Dumping Your own L3 CDM with Android Studio

[streetf22]

Sorry for my grammar, hopefully it will be undersoodable.
If you’re using a Mac and you’ve managed to follow all the steps but only the key_boxes directory is created (without the private_keys directory), you should do the following:
1. Pull the libwvhidl.so file from your device:

Code:

adb pull /vendor/lib64/libwvhidl.so

2. Use nm to inspect exported symbols:

Code:

nm -gD libwvhidl.so

You will get output like this:

Code:

000000000017de28 T tfayzalk
                 U time@LIBC
000000000017f6f0 T umsygtib
                 U unlink@LIBC
000000000017f23c T vauxqowp
000000000017dbe8 T vlezovbp
000000000017daac T vngfjbek
                 U vsnprintf@LIBC
00000000001802a0 T vyxlkkyb
000000000017e504 T ydihlccg

3. Add these symbol names to the KNOWN_DYNAMIC_FUNC array in dumper/Helpers/script.js. The updated first line should look like this:

Code:

const KNOWN_DYNAMIC_FUNC = ['ulns', 'cwkfcplc', 'dnvffnze', 'kgaitijd', 'polorucp', 'vauxqowp', 'vlezovbp', 'vngfjbek', 'vyxlkkyb', 'ydihlccg'];

4. Run the process again. This time, the private_key directory will be generated with the correct files.

credit to This GitHub comment

[leophir]

Thank you very much for this tutorial it worked using a different DRM website and a Pixel 3 XL running Android API 28.

Can you tell me how you proceeded ? Like in some other cases the dump_keys Python Skript did not work. How did you do it?

I've really followed the instructions with the help of ChatGPT because I'm not comfortable with python. The only changes I've made are the ones listed above.

[JBR2001]

Someone could tell me where the problem may be, he's been trying to load the bitmovin page all the time and he always restarts.

[leophir]

Someone could tell me where the problem may be, he's been trying to load the bitmovin page all the time and he always restarts.

Bitmovin was an impossible issue for me because of CloudFlare not liking a virtual device legitimately. I had to use another streaming page using widevine in my country to trigger the DRM and the tool.

[JBR2001]

which one did you use?

[leophir]

which one did you use?

A rapid Google search pointed to this page: https://reference.dashif.org/dash.js/latest/samples/drm/widevine.html
The website I've used requires a French IP and a paid account.

[streetf22]

Someone could tell me where the problem may be, he's been trying to load the bitmovin page all the time and he always restarts.

I had the same issue. What worked for me was this:
1. On the virtual device, open Google and search for “bitmovin”.
2. Go to the main bitmovin.com site — if the first result doesn’t work, scroll down and look for another bitmovin.com link.
3. Once you’re on the main page, manually add /demos/drm to the URL.
4. If it still doesn’t work, try closing everything, on the virtual device, and repeating the steps — it should eventually work.

[v4mp3t4]

Hi Guys,
from long time i read and try to understand but i lost the way

i succesfull got client_id and key.pem over frida and dumper py

succesfull create device.wvd

succesfull pssh

succesfull download mp4 contents

i follow many thrends around about decrypt over ffmpeg but i not understand ;-( someone can help?

[InvalidUser]

Sorry for my grammar, hopefully it will be undersoodable.
If you’re using a Mac and you’ve managed to follow all the steps but only the key_boxes directory is created (without the private_keys directory), you 4. Run the process again. This time, the private_key directory will be generated with the correct files.
...
credit to This GitHub comment

Thank you so much for posting this! I was completely stuck.

And thank you, OP, for the updated post!

[DoomDash]

I'm sure I'm making a dumb mistake, but on the step in the updated 2025 instructions "On the next window popping up, go to the second tab called x86 Images, then scroll down until you find Android Pie, API28, x86_64, Android Pie (Google APIs), and click the down arrow to download it:", I'm not getting the same screen in the screenshot, instead get this:

[Attachment 87100 - Click to enlarge]

What am I missing here - thanks for any help or suggestions!

[InvalidUser]

What am I missing here - thanks for any help or suggestions!

I couldn't get this to work with anything higher than a Pixel 3 XL. And that gave me fits (using API 28) until I switched to API 29. That said, I'm working on a mac, so maybe there are subtle differences between this and the PC version.

