How To Dump L3 CDM From Android Device's (ONLY Talk About Dumping L3 CDMS)

[darkw4v3]

Android 10 with oemcrypto 15 works fine. At least it has for me, multiple times.

Well done (multiple times)

Oh, hello Mr Snark. Too proud to be corrected I see.

[[ss]vegeta]

Do you know how to find the dynamic function?

Yes.

[krsentai]

Hey guys, I'm elated to say I can get it to dump a license_request.bin, but still no client_id or private_key files. All I get in the terminal is the following:
https://pastebin.com/qrcH1pPU
I'm running Android 10.0 with OEMCrypto 15, which worked out much better than Android 7.0 with OEMCrypto 11 by virtue of getting past "Hooks Completed" at all, but I'm still stuck. Any ideas?

[laynoto]

Hey guys, I'm elated to say I can get it to dump a license_request.bin, but still no client_id or private_key files. All I get in the terminal is the following:
https://pastebin.com/qrcH1pPU
I'm running Android 10.0 with OEMCrypto 15, which worked out much better than Android 7.0 with OEMCrypto 11 by virtue of getting past "Hooks Completed" at all, but I'm still stuck. Any ideas?

Try with different python version (3.9) and install frida-server from play store.

You can read above posts try with oemcrypto v13 or lower version.

[krsentai]

Try with different python version (3.9) and install frida-server from play store.

You can read above posts try with oemcrypto v13 or lower version.

I can't seem to get frida-server from the Play Store to work. I click "download server", but when I try to start it it just gives "Not yet installed. You need install server first".

[Sorenb]

have you got magisk install on your phone? And have you got magisk frida install too? https://github.com/Magisk-Modules-Repo/magisk-frida not sure what the playstore app is, when I dumped keys I used the magisk module.

[laynoto]

Try with different python version (3.9) and install frida-server from play store.

You can read above posts try with oemcrypto v13 or lower version.

I can't seem to get frida-server from the Play Store to work. I click "download server", but when I try to start it it just gives "Not yet installed. You need install server first".

Wait a few minutes it takes time to download. I tried with magisk module frida-server but not worked for me. So advised this methıd but other members succeeded with magisk module give a try to it.

[DeesDaSilva]

Do you know how to find the dynamic function?

Yes.

Hi, can you help me? I only get the key_boxes.

[[ss]vegeta]

Hi, can you help me? I only get the key_boxes.

Maybe.
The file I need so I can help you should be somewhere on your phone.
The usual name of the file is libwvhidl.so in rare cases, it could be something else. The size is almost always around 3.3 megabytes
Use a root file explorer app and try to find libwvhidl.so on your phone.
Or use this

Code:

adb shell
su
cp vendor/lib64/libwvhidl.so /data/local/tmp
adb pull /data/local/tmp/libwvhidl.so

or this

Code:

adb shell
su
cp vendor/lib/libwvhidl.so /data/local/tmp
adb pull /data/local/tmp/libwvhidl.so

and then find a way to send it to me.

Or, whatever, it's time for all of you to try doing it urself.
Basically, you open that file with Notepad and search for "oemcrypto_le".
The 2nd find of "oemcrypto_le" should come to this

[Attachment 63108 - Click to enlarge]
The "gibberish" above oemcrypto_le

Code:

aubxesnu bscwumyx covmuybg cuxpfige eraviosd euoobbxy gunfzzhu hzfgrcal lqsrlehr meopfgvt mtylmzom oucdfqff pldrclfq psyprwmh pyxylqvw qxkjmvcw sxmfafok udanauth vajorhmx ycrdjvyl

are the dynamic functions that should be replaced in the first line of script.js located in dumper/helpers folder.
And then you try again and that's it.

