VideoHelp Forum


  1. I am learning the way to get the Widevine key to decrypt the video.

    I got the CDM files, including client_id.bin and private_key.pem, and also created a wvd file.
    But the request to the Widevine server is complex and it changes from time to time, so it's difficult to simulate.

    With the network capture, I can see the Widevine request, including the header, the body and also the returned response.
    My question is: Can we use that captured data and the CDM files to decode the request and get the session id and other information, then again decode the response to get the keys? Or do we have a way to hook that process inside Android and print out the decrypted keys?

    Thank you very much!
  2. aqzs (Member, joined Mar 2024, Paris)
    You can't do that since the challenge isn't generated by pywidevine but by your browser CDM.
    Share the license curl here.
    Everything can be reproduced, even the fastevo payload-encoded one or the vudu websocket one.
  3. No, you can't handle the challenge and response from the browser if you have no Chrome CDM.

    Usually we capture the request and write it to a Python script and use the challenge from our own CDM, send the request and parse the response using the CDM again.
  4. Originally Posted by aqzs
    You can't do that since the challenge isn't generated by pywidevine but by your browser CDM.
    Share the license curl here.
    Everything can be reproduced, even the fastevo payload-encoded one or the vudu websocket one.

    Thank you for your quick response.
    The request includes custom-data that changes from time to time. I tried to use that same data and got banned from the DRM server.

    Let me decompile the app to find out the way. Is it possible?
  5. Originally Posted by shellcmd
    No, you can't handle the challenge and response from the browser if you have no Chrome CDM.

    Usually we capture the request and write it to a Python script and use the challenge from our own CDM, send the request and parse the response using the CDM again.

    I forgot to mention, I got the CDM files and the network capture at the same time with an Android simulator (using keydive to get the CDM and a tool to capture the network), so they all belong to 1 Widevine request.
  6. aqzs (Member, joined Mar 2024, Paris)
    Originally Posted by anphunl
    The request includes custom-data that changes from time to time. I tried to use that same data and got banned from the DRM server.

    Let me decompile the app to find out the way. Is it possible?

    Is it a web app or a mobile app? You have to figure out where the custom data comes from. Try base64 decode, maybe it's a hash signature or maybe AES-encrypted data.
    Sharing more info would help us help you. Reversing a mobile app isn't an easy task.

    Originally Posted by anphunl
    I forgot to mention, I got the CDM files and the network capture at the same time with an Android simulator (using keydive to get the CDM and a tool to capture the network), so they all belong to 1 Widevine request.

    You don't need to capture a CDM with a special request, the bitmovin one will give the same result as another. Which tool did you use to capture the network? You can't be root on an emulator (I may be wrong but I never managed to be root on an emulator and install a custom cert that would allow me to SSL proxy HTTPS requests)
  7. Originally Posted by aqzs
    Originally Posted by anphunl
    The request includes custom-data that changes from time to time. I tried to use that same data and got banned from the DRM server.

    Let me decompile the app to find out the way. Is it possible?

    Is it a web app or a mobile app? You have to figure out where the custom data comes from. Try base64 decode, maybe it's a hash signature or maybe AES-encrypted data.
    Sharing more info would help us help you. Reversing a mobile app isn't an easy task.

    It's an Android app and I already decoded the custom-data with Base64 to see the JSON object. It's something like this:
    Code:
    {
      "userId": "125458",
      "sessionId": "eyJhbGciOiJIUzI1NiJ9.eyJqdGkiOiIyNTA1MzUyOTAiLCJzZGkiOiJ7XCJ1c2VyXCI6XCIyNTA1MzUyOTBcIixcIm1lcmNoYW50XCI6XCJ2aWV0dGVsdmFzXCIsXCJhc3NldFwiOlwidnR2Y2FiM19oZF81MGZwc1wifSIsImlhdCI6MTcyNDkyMzAxNSwiZXhwIjoxNzI1NTIzMDE1fQ.eeYjyqPd1pQiTL0z9YxRnhg9g8eaJm9y2PO-eHgnUd8",
      "reqId": "df1a606a-1d52-d605-cff9-32c3bc268176",
      "deviceInfo": "{\"signature\":\"C7E1E476CBC1AB070EAE801654D3A064853F4AD3\",\"appVersionCode\":426,\"appVersion\":\"4.2.1\"}"
    }
    I think the reqId changes from request to request.
  8. aqzs (Member, joined Mar 2024, Paris)
    Originally Posted by anphunl
    It's an Android app and I already decoded the custom-data with Base64 to see the JSON object. It's something like this:
    Code:
    {
      "userId": "125458",
      "sessionId": "eyJhbGciOiJIUzI1NiJ9.eyJqdGkiOiIyNTA1MzUyOTAiLCJzZGkiOiJ7XCJ1c2VyXCI6XCIyNTA1MzUyOTBcIixcIm1lcmNoYW50XCI6XCJ2aWV0dGVsdmFzXCIsXCJhc3NldFwiOlwidnR2Y2FiM19oZF81MGZwc1wifSIsImlhdCI6MTcyNDkyMzAxNSwiZXhwIjoxNzI1NTIzMDE1fQ.eeYjyqPd1pQiTL0z9YxRnhg9g8eaJm9y2PO-eHgnUd8",
      "reqId": "df1a606a-1d52-d605-cff9-32c3bc268176",
      "deviceInfo": "{\"signature\":\"C7E1E476CBC1AB070EAE801654D3A064853F4AD3\",\"appVersionCode\":426,\"appVersion\":\"4.2.1\"}"
    }
    I think the reqId changes from request to request.

    sessionId might change but should be okay for a minute. reqId might be returned by the API and unique. deviceInfo is probably static (I hope so, signatures are painful to reverse)
  9. Originally Posted by aqzs
    sessionId might change but should be okay for a minute. reqId might be returned by the API and unique. deviceInfo is probably static (I hope so, signatures are painful to reverse)

    And the response from the Widevine request is also a JSON object, and it gets the encrypted license from the JSON, then uses a native library to decode it to the real license. So a lot of hard work here.
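A server-side view of the custom-data fields discussed in the thread, as an added example that is not part of any post and not the service's own code: a license proxy pins the HS256 algorithm named in the sessionId token's header, verifies the token's signature and expiry, and accepts each reqId once, which is one way a replayed capture ends up rejected. The secret, the TTL, the assumption that reqId is issued by the server, and all function names are hypothetical; the sample values are constructed.

```python
import base64, hashlib, hmac, json, uuid

SECRET = b"constructed-demo-secret"  # assumption: HMAC key known only to the backend
REQ_ID_TTL = 60                      # assumption: seconds an issued reqId stays usable
issued_req_ids = {}                  # reqId -> expiry time (in-memory for the demo)

def _b64u(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64u_dec(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(signing_input):
    return hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()

def issue_req_id(now):
    """Hand the client a fresh single-use reqId (assumed to be server-issued)."""
    req_id = str(uuid.uuid4())
    issued_req_ids[req_id] = now + REQ_ID_TTL
    return req_id

def make_custom_data(req_id, exp):
    """Build a constructed sample blob using the field names shown in the thread."""
    head = _b64u(json.dumps({"alg": "HS256"}).encode())
    body = _b64u(json.dumps({"jti": "sample", "exp": exp}).encode())
    jwt = f"{head}.{body}.{_b64u(_sign(head + '.' + body))}"
    blob = {"userId": "sample", "sessionId": jwt, "reqId": req_id}
    return base64.b64encode(json.dumps(blob).encode()).decode()

def check_custom_data(custom_data_b64, now):
    """Return "ok", or the reason this license request is refused."""
    try:
        blob = json.loads(base64.b64decode(custom_data_b64))
        head, body, sig = blob["sessionId"].split(".")
        req_id = str(blob["reqId"])
        alg = json.loads(_b64u_dec(head))["alg"]
        exp = float(json.loads(_b64u_dec(body))["exp"])
        sig_raw = _b64u_dec(sig)
    except (ValueError, KeyError, TypeError, AttributeError):
        return "malformed"
    if alg != "HS256":                        # pin the algorithm server-side
        return "bad-alg"
    if not hmac.compare_digest(_sign(head + "." + body), sig_raw):
        return "bad-signature"
    if now >= exp:
        return "expired"
    if issued_req_ids.pop(req_id, 0) <= now:  # never issued, already used, or stale
        return "reqid-rejected"
    return "ok"
```

Because the reqId is consumed on first use, a second request carrying the same custom-data fails even while the session token itself is still within its validity window.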


