Dumping Your own L3 CDM with Android Studio

[Chopssuey]

Hello i'm having issues with dumper main action



Im using frida-server-17.2.4-android-x86_64 and phyton 3.12 from MS.

Thank your for the help.

[use a name]

Hello i'm having issues with dumper main action


[Attachment 87531 - Click to enlarge]

Im using frida-server-17.2.4-android-x86_64 and phyton 3.12 from MS.

Thank your for the help.

Read the whole thread. Many people have already had this problem.

Paste this in the global scope of Dumper's scripts.js. The bottom of the file is fine.

Code:

rpc.exports = {
inject: inject
};

Dumper hasn't been updated in over four years and these things tend to stop working. It's unclear if Dumper can even be used with current versions of Android Studio etc. You may have to experiment for yourself (only recommended if you have advanced knowledge of computing topics) or wait for someone to post a full tutorial on using KeyDive with Android Studio. We're lucky as many talented people care as much as they do, given that they're going tet-a-tet with some of the smartest engineers in the world (in theory).

[voice_]

Done this two years ago and wanted to try again.
And say many thanks, the original post still works.

Definitely good to read carefully and pay attention to which phone to select, Android, and especially frida version (and to make sure they match). It's all explained very easy here.

Cheers,

[use a name]

Done this two years ago and wanted to try again.
And say many thanks, the original post still works.

Definitely good to read carefully and pay attention to which phone to select, Android, and especially frida version (and to make sure they match). It's all explained very easy here.

Cheers,

You still managed to get the original instructions to work? Wow. What OS are you running and what version of Android Studio? How did you work around the fact that Android Studio won't (officially) let you use a Pixel 9 with API28 anymore? What AVD model did you use? Thanks and congrats!



By the way, little secondhand advice for anyone trying to use KeyDive instead: definitely don't try to mix it with the processes described in this thread like I did at first. Start from scratch, as I said in my much longer post. You'll still need Frida but you don't need to limit yourself to Pixel 3XL, 9.0, 28. In fact, you shouldn't do that. KeyDive was released after Pie and designed for more recent versions of Android. Don't fight that fact. It hints at what versions you should be using in its readme.

[vidblue]

Does anyone know how to download HD content using this method? Thanks

[ytdlhelp]

Does anyone know how to download HD content using this method? Thanks

Content downloading itself doesn't depend on the CDM, decryption is. And each website decides whether to have additional keys for HD content (some use a single key for everything including HD and 4K), and whether such keys are provided for the extracted CDM, however it seems for almost all free content, L3 CDM works, though some websites require physical device CDM. To attempt to get decryption keys, you need to use OpenWV or WidevineProxy2.

[robbie362]

Hi guys!

So, I've spent most of the time yesterday and then earlier today, only to end up on that dump Hook completed thing that doesn't do anything.

Long story short, what works is to use KeyDive.

I still followed the 2025 instructions here:

Pixel 4 XL (no google play) api 34 in Android Studio.

(also tried pixel 3 xl api 28 but doesn't seem to work).

- Use the latest Frida.
- Add ADB platform tools to environment path

then:
pip install keydive

and

keydive -kw -a player

then back in the android app, click that bottom right icon > Provision widevine.

DONE!


[Attachment 87648 - Click to enlarge]

I thank everyone in this forum and KeyDive, I finally have my own CDM. Ciao!

[use a name]

(also tried pixel 3 xl api 28 but doesn't seem to work).

I thought this might have become a problem. I'm going to remove it from my original post so as not to mislead anyone.

Pixel 3XL, 9.0, 28 is, it seems, the right option if you're still trying to use Dumper from the original instructions (or, preferably, find a version of Android Studio that still allows a Pixel 9 with Pie). If you're using KeyDive, it then becomes a hinderance. It may not even be possible. KeyDive was written after Pie/9.0.

Congrats and thanks for posting your experience/advice.


Note to all: FOR KEYDIVE, USE ANDROID 12+ WITH A 3x API AND A DEVICE DESIGNED FOR THAT PAIR. Trying to restrict yourself to API <= 28 and Pie is only necessary for Dumper, which is now outdated but can still work. KeyDive is seemingly the easier solution now. All options should be without Play Store (still an easily selectable image option in Android Studio).

