Dumping Your own L3 CDM with Android Studio

[Obo]

Continue with "Decryption and the Temple of Doom", and thereafter "Decryption: The Dungeon of Despair", followed by "Decryption: The Last Crusade". If you've worked through these three threads - read at least the initial post - you know what to do with the files.

[LittleSoldier]

[Attachment 78894 - Click to enlarge]

what to do with these files please?

Refer "Beyond WKS-KEYS" thread to know how to generate .wvd file from these two files

[IPTV1010]

C:\Users\hello\Downloads\dumper-main\dumper-main>python dump_keys.py
2024-05-08 08:36:23 PM - root - 16 - INFO - Connected to Android Emulator 5554
2024-05-08 08:36:23 PM - root - 17 - INFO - scanning all processes for the following libraries
Traceback (most recent call last):
File "C:\Users\hello\Downloads\dumper-main\dumper-main\dump_keys.py", line 18, in <module>
for process in device.enumerate_processes():
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "C:\Users\hello|AppData\Local\Programs\Python\Pyth on312\Lib\site-packages\frida\core.py", line 86, in wrapper
return f(*args, **kwargs)
^^^^^^^^^^^^^^^^^^
File "C:\Users\hello\AppData\Local\Programs\Python\Pyth on312\Lib\site-packages\frida\core.py", line 887, in enumerate_processes
return self._impl.enumerate_processes(**kwargs) # type: ignore
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
frida.PermissionDeniedError: unable to access process with pid 606 due to system restrictions; try `sudo sysctl kernel.yama.ptrace_scope=0`, or run Frida as root

how to solve this issue?

[Karoolus]

C:\Users\hello\Downloads\dumper-main\dumper-main>python dump_keys.py
2024-05-08 08:36:23 PM - root - 16 - INFO - Connected to Android Emulator 5554
2024-05-08 08:36:23 PM - root - 17 - INFO - scanning all processes for the following libraries
Traceback (most recent call last):
File "C:\Users\hello\Downloads\dumper-main\dumper-main\dump_keys.py", line 18, in <module>
for process in device.enumerate_processes():
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "C:\Users\hello|AppData\Local\Programs\Python\Pyth on312\Lib\site-packages\frida\core.py", line 86, in wrapper
return f(*args, **kwargs)
^^^^^^^^^^^^^^^^^^
File "C:\Users\hello\AppData\Local\Programs\Python\Pyth on312\Lib\site-packages\frida\core.py", line 887, in enumerate_processes
return self._impl.enumerate_processes(**kwargs) # type: ignore
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
frida.PermissionDeniedError: unable to access process with pid 606 due to system restrictions; try `sudo sysctl kernel.yama.ptrace_scope=0`, or run Frida as root

how to solve this issue?

are you running it as root?

[IPTV1010]

yeah i have got the files , actually i used a diff device model which was old ,i tried with pixel 6 as specified i have got the files.

[Kaba]

https://github.com/hyugogirubato/KeyDive New dumper tested with Android 13 real device and android studio works really well.

First, i have to analyze the elf file with Gira, correct ? But witch file ?
I only found widevine.mdt, widevine.b00, widevine.b01, widevine.b02, widevine.b03 on my device.

I think, this are the wrong ones. Witch is the correct one ?

[white_snake]

First, i have to analyze the elf file with Gira, correct ? But witch file ?
I only found widevine.mdt, widevine.b00, widevine.b01, widevine.b02, widevine.b03 on my device.

I think, this are the wrong ones. Witch is the correct one ?

You only need to do that if you're dumping from Android 14 (and only if you're dumping a 18.0.0+ version CDM, I believe). If that is the case, KeyDive's output will tell you the library file to pull from your device, for example:

Code:

[I] Cdm: Library: android.hardware.drm-service.widevine (/apex/com.google.android.widevine/bin/hw/android.hardware.drm-service.widevine)

[Kaba]

thx.

there I have one question, when I tried different times, why the received device privat key is always different ?

[mobihen87]

Hi

First of all, great guide!
I've managed to get it work. I'm getting a result like: (see pic)
that shows the message with a long key and a signature, but the folder private-keys not created for me, also tried to show hidden files and folders but nothing.
how do I get those 2 files?

P.S
I'm on Mac

[keep_it_breezy]

Hi

First of all, great guide!
I've managed to get it work. I'm getting a result like: (see pic)
that shows the message with a long key and a signature, but the folder private-keys not created for me, also tried to show hidden files and folders but nothing.
how do I get those 2 files?

P.S
I'm on Mac

Are you on an arm or an intel mac?

[mobihen87]

yes, on MacBook Air M2

[keep_it_breezy]

yes, on MacBook Air M2

If I remember correctly, for me anyway (this was a while back), I couldn't get the MacOS Arm version of Android studio to correctly dump keys because it uses either Arm android, or arm emulated x86 virtual devices. I in the end had to do it on an x86 machine. Happy to shoot you over an emulated CDM though if you need.