[DeesDaSilva]

Here's the file https://drive.google.com/file/d/1fx_lSYtxTLLmqyYTS6OKDcA0wS3VfXRp/view?usp=sharing

I tried to do myself, here is what i tried, it didn't worked.

const KNOWN_DYNAMIC_FUNC = ['ulns', 'cwkfcplc', 'dnvffnze', 'kgaitijd', 'polorucp','bmelqtyh', 'calloc', 'djoadccl', 'exit', 'fdisjieh','getpagesize','free','igrqajte','iwwfrw gy','jlifludb','kyshuvom','lfrcssmv','luosbvkw','m alloc','memcpy','memmove','memset','mmap','mojnbkt r','mprotect','mrfnyifb','munmap','nvbdvvpj','ozdw hvco','pjzsjcqb','qksprdjf','rcdtibgn','srvntsue', 'sscanf','syscall','time','uname','vvkwbdal','xkrc uagn','ypyxfjba','fread_unlocked','foxsiucw','zdud yati'];

[[ss]vegeta]

'memcpy','memmove','memset','mmap'

From what I understand, this means your OEM Crypto API version is bigger than 13 in which this vulnerability is fixed.
I had a guy once sending me a file like this, I tried removing these "proper sounding" functions but I think it didn't work, it's not that easy I guess. Or I didn't figure out which are the "proper" and "not proper" ones.

[giorey]

Hello I tried to dump my moto onevision is l3 cmd v15 I run frida and script I loaded the script but I just get a license_request.bin what I'm doing wrong since the rsa cert is not exported?

Edit: Found the libwvhidl.so replaced the dynamics on scripts and still getting license_request.bin file only.

Can someone help please.

[T33V33]

Hello I tried to dump my moto onevision is l3 cmd v15 I run frida and script I loaded the script but I just get a license_request.bin what I'm doing wrong since the rsa cert is not exported?

Edit: Found the libwvhidl.so replaced the dynamics on scripts and still getting license_request.bin file only.

Can someone help please.

Read the post directly above yours? The vunrability is fixed in OEM Crypto API versions higher than 13. You need to downgrade to get you version =>13

[codehound]

Android 10 with oemcrypto 15 works fine. At least it has for me, multiple times.

Well done (multiple times)

Oh, hello Mr Snark. Too proud to be corrected I see.

If you read advice from multiple people you will see the vulnerability has been patched in versions above 13.

So again, well done to you for cracking oempcrypto v15. (Multiple times).

[supersport]

Hello ,, please help for what wrong

Code:

AAAATHBzc2gAAAAA7e+LqXnWSs6jyCfc1R0h7QAAACwiJGI5ZjYwMjM4LTYyYzEtNTQ2OC04NDFlLTEzZjU1MTYxM2VjM0jj3JWbBg==

Code:

https://sg-sg-sg.astro.com.my:9443/vgemultidrm/v1/widevine/license

Accept: */*
Accept-Encoding: gzip, deflate, br
accept-language: en
authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE2NDM0NjcwMTcsInN1Y iI6IjgwMDE1MDA4IiwiYXVkIjoiaXZwLnNlc3Npb25ndWFyZCI sImV4cCI6MTY0MzQ3NzgxNywic2Vzc2lvbl9kYXRhIjp7InNlc 3Npb24iOnsiY29tbXVuaXR5IjoiTWFsYXlzaWEgTGl2ZSIsImJ 1c1VuaXRJZCI6IkFTVFJPIiwic2NvcGUiOiJicm93c2UgcGxhe WJhY2siLCJ1cElkIjoiODAwMTUwMDhfMCIsImRldklkIjoiODA wMTUwMDguODVjODg4ZWYtYzU2Ni00NGI5LWI5NDYtZmExMWQ4Y zE2MDY2IiwicmVnaW9uIjoiUE9TVFBBSUQiLCJjbWRjUmVnaW9 uIjoiODAwMDAiLCJkZXZpY2VGZWF0dXJlcyI6WyJBQlIiLCJQR VJTT05BTC1DT01QVVRFUiIsIlVOTUFOQUdFRCIsIkRBU0giLCJ XVi1EUk0iLCJTZWNvbmRTY3JlZW4iXSwiY21kY0RldmljZVR5c GUiOiJQQyIsImRldmljZVR5cGUiOiJDT01QQU5JT04iLCJ0ZW5 hbnQiOiJrIiwic29sdXRpb25JZCI6ImsiLCJ0ZW5hbnRJZCI6I kFTVFJPIiwiZ3Vlc3RNb2RlIjpmYWxzZSwiaGhJZCI6IjgwMDE 1MDA4In0sImhoSGFzaCI6NDgsImNvbW11bml0eSI6Ik1hbGF5c 2lhIExpdmUifSwic2NvcGUiOiJicm93c2UgcGxheWJhY2siLCJ 0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwic3NhX2p0aSI6I mJyb3dzZXIiLCJjbGllbnRfaWQiOiJicm93c2VyIiwianRpIjo iNzFlMzcxMGItYmMwMy00Yjg2LTllZDAtNTkzYjlhZTA2YjYxI n0.ECaa03LkOOGp51gEju6Fc8ymz-2TV5XCt1S86AahigA
cache-control: no-cache , no-store
Connection: keep-alive
Content-Length: 6056
content-type: application/json
Host: sg-sg-sg.astro.com.my:9443
Origin: https://astrogo.astro.com.my
Referer: https://astrogo.astro.com.my/
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="96", "Google Chrome";v="96"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36