Regardless, the mistake you're making (in the picture you attached, which I marked up below) is that you are going with the default system image, which for your device, is API 36 or something like that. Click on the dropdown box (where it gives you the choice of API, see red arrow) and select something earlier. If you're still finding nothing, then try clicking the "show unsupported" checkbox at the bottom (red arrow #2). If all else fails, then change your device to something that actually supported that API -- eg, the pixel 3 XL.



[Attachment 87101 - Click to enlarge]



One final note, I had trouble getting chrome to work with that image, so I just loaded the web page using a shell command. This seemed to work great, and since many of the images I tested didn't even come with chrome installed, I thought it might be a useful thing to add to the discussion (not necessarily for you, but for anyone else who runs into this issue). The command I used was:

Code:

adb shell am start -a android.intent.action.VIEW -d "https://bitmovin.com/demos/drm"

(Or, if you have trouble with bitmovin, a good alternative site was "https://shaka-player-demo.appspot.com/demo/")

[Navii3]

Wow, what a process and tutorial!

[Navii3]

I use an anti-detect browser with a fake UA. Can i set up this tool using the spoofed UA data or does it need to be my real?

[m7king]

I followed all steps carefully and it all went well until running the python script. The script connects to my emulated device but in the end I get this error:

frida.ServerNotRunningError: unable to connect to remote frida-server: closed

I have not closed my frida terminal and it's still running in the background. If anyone know any fix, please let me know. I would be really thankful for any help.

[InvalidUser]

frida.ServerNotRunningError: unable to connect to remote frida-server: closed

Any chance the version of Frida running on the emulated phone is different from the one that you downloaded to your machine? That seems like the most likely culprit.

Alternatively, if you didn't see the previous comment (quoted below) there's a specific version of frida that seems to work best with this (or at least it did for me):

Change your version of frida.

pip install frida==16.5.2

[utilitysnail]

If anyone ever gets this error


[Attachment 87163 - Click to enlarge]

when trying to dump the keys, you have to add

rpc.exports = {
inject: inject
};

to the bottom of "script.js" in the "Helpers" folder

[mrbloodstone]

FYI i had major issues using dumper due to multiple function error's. I have spent 4 hours working on it and I finally got the dumps. I will say if you are using Windows and have basic to intermediate IT knowledge use Google Gemini not chatgpt when troubleshooting any errors. It was miles better. Helped me understand and troubleshoot dumper, frida, javascript and android errors than chatgpt. The hooker function was giving an error when running the key dump for example. Gemini helped me re-write the entire function. I will say it took some time as it did spin other error's but Gemini literally helped me get to each step until I finally got the key dumps. It even helped me find the exact answer to an error that was not specific by making a debug js file and loading that under dumper which allowed it to pinpoint one of the problems and solve it. To be honest Gemini helping me rewrite functions that were generating errors may have helped but that may have not been the problem from the beginning. It could have been the latest version of Frida I was using (apologies if this has been mentioned. I didn't think about Frida being the problem until I started thinking about until the end).

Virtual Phone Model: Pixel3xl
OS: Android 9 (x86_x64)
Frida Version: Frida 16.1.4 and Frida 16.1.4 android x86_x64


Hope this helps anyone in the future

[m7king]

frida.ServerNotRunningError: unable to connect to remote frida-server: closed

Any chance the version of Frida running on the emulated phone is different from the one that you downloaded to your machine? That seems like the most likely culprit.

Alternatively, if you didn't see the previous comment (quoted below) there's a specific version of frida that seems to work best with this (or at least it did for me):

Change your version of frida.

pip install frida==16.5.2

I have checked if the frida version and frida server version is the same or not for more than 5 times now. I still have the same error.

[kevinsheeks]

Hello folks,

This post will revisite the famous Dumping Your own L3 CDM with Android Studio, but updated for 2025.

This will be written from the perspective of a Linux user, but you can translate it easily for Windows.

Prerequisites

This assumes you have a PC with a x86_64 processor (AMD or Intel), either with Linux or Windows. It is possible to do it under ARM64 but I don't have such machine available.

Step 1: softwares needed

• Install adb-studio from https://developer.android.com/studio

It is available for Windows and Linux and will allow us to create a virtual android.

