Decryption and the Temple of Doom

[marioeivissa]

@By29: to add to what Angela said, before doing anything else you can give a try to the function names here: https://github.com/lollolong/dumper/blob/main/Helpers/script.js and add them to your script.js.

one by one??? and rebooting the device when we are trying each one?

anyway using pycdc for linux always same result BAD magic!!! so never can decode libwvhidl.so properly, any idea for this?


but the point is i got dump my vontarx4 with the diazole dumper, just putting inside the rest of modules than 3 post ago someone give us, before with the only 6 or 7 were inside, didnt work for me

[A_n_g_e_l_a]

anyway using pycdc for linux always same result BAD magic!!! so never can decode libwvhidl.so properly, any idea for this?

pydc decompiles python binary code, libwvhidl.so is a C 'Shared Object' library. You need a hex editor for .so files - if using linux -try ImHex .

[marioeivissa]

anyway using pycdc for linux always same result BAD magic!!! so never can decode libwvhidl.so properly, any idea for this?

pydc decompiles python binary code, libwvhidl.so is a C 'Shared Object' library. You need a hex editor for .so files - if using linux -try ImHex .

thanks bella!!!i will

[ar1sh]

i easily got the keys for this https://www.tg4.ie
but i cannot get keys for my concerned videos, vdocipher sucks.
plz help
[Attachment 78221 - Click to enlarge]

[white_snake]

i easily got the keys for this https://www.tg4.ie
but i cannot get keys for my concerned videos, vdocipher sucks.
plz help
[Attachment 78221 - Click to enlarge]

In your developer tools elements tab look for the player.vdocipher url and post it or send via pm.

[dark76]

hello. Weeks ago I dumped a cdm using andoid studio and it works but looks like some sites need a "real" one. I tried the procedure gently provided by Angela and there's no way I can dump an old android box I have (A1 plus), the only rooted android I have. So my question is this: does it work on android 6?
I have read all the 18 pages and looks like a guy had a similar box like mine (architecture: armeabi-v7a. I'm using the frida server from github named simply android arm). He solved downgrading on pc his frida-tools. I tried the same but without having any progress. I tried many different dumpers, starting from the original one linked in this guide to the one recently talked by lollolong which seems to have a better handling of the function names.
So basically I boot the android box, i do the "adb connect", I do "adb root" (that's not in the guide but otherwise i have some error), adb shell, su - , mv /sdcard/frida-server-16.2.1-android-arm /data/local/tmp/,
chmod +x /data/local/tmp/frida-server-16.2.1-android-arm, /data/local/tmp/frida-server-16.2.1-android-arm &. Then I open Chrome with https://bitmovin.com/demos/drm. I wait that the page is loaded. On pc I do "python dump_keys.py"


2024-05-08 06:01:35 PM - main - 32 - INFO - Connected to A1 PLUS
2024-05-08 06:01:35 PM - main - 33 - INFO - Scanning all processes
2024-05-08 06:01:37 PM - main - 39 - INFO - Functions hooked, now open the DRM stream test on Bitmovin from your Android device! https://bitmovin.com/demos/drm

then on the box i do shift and refresh on https://bitmovin.com/demos/drm but nothing happens. I tried many variants and something like 50 times in the last 3 hours and I begin to think that maybe it doesn't work on Android 6... I mean, I'm noob, but usually not THAT noob... Anyone has any idea?

[A_n_g_e_l_a]

hello. Weeks ago I dumped a cdm using andoid studio and it works but looks like some sites need a "real" one. I tried the procedure gently provided by Angela and there's no way I can dump an old android box I have (A1 plus), the only rooted android I have. So my question is this: does it work on android 6?
I have read all the 18 pages and looks like a guy had a similar box like mine (architecture: armeabi-v7a. I'm using the frida server from github named simply android arm). He solved downgrading on pc his frida-tools. I tried the same but without having any progress. I tried many different dumpers, starting from the original one linked in this guide to the one recently talked by lollolong which seems to have a better handling of the function names.
So basically I boot the android box, i do the "adb connect", I do "adb root" (that's not in the guide but otherwise i have some error), adb shell, su - , mv /sdcard/frida-server-16.2.1-android-arm /data/local/tmp/,
chmod +x /data/local/tmp/frida-server-16.2.1-android-arm, /data/local/tmp/frida-server-16.2.1-android-arm &. Then I open Chrome with https://bitmovin.com/demos/drm. I wait that the page is loaded. On pc I do "python dump_keys.py"