cut the HEADERS to

Accept-Encoding: gzip, deflate, br
accept-language: en
cache-control: no-cache , no-store
Connection: keep-alive
Content-Length: "6056"
content-type: application/json
Origin: https://astrogo.astro.com.my
Referer: https://astrogo.astro.com.my/
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36

and try on https://getwvkeys....

Error 404: <!DOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>Error Page</title> <style> h1 { width: 100%; text-align: center; } </style> </head> <body> <h1> 401 Unauthorized </h1> <hr> </body> </html>

thank you

[TonyChocolonely]

Hello ,, please help for what wrong

authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE2NDM0NjcwMTcsInN1Y iI6IjgwMDE1MDA4IiwiYXVkIjoiaXZwLnNlc3Npb25ndWFyZCI sImV4cCI6MTY0MzQ3NzgxNywic2Vzc2lvbl9kYXRhIjp7InNlc 3Npb24iOnsiY29tbXVuaXR5IjoiTWFsYXlzaWEgTGl2ZSIsImJ 1c1VuaXRJZCI6IkFTVFJPIiwic2NvcGUiOiJicm93c2UgcGxhe WJhY2siLCJ1cElkIjoiODAwMTUwMDhfMCIsImRldklkIjoiODA wMTUwMDguODVjODg4ZWYtYzU2Ni00NGI5LWI5NDYtZmExMWQ4Y zE2MDY2IiwicmVnaW9uIjoiUE9TVFBBSUQiLCJjbWRjUmVnaW9 uIjoiODAwMDAiLCJkZXZpY2VGZWF0dXJlcyI6WyJBQlIiLCJQR VJTT05BTC1DT01QVVRFUiIsIlVOTUFOQUdFRCIsIkRBU0giLCJ XVi1EUk0iLCJTZWNvbmRTY3JlZW4iXSwiY21kY0RldmljZVR5c GUiOiJQQyIsImRldmljZVR5cGUiOiJDT01QQU5JT04iLCJ0ZW5 hbnQiOiJrIiwic29sdXRpb25JZCI6ImsiLCJ0ZW5hbnRJZCI6I kFTVFJPIiwiZ3Vlc3RNb2RlIjpmYWxzZSwiaGhJZCI6IjgwMDE 1MDA4In0sImhoSGFzaCI6NDgsImNvbW11bml0eSI6Ik1hbGF5c 2lhIExpdmUifSwic2NvcGUiOiJicm93c2UgcGxheWJhY2siLCJ 0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwic3NhX2p0aSI6I mJyb3dzZXIiLCJjbGllbnRfaWQiOiJicm93c2VyIiwianRpIjo iNzFlMzcxMGItYmMwMy00Yjg2LTllZDAtNTkzYjlhZTA2YjYxI n0.ECaa03LkOOGp51gEju6Fc8ymz-2TV5XCt1S86AahigA

Error 404: <!DOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>Error Page</title> <style> h1 { width: 100%; text-align: center; } </style> </head> <body> <h1> 401 Unauthorized </h1> <hr> </body> </html>

thank you

You get a 401 Unauthorized status code which well, probably means you are not authorized to do the request. I see you cut the headers such that you don't include that authorization token which probably is the issue. So try it again with the authorization header included. (This probably even is the only header actually required for it to work).