On Linux, you can use Flatpak:

Code:

flatpak install com.google.AndroidStudio

or Snap

Code:

sudo snap install android-tools

It is in the AUR for Arch users:

Code:

sudo pacman -S android-studio

• Install Android platform-tools

On linux, it's eitheir:

Code:

sudo dnf install android-tools

Code:

sudo apt install android-tools-adb

Code:

sudo pacman -S android-sdk-platform-tools

On Windows, grab it from https://developer.android.com/tools/releases/platform-tools and extract the zip to an easily accessible directory.

• Install python3

If you're on Linux, it is most likely already installed, if not I assume you know how to install it. On Windows, you can get it from https://www.python.org/downloads/windows/ or from a package manager like Chocolatey.

• Install frida

In a command line, type:

Code:

pip install frida frida-tools

Please note the version number of frida (currently it is 16.6.6).
On Windows, after installing Python, I think you can go to the Start menu, then Python, and launch a command line there to type that command.

• Download the frida-server corrresponding to your Frida version at https://github.com/frida/frida/releases
  • Click either "Show all assets" or "Assets" under the release corresponding to the version of Frida you have (usually the last one if you just installed Frida)
  • Search for frida-server-XX.X.X-android-x86_64.xz and download it. Please make sur to use the Android, x86_64 version.
  • Extract the file with your favorite archive extractor. On Windows, you can use 7zip.
  • Rename the extracted file to frida-server
• Download the utility to dump the keys

On linux, if you have git, you can git clone https://github.com/wvdumper/dumper in a directory easiy accessible.
On Windows or Linux, you can also just download the archive from https://github.com/wvdumper/dumper/archive/refs/heads/main.zip. In that case, just extract the zip afterward.

• Install Protobuf 3.20.0

In a command line, type:

Code:

pip install --force-reinstall -v "protobuf==3.20.0"

We use this specific version to use the dump keys utility.
On Windows, after installing Python, I think you can go to the Start menu, then Python, and launch a command line there to type that command.

Step 2: creating a virtual Android device

• Launch Android Studio
  
  On Linux, go to the extracted android-studio/bin/ and launch ./studio.sh
  
  If you have installed any other way, there is probably a shorcut somewhere to start it.
• We will then create the virtual device. First follow the first startup wizard:
  
  
  
  
  
  
• After everything is downloaded, just create a new project and select No activity:
  
  
  
• Select API28 ("Pie"; Android 9.0):
  
  
  
• After the project is created, click on the Device Manager icon on the right toolbar:
  
  
  
• Then click on the "+" button and Create Virtual Device:
  
  
  
• Select an Android device like Pixel 9 Pro XL for example:
  
  
  
• On the next window popping up, go to the second tab called x86 Images, then scroll down until you find Android Pie, API28, x86_64, Android Pie (Google APIs), and click the down arrow to download it:
  
  
  
  In any case, do not select any images more recent than Android Pie/API28 or we won't be able to root it.
  Select x86_64 if you have an AMD or Intel processor. If you are on ARM64, go to the 3rd tab to download the same image for ARM64.
  Do not download images where it says Google Play in the Target column.
• Wait for the image to download:
  
  
  
• After the download is finished, scroll down again to select Android Pie, API28, x86_64, Android Pie (Google APIs) that you've just downloaded and click Next:
  
  
  
• Click Finish on the following window:
  
  
  
• Then click the Start arrow to load the virtual Android device we've just created:
  
  
  
• Wait a bit, you should have soon a Android device ready like this:
  
  

Step 3: copy frida-server and start it

On Linux, type the following command in a terminal, in the directory where you have extracted frida-server:

Code:

adb root
adb push frida-server /data/local/tmp/
adb shell
chmod 755 /data/local/tmp/frida-server
/data/local/tmp/frida-server &

On Windows, open a command line (cmd) then go to the directory where you extracted adb.exe from the platform-tools, and do the same:

Code:

adb.exe root
adb.exe push /path/to/extracted/frida-server /data/local/tmp/
adb.exe shell
chmod 755 /data/local/tmp/frida-server
/data/local/tmp/frida-server &

Note, on both Windows and Linux, you can change directory with cd path/to/the/directory and go to the parent directory with cd ..

In any case, do not close that terminal window.

