Decryption: The Dungeon of Despair

[moaBoBmArLeY]

But in my case (in the real world), it returns only [<Response [403]>]

Code:

print(response.text)

[PSXman_uk]

I have this error I'm trying to iron out from the script

v 4.4
#
# A_n_g_e_l_a 26:07:2023
#
'''
This program is a generic boltdns.net downloader.


'rm' is not recognized as an internal or external command,
operable program or batch file.
Invalid parameter(s)
RESET { SESSION }

Im also looking at changing the download directory from output to downloads in one directory higher than the WKS-Keys dir ive tried \downloads puts it in the rout of my hard disk im on Windows if that makes much difference

Thanks for looking and a great tutorial

[A_n_g_e_l_a]

'''
This program is a generic boltdns.net downloader.


'rm' is not recognized as an internal or external command,
operable program or batch file.
Invalid parameter(s)

I wrote those scripts in the hope that people might use them as a starting point on a journey to learn to code. It now seems I was very naive. No matter.

The line in question has a linux command which fails on Windows. I didn't realise that when the script was written and these days would write the code such that it works on both window and linux.

To answer your question 'rm' stands for remove and calling it in linux deletes files. The Windows command if I recall is 'del' so hopefully a substitution of del for rm will correct your issue. Secondly reset doesn't exist in Windows, it appears, so just delete that line - it only blanks and refreshes the terminal window. These are the last three lines of code:-

Code:

    os.system("rm -f ./output/*.m4a  ./output/*.srt ./output/*.mp4 ./output/*.ts") 
os.system("reset") # N_m3u8DL-RE sometimes leaves terminal unable to print text
exit(0)

I've updated the file for you https://files.videohelp.com/u/301890/boltgeneric.py

[PSXman_uk]

Thank you i am trying to learn but am finding it a bit hard seeing as the last time i coded was on an Amiga and at my age you lose a few grey cells thank you very much for looking at it for me I appreciate it.

[A_n_g_e_l_a]

Thank you i am trying to learn but am finding it a bit hard seeing as the last time i coded was on an Amiga and at my age you lose a few grey cells thank you very much for looking at it for me I appreciate it.

You give up too easily! I'm late 70's and first coded in BASIC on a BBC Micro. I started python two years ago. The brain is like a gymnasium; the more you exercise in it the better it is for you.

[PSXman_uk]

@A_n_g_e_l_a food for thought I'll take that on board and carry on thanks again

[Karoolus]

Thank you i am trying to learn but am finding it a bit hard seeing as the last time i coded was on an Amiga and at my age you lose a few grey cells thank you very much for looking at it for me I appreciate it.

You could always run the script from inside WSL

[Ademir]

The script still work? I'm getting this error after paste curcl as posix

Traceback (most recent call last):
File "D:\vdocypher\angel.py", line 369, in <module>
key_results = get_key(pssh, lic_url)
^^^^^^^^^^^^^^^^^^^^^^
File "D:\vdocypher\angel.py", line 188, in get_key
raise e
File "D:\vdocypher\angel.py", line 186, in get_key
license_response.raise_for_status()
File "C:\Python312\Lib\site-packages\httpx\_models.py", line 761, in raise_for_status
raise HTTPStatusError(message, request=request, response=self)
httpx.HTTPStatusError: Client error '400 Bad Request' for url 'https://license.vdocipher.com/auth'
For more information check: https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/400

[A_n_g_e_l_a]

The script still work? I'm getting this error after paste curcl as posix

Traceback (most recent call last):
File "D:\vdocypher\angel.py", line 369, in <module>
key_results = get_key(pssh, lic_url)
^^^^^^^^^^^^^^^^^^^^^^
File "D:\vdocypher\angel.py", line 188, in get_key
raise e
File "D:\vdocypher\angel.py", line 186, in get_key
license_response.raise_for_status()
File "C:\Python312\Lib\site-packages\httpx\_models.py", line 761, in raise_for_status
raise HTTPStatusError(message, request=request, response=self)
httpx.HTTPStatusError: Client error '400 Bad Request' for url 'https://license.vdocipher.com/auth'
For more information check: https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/400

Yes it does but recent changes to Chrome Browser means it only works for Firefox Browser. And if you keep attempting vdocipher, without getting a 200 OK response, you will get your CDM revoked.

