What's wrong with my video !?

[sibhus]

Hello,

Sorry for my little english, i try to explain my problem.

I try to take replay, i use ffmpeg / N_m3u8DL-RE / Shaka-Packager

If i understand, my replay are protected by widevine L1, i download all and doesn't look have an error but when start video i have problem (video look like crypted, and no sound).


[Attachment 81120 - Click to enlarge]


Could someone help me, I've read the forum a lot and I feel like I'm doing the right thing, I don't understand why this is happening to me.
I didn't post a green link to the stream or any information (I can give them in PM) because I already created a treadh where I have everything, but it was never published by the admins !

[2nHxWW6GkN1l916N3ayz8HQoi]

Out of curiosity, do the keys you have match with the default kids found in the manifest? Maybe you're trying to decrypt the wrong track.

[sibhus]

Out of curiosity, do the keys you have match with the default kids found in the manifest? Maybe you're trying to decrypt the wrong track.

Do you agree that what you call the manifest is the dash.mpd file?

I add the dash.mpd in attachement.

I use the PSSH

Code:

AAAAknBzc2gAAAAA7e+LqXnWSs6jyCfc1R0h7QAAAHISEAEA2/PJ0ryC9qRkDjRjLgESEAEBXW4EVS9Chm1MT9jzAQQSEAECq2munveakPKt7VhkC1oSEAED2vBaTV+jRy7GPjJj5+8SEAEEIELeNzFINZIfpraQ+WISEAEFdljTHkHSO3xV+GPSZPxI49yVmwY=

I use the Licence Server :

Code:

https://busy.any-any.prd.api.discomax.com/drm-proxy/any/drm-proxy/drm/license/widevine?keygen=playready&drmKeyVersion=1&auth=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHBpcmF0aW9uVGltZSI6IjIwMjQtMDgtMDFUMTc6NTk6MTEuODIzMzA3NzY2WiIsImVkaXRJZCI6IjM4NmQ1OWUwLThiMjItNDRlOC05N2Y0LTA5YTk2YTQyN2I4MSIsImFwcEJ1bmRsZSI6ImJlYW0iLCJwbGF0Zm9ybSI6IndlYiIsInVzZXJJZCI6IlVTRVJJRDpib2x0OmM3ZTFhZDc0LTg1OGQtNGE5Ny1hZDFkLWQ1YzQxOTBjMDUzNCIsInByb2ZpbGVJZCI6IlBST0ZJTEVJRDFhYjQyNDI0LTQyYTEtNDRlNC05ZDhiLTcwYTJkMjA2NDlkNSIsImRldmljZUlkIjoiNGM4ZTEzYmQtY2Y3My00ZjBhLTgyZGQtNmQyOGY0NGYxNzRkIiwic3NhaSI6dHJ1ZSwic3RyZWFtVHlwZSI6ImZ1bGxldmVudHJlcGxheSJ9.uRCSFgp_4ovVq8oTHWYJc5hPnjjxeCvoDVDCnlOl3jw&x-wbd-tenant=beam&x-wbd-user-home-market=emea

And header :

Code:

{'user-agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36'}

I use it on cdrm-project and found 6 key on results.

Code:

0100dbf3c9d2bc82f6a4640e34632e01:ee19657d454d7df4c1fe4c25f5da7117
01015d6e04552f42866d4c4fd8f30104:3e2378103ef7446dc28a9edd18344f6a
0102ab69ae9ef79a90f2aded58640b5a:b91bbe46ced5d410bfa92d459a5ac70d
0103daf05a4d5fa3472ec63e3263e7ef:00000000000000000000000000000000
01042042de37314835921fa6b690f962:00000000000000000000000000000000
01057658d31e41d23b7c55f863d264fc:00000000000000000000000000000000

I try with the first key, don't work (video play but no video (look crypted like the picture i share) and don't audio.
I try second time with the last key (look like used by the 1080p stream, and same result.

Second time i use this command

Code:

N_m3u8DL-RE.exe "https://fly.olympics.prd.media.max.com/r/dash.mpd?f.audioCodec=heaac&f.audioTrack=en%7Cprogram&f.audioTrack=sv%7Cprogram&f.audioTrack=zxx%7Cprogram&r.duration=7321.600000&r.keymod=2&r.main=0&r.manifest=bolt-glo-prod%2F386d59e0-8b22-44e8-97f4-09a96a427b81%2Fpackager-mp4-cenc%2Fmain.mpd&r.origin=cfc%7Cprd-wbd-emea-vod-olympics&x-wbd-tenant=beam&x-wbd-user-home-market=emea" --save-name test -M format=mkv --use-shaka-packager --key 01057658d31e41d23b7c55f863d264fc:00000000000000000000000000000000

First time i use use same command but without shaka-packer, but with mp4decrypt is slow.

