Seems to just depend on Android version from what I've seen. I've read that one could modify wvdumper for devices not supported out of the box, but I haven't understood how.
Do you know if any of the following is either factory rooted or easy to root, and then if Frida and wvdumper will work?
Check xda forums.
I believe there is root for a few of them; however, anything updated often isn't rootable. You need to not have the latest updates.
I'm pretty sure I've seen some updates about the Chromecast being rootable but 2020 or 2021 software. I believe all those exploits are software based so as I mentioned you can't have an updated device.
Also not sure the existing leaked script works to dump L3 at or above Android 11 even with making modifications to the js.
-
-
Word of warning if you haven't done this before about using it after you've attempted a dump: if you can't afford to brick the device - don't use it. There's a good chance you may if you are a first timer as things can, and do, go wrong.
The device suggested by Angela is not only very cheap, it's also pre-rooted. (There will still be the older model available in some stores and marketplaces.)
Last edited by codehound; 3rd Oct 2022 at 10:23.
-
I've rooted/modded many Android smartphones (and Windows Mobile devices before that!) and I'm aware of the risks, but I second your warning, thank you!
-
But you're on getwvkeys asking "I'm new to the thing and there's something I need help with. On my first attempt I can't find the MPD, so can't find the PSSH. Can someone help me understand how it works?"
You'll get booted on there for asking basic wv stuff that's non-getwvkeys related.
And without your own cdm....
If you need help with the basics, just ask or discord me. Or vegeta, Angela, Lomero, LZAA, Cedric or Elcap. We all had to learn (still learning)
Last edited by codehound; 3rd Oct 2022 at 17:57.
-
What I'm saying is that I'm new to DRM decrypting, but not to Android rooting and flashing.
But I thank you very much for your invitation to DM you on Discord. I'm quite tech-savvy but indeed I need some help with the basics of Widevine.
In the meantime I hope that I'll find an alternative Android TV box and that I'll be able to share my findings with the community. -
Hi all
I've tried the instructions exactly as described, with the same device mentioned (T95 S1, Android 7).
It seems to find libmediadrm successfully:
Code:Helpers.Scanner - 87 - INFO - Running libmediadrm.so at 0xefd4b000
Code:Hooks has been completed
-
Waste of time changing Python. Did you follow the instructions or your own riff on the instructions - like python versions?
It does work. It has worked for many people. It may take many attempts. When at the hooks completed stage try refreshing the page with 'shift' while mouse clicking refresh - that will cause a full page re-load and your completed hooks into the processes running may capture what you need. Use bitmovin! -
-
-
Okay, got it to work.
I checked
Code:adb logcat
After setting
Code:setenforce 0
Thanks for the assist -
-
-
This may fall outside the scope of what's doable currently, but I'm having my own trouble getting my device keys. I've gotten my hands on a T95 box but I think of a different brand than the recommended S1 model, plus it has Android 10 on it. That said, it is rooted and I successfully got Frida Server 15.1.17 working on it as root, and the updated version of the dumper for Android 10/11/12 does seem to communicate successfully with the box and has the right prerequisites installed, but doesn't proceed from where it says "Functions Hooked, load the DRM stream test on Bitmovin!"
My understanding is some of this can be a bit finicky and it can be a question of luck or timing in terms of how to load the bitmovin demo site and the dump_keys.py script relative to one another. There definitely seems to be some sort of communication going on, though, as the Widevine DRM video loads and plays successfully, and if I load the script while the demo video is playing it does cause playback to error out when it hooks into various functions; if I refresh the Chrome page while holding shift I can play the video fine but get no reaction from the dumper script. In fact the script never responds even if I do something drastic like shut down frida-server. Here's what I've noted:
There is no message about hooking into anything if Chrome is closed, it just asks to load the site but never shows anything from there no matter what I do in terms of opening Chrome and going to the bitmovin site. If Chrome is open before I load the script, it hooks into a variety of things including libwvhidl.so, lowidrgv and a bunch of what appears to be randomly named things.
Is it just a matter of constantly trying until the planets align, or is there other stuff I could investigate to get this dump to work? I tried the "setenforce 0" command mentioned earlier but still nothing, have tried a few dozen times now. Thanks. -
Pretty much. Planets aligned and feet in a bucket of seaweed certainly makes a difference!
You might try another site with DRM media to prevent boredom! And you've set the CDM_VERSION in script.js in the Helpers folder? I'm not sure how necessary that is though. The app 'DRM Info' will tell you the value if you haven't set it already.
Many, many tries may be needed. I started afresh each time on an older box and it took a few days having a few tries and coming back another time. There are many reports that the new dumper with a better script.js is working well - but not for everyone. I tried getting an Android Emulator to dump over the weekend with no luck either - but I did see more than just Hooks completed.