Step 4: start dump_keys.py

On Linux, open a new terminal, go to the directory where you extracted or cloned dumper, and launch

Code:

python dump_keys.py

On Windows, after installing Python, I think you can go to the Start menu, then Python, and launch a command line there. Then use the command cd path/to/the/dumper/directory to go to the correct directory, than launch

Code:

python dump_keys.py

The program is starting, when it is ready, you should see something like

Code:

2025-02-09 06:09:31 AM - root - 25 - INFO - Hooks completed

Step 5: load a webpage with DRM on the virtual device

Launch Chrome on the virtual phone (do not sign in). Then go to the following URL: https://bitmovin.com/demos/drm

Click Allow when prompted to play protected content:



Then click Load and play the video:



Step 6: copy the keys

In the background, dump_keys should have been doing its work:



In the directory where you have cloned or extracted dumper, you should have the following directories: key_dumps/Android Emulator XXXX/private_keys/XXXX/

In this directory, you can have one or more folder with a number, and inside them you will find two files:
- client_id.bin
- private_key.pem

(do not share them)

Copy or backup them to a safe place.

You can now stop the virtual device, quit Android studio, stop dump_keys.py (Ctrl+C) and close adb too.

Step 7: Profit!

thank you so much

[Jarsky]

Has anyone had trouble getting this to work now? I've used it before just fine.
I just set it all up again; but im not able to get past the CF page for any sites behind CF (including bitmovin); and i've tried about 10 different dash mpd players with no luck. the videos that have played; im not sure if they have DRM as I dont see any change on dumper-main and no Android Emulator directory created.

Think its to do with the outdate version of Pi (API28); but if I try and use Pixel 9 in the above post its using API35+.
If I try and use that again I don't see any movement on dumper-main


[Attachment 87291 - Click to enlarge]

[rogerwaters]

Has anyone had trouble getting this to work now? I've used it before just fine.
I just set it all up again; but im not able to get past the CF page for any sites behind CF (including bitmovin); and i've tried about 10 different dash mpd players with no luck. the videos that have played; im not sure if they have DRM as I dont see any change on dumper-main and no Android Emulator directory created.

Think its to do with the outdate version of Pi (API28); but if I try and use Pixel 9 in the above post its using API35+.
If I try and use that again I don't see any movement on dumper-main


[Attachment 87291 - Click to enlarge]

I am in the same boat, able to do all the steps except dumper doesn't seem to do anything. :/

[fuoadco]

plz some help .. what i missssssssing here
[Attachment 87389 - Click to enlarge]

[TUNGLINWU]

Sorry, if I select Pixel 9 can't select api 28 now, only 35 or higher.

By the way, dumper is not run. STOP IN hooks completed

[maantairo]

Hi, I searched on Google for an older version of Android Studio because the current versions only support Android 12 and above, while the older ones still allow Android 9. I installed it and everything was fine at first, but my C: drive is only 100GB and had 12.5GB of free space. Due to lack of space, I had to move the SDK folder to my D: drive, which has 1TB, because the mobile device wouldn’t start otherwise.

After that, everything worked fine and I was able to use the device without any issues. I followed the steps in the guide, but when I got to the end and ran "python dump_keys.py", I got the errors shown in the screenshot. The "hooks completed" message does not appear, and I cannot get the key_dumps folder.

Does anyone know why this is happening and can help me, please?


[Attachment 87441 - Click to enlarge]

[InvalidUser]

Sorry, if I select Pixel 9 can't select api 28 now, only 35 or higher.

Many of us (see posts above) couldn't get the Pixel 9 to work with the old (Android Pie) system image. But that's fine, just follow the same instructions but look for a device that *does* work with API 28 (or 29 works also).

This would include things like the Pixel 3 XL, Pixel 3a, Pixel 2XL, etc.

[Scudsworth]

I have managed to complete the process until the hooks part successfully.

However dumper_main is not producing any output.

I am using Pisel 3XL with Api 29. Frida-tools 13.0.3 and Frida : 16.5.2 with up to date Frida Server (17.1.5)

Any workaround?

[TUNGLINWU]

Sorry, if I select Pixel 9 can't select api 28 now, only 35 or higher.

Many of us (see posts above) couldn't get the Pixel 9 to work with the old (Android Pie) system image. But that's fine, just follow the same instructions but look for a device that *does* work with API 28 (or 29 works also).

