HTTP 403 Access Denied (Binge)

[CrymanChen]

PSSH:

Code:

AAAAOHBzc2gAAAAA7e+LqXnWSs6jyCfc1R0h7QAAABgSEHLHJBslQkY0l8BLZBKlRPtI49yVmwY=

License:

Code:

https://drm.content.foxtel.com.au/licenseServer/widevine/v1/foxtelott/license?contentId=c9907c9e-7ff3-4754-b2e6-ce956df6f197-MD168042-AVC-1680366151

Headers:

Code:

headers = {
    'authority': 'drm.content.foxtel.com.au',
    'accept': '*/*',
    'accept-language': 'zh-CN,zh;q=0.9,en;q=0.8',
    'authorization': 'Bearer eyJraWQiOiI3a0UxeCt4bE5xbFJabHNaMm9NeStQNnlBckU9IiwidHlwIjoiSldUIiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiJhdXRoMHw2M2RlNTk2MGExMjllZGNkNjAxY2VkMDAiLCJodHRwOlwvXC9mb3hzcG9ydHMuY29tLmF1XC9tYXJ0aWFuX2lkIjoiYXV0aDB8NjNkZTU5NjBhMTI5ZWRjZDYwMWNlZDAwIiwiaHR0cDpcL1wvaXJkZXRvLmNvbVwvY29udHJvbFwvanRpIjoiNjI2NDZiMWQtYTkxNS00MDI1LTg5OGQtMzZiMTdmNWRlNGFkIiwiaXNzIjoiaHR0cHM6XC9cL3Rva2Vuc2VydmljZS5zdHJlYW1vdGlvbi5jb20uYXVcLyIsImh0dHA6XC9cL2lyZGV0by5jb21cL2NvbnRyb2xcL2FpZCI6ImZveHRlbG90dCIsImd0eSI6InBhc3N3b3JkIiwiYXVkIjpbInN0cmVhbW90aW9uLmNvbS5hdSIsImh0dHBzOlwvXC9wcm9kLW1hcnRpYW4uYXUuYXV0aDAuY29tXC91c2VyaW5mbyJdLCJodHRwczpcL1wvdmltb25kXC9lbnRpdGxlbWVudHMiOlt7InN0cmVhbWNvdW50IjoyLCJhZF9zdXBwb3J0ZWQiOmZhbHNlLCJzdm9kIjoiNCIsInF1YWxpdHkiOiI0ayJ9XSwiYXpwIjoicE04N1RVWEtRdlNTdTkzeWRSakRUcUJnZFllQ2JkaFoiLCJzY29wZSI6Im9wZW5pZCBwcm9maWxlIGVtYWlsIGFkZHJlc3MgcGhvbmUgb2ZmbGluZV9hY2Nlc3MgIHVzZXI6cGhvbmVfdmVyaWZpZWQiLCJodHRwOlwvXC9pcmRldG8uY29tXC9jb250cm9sXC9lbnQiOlt7ImVwaWQiOiJXZWJfQVJFU18yVUhEIiwiYmlkIjoiQkFTSUMifV0sImV4cCI6MTcwNjI3Njk2NSwiaWF0IjoxNzA2Mjc2NjY1LCJqdGkiOiJiMDczM2ZhMS1lZTJjLTQ1YmItYjUwYS0zYTBiOTRmZWUwYzIiLCJodHRwczpcL1wvYXJlcy5jb20uYXVcL3N0YXR1cyI6eyJ1cGRhdGVkX2F0IjoiMjAyMy0xMi0xOFQxMjozMTo1MS4wOTFaIiwicHB2X2V2ZW50cyI6W10sImFjY291bnRfc3RhdHVzIjoiQUNUSVZFX1NVQlNDUklQVElPTiIsInN1Yl9hY2NvdW50X3N0YXR1cyI6IlBBWUlOR19TVUJTQ1JJUFRJT04ifX0.GHo-TiadJLJ5EA8UfTyFHxXXVJGGcd-iy0DPi7Xa0IEbUuU6pjfllnQvd2s8lptl_1hhIDRdyVKgVzYkHgV3nvqUEHDVJzrgHJQ-OaS9-dAQyK6v1jinzJ2RyXXNA1AoL-HbfCBRnHbnSBeBOEbbr8KWbNEDNFuJzqxR2mgCOz3kY7otWdF47g7LuTunGhoDuXrsXJrr__09CfPBDFXN3ufE6Qy_A12y9H8v07HjM9nG1AZPgn9-s_VldGCvp8rBSbhSLTuUJ67Z93G4ov8unRgs63Fn6yyNHRWGuCMJl-mRAzLvLLEtFB3gs_tOj_R592vDu7v8OKhq50h_Smf_Cw',
    'cache-control': 'no-cache',
    'dnt': '1',
    'origin': 'https://binge.com.au',
    'pragma': 'no-cache',
    'referer': 'https://binge.com.au/shows/show-celebrity-family-feud!9926/season-season-7!15525',
    'sec-ch-ua': '"Not A(Brand";v="99", "Google Chrome";v="121", "Chromium";v="121"',
    'sec-ch-ua-mobile': '?0',
    'sec-ch-ua-platform': '"Windows"',
    'sec-fetch-dest': 'empty',
    'sec-fetch-mode': 'cors',
    'sec-fetch-site': 'cross-site',
    'user-agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36',
    'content-type': 'application/x-www-form-urlencoded',
}

