View Profile
View Forum Posts
Private Message
I have forked the wvdumper/dumper script and updated it to support L3 extraction on Android 9, 10, 11 and 12 and have successfully extracted the key from these android versions, but have so far only tested CDM versions 14, 15, 16 and 16.1.
https://github.com/Diazole/dumper
p.s. once the functions have been hooked, you just need to load the Bitmovin player and click load to dump the keys - https://bitmovin.com/demos/drm
Update:
Thank you to dark125 for the suggestion of looping through the function names (even though you sent me a different file to the one you were dumping). The script no longer requires you to provide the function name yourself and instead hooks to every a-z function essentially brute-forcing.
I have also successfully dumped Android 9 CDM 14.
Closed Thread
Results 1 to 30 of 46
-
Last edited by Diazole; 7th Oct 2022 at 07:28.
-
Well done sir.
-
thank you it can be useful
-
this is great, so now android 7-12 is covered by dumpers, good job
-
Great stuff. Well done!
-
Tested and working on Android 10
Thanks again for your contribution
-
Android 11 with oemcrypto 16 works fine.
Thanks.
-
Thank you <3
Worked for me
-
Does anyone know how to dump or extract Chrome CDM?
-
Hi Thanks for your job!!"
Last edited by marktwain; 31st Oct 2022 at 05:25.
-
Thank you. I will try it for Android 9 CDM 14.0 as soon as possible.
For a Nokia phone with a half-dead battery.
-
What might it mean if this updated script only displays rsakey in console, and does nothing after that?
only the output following 'Retrieved key' is displayed (rsakey) in console;
self.logger.debug(
'Retrieved key: \n\n%s\n',
android 12, oemcdm 16Last edited by DrNumands; 20th Dec 2022 at 14:02.
-
Installed drminfo app, cdm version is 16.1.0, not 16. Tried the command line argument to set to 16.1.0.
The updated script has less debug reporting than the original script. Would it be possible to update the original script while keeping its original structure (including scanner.py), in order to support cdm 16.1.0? Using the minimum of edits to the original, what would it take?Last edited by DrNumands; 21st Dec 2022 at 07:25.
-
Yes, my fork has less debug reporting because I removed the irrelevant debug logs, you can add them back yourself if you think they will help you (I highly doubt they will).
Are you providing a function name/does the output state what your function name might be?
-
Thanks for the reply. Changing to a different version of chrome allowed your fork to work. The video was playing fine with the other version of chrome, but I guess the browser version is important for use with the script.
-
Originally Posted by Diazole
[Attachment 68317 - Click to enlarge]
Stuck here on android 10,11
-
Hey, do you have any script for dumping valid keyboxes?Originally Posted by Diazole
It seems like, the keybox that wvdumper script dumps is not valid and can not be provisioned by google.
-
Send me your libwvhidl.so file, you can use this post to retrieve it - https://forum.videohelp.com/threads/404219-How-To-Dump-L3-CDM-From-Android-Device-s-(O...e6#post2646150Originally Posted by Beluga
[Attachment 68317 - Click to enlarge]
Stuck here on android 10,11Last edited by Diazole; 26th Dec 2022 at 16:15.
-
Can I PM that file to you?Originally Posted by Diazole
-
What do you mean?Originally Posted by JerryDevis
Last edited by Diazole; 26th Dec 2022 at 16:16.
-
Although the script works, the output does not state what the function name might be. I see others have posted logs where such output (of the likely function name) is shown.Originally Posted by Diazole
How might I determine which is the working function name? If I provide a function name on the command line, does the script no longer attach to all of the functions and brute force them all? It only checks the one function name specified?
If so, I could go through all of the function names, specifying them one at a time on the command line, and the one that works is the actual function name?
-
Correct.Originally Posted by DrNumands
You can find your unique function name by reverse engineering the libwvhidl.so file.
You can certainly do that but that would be rather time consuming or you can send me the file and i'll provide you with the function name. I thought you had already dumped your keys?Originally Posted by DrNumands
-
da820PmcEXBMWNDoveRRdcR9y0BB+3hwCAmii6eZpBmc2AUQVd wL4w==
-----END RSA PRIVATE KEY-----
2022-12-31 05:52:33 PM - Helpers.Device - 48 - DEBUG - Retrieved key:
-----BEGIN RSA PRIVATE KEY-----
YltEcnu3m4qMxHPoCrX0/96MSKcFcNE6rI9P1Fw4F0iZM7q0rJ0WEXOtolBNVayZ
on Android 12
dump_keys.py --cdm-version '16.0.0' shows above keys and stuck...
dump_keys.py --cdm-version '16.0.1' just shows functions and stuck .... main - 24 - INFO - Functions Hooked, load the DRM stream test on Bitmovin!
-
PM me your libwvhidl.soOriginally Posted by hasmevask
-
sent check pmOriginally Posted by Diazole
PM me your libwvhidl.soOriginally Posted by hasmevask
-
Does not work for me. I have a rooted Pixel 3 with Android 12.
I am running frida-server-16.0.8-android-arm64 as root.
This is all I see when running your script:
Code:> python dump_keys.py --cdm-version 16.1.0 2022-12-31 01:49:29 PM - main - 25 - INFO - Connected to Pixel 3 2022-12-31 01:49:29 PM - main - 26 - INFO - Scanning all processes android.hardware.drm@1.0-service android.hardware.drm@1.3-service.widevine android.hardware.drm@1.4-service.clearkey drmserver 2022-12-31 01:49:31 PM - main - 34 - INFO - Functions Hooked, load the DRM stream test on Bitmovin!
Opening https://bitmovin.com/demos/drm in Chrome, then loading and playing the video does not provoke additional output. The EME section on the demo page confirms widevine is supported on my device.
-
Your function name is 'crhqcdet'.Originally Posted by hasmevask
Let me know how you get onCode:dump_keys.py --function-name 'crhqcdet'
-
function name is correct. thanks it stuck there alsoOriginally Posted by Diazole
Your function name is 'crhqcdet'.Originally Posted by hasmevask
Let me know how you get onCode:dump_keys.py --function-name 'crhqcdet'
but job done by your dumper onlyCode:Helpers.Device - 56 - INFO - Hooked crhqcdet at 0xf6a42a09 main - 24 - INFO - Functions Hooked, load the DRM stream test on Bitmovin
thanks again for your hard work and valuable work and time share
-
Force quit chrome and restart your device, then try again
![[ss]vegeta's Avatar](customavatars/avatar177118_5.gif){kind=avatar}
Similar Threads
-
Optimal Method For Dumping Audio, Video, and VBI In Near-Perfect Sync?
By JaycieErysdren in forum Capturing and VCRReplies: 2Last Post: 6th Sep 2024, 10:29 -
How To Dump L3 CDM From Android Device's (ONLY Talk About Dumping L3 CDMS)
By Dannyboi in forum Video Streaming DownloadingReplies: 226Last Post: 1st Mar 2022, 03:34 -
How To Dump L1 CDM From Android Device's (ONLY Talk About Dumping L1 CDMS)
By mintolik in forum Video Streaming DownloadingReplies: 13Last Post: 20th Feb 2022, 14:33 -
Android Players vs LavFilters-MadVR? Looking to go to Android BOX
By therock003 in forum Software PlayingReplies: 3Last Post: 20th Jul 2018, 11:11 -
Android:i want to play this channel in vlc android application (vlc.apk)
By sam jack in forum Newbie / General discussionsReplies: 5Last Post: 16th Oct 2017, 16:10