[use a name]

Does anyone know how to download HD content using this method? Thanks

Content downloading itself doesn't depend on the CDM, decryption is. And each website decides whether to have additional keys for HD content (some use a single key for everything including HD and 4K), and whether such keys are provided for the extracted CDM, however it seems for almost all free content, L3 CDM works, though some websites require physical device CDM. To attempt to get decryption keys, you need to use OpenWV or WidevineProxy2.

Good answer and useful links.

HD/4K (i.e. content quality but, more than anything, value) only increases the chances of stronger or lower-level encryption and more browser-level obfuscation. They're not technically linked.

There's a hierarchy: L3 from an VM < L3 from a physical device < L2 (largely unused but can be treated as basically L1) < L1. Usually VM vs physical is undetermined (I'd be interested in an example of one that does make the distinction) due to the additional effort relative to the low number of L3 bypassers.

If you're asking this kind of question, acquiring an L1 key pair is beyond your current ability. There are no public tutorials, AFAIK, on extracting a key because these are software-hardware interface exploits, rather than just sniffing. As soon as someone makes an L1 vulnerability public, it's fixed very quickly. And there's no public software for making use of L1 keys because you're not expected to have one. If you do, you're expected to be able to writer your own scraper/extractor for the content. These are the kind of things that scene groups develop to make their WEB-DLs and then guard jealously (and the quantity of WEBRip content proves how hard it can be for even the experts). These targets are your Amazons and Netflixes. Security is a lot better today than it was when I figured out how to download unlimited music from iTunes in the mid '00s and during the early days of Netflix et al. (Though still complete garbage when it comes to personal data, as evidenced by the obscene number of often unsalted MD5-hashed or even unencrypted database leaks. Tech companies don't seem to care about your data security, only those of their large corporate partners.)

Though if you don't feel capable of acquiring an L3 WV key and then running CLI scripts to make use of it, StreamFab Downloader (advertised on this forum) apparently does all the L3 stuff and potentially more. It advertises itself as having scene-level capabilities and with the pricetag to match. I have no idea how well it works as it's far outside my price range but I'd be fascinated to hear from someone who has tried it. MakeMKV looks like it should be crappy adware based on the website and claims made but it's actually excellent, so who knows? (Things might've moved on but last I heard, it was still the only effective free BD ripper.)

[ytdlhelp]

Good answer and useful links.

HD/4K (i.e. content quality but, more than anything, value) only increases the chances of stronger or lower-level encryption and more browser-level obfuscation. They're not technically linked.

There's a hierarchy: L3 from an VM < L3 from a physical device < L2 (largely unused but can be treated as basically L1) < L1. Usually VM vs physical is undetermined (I'd be interested in an example of one that does make the distinction) due to the additional effort relative to the low number of L3 bypassers.

If you're asking this kind of question, acquiring an L1 key pair is beyond your current ability. There are no public tutorials, AFAIK, on extracting a key because these are software-hardware interface exploits, rather than just sniffing. As soon as someone makes an L1 vulnerability public, it's fixed very quickly. And there's no public software for making use of L1 keys because you're not expected to have one. If you do, you're expected to be able to writer your own scraper/extractor for the content. These are the kind of things that scene groups develop to make their WEB-DLs and then guard jealously (and the quantity of WEBRip content proves how hard it can be for even the experts). These targets are your Amazons and Netflixes. Security is a lot better today than it was when I figured out how to download unlimited music from iTunes in the mid '00s and during the early days of Netflix et al. (Though still complete garbage when it comes to personal data, as evidenced by the obscene number of often unsalted MD5-hashed or even unencrypted database leaks. Tech companies don't seem to care about your data security, only those of their large corporate partners.)

Though if you don't feel capable of acquiring an L3 WV key and then running CLI scripts to make use of it, StreamFab Downloader (advertised on this forum) apparently does all the L3 stuff and potentially more. It advertises itself as having scene-level capabilities and with the pricetag to match. I have no idea how well it works as it's far outside my price range but I'd be fascinated to hear from someone who has tried it. MakeMKV looks like it should be crappy adware based on the website and claims made but it's actually excellent, so who knows? (Things might've moved on but last I heard, it was still the only effective free BD ripper.)

