Dumping L3 from Android 10, 11 and 12

[hasmevask]

Force quit chrome and restart your device, then try again

Thank you again for your work and time, check pm

[DrNumands]

dump_keys.py --cdm-version '16.0.1' just shows functions and stuck .... main - 24 - INFO - Functions Hooked, load the DRM stream test on Bitmovin!

Sure your version is 16.0.1 (as above) and not 16.1.0?

[TheRedBee]

Hello, thanks for your work, a test video loads and play well on the browser providing the license server and mpd url,
but it still says " Functions Hooked, load the DRM stream test on Bitmovin!" and no other output ?

In other words I don't get any keys but video load

DRM info app says 15.0.0

[Diazole]

Send me your libwvhidl.so file, you can use this post to retrieve it - https://forum.videohelp.com/threads/404219-How-To-Dump-L3-CDM-From-Android-Device-s-(O...e6#post2646150

[Dannyboi]

anyone dumped l1 cdms yet? ifso DM thanks

[hasmevask]

which device ?and same as asked to you

https://forum.videohelp.com/threads/407196-Dumping-L3-from-Android-10-11-and-12/page2#post2676912

can send me also that libwvhidl.so file if possible?

[TheRedBee]

Hello,

I am using genwvkeys at the moment, because I was unable to get keys from Android device (but would prefer to)

I included all the "rubbish" in the dump script without success...
My device is Android studio Emulator, currently API 29 but I can change that

Here is the file

https://files.videohelp.com/u/304364/libwvhidl.so

Thank you

[Diazole]

Hello,

I am using genwvkeys at the moment, because I was unable to get keys from Android device (but would prefer to)

I included all the "rubbish" in the dump script without success...
My device is Android studio Emulator, currently API 29 but I can change that

Here is the file

https://files.videohelp.com/u/304364/libwvhidl.so

Thank you

Code:

python3 .\dump_keys.py --function-name 'ofskesua'

[TheRedBee]

Hello,

I am using genwvkeys at the moment, because I was unable to get keys from Android device (but would prefer to)

I included all the "rubbish" in the dump script without success...
My device is Android studio Emulator, currently API 29 but I can change that

Here is the file

https://files.videohelp.com/u/304364/libwvhidl.so

Thank you

Code:

python3 .\dump_keys.py --function-name 'ofskesua'

Thanks ! I don't know how you found it ?
By the way, I get results but not a "key", only context, message, signature..

Edit: my windevine version is 15.0 ,if I understand correctly, it has been patched ?
I can downgrade the phone as it is a virtual device

[Diazole]

Thanks ! I don't know how you found it ?
By the way, I get results but not a "key", only context, message, signature..

Edit: my windevine version is 15.0 ,if I understand correctly, it has been patched ?
I can downgrade the phone as it is a virtual device

No CDM version is patched.

Please can you post the output of the dumper?

[A_n_g_e_l_a]

...updated it to support L3 extraction on Android 9, 10, 11 and 12 ...

You say Android 12 works; is that Android x86_64 using libwvaidl.so?

[Diazole]

...updated it to support L3 extraction on Android 9, 10, 11 and 12 ...

You say Android 12 works; is that Android x86_64 using libwvaidl.so?

I've only tested x86 Android 12

[TheRedBee]

Thanks ! I don't know how you found it ?
By the way, I get results but not a "key", only context, message, signature..

Edit: my windevine version is 15.0 ,if I understand correctly, it has been patched ?
I can downgrade the phone as it is a virtual device

No CDM version is patched.

Please can you post the output of the dumper?

Oh, my bad, I placed the function name in the wrong place, now I have a client_id and private_key files !

I can now follow the tuto
would you mind sharing how you find the exact function name among the others ?

Thanks !

Edit: I got a keys ! Perfect

[A_n_g_e_l_a]

Thanks ! I don't know how you found it ?...
... you mind sharing how you find the exact function name among the others ?
Perfect

Yes I bristled at the need to send a file to someone else. Anyway with a bit of thought I sorted out my own function name for Android 11 Pixel Pro 6.

At post #37 someone sends off their file to daddy; daddy responds at #38.

So now I have an original libwvhidl.so file and I know the function-name is ofskesua. Time to breakout a hex-editor. I hate these things; the last time I tangled was to remove DRM from an Aviation GPSs data-update 20 years ago before the manufacturer got serious.

Anyway, this time I'm using Linux and found ImHex - 'A hex editor for reverse engineers' - from my my Linux distro's software suggestions.

I opened the hex editor and loaded the foreign libwvhidl.so and searched for the string 'ofskesua' and found this:

[Attachment 68594 - Click to enlarge]
'ofskesua' is there among a number of other 8 byte strings. But note above is is a memorable string 'mprotect'.

So now I fired up my emulator and opened a command shell to use adb.

Code:

adb root
adb shell
find / libwvhidl.so | grep libwvhidl.so

responded with /vendor /lib/libwvhidl.so - so now I am able to get the library file off the machine

Code:

exit

from shell
and

Code:

adb pull /vendor/lib/libvwhidl.so  .

will pull it off the emulator and save it in the working folder, ready to open in your own hex editor.

I did just that and searched for 'mprotect' as noted earlier and got this:-

[Attachment 68597 - Click to enlarge]
Highlighted is a list of 8 byte strings. Formatted they look like this:-

Code:

newgesel
ppsniaij < dumped keys
qcbptsjn
qedguzms
qqokgjjb   
ridxbjbf

Luck was on my side as I chose 'ppsniaij' for my first attempt with Android 11 on an emulated Pixel Pro 6.

Code:

python dump_keys.py --function-name 'ppsniaij'

I note that Dumper-main Helper folder has a javascript file - script.js - with the function names it uses. I see no reason why putting the list we just obtained in there wouldn't work, although I have not tried it.

[Attachment 68598 - Click to enlarge]

So now we are no longer infantilized. Bye daddy.

[Diazole]

At post #37 someone sends off their file to daddy; daddy responds at #38.

So now we are no longer infantilized. Bye daddy.

What is your problem?

I help the community by providing a method to dump keys from the latest android devices and this is how you act?

How might I determine which is the working function name? If I provide a function name on the command line, does the script no longer attach to all of the functions and brute force them all? It only checks the one function name specified?

Correct.

You can find your unique function name by reverse engineering the libwvhidl.so file.

If so, I could go through all of the function names, specifying them one at a time on the command line, and the one that works is the actual function name?

You can certainly do that but that would be rather time consuming or you can send me the file and i'll provide you with the function name. I thought you had already dumped your keys?

Did you read this? Do you think I enjoy asking people to send me their file so I can help them?

Did you know that the script provides you with every possible function name, so you don't need to dump the file?

You can run the script with every function name function until it works, but you will more than likely have to force quit chrome or restart the device on every attempt. This was clearly stated here https://forum.videohelp.com/threads/404994-Decryption-and-the-Temple-of-Doom/page6#post2669744.

I note that Dumper-main Helper folder has a javascript file - script.js - with the function names it uses. I see no reason why putting the list we just obtained in there wouldn't work, although I have not tried it.

It won't work because there are "trap" functions as stated above, which when hooked will prevent you from dumping your key until you restart your device.

From now on, everyone can ask you to help them.

[A_n_g_e_l_a]

snipped

Having a bad day?