In two time have no error on the cmd.

PS : I'm on core i7 6700K and use chrome. I read a different place where the 1080p stream cannot be played on my machine due to hardware. So the stream sent when I read the video is limited to 720p if I understand correctly.
But can I still recover the 1080p stream with my PC, decrypt it or do I absolutely need hardware that supports L1 widevine for it to work?

Thanks for your help.

[2nHxWW6GkN1l916N3ayz8HQoi]

A media content is made up of video track and audio track. You don't have only 1 key ALL the time. In your particular case you have different keys for different resolutions, and also different keys for different tracks (video/audio). You can see that by searching and analyzing the "cenc:default_KID" in your manifest mpd content in notepad to see what matches with what key.

In your N_m3u8DL-re command just drop all of the keys, doesn't matter if you don't use them all. You can then select what to download/decrypt manually in the terminal.

Code:

N_m3u8DL-RE.exe "https://fly.olympics.prd.media.max.com/r/dash.mpd?f.audioCodec=heaac&f.audioTrack=en%7Cprogram&f.audioTrack=sv%7Cprogram&f.audioTrack=zxx%7Cprogram&r.duration=7321.600000&r.keymod=2&r.main=0&r.manifest=bolt-glo-prod%2F386d59e0-8b22-44e8-97f4-09a96a427b81%2Fpackager-mp4-cenc%2Fmain.mpd&r.origin=cfc%7Cprd-wbd-emea-vod-olympics&x-wbd-tenant=beam&x-wbd-user-home-market=emea" --save-name test -M format=mkv --use-shaka-packager --key 01057658d31e41d23b7c55f863d264fc:00000000000000000000000000000000 --key 01042042de37314835921fa6b690f962:00000000000000000000000000000000 --key 0103daf05a4d5fa3472ec63e3263e7ef:00000000000000000000000000000000 --key 0102ab69ae9ef79a90f2aded58640b5a:b91bbe46ced5d410bfa92d459a5ac70d --key 01015d6e04552f42866d4c4fd8f30104:3e2378103ef7446dc28a9edd18344f6a --key 0100dbf3c9d2bc82f6a4640e34632e01:ee19657d454d7df4c1fe4c25f5da7117

Now let's see what you can't really decrypt right now (without actually downloading through trial and error). You have 3 keys that after the ":" you only have zeroes. So you can't use them. Let's search in the manifest each key (only the first 8 characters).

01057658 ->

Code:

<AdaptationSet mimeType="video/mp4" id="3" segmentAlignment="true" contentType="video">
      <ContentProtection schemeIdUri="urn:mpeg:dash:mp4protection:2011" cenc:default_KID="01057658-d31e-41d2-3b7c-55f863d264fc" value="cenc"></ContentProtection>
     ... etc ...
      <Representation bandwidth="9429453" codecs="avc1.64002a" frameRate="50" height="1080" id="avc-sdr-1080p-50fps-92000kbps" width="1920"></Representation>
    </AdaptationSet>

So 1080p can't be decrypted. And the other 2 keys bring nothing in the notepad thus they're irrelevant. So by putting all the keys now and selecting max 720p, you can download your video with both video and audio tracks working.

As for how to get 1080p you need a L1 cdm. cdrm project uses only L3. Maybe someone with an L1 can help you in private because you won't find one publicly unless you buy it or learn how to get one yourself by exploiting niche devices.

[sibhus]

Okay, thanks for this explanation.

I have a few questions about what you're saying :

1°) I see in the manifest that it is Widevine, but how do you know that it is version L1, L2 or L3?

2°) Why does the license server send keys if they are of no use?

3°) This is the first time I've seen a command line with multiple key appends. Is it necessary if it serves no purpose? Isn't it better to just put the one that matches in the manifest? Or does it need all the keys to be able to decrypt?

[Germania]

how do you know that it is version L1, L2 or L3?

You used L3 and three Keys are missing:

Code:

0103daf05a4d5fa3472ec63e3263e7ef:00000000000000000000000000000000
01042042de37314835921fa6b690f962:00000000000000000000000000000000
01057658d31e41d23b7c55f863d264fc:00000000000000000000000000000000

You have Audio, SD + HD (?) - but no FHD

[2nHxWW6GkN1l916N3ayz8HQoi]

1°) I see in the manifest that it is Widevine, but how do you know that it is version L1, L2 or L3?

This is more of a wild guess to be honest. What matters is that it's definitely not L3. Otherwise you'd have gotten your keys.

2°) Why does the license server send keys if they are of no use?

I'm not that knowledgeable to answer this question. Sorry. Maybe someone else can shed some light.

3°) This is the first time I've seen a command line with multiple key appends. Is it necessary if it serves no purpose? Isn't it better to just put the one that matches in the manifest? Or does it need all the keys to be able to decrypt?