2024-05-08 06:01:35 PM - main - 32 - INFO - Connected to A1 PLUS
2024-05-08 06:01:35 PM - main - 33 - INFO - Scanning all processes
2024-05-08 06:01:37 PM - main - 39 - INFO - Functions hooked, now open the DRM stream test on Bitmovin from your Android device! https://bitmovin.com/demos/drm

then on the box i do shift and refresh on https://bitmovin.com/demos/drm but nothing happens. I tried many variants and something like 50 times in the last 3 hours and I begin to think that maybe it doesn't work on Android 6... I mean, I'm noob, but usually not THAT noob... Anyone has any idea?

Please understand I recovered my CDM 2 years ago and my memory of that is written down at page 1.

In your case it might be Android 6 that is the issue. You should at least be seeing messages from dumper - 'like hooks completed'. The other thing I noticed was the order; as I recall, you need to fire-up Chrome with the bitmovin link in the address bar but without a page loaded. Then you start Dumper and finally load the bitmovin page. But, as I say, dumper should show screen messages whatever happens. Is dumper actually running on the PC? And the PC dumper version is not arm but suitable for you PC's architecture?

As for your assertion that some sites need a Real CDM; Amazon Netflix restrict L3 to SD quality; most other sites don't appear to bother unless you are trying to rip from sites selling courses.

[Flippi]

@dark76 try to find if it's possible to upgrade your device to android 7 and then try again.

[white_snake]

hello. Weeks ago I dumped a cdm using andoid studio and it works but looks like some sites need a "real" one. I tried the procedure gently provided by Angela and there's no way I can dump an old android box I have (A1 plus), the only rooted android I have. So my question is this: does it work on android 6?

I've been told that KeyDive works on Android 6, might be worth a try.

[dark76]

@White_snake: that did it! this keydive script is quite easy to use and it dumped the private_key.pem and the client_id.bin at first try on my old android 6 box, thank you!

@A_n_g_e_l_a effectively, I was thinking to one of the "unmentionable" sites, someone said a "real" CDM was preferable but if you say it doesn't work, I believe. Thanks also to you

[stupid.345]

Hi there; could someone please help me with this Android 14 device (Xiaomi Redmi Note 13 Pro Plus)? I am running a custom rom, but I have verified that the DRM content works.

Code:

(env) ➜  KeyDive git:(main) python3 keydive.py -aw --functions /Users/REDACTED/android.hardware.drm-service.widevine.xml
2024-05-26 23:42:56 [I] KeyDive: Version: 1.0.8
2024-05-26 23:42:56 [I] Cdm: Device: 23090RA98G (GQX4EUFEAMEI79VW)
2024-05-26 23:42:56 [I] Cdm: SDK API: 34
2024-05-26 23:42:56 [I] Cdm: ABI CPU: arm64-v8a
2024-05-26 23:42:56 [I] Cdm: Script loaded successfully
2024-05-26 23:42:56 [D] Cdm: Analysing... (android.hardware.drm-service.widevine)
2024-05-26 23:42:56 [D] Cdm: Analysing... (android.hardware.drm-service.widevine)
2024-05-26 23:42:56 [D] Cdm: Analysing... (mediaserver)
2024-05-26 23:42:57 [I] Vendor: CDM version: 18.0.0
2024-05-26 23:42:57 [I] Vendor: OEM Crypto API: 18
2024-05-26 23:42:57 [I] KeyDive: Process: 1124 (android.hardware.drm-service.widevine)
2024-05-26 23:42:57 [I] Cdm: Library: android.hardware.drm-service.widevine (/vendor/bin/hw/android.hardware.drm-service.widevine)
2024-05-26 23:42:57 [E] Script: Insufficient functions hooked
2024-05-26 23:42:57 [C] KeyDive: Failed to hook into the Widevine process
2024-05-26 23:42:57 [I] KeyDive: Exiting

I extracted the functions from /vendor/bin/hw/android.hardware.drm-service.widevine in Ghidra, and I am running liboemcryptodisabler.
Am I missing something?