[Ademir]

The script still work? I'm getting this error after paste curcl as posix

Traceback (most recent call last):
File "D:\vdocypher\angel.py", line 369, in <module>
key_results = get_key(pssh, lic_url)
^^^^^^^^^^^^^^^^^^^^^^
File "D:\vdocypher\angel.py", line 188, in get_key
raise e
File "D:\vdocypher\angel.py", line 186, in get_key
license_response.raise_for_status()
File "C:\Python312\Lib\site-packages\httpx\_models.py", line 761, in raise_for_status
raise HTTPStatusError(message, request=request, response=self)
httpx.HTTPStatusError: Client error '400 Bad Request' for url 'https://license.vdocipher.com/auth'
For more information check: https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/400

Yes it does but recent changes to Chrome Browser means it only works for Firefox Browser. And if you keep attempting vdocipher, without getting a 200 OK response, you will get your CDM revoked.

That's a problem cause i am actually using firefox

[A_n_g_e_l_a]

You've checked with an easy site to make sure everything is installed ok?

[Ademir]

You've checked with an easy site to make sure everything is installed ok?

Yes, I tried with some easy sites and work perfectly. Maybe the script need to change some detail and I have no idea which

[A_n_g_e_l_a]

See https://forum.videohelp.com/threads/415130-Errors-Decrypting-VdoCipher-Keys#post2741590 for reply.

[JustSomeMotion]

Hello guys, just a question- I have downloaded some .mp4 video files from the Microsoft Store. Is it possible to remove the DRM from those .mp4 files from Microsoft Store? These files can only be played on the "Movies & TV" app in Windows. So is there any chance to remove DRM, or is there nothing that can be done with these specific files?

[A_n_g_e_l_a]

Hello guys, just a question- I have downloaded some .mp4 video files from the Microsoft Store. Is it possible to remove the DRM from those .mp4 files from Microsoft Store? These files can only be played on the "Movies & TV" app in Windows. So is there any chance to remove DRM, or is there nothing that can be done with these specific files?

Two things.
1. your question has nothing to do with this thread - so don't post here.
2. If ever you do post, some nebulous question about Microsoft and DRM will never get answers.
Give details - web url for the video at the very least.
Say what you've tried.
Say if you have a means of decrypting or are you begging for keys.
Have I said don't post here?

[IrishMarty]

This is so good. Can stop using CDRM project now.

Here is the grand-daddy of l3s, this L3.py gets everything.
It is a bold claim but any site that uses widevine and uses an mpd and cURL for its media delivery and encryption communications - this will download it.

[A_n_g_e_l_a]

This is so good. Can stop using CDRM project now?

Thanks and yes you should.

[arakelov2]

Hi!

Fist of all, a BIG THANKS A_n_g_e_l_a for your great guides and for all the stuff I'm discovering and learning.

Your "Noob Starter Pack" hellyes6.zip is just wonderful. Just in a week I was able to build a fresh new Ubuntu 24.04 in VirtualBox (the old 20.04 I usually work on was complaining with too old versions of Python modules and upgrading to 3.12 broke some things, so I decided to carry on a clean environment), install everything and make it work with the 'demo' sites of your guides (bitmovin.com/demos/drm and www.tg4.ie). It got the keys and downloaded the videos!

But now I moved to another site where things seem to get more difficult. With curlconverter I inspected the cURL of (what I think is) the POST call with the license request and I found that inside there are cookies = { .. }, headers = { .. }, params = { .. } and data = { .. }. And it seems that the interesting part is inside this data (I'm deleting a lot of it, it's quite long):

Code:

data = {
    'widevine2Challenge': 'CAESzwwK...***DELETED***',
    'includeHdcpTestKeyInLicense': 'true',
}

Well, looking at the copied cURL, before pasting it into curlconverter, this comes from something that says: --data-raw 'widevine2Challenge=CAESzwwK... (etc)

The thing is that when I run allhell3.py and I paste this cURL, it fails (I'm masking some parts with · not to reveal sensitive info):

Code:

Headers: {'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:129.0) Gecko/20100101 Firefox/129.0', 'Accept': '*/*', 'Accept-Language': 'ca,en-US;q=0.7,en;q=0.3', 'Accept-Encoding': 'gzip, deflate, br, zstd', 'Content-Type': 'application/x-www-form-urlencoded', 'Origin': 'https://www.··········.com', 'Connection': 'keep-alive', 'Referer': 'https://www.··········.com/', 'Cookie': 'session-id=261-·······-9967622; session-id-time=2082787201l; i18n-prefs=USD; lc-main-av=en_US; ubid-main-av=259-·······-1407026; session-token="FqU8rh96XJQX1/pY8OqdJjDzVP5EP·················long··············fGxNzWPeycNIXo7F/DM="; av-timezone=Europe/Madrid; x-main-av="i1F0W2HszC2eVvyiut1JC3UQUFJ@org8c5KoMAJDCjhLbZ60ah0JyAs3wHRsSwpE"; at-main-av=Atza|IwEBINF6avHNeQloJcZeNLPnzn6erraNUNJruZlvfD74········long··············xLYXn7EbZ6ELaPS6MY0MJ1G6Eaxas; sess-at-main-av="sJCmDL0GYPrXMGT···········zgeLaZgEwC2njJK0="; av-profile=cGlkPWFtem4xLmFjdG9yLnBl·························wPTE3MjY4NTA0NDM3NDcmdmVyc2lvbj12MQ.g6iVNXF_Cqf················cmF3AAAAAPgWC9WfHH8iB-olH_E9xQ', 'Sec-Fetch-Dest': 'empty', 'Sec-Fetch-Mode': 'cors', 'Sec-Fetch-Site': 'same-site', 'Pragma': 'no-cache', 'Cache-Control': 'no-cache'}
Data:
Traceback (most recent call last):
  File "/home/arakelov/Programes/HellYesGui/allhell3.py", line 430, in <module>
    key_results = get_key(pssh, lic_url)
                  ^^^^^^^^^^^^^^^^^^^^^^
  File "/home/arakelov/Programes/HellYesGui/allhell3.py", line 196, in get_key
    raise e
  File "/home/arakelov/Programes/HellYesGui/allhell3.py", line 194, in get_key
    license_response.raise_for_status()
  File "/usr/lib/python3/dist-packages/httpx/_models.py", line 759, in raise_for_status
    raise HTTPStatusError(message, request=request, response=self)
httpx.HTTPStatusError: Server error '500 Server Error' for url 'https://·········.··········.com/cdp/catalog/GetPlaybackResources?deviceID=···(long)
For more information check: https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/500

Even though I'm not a Python expert I went inside allhell3.py to see what was going on around line 194 and I found that it's just after the httpx.post call. Just before the call I printed the passed parameters license_url, payload and headers. For your information, this was the result:

Code:

license_url = https://·········.··········.com/cdp/catalog/GetPlaybackResources?deviceID=···(long, as before)

payload = b'\x08\x01\x12\xee\x0e\n\xd8\r\x08···(a lot of hex stuff)

headers = {'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:129.0) Gecko/20100101 Firefox/129.0', 'Accept': '*/*', 'Accept-Language': 'ca,en-US;q=0.7,en;q=0.3', 'Accept-Encoding': 'gzip, deflate, br, zstd', 'Content-Type': 'application/x-www-form-urlencoded', 'Origin': 'https://www.··········.com', 'Connection': 'keep-alive', 'Referer': 'https://www.··········.com/', 'Cookie': 'session-id=261-·······-9967622; session-id-time=2082787201l; i18n-prefs=USD; lc-main-av=en_US; ubid-main-av=259-·······-1407026; session-token="FqU8rh96XJQX1/pY8OqdJjDzVP5EP·················long··············fGxNzWPeycNIXo7F/DM="; av-timezone=Europe/Madrid; x-main-av="i1F0W2HszC2eVvyiut1JC3UQUFJ@org8c5KoMAJDCjhLbZ60ah0JyAs3wHRsSwpE"; at-main-av=Atza|IwEBINF6avHNeQloJcZeNLPnzn6erraNUNJruZlvfD74········long··············xLYXn7EbZ6ELaPS6MY0MJ1G6Eaxas; sess-at-main-av="sJCmDL0GYPrXMGT···········zgeLaZgEwC2njJK0="; av-profile=cGlkPWFtem4xLmFjdG9yLnBl·························wPTE3MjY4NTA0NDM3NDcmdmVyc2lvbj12MQ.g6iVNXF_Cqf················cmF3AAAAAPgWC9WfHH8iB-olH_E9xQ', 'Sec-Fetch-Dest': 'empty', 'Sec-Fetch-Mode': 'cors', 'Sec-Fetch-Site': 'same-site', 'Pragma': 'no-cache', 'Cache-Control': 'no-cache'}

Interestingly, even though the data-raw section contains the string 'CAES', it seems not to be detected by none of the three regex searchs just above, so this piece of code