What do you mean it "serves no purpose"? I just told you that there's different keys for video/audio. So you definitely need more than 1 key. For audio you have this:

Code:

    <AdaptationSet mimeType="audio/mp4" segmentAlignment="true" lang="sv" contentType="audio">
      <ContentProtection schemeIdUri="urn:mpeg:dash:mp4protection:2011" cenc:default_KID="0100dbf3-c9d2-bc82-f6a4-640e34632e01" value="cenc"></ContentProtection>
      ...etc...
      <Representation audioSamplingRate="48000" bandwidth="77908" codecs="mp4a.40.5" id="audio-sv-aac64-sv"></Representation>
    </AdaptationSet>

So "0100dbf3c9d2bc82f6a4640e34632e01:ee19657d454d7df4 c1fe4c25f5da7117" is only used for audio. If you use only that, you only get audio decrypted but video remains encrypted.

You can put 100 --key commands to your N_m3u8DL-RE. It doesn't matter, the tool is gonna use what's relevant for decrypting by comparing the kid value. As for why it's better putting them all, it's because it is faster. I've gotten sometimes 7 keys for some videos. What do you prefer, manually checking the key for your wanted resolution? Or letting N_m3u8DL-RE handle it automatically.

[Germania]

Look here


[Attachment 81126 - Click to enlarge]

[larley]

1.) If 1080p is available in the browser (probably, because it can be seen in the manifest) then you won't be dealing with L1 but rather with L3 and Verified Media Path. This is a way of making higher resolutions available on browsers while also being more secure.
A Verified Media Path thing consists of a file (device_vmp_blob) which is binary protobuf data of the FileHashes widevine protocol field. When parsed, they'll something like this:

Code:

{
    "signer": "MIIEcTCCAtmgAwIBAgIQZ1VlPDvDp/YE2WFGKriLajANBgkqhkiG9w0BAQsFADB9MQswCQYDVQQGEwJVUzETMBEGA1UECAwKV2FzaGluZ3RvbjERMA8GA1UEBwwIS2lya2xhbmQxDzANBgNVBAoMBkdvb2dsZTERMA8GA1UECwwIV2lkZXZpbmUxIjAgBgNVBAMMGXdpZGV2aW5lLWNvZGVzaWduLXJvb3QtY2EwIBcNMTcwMTI0MjM0MTE4WhgPMjExNjEyMzEyMzQxMThaMHkxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMREwDwYDVQQHDAhLaXJrbGFuZDEPMA0GA1UECgwGR29vZ2xlMREwDwYDVQQLDAhXaWRldmluZTEeMBwGA1UEAwwVd2lkZXZpbmUtdm1wLWNvZGVzaWduMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuzJGv5o4lWXnBC25k6ncJHKKsex7Xu2t+PoC1JL3Ee8wGiXXSEEa3BlzQSJEyHH6PTaXyOyFpCOvSsBOD5mNC6EX1Sb8AGs7BCu8Ch88eEaTmLF/x+suQjgPKVP/HrzZbxazfENp1kbtQTYbjBLBSpEAEc3iEBhZ78c0lgF7yjV1hTlO/+DdPfOdxOEj7U2CzXPtRiFqw2YlJmxkjlLDE70/IU90QIYYFwC3zyPchWYdwqxPE41b9VavcDB5DguQw6Er0N3ztolTzqNdlBYD+qxNyT3ZObKkBj7KDiC6F5mHG/rX8z7CkzqPDaG/MXRshBuW9++mqGBEL2PXEWr9GwIDAQABo28wbTAdBgNVHQ4EFgQUTLLXGmND7rtFoNhS6G7vgwDvJLAwHwYDVR0jBBgwFoAUyj3Yjg90V3/QmtnhIb9C+yNVKYYwCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwMwDQYJKoZIhvcNAQELBQADggGBAL0iQfA2Am4AXM73+1kQ/Nq9mh1G0jot/l0s5J01Uv3gETHv7wM0YGXDhPEVH3J84c4YNbkFx2MPx95VsttoAOFuOjVUJcXQoWjkrxksSCTBWEIcim5i4+u17b5kE4+qIpWPm+Aw/QgIwBeAJf2UV56d9hg7s/XeDMo2TgpHGTN7yermjcT+N7uv+JlqrlBEmyn9ZiM5iQSqe15f2Yj4hMrj00/Oov3XGPtmtRcKi3MXd3T1NRVDLmtiSpUDed1d8BMp8dKfasC0qI/iTslGg2R/tnm04gMF65ulv7w/49yjhY3UcG47aMGMFKVGwQAr7M0mlvWzSL1fMrlq7QYHjlcuMiZg4kbvNs7fiR61kwEiIuv2e2QGbT2DcPcxbkd6H5GeP5VhNtKdtjxDqWJkQ8XCTqN1Br4tcG8RrhCsYUVZbl/Gs3CydVIi/xBvXGYCFOfHkzeOLZHYUjTBIGa1XUdaylhttbDeQGUTrCpiX/EGeW44AEC8oscKUZTHfk3fqA==",
    "signatures": [
        {
            "filename": "chrome.exe",
            "testSigning": false,
            "SHA512Hash": "VH/6lq++CgF+APCZCt4VZeFhW3ySlw7krU1d6BPOOH3o2LfQc0r+S+94hvkTQbJDhJVr0WOgRpbT4PnE/tJzGw==",
            "mainExe": true,
            "signature": "t+6EwMOwOMv2H5BbVBcKouoXamekMJJ6EGnveqDXg6VjYa51aMVZiPKOb3lbcQOPQW4/ui7hBgi8cc9EeIIBJ8RsrbLUbn1KTMEIi1t2rUXYfdg648ASS4DAjvu0gzlKg5SXtOTeDsTRjgCmtoUh++OfHpdNaA2Y1n1u9rQvqgSlrRUiujvZXgfsU9yhzMnZZDD6LSpS5Y/pdQZhGmSi/JNrdqsOUl6Mp6xSQppWiYTAyr94BMD8r4PutKfrHFfFs1ha5flolhHr9+GvrsVzccPkmC9H+X0WjZn4/kgstpJYKwq8rMlGYS3QlO54lCvebOn1+eIfo69gkbfA3pn2Nw=="
        },
        {
            "filename": "chrome.dll",
            "testSigning": false,
            "SHA512Hash": "ZK7VTlMHQ08rfj5wWtHPKUMMOBQ+Q0CtvEVi8K9i08ES48ia7jr4dAmf7UlJ1NqQV0wS5CC1c7wk7wBzdgIs1A==",
            "mainExe": false,
            "signature": "nYeE+rp3hIbYZ3sfWGXIbzBfAlfu/CaQXVcVj7EAFVY/cq5jPPTcs/RkPwQl68UdwqGbXUdwnJCpSVMfKhCACalV/zOlN4jVtruvBRbnfrxsPhfvwQCZ45sBpy0dyFuH5JqrlXzF5KEkzvyBKtn08Zq7KePwRsKzThzsi8y0uN5A7u36I1sYeZXtvzjrUD47hI8Zkp53CfmmgfAXPRiw95Mh7zU3kWNAaEO9rmxtysZcjGnBjIj9TDRYJxMgiA4ECn5u+YWy6+n/V8rxazLKtYn6KeMaZ/ShK6GdII+nwfwJQFkmdfe2VVBLU5a71BYPowx8wVLNK+MTGJvTgTDPDg=="
        },
        {
            "filename": "chrome_child.dll",
            "testSigning": false,
            "SHA512Hash": "Nn5YKuo8UOGrMkGf45jUZXixnu+s8t8fVWmVNZCPl9ZKvJcG1b3F3gAGZZXTXWcjgoaymdE/r6HHEh9zezFUug==",
            "mainExe": false,
            "signature": "GmENlSS+ZzFHWqCDg/uL9G4cQdKkqf7ZKnl7YcdLFJi+f638jzwvGjKwaN4hFqgiICf8M1JUCBsX88abD50dCYu9B7pRxg+h/IebqEffjWp6F4wwD9hsaa3DtFAlM4hbQhyNFZk5+28I8VssyTVXXuXJXpIMslxM4qV2nhyJ/gP9iLLLsyNJRUHGlcLKoAHvsD47/dIJDWRCSKHqOGNwGKiITMZRFzbdnzb/ySZglAYrqQ25iMiVXNPLzmpLv+dR2btXMalGhvEHzZKS5nbFQWrxLcIoAq5tDMw7phT/myolTZGq+cH943pWTMfI1zBGtfsy7GgFojy/PVU3r/bBbg=="
        },
        {
            "filename": "widevinecdmadapter.dll",
            "testSigning": false,
            "SHA512Hash": "Sth++ieGKp6L4Y6IQ0ppADtTBSqmcGt7wB6knOMHllfeP5eMy0Dse5fhnqy6EmBSMUJOn/Iypuy5AWM2Zs2nug==",
            "mainExe": false,
            "signature": "D+l1Gy0No2ehkvrFxe/Nn9TiDD69mZEGi7SFVdfrMX/C1ttDrsB75ZcxtB2K65CNgl9ZyCozAiiwyT5TWGiy3NOsRX7rBTtkcyex3kdRAJIFDkqWwX3yjhGfce3sn/AZv9xuWcLdAMzhKHjKHJjUt7AAFfUdBrHYSv29ucj1Jbidrv8dFjLEQeCsjNuOUX+jS1LOyRiGdygasoYmz5pSaG1dQxip3ymy2kErox8nZb+cv7Xwz/hzd1jNxsHtR3oYuMkV9HZV4gatLOg5PgweOy+gy7zaBayJxCUmCBG44LZTrvTdOEfBP8EN23ZS3ztnygZXt0gRwJleZjYHp7MqbQ=="
        },
        {
            "filename": "widevinecdm.dll",
            "testSigning": false,
            "SHA512Hash": "SubXCykTBsji9Q9OkWS79peR4aadScpqvO0ByE3zPM7GPA9NisgF1Yqz+GL/ruERKLscKmTnpWy5wt+Iy1t5Qg==",
            "mainExe": false,
            "signature": "gP28gsLFTMebiUuKX/uuqo/mK9j4xN82SXvTVF15dl9DulGXa7SFCJnp/PAC8Pe5JlhVeIy+ibcwh8rErBKo0cakze78Spy0oYpEOMDXKD5gyo09Cn1GX5zTKkr7JTkM1D8R6uUebEjA7d7oyOgOQC0Jcfwh1RoA9LCkEwuUimX9Brm+LI3vqfwYsaBD8/Fye8QC7H3R8oj8IBgkRzsErV0GLQvYlhg6XDaBM75Hcq8MYKDpu9D5ffYSal1lgTArkMJo5RFEKE/o1ZwiUkImRjliEuKVe9vz5gzNtXu0C9jtBwU0Dl/NyOFxzOqeNbN9gmIPYDPPCe9OQUDyB04LBg=="
        }
    ]
}