For some reason, I was unable to read the message before I clicked quote. Edit: turned out to be ad blocker issue.

On examples of websites which discriminate virtual CDMs, see Spotify, VdoCipher (these two don't provide keys at all) and YouTube Movies (restricts access to most movies to 480p, also discriminates ChromeCDM the same way, which is uncommon).

For making use of L1 keys, the same software would work (because there isn't anything special in license requests themselves), except maybe you also need to add extension code to make the browser accept higher robustness values in EME call, if some website only works with L1 and nothing else. The true concern is how to do it without getting the CDM blocked for suspicious activity.

As for release groups, it is said that these days they use PlayReady SL3000 instead. There are many leaked CDMs that aren't blocked as widely as on Widevine, and they also can be reprovisioned unlimited times. Can't check if they actually work on paid streaming services, as I am never going to fund these DRM supporters.

[Mallikarjun1995]

Dumping your own l3 cdm with android studio.

Is it still working now?

[1v0live]

Hello @cedric8528, thanks so much for this thread! I am new here and i have encountered some problems running adb.exe shell.

emu64xa:/ $ su
/system/bin/sh: su: inaccessible or not found
127|emu64xa:/ $ mv /sdcard/frida-server-17.2.11-android-x86 /data/local/tmp
emu64xa:/ $ chmod +x /data/local/tmp/frida-server-17.2.11-android-x86
emu64xa:/ $ /data/local/tmp/frida-server-17.2.11-android-x86
/system/bin/sh: /data/local/tmp/frida-server-17.2.11-android-x86: No such file or directory

I can't figure out what is the problem. First with the su command and then with the last command.
I have read almost the whole thread but couldn't find this specific info. My frida server version is the same version as the one installed.

[robbie362]

I can't figure out what is the problem. First with the su command and then with the last command.
I have read almost the whole thread but couldn't find this specific info. My frida server version is the same version as the one installed.

You seem to be following the original from page 1? Try the one from page 26 which is for 2025. That worked for me except I have to use keydive since I can't make dumper work.

[1v0live]

Thanks for the headsup robbie362. This thread is very long and somewhat confusing.

I could only select API 28 Pie (which if i understood correctly is necessary to being able to root the device) if i choose at maximum a Pixel 3a XL, but i saw in screenshots that was not the case for other users. Why?
My windows when configuring a virtual device also look substantially different from the ones in screenshots.

[robbie362]

Thanks for the headsup robbie362. This thread is very long and somewhat confusing.

I could only select API 28 Pie (which if i understood correctly is necessary to being able to root the device) if i choose at maximum a Pixel 3a XL, but i saw in screenshots that was not the case for other users. Why?
My windows when configuring a virtual device also look substantially different from the ones in screenshots.

API 28 Pie is... only because the original Dumper only works with this.

If you scroll up to my comment above, I used keydive with Pixel 4 XL (no google play) api 34 in Android Studio.

[1v0live]

"No google play" you mean the "android open source" option in services?

robbie362, I followed your above post and finally ADB is working, thanks.

Now i am a little lost after keydive. I don't find "Provision widevine".

[weiLahw9]

"No google play" you mean the "android open source" option in services?

robbie362, I followed your above post and finally ADB is working, thanks.

Now i am a little lost after keydive. I don't find "Provision widevine".

It's in the Kaltura DRM test app. Or just play a drm protected video in the browser.

[robbie362]

"No google play" you mean the "android open source" option in services?

robbie362, I followed your above post and finally ADB is working, thanks.

Now i am a little lost after keydive. I don't find "Provision widevine".

After you run this: keydive -kw -a player and when you go back to your Android app, you will see the DRM test app installed and you have to click the Provision widevine in there.

Or as per @weiLahw9, just play any drm protected video in the browser so that keydive can do its work.