Code:

    if data:
        # deal with sites that need to return data with the challenge
        if match := re.search(r'"(CAQ=.*?)"', data):  # fix for windows
            challenge = data.replace(match.group(1), base64.b64encode(challenge).decode())
        elif match := re.search(r'"(CAES.*?)"', data):
            challenge = data.replace(match.group(1), base64.b64encode(challenge).decode())
        elif match := re.search(r'=(CAES.*?)(&.*)?$', data):
            b64challenge = base64.b64encode(challenge).decode()
            quoted = urllib.parse.quote_plus(b64challenge)
            challenge = data.replace(match.group(1), quoted)

is not executed at all. I have no idea if this is normal...
Even more, the "data" variable seems to be empty! So forget the 'CAES' search, it doesn't even enter the first if.

Then I searched where the "data" comes from and found it's built when parsing the cURL (lines 250-253). I put prints to find that

Code:

data_match = <re.Match object; span=(3143, 3155), match="--data-raw '">
raw_prefix = None
data =

Again, I have no idea if this is normal...

Any help will be greatly appreciated!
Best wishes.

[A_n_g_e_l_a]

Well, looking at the copied cURL, before pasting it into curlconverter, this comes from something that says: --data-raw 'widevine2Challenge=CAESzwwK... (etc)

The thing is that when I run allhell3.py and I paste this cURL, it fails (I'm masking some parts with · not to reveal sensitive info):

Anyone who mentions curlconverter.com when talking about allhell3 has me seriously concerned.
I assume you have arrived at the end of Dungeon of Despair having read it all. Well done; it is not an easy read.

For you and one other let me clear up the difference between l3.py and (all)hell3.py.

L3 takes for input three things

1. pssh
2. License URL
3. headers - found by importing a file called headers.py in l3.py. headers.py contains the SELECTED results of a lookup of the license URL at curlconverter.com

hell3 takes for input two things

1. mpd URL
2. License cURL (you obtain the license cURL directly from the browser)

Make sure you are using the correct attributes when calling each process. But in general use (all)hell3(gui).py has replaced l3.py

Now let me deal with the widevinechallenge - in your case it starts with 'CAES..'

The widevinechallenge is constructed data that contains the pssh and the public-key of the BROWSER's CDM, encrypted with the public-key of the license server.

It is of no use to us, for it is the BROWSER's response to get keys from the license server. We need to make our own widevinechallenge using OUR CDM to get our own keys.

So generally what is inside the widevinechallenge may be discarded. In the edited license cURL below, as an example, this particular site includes, as part of the widevine data-bundle, extra data - "releasePid":"11X9eqDq1HEc" which need returning to the license server to prove our bona-fides and confirm the video we want.

Code:

curl 'https://widevine.entitlement.eu.theplatform.com/wv/web/ModularDrm?token=eyJhbGciOiJSUzUxMiJ9.'
 -X POST -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:130.0) Gecko/20100101 Firefox/130.0' -H 'Accept: */*' -H 'Accept-Language: en-GB,en;q=0.5' -H 'Accept-Encoding: gzip, deflate, br, zstd'
 -H 'Origin: https://www.rte.ie' 
-H 'DNT: 1' 
-H 'Connection: keep-alive'
 -H 'Sec-Fetch-Dest: empty' 
-H 'Sec-Fetch-Mode: cors' 
-H 'Sec-Fetch-Site: cross-site' 
-H 'Priority: u=4' 
--data-raw '{"getWidevineLicense":{"releasePid":"11X9eqDq1HEc","widevineChallenge":"CAES..."}}'

The regex will find the releasePid and discard the rest. The string starting CAES from the browser is dicarded but a new windevinechallenge is constructed using OUR CDM, and in this example the releasePid data.

You got a 500 server status code. Which means whatever you sent the server couldn't make sense of it broke the server's program,

The HTTP status code 500 is a generic error response. It means that the server encountered an unexpected condition that prevented it from fulfilling the request. This error is usually returned by the server when no other error code is suitable.

Only general help may be given if you do not provide the video url in your question. If allhell3.py is fed the correct data it will give you keys. Sometimes sites take steps to stop you presenting the correct data - timeouts and pre-shared-one-use-tokens being prime offenders.

[arakelov2]

Anyone who mentions curlconverter.com when talking about allhell3 has me seriously concerned.

Oh don't worry, I just use curlconverter.com to see more clearly the data that being sent, but I don't copy anything from there to allhell3.

I assume you have arrived at the end of Dungeon of Despair having read it all. Well done; it is not an easy read.