As you can see, they contain hashes of the chrome executables, so the License Server can verify that the request is coming from a real browser.
L1 is Android only and operates on the Trusted Execution Environment, which is a phyical chip inside your phone that handles video decryption and video processing. When using L2, video decryption is handled inside the TEE, and video processing is handled on a software level.

2.)
The License Server receives a challenge that is generated by the CDM, which contains either PSSH Data, Init Data or a WebM Key ID (see here). This is what my new downloader is making use of. The License Server will return all of the keys matching the Key IDs inside the PSSH, etc. (only if you fulfill the per-key requirements like VMP for some keys). What I cannot tell you is why they're even inside that PSSH in the first place.

I've also mapped out the Keys for a better understanding:

Code:

Manifest (cenc:default_KID)      Key                              Content Type
01015d6e04552f42866d4c4fd8f30104:3e2378103ef7446dc28a9edd18344f6a 180p-576p
0102ab69ae9ef79a90f2aded58640b5a:b91bbe46ced5d410bfa92d459a5ac70d 720p
01057658d31e41d23b7c55f863d264fc:00000000000000000000000000000000 1080p
0100dbf3c9d2bc82f6a4640e34632e01:ee19657d454d7df4c1fe4c25f5da7117 audio-zxx-aac64-zxx
0100dbf3c9d2bc82f6a4640e34632e01:ee19657d454d7df4c1fe4c25f5da7117 audio-en-aac64-en
0100dbf3c9d2bc82f6a4640e34632e01:ee19657d454d7df4c1fe4c25f5da7117 audio-sv-aac64-sv

Derived from the PSSH, but not specified in the manifest:
0103daf05a4d5fa3472ec63e3263e7ef:00000000000000000000000000000000
01042042de37314835921fa6b690f962:00000000000000000000000000000000

[sibhus]

I thought that the stream was decrypted once the sound and video were combined and that a single key was enough. I thought it mainly protected the video (having the lesson alone is of little use )

You are right, I will use all the keys if the programs know how to use them, you shouldn't take any risks. Wise remark!

Merci beaucoup pour votre aide et le temps pris.
Thank you very much for your help and the time taken.

1°) I see in the manifest that it is Widevine, but how do you know that it is version L1, L2 or L3?

This is more of a wild guess to be honest. What matters is that it's definitely not L3. Otherwise you'd have gotten your keys.

2°) Why does the license server send keys if they are of no use?

I'm not that knowledgeable to answer this question. Sorry. Maybe someone else can shed some light.

3°) This is the first time I've seen a command line with multiple key appends. Is it necessary if it serves no purpose? Isn't it better to just put the one that matches in the manifest? Or does it need all the keys to be able to decrypt?

What do you mean it "serves no purpose"? I just told you that there's different keys for video/audio. So you definitely need more than 1 key. For audio you have this:

Code:

    <AdaptationSet mimeType="audio/mp4" segmentAlignment="true" lang="sv" contentType="audio">
      <ContentProtection schemeIdUri="urn:mpeg:dash:mp4protection:2011" cenc:default_KID="0100dbf3-c9d2-bc82-f6a4-640e34632e01" value="cenc"></ContentProtection>
      ...etc...
      <Representation audioSamplingRate="48000" bandwidth="77908" codecs="mp4a.40.5" id="audio-sv-aac64-sv"></Representation>
    </AdaptationSet>

So "0100dbf3c9d2bc82f6a4640e34632e01:ee19657d454d7df4 c1fe4c25f5da7117" is only used for audio. If you use only that, you only get audio decrypted but video remains encrypted.

