Notes on my journey to get a working Content Decryption Module (CDM)

This post is the first in what has become a series about decrypting internet streamed videos 'Decryption: The Temple of Doom'
'Decryption: The Dungeon of Despair' and Decryption: The Last Crusade The information herein is not original to me, but culled from experts in this forum and elsewhere, as I have made a journey from a confused and bewildered newbie to being able to download a few videos. I have no experience of getting the stuff behind pay-walls, but the principles of encryption and decryption are much the same everywhere.

This section is relevant if you have an unlocked physical Android device
Note if you do not have access to a physical device then a virtual device can also be made to give up its CDM see Dumping-Your-own-L3-CDM-with-Android-Studio[/URL] However, be aware CDMs released from virtual devices appear to fail on some sites. See https://forum.videohelp.com/threads/407099-Vdocipher-decryption-key-retrieval/page2#post2678869

Getting Your Own Content Decryption Module from a Rooted Android Device

I chose a cheap Android TV box T95 S1 2Gb/16Gb at £29.99 from Amazon.

Download a frida-server from https://github.com/frida/frida/releases

I had success with frida-server-15.1.17-android-arm.xz - the latest release - although I tried many other releases along the way.

[Rooted Phone? An edit and aside]
Selecting which Frida-server to use is an issue. You need to know the width of the data registers in your machine, 32 or 64 bit. (More and more later devices are 64 bit). Also, you need to know the instruction set it uses. Both these details are inside the file-names of the Frida-server alternatives from which you will select the correct one.

Find out which architecture your phone has from here. https://www.devicespecifications.com Let's assume we have a Pixel 4 XL. Type your phone name into the search field and OK.


[Attachment 72613 - Click to enlarge]

The results for the Pixel 4 XL show the above from which we can see it is a 64-bit machine and has an ARMv8-A instruction set. We remember 64 and 'arm'. Search Frida-server releases for a server filename containing 64 and 'arm'. to match our example. frida-server-16.1.2-android-arm64.xz is listed. (If the latest release does not show Frida Server click on 'Assets' for an earlier release.
[/edit and aside]

adb via USB cable does not work between a PC and the Android TV box; you’ll need to connect over wifi.
Code:
adb connect <box-ip-address>
and accept the link request to the Android box displayed on the T95 screen

I tried using Frida from Google play store and that is perhaps an easy way to get the server software on the machine but I had problems with it and reverted to hand loading the frida-server and running it from SuperUser.

Code:
adb push frida-server-15.1.17-android-arm /sdcard/
Code:
adb shell
Move the server so it can be run
Code:
mv /sdcard/fridaserver-15.1.17-android-arm /data/local/tmp/
Starting the frida-server first explicitly become super-user and clear any user environment variables active by including a hyphen after su.
Code:
su -
Give execute program privileges
Code:
chmod +x /data/local/tmp/fridaserver-15.1.17-android-arm
Start the server
Code:
/data/local/tmp/fridaserver-15.1.17-android-arm &
Check it's running..
Code:
ps | grep frida
That will give you a process number to kill it with later if you need to.
Code:
kill ####
Dumper – download from https://github.com/wvdumper/dumper and extract.
To work Dumper needs python modules for:- frida, protobuf and pycryptodome. The Python modules are installed with
Code:
python pip install frida protobuf==3.20.3 pycryptodome
Dumper is a python program to extract the CDM keys; it talks to the frida-server on the Android box. There is much misdirection about which pythons to use. I spent a day setting up a virtual machine and running pythons 3.6, 3.7 and 3.9 all to no avail.
The latest python on my daily driver machine 3.10.2 finally worked but it perhaps because of the wrinkles of timing everything right.
Code:
python dump-keys.py
will run the software when ready.

Prepare android-tv-box; update chrome to the latest version the Play-Store has
On the TV box start the updated Chrome browser and open https://bitmovin.com/demos/drm; let the page load and then close chrome. Next time Chrome is started it will automatically load this page with widevine protected content.

I think timing and sequence are important; from memory a few days after getting keys from my CDM
  1. Reboot the android box
  2. reboot your PC and from the PC
  3. adb connect <android-tv-ip>
  4. adb shell
  5. su -
  6. chmod +x /data/local/tmp/frida-server-15.1.17-android-arm
  7. /data/local/tmp/frida-server-15.1.17-android-arm
  8. optional; check running ps | grep frida
  9. on the android tv box start Chrome
  10. and immediately on the Pc start dumper: python dump-keys.py
  11. wait for "hooks completed" to appear on the screen then load the page to play the movie. (Or if the page is already loaded hold 'shift' down while clicking the browser refresh icon)
Mine then dumped after days of trying. Misdirection read here suggested stopping and starting the playing movie; I think keys are shared from Chrome and the bitmovin site as soon as the page loads. So stopping and starting the movie when playing just wastes everyone's time.