Yes I did (also the Temple of Doom!) but I need to do it again as there are parts that I need to understand better. I'm just a noob!
But I get the difference between l3.py and (all)hell3.py (at least regarding the input data it takes each one).

Now let me deal with the widevinechallenge - in your case it starts with 'CAES..'

The widevinechallenge is constructed data that contains the pssh and the public-key of the BROWSER's CDM, encrypted with the public-key of the license server.

It is of no use to us, for it is the BROWSER's response to get keys from the license server. We need to make our own widevinechallenge using OUR CDM to get our own keys.

So generally what is inside the widevinechallenge may be discarded. In the edited license cURL below, as an example, this particular site includes, as part of the widevine data-bundle, extra data - "releasePid":"11X9eqDq1HEc" which need returning to the license server to prove our bona-fides and confirm the video we want.

Code:

curl 'https://widevine.entitlement.eu.theplatform.com/wv/web/ModularDrm?token=eyJhbGciOiJSUzUxMiJ9.'
 -X POST -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:130.0) Gecko/20100101 Firefox/130.0' -H 'Accept: */*' -H 'Accept-Language: en-GB,en;q=0.5' -H 'Accept-Encoding: gzip, deflate, br, zstd'
 -H 'Origin: https://www.rte.ie' 
-H 'DNT: 1' 
-H 'Connection: keep-alive'
 -H 'Sec-Fetch-Dest: empty' 
-H 'Sec-Fetch-Mode: cors' 
-H 'Sec-Fetch-Site: cross-site' 
-H 'Priority: u=4' 
--data-raw '{"getWidevineLicense":{"releasePid":"11X9eqDq1HEc","widevineChallenge":"CAES..."}}'

The regex will find the releasePid and discard the rest. The string starting CAES from the browser is dicarded but a new windevinechallenge is constructed using OUR CDM, and in this example the releasePid data.

Thanks a lot for clarifying all this! It was a big help for understanding all the process.

You got a 500 server status code. Which means whatever you sent the server couldn't make sense of it broke the server's program,

I discovered something: pasting the same mpd URL + License cURL to allhell3.py and allhell3gui.py produced different errors: the first, as I said, returned a 500 server error, while the GUI version said

"Could not parse license_message as SignedMessage, Error parsing message".

So I debugged it and I found that, in allhell3.py, if the variable curl_command is longer than 4096 bytes, it gets truncated (mine is 5706 bytes long!). So the server is receiving something trimmed and (I think) it causes the 500 error. On the other hand, the GUI version captures correctly all the 5706 bytes of the cURL. Look at the difference:

allhell3.py:

Code:

data_match = <re.Match object; span=(3143, 3155), match="--data-raw '">
raw_prefix = None
data =

allhell3gui.py:

Code:

data_match = <re.Match object; span=(3143, 5706), match="--data-raw 'widevine2Challenge=CAESzwwKvAsIARKeCg>
raw_prefix = '
data = widevine2Challenge=CAESzwwK... blah blah blah ...2B8jF%2F&includeHdcpTestKeyInLicense=true

To understand better the cause of the "Could not parse license_message as SignedMessage" error, I put a print(license_response.content) and I found these details:

Code:

b'{"errorsByResource":{"Widevine2License":{"downstreamReason":"untrusted_device","errorCode":"PRS.Dependency.DRM.Widevine.UnsupportedCdmVersion","message":"Cannot complete request.","type":"PRSWidevine2LicenseDeniedException"}},"returnedTitleRendition":{"asin":"·····.dv.gti.4ebbc57a-ac58-0a2c-·············ad","assetBundleVideoQuality":"HD","audioQuality":"Stereo","contentId":"·····.dv.vcid.175e6567-498f-46a6-···············7979","pid":"com.······.playback.object.vod.42FC0E05-C2D2-43CE-8E3E-20C0B8C21156","selectedEntitlement":{"benefit":"PRIME","consumptionExpiration":"1727135750531","entitlementType":"PRIME_SUBSCRIPTION","grantedByCustomerId":"A2··········5S"},"titleId":"·····.dv.gti.4ebbc57a-ac58-0a2c-····-f6ac6eb4c3ad","videoMaterialType":"Feature","videoQuality":"HD","videoResolution":"1080p"}}\n'

(some parts masked with ···)

