Notes on my journey to get a working Content Decryption Module (CDM)
I chose a cheap Android TV box T95 S1 2Gb/16Gb at £29.99 from Amazon.
Download a frida-server from https://github.com/frida/frida/releases
I had success with frida-server-15.1.17-android-arm.xz - the latest release - although I tried many other releases along the way.
adb via USB cable does not work between a PC and the Android TV box; you’ll need to connect over wifi..and accept the link request to the Android box displayed on the T95 screenCode:adb connect <box-ip-address>
I tried using Frida from Google play store and that is perhaps an easy way to get the server software on the machine but I had problems with it and reverted to hand loading the frida-server and running it from SuperUser.
Code:adb push frida-server-15.1.17-android-arm /sdcard/move the server so it can be runCode:adb shell
Starting the frida-server first explicitly become super-user and clear any user environment variables active by including a hyphen after su.Code:mv /sdcard/fridaserver-15.1.17-android-arm /data/local/tmp/
Give execute program privilegesCode:su -
start the serverCode:chmod +x /data/local/tmp/fridaserver-15.1.17-android-arm
check its running..Code:/data/local/tmp/fridaserver-15.1.17-android-arm
That will give you a process number to kill it with later if you need to.Code:ps | grep frida
Dumper – download from https://github.com/wvdumper/dumper and extract.Code:kill ####
To work Dumper needs python modules for:- frida, protobuf and pycryptodome . The Python modules are installed withDumper is a python program to extract the CDM keys; it talks to the frida-server on the Android box. There is much misdirection about which pythons to use. I spent a day setting up a virtual machine and running pythons 3.6 , 3.7 and 3.9 all to no avail.Code:python pip install frida protobuf==3.20.3 pycryptodome
The latest python on my daily driver machine 3.10.2 finally worked but it perhaps because of the wrinkles of timing everything right.
will run the software when ready.Code:python dump-keys.py
Prepare android-tv-box; update chrome to the latest version the Play-Store has
On the TV box start the updated Chrome browser and open https://bitmovin.com/demos/drm; let the page load and then close chrome. Next time Chrome is started it will automatically load this page with widevine protected content.
I think timing and sequence are important; from memory a few days after getting keys from my CDM
Mine then dumped after days of trying. Misdirection read here suggested stopping and starting the playing movie; I think keys are shared from Chrome and the bitmovin site as soon as the page loads. So stopping and starting the movie when playing just wastes everyone's time.
- Reboot the android box
- reboot your PC and from the PC
- adb connect <android-tv-ip>
- adb shell
- su -
- chmod +x /data/local/tmp/frida-server-15.1.17-android-arm
- optional; check running ps | grep frida
- on the android tv box start Chrome
- and immediately on the Pc start dumper: python dump-keys.py
- wait for "hooks completed" to appear on the screen then load the page to play the movie. (Or if the page is already loaded hold 'shift' down while clicking the browser refresh icon)
Ok with keys dumped what do you do with them? A hack!! Find a key generator and replace their keys with yours!
Find WKS-KEYS https://anonfiles.com/XdUbwepdve/WKS-KEYS_rar and unpack
Two files to be replaced:- device-client-id-blob and device-private-key.
Dumper stored the android-tv-box keys in key-dumps/MBOXprivate-keys//xxxx/xxxxxxxx/client-id-bin and private-key-pem these two replace in name and body the ones in WKS-KEYS. The *bin becomes the blob (binary large object)
Now, in theory you have a working CDM and can generate your own keys. I found an encrypted video to download, located the request headers saved as a cURL and encoded intp python here:- https://curlconverter.com/ . I put them in headers.py in the WKS-KEYS folder. Eventually when I tried to decrypt keys I got an error about the key length being wrong. Some WiseHead wrote in their experience it was because the CDM was not working --- uurgh!!
So I slept on the problem and realised that the servers we ‘attack’ try to repel us. But bitmovin.com/demos.drm is there to help.
So I checked my keys were working there;-
this link loaded in a browser will show PSSH keys between <cenc: pssh> html markup andCode:https://bitmovin-a.akamaihd.net/content/art-of-motion_drm/mpds/11331.mpd
is the license. Edit: 2 Oct 2022 this URL has changed since March and the correct version is above.Code:https://cwip-shaka-proxy.appspot.com/no_auth
runningand plugging in the PSSH and licence gave me:-Code:python l3.py
Taadaa!! I nearly fell off my chairCode:--key 0294b9599d755de2bbf0fdca3fa5eab7:3bda2f40344c7def614227b9c0f03e26 --key 639da80cf23b55f3b8cab3f64cfa5df6:229f5f29b643e203004b30c4eaf348f4
I downloaded the video:-
that gave two files an mp4 video and m4a audio encrypted.Code:yt-dlp –allow-unplayable https://bitmovin-a.akamaihd.net/content/art-of-motion_drm/mpds/11331.mpd
Decrypted with mp4decryt -from https://www.bento4.com/downloads/
Note: 2 October 2022Code:mp4decrypt –key 0294b9599d755de2bbf0fdca3fa5eab7:3bda2f40344c7def614227b9c0f03e26 <infile.mp4> <outfile.mp4>
The license url has changed and also when testing I got back 5 keys :
[Attachment 67047 - Click to enlarge]
It is unusual, but RTE.ie gives 5 keys too! If you need to deal with more than one set of keys, just chain them one after the other, as below.