Android 10 is certainly doable! -
OK I did make one odd discovery.
I rolled back to an earlier version of that script and got some progress, I got a much cleaner set of hooks including PrepareKeyRequest and UsePrivacyMode. This time, when I refreshed and played the video, I immediately got DEBUG: Retrieved key followed by a lengthy key (I'm not sure if this is in theory all I would need). However, the script then failed with what appear to be some Python errors ending in AttributeError: 'NoneType' object has no attribute 'n'.
I was able to update to Frida Server 16.0.1, including updating the python components on the PC's end, but still have the same issue. Not sure if it's a python script code issue or something else. I'll have a look at script.js, although I did check my DRM and it's correct for Android 10 (CDM 15). -
-
That's where it gets weird, though. So here's a more detailed breakdown of what's happening:
- Most recent version of the script, from 3 days ago, seems to hook into randomly named functions, about 30 in all, and I don't think actually intercepts what it should be intercepting correctly as a result so it never responds to the key being loaded through Chrome.
Code:
2022-10-10 04:39:34 PM - Helpers.Device - 56 - INFO - Hooking libwvhidl.so at 0xab208000
2022-10-10 04:39:34 PM - Helpers.Device - 56 - INFO - Hooked lowidrgv at 0xab3accd5
2022-10-10 04:39:34 PM - Helpers.Device - 56 - INFO - Hooked jwfhubxj at 0xab3acb41
2022-10-10 04:39:35 PM - Helpers.Device - 56 - INFO - Hooked gsxkjifu at 0xab3ad01d
2022-10-10 04:39:35 PM - Helpers.Device - 56 - INFO - Hooked hznjcdnw at 0xab3acad1
2022-10-10 04:39:35 PM - Helpers.Device - 56 - INFO - Hooked bmhdajlc at 0xab3ae19d
2022-10-10 04:39:35 PM - Helpers.Device - 56 - INFO - Hooked cmzcexfb at 0xab4a1524
2022-10-10 04:39:35 PM - Helpers.Device - 56 - INFO - Hooked atbbttgc at 0xab3ac789
2022-10-10 04:39:35 PM - Helpers.Device - 56 - INFO - Hooked sqainylf at 0xab3ac9e5
2022-10-10 04:39:35 PM - Helpers.Device - 56 - INFO - Hooked rhtqbhpx at 0xab3ac911
2022-10-10 04:39:35 PM - Helpers.Device - 56 - INFO - Hooked qqdhbbli at 0xab3ace8d
2022-10-10 04:39:35 PM - Helpers.Device - 56 - INFO - Hooked ggzbboev at 0xab3ae115
2022-10-10 04:39:35 PM - Helpers.Device - 56 - INFO - Hooked _ZN5wvcdm10CdmLicense17PrepareKeyRequestERKNS_18InitializationDataENS_14CdmLicenseTypeERKNSt3__13mapINS5_12basic_stringIcNS5_11char_traitsIcEENS5_9allocatorIcEEEESC_NS5_4lessISC_EENSA_INS5_4pairIKSC_SC_EEEEEEPSC_SM_ at 0xab2d9469
2022-10-10 04:39:35 PM - Helpers.Device - 56 - INFO - Hooked sidbkfkn at 0xab3adb99
2022-10-10 04:39:35 PM - Helpers.Device - 56 - INFO - Hooked iizttqvt at 0xab3acaf9
2022-10-10 04:39:35 PM - Helpers.Device - 56 - INFO - Hooked bqoddeag at 0xab3ad8a9
2022-10-10 04:39:35 PM - Helpers.Device - 56 - INFO - Hooked _ZN5wvcdm10Properties14UsePrivacyModeERKNSt3__112basic_stringIcNS1_11char_traitsIcEENS1_9allocatorIcEEEE at 0xab32def1
2022-10-10 04:39:35 PM - Helpers.Device - 56 - INFO - Hooked ycfidvov at 0xab3ad551
2022-10-10 04:39:35 PM - Helpers.Device - 56 - INFO - Hooked oezgjqgm at 0xab3acb11
2022-10-10 04:39:35 PM - Helpers.Device - 56 - INFO - Hooked ykndkmro at 0xab3ac865
2022-10-10 04:39:35 PM - Helpers.Device - 56 - INFO - Hooked yvnaonxx at 0xab3ae035
2022-10-10 04:39:35 PM - Helpers.Device - 56 - INFO - Hooked bacptgax at 0xab4a6240
2022-10-10 04:39:35 PM - Helpers.Device - 56 - INFO - Hooked ypjgcauj at 0xab3ad1d5
2022-10-10 04:39:35 PM - Helpers.Device - 56 - INFO - Hooked kqzqahjq at 0xab3ae2ed
2022-10-10 04:39:35 PM - Helpers.Device - 56 - INFO - Hooked psjgupwz at 0xab3ae291
Code:
2022-10-10 04:41:28 PM - Helpers.Device - 57 - DEBUG - Retrieved key: (LENGTHY RANDOM TEXT WAS HERE)
Traceback (most recent call last):
  File "C:\Users\localadmin\AppData\Local\Programs\Python\Python310\lib\site-packages\frida\core.py", line 418, in _on_message
    callback(message, data)
  File "C:\Users\localadmin\Downloads\dumper-main\Helpers\Device.py", line 49, in on_message
    self.license_request_message(data)
  File "C:\Users\localadmin\Downloads\dumper-main\Helpers\Device.py", line 63, in license_request_message
    self.export_key(cur, root.Msg.ClientId)
  File "C:\Users\localadmin\Downloads\dumper-main\Helpers\Device.py", line 28, in export_key
    f'{self.name}/private_keys/{system_id}/{str(key.n)[:10]}'
AttributeError: 'NoneType' object has no attribute 'n'
Last edited by washizu; 10th Oct 2022 at 16:01.