Or, testing with another combination of mpd URL + License cURL,

Code:

b'{"errorsByResource":{"Widevine2License":{"message":"Cannot complete request.","type":"PRSWidevine2LicenseDeniedException"}},"returnedTitleRendition":{"asin":"·····.dv.gti.4ebbc57a-ac58-············-f6ac6eb4c3ad","assetBundleVideoQuality":"HD","audioQuality":"Stereo","contentId":"·····.dv.vcid.175e6567-498f-·····-df5e49797979","pid":"com.······.playback.object.vod.42FC0E05-·········-8E3E-20C0······6","selectedEntitlement":{"benefit":"PRIME","consumptionExpiration":"1727135876142","entitlementType":"PRIME_SUBSCRIPTION","grantedByCustomerId":"A2·············5S"},"titleId":"·····.dv.gti.4ebbc57a-ac58-········-f6ac6eb4c3ad","videoMaterialType":"Feature","videoQuality":"HD","videoResolution":"1080p"}}\n'

(some parts masked with ···)

Only general help may be given if you do not provide the video url in your question.

I think I can't because it's a paid site (surely you guess it even with the masking). Your general help will be enough and it's really appreciated.

Best regards.

[A_n_g_e_l_a]

So I debugged it and I found that, in allhell3.py, if the variable curl_command is longer than 4096 bytes, it gets truncated (mine is 5706 bytes long!). So the server is receiving something trimmed and (I think) it causes the 500 error. On the other hand, the GUI version captures correctly all the 5706 bytes of the cURL. Look at the difference:

Use Firefox as your browser - it doesn't truncate. But that truncation doesn't really matter as it is the tail end of the widevineChallenge; we replace it with our CDM Challenge. Remember the license cURL is parsed by by software and not sent to the server as is. Headers are extracted; the licenceURL is extracted; meaningful data is extracted and finally a new CDM challenge is created.

Stop trying to over-think things. You are making an assumption there is an error in code. None have been found so far. AllHell3 is a tool that works perfectly well for over 2500 users. But like all tools there is a need for skill on the part of the user. The tool is working fine, so pay attention to what the browser sends before it asks for a license. .

'Untrusted device' is concerning. The site probably needs an L1 CDM if it is Canal. We only have L3 - so all bets are off!

[larley]

@A_n_g_e_l_a:
L1 does not exist on browsers, as there's no secure execution environment anywhere. Browsers only have one CDM, and that's the ChromeCDM.

@arakelov2:
It looks like you're trying to get keys from Amazon Prime, which will require a ChromeCDM for 1080p. You have to downgrade the manifest to 480p to get a different PSSH.
WidevineFetch has a module for doing that, check my signature.

[A_n_g_e_l_a]

@A_n_g_e_l_a:
L1 does not exist on browsers, as there's no secure execution environment anywhere. Browsers only have one CDM, and that's the ChromeCDM.

]


Of course, and ooh look I can play the Confused Old Lady trope now can't I?

[larley]

I should cut back the contact

[A_n_g_e_l_a]

I should cut back the contact

What? You mean stop giving you the chance to play Mr Puff?

[larley]

No, to save myself from helping you

[A_n_g_e_l_a]

No, to save myself from helping you

Oh, that just needs will power.

[larley]

So you don't want to be helped?

[arakelov2]

Ok, maybe I didn't explain myself well. I'll try again:

Use Firefox as your browser - it doesn't truncate.

I DO use Firefox from the beggining. And who is truncating is not the browser: what I copy to the clipboard as cURL, I paste it into any text editor and I can see the full string.

But that truncation doesn't really matter [...]

I beg to differ.
If there are two programs (allhell3.py and allhell3gui.py) that take the same input and they are supposed "to do the same", and one fails with a 500 server error and the other goes beyond (at least saying "untrusted device" hidden somewhere), means that something is going different inside them, doesn't it?

Stop trying to over-think things. You are making an assumption there is an error in code. None have been found so far. AllHell3 is a tool that works perfectly well for over 2500 users. But like all tools there is a need for skill on the part of the user. The tool is working fine, so pay attention to what the browser sends before it asks for a license. .

I'm not over-thinking, I'm just wondering why two programs with equal inputs produce different outputs, provided both programs do essentially the same.
Is there an error in the code? Well, call it an error, a bug, or simply something that can be improved: after some investigation, I found that this truncation at 4095 bytes (plus the Ctrl+D char) is the standard behavior of the Linux kernel (https://stackoverflow.com/questions/77973107/how-can-i-read-more-than-4096-bytes-from-...erminal-on-lin). This behavior doesn't happen in allhell3gui.py because the line curl_command = self.curl_text.toPlainText().strip() reads the input from a nice window instead of the TTY.