Decryption

This section is relevant for both methods of obtaining a CDM

Ok with keys dumped what do you do with them? A hack!! Find a key generator and replace their CDM with yours!
Find WKS-KEYS https://files.videohelp.com/u/301890/WKS-KEYS.zip and unpack
[EDIT September 2023] WKS-KEYS is now updated to protobuf==4.x.x and is compatible with pywidvine being install too. Just keep any python scripts that use the global pywidevine module out of the WKS-KEYS folder. [/EDIT]

Locate WKS-KEYS/pywidevine/L3/cdm/devices/android-generic/
Two files to be replaced:- device-client-id-blob and device-private-key.

Dumper stored the android-tv-box keys in key-dumps/MBOXprivate-keys//xxxx/xxxxxxxx/client-id-bin and private-key-pem these two replace in name and body the ones in WKS-KEYS. The *bin becomes the blob (binary large object)

Now, in theory you have a working CDM and can generate your own keys. I found an encrypted video to download, located the request headers saved as a cURL and encoded into python here:- https://curlconverter.com/. I put them in headers.py in the WKS-KEYS folder. Eventually when I tried to decrypt keys I got an error about the key length being wrong. Some WiseHead wrote in their experience it was because the CDM was not working --- uurgh!!

So I slept on the problem and realised that the servers we ‘attack’ try to repel us. But bitmovin.com/demos.drm is there to help.

So I checked my keys were working there;-
Code:
https://bitmovin-a.akamaihd.net/content/art-of-motion_drm/mpds/11331.mpd
this link loaded in a browser will show PSSH keys between <cenc: pssh> html markup and

Code:
https://cwip-shaka-proxy.appspot.com/no_auth
is the license. Edit: 2 Oct 2022 this URL has changed since March and the correct version is above.

Running
Code:
python l3.py
and plugging in the PSSH and licence gave me:-
Code:
--key 0294b9599d755de2bbf0fdca3fa5eab7:3bda2f40344c7def614227b9c0f03e26
--key 639da80cf23b55f3b8cab3f64cfa5df6:229f5f29b643e203004b30c4eaf348f4
Taadaa!! I nearly fell off my chair

I downloaded the video:-
Code:
yt-dlp –allow-unplayable https://bitmovin-a.akamaihd.net/content/art-of-motion_drm/mpds/11331.mpd
that gave two files an mp4 video and m4a audio encrypted.

Decrypted with mp4decrypt -from https://www.bento4.com/downloads/
Code:
mp4decrypt –key 0294b9599d755de2bbf0fdca3fa5eab7:3bda2f40344c7def614227b9c0f03e26 <infile.mp4> <outfile.mp4>
Note: 2 October 2022
The license url has changed and also when testing I got back 5 keys:


[Attachment 67047 - Click to enlarge]

It is unusual, but RTE.ie gives 5 keys too! If you need to deal with more than one set of keys, just chain them one after the other, as below.
Code:
mp4decrypt --key ccbf5fb4c2965be7aa130ffb3ba9fd73:9cc0c92044cb1d69433f5f5839a159df --key 9bf0e9cf0d7b55aeb4b289a63bab8610:90f52fd8ca48717b21d0c2fed7a12ae1 --key eb676abbcb345e96bbcf616630f1a3da:100b6c20940f779a4589152b57d2dacb --key 0294b9599d755de2bbf0fdca3fa5eab7:3bda2f40344c7def614227b9c0f03e26 --key 639da80cf23b55f3b8cab3f64cfa5df6:229f5f29b643e203004b30c4eaf348f4 encrypted_input.mp4 decrypted_output.mp4
Do the same for the audio file and you then need to combine the audio and video into one playable stream with ffmpeg. It comes installed on my Linux distro.
Code:
ffmpeg -i decrypted.mp4 -i decrypted.m4a -vcodec copy -acodec copy your_movie.mp4
Edit January 2023
A good alternative to bitmovin.com
Bitmovin.com has become a bit problematic for first-time key-grabbers; it spoofs a license url that returns 'success' in a json packet and the real licence is harder to spot, although it is given above. And additionally, you need to deal with 5 keys, 4 of which are useless.