You can put 100 --key commands to your N_m3u8DL-RE. It doesn't matter, the tool is gonna use what's relevant for decrypting by comparing the kid value. As for why it's better putting them all, it's because it is faster. I've gotten sometimes 7 keys for some videos. What do you prefer, manually checking the key for your wanted resolution? Or letting N_m3u8DL-RE handle it automatically.

[sibhus]

If I understand correctly the L1 is developed for Android, but for what reasons would you be? We need more high resolution on PCs than on small devices such as tablets or smartphones ?

I'm going to go see your new downloader, it seems very interesting to me.

Thank you very much for your intervention, it is always good to learn things for a beginner like me.

1.) If 1080p is available in the browser (probably, because it can be seen in the manifest) then you won't be dealing with L1 but rather with L3 and Verified Media Path. This is a way of making higher resolutions available on browsers while also being more secure.
A Verified Media Path thing consists of a file (device_vmp_blob) which is binary protobuf data of the FileHashes widevine protocol field. When parsed, they'll something like this:

Code:

{
    "signer": "MIIEcTCCAtmgAwIBAgIQZ1VlPDvDp/YE2WFGKriLajANBgkqhkiG9w0BAQsFADB9MQswCQYDVQQGEwJVUzETMBEGA1UECAwKV2FzaGluZ3RvbjERMA8GA1UEBwwIS2lya2xhbmQxDzANBgNVBAoMBkdvb2dsZTERMA8GA1UECwwIV2lkZXZpbmUxIjAgBgNVBAMMGXdpZGV2aW5lLWNvZGVzaWduLXJvb3QtY2EwIBcNMTcwMTI0MjM0MTE4WhgPMjExNjEyMzEyMzQxMThaMHkxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMREwDwYDVQQHDAhLaXJrbGFuZDEPMA0GA1UECgwGR29vZ2xlMREwDwYDVQQLDAhXaWRldmluZTEeMBwGA1UEAwwVd2lkZXZpbmUtdm1wLWNvZGVzaWduMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuzJGv5o4lWXnBC25k6ncJHKKsex7Xu2t+PoC1JL3Ee8wGiXXSEEa3BlzQSJEyHH6PTaXyOyFpCOvSsBOD5mNC6EX1Sb8AGs7BCu8Ch88eEaTmLF/x+suQjgPKVP/HrzZbxazfENp1kbtQTYbjBLBSpEAEc3iEBhZ78c0lgF7yjV1hTlO/+DdPfOdxOEj7U2CzXPtRiFqw2YlJmxkjlLDE70/IU90QIYYFwC3zyPchWYdwqxPE41b9VavcDB5DguQw6Er0N3ztolTzqNdlBYD+qxNyT3ZObKkBj7KDiC6F5mHG/rX8z7CkzqPDaG/MXRshBuW9++mqGBEL2PXEWr9GwIDAQABo28wbTAdBgNVHQ4EFgQUTLLXGmND7rtFoNhS6G7vgwDvJLAwHwYDVR0jBBgwFoAUyj3Yjg90V3/QmtnhIb9C+yNVKYYwCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwMwDQYJKoZIhvcNAQELBQADggGBAL0iQfA2Am4AXM73+1kQ/Nq9mh1G0jot/l0s5J01Uv3gETHv7wM0YGXDhPEVH3J84c4YNbkFx2MPx95VsttoAOFuOjVUJcXQoWjkrxksSCTBWEIcim5i4+u17b5kE4+qIpWPm+Aw/QgIwBeAJf2UV56d9hg7s/XeDMo2TgpHGTN7yermjcT+N7uv+JlqrlBEmyn9ZiM5iQSqe15f2Yj4hMrj00/Oov3XGPtmtRcKi3MXd3T1NRVDLmtiSpUDed1d8BMp8dKfasC0qI/iTslGg2R/tnm04gMF65ulv7w/49yjhY3UcG47aMGMFKVGwQAr7M0mlvWzSL1fMrlq7QYHjlcuMiZg4kbvNs7fiR61kwEiIuv2e2QGbT2DcPcxbkd6H5GeP5VhNtKdtjxDqWJkQ8XCTqN1Br4tcG8RrhCsYUVZbl/Gs3CydVIi/xBvXGYCFOfHkzeOLZHYUjTBIGa1XUdaylhttbDeQGUTrCpiX/EGeW44AEC8oscKUZTHfk3fqA==",
    "signatures": [
        {
            "filename": "chrome.exe",
            "testSigning": false,
            "SHA512Hash": "VH/6lq++CgF+APCZCt4VZeFhW3ySlw7krU1d6BPOOH3o2LfQc0r+S+94hvkTQbJDhJVr0WOgRpbT4PnE/tJzGw==",