I changed your code to read the cURL from the clipboard:

Code:

import pyperclip
[...]
    # get cURL from user
    # print("Next.\n1. Paste your cURL of license request.\n2. Press Ctrl-D (Linux) or Ctrl-Z (Windows) to save it.")
    input("Next, copy your cURL of license request from the browser. Press intro when you are sure that it's in your clipboard.")

    # multi OS support for getting hidden multi-line input from different browsers
    # cURL = get_hidden_input("cURL? ")
    cURL = pyperclip.paste()

Now, at least, the error raised is the same as in allhell3gui.py!

Code:

Traceback (most recent call last):
  File "/home/arakelov/.local/lib/python3.12/site-packages/pywidevine/cdm.py", line 407, in parse_license
    signed_message.ParseFromString(license_message)
google.protobuf.message.DecodeError: Error parsing message

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/arakelov/Programes/HellYesGui/allhell3.py", line 434, in <module>
    key_results = get_key(pssh, lic_url)
                  ^^^^^^^^^^^^^^^^^^^^^^
  File "/home/arakelov/Programes/HellYesGui/allhell3.py", line 213, in get_key
    cdm.parse_license(session_id, license_content)
  File "/home/arakelov/.local/lib/python3.12/site-packages/pywidevine/cdm.py", line 411, in parse_license
    raise InvalidLicenseMessage(f"Could not parse license_message as a SignedMessage, {e}")
pywidevine.exceptions.InvalidLicenseMessage: Could not parse license_message as a SignedMessage, Error parsing message

Inspecting the contents of the variable license_content, I see again:

Code:

license_content = b'{"errorsByResource":{"Widevine2License":{"downstreamReason":"untrusted_device","errorCode":"PRS.Dependency.DRM.Widevine.UnsupportedCdmVersion",...

So I changed the CDM: renamed the device.wvd to something different and copied another .wvd from inside a zip named REAL-CDM-L3-main.zip, dowloaded from some thread I don't remember now...
Run it again and... TADAAAAA!!!

Code:

license_content = b'\x08\x02\x12\xc5\x04\n0\n 23AB8371000000000100000000000000\x12\x08\xb9\xc0-O\x16\xe6X\x83 \x01(\x00\x12"\x08\x01\x10\x00\x18\x00 \xff\xe8\x0f(\xff\xe8\x0f0\xff\xe8\x0f8\x00B\x00H\x00P\x00X\x00`\x00p\x00x\x01\x1a\x96\x01\n\x10\xb7p\xd5\xb4\xbbkYM\xaf\x98XE\xaa\xe9\xaa_\x12\x10\x96N\xa4mv(\xc0\xaa\rfl<M\x0b5\x83\x1a \x01\x95\xf9K%\xd1\xb6O\xd7\xb9\xbc\r`\x1ehZ\xbb\x18`DBYj\xc9\xe9\\}4\xd9hw\xae \x02(\x012\x08\x08\x01\x10*\x18\x00 \x00:\x08\x08\x01\x10*\x18\x00 \x00B4\n \x9a5\xc7.F6\x1d\xb5\x17Kt\x9f\x91\xdd\x89~nl\x837a\xa4\xc7\xb0yU\x03\xa4G\x05\xba^\x12\x10\xe2\xcc\x9b\xc6`!g\xe8_\xde\xa9E\xb6\xe3\x0cEb\x00\x1a\xb2\x01\n\x10\x98qUZ\xbc\x93D\x03\xa0\x10\x87 =\x8f_L\x12\x10^d\xdf\x16\xb1\x81!\xa7\xf9\x93\xe2\xcb#\xee\x01C\x1a \x01-\x03N\xec<\xf9\xc4\x9e|"\xf4k>a\rPR%\x81\xeb\xf26\x15\xcb\xa5\xb9m\x00\x86e] \x02(\x022\x08\x08\x00\x10*\x18\x00 \x00:\x08\x08\x01\x10*\x18\x00 \x00B4\n \xbd\x19\xc2"\x040\x95\xb4\xb2\xae\xbb\x0eg\xa4\x9b]]\x84\xfbl\xa1\xcb\xa1\xd2\x01\x9f\x19|\xb3\xdf\xb3\xa0\x12\x10r\xe0+\x06w\r<\xd1\xb8\x12}\xb9n\xfc\x11\xfaR\n\x08\x00\x10\xbf\xde\x1f\x1a\x02\x08\x00R\x0e\x08\xc0\xde\x1f\x10\xff\xff\xff\xff\x0f\x1a\x02\x08\x01b\x00\x1a\x96\x01\n\x10\xb3\xd7i\xf7\xf3\xa1G3\xbd\xd5\xf1\xcb\xf4!I\x82\x12\x10\xfe*\xb0&\xc4\xf2N\xc9\x98c\xe7\xc8\xa5<s\xe4\x1a \xae\xf5\xb2\xe3\xdc\x00T\xbb\x88\xed\xf6E\xbe5Y0D\x06{\x86%\xdc.s\x07\xd8q\xed\xc1^\xa5[ \x02(\x012\x08\x08\x00\x10*\x18\x00 \x00:\x08\x08\x01\x10*\x18\x00 \x00B4\n \xd5|\xe4~\xa4X\x8e\xaf\x98#\xb8\xe2\r\xfec\x01X\xa8P\xf3\x1c}\xebZ\xe5\x908%\xf1\x9eBa\x12\x10q\x0f\xb5\x86\x7f\x06=\xd7\xd6\xdeS\xf00\xc5S\xfeb\x00 \xba\xde\xc1\xb7\x068\x00\x1a ,\x05\'\x0e7\x9cs\x7f\x03{7\x1a\xcf\xd2\xf02\xb5\x83T\xcb\x8b\xdaL\x15;@\xde\x0b\x86\xa5\xe7\xcd"\x80\x02\x10\x14\xe3\x1656\x13\x95\xdap\xd0\x95mt\xb3\x95\xc3N\xa7\x98K\x8a\x1f\x80\xc7\xf2\xe1\x0ey\xa30\xe1\xdc\'M\x068\xc0\xebH\x07W\xfe\xad\x1a\x0f\xf2\xe8\x9a\xdedP\xe5\xef\x04\xc2\'\xbe\xc3\x81\xf8\xa2\xff\xd6:\xe5\x14\xbe\x8fpq\t\xea\xb1\xa6\x05\x8c_\x9c\xc5S\xfb\xe5\xedW\x8e|\xc4s\xd9\x07H\x9c\xd5\xeeJ\x0e3a\xf2u(7\x08\x0f\x8b\xcd\xa2\xe7j\xec\xcb\xcf\x1bm\x84\x83H\xff\xc5\xa6\x92Q*<*\xe5\xc7\x96:W\x19:\x9eE\x1d\xf8/\xcc3\x90\xce,$\xe5\xebU\xfd3\xa0\xfd\x1d\x81\x89W?\x1eq\\\xdc\xce\xf6\x0b\x9f\xaf\xdd/!\xc0\\\xe6\xa1\'#\x88!\xd9\x9e:>\xeb\x19\x84\xd8\x83\xeb\x1b\x92\xbe\xfa\x17\xfa%\xa5\xeb`ze^@f\x90t~\xc9\xd4r\xd7IWv\xa4qA\xf9^J=\xda\x1b\xda\xf2\\\x15\t\x1b\xb3+6\xc0\x1af\xe4\x9b4\xd3u/\x82\xbe\xee`\x98\x17\xc1\x1a\xa7\x16\xef2\xc3\x83>\xb0\xafo:\x08\n\x0618.0.1@\x01X\x00'

--key b770d5b4bb6b594daf985845aae9aa5f:b0cb46d2d31cf044bc73db71e9865f6f
--key 9871555abc934403a01087203d8f5f4c:91a95991b50e4994ef08643475fc12b5
--key b3d769f7f3a14733bdd5f1cbf4214982:78c14333680fcd3143a0050c880b89d4

Save Video as?

@arakelov2:
It looks like you're trying to get keys from Amazon Prime, which will require a ChromeCDM for 1080p. You have to downgrade the manifest to 480p to get a different PSSH.
WidevineFetch has a module for doing that, check my signature.

Yes, it's Prime Video. Well indeed the problem came both from the data truncation and also from the CDM.
Yesterday I tested your WidevineFetch. WORKS LIKE A CHARM, HUGE THANKS!!
(I confess that the idea of reading from the clipboard came from your app!)

A_n_g_e_l_a, in the world of video streaming downloading, as I said, I'm just a noob (even though I've been working as an IT engineer for more than 10 years). You're an expert but don't get upset; even the most awesome software, like yours, has bugs room for improvement.
Yes, all tools need for skill on the part of the user. I think I proved I have it.

Best regards.