This Irish site - mainly Gaelic language - is easy for beginners - and is reported as available from Europe and the USA and I expect everywhere.
So here is the sequence:-
  1. Site URL
    Code:
    https://www.tg4.ie/en/player/online-boxsets/play/?pid=6281115686001&series=An%20Cuan&genre=Faisneis
  2. MPD - describes the media and how to get it.
    Developer Tools (F12 in your browser) select Network tab and enter 'mpd' in the filter box. Then start the video. Copy the url. It will look similar to this, BUT DO NOT USE THIS ONE, get a fresh copy. as it carries a token, which needs to be fresh each use.
    Code:
    https://manifest.prod.boltdns.net/manifest/v1/dash/live-baseurl/bccenc/1555966122001/982ce523-a4b1-4a94-91c6-c7a9a8b082f8/6s/manifest.mpd?fastly_token=NjNlNjNlYzhfN2YyY2QxMGFjMzMzMDY0ZGE2ZjFiYzY3ZDViMzI3YmQxMjM0ZWVhMzgyMjVkNmY1YzE0NzJlNDUwMGUyNTg1NA==
  3. PSSH found by inspecting the contents of mpd. Network tab - filter on 'mpd' click on the link and look under 'Response' for a string starting AAAA
    Code:
    AAAAVnBzc2gAAAAA7e+LqXnWSs6jyCfc1R0h7QAAADYIARIQ8hNTzeGOTayckD5Lc4sBSBoNd2lkZXZpbmVfdGVzdCIIMTIzNDU2NzgyB2RlZmF1bHQ=
    PSSH remains the same for this media.
  4. License URL - found by filtering on 'lic' in Network tab of Developer Tools carries a token which needs to be fresh each use. It looks similar to this - BUT DO NOT USE THIS ONE, get a fresh copy.
    Code:
    https://manifest.prod.boltdns.net/license/v1/cenc/widevine/1555966122001/982ce523-a4b1-4a94-91c6-c7a9a8b082f8/f21353cd-e18e-4dac-9c90-3e4b738b0148?fastly_token=NjNlNGRjNDhfMzJmMTZhMWVmMmVlYTM1OTdmZTk4NjI0ZTI1M2E5ODYzZTY0NDAyOGEwZTc5MzVhYzkyZDNkZGNmNmY4OWJiNA==
  5. Download encrypted files:
    Code:
    yt-dlp –allow-unplayable -o myEncryptedvideo.mp4 <your MPD url found at item 2>
  6. Individually decrypt the audio and video streams using mp4decrypt and the keys you have just obtained!
    Code:
    mp4decrypt --key f21353cde18e4dac9c903e4b738b0148:e564eb646db649ea07e85700765d2349 <myEncryptedvideo.mp4> <myvideo.mp4>
    Code:
    mp4decrypt --key f21353cde18e4dac9c903e4b738b0148:e564eb646db649ea07e85700765d2349 <myEncryptedvideo.m4a> <myvideo.m4a>
  7. Merge audio and video with ffmpeg
    Code:
    ffmpeg -i myvideo.mp4 -i myvideo.m4a -vcodec copy -acodec copy myWatchableMovie.mp4

Addendum:
It seems there is now a Dumper version that with a bit of work from you will get keys for other Androids - all the way up to Android 12 is claimed. They all need to be rooted of course and doing it on your daily driver phone is never a good idea. You will lose L1 on your phone when you root (though Xiaomi possibly not).
I have not tested these. See https://github.com/Diazole/dumper Direct your questions to the author on this.

When you have digested the above and got your CDM, tried a few keys, The Dungeon of Despair awaits your pleasure!! And if that isn't enough for you then Downloading-and-Decryption-on-your-Android-Phone might occupy your mind for a while.

Annex:

October 2023
Running python scripts in a special Python environment.

Python has a problem. After lots of script downloads and installing all the necessary module or extra libraries to make the script run you can arrive at a situation where one script needs a 'pip install mybigmodule==10.2.21' but you have another script on your system that must use mybigmodule<=9.5.0. So if you follow the direction for one script it stops the other from working.

The solution is to create a named python environment in which to run the first script and another named environment to run the second.

It is done like this and credit to Sorenb for the write-up:
Create a venv (a virtual environment) on Linux/Macos
Code:
python3 -m venv env
- here the virtual environment is simply called 'env'
For Windows
Code:
py -m venv env
The 'env' needs to be activated
Linux/Macos
Code:
source env/bin/activate
Windows
Code:
.\env\Scripts\activate
Now your terminal or command window will show 'env' to remind you that you are using a Python Environment.
When you close the command window you close the environment. It is still there but next time you need to re-activate with the activate command above.