This would include things like the Pixel 3 XL, Pixel 3a, Pixel 2XL, etc.

I use it, but I meet error like #804 ERROR.

[Blacksiren]

I have managed to complete the process until the hooks part successfully.

However dumper_main is not producing any output.

I am using Pisel 3XL with Api 29. Frida-tools 13.0.3 and Frida : 16.5.2 with up to date Frida Server (17.1.5)

Any workaround?

Use KeyDive instead, works flawlessly even with API 36(Android 16) , also use same version of frida client and server, based on your post you are using mismatched versions, 16.5.2 ≠ 17.1.5.

[use a name]

Aghhhh. I used to be a computer scientist before I got long COVID with terrible brain fog and now I can't even do this. Plus I'm exhausted from trying. I started at 6PM and it's now.. whatever time it is now (5AMish).

I followed every step in the original guide. After a half-hour of housekeeping to make the ~25GB required, I ran up against the new rearrangement of Android Studio discussed in other posts, so I created five different machines with varying versions and API levels. I then ran into the same problems as another few posters with ADB push, chmod, and executing binaries to get Frida working. I eventually sorted it out. Protip: trailing slashes (or not) present a problem as adb shell isn't particularly well-programmed IMO; just keep trying different combinations until something works and set chmod 777 recursively because it's not like you're securing a server (and make sure you don't mix up "temp" and "tmp" as in the guide). Also, feel free to cd around instead of typing full dir names.

Then I fell headfirst into the same problem everyone else is now having with Dumper. I reached the same conclusion as the very helpful poster who also figured this out (the following must be pasted in the global scope of Dumper's scripts.js; the bottom of the file is fine):

Code:

rpc.exports = {
inject: inject
};

It does force Dumper to work. Or at least forces it to the end phase:

2025-06-20 11:11:34 PM - root - 25 - INFO - Hooks completed
(I'd already been up for hours more than intended at this point. Nice quads timestamp, btw.)

From there, I thought I'd cracked it. But no matter what I opened, I was either stonewalled by Cloudflare or finding that playing WV-encrypted content didn't work (I tried a few plain old <video>s, successfully, albeit tediously slowly, to be sure). I tried Chrome; I tried Webview; I tried Firefox just to get a different engine in there. I tried several different VMs/configs. Nothing. I was sometimes getting errors suggesting I didn't have any level of DRM/EME support (weird, huh? Anyone else run into this?). All of the messing around in AVDs was painfully slow - we're talking a minute to open a browser - as I have an ancient i3 laptop with 8GB of RAM.

So then I saw that the new solution is KeyDive and naturally I followed the lead. It seemed promising. I had to resolve a Python packaging conflict between Dumper and KeyDive. Note: Dumper flat out requires protobuf 1.8.0 (for complex reasons that'll never be fixed) whereas KeyDive requires a much newer version (essentially the most recent). You might want to use venvs if you're going down this rabbit hole, even if they're not technically required on Windows. This isn't the only pip conflict you might encounter.

My heart sunk upon performing the suggested steps for KeyDive and finding the following:
2025-06-21 02:57:32 [W] Cdm: L1 provisioning deactivation appears incomplete. Consider using a web dump or forcibly terminating the process to ensure proper disabling.
2025-06-21 02:57:33 [C] keydive: 'oem_crypto_build_information'
2025-06-21 02:57:33 [I] keydive: Exiting

I wasn't sure what "oem_crypto_build_information" meant (beyond the obvious, but there's no context) but the result, overall, made sense: why would an official Android VM have L1 completely disabled? Sure, Android emulation is software but that doesn't mean L1 can't be emulated to an extent. Or, at least, it can behave as if it's emulating hardware crypto. So then I went in search of ways to disable L1 DRM on an AVD. Naturally, I immediately tried killing the DRM processes in an adb shell, using the & operator to ensure I got them all at once, but they just kept respawning (kinda like Search Indexer or many system processes in any modern Windows). I did some brief research into Android's DRM processes but they're poorly documented and I wasn't entirely sure which ones I needed to kill (no permutation of any of the promising ones would stay dead anyway).