            "mainExe": true,
            "signature": "t+6EwMOwOMv2H5BbVBcKouoXamekMJJ6EGnveqDXg6VjYa51aMVZiPKOb3lbcQOPQW4/ui7hBgi8cc9EeIIBJ8RsrbLUbn1KTMEIi1t2rUXYfdg648ASS4DAjvu0gzlKg5SXtOTeDsTRjgCmtoUh++OfHpdNaA2Y1n1u9rQvqgSlrRUiujvZXgfsU9yhzMnZZDD6LSpS5Y/pdQZhGmSi/JNrdqsOUl6Mp6xSQppWiYTAyr94BMD8r4PutKfrHFfFs1ha5flolhHr9+GvrsVzccPkmC9H+X0WjZn4/kgstpJYKwq8rMlGYS3QlO54lCvebOn1+eIfo69gkbfA3pn2Nw=="
        },
        {
            "filename": "chrome.dll",
            "testSigning": false,
            "SHA512Hash": "ZK7VTlMHQ08rfj5wWtHPKUMMOBQ+Q0CtvEVi8K9i08ES48ia7jr4dAmf7UlJ1NqQV0wS5CC1c7wk7wBzdgIs1A==",
            "mainExe": false,
            "signature": "nYeE+rp3hIbYZ3sfWGXIbzBfAlfu/CaQXVcVj7EAFVY/cq5jPPTcs/RkPwQl68UdwqGbXUdwnJCpSVMfKhCACalV/zOlN4jVtruvBRbnfrxsPhfvwQCZ45sBpy0dyFuH5JqrlXzF5KEkzvyBKtn08Zq7KePwRsKzThzsi8y0uN5A7u36I1sYeZXtvzjrUD47hI8Zkp53CfmmgfAXPRiw95Mh7zU3kWNAaEO9rmxtysZcjGnBjIj9TDRYJxMgiA4ECn5u+YWy6+n/V8rxazLKtYn6KeMaZ/ShK6GdII+nwfwJQFkmdfe2VVBLU5a71BYPowx8wVLNK+MTGJvTgTDPDg=="
        },
        {
            "filename": "chrome_child.dll",
            "testSigning": false,
            "SHA512Hash": "Nn5YKuo8UOGrMkGf45jUZXixnu+s8t8fVWmVNZCPl9ZKvJcG1b3F3gAGZZXTXWcjgoaymdE/r6HHEh9zezFUug==",
            "mainExe": false,
            "signature": "GmENlSS+ZzFHWqCDg/uL9G4cQdKkqf7ZKnl7YcdLFJi+f638jzwvGjKwaN4hFqgiICf8M1JUCBsX88abD50dCYu9B7pRxg+h/IebqEffjWp6F4wwD9hsaa3DtFAlM4hbQhyNFZk5+28I8VssyTVXXuXJXpIMslxM4qV2nhyJ/gP9iLLLsyNJRUHGlcLKoAHvsD47/dIJDWRCSKHqOGNwGKiITMZRFzbdnzb/ySZglAYrqQ25iMiVXNPLzmpLv+dR2btXMalGhvEHzZKS5nbFQWrxLcIoAq5tDMw7phT/myolTZGq+cH943pWTMfI1zBGtfsy7GgFojy/PVU3r/bBbg=="
        },
        {
            "filename": "widevinecdmadapter.dll",
            "testSigning": false,
            "SHA512Hash": "Sth++ieGKp6L4Y6IQ0ppADtTBSqmcGt7wB6knOMHllfeP5eMy0Dse5fhnqy6EmBSMUJOn/Iypuy5AWM2Zs2nug==",
            "mainExe": false,
            "signature": "D+l1Gy0No2ehkvrFxe/Nn9TiDD69mZEGi7SFVdfrMX/C1ttDrsB75ZcxtB2K65CNgl9ZyCozAiiwyT5TWGiy3NOsRX7rBTtkcyex3kdRAJIFDkqWwX3yjhGfce3sn/AZv9xuWcLdAMzhKHjKHJjUt7AAFfUdBrHYSv29ucj1Jbidrv8dFjLEQeCsjNuOUX+jS1LOyRiGdygasoYmz5pSaG1dQxip3ymy2kErox8nZb+cv7Xwz/hzd1jNxsHtR3oYuMkV9HZV4gatLOg5PgweOy+gy7zaBayJxCUmCBG44LZTrvTdOEfBP8EN23ZS3ztnygZXt0gRwJleZjYHp7MqbQ=="
        },
        {
            "filename": "widevinecdm.dll",
            "testSigning": false,
            "SHA512Hash": "SubXCykTBsji9Q9OkWS79peR4aadScpqvO0ByE3zPM7GPA9NisgF1Yqz+GL/ruERKLscKmTnpWy5wt+Iy1t5Qg==",
            "mainExe": false,
            "signature": "gP28gsLFTMebiUuKX/uuqo/mK9j4xN82SXvTVF15dl9DulGXa7SFCJnp/PAC8Pe5JlhVeIy+ibcwh8rErBKo0cakze78Spy0oYpEOMDXKD5gyo09Cn1GX5zTKkr7JTkM1D8R6uUebEjA7d7oyOgOQC0Jcfwh1RoA9LCkEwuUimX9Brm+LI3vqfwYsaBD8/Fye8QC7H3R8oj8IBgkRzsErV0GLQvYlhg6XDaBM75Hcq8MYKDpu9D5ffYSal1lgTArkMJo5RFEKE/o1ZwiUkImRjliEuKVe9vz5gzNtXu0C9jtBwU0Dl/NyOFxzOqeNbN9gmIPYDPPCe9OQUDyB04LBg=="
        }
    ]
}