[mobihen87]

Thanks

Will try with intel Mac

after I get those keys, I use it as is with udemy downloader?

[FoxRefire]

I have added to Keydive the ability to automatically open a Bitmovin demo and generate a WVD.

I have currently sent a PR to the owner and am waiting for a response.

My changes can be found here.
https://github.com/hyugogirubato/KeyDive/pull/10/files

Code:

-a, --auto            Open Bitmovin’s demo automatically
-w, --wvd             Generate WVD

Example

Code:

python keydive.py -aw

This automatically open Bitmovin's demo without user's interaction and generates wvd automatically

[popedagoat]

I have added to Keydive the ability to automatically open a Bitmovin demo and generate a WVD.

I have currently sent a PR to the owner and am waiting for a response.

My changes can be found here.
https://github.com/hyugogirubato/KeyDive/pull/10/files

Code:

-a, --auto            Open Bitmovin’s demo automatically
-w, --wvd             Generate WVD

Example

Code:

python keydive.py -aw

This automatically open Bitmovin's demo without user's interaction and generates wvd automatically

hey i had a problem with the script unable to find widevine (i'll put the screenshot). i've been trying using different of system images from Pie to UpsideDownCake and the problem still present. i followed the instruction mentioned on the link provided but it didn't seem to mention any widevine unable stuff on the link. could you help me with this?

[vidblue]

Thank you cedric8528 for sharing the wonderful guide.

I followed the instructions but for some reason the keys won't generate. Anyone know or have an idea about the probable cause?

I've Frida 16.2.5 and Frida-tools 12.4.2 installed. The DRM video https://bitmovin.com/demos/drm does play though.
Device Pixel 6 API 28. Both command windows are active and I see no errors there.

Edit: Looking at the debug of dump_keys.py, I see this message and not sure if this is the cause of the trouble.

2024-05-24 08:51:13 AM - Helpers.Scanner - 82 - INFO - Running libwvhidl.so at 0xeaac0000
2024-05-24 08:51:13 AM - Helpers.Scanner - 75 - DEBUG - {
"from": "Dynamic Function",
"message": "L3 RSA Key export function found: cwkfcplc"
}

The last line has this message "Hooks completed"

Thanks

[white_snake]

hey i had a problem with the script unable to find widevine (i'll put the screenshot). i've been trying using different of system images from Pie to UpsideDownCake and the problem still present. i followed the instruction mentioned on the link provided but it didn't seem to mention any widevine unable stuff on the link. could you help me with this?

Make sure you use an Android image with the Google API or the Play Store.

Thank you cedric8528 for sharing the wonderful guide.

I followed the instructions but for some reason the keys won't generate. Anyone know or have an idea about the probable cause?

I've Frida 16.2.5 and Frida-tools 12.4.2 installed. The DRM video https://bitmovin.com/demos/drm does play though.
Device Pixel 6 API 28. Both command windows are active and I see no errors there.

Edit: Looking at the debug of dump_keys.py, I see this message and not sure if this is the cause of the trouble.

2024-05-24 08:51:13 AM - Helpers.Scanner - 82 - INFO - Running libwvhidl.so at 0xeaac0000
2024-05-24 08:51:13 AM - Helpers.Scanner - 75 - DEBUG - {
"from": "Dynamic Function",
"message": "L3 RSA Key export function found: cwkfcplc"
}

The last line has this message "Hooks completed"

Thanks

Use KeyDive to dump the CDM instead of the old dumper.

[vidblue]

Use KeyDive to dump the CDM instead of the old dumper.

Thanks. Installed KeyDive and requirements but I still don't see the keys created.

PS C:\Users\cccccc\Downloads\KeyDive-main> python3.11.exe .\keydive.py
2024-05-24 20:42:14 [I] KeyDive: Version: 1.0.8
2024-05-24 20:42:15 [I] Cdm: Device: Android Emulator 5554 (emulator-5554)
2024-05-24 20:42:15 [I] Cdm: SDK API: 28
2024-05-24 20:42:15 [I] Cdm: ABI CPU: x86
2024-05-24 20:42:15 [I] Cdm: Script loaded successfully
2024-05-24 20:42:15 [D] Cdm: Analysing... (android.hardware.drm@1.1-service.widevine)
2024-05-24 20:42:15 [D] Cdm: Analysing... (mediadrmserver)
2024-05-24 20:42:16 [D] Cdm: Analysing... (mediadrmserver)
2024-05-24 20:42:16 [D] Cdm: Analysing... (mediaserver)
2024-05-24 20:42:17 [I] Vendor: CDM version: 14.0.0
2024-05-24 20:42:17 [I] Vendor: OEM Crypto API: 14
2024-05-24 20:42:17 [I] KeyDive: Process: 1645 (android.hardware.drm@1.1-service.widevine)
2024-05-24 20:42:17 [I] Cdm: Library: libwvhidl.so (/vendor/lib/libwvhidl.so)
2024-05-24 20:42:17 [D] Script: Hooked (0xeac0a480): _ZN5wvcdm10Properties14UsePrivacyModeERKNSt3__112b asic_stringIcNS1_11char_traitsIcEENS1_9allocatorIc EEEE
2024-05-24 20:42:17 [D] Script: Hooked (0xeab93350): _ZN5wvcdm10CdmLicense17PrepareKeyRequestERKNS_18In itializationDataENS_14CdmLicenseTypeERKNSt3__13map INS5_12basic_stringIcNS5_11char_traitsIcEENS5_9all ocatorIcEEEESC_NS5_4lessISC_EENSA_INS5_4pairIKSC_S C_EEEEEEPSC_SM_
2024-05-24 20:42:17 [D] Script: Hooked (0xeaccd020): cwkfcplc
2024-05-24 20:42:17 [I] KeyDive: Successfully hooked. To test, play a DRM-protected video: https://bitmovin.com/demos/drm