-
See post #167!
How's your python? Error messages are a bit inscrutable but likely indicates nothing returned when it expected something.
Did I say see post #167? -
-
-
The reason you're getting a "cleaner" hook message is because the message was previously hardcoded and the script now returns the module name that was actually hooked.
The reason the old version of the script is only hooking those two functions is because you haven't updated the "DYNAMIC_FUNCTION_NAME", it's an empty string by default. If you want to use the older version, you will need to find the correct function name and update this variable.
The output you've provided for the new script is what I would expect. It's hooked every function it believes it could be (a-z regex).
If you look at the source you will see that "UsePrivacyMode" is hooked so it can be overridden with a no-operation return value to prevent the payload from being encrypted with the server certificate. The "PrepareKeyRequest" function is used to retrieve your device information (blob). The final function that needs to be hooked is used to retrieve your private key. This function is unique to the "libwvhidl.so" on your device; however, other devices may have the same build version of this file, which means they will also have the same function name. There is only 1 correct function name out of the "30" that have been hooked.
I was initially against hooking every function like this because I believed the lib had trap functions that would prevent the key from being dumped when hooked (I was unable to dump a key when hooking one of the "trap" functions); however, others appear to have had better luck, and I haven't had an issue since, so I thought it may have been a red herring. If you PM me your "libwvhidl.so" file, I will provide you with the correct function name.
Restart your device > run Frida as root > run the script > load the bitmovin drm test page on chrome and click load
You can also kill Frida, kill the script, force stop chrome (hold down on the app > force stop) and then start frida > start the script > load the drm test site -
Good to know, thank you for the information. I'll keep trying with the latest version of the script. So far I haven't gotten it to actually do anything after requesting the Bitmovin site to be loaded, I guess because it's not getting the full key dump (similar to why the earlier version errors out). Might have just not gotten the luck yet, or this box is doing something weird.
Is there any point in trying different versions of frida/frida-server/frida-tools or does it not create a difference for what's going on here? -
You need to use the Frida server that was built for your architecture, presumably https://github.com/frida/frida/releases/download/15.2.2/frida-server-15.2.2-android-arm64.xz, I don't believe the version matters.
I will look at adding some debug statements to the script to make it easier to figure out what's going on, you could modify your local version to do the same. I will also add the option to override the a-z regex to allow you to provide the correct function name in case there are trap functions. -
After analyzing your libwvhidl.so file I can see that your architecture is x86 ARM - use https://github.com/frida/frida/releases/download/16.0.1/frida-server-16.0.1-android-arm.xz.
The function name you need is 'kqzqahjq'.
Either modify the latest version of the script if you know what you're doing or use the older version and update DYNAMIC_FUNCTION_NAME.
Code:const DYNAMIC_FUNCTION_NAME = 'kqzqahjq'
Or restart your device and do the above. -
Great! Ran it through the older version of the script with that DFN you provided and it seems to have worked, got a client_id.bin and private_key.pem file, 2 kilobytes each.
Thank you very much for your help! -
Could we dump rsa key using emulator(it's showing that it has widevine cdm) ?
-
Yes, people do. Use an emulator without Google Play and be sure to root the device. Don't emulate anything too modern. I tried and found the most up to date version of Magisk didn't allow system access. So choose a Magisk before TopJohnWu, its creator, decamped to Google Inc.
-
-