Hey guys,
I have been trying to dump a CDM from 2 devices that I have, both are rooted and I haven't had much luck on either.
One is a Google Pixel 3 XL
[Attachment 72803]
I downloaded libwvhidl@1.3.so and grabbed out the function names and added them to script.js but I still haven't had any luck.
When running dump_keys I get
PHP Code:
2023-07-31 08:02:17 PM - Helpers.Scanner - 75 - DEBUG - {
"from": "android.hardware.drm@1.3-service.widevine",
"message": "OEMSecurityLevel",
"payload": {
"Level": "L1"
}
}
The second is a Samsung SM-A528B
[Attachment 72804]
I get a lot more debug messages on the Samsung phone but it still doesn't write the keys
PHP Code:
2023-07-31 08:31:52 PM - Helpers.Scanner - 75 - DEBUG - {
"from": "android.hardware.drm@1.3-service.widevine",
"message": "OEMCrypto_GetProvisioningMethod",
"payload": {
"Method": "OEMCrypto_OEMCertificate"
}
}
2023-07-31 08:31:52 PM - Helpers.Scanner - 75 - DEBUG - {
"from": "android.hardware.drm@1.3-service.widevine",
"message": "OEMCryptoVersion",
"payload": {
"Version": 16
}
}
2023-07-31 08:31:52 PM - Helpers.Scanner - 75 - DEBUG - {
"from": "android.hardware.drm@1.3-service.widevine",
"message": "OEMSecurityLevel",
"payload": {
"Level": "L3"
}
}
2023-07-31 08:31:52 PM - Helpers.Scanner - 75 - DEBUG - {
"from": "android.hardware.drm@1.3-service.widevine",
"message": "OEMSecurityLevel",
"payload": {
"Level": "L3"
}
}
2023-07-31 08:31:52 PM - Helpers.Scanner - 75 - DEBUG - {
"from": "android.hardware.drm@1.3-service.widevine",
"message": "OEMCrypto_Terminate_Status: OEMCrypto_SUCCESS"
}
2023-07-31 08:31:52 PM - Helpers.Scanner - 75 - DEBUG - {
"from": "android.hardware.drm@1.3-service.widevine",
"message": "OEMCrypto_Terminate_Status: OEMCrypto_SUCCESS"
}
2023-07-31 08:31:52 PM - Helpers.Scanner - 75 - DEBUG - {
"from": "android.hardware.drm@1.3-service.widevine",
"message": "OEMCrypto_Terminate_Status: OEMCrypto_SUCCESS"
}
2023-07-31 08:31:54 PM - Helpers.Scanner - 75 - DEBUG - {
"from": "android.hardware.drm@1.3-service.widevine",
"message": "OEMCrypto_Initialize"
}
2023-07-31 08:31:54 PM - Helpers.Scanner - 75 - DEBUG - {
"from": "android.hardware.drm@1.3-service.widevine",
"message": "OEMCryptoVersion",
"payload": {
"Version": 16
}
}
2023-07-31 08:31:54 PM - Helpers.Scanner - 75 - DEBUG - {
"from": "android.hardware.drm@1.3-service.widevine",
"message": "OEMCrypto_BuildInformation: OEMCrypto Level3 Code 22589 May 28 2021 19:37:19"
}
2023-07-31 08:31:54 PM - Helpers.Scanner - 75 - DEBUG - {
"from": "android.hardware.drm@1.3-service.widevine",
"message": "OEMCrypto_Initialize"
}
2023-07-31 08:31:54 PM - Helpers.Scanner - 75 - DEBUG - {
"from": "android.hardware.drm@1.3-service.widevine",
"message": "OEMCrypto_IsInApp",
"payload": {
"in_app": true
}
}
2023-07-31 08:31:54 PM - Helpers.Scanner - 75 - DEBUG - {
"from": "android.hardware.drm@1.3-service.widevine",
"message": "OEMCrypto_Initialize"
}
2023-07-31 08:31:54 PM - Helpers.Scanner - 75 - DEBUG - {
"from": "android.hardware.drm@1.3-service.widevine",
"message": "OEMCryptoVersion",
"payload": {
"Version": 16
}
}
2023-07-31 08:31:54 PM - Helpers.Scanner - 75 - DEBUG - {
"from": "android.hardware.drm@1.3-service.widevine",
"message": "OEMCrypto_GetProvisioningMethod",
"payload": {
"Method": "OEMCrypto_Keybox"
}
}
2023-07-31 08:31:54 PM - Helpers.Scanner - 75 - DEBUG - {
"from": "android.hardware.drm@1.3-service.widevine",
"message": "OEMCrypto_BuildInformation: Build Information: API_Version: 16.3 LibOEMCrypto_Version: 1.49 TA_Version: 1.81"
}
2023-07-31 08:31:54 PM - Helpers.Scanner - 75 - DEBUG - {
"from": "android.hardware.drm@1.3-service.widevine",
"message": "OEMCryptoVersion",
"payload": {
"Version": 16
}
}
2023-07-31 08:31:54 PM - Helpers.Scanner - 75 - DEBUG - {
"from": "android.hardware.drm@1.3-service.widevine",
"message": "OEMCryptoVersion",
"payload": {
"Version": 16
}
}
2023-07-31 08:31:54 PM - Helpers.Scanner - 75 - DEBUG - {
"from": "android.hardware.drm@1.3-service.widevine",
"message": "OEMCrypto_GetProvisioningMethod",
"payload": {
"Method": "OEMCrypto_OEMCertificate"
}
}
2023-07-31 08:31:54 PM - Helpers.Scanner - 75 - DEBUG - {
"from": "android.hardware.drm@1.3-service.widevine",
"message": "OEMSecurityLevel",
"payload": {
"Level": "L1"
}
}
2023-07-31 08:31:54 PM - Helpers.Scanner - 75 - DEBUG - {
"from": "android.hardware.drm@1.3-service.widevine",
"message": "OEMCryptoVersion",
"payload": {
"Version": 16
}
}