As you can see, they contain hashes of the chrome executables, so the License Server can verify that the request is coming from a real browser.
L1 is Android only and operates on the Trusted Execution Environment, which is a phyical chip inside your phone that handles video decryption and video processing. When using L2, video decryption is handled inside the TEE, and video processing is handled on a software level.

2.)
The License Server receives a challenge that is generated by the CDM, which contains either PSSH Data, Init Data or a WebM Key ID (see here). This is what my new downloader is making use of. The License Server will return all of the keys matching the Key IDs inside the PSSH, etc. (only if you fulfill the per-key requirements like VMP for some keys). What I cannot tell you is why they're even inside that PSSH in the first place.

I've also mapped out the Keys for a better understanding:

Code:

Manifest (cenc:default_KID)      Key                              Content Type
01015d6e04552f42866d4c4fd8f30104:3e2378103ef7446dc28a9edd18344f6a 180p-576p
0102ab69ae9ef79a90f2aded58640b5a:b91bbe46ced5d410bfa92d459a5ac70d 720p
01057658d31e41d23b7c55f863d264fc:00000000000000000000000000000000 1080p
0100dbf3c9d2bc82f6a4640e34632e01:ee19657d454d7df4c1fe4c25f5da7117 audio-zxx-aac64-zxx
0100dbf3c9d2bc82f6a4640e34632e01:ee19657d454d7df4c1fe4c25f5da7117 audio-en-aac64-en
0100dbf3c9d2bc82f6a4640e34632e01:ee19657d454d7df4c1fe4c25f5da7117 audio-sv-aac64-sv

Derived from the PSSH, but not specified in the manifest:
0103daf05a4d5fa3472ec63e3263e7ef:00000000000000000000000000000000
01042042de37314835921fa6b690f962:00000000000000000000000000000000

[2nHxWW6GkN1l916N3ayz8HQoi]

I will use all the keys if the programs know how to use them, you shouldn't take any risks

It'd be nice if N_m3u8DL-RE had a feature like "-sv best:decryptable", where it automatically picks the best track that you can decrypt with the current keys. That way you wouldn't need to look at the kids and you could just cancel the download if the picked resolution was too low. At the moment the tool only has "-sv best" as an option but it's useless in your case.

PS: You can quote previous comments and shorten them like I did to avoid repeating walls of text.

[larley]

If I understand correctly the L1 is developed for Android, but for what reasons would you be? We need more high resolution on PCs than on small devices such as tablets or smartphones ?

I'm not really sure why they even created L1 back in the days. I can't think of a way you would've streamed 4K video on an Android Device (i guess we have the FireTV Stick 4K, etc. nowadays). Maybe because VMP didn't exist yet?
The reason we don't have this level of protection on PCs (aka. Browsers) is because you can't make a browser so secure, and a hardware chip on a Mainboard would introduce compatibility issues. So you'll need to lock all of that processing away inside its own chip (the TEE), which will be downgraded to L3 (the CDM, not the chip, and also not always, like with Xiaomi devices) when trying to gain root access (which could give you access to the TEE)

[sibhus]

I must have made a mistake because my last message does not appear.
Thank you for the help, I understood the problem. So from the first download I was in the correct mode (but incomplete since I only used one key).
I have two final questions if anyone knows the answer.

1°) Currently I use CDRM-Project 2.0 (and I have another site like this one which also works the same). I would like to know if it is possible to recover the keys by ourselves via a command line? (I would like to know if there is a possibility with a command to query the server so that it sends the keys).

2°) Is there a way today to recover the stream in 1080p (see 4K, because in my opinion the Olympics are filmed in 4K) and obtain the decryption key or is this simply impossible currently?

[larley]

1)
Try WidevineFetch (see my signature)

2)
Yes, but not accessible to the public