'venv' creates a folder env there it stores all the 'extra' modules you download to run a script. If you no longer want the environment - just delete the 'env' folder.

Now following the above method you can create as many environments as needed to keep each library of scripts safely apart from each other on your system.

Just remember to start the necessary environment before running your script.

WKS-KEYS is slowly being replaced in popularity by the use of a pip module 'pywidevine'
It all works much the same as with WKS-KEYS except you can run your scripts from anywhere. The python commands to get the pywidevine module to cough-up keys is different but all that is transparent to most users who just want to run scripts.

Instead of having to run your python scripts in the WKS-KEYS folder and use the path to pywidevine's decryption facilities within, you can now set up a means of using pywidevine from anywhere on your system.

You do this by first creating a WideVine Descriptor file (wvd) which contains the details of where the device_private_key and the device_client_blob may be found.

But first activate your python env or create a new one for pywidevine related scripts,

Install pywidevine. Pywidevine omits to install yaml a needed library so we do that at the same time
Code:
pip install pywidevine pyaml
Then, with your chosen env on command prompt line, navigate to the folder where your key and blob are located.

First make a folder where the descriptor file can be created
Code:
mkdir WVD
then:-
Code:
pywidevine create-device -k device_private_key -c device_client_id_blob -t ANDROID -l3 -o WVD
for me it responded
/home/angela/Programming/WKS-KEYS/pywidevine/L3/cdm/devices/emulator_1/WVD/google_aosp_on_ia_emulator_14.0.0_d6xxxxx4_l3.wvd

[Attachment 74182 - Click to enlarge]
It works the same on linux and Windows

Now when you wish to run a script that does not use WKS-KEYS you activate the environment pywidevine is installed in and install any scripts plus its required modules. They are functionally separate from anything outside the env(iroment).
Most scripts that use a wvd file to access your key and blob will need to know its location.

Mine now looks like this for an emulator key/blob /home/angela/Programming/WKS-KEYS/pywidevine/L3/cdm/devices/emulator_1/WVD/google_aosp_on_ia_emulator_14.0.0_d6ixxxxxx64_l3.w vd

Now you need an l3.py to use for simple keys
PHP Code:
[CODE]
from pywidevine.cdm import Cdm
from pywidevine.device import Device
from pywidevine.pssh import PSSH
import requests

headers = {
    'Accept''*/*'
}

# prepare pssh
# pssh = PSSH("AAAAVnBzc2gAAAAA7e+LqXnWSs6jyCfc1R0h7QAAADYIARIQSOe5B5JcTV2gbw07SycC7xoNd2lkZXZpbmVfdGVzdCIIMTIzNDU2NzgyB2RlZmF1bHQ=")
pssh input("PSSH? ")
pssh PSSH(pssh)
lic_url input("License URL? ")

# load device
# for example
# device = Device.load(r"/home/angela/Programming/WKS-KEYS/pywidevine/L3/cdm/devices/emulator_1/WVD/google_aosp_on_ia_emulator_14.0.0_xxxxxc_4464_l3.wvd")
device Device.load(r"<enter your path to the wvd file you have created. here>")

# load cdm
cdm Cdm.from_device(device)

# open cdm session
session_id cdm.open()

# get license challenge
challenge cdm.get_license_challenge(session_idpssh)

# send license challenge (assuming a generic license server SDK with no API front)
licence requests.post(lic_urlheaders=headersdata=challenge)
licence.raise_for_status()

# parse license challenge
cdm.parse_license(session_idlicence.content)

# print keys
for key in cdm.get_keys(session_id):
    # print(f"[{key.type}] {key.kid.hex}:{key.key.hex()}")
    if key.type == 'CONTENT':
        print(f"\n--key {key.kid.hex}:{key.key.hex()}")

# close session, disposes of session data
cdm.close(session_id)
[/CODE
That's all I know!

Please follow netiquette and ask your questions here in this thread, so all may benefit.

Some 18 months after posting this my python coding has improved to the extent I can now produce AIO single, series or part-series downloaders with a site search function.

https://forum.videohelp.com/threads/411684-ITVX-Revisited
https://forum.videohelp.com/threads/411591-STV-Revisiting-the-Downloader
[URL="https://forum.videohelp.com/threads/411726-My5-paying-a-visit"]https://forum