generic_x86_arm:/ # /data/local/tmp/frida-server-16.2.5-android-x86

[white_snake]

Thanks. Installed KeyDive and requirements but I still don't see the keys created.

I suggest you force quit your browser before trying again (and maybe restart frida), or just cold boot the emulator. You can also try with a different browser and/or different video.

[vidblue]

I suggest you force quit your browser before trying again (and maybe restart frida), or just cold boot the emulator. You can also try with a different browser and/or different video.

Thanks. I deleted the emulator and created a new one. It worked. I think it worked this time because I did get the playing protected video "allow/block" warning which I didn't get earlier for some reason.

Now on the next project to learn how to make use of these keys

[logosng]

why i step to run Python dump_keys.py,this don't runing dump_keys.py??

[juan]

why i step to run Python dump_keys.py,this don't runing dump_keys.py??

try to open the dump_keys in a different Python interpreter , or in Visual studio . lets see if the py file is corrupted or not .
And make sure you install the requirement.txt

[GiddyFish]

Hi
I'm having a spot of bother trying to Execute frida-server!
No such file or directory

As can be seen from bellow the frida-server is in the tmp directory and has read write executable permisions

Code:

C:\Users\XXXXXX\AppData\Local\Android\Sdk\platform-tools>adb.exe shell
emu64xa:/ $ su
emu64xa:/ # mv /sdcard/frida-server-16.2.5-android-x86 /data/local/tmp/
emu64xa:/ # chmod +x /data/local/tmp/frida-server-16.2.5-android-x86
emu64xa:/ # /data/local/tmp/frida-server-16.2.5-android-x86
/system/bin/sh: /data/local/tmp/frida-server-16.2.5-android-x86: No such file or directory
126|emu64xa:/ # ls -l /data/local/tmp/
total 55208
-rwxrwx--x 1 u0_a172 media_rw 56528216 2024-05-30 16:46 frida-server-16.2.5-android-x86
emu64xa:/ #

Hoping someone advise

[juan]

try with elevated privileges

emu64xa:/ $ su
emu64xa:/ # mv /sdcard/frida-server-16.2.5-android-x86 /data/local/tmp/
emu64xa:/ # chmod +x /data/local/tmp/frida-server-16.2.5-android-x86
emu64xa:/ # su -c /data/local/tmp/frida-server-16.2.5-android-x86

[imvin]

hello guys ..
why dumper suddenly not working ,
....phyton dump_keys.py

....phyton dump_keys.py

any idea ?

[juan]

hello guys ..
why dumper suddenly not working ,
....phyton dump_keys.py

....phyton dump_keys.py

any idea ?

CMD > pip list .. check protobuf version if version 4XXX,
pip uninstall protobuf
pip install protobuf==3.20.0

[juan]

You should stop using the old DUMPER .
Just use KEYDIVE.
and the make sure the requirements.txt , is in your "pip list"

[imvin]

You should stop using the old DUMPER .
Just use KEYDIVE.
and the make sure the requirements.txt , is in your "pip list"

oke , Thank you.

[GiddyFish]

try with elevated privileges

emu64xa:/ $ su
emu64xa:/ # mv /sdcard/frida-server-16.2.5-android-x86 /data/local/tmp/
emu64xa:/ # chmod +x /data/local/tmp/frida-server-16.2.5-android-x86
emu64xa:/ # su -c /data/local/tmp/frida-server-16.2.5-android-x86

Code:

emu64xa:/ # su -c /data/local/tmp/frida-server-16.2.5-android-x86
su: invalid uid/gid '-c'

getting-error-while-using-su-command

suggsts su 0

Code:

|emu64xa:/ # su 0 /data/local/tmp/frida-server-16.2.5-android-x86
su: failed to exec /data/local/tmp/frida-server-16.2.5-android-x86: No such file or directory

[juan]

used this :
emu64xa:/ # su -c "sh /data/local/tmp/frida-server-16.2.5-android-x86

[Attachment 79474 - Click to enlarge]
Tested and work