Hey guys,
It went fine when streaming on Chrome, but it always returned an 403 when sending a POST using Python.
Have checked that my CDM are indeed working, as well as the PSSH is right.

P.S.

Manifest:

Code:

https://vod-avc-drm7-cf.foxtelgroupcdn.net.au/out/v1/bef8fab1423346f8875c2e3c5207e43d/b5d724ada4494ebbb8bd55489ea091aa/545bda3186e148d586c7e9d72422b834/index.mpd?aws.manifestfilter=trickplay_height%3A1-2

IP restriction: Australian IP needed.

I remember I could get the key without a problem in early 2023. But not anymore now.

[CrymanChen]

Proof:

[Attachment 76480 - Click to enlarge]

[shellcmd]

it likes kayosport, i think they opened tls fingerprint.

[CrymanChen]

Ah, yes, it belongs to kayosport.

But I have no idea about the TLS fingerprint you mentioned.

[stabbedbybrick]

Yes, they use TLS fingerprinting. Which basically means that the server rejects libraries like requests and httpx. The simplest way around it is to use something pycURL or similar.

[Obo]

... like maybe https://pypi.org/project/curl-cffi/ - which can impersonate chrome110. I've not tested this myself though.

[stabbedbybrick]

... like maybe https://pypi.org/project/curl-cffi/ - which can impersonate chrome110. I've not tested this myself though.

Probably an even better choice since it's much easier to use. And if you get the beta, you have access to chrome120:

Code:

pip install curl_cffi --upgrade --pre

[CrymanChen]

Yes, using curl_cffi is OK.

main codes:

Code:

from curl_cffi import requests
...
widevine_license = requests.post(url=..., data=..., headers=..., impersonate="chrome110")

[ringy9]

Any ideas please

module 'curl_cffi.requests' has no attribute 'POST'

[CrymanChen]

Any ideas please

module 'curl_cffi.requests' has no attribute 'POST'

Maybe in lowercase?

POST -> post

[billybanana]

Yes, using curl_cffi is OK.

main codes:

Code:

from curl_cffi import requests
...
widevine_license = requests.post(url=..., data=..., headers=..., impersonate="chrome110")

Do you have a working script that you care to share ?

[ringy9]

Hi I know this is somewhat vague, but I'm trying to run a python script that is using curl_cffi and after pressing enter, all I get is d' ' ? I have tried googling and I see mentions of being perhaps a token issue or something to do with bytes. As I said, vague but I thought someone may have come across something similar.