[FoxRefire]

Hi there; could someone please help me with this Android 14 device (Xiaomi Redmi Note 13 Pro Plus)? I am running a custom rom, but I have verified that the DRM content works.

Code:

(env) ➜  KeyDive git:(main) python3 keydive.py -aw --functions /Users/REDACTED/android.hardware.drm-service.widevine.xml
2024-05-26 23:42:56 [I] KeyDive: Version: 1.0.8
2024-05-26 23:42:56 [I] Cdm: Device: 23090RA98G (GQX4EUFEAMEI79VW)
2024-05-26 23:42:56 [I] Cdm: SDK API: 34
2024-05-26 23:42:56 [I] Cdm: ABI CPU: arm64-v8a
2024-05-26 23:42:56 [I] Cdm: Script loaded successfully
2024-05-26 23:42:56 [D] Cdm: Analysing... (android.hardware.drm-service.widevine)
2024-05-26 23:42:56 [D] Cdm: Analysing... (android.hardware.drm-service.widevine)
2024-05-26 23:42:56 [D] Cdm: Analysing... (mediaserver)
2024-05-26 23:42:57 [I] Vendor: CDM version: 18.0.0
2024-05-26 23:42:57 [I] Vendor: OEM Crypto API: 18
2024-05-26 23:42:57 [I] KeyDive: Process: 1124 (android.hardware.drm-service.widevine)
2024-05-26 23:42:57 [I] Cdm: Library: android.hardware.drm-service.widevine (/vendor/bin/hw/android.hardware.drm-service.widevine)
2024-05-26 23:42:57 [E] Script: Insufficient functions hooked
2024-05-26 23:42:57 [C] KeyDive: Failed to hook into the Widevine process
2024-05-26 23:42:57 [I] KeyDive: Exiting

I extracted the functions from /vendor/bin/hw/android.hardware.drm-service.widevine in Ghidra, and I am running liboemcryptodisabler.
Am I missing something?

Do you use THIS disabler?
The ones in Magisk-Modules-Repo doesn't work with the latest Magisk/KernelSU.
If the module is working properly, the security level in the DRM Info app should show L3.

[stupid.345]

Do you use THIS disabler?
The ones in Magisk-Modules-Repo doesn't work with the latest Magisk/KernelSU.
If the module is working properly, the security level in the DRM Info app should show L3.

I did use hzy132's fork of the project, and the DRM Info app says that it is L3 rather than L1, and media plays fine on the device. I'm not entirely sure, but I may have extracted functions from the wrong binary. KeyDive only says "e.g., the Widevine CDM library from the Android device", but doesn't tell the name of the file.

[FoxRefire]

Do you use THIS disabler?
The ones in Magisk-Modules-Repo doesn't work with the latest Magisk/KernelSU.
If the module is working properly, the security level in the DRM Info app should show L3.

I did use hzy132's fork of the project, and the DRM Info app says that it is L3 rather than L1, and media plays fine on the device. I'm not entirely sure, but I may have extracted functions from the wrong binary. KeyDive only says "e.g., the Widevine CDM library from the Android device", but doesn't tell the name of the file.

Could you send CDM binary and XML here or PM?

[stupid.345]

android.hardware.drm-service.widevine.xml XML
android.hardware.drm-service.widevine.zip Binary

[white_snake]

I did use hzy132's fork of the project, and the DRM Info app says that it is L3 rather than L1, and media plays fine on the device. I'm not entirely sure, but I may have extracted functions from the wrong binary. KeyDive only says "e.g., the Widevine CDM library from the Android device", but doesn't tell the name of the file.

You got the right one, it's specified here in your log:

Code:

2024-05-26 23:42:57 [I] Cdm: Library: android.hardware.drm-service.widevine (/vendor/bin/hw/android.hardware.drm-service.widevine)

[FoxRefire]

[Attachment 79411 - Click to enlarge] XML

[Attachment 79412 - Click to enlarge] Binary

It looks like this binary is corrupted.
CDM binaries should normally have a file size of about 2.5 MB, but this one is only 15.4 KB.
Try adb pull again.
If this not work, run `adb shell ls -la /vendor/bin/hw/` and send console output

[stupid.345]

I pulled the binary again, and the size was again 16KB.

