[Release] WidevineFetch - Keys from just the License URL; Any Lic. Wrapping

[larley]

maybe for you, but for many users here like me, this goal it's very hard ...
so, if you implement the script to get the key, amazing, otherwise rakuten will remain unsolved for us

The script I provided does the hard part, which requires reverse engineering of the Android App. That's what I did.
All you have to do now is to go through the very often explained solution of getting the keys. It's literally everywhere, for example in the decryption tutorials by Angela in the Sticky threads. Or use this: https://github.com/devine-dl/pywidevine?tab=readme-ov-file#usage

[whs912km]

yes remain unsolved. tried but no luck. thanks anyway for your support

[2nHxWW6GkN1l916N3ayz8HQoi]

yes remain unsolved

You are talking only nonsense. If you even took a look at the sticky threads, you would have found, not only a downloader, but also the code for you to copy paste. You want everything spoon fed to you lol, at least be true to yourself and don't pretend otherwise

Code:

import re
from urllib.parse import urlparse, parse_qs, urljoin

import requests

import json

from pywidevine import PSSH, Device, Cdm


# Metadata URL RegEx: https://gizmo\.rakuten\.tv/.*/avod/streamings.*

def filter_dict(
        dictionary: dict,
        keys: list
) -> dict:
    return dict(
        (k, v)
        for k, v in dictionary.items()
        if k in keys
    )


def create_metadata(
        metadata: str,
        metadata_body
) -> tuple[str, dict, dict] | None:
    try:
        parsed_body = json.loads(metadata_body)
    except Exception:
        return

    parsed_url = urlparse(metadata)
    query = parse_qs(parsed_url.query)

    url = urljoin(metadata, parsed_url.path)

    params = {
        "device_identifier": "android",
        **filter_dict(
            query,
            [
                'classification_id'
            ]
        )
    }

    json_body = {
        "player": "android:DASH-CENC",
        "device_stream_video_quality": "HD",
        **filter_dict(
            parsed_body,
            [
                "hdr_type",
                "audio_quality",
                "content_id",
                "audio_language",
                "video_type",
                "device_serial",
                "content_type",
                "subtitle_language",
            ]
        )
    }

    return url, params, json_body


def create_manifest(metadata: str, metadata_body):
    if new_metadata := create_metadata(metadata, metadata_body):
        url, params, json_body = new_metadata
    else:
        return

    metadata_request = requests.post(
        url=url,
        params=params,
        json=json_body
    )
    if metadata_request.status_code != 200:
        return

    return metadata_request.json().get('data', {}).get('stream_infos', [{}])[0].get('url')


def create_license(metadata: str, metadata_body):
    if new_metadata := create_metadata(metadata, metadata_body):
        url, params, json_body = new_metadata
    else:
        return

    metadata_request = requests.post(
        url=url,
        params=params,
        json=json_body
    )
    if metadata_request.status_code != 200:
        return

    return metadata_request.json().get('data', {}).get('stream_infos', [{}])[0].get('license_url')

if __name__ == '__main__':
    url = input("gizmo url: ")
    json_string = input("json string: ")

    manifest = create_manifest(url, json_string)
    print(manifest)
    license_url = create_license(url, json_string)
    print(license_url)

    pssh = str(min(re.findall(
        r'<cenc:pssh\b[^>]*>(.*?)</cenc:pssh>',
        requests.get(manifest).content.decode()
    ), key=len))

    pssh = PSSH(pssh)
    device = Device.load("device_wvd_file.wvd")
    cdm = Cdm.from_device(device)
    session_id = cdm.open()
    challenge = cdm.get_license_challenge(session_id, pssh)

    licence = requests.post(license_url, data=challenge)
    licence.raise_for_status()
    cdm.parse_license(session_id, licence.content)

    for key in cdm.get_keys(session_id):
        print(f"[{key.type}] {key.kid.hex}:{key.key.hex()}")

    cdm.close(session_id)

Output:

Code:

https://prod-kami.wuaki.tv/v1/delivery/dash/avod/61cd9037-392f-4ac8-9296-572856989577.mpd
https://prod-kami.wuaki.tv/v1/licensing/wvm/7dc64863-845b-473f-9c14-25910a906646?uuid=7dc64863-845b-473f-9c14-25910a906646
[SIGNING] 00000000000000000000000000000000:76c51160d4bf1d8c61b49fb0962f2f12202ca22ca2917654fc11c139e142dd7ba38d35049a9b1c786326facc58babe551cf26b7d3a829890e0c02733e2f7fbe3
[CONTENT] e858050ae6505ebf723824aaaac165e3:0ab133fa9a00f82837bb1f1e023823f4

Local file needed cdm wvd: "device_wvd_file.wvd"

[whs912km]

You are talking only nonsense. If you even took a look at the sticky threads, you would have found, not only a downloader, but also the code for you to copy paste. You want everything spoon fed to you lol, at least be true to yourself and don't pretend otherwise

thanks for your script (and work fine for me), but your words are harsh and for nothing.
with 'unsolved' i meant referring to myself and there are many other users here in the forum in the same situation as me: it's not easy for us to understand how/what to do
previous inputs given by the larley allowed me to reach the mpd goal but the second step for the key was more hard for me to obtain. and yes, in the end i wait ready script. never denied this

[2nHxWW6GkN1l916N3ayz8HQoi]

No problem. Glad it works. I suppose I misinterpreted your comment. My bad, it happens. I still can't comprehend why is it so hard to just copy-paste code. You don't write a single line and just let others do the heavy lifting. Unless an author makes it bad on purpose, all python scripts can be read since they are structured ok and most importantly, are written in english. Compared to other programming languages, python is a joke when it comes to reading.

I'm not talking about being able to comprehend what each line does in a script and how, but you can easily understand what each section of a code is doing by just looking at what names are used (license, pssh, manifest, etc.). On top of that you can use chatgpt to understand the code for you and also to indicate what code to copy and where. Most of these problems are already automated in the current year.

For example, in the previous script, I just dropped a lot of lines straight from the pywidevine github

[whs912km]

well, i appreciate your comment.

anyway thanks for your ready script. cheers

[whs912km]

just another little details: no need to go on curlconverter.com and add curlbash

from gizmo url (filter 'streamings?') go to payload tab, on Request payload click on view source and you get ready json string value to add on py script (this for browser chromium based)


[Attachment 81674 - Click to enlarge]

for FF from gizmo url (in POST) go to Request tab and tick raw data

always thanks to 2nHxWW6GkN1l91 for the full ready script

[whs912km]

from wonderful script by larley (or Pepe integration too) i can find mpd with 540 max only. but from browser i can get another mpd also with 720p
so why larley script can find 540 only? maybe because for 720 need L1 and for 540 L3 is enough ?

[larley]

720p needs VMP and 540p is for Android devices that do not have L1

[whs912km]

so you are saying the same thing I said in my post: for 540 L3 is enough, for 720 need L1 CDM. confirm that ?

[larley]

yes...

[Germania]

deleted - sorry wrong

[2nHxWW6GkN1l916N3ayz8HQoi]

720p needs VMP and 540p is for Android devices that do not have L1

I understand there's a difference between VMP and L1. But from the average user's perspective, L1 is of course unobtainable. But what about VMP? Is it obtainable? Or a dead end as well?

[larley]

You might've heard that there was a leaked 'device_vmp_blob' once, which has now been revoked. I believe it was being used by AnyStream to get 1080p on Amazon/freevee on Browsers (because PCs don't have the ability to do hardware level decryption/video processing).
A VMP blob file is just protobuf data, containing hashes/signatures of chrome executables/DLLs. I don't know how you can get these but I believe they can be derived from existing Chrome files.
They probably (?) work with Android CDMs, but are meant to be used with Chrome CDMs (cuz browser)

[2nHxWW6GkN1l916N3ayz8HQoi]

So basically, a dead end as well. Shame. Thanks for the explanation though

I believe it was being used by AnyStream to get 1080p on Amazon/freevee on Browsers

I saw some other guy claiming AS was paying for playready APIs. No idea how much of that is true, but it was an interesting claim

[larley