[1v0live]

Hello @cedric8528, thanks so much for this thread! I am new here and i have encountered some problems running adb.exe shell.

emu64xa:/ $ su
/system/bin/sh: su: inaccessible or not found
127|emu64xa:/ $ mv /sdcard/frida-server-17.2.11-android-x86 /data/local/tmp
emu64xa:/ $ chmod +x /data/local/tmp/frida-server-17.2.11-android-x86
emu64xa:/ $ /data/local/tmp/frida-server-17.2.11-android-x86
/system/bin/sh: /data/local/tmp/frida-server-17.2.11-android-x86: No such file or directory

I can't figure out what is the problem. First with the su command and then with the last command.
I have read almost the whole thread but couldn't find this specific info. My frida server version is the same version as the one installed.

I am still getting an error on that last line. how is that supposed to not give an error if a folder structure like that was not created beforehand?

[nickomaru]

run the test command
ls -la /data/local/tmp/frida-server-17.2.11-android-x86

or
ls -la /data/local/tmp/

[Jarsky]

Thank you for the fix using keydive. For those that are struggling.

Install Android Studio.
Install the Android Studio SDK for API34
In Android Studio go to File > Settings > Language & Frameworks > Android SDK
Select Android 14 API Level 34
This should install to your %localappdata%\Android\Sdk\ folder


[Attachment 87960 - Click to enlarge]

Create a new Pixel 4 XL device


[Attachment 87961 - Click to enlarge]

Use API 34 and select Google APIs Intel x86_64 Atom System Image
Create the device


[Attachment 87962 - Click to enlarge]

On your system install Python3 (im using 3.13)
Open CMD Prompt and Install frida-tools and keydive

Code:

pip install frida frida-tools keydive

When frida & frida-tools installs; check what version it is, and download the corresponding server version
Mine was 17.2.4 so I downloaded frida-server-17.2.4-android-x86_64.xz
Extract the archive so you have the binary

Next setup ADB so it is an Environmental Path
Open System > Advanced system settings > Environmental variables...
In User or System variables; select Path and Edit..
Enter the path to your Android SDK's "platform-tools" folder


[Attachment 87963 - Click to enlarge]

Reboot for the environment variable to take effect.
Open cmd and test its working by typing 'adb --version'


[Attachment 87964 - Click to enlarge]

Next we follow the same rooting and frida-server steps
Make sure the device is powered on in Android Studio

Check adb can see the emulated device

Code:

adb devices

Then root it; push frida-server and run it

Code:

adb root
adb push frida-server-17.2.4-android-x86_64 /sdcard

adb shell
mv /sdcard/frida-server_yourversion /data/local/tmp/frida-server
chmod 755 /data/local/tmp/frida-server
/data/local/tmp/frida-server &

Now open another cmd prompt window in the folder you want to save the files
Run keydive with this command

Code:

keydive -kw -a player

Look at your device and you will see the app open on the phone and a pink icon in the bottom corner
Click the icon then "Provision Widevine"


[Attachment 87965 - Click to enlarge]

You should see it successfully connect

Code:

2025-07-26 08:24:58 [I] keydive: Version: 3.0.5
2025-07-26 08:24:58 [I] Remote: Connected to device: Android Emulator 5556 (emulator-5556)
2025-07-26 08:24:58 [I] Remote: SDK API: 34
2025-07-26 08:24:58 [I] Remote: ABI CPU: x86_64
2025-07-26 08:24:58 [I] Core: Preparing DRM player: Kaltura Device Info (com.kaltura.kalturadeviceinfo)
2025-07-26 08:25:00 [I] Core: Starting application: Kaltura Device Info (com.kaltura.kalturadeviceinfo)
2025-07-26 08:25:01 [I] Core: Watcher delay: 1.0s
2025-07-26 08:25:01 [I] Core: Detected process: 420 (android.hardware.drm-service.widevine)
2025-07-26 08:25:02 [I] Core: Library found: android.hardware.drm-service.widevine (/apex/com.google.android.widevine/bin/hw/android.hardware.drm-service.widevine)
2025-07-26 08:25:02 [I] Core: Successfully attached hook to process: 420
2025-07-26 08:25:07 [I] Cdm: Received encrypted keybox:

Then it should display your output keys


[Attachment 87966 - Click to enlarge]


The keys output path is relative to your current working directory..so whichever folder you were in when you ran keydive.
Copy them as needed

[Jarsky]

Hello @cedric8528, thanks so much for this thread! I am new here and i have encountered some problems running adb.exe shell.

emu64xa:/ $ su
/system/bin/sh: su: inaccessible or not found
127|emu64xa:/ $ mv /sdcard/frida-server-17.2.11-android-x86 /data/local/tmp
emu64xa:/ $ chmod +x /data/local/tmp/frida-server-17.2.11-android-x86
emu64xa:/ $ /data/local/tmp/frida-server-17.2.11-android-x86
/system/bin/sh: /data/local/tmp/frida-server-17.2.11-android-x86: No such file or directory

I can't figure out what is the problem. First with the su command and then with the last command.
I have read almost the whole thread but couldn't find this specific info. My frida server version is the same version as the one installed.

I am still getting an error on that last line. how is that supposed to not give an error if a folder structure like that was not created beforehand?

Just use adb root; instead of trying to use su in the shell

Code:

adb root
adb push frida-server-17.2.11-android-x86 /sdcard
adb shell
mv /sdcard/frida-server-17.2.11-android-x86 /data/local/tmp/frida-server
chmod 755 /data/local/tmp/frida-server
/data/local/tmp/frida-server &

Also I notice you're using the x86 build. If you're using Android x86_64; then use the x86_64 frida-server

HTML Code:

adb shell                                                                                                                    
emu64xa:/ # mv /sdcard/frida-server /data/local/tmp/
emu64xa:/ # chmod 755 /data/local/tmp/frida-server
emu64xa:/ # /data/local/tmp/frida-server &
[1] 7039

[1v0live]

Thank you so much, it was exactly it. Now with x86_64 version it does not give error. I totally neglected that.

But Keydive gives the following error on repeat:

Expected library not found: libwvdrmengine.so
Widevine library not located yet. Retrying...

When i try to provision Widevine, it fails.

[albertleroi]

Hello, could you please tell me exactly where Dumper is blocking?

Does it stop when launching the Frida hook (before detecting Widevine)?

Or during the key extraction (when parsing the license)?

Do you get an error message or does it just hang?

The more details you can give (logs or screenshot), the easier it will be to help you

[xanime]

Hello i'm having issues with dumper main action


[Attachment 87531 - Click to enlarge]

Im using frida-server-17.2.4-android-x86_64 and phyton 3.12 from MS.

Thank your for the help.

Read the whole thread. Many people have already had this problem.

Paste this in the global scope of Dumper's scripts.js. The bottom of the file is fine.

Code:

rpc.exports = {
inject: inject
};

Dumper hasn't been updated in over four years and these things tend to stop working. It's unclear if Dumper can even be used with current versions of Android Studio etc. You may have to experiment for yourself (only recommended if you have advanced knowledge of computing topics) or wait for someone to post a full tutorial on using KeyDive with Android Studio. We're lucky as many talented people care as much as they do, given that they're going tet-a-tet with some of the smartest engineers in the world (in theory).

I completed and played the video but the files did not appear.
[Attachment 88209 - Click to enlarge]

[1v0live]

Hello, could you please tell me exactly where Dumper is blocking?

Does it stop when launching the Frida hook (before detecting Widevine)?

Or during the key extraction (when parsing the license)?

Do you get an error message or does it just hang?

The more details you can give (logs or screenshot), the easier it will be to help you

Sorry for taking so much time to reply. I have been busy lately and also kind of frustrated by this.
that error was when running: keydive -kw -a player

I am following the instructions on here: https://forum.videohelp.com/threads/408031-Dumping-Your-own-L3-CDM-with-Android-Studio...28#post2777509

but now i tried again and i get another error that was not before.
when running: mv /sdcard/frida-server /data/local/tmp
i get: mv: /data/local/tmp/frida-server: Text file busy

also, can someone rec another testpage like that bitmovin that no longer exists?