I focused on these three processes:
media 1596 1 15452 4956 binder_th+ f4fdcb39 S android.hardware.drm[at]1.0-service
media 1597 1 20732 4604 binder_th+ 79221b17f317 S android.hardware.drm[at]1.1-service.clearkey
media 1598 1 25656 7884 binder_th+ eefa4b39 S android.hardware.drm[at]1.1-service.widevine

Realising that I'd need to kill them at the kernel boot level and looking for a more permanent solution, I found the Magisk module liboemcryptodisabler... Now, I just had to find a way of rooting an AVD -- or at least leading Magisk and associated su apps into believing I was running a rooted device so that they would install and run liboem. I used to be a pretty competent hacker with several commercial products cracked (purely for fun) but I've never messed around much with Android beyond flashing a new ROM or whatever, so this was never my area of expertise. I wrote some basic Android 2.1 (IIRC) software at uni but I haven't even flashed a phone in a decade. I wasn't expecting my quest to take me down the road of advanced Android again.

Okay, so then I found rootAVD. After spending a good 15 minutes parsing its terrible UX, readme, and non-standard syntax (great tool BTW, just ugly; those lines that look like examples at the bottom of stdout are actually results), I was on my way to running it on the ramdisk.img that I felt was my best chance (Pixel 3 XL, 9.0, 28). After several stalls on "[*] Searching for pre installed Magisk Apps", I figured out that you have to uninstall any existing Magisk APK to prevent hangs. For liboem, you apparently also need Magisk v27.0, not the latest v29.0 (note: you also need the module MagiskFrida in order to gain Frida's hooking powers at boot). Anyway, after removing Magisk, rootAVD did what it promised: a whole heap of stuff before auto-"rebooting" my VM. But however it works, it isn't clean because I had to remove a file lock on my VM (which I had to find through Process Hacker) before I could start it again. I don't know why you'd be replicating my odyssey of failure but you need to remove %USERPROFILE% or ~/.android/avd/<avd_name>/.lock

Anyway, I eventually got it running again and.. nothing had changed in Magisk. It didn't claim to be rooted. At this point, I realised I was going to be stuck in bed for days after the effort I'd already put into this. I considered doing it on bare metal but I wondered if my £30 Android Go phone would even fit the bill for rooting. The amount of effort required to root my model with the backup/restore it entails was not worth the risk of failure -- and there seems to be some debate as to whether it's even possible. Plus I'd just be chasing sunk costs. All I wanted to do was save some football matches as I like taking them to hospital appointments. Most are on services like iPlayer, ITVX, All4 etc. It's not like I wanted to become a big pirate. I pay for ITVx. ******* fantastic. (HDCP bypass and capture cards aren't an option for me for the same reason as recording them: I don't have a cable sub/DVR box/TV. And good capture cards are way out of my price range.)

There's probably some pathway to success if you're more persistent than I can afford to be. As a starting point, if you're switching between Dumper or KeyDive, I'd suggest creating a clean VM before doing the other. I still think Pixel 3 XL, 9.0, 28 is the best option in current Android Studio. You could try an earlier version of Studio but the newest version is labelled 2024 - before the second tutorial with screenshots of a completely different layout - so it suggests there's some dynamic Google Play Update type shenanigans going on behind the scenes (which, ofc, CEF/web-based apps allow). If you're going to try an old version, it'd probably have to be quite a bit older -- maybe go back to when Pie was new.

Thanks to the two main posters for the excellent, detailed guides and the experts who chipped in with top notch advice. The tutorials were easy to follow (especially the second one) but breaking changes and incompatibilities etc. have arisen in the software that makes this process currently a total mess (or, at least, with my setup and system, it is). There are large threads on this forum focused on using hardware + KeyDive and software + Dumper but, as far as I can tell, no such corpus on using KeyDive in Android Studio.

I surrender. I just had to vent, and I was logging my process and progress for reference anyway. If you feel incompetent, maybe my story will cheer you up. I'm supposed to be an expert and I failed. And maybe someone will learn something useful. I don't think I did anything particularly wrong -- I just didn't have the luck, skill, and stamina to bypass the obstacles. Congrats to everyone who manage[s|d] it!

[Chopssuey]

Hello i'm having issues with dumper main action


[Attachment 87531 - Click to enlarge]

Im using frida-server-17.2.4-android-x86_64 and phyton 3.12 from MS.

Thank your for the help.