2023-07-31 08:31:54 PM - Helpers.Scanner - 75 - DEBUG - {
"from": "android.hardware.drm@1.3-service.widevine",
"message": "OEMSecurityLevel",
"payload": {
"Level": "L3"
}
}
2023-07-31 08:31:54 PM - Helpers.Scanner - 75 - DEBUG - {
"from": "android.hardware.drm@1.3-service.widevine",
"message": "OEMCrypto_GetDeviceID",
"payload": {
"Status": "OEMCrypto_SUCCESS",
"Length": 32,
"DeviceId": "4953454356565656625159565a646775524575486b56527459526b7547436d00"
}
}
2023-07-31 08:31:54 PM - Helpers.Scanner - 60 - DEBUG - processing device id
2023-07-31 08:31:54 PM - Helpers.Scanner - 75 - DEBUG - {
"from": "android.hardware.drm@1.3-service.widevine",
"message": "OEMCrypto_GetDeviceID",
"payload": {
"Status": "OEMCrypto_ERROR_SHORT_BUFFER",
"Length": 32,
"DeviceId": ""
}
}
2023-07-31 08:31:54 PM - Helpers.Scanner - 60 - DEBUG - processing device id
2023-07-31 08:31:54 PM - Helpers.Scanner - 75 - DEBUG - {
"from": "android.hardware.drm@1.3-service.widevine",
"message": "OEMCrypto_GetProvisioningMethod",
"payload": {
"Method": "OEMCrypto_OEMCertificate"
}
}
2023-07-31 08:31:54 PM - Helpers.Scanner - 75 - DEBUG - {
"from": "android.hardware.drm@1.3-service.widevine",
"message": "OEMCryptoVersion",
"payload": {
"Version": 16
}
}
2023-07-31 08:31:54 PM - Helpers.Scanner - 75 - DEBUG - {
"from": "android.hardware.drm@1.3-service.widevine",
"message": "OEMSecurityLevel",
"payload": {
"Level": "L3"
}
}
2023-07-31 08:31:54 PM - Helpers.Scanner - 75 - DEBUG - {
"from": "android.hardware.drm@1.3-service.widevine",
"message": "OEMSecurityLevel",
"payload": {
"Level": "L3"
}
}
2023-07-31 08:31:54 PM - Helpers.Scanner - 75 - DEBUG - {
"from": "android.hardware.drm@1.3-service.widevine",
"message": "OEMCrypto_BuildInformation: OEMCrypto Level3 Code 22589 May 28 2021 19:37:19"
}
2023-07-31 08:31:54 PM - Helpers.Scanner - 75 - DEBUG - {
"from": "android.hardware.drm@1.3-service.widevine",
"message": "OEMSecurityLevel",
"payload": {
"Level": "L3"
}
}
2023-07-31 08:31:54 PM - Helpers.Scanner - 75 - DEBUG - {
"from": "android.hardware.drm@1.3-service.widevine",
"message": "OEMSupportedCertificates: OEMCrypto_Supports_RSA_2048bit"
}
Any help on what I am doing wrong would be greatly appreciated
-
When you find a right way to dump L1 from your phone, let me know!
Dumping L1 is very hard ... it's easier with L3
-
I am also looking for ways to get a new Pixel device to dump an L3.
Would be willing to do so even if "L1 will be lowered to L3 automatically".
Edit: By the way, which OS are you using right now? Over 10?
-
I'm also interested in dumping an L1, so keep me in the loop!
-
It is interesting that the Widevine CDMs in both phones report L1, despite being rooted. I thought, certainly with Pixels, that L1 was lost as soon as the phone was rooted?
The L1 CDM is held in firmware in a Trusted Execution Environment (TEE) on the phone and has nothing to do with the libwvhidl.so library held in software.
So despite all the posts above to the contrary I assume you just want an L3 to dump.
Quote:
I downloaded libwvhidl@1.3.so and grabbed out the function names and added them to script.js but I still haven't had any luck
That little clause is probably at the heart of the issue. Which function names did you get? And did you try them one by one or all in a bunch? I might re-visit the whole process of function name extraction and have another go. Even search around for function names for those phones people have used to get them to dump. I have some memory of dumping an Android 10 from an emulator and using function names one by one. For some reason I hit the right one first go.
Last edited by A_n_g_e_l_a; 1st Aug 2023 at 03:33.
-
Thanks for your reply.
Yes I was trying to dump L3 but I am puzzled as to why it shows as L3 still.
I haven't tried dumping each function individually but I did check the dump key script and added each function name to hooking array but didn't seem to make much difference.
I threw libwvhidl@1.3.so into a debugger and I think the function that I am after is kigyobsg (I don't have much experience in Widevine keys) but it is one of the only functions which looks like it has a decryption routine (see image).
[Attachment 72875]
As I said I only had a 2 min look. I am happy to share the file with you if you would like to take a look and give some insight.
I did a quick string dump of the binary and the files I was hooking are as below (minus the standard C libraries)
[Attachment 72876]