[DannGamerz]

(This probably even is the only header actually required for it to work).

That is not right because i know that site requires json headers. So the script need editing and doesnt works at notaghost website. The server request need inspection to know how the server make the request.

[giorey]

Hello I tried to dump my moto onevision is l3 cmd v15 I run frida and script I loaded the script but I just get a license_request.bin what I'm doing wrong since the rsa cert is not exported?

Edit: Found the libwvhidl.so replaced the dynamics on scripts and still getting license_request.bin file only.

Can someone help please.

Read the post directly above yours? The vunrability is fixed in OEM Crypto API versions higher than 13. You need to downgrade to get you version =>13

Oh I see thanks, sorry thought it was possible to do it on v15, well will see if I have another device with v13

[filipino]

any guide for dumped on an android vmware or virtualbox machine?

[varwffoc]

Android 10 with oemcrypto 15 works fine. At least it has for me, multiple times.

Well done (multiple times)

Oh, hello Mr Snark. Too proud to be corrected I see.

If you read advice from multiple people you will see the vulnerability has been patched in versions above 13.

So again, well done to you for cracking oempcrypto v15. (Multiple times).

Its not fixed, its possible to crack up to oemcrypto version 15. You just need to find the right function (one function, not all of them like [ss]vegeta said). I have dumped from Android 11 with oemcrypto version 15 using this method.

[[ss]vegeta]

(one function, not all of them like [ss]vegeta said)

Shame on him, he has no idea what he is talking about.

[codehound]

Its not fixed, its possible to crack up to oemcrypto version 16. You just need to find the right function (one function, not all of them like [ss]vegeta said). I have dumped from Android 11 with oemcrypto version 16 using this method.

...

[naim2007]

Its not fixed, its possible to crack up to oemcrypto version 16. You just need to find the right function (one function, not all of them like [ss]vegeta said). I have dumped from Android 11 with oemcrypto version 16 using this method.[/QUOTE]

More stupid shit are comes.
waiting for smart ass to dump from android v12 oem 17

[codehound]

Addendum, I have been sent 'proof' which I am now examining that oemcrypto v15 is possible.

I will post back findings.

[EatThis]

I haven't tested Android 11 because I don't have one I want to test with. But about 10-15 days ago it worked fine with Android 10 with OEMCryto v15 after locating the right function, about 1-2 other user I've assisted with the L3 build version or system id 22585 which is often found on Android 10, have been able to do it as well. I doubt a change of this library which is usually written into a read-only section of the phone system file would take place without some OTA update, then again I am not an expect with how OTA updates are deployed. If anything, it may be happening on a OEM basis, some vendor had released updates that patch it and some haven't. But overall Android 6-10 seems to be functional in my trials after identifying the function.

Other cases can also be user's error. The user in question keep saying they don't get the private keys. But what does the log says?

[andrewzhong]

Android 10 with oem15 for sure can be extracted. I have extract it although the system id is an older one.

[k2000]

I already extracted my L3 key wondering where you see the oemcrypto version?.

[lomero]

if you have already extract on your pc see info with CDM-Device-Checker

if you want see info from your phone use DRM Info app for android

[k2000]

if you have already extract on your pc see info with CDM-Device-Checker

if you want see info from your phone use DRM Info app for android

Thanks

[zeosle]

Hi,

My L3 is now dumped. I want to use it to get decryption keys from channel 4 (all4) and channel 5 (my5). How do I get keys from channel 4 and how do I get 1080p encrypted videos from channel 5? I can get channel 5 keys, but not the 1080p encrypted videos to decrypt. You can inbox or respond here, kindly.