VideoHelp Forum





  1. Streamers use A/B forensic watermarking and traitor tracing probabilistic codes which scale as the square of the number of traitors, to put an invisible watermark of the keybox public key into the content stream of every single subscriber.

    So unless every member of the scene has 100s of stolen accounts with 100s of L1 keyboxes (to be able to execute a successful collusion attack on the codes for some length of time) and the logistics to utilize them all to download every movie/episode they intend to release without getting caught managing them all, it means they burn a keybox every few days (or even sooner depending on how automated the blacklisting process is).

    Is there money in it for the scene groups? Even if they are exploiting some vulnerability that allows them to extract keyboxes from specific lines of hardware they would still need to buy them and manually process them. Would make for a labor intensive and expensive hobby?

    Did an insider from an OEM leak the CA signing key to someone who can generate an endless supply of keyboxes and sell it to them cheaply?

    What are some other possibilities?

    Edit:

    For large-scale per-viewer, implement a content identification strategy that allows you to trace back to specific clients, such as per-user session-based watermarking. With this approach, media is conditioned during transcoding and the origin serves a uniquely identifiable pattern of media segments to the end user. A session to a user-mapping service receives encrypted user ID information in the header or cookies of the request context and uses this information to determine the uniquely identifiable pattern of media segments to serve to the viewer. This approach requires multiple distinctly watermarked copies of content to be transcoded, with a minimum of two sets of content for A/B watermarking. Forensic watermarking also requires YUV decompression, so encoding time for 4K feature length content can take upwards of 20 hours. DRM service providers in the AWS Partner Network (APN) are available to aid in the deployment of per-viewer content forensics.
    https://docs.aws.amazon.com/wellarchitected/latest/streaming-media-lens/detective-controls.html
    Last edited by deploysprout; 16th Jan 2026 at 13:24.
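The session-to-pattern mapping and trace-back described in the AWS passage quoted in the first post, sketched as an added example (not code from the thread, AWS, or any DRM vendor). The server key, session IDs, segment count, path layout and 10% mismatch tolerance are assumptions, and it attributes a copy from a single session only; it does not implement the collusion-resistant codes the post mentions.

```python
import hashlib
import hmac

SERVER_KEY = b"constructed-demo-key"  # assumption: secret held by the session-mapping service
N_SEGMENTS = 64                       # assumption: segments carrying an A/B choice

def ab_pattern(session_id: str, content_id: str, n: int = N_SEGMENTS) -> str:
    """Derive the per-session sequence of variants ('A' or 'B'), one per segment."""
    out = []
    counter = 0
    while len(out) < n:
        msg = f"{content_id}|{session_id}|{counter}".encode()
        for byte in hmac.new(SERVER_KEY, msg, hashlib.sha256).digest():
            out.extend("AB"[(byte >> bit) & 1] for bit in range(8))
        counter += 1
    return "".join(out[:n])

def segment_path(content_id: str, index: int, variant: str) -> str:
    """Path the origin serves for one segment of one session (hypothetical layout)."""
    return f"/{content_id}/{variant}/seg{index:05d}.m4s"

def trace(observed: str, sessions, content_id: str, max_mismatch: float = 0.10):
    """Match variants read from a leaked copy ('?' = unreadable) against known sessions.

    Returns [(session_id, mismatch_ratio)] for sessions within tolerance, best first.
    """
    hits = []
    for sid in sessions:
        expected = ab_pattern(sid, content_id, len(observed))
        readable = [(o, e) for o, e in zip(observed, expected) if o != "?"]
        if not readable:
            continue  # nothing recovered from the copy: no attribution possible
        ratio = sum(o != e for o, e in readable) / len(readable)
        if ratio <= max_mismatch:
            hits.append((sid, ratio))
    return sorted(hits, key=lambda h: h[1])

if __name__ == "__main__":
    sessions = [f"session-{i}" for i in range(1000)]  # constructed session IDs
    leaked = list(ab_pattern("session-417", "title-001"))
    for i in (3, 20, 41, 60):   # segments the detector could not read
        leaked[i] = "?"
    for i in (7, 33):           # detector read errors
        leaked[i] = "B" if leaked[i] == "A" else "A"
    print(segment_path("title-001", 0, leaked[0]))
    print(trace("".join(leaked), sessions, "title-001"))
```

Because the pattern is derived with a keyed HMAC, the service does not need to store a per-session pattern table; it only needs the session log and the key to re-derive candidates when a copy surfaces.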
  2. Very few people use L1s; most use SL3000 PlayReady, which can be reprovisioned even if burned. Some sites, seeing that many people use the same CDM PlayReady key, ban some of them over time, but only for their own site. However, new ones that work always come out. For this reason, some streaming sites no longer accept PlayReady protection but only Widevine for higher resolutions (e.g., NowTV), forcing users to use L1, at least those who have the option.
  3. Originally Posted by Goku73
    Very few people use L1s; most use SL3000 PlayReady, which can be reprovisioned even if burned. Some sites, seeing that many people use the same CDM PlayReady key, ban some of them over time, but only for their own site. However, new ones that work always come out. For this reason, some streaming sites no longer accept PlayReady protection but only Widevine for higher resolutions (e.g., NowTV), forcing users to use L1, at least those who have the option.

    Similar to L1, SL3000 requires a private key and certificate in the TEE: https://learn.microsoft.com/en-us/playready/overview/developing-sl3000-products

    I'm not familiar with PlayReady, but from my understanding L1 cannot be reprovisioned (in the TEE). If SL3000 can, surely it would require TEE remote attestation, which Microsoft can deny if they revoke the fused EK in the TEE?

    Most of the people here break DRM for their personal use so this topic doesn't apply to them, but for the groups that share p2p WEB-DLs they have to contend with the watermarking and revocations of their CDM keys regularly. How are they able to afford to lose so many and still function?
  4. Yes, they have keyboxes in bulk, and yes, they burn keyboxes on popular release (blacklist). Money is involved sometimes but mostly they do it for the love of the game.
    discord=notaghost9997
  5. TVs and other embedded devices include both the certificate chain and matching group key somewhere in the firmware. Though sometimes encrypted, these can be extracted somewhat easily, completely bypassing the security of a TEE.
    The group key is the ECC private key to the second-to-leaf-most certificate in the chain and can be used to attach a new leaf certificate. This process is not officially called "re-provisioning" by Microsoft, but just a term I came up with for the pyplayready CLI. Re-provisioning will stop working if the license server chooses to revoke the certificate one level below the leaf certificate (usually called the device certificate), because we don't own the private key that was used to link it to the chain.
    Microsoft Edge on the other hand uses remote provisioning to obtain its certificate and signing/encryption keys.
    Bypass HMACs, One-time-tokens and Lic.Wrapping: https://github.com/DevLARLEY/WidevineProxy2
  6. Originally Posted by larley
    TVs and other embedded devices include both the certificate chain and matching group key somewhere in the firmware. Though sometimes encrypted, these can be extracted somewhat easily, completely bypassing the security of a TEE.
    The group key is the ECC private key to the second-to-leaf-most certificate in the chain and can be used to attach a new leaf certificate. This process is not officially called "re-provisioning" by Microsoft, but just a term I came up with for the pyplayready CLI. Re-provisioning will stop working if the license server chooses to revoke the certificate one level below the leaf certificate (usually called the device certificate), because we don't own the private key that was used to link it to the chain.
    Microsoft Edge on the other hand uses remote provisioning to obtain its certificate and signing/encryption keys.

    But you need to physically extract this from the TV. And then after uploading a Netflix flick the cert gets added to the revocation lists.
    How is this sustainable?

    Is it because they hesitate to revoke the certs of victims? I would imagine it would make things awkward when your expensive 4K TV can't play 4K anymore because the repair shop stole your cert and sold it to pirates. But if that happens then the pirate will have a golden cert and can defeat DRM with impunity, so what does actually happen?
  7. Microsoft is either terribly slow or reluctant to add devices to the revocation list. There are currently only 43 key digests in the list and all of the ones I was able to check were device certificates, not leaf certificates.
    Bigger platforms handle the revocation themselves
  8. Originally Posted by larley
    Bigger platforms handle the revocation themselves

    But if PlayReady reprovisions regularly then those revocations don't stick? For L1 every license server gets the KeyBox public key (effectively a static 'fingerprint' of the fused private key) from the licenseRequest.
    That is not the case with PlayReady, right?
  9. Originally Posted by deploysprout
    Originally Posted by larley
    Bigger platforms handle the revocation themselves

    But if PlayReady reprovisions regularly then those revocations don't stick? For L1 every license server gets the KeyBox public key (effectively a static 'fingerprint' of the fused private key) from the licenseRequest.
    That is not the case with PlayReady, right?

    This is why "rights holders" don't like PlayReady.

    Microsoft took that control from them.

    Microsoft can tie your reprovisioned certs to your fused TEE identity; if you overdo it, that's how you get them to revoke it.

    Most times you can't reprovision because you never had the fused secret to begin with; the stolen cert gets revoked and the one you stole it from reprovisions and gets back to normal.
  10. Originally Posted by deploysprout
    But if PlayReady reprovisions regularly then those revocations don't stick? For L1 every license server gets the KeyBox public key (effectively a static 'fingerprint' of the fused private key) from the licenseRequest.
    That is not the case with PlayReady, right?

    Well, there is no KeyBox in PlayReady, but all a normal PR License Server has is the Revocation List and an Allow List to bypass revocation.
  11. Originally Posted by larley
    Originally Posted by deploysprout
    But if PlayReady reprovisions regularly then those revocations don't stick? For L1 every license server gets the KeyBox public key (effectively a static 'fingerprint' of the fused private key) from the licenseRequest.
    That is not the case with PlayReady, right?
    Well there is no KeyBox in PlayReady but all a normal PR License Server has is the Revocation List and an Allow List to bypass revocation.

    When you contact the Microsoft servers to reprovision the cert (as is apparently required, do they expire?), what do you provide Microsoft? Do you need to perform remote attestation (TEE)?
  12. When you create a (leaf) certificate you can specify an expiry timestamp, which is actually 0xFFFFFFFF by default.

    Remote provisioning is different for SL2000 and SL3000, but this topic hasn't really been explored enough yet, so I don't know what the PR is sending to the server.