Output of ls -lah /vendor/bin/hw/:

Code:

total 5.7M
drwxr-x--x 4 root shell 3.4K 2009-01-01 01:00 .
drwxr-x--x 7 root shell 5.7K 2009-01-01 01:00 ..
-rwxr-xr-x 1 root shell  19K 2009-01-01 01:00 android.hardware.audio.service.mediatek
-rwxr-xr-x 1 root shell  11K 2009-01-01 01:00 android.hardware.bluetooth@1.1-service-mediatek
-rwxr-xr-x 1 root shell  11K 2009-01-01 01:00 android.hardware.boot@1.2-service
-rwxr-xr-x 1 root shell  36K 2009-01-01 01:00 android.hardware.cas@1.2-service-lazy
-rwxr-xr-x 1 root shell 144K 2009-01-01 01:00 android.hardware.drm-service.clearkey
-rwxr-xr-x 1 root shell  15K 2009-01-01 01:00 android.hardware.drm-service.widevine
-rwxr-xr-x 1 root shell  37K 2009-01-01 01:00 android.hardware.dumpstate-service.xiaomi
-rwxr-xr-x 1 root shell  11K 2009-01-01 01:00 android.hardware.gatekeeper@1.0-service
-rwxr-xr-x 1 root shell  11K 2009-01-01 01:00 android.hardware.gnss-service.mediatek
lrwxr-xr-x 1 root shell   85 2009-01-01 01:00 android.hardware.graphics.allocator@4.0-service-mediatek -> /vendor/bin/hw/mt6886/android.hardware.graphics.allocator@4.0-service-mediatek.mt6886
lrwxr-xr-x 1 root shell   70 2009-01-01 01:00 android.hardware.graphics.allocator@4.0-service-mediatek.mt6886 -> mt6886/android.hardware.graphics.allocator@4.0-service-mediatek.mt6886
-rwxr-xr-x 1 root shell  86K 2009-01-01 01:00 android.hardware.graphics.composer@2.1-service
-rwxr-xr-x 1 root shell 131K 2009-01-01 01:00 android.hardware.graphics.composer@2.3-service
-rwxr-xr-x 1 root shell 156K 2009-01-01 01:00 android.hardware.graphics.composer@2.4-service
-rwxr-xr-x 1 root shell 115K 2009-01-01 01:00 android.hardware.graphics.composer@3.1-service
-rwxr-xr-x 1 root shell 3.2M 2009-01-01 01:00 android.hardware.health-service.example
-rwxr-xr-x 1 root shell 229K 2009-01-01 01:00 android.hardware.identity-service.mitee@4.0
-rwxr-xr-x 1 root shell  20K 2009-01-01 01:00 android.hardware.ir-service.example
-rwxr-xr-x 1 root shell  28K 2009-01-01 01:00 android.hardware.lights-service.mediatek
-rwxr-xr-x 1 root shell 8.0K 2009-01-01 01:00 android.hardware.media.c2@1.2-mediatek
-rwxr-xr-x 1 root shell  15K 2009-01-01 01:00 android.hardware.media.c2@1.2-mediatek-64b
-rwxr-xr-x 1 root shell  15K 2009-01-01 01:00 android.hardware.media.omx@1.0-service
-rwxr-xr-x 1 root shell  29K 2009-01-01 01:00 android.hardware.memtrack-service.mediatek
-rwxr-xr-x 1 root shell 795K 2009-01-01 01:00 android.hardware.neuralnetworks-shim-service-mtk
-rwxr-xr-x 1 root shell 795K 2009-01-01 01:00 android.hardware.neuralnetworks-shim-service-mtk-lazy
-rwxr-xr-x 1 root shell  90K 2009-01-01 01:00 android.hardware.secure_element@1.2-service-mediatek
-rwxr-xr-x 1 root shell  99K 2009-01-01 01:00 android.hardware.security.keymint@2.0-service.mitee
-rwxr-xr-x 1 root shell 112K 2009-01-01 01:00 android.hardware.sensors-service.multihal
-rwxr-xr-x 1 root shell  11K 2009-01-01 01:00 android.hardware.thermal@2.0-service.mtk
-rwxr-xr-x 1 root shell 101K 2009-01-01 01:00 android.hardware.usb-aidl-service.mediatekv1.0
-rwxr-xr-x 1 root shell  28K 2009-01-01 01:00 android.hardware.usb.gadget-service.mediatekv1.1
-rwxr-xr-x 1 root shell 569K 2009-01-01 01:00 android.hardware.wifi@1.0-service-lazy
