependencies, put the required headers in the headers.py file and then just call python3 l3.py which asks you for the PSSH and licence server.
  13. Originally Posted by DistractedCactus View Post
    Originally Posted by TonyChocolonely View Post
    Hi,
    I am running into the same issue, getting a 401 response code when using NotAGhost's tool. Would you be willing to provide some hints for manually getting keys without using this web tool? So far I know how to get the PSSH, mpd stream, license URL, how to download an encrypted stream and how to decrypt that stream given a key. Also, I've extracted a CDM from an Android phone using wvdumper/dumper but I don't know where to go from here.
    You need to download a tool to get the keys such as WKS-keys and replace the standard (revoked) CDM with your own. Then you have to install the required python dependencies, put the required headers in the headers.py file and then just call python3 l3.py which asks you for the PSSH and licence server.
    Thanks for the response. This is what I've tried, however the license server keeps returning 401 unauthorized. I'm not sure what to put for `x-custom-data`, simply copy pasting the value from a browser doesn't work. About half of it seems to be json, the other half incomprehensible binary data.
  14. Member, Join Date: Feb 2022, Location: Europe
    x-custom-data is added as a request (POST) header, and is some base64-encoded string starting with ey...... That is all that should be needed for NPO to get a valid license.
    You can find it on the API page (the page where the MPD is shown as well), and it is under a key called httpRequestHeaders.
    It's one of the requests to start-player.npo.nl and calls something called streams.

    I haven't got it to work with getwvkeys and I don't use WKS-Keys so can't help you configure that, but with a valid L3 CDM and the x-custom-data correctly added it should work fine.
  15. It's indeed base64, actually 2 separate base64 encoded strings separated by dots followed by something else. I won't post an example here in case it contains private info (even though imo very unlikely).
    The first part decodes to:
    Code:
    {"typ":"JWT","alg":"HS256"}
    The second part roughly decodes to:
    Code:
    {"iss":"npo","iat":1645741926,"drm_type":"widevine","license_profile":"web","client_ip":"<insert ip here>"}
    Just a timestamp and client info, nothing important.

    The last part is what's confusing me. It's 43 characters, not base64 (contains _-). It's not tied to a video, simply refreshing the page makes it do the request with a new set of "random" characters.

    Your clue that it is included in the start-player.npo.nl/video/<id>/streams response is actually very helpful. While the request requires the first two json data bits, it doesn't require the random data bit and seems to introduce it for the first time. Once I figure out what other parameters the streams request requires, I should be able to change WKS-Keys to perform this additional request before doing its main thing.
  16. Member, Join Date: Feb 2022, Location: Europe
    That last bit is probably the CRC / hash for the HS256 part of the B64 string.
    That is what makes it impossible to change that base64 string: any change you make inside is impossible without knowing the secret for the HS256 part.
    But no changes are needed if you use the one from start-player.npo.nl.
  17. Member k2000, Join Date: Jan 2022, Location: Canada
    WKS-KEYS

    Headers
    Code:
    headers = {
        'authority': 'npo-drm-gateway.samgcloud.nepworldwide.nl',
        'sec-ch-ua': '" Not A;Brand";v="99", "Chromium";v="98", "Google Chrome";v="98"',
        'x-custom-data': 'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJucG8iLCJpYXQiOjE2NDU3NzI2NjIsImRybV90eXBlIjoid2lkZXZpbmUiLCJsaWNlbnNlX3Byb2ZpbGUiOiJ3ZWIiLCJjbGllbnRfaXAiOiIxODUuMTg3LjI0My43MSJ9.ddInV-6QZaDJxVESxCxfb7xKeCee9_9LS3012wsQkAQ',
        'sec-ch-ua-mobile': '?0',
        'user-agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36',
        'sec-ch-ua-platform': '"Windows"',
        'accept': '*/*',
        'origin': 'https://start-player.npo.nl',
        'sec-fetch-site': 'cross-site',
        'sec-fetch-mode': 'cors',
        'sec-fetch-dest': 'empty',
        'referer': 'https://start-player.npo.nl/',
        'accept-language': 'fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7,es;q=0.6',
    }
    pssh
    Code:
    AAAAXHBzc2gAAAAA7e+LqXnWSs6jyCfc1R0h7QAAADwIARIQBxNPjoxaFEYbA8VnUil4ZBoIdXNwLWNlbmMiGEJ4TlBqb3hhRkVZYkE4Vm5VaWw0WkE9PSoAMgA=
    License
    Code:
    https://npo-drm-gateway.samgcloud.nepworldwide.nl/authentication
    Keys
    Code:
    --key 07134f8e8c5a14461b03c56752297864:69c9ec8c55dc340059ed0b131eedbba2
    Last edited by k2000; 25th Feb 2022 at 01:16.
  18. Originally Posted by DistractedCactus View Post
    It's indeed base64, actually 2 separate base64 encoded strings separated by dots followed by something else. I won't post an example here in case it contains private info (even though imo very unlikely).
    The first part decodes to:
    Code:
    {"typ":"JWT","alg":"HS256"}
    The second part roughly decodes to:
    Code:
    {"iss":"npo","iat":1645741926,"drm_type":"widevine","license_profile":"web","client_ip":"<insert ip here>"}
    Just a timestamp and client info, nothing important.

    The last part is what's confusing me. It's 43 characters, not base64 (contains _-). It's not tied to a video, simply refreshing the page makes it do the request with a new set of "random" characters.

    Your clue that it is included in the start-player.npo.nl/video/<id>/streams response is actually very helpful. While the request requires the first two json data bits, it doesn't require the random data bit and seems to introduce it for the first time. Once I figure out what other parameters the streams request requires, I should be able to change WKS-Keys to perform this additional request before doing its main thing.
    That is how JWTokens work (https://jwt.io/): it's a SHA- or RSA-hashed verify field using a secret/salt.

    If you knew their secret you could create your own requests, but that is the point of it: that you can't forge them.

    Anyway, like any other hash the only way to 'crack' it is brute-force and that becomes more or less impossible if and when they use the suggested secret length.
    Some sites have been known for creating the token on client side and if that's the case you can absolutely get the secret, but if it's in a server side response, you're probably out of luck.
    Quote Quote  
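As an added illustration of the token structure discussed in the last few posts (not part of any post and not code from the tools named in the thread): a hypothetical server-side validator for an HS256 JWT carrying the claim names decoded above, showing why the third part is 43 characters and why an edited payload is rejected. The secret, timestamps, addresses and the 300-second freshness window are constructed assumptions; how the real service validates its tokens is not stated on this page.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-secret-0123456789abcdef"  # constructed, not a real key

def b64url(data: bytes) -> str:
    """base64url without '=' padding, the encoding JWT uses for all three parts."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def encode_part(obj: dict) -> str:
    return b64url(json.dumps(obj, separators=(",", ":")).encode())

def sign(claims: dict, secret: bytes = SECRET) -> str:
    signing_input = encode_part({"typ": "JWT", "alg": "HS256"}) + "." + encode_part(claims)
    mac = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(mac)  # 32-byte MAC -> 43 characters

def verify(token: str, *, now: int, client_ip: str, secret: bytes = SECRET,
           max_age: int = 300) -> dict:
    """Return the claims, or raise ValueError naming the first failed check."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(head_b64))
    except ValueError:
        raise ValueError("malformed token") from None
    # Pin the algorithm; never let the token choose how it is verified.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    mac = hmac.new(secret, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    # Constant-time comparison of the presented and recomputed signatures.
    if not hmac.compare_digest(sig_b64.encode(), b64url(mac).encode()):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body_b64))  # parsed only after the MAC checks out
    iat = claims.get("iat")
    if not isinstance(iat, int) or not 0 <= now - iat <= max_age:
        raise ValueError("stale token")
    if claims.get("client_ip") != client_ip:
        raise ValueError("client_ip mismatch")
    return claims

def outcome(token: str, **ctx) -> str:
    """'ok' or the name of the check that rejected the token."""
    try:
        verify(token, **ctx)
        return "ok"
    except ValueError as exc:
        return str(exc)

# Constructed claims with the same keys as the payload decoded in the thread.
CLAIMS = {"iss": "npo", "iat": 1700000000, "drm_type": "widevine",
          "license_profile": "web", "client_ip": "192.0.2.10"}
TOKEN = sign(CLAIMS)
HEAD, BODY, SIG = TOKEN.split(".")
# Same header and signature, payload edited to another address.
TAMPERED = f"{HEAD}.{encode_part({**CLAIMS, 'client_ip': '198.51.100.7'})}.{SIG}"

if __name__ == "__main__":
    print(len(SIG), outcome(TOKEN, now=1700000060, client_ip="192.0.2.10"))
    print(outcome(TAMPERED, now=1700000060, client_ip="198.51.100.7"))
    print(outcome(TOKEN, now=1700000060, client_ip="198.51.100.7"))
    print(outcome(TOKEN, now=1700009999, client_ip="192.0.2.10"))
```

The `-` and `_` characters seen in the third part come from the URL-safe base64 alphabet, which replaces `+` and `/`.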


