VideoHelp Forum

  1. I've read that one could modify wvdumper for devices not supported out of the box, but I haven't understood how.
    Seems to just depend on Android version from what I've seen.

    Do you know if any of the following is either factory rooted or easy to root, and then if Frida and wvdumper will work?

    Check xda forums.
    I believe there is root for a few of them; however, anything updated often isn't rootable. You need to not have the latest updates.
    I'm pretty sure I've seen some updates about the Chromecast being rootable but 2020 or 2021 software. I believe all those exploits are software based so as I mentioned you can't have an updated device.

    Also not sure the existing leaked script works to dump L3 at or above Android 11 even with making modifications to the JS
  2. Originally Posted by Romano2K View Post

    Anyway I'd like to get my own CDM keys.

    But the suggested T95 S1 is out of stock in my country, and anyway I wanted to know if other people have had success with other Android TV boxes. While I'm at it, I'd rather buy a branded and modern model that I'll keep using after extracting keys.
    Word of warning if you haven't done this before about using it after you've attempted a dump: if you can't afford to brick the device - don't use it. There's a good chance you may if you are a first timer, as things can, and do, go wrong.

    The device suggested by Angela is not only very cheap, it's also pre-rooted. (There will still be the older model available in some stores and marketplaces.)
    Last edited by codehound; 3rd Oct 2022 at 10:23.
    Discord codehound#0348
  3. I've rooted/modded many Android smartphones (and Windows Mobile devices before that!) and I'm aware of the risks, but I second your warning, thank you!
  4. Originally Posted by Romano2K View Post
    I've rooted/modded many Android smartphones (and Windows Mobile devices before that!)
    But you're on getwvkeys asking "I'm new to the thing and there's something I need help with. On my first attempt I can't find the MPD, so can't find the PSSH. Can someone help me understand how it works?"

    You'll get booted on there for asking basic wv stuff that's non-getwvkeys related.

    And without your own cdm....

    If you need help with the basics, just ask or discord me. Or vegeta, Angela, Lomero, LZAA, Cedric or Elcap. We all had to learn (still learning)
    Last edited by codehound; 3rd Oct 2022 at 17:57.
    Discord codehound#0348
  5. What I'm saying is that I'm new to DRM decrypting, but not to Android rooting and flashing.

    But I thank you very much for your invitation to DM you on Discord. I'm quite tech-savvy but indeed I need some help with the basics of Widevine.

    In the meantime I hope that I'll find an alternative Android TV box and that I'll be able to share my findings with the community.
  6. Hi all

    I've tried the instructions exactly as described, with the same device mentioned (T95 S1, Android 7).

    It seems to find libmediadrm successfully:

    Code:
    Helpers.Scanner - 87 - INFO - Running libmediadrm.so at 0xefd4b000
    But it just sits on

    Code:
    Hooks has been completed
    I've tried various different python versions to no avail. Anyone have an idea on what to try?
  7. Waste of time changing Python. Did you follow the instructions or your own riff on the instructions - like python versions?

    It does work. It has worked for many people. It may take many attempts. When at the hooks completed stage try refreshing the page with 'shift' while mouse clicking refresh - that will cause a full page re-load and your completed hooks into the processes running may capture what you need. Use bitmovin!
  8. Originally Posted by A_n_g_e_l_a View Post
    Waste of time changing Python. Did you follow the instructions or your own riff on the instructions - like python versions?
    I followed the instructions precisely, of course! Only after trying a few times with no success, did I try different python versions and such.
  9. Originally Posted by A_n_g_e_l_a View Post
    When at the hooks completed stage try refreshing the page with 'shift' while mouse clicking refresh
    Okay, I'll go fetch my keyboard.. been doing it all with the crappy remote... thanks
  10. Okay, got it to work.

    I checked
    Code:
    adb logcat
    and noted a lot of permission errors from Frida which seemed to be related to selinux.

    After setting
    Code:
    setenforce 0
    to change selinux to permissive, it worked first time.

    Thanks for the assist
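The SELinux denials mentioned in the post above sit in the same log stream a defender can monitor. As an added example (not code from the thread or from the dumper project), this Python script parses constructed `adb logcat`-style AVC lines and separates denials that enforcing mode blocked from those logged with `permissive=1`, which shows the access was allowed because enforcement was off; the sample lines, process tags and the `watch` list are assumptions.

```python
import re
from collections import Counter

# Constructed logcat lines (threadtime format) for illustration; not from the thread.
SAMPLE_LOGCAT = """\
10-10 16:30:01.101  2211  2211 W frida-server: type=1400 audit(0.0:311): avc: denied { ptrace } for scontext=u:r:su:s0 tcontext=u:r:mediaserver:s0 tclass=process permissive=0
10-10 16:30:01.140  2211  2211 W frida-server: type=1400 audit(0.0:312): avc: denied { write } for name="example.sock" dev="tmpfs" ino=4242 scontext=u:r:su:s0 tcontext=u:object_r:example_file:s0 tclass=sock_file permissive=0
10-10 16:30:02.007  1890  1890 W example.app: type=1400 audit(0.0:313): avc: denied { getattr } for path="/data/example" dev="dm-0" ino=77 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=0
10-10 16:30:05.500   812   830 I ActivityManager: Start proc 3001:com.example.browser/u0a55
10-10 16:31:10.220  2290  2290 W frida-server: type=1400 audit(0.0:340): avc: denied { ptrace } for scontext=u:r:su:s0 tcontext=u:r:mediaserver:s0 tclass=process permissive=1
"""

# Fields of an SELinux AVC denial as written to the kernel audit log / logcat.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+"
    r"tclass=(?P<tclass>\S+)\s+permissive=(?P<permissive>[01])"
)
# Priority letter followed by the log tag (the reporting process name).
TAG_RE = re.compile(r"\s[VDIWEF]\s+(?P<tag>[^:]+):\s")


def parse_denials(text):
    """Return one dict per AVC denial line; other log lines are ignored."""
    events = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        tag = TAG_RE.search(line)
        events.append({
            "tag": tag.group("tag").strip() if tag else "?",
            "perms": m.group("perms").split(),
            "scontext": m.group("scontext"),
            "tcontext": m.group("tcontext"),
            "tclass": m.group("tclass"),
            # permissive=1: the access was logged but NOT blocked.
            "permissive": m.group("permissive") == "1",
        })
    return events


def triage(events, watch=("frida",)):
    """Summarise denials; `watch` holds tag substrings treated as instrumentation."""
    watched = [e for e in events if any(w in e["tag"].lower() for w in watch)]
    permissive = [e for e in events if e["permissive"]]
    return {
        "by_tag": Counter(e["tag"] for e in events),
        "blocked_watched": [e for e in watched if not e["permissive"]],
        "permissive_events": permissive,
        # Any permissive=1 record means enforcement was off (globally or per domain).
        "permissive_seen": bool(permissive),
    }


if __name__ == "__main__":
    summary = triage(parse_denials(SAMPLE_LOGCAT))
    for e in summary["blocked_watched"]:
        print("blocked:", e["tag"], e["perms"], e["scontext"], "->", e["tcontext"])
    for e in summary["permissive_events"]:
        print("allowed in permissive mode:", e["tag"], e["perms"], e["tclass"])
    print("permissive_seen =", summary["permissive_seen"])
```
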
  11. Originally Posted by cslcm View Post
    Okay, got it to work.

    ....and noted a lot of permission errors from Frida which seemed to be related to selinux.
    Did you not run frida-server as root?
  12. Yes I did, I don't know why selinux was interfering.
  13. Originally Posted by cslcm View Post
    Yes I did, I don't know why selinux was interfering.
    OK that's another useful tweak; thanks.
  14. This may fall outside the scope of what's doable currently, but I'm having my own trouble getting my device keys. I've gotten my hands on a T95 box but I think of a different brand than the recommended S1 model, plus it has Android 10 on it. That said, it is rooted and I successfully got Frida Server 15.1.17 working on it as root, and the updated version of the dumper for Android 10/11/12 does seem to communicate successfully with the box and has the right prerequisites installed, but doesn't proceed from where it says "Functions Hooked, load the DRM stream test on Bitmovin!"

    My understanding is some of this can be a bit finicky and it can be a question of luck or timing in terms of how to load the bitmovin demo site and the dump_keys.py script relative to one-another. There definitely seems to be some sort of communication going on, though, as the Widevine DRM video loads and plays successfully, and if I load the script while the demo video is playing it does cause playback to error out when it hooks into various functions; if I refresh the Chrome page while holding shift I can play the video fine but get no reaction from the dumper script. In fact the script never responds even if I do something drastic like shut down frida-server. Here's what I've noted:

    There is no message about hooking into anything if Chrome is closed, it just asks to load the site but never shows anything from there no matter what I do in terms of opening Chrome and going to the bitmovin site. If Chrome is open before I load the script, it hooks into a variety of things including libwvhidl.so, lowidrgv and a bunch of what appears to be randomly named things.

    Is it just a matter of constantly trying until the planets align, or is there other stuff I could investigate to get this dump to work? I tried the "setenforce 0" command mentioned earlier but still nothing, have tried a few dozen times now. Thanks.
  15. Originally Posted by washizu View Post

    Is it just a matter of constantly trying until the planets align, or is there other stuff I could investigate to get this dump to work? I tried the "setenforce 0" command mentioned earlier but still nothing, have tried a few dozen times now. Thanks.
    Pretty much. Planets aligned and feet in a bucket of seaweed certainly makes a difference!
    You might try another site with DRM media to prevent boredom! And you've set the CDM_VERSION in script.js in the Helpers folder? I'm not sure how necessary that is though. The app 'DRM Info' will tell you the value if you haven't set it already.
    Many, many tries may be needed. I started afresh each time on an older box and it took a few days having a few tries and coming back another time. There are many reports that the new dumper with a better script.js is working well - but not for everyone. I tried getting an Android Emulator to dump over the weekend with no luck either - but I did see more than just Hooks completed.
    Android 10 is certainly doable!
  16. OK I did make one odd discovery.

    I rolled back to an earlier version of that script and got some progress, I got a much cleaner set of hooks including PrepareKeyRequest and UsePrivacyMode. This time, when I refreshed and played the video, I immediately got DEBUG: Retrieved key followed by a lengthy key (I'm not sure if this is in theory all I would need). However, the script then failed with what appear to be some Python errors ending in AttributeError: 'NoneType' object has no attribute 'n'.

    I was able to update to Frida Server 16.0.1, including updating the python components on the PC's end, but still have the same issue. Not sure if it's a python script code issue or something else. I'll have a look at script.js, although I did check my DRM and it's correct for Android 10 (CDM 15).
  17. Originally Posted by washizu View Post
    OK I did make one odd discovery.

    I rolled back to an earlier version of that script and got some progress, I got a much cleaner set of hooks including PrepareKeyRequest and UsePrivacyMode. This time, when I refreshed and played the video, I immediately got DEBUG: Retrieved key followed by a lengthy key (I'm not sure if this is in theory all I would need). However, the script then failed with what appear to be some Python errors ending in AttributeError: 'NoneType' object has no attribute 'n'.

    I was able to update to Frida Server 16.0.1, including updating the python components on the PC's end, but still have the same issue. Not sure if it's a python script code issue or something else. I'll have a look at script.js, although I did check my DRM and it's correct for Android 10 (CDM 15).
    Stick with the newer dumper; it is known to work with Android 10.
  18. Originally Posted by A_n_g_e_l_a View Post
    Stick with the newer dumper; it is known to work with Android 10.
    That's where it gets weird, though. So here's a more detailed breakdown of what's happening:

    - Most recent version of the script, from 3 days ago, seems to hook into randomly named functions, about 30 in all, and I don't think actually intercepts what it should be intercepting correctly as a result so it never responds to the key being loaded through Chrome.

    Code:
    2022-10-10 04:39:34 PM - Helpers.Device - 56 - INFO - Hooking libwvhidl.so at 0xab208000
    2022-10-10 04:39:34 PM - Helpers.Device - 56 - INFO - Hooked lowidrgv at 0xab3accd5
    2022-10-10 04:39:34 PM - Helpers.Device - 56 - INFO - Hooked jwfhubxj at 0xab3acb41
    2022-10-10 04:39:35 PM - Helpers.Device - 56 - INFO - Hooked gsxkjifu at 0xab3ad01d
    2022-10-10 04:39:35 PM - Helpers.Device - 56 - INFO - Hooked hznjcdnw at 0xab3acad1
    2022-10-10 04:39:35 PM - Helpers.Device - 56 - INFO - Hooked bmhdajlc at 0xab3ae19d
    2022-10-10 04:39:35 PM - Helpers.Device - 56 - INFO - Hooked cmzcexfb at 0xab4a1524
    2022-10-10 04:39:35 PM - Helpers.Device - 56 - INFO - Hooked atbbttgc at 0xab3ac789
    2022-10-10 04:39:35 PM - Helpers.Device - 56 - INFO - Hooked sqainylf at 0xab3ac9e5
    2022-10-10 04:39:35 PM - Helpers.Device - 56 - INFO - Hooked rhtqbhpx at 0xab3ac911
    2022-10-10 04:39:35 PM - Helpers.Device - 56 - INFO - Hooked qqdhbbli at 0xab3ace8d
    2022-10-10 04:39:35 PM - Helpers.Device - 56 - INFO - Hooked ggzbboev at 0xab3ae115
    2022-10-10 04:39:35 PM - Helpers.Device - 56 - INFO - Hooked _ZN5wvcdm10CdmLicense17PrepareKeyRequestERKNS_18InitializationDataENS_14CdmLicenseTypeERKNSt3__13mapINS5_12basic_stringIcNS5_11char_traitsIcEENS5_9allocatorIcEEEESC_NS5_4lessISC_EENSA_INS5_4pairIKSC_SC_EEEEEEPSC_SM_ at 0xab2d9469
    2022-10-10 04:39:35 PM - Helpers.Device - 56 - INFO - Hooked sidbkfkn at 0xab3adb99
    2022-10-10 04:39:35 PM - Helpers.Device - 56 - INFO - Hooked iizttqvt at 0xab3acaf9
    2022-10-10 04:39:35 PM - Helpers.Device - 56 - INFO - Hooked bqoddeag at 0xab3ad8a9
    2022-10-10 04:39:35 PM - Helpers.Device - 56 - INFO - Hooked _ZN5wvcdm10Properties14UsePrivacyModeERKNSt3__112basic_stringIcNS1_11char_traitsIcEENS1_9allocatorIcEEEE at 0xab32def1
    2022-10-10 04:39:35 PM - Helpers.Device - 56 - INFO - Hooked ycfidvov at 0xab3ad551
    2022-10-10 04:39:35 PM - Helpers.Device - 56 - INFO - Hooked oezgjqgm at 0xab3acb11
    2022-10-10 04:39:35 PM - Helpers.Device - 56 - INFO - Hooked ykndkmro at 0xab3ac865
    2022-10-10 04:39:35 PM - Helpers.Device - 56 - INFO - Hooked yvnaonxx at 0xab3ae035
    2022-10-10 04:39:35 PM - Helpers.Device - 56 - INFO - Hooked bacptgax at 0xab4a6240
    2022-10-10 04:39:35 PM - Helpers.Device - 56 - INFO - Hooked ypjgcauj at 0xab3ad1d5
    2022-10-10 04:39:35 PM - Helpers.Device - 56 - INFO - Hooked kqzqahjq at 0xab3ae2ed
    2022-10-10 04:39:35 PM - Helpers.Device - 56 - INFO - Hooked psjgupwz at 0xab3ae291
    - The version prior to that one, from 6 days ago, seems to hook in correctly (only hooks into three things: libwvhidl.so, PrepareKeyRequest and UsePrivacyMode), seems to get the key, but then errors out as follows:

    Code:
    2022-10-10 04:41:28 PM - Helpers.Device - 57 - DEBUG - Retrieved key: (LENGTHY RANDOM TEXT WAS HERE)
    Traceback (most recent call last):
      File "C:\Users\localadmin\AppData\Local\Programs\Python\Python310\lib\site-packages\frida\core.py", line 418, in _on_message
        callback(message, data)
      File "C:\Users\localadmin\Downloads\dumper-main\Helpers\Device.py", line 49, in on_message
        self.license_request_message(data)
      File "C:\Users\localadmin\Downloads\dumper-main\Helpers\Device.py", line 63, in license_request_message
        self.export_key(cur, root.Msg.ClientId)
      File "C:\Users\localadmin\Downloads\dumper-main\Helpers\Device.py", line 28, in export_key
        f'{self.name}/private_keys/{system_id}/{str(key.n)[:10]}'
    AttributeError: 'NoneType' object has no attribute 'n'
    Last edited by washizu; 10th Oct 2022 at 16:01.
  19. See post #167!

    How's your python? Error messages are a bit inscrutable but likely indicates nothing returned when it expected something.

    Did I say see post #167?
  20. Originally Posted by A_n_g_e_l_a View Post
    See post #167!

    How's your python? Error messages are a bit inscrutable but likely indicates nothing returned when it expected something.

    Did I say see post #167?
    Yes, this is the Diazole dumper, updated 3 days ago. Or is there another dumper I should be using instead?
  21. Originally Posted by washizu View Post
    . Or is there another dumper I should be using instead?
    No. Keep on trying - give the processes time after hooks completed and vary your approach. Kill frida after each attempt and restart the process afresh. I hooked the same functions on 10 with an emulator. Just keep on keeping on...
  22. Originally Posted by washizu View Post
    I rolled back to an earlier version of that script and got some progress, I got a much cleaner set of hooks including PrepareKeyRequest and UsePrivacyMode. This time, when I refreshed and played the video, I immediately got DEBUG: Retrieved key followed by a lengthy key (I'm not sure if this is in theory all I would need). However, the script then failed with what appear to be some Python errors ending in AttributeError: 'NoneType' object has no attribute 'n'.
    The reason you're getting a "cleaner" hook message is because the message was previously hardcoded and the script now returns the module name that was actually hooked.

    Originally Posted by washizu View Post
    That's where it gets weird, though. So here's a more detailed breakdown of what's happening:

    - Most recent version of the script, from 3 days ago, seems to hook into randomly named functions, about 30 in all, and I don't think actually intercepts what it should be intercepting correctly as a result so it never responds to the key being loaded through Chrome.

    - The version prior to that one, from 6 days ago, seems to hook in correctly (only hooks into three things: libwvhidl.so, PrepareKeyRequest and UsePrivacyMode), seems to get the key, but then errors out as follows:
    The reason the old version of the script is only hooking those two functions is because you haven't updated the "DYNAMIC_FUNCTION_NAME", it's an empty string by default. If you want to use the older version, you will need to find the correct function name and update this variable.

    The output you've provided for the new script is what I would expect. It's hooked every function it believes it could be (a-z regex).

    If you look at the source you will see that "UsePrivacyMode" is hooked so it can be overridden with a no-operation return value to prevent the payload from being encrypted with the server certificate. The "PrepareKeyRequest" function is used to retrieve your device information (blob). The final function that needs to be hooked is used to retrieve your private key. This function is unique to the "libwvhidl.so" on your device; however, other devices may have the same build version of this file, which means they will also have the same function name. There is only 1 correct function name out of the "30" that have been hooked.

    I was initially against hooking every function like this because I believed the lib had trap functions that would prevent the key from being dumped when hooked (I was unable to dump a key when hooking one of the "trap" functions); however, others appear to have had better luck, and I haven't had an issue since, so I thought it may have been a red herring. If you PM me your "libwvhidl.so" file, I will provide you with the correct function name.

    Restart your device > run Frida as root > run the script > load the bitmovin drm test page on chrome and click load

    You can also kill Frida, kill the script, force stop chrome (hold down on the app > force stop) and then start frida > start the script > load the drm test site
  23. Good to know, thank you for the information. I'll keep trying with the latest version of the script. So far I haven't gotten it to actually do anything after requesting the Bitmovin site to be loaded, I guess because it's not getting the full key dump (similar to why the earlier version errors out). Might have just not gotten the luck yet, or this box is doing something weird.

    Is there any point in trying different versions of frida/frida-server/frida-tools or does it not create a difference for what's going on here?
  24. You need to use the Frida server that was built for your architecture, presumably https://github.com/frida/frida/releases/download/15.2.2/frida-server-15.2.2-android-arm64.xz, I don't believe the version matters.

    I will look at adding some debug statements to the script to make it easier to figure out what's going on, you could modify your local version to do the same. I will also add the option to override the a-z regex to allow you to provide the correct function name in case there are trap functions.
  25. After analyzing your libwvhidl.so file I can see that your architecture is x86 ARM - use https://github.com/frida/frida/releases/download/16.0.1/frida-server-16.0.1-android-arm.xz.

    The function name you need is 'kqzqahjq'.

    Either modify the latest version of the script if you know what you're doing or use the older version and update DYNAMIC_FUNCTION_NAME.

    Code:
    const DYNAMIC_FUNCTION_NAME = 'kqzqahjq'
    Remember to kill Frida, kill the script, force stop chrome and then run Frida as root > start the script > load the drm test page on chrome and click load.

    Or restart your device and do the above.
  26. Great! Ran it through the older version of the script with that DFN you provided and it seems to have worked, got a client_id.bin and private_key.pem file, 2 kilobytes each.

    Thank you very much for your help!
  27. Could we dump rsa key using emulator (it's showing that it has widevine cdm)?
  28. Originally Posted by portalme View Post
    Could we dump rsa key using emulator (it's showing that it has widevine cdm)?
    Yes, people do. Use an emulator without Google Play and be sure to root the device. Don't emulate anything too modern. I tried and found the most up to date version of Magisk didn't allow system access. So choose a Magisk before TopJohnWu, its creator, decamped to Google Inc.
  29. Originally Posted by A_n_g_e_l_a View Post
    Originally Posted by portalme View Post
    Could we dump rsa key using emulator (it's showing that it has widevine cdm)?
    Yes, people do. Use an emulator without Google Play and be sure to root the device. Don't emulate anything too modern. I tried and found the most up to date version of Magisk didn't allow system access. So choose a Magisk before TopJohnWu, its creator, decamped to Google Inc.
    I'm using Android Studio emulator and it succeeded with root but not starting frida server properly
  30. Originally Posted by portalme View Post
    Originally Posted by A_n_g_e_l_a View Post
    Originally Posted by portalme View Post
    Could we dump rsa key using emulator (it's showing that it has widevine cdm)?
    Yes, people do. Use an emulator without Google Play and be sure to root the device. Don't emulate anything too modern. I tried and found the most up to date version of Magisk didn't allow system access. So choose a Magisk before TopJohnWu, its creator, decamped to Google Inc.
    I'm using Android Studio emulator and it succeeded with root but not starting frida server properly
    I got a bit further than that. I did say that rooting is a problem with limitations to Magisk. It can report root but not grant privileges in system. Using rootAVD? search github or xda-developers if needed. And do not use google play images!