lrwxr-xr-x 1 root shell   63 2009-01-01 01:00 arm.mali.platform-service.mediatek -> /vendor/bin/hw/mt6886/arm.mali.platform-service.mediatek.mt6886
lrwxr-xr-x 1 root shell   22 2009-01-01 01:00 camerahalserver -> mt6886/camerahalserver
-rwxr-xr-x 1 root shell 1.1M 2009-01-01 01:00 hostapd
drwxr-x--x 2 root shell  129 2009-01-01 01:00 mt6886
drwxr-x--x 2 root shell   27 2009-01-01 01:00 mt6985
-rwxr-xr-x 1 root shell  15K 2009-01-01 01:00 mtkfusionrild
-rwxr-xr-x 1 root shell  49K 2009-01-01 01:00 tetheroffloadservice
-rwxr-xr-x 1 root shell  11K 2009-01-01 01:00 vendor.dolby.hardware.dms@2.0-service
-rwxr-xr-x 1 root shell  11K 2009-01-01 01:00 vendor.dolby.media.c2@1.0-service
-rwxr-xr-x 1 root shell  24K 2009-01-01 01:00 vendor.mediatek.hardware.aee@1.1-service
-rwxr-xr-x 1 root shell  24K 2009-01-01 01:00 vendor.mediatek.hardware.gnss.batching-service
-rwxr-xr-x 1 root shell  24K 2009-01-01 01:00 vendor.mediatek.hardware.mmagent@1.1-service
-rwxr-xr-x 1 root shell  11K 2009-01-01 01:00 vendor.mediatek.hardware.mmlpq@V1-service
-rwxr-xr-x 1 root shell  11K 2009-01-01 01:00 vendor.mediatek.hardware.mms@1.7-service
-rwxr-xr-x 1 root shell  24K 2009-01-01 01:00 vendor.mediatek.hardware.mtkpower@1.0-service
-rwxr-xr-x 1 root shell  24K 2009-01-01 01:00 vendor.mediatek.hardware.mtkpower_applist-service.mediatek
-rwxr-xr-x 1 root shell  11K 2009-01-01 01:00 vendor.mediatek.hardware.nvram@1.1-service
-rwxr-xr-x 1 root shell  11K 2009-01-01 01:00 vendor.mediatek.hardware.nwk_opt@1.0-service
-rwxr-xr-x 1 root shell  11K 2009-01-01 01:00 vendor.mediatek.hardware.pq_aidl-service
-rwxr-xr-x 1 root shell  20K 2009-01-01 01:00 vendor.qti.sla.service@1.0-service
-rwxr-xr-x 1 root shell 361K 2009-01-01 01:00 vendor.xiaomi.cit.wifi@1.0-service
-rwxr-xr-x 1 root shell  28K 2009-01-01 01:00 vendor.xiaomi.hardware.cld@1.0-service
-rwxr-xr-x 1 root shell  11K 2009-01-01 01:00 vendor.xiaomi.hardware.displayfeature@1.0-service
-rwxr-xr-x 1 root shell  33K 2009-01-01 01:00 vendor.xiaomi.hardware.dtool@1.0-service
-rwxr-xr-x 1 root shell  50K 2009-01-01 01:00 vendor.xiaomi.hardware.micharge@1.0-service
-rwxr-xr-x 1 root shell  66K 2009-01-01 01:00 vendor.xiaomi.hardware.mimd@1.0-service
-rwxr-xr-x 1 root shell  38K 2009-01-01 01:00 vendor.xiaomi.hardware.misys@1.0-service
-rwxr-xr-x 1 root shell  34K 2009-01-01 01:00 vendor.xiaomi.hardware.misys@2.0-service
-rwxr-xr-x 1 root shell  42K 2009-01-01 01:00 vendor.xiaomi.hardware.misys@3.0-service
-rwxr-xr-x 1 root shell  16K 2009-01-01 01:00 vendor.xiaomi.hardware.misys@4.0-service
-rwxr-xr-x 1 root shell  42K 2009-01-01 01:00 vendor.xiaomi.hardware.secure_element@1.2-service
-rwxr-xr-x 1 root shell  16K 2009-01-01 01:00 vendor.xiaomi.hardware.videoservice@1.0-service
-rwxr-xr-x 1 root shell  16K 2009-01-01 01:00 vendor.xiaomi.hidl.minet@1.0-service
-rwxr-xr-x 1 root shell  16K 2009-01-01 01:00 vendor.xiaomi.hidl.miwill@1.0-service
-rwxr-xr-x 1 root shell  16K 2009-01-01 01:00 vendor.xiaomi.sensor.communicate@1.0-service
-rwxr-xr-x 1 root shell  11K 2009-01-01 01:00 vtservice_hidl
-rwxr-xr-x 1 root shell 3.0M 2009-01-01 01:00 wpa_supplicant