Do the same for the audio file and you then need to combine the audio and video into one playable stream with ffmpeg. It comes installed on my Linux distro.Code:mp4decrypt --key ccbf5fb4c2965be7aa130ffb3ba9fd73:9cc0c92044cb1d69433f5f5839a159df --key 9bf0e9cf0d7b55aeb4b289a63bab8610:90f52fd8ca48717b21d0c2fed7a12ae1 --key eb676abbcb345e96bbcf616630f1a3da:100b6c20940f779a4589152b57d2dacb --key 0294b9599d755de2bbf0fdca3fa5eab7:3bda2f40344c7def614227b9c0f03e26 --key 639da80cf23b55f3b8cab3f64cfa5df6:229f5f29b643e203004b30c4eaf348f4 encrypted_input.mp4 decrypted_output.mp4
That’s all I know and now I am off to see if I can do it for real. I may be away for some time!!Code:ffmpeg -i decrypted.mp4 -i decrypted.m4a -vcodec copy -acodec copy your_movie.mp4
It seems there is now a Dumper version that with a bit of work from you will get keys for other Androids - all the way up to Android 12 is claimed. They all need to be rooted of course and doing it on your daily driver phone is never a good idea. You will lose L1 on your phone when you root (though Xiaomi possibly not).
I have not tested these. See https://github.com/Diazole/dumper Direct your questions to the author on this.
When you have digested the above and got your CDM, tried a few keys, The Dungeon of Despair awaits your pleasure!!
Please follow netiquette and ask your questions here in this thread, so all may benefit.
+ Reply to Thread
Results 1 to 30 of 226
Last edited by A_n_g_e_l_a; 4th Dec 2022 at 06:40. Reason: added addendum; added protobuf version - thanks kenyard. headers
wow great discover ...
better late than never
Did you try using Netflix? I made first attempts with bitmovin demos in Chrome and using amazon app on some boxes and phones with no result, but using Netflix succeeded quickly.
Enviado desde mi Redmi Note 4 mediante Tapatalk
I have just used my cdm in the defunct narrowvine-reborn and it only bloody works!!! Off to watch some videos..
Thanks for documenting, in detail. Important for future reference, when needed.
just wanted to say, great write up
widevine reborn does not decrypt even with an Android CDM L3.My can download .
It might not do everything and headers may be a problem; but it does work. You cannot just replace the CDM. You need to configure narrowvine-reborn.py and another file I cannot remember the name of. But you will see it when narrowvine complains.
I got it to work with this https://player.stv.tv/episode/48d2/sony-commons. No header problems here.
[edit 6 April 2022]
The video link above has had an upgrade to its manifest. The manifest now loads around 17 part video and audio files. Most of them are adverts. You can tell the 'updated' manifests as the start will be ssai. Yt-dlp will now fail with simple configurations.
The link above is not a good one to practice on now - find somewhere else.
Last edited by A_n_g_e_l_a; 6th Apr 2022 at 09:38. Reason: download link now pointing to a difficult manifest
Same here, most of my stuff is based of Narrowvine-reborn, it needs some custom stuff here and there and it probably isn't the best solution out there but it is all I had when I got into this stuff.
A great guide for beginners. That's exactly what the forum needs. (instead of "hey bro, gimme the keys" messages)
I won't use these methods but I want to thank Angela.
Unfortunately I sold my Android TV Box (with 9.0) last year and I'm afraid to root my Android 9.0 phone (there's a high risk about its camera functionality after root).
Great guide, I finally got this working with a T95 S1 TV box.
The TV box T95 S1 is android version 7. I think I read that it all works up to Android 9. Perhaps others can confirm?
Last edited by A_n_g_e_l_a; 5th Apr 2022 at 13:33.
Last edited by codehound; 5th Apr 2022 at 15:37.Discord codehound#0348
The cdm by itself is not the answer to udemy / vdo as people have told you in numerous threads. You will not stumble on the answer to this, you need to understand the process of the website and the calls and responses.
Last edited by codehound; 5th Apr 2022 at 16:32.Discord codehound#0348
It would be more logical of my time to reverse engineer the widevine DRM engine which isn't so hard to do. It's similar to cracking/breaking keyed softwares, just that I need to dump decryption keys. Basically I click a video (no need to clown around with the license requests which children here do) and voila, decryption keys. Oddly enough "Udemy.com" actually have some fascinating courses which teaches you noobs fundamental reverse engineering down to assembly language to do these kinds of stuffs.
Reverse engineering is fun, it's like solving a puzzle with some detective and investigation mindset.
You can use Hex Rays' IDA Pro bundle to get busy at it... good luck spending thousands for it. But obviously everyone here would torrent it out.
Maybe Ghidra could be a free alternative... last time I heard about Ghidra, it was good news that it's able to help reverse engineers crack softwares.
Last edited by codehound; 5th Apr 2022 at 18:20.Discord codehound#0348
Thanks for reminding me only low IQ lurks around here who doesn't even know what "English" is and loves to clown around with servers. No fool, I didn't deliberately ask to make it into an Udemy topic, just asked a simple question which it's answer could've been "yes" or "no". Get over with it, go chew on a different topic.
Thanks for commenting in my thread. However it appears no-one knows the answers you seek. Isn't udemy a subscription or pay site? And doesn't that make asking for information about gaining access to the site against this forum's rules? I wouldn't want you to upset anybody!
I wrote this thread in a spirit of being helpful; do you think you could subscribe to that ideal, for me, and leave out the unpleasant vitriol in the comments you make? I'm sure you are a nice man, and indeed have something useful to say; but I guess you've been having a few bad days. I know a man of your ability, as you told us, could make short work of reverse engineering binary code so I'm sure, if you really tried, you could access the site yourself quite easily. Perhaps, if the moderators are looking the other way, you might even return and, in your own thread, show everybody how you did it.
However reverse engineering down to the machine code is extremely time consuming, could take day(s) or even week(s) to crack anything.
It's like drawing a map and writing details of a "New World" from scratch.
It all boils down to what it's worth cracking. With my time and effort, I could make more money spending those time in "cracking" with other resources.
Cracking widevine DRM so that I can download paid courses is simply ridiculous and laughable, losing thousands based on my time for something that is not worth it.
I do not understand what makes people think I am being "frustrated" for not being able to easily download Udemy content.
Screen capture is working very well for me, it is a win-win, I learn the course as I screen capture.
I originally assumed that people found a way in downloading and decrypt DRM videos easily, but after sending few days on this site, it seems that the low level software engineers at google (Widevine) have done some phenomenal job in perfecting their DRM engine. Its so effective that widevine makes it extremely difficult and near impossible for web devs to pirate content.
Hence I find it super silly how web devs here are finding silly ways to get by widevine.
Anyhow, if I have the "luxury" to spend some "hobby" time, I'll definitely get involved in cracking widevine. But as of now I guess I have no choice but to screen capture (which isn't a big deal). I personally hate python, curl and other languages and also hate the idea that one needs to "chit chat" with web severs. The only things I would rather spend time to crack are low level languages since it is more meaningful.
LMAO, the only answer suited to most drm related threads here. and maybe this thread too. Too much grammar and less googling is the cause , it seems XD
Hence I find it super silly how web devs here are finding silly ways to get by widevine
ways so silly that a great linux hacker like you could not understand even after all this time, there are literally codes left in pieces in some places here, but no I HaTe PyThOn, cuz its too much for me to understand, or even trying to understand.
Last edited by PUOPUO; 8th Apr 2022 at 05:48.
Yea silly kids like you doesn't know the difference between a wannabe "linux hacker" and someone who does low level reverse engineering, it absolutely has nothing to do with Linux or what not.
I don't even use linux, don't have the time to do all the childish "hacking" loaded on youtube. I use Unix (FreeBSD/MacOS) (You obviously don't even know the difference between Linux/Unix). Anyways, keep staying busy with python, it's better for low level hardware/software engineer folks to keep getting paid more than all the high level python dev kids.
The more you stay busy with "python" and clowning around with "servers" the more google's low level software engineers will keep you kids frustrated for not being able to pirate DRM content and begging your souls for help on this forum.
Theres a good reason why "pyhton" wasn't used to create widevine's DRM software same goes for creating "chrome". Your computers, phones, routers, internets and etc all functions because of low level c/c++ NOT because of python.
The best "pirates" or "hackers" doesn't even waste their time playing around with python. (Yes theres a difference between a "pirate" and a "hacker")
My username has "linux" just so that I can tell you that I do not even use it.
doesnt look like im the the one begging for udemy around lol
gimme gimme udemy