[shellcmd]

Hi I know this is somewhat vague, but I'm trying to run a python script that is using curl_cffi and after pressing enter, all I get is d' ' ? I have tried googling and I see mentions of being perhaps a token issue or something to do with bytes. As I said, vague but I thought someone may have come across something similar.

if you do it totally manually, the Bearer token in license header expired after 5 minutes. usually it's enough if you live in AUS.

[ringy9]

if you do it totally manually, the Bearer token in license header expired after 5 minutes. usually it's enough if you live in AUS.

I am definitely running within 5 minute period

[breadcomb]

I am getting 400 error when using curl_cffi for license request and 403 error when using standard requests. Can anyone see the issue??

Code:

PSSH_VALUE = 'AAAAMnBzc2gAAAAA7e+LqXnWSs6jyCfc1R0h7QAAABISEPVyVqk6REC1i/2su82H4yk='
token = 
video_id = 5036703
res = requests.post(
    url='https://api.stan.com.au/concurrency/v1/streams?jwToken={}&programId={}&stanName=Stan-AndroidTV&quality=ultra&format=dash'.format(token, video_id),
    headers={
    "jwToken": token,
    "format": "json",
    "capabilities.drm": "widevine",
    "videoCodec": 'h265' 
    },
    impersonate="chrome110"
)




data = res.json()
keyId = data['media']['drm']['keyId']
license_token = data['media']['drm']['customData']
mpdurl = data['media']['videoUrl'].split('?')[0]
license_url = data['media']['drm']['licenseServerUrl'] + f'?specConform=true&jwToken={token}'

headers = {
    'Accept': '*/*',
    'Accept-Encoding': 'gzip, deflate, br, zstd',
    'Accept-Language': 'en-US,en;q=0.9',
    'dt-custom-data': 
}


pssh = PSSH(PSSH_VALUE)
device = Device.load(WVD_FILE)
cdm = Cdm.from_device(device)
session_id = cdm.open()
challenge = cdm.get_license_challenge(session_id, pssh)

licence = requests.post(url=license_url, headers=headers, data=challenge, impersonate="chrome120")
licence.raise_for_status()

cdm.parse_license(session_id, licence.content)
for key in cdm.get_keys(session_id):
    print(f"[{key.type}] {key.kid.hex}:{key.key.hex()}")
cdm.close(session_id)

[2nHxWW6GkN1l916N3ayz8HQoi]

Use code tags to format your script. Otherwise it gets messed up with additional spaces added in long strings.

[stabbedbybrick]

@breadcomb:

I'd highly recommend you to remove any tokens when posting scripts. Some of them contain sensitive information.

[larley]

That's an issue somebody using WidevineFetch reported. I'd be happy if we could find a solution, as I also wasn't able to get keys from stan.

[shellcmd]

stan use drmtoday, not now?

[billybanana]

Binge works with WidevineGuesser but I've just about given up with the whole Binge/Kayo/Foxtel circus nowadays. They run very aggressive bots that will get your account closed the minute they identify anything the least bit unusual. Even running singe thread downloads spread way out has cost me numerous accounts in the last 12 months.

[larley]

stan use drmtoday, not now?

Yes, it's confusing. I can't get keys from them even though they're 'just' using DRMToday

[shellcmd]

sounds weird, which license url you used? original one

Code:

https://lic.drmtoday.com/license-proxy-widevine/cenc/

or with params one?

Code:

https://lic.drmtoday.com/license-proxy-widevine/cenc/?specConform=true

i tested a few month ago with original license url(which i suggest) and parse json response, it worked with stan. i cant remember if i used an AUS vpn, probably not.

[larley]

I mainly tried around with the 'specConform' one, but also tried the one without. Could try and see if it still works?

[shellcmd]

yes, can give a try, just a pssh and dt-custom-data

[larley]

Do you still have access to the site? So we could compare our results

[shellcmd]

no, i used other people's account, he had changed pw. and yes for the safe as stablebrick said, dont post custom-data on forum

[larley]

@shellcmd
How can I contact you privately? I got permission to share a stan account with you

[shellcmd]

discord is ok. I just need you send me a pssh and dt-custom-data to get the keys, no need login. just a test, if I failed, means they maybe made some changes.