[FoxRefire]

Run following command and use found binary if it has 2.5MB file size

Code:

adb shell "find . 2>/dev/null | grep android.hardware.drm-service.widevine"

If you cannot find the 2.5 MB file by this command, try looking for the file "android.hardware.drm-V1-ndk.so" as well.

Code:

adb shell "find . 2>/dev/null | grep android.hardware.drm-V1-ndk.so"

When I loaded this 16KB binary in Ghidra, this library was listed as a dependency, so I assumed that the CDM processing was actually done here.

[Attachment 79419 - Click to enlarge]
Once the file is found, pull it as well and add it to the Ghidra project. Try extracting the function again in this state.

[stupid.345]

Hi, I tried to extract the file and the functions, but the binary is still very small, 750KB.

The binary and the functions are attached here. android.hardware.drm-V1-ndk.so.zip

How did you access the list of dependencies in Ghidra though?

[FoxRefire]

Hi, I tried to extract the file and the functions, but the binary is still very small, 750KB.

The binary and the functions are attached here.
[Attachment 79420 - Click to enlarge]

How did you access the list of dependencies in Ghidra though?

Dependencies are shown in the Symbol tree in the left sidebar of CodeBrowser.

They are also displayed in the popup when a file is imported.

It looks like CDM's functionality has been split into multiple binaries and the obfuscation method seems to have been updated.

This is probably due to the fact that your device is fairly new and defaults to Android 14 from the factory.

Sorry, I am still a novice when it comes to reverse engineering so I cannot offer any further advice.

If you go to the Keydive repository and make an issue with the appropriate information, the repository owner may be able to help you since he seems to be familiar with reverse engineering such as Frida.

[videre]

Thank you A_n_g_e_l_a. There is no better guide for a beginner. There is a tiny error in your original post that took me a while to resolve, thanks to others on this forum (https://forum.videohelp.com/threads/414741-mp4decrypt-unexpected-argument-error#post2737711). In the first mention of mp4decrypt, there is an en dash, where there should be a hyphen/minus. Or two hyphen/minus characters - that maybe depends on the OS or version of mp4decrypt. Copy/pasting that led to some time wasting for me. Maybe you can correct that with an edit.

Code:

mp4decrypt –key 0294b9599d755de2bbf0fdca3fa5eab7:3bda2f40344c7def614227b9c0f03e26  <infile.mp4>  <outfile.mp4>

should be

Code:

mp4decrypt --key 0294b9599d755de2bbf0fdca3fa5eab7:3bda2f40344c7def614227b9c0f03e26  <infile.mp4>  <outfile.mp4>

[A_n_g_e_l_a]

Thank you A_n_g_e_l_a. There is no better guide for a beginner. There is a tiny error in your original post that took me a while to resolve, thanks to others on this forum (https://forum.videohelp.com/threads/414741-mp4decrypt-unexpected-argument-error#post2737711). In the first mention of mp4decrypt, there is an en dash, where there should be a hyphen/minus. Or two hyphen/minus characters - that maybe depends on the OS or version of mp4decrypt. Copy/pasting that led to some time wasting for me. Maybe you can correct that with an edit.

Code:

mp4decrypt –key 0294b9599d755de2bbf0fdca3fa5eab7:3bda2f40344c7def614227b9c0f03e26  <infile.mp4>  <outfile.mp4>

should be

Code:

mp4decrypt --key 0294b9599d755de2bbf0fdca3fa5eab7:3bda2f40344c7def614227b9c0f03e26  <infile.mp4>  <outfile.mp4>

Brilliant message thanks. Correcting it now.

[marioeivissa]

Hi, I tried to extract the file and the functions, but the binary is still very small, 750KB.

The binary and the functions are attached here.
[Attachment 79420 - Click to enlarge]

How did you access the list of dependencies in Ghidra though?

Dependencies are shown in the Symbol tree in the left sidebar of CodeBrowser.

They are also displayed in the popup when a file is imported.

It looks like CDM's functionality has been split into multiple binaries and the obfuscation method seems to have been updated.

This is probably due to the fact that your device is fairly new and defaults to Android 14 from the factory.

Sorry, I am still a novice when it comes to reverse engineering so I cannot offer any further advice.

If you go to the Keydive repository and make an issue with the appropriate information, the repository owner may be able to help you since he seems to be familiar with reverse engineering such as Frida.

hi mate are you the owner of the project foxrefire/wvg?????

[FoxRefire]

hi mate are you the owner of the project foxrefire/wvg?????

Yes what?

[A_n_g_e_l_a]

Run following command and use found binary if it has 2.5MB file size

Code:

adb shell "find . 2>/dev/null | grep android.hardware.drm-service.widevine"

This command was very helpful locating my Pixel's android.hardware.drm-service.widevine. Only I always like to be in shell - just habit - so ran the find command directly. It needed the shell to be super user; 'su' issued first, then followed by find, found two locations to pull the binary from the phone.

Use of Ghidra was necessary for my Pixel running Android 14. Many script runs, after producing a functions.xml, failed with 'No data for device info, invalid argument position'.

Eventually, I found I needed to check every checkbox for analyse options in Ghidra to produce a functions.xml before keydive.py would produce an output.

Additionally I had a 'No data for device info, invalid argument position' when running keydive.py. A bit of trial and error editing the integer in line 143 in keydive.js (with help from hyugogirubato, thanks) eventually avoided the error.
But I think, without too much hassle, it would be to easiest to observe output from keydive.py after running alternates, 1 through 7, for the int on line 143 of keydive.js, if you get similar errors

[marioeivissa]

hi mate are you the owner of the project foxrefire/wvg?????

Yes what?

very very nice project mate, goog job, i was asking you in the issues sections about some questions, you always answer, very nice man

[Vanka]

Good afternoon all, first I wanted to thank you all for your efforts to share your knowledge and educate someone like me, who have not even heard about most of these tools and technologies discussed here. I don't have any background in computers and programming, but I have managed to learn a lot about the technologies in place in these weeks. My biggest issue: lack of general background knowlege of programming. I am committed to use this experience to learn more about programming in the coming years, and this is what is all about (rather education as opposed to a need to download a particular video). Unfortuantely, I have run into a wall earlier this week and I am confused on what to do next. Step by step, I have obtained CDM keys from the emulated devices, then I was able to extract PSSH keys, license URL, MPD linke, create headers and parallely I have learned how to download encrypted files using N_m3u8DL-RE. I literally stuck at the point when I need to run a WKS or Pywidevine script with the inputs I have to get the KEY. And here where I am confused. I have one simple question: what is the version of WKS or Pywidevine script that you use currently that works for you? Do you use it in Windows or on MacOS? I tried different packages on both system, and every time I have a different error. So, i want to go a step back and ask you , when you put all the inputs in SCRIPT to generate the KEY, what Script to do use today and , if possible, give me a link to download it... Many thanks!

[Vanka]

And just as I wrote this, i have managed to generate my first key with the very first version of WSK... The questions above are hence irrelevant. I will take time to study how that was possible, but first fruits taste soo good! Thank you all!!!

[keep_it_breezy]

And just as I wrote this, i have managed to generate my first key with the very first version of WSK... The questions above are hence irrelevant. I will take time to study how that was possible, but first fruits taste soo good! Thank you all!!!

You're a success story! Great job with your persistence, happy for you.