I have forked the wvdumper/dumper script and updated it to support L3 extraction on Android 9, 10, 11 and 12 and have successfully extracted the key from these android versions, but have so far only tested CDM versions 14, 15, 16 and 16.1.
https://github.com/Diazole/dumper
p.s. once the functions have been hooked, you just need to load the Bitmovin player and click load to dump the keys - https://bitmovin.com/demos/drm
Update:
Thank you to dark125 for the suggestion of looping through the function names (even though you sent me a different file to the one you were dumping). The script no longer requires you to provide the function name yourself and instead hooks to every a-z function essentially brute-forcing.
I have also successfully dumped Android 9 CDM 14.
Closed Thread
Results 1 to 30 of 46
-
Last edited by Diazole; 7th Oct 2022 at 07:28.
-
Thank you. I will try it for Android 9 CDM 14.0 as soon as possible.
For a Nokia phone with a half-dead battery.
-
What might it mean if this updated script only displays rsakey in console, and does nothing after that?
only the output following 'Retrieved key' is displayed (rsakey) in console;
self.logger.debug(
'Retrieved key: \n\n%s\n',
android 12, oemcdm 16Last edited by DrNumands; 20th Dec 2022 at 14:02.
-
Installed drminfo app, cdm version is 16.1.0, not 16. Tried the command line argument to set to 16.1.0.
The updated script has less debug reporting than the original script. Would it be possible to update the original script while keeping its original structure (including scanner.py), in order to support cdm 16.1.0? Using the minimum of edits to the original, what would it take?Last edited by DrNumands; 21st Dec 2022 at 07:25.
-
[Attachment 68317 - Click to enlarge]
Stuck here on android 10,11
-
Send me your libwvhidl.so file, you can use this post to retrieve it - https://forum.videohelp.com/threads/404219-How-To-Dump-L3-CDM-From-Android-Device-s-(O...e6#post2646150
Last edited by Diazole; 26th Dec 2022 at 16:15.
-
Although the script works, the output does not state what the function name might be. I see others have posted logs where such output (of the likely function name) is shown.
How might I determine which is the working function name? If I provide a function name on the command line, does the script no longer attach to all of the functions and brute force them all? It only checks the one function name specified?
If so, I could go through all of the function names, specifying them one at a time on the command line, and the one that works is the actual function name?
-
Correct.
You can find your unique function name by reverse engineering the libwvhidl.so file.
You can certainly do that but that would be rather time consuming or you can send me the file and i'll provide you with the function name. I thought you had already dumped your keys?
-
da820PmcEXBMWNDoveRRdcR9y0BB+3hwCAmii6eZpBmc2AUQVd wL4w==
-----END RSA PRIVATE KEY-----
2022-12-31 05:52:33 PM - Helpers.Device - 48 - DEBUG - Retrieved key:
-----BEGIN RSA PRIVATE KEY-----
YltEcnu3m4qMxHPoCrX0/96MSKcFcNE6rI9P1Fw4F0iZM7q0rJ0WEXOtolBNVayZ
on Android 12
dump_keys.py --cdm-version '16.0.0' shows above keys and stuck...
dump_keys.py --cdm-version '16.0.1' just shows functions and stuck .... main - 24 - INFO - Functions Hooked, load the DRM stream test on Bitmovin!
-
Does not work for me. I have a rooted Pixel 3 with Android 12.
I am running frida-server-16.0.8-android-arm64 as root.
This is all I see when running your script:
Code:> python dump_keys.py --cdm-version 16.1.0 2022-12-31 01:49:29 PM - main - 25 - INFO - Connected to Pixel 3 2022-12-31 01:49:29 PM - main - 26 - INFO - Scanning all processes android.hardware.drm@1.0-service android.hardware.drm@1.3-service.widevine android.hardware.drm@1.4-service.clearkey drmserver 2022-12-31 01:49:31 PM - main - 34 - INFO - Functions Hooked, load the DRM stream test on Bitmovin!
Opening https://bitmovin.com/demos/drm in Chrome, then loading and playing the video does not provoke additional output. The EME section on the demo page confirms widevine is supported on my device.
-
function name is correct. thanks it stuck there also
Code:Helpers.Device - 56 - INFO - Hooked crhqcdet at 0xf6a42a09 main - 24 - INFO - Functions Hooked, load the DRM stream test on Bitmovin
thanks again for your hard work and valuable work and time share
Similar Threads
-
Optimal Method For Dumping Audio, Video, and VBI In Near-Perfect Sync?
By JaycieErysdren in forum Capturing and VCRReplies: 2Last Post: 6th Sep 2024, 10:29 -
How To Dump L3 CDM From Android Device's (ONLY Talk About Dumping L3 CDMS)
By Dannyboi in forum Video Streaming DownloadingReplies: 226Last Post: 1st Mar 2022, 03:34 -
How To Dump L1 CDM From Android Device's (ONLY Talk About Dumping L1 CDMS)
By mintolik in forum Video Streaming DownloadingReplies: 13Last Post: 20th Feb 2022, 14:33 -
Android Players vs LavFilters-MadVR? Looking to go to Android BOX
By therock003 in forum Software PlayingReplies: 3Last Post: 20th Jul 2018, 11:11 -
Android:i want to play this channel in vlc android application (vlc.apk)
By sam jack in forum Newbie / General discussionsReplies: 5Last Post: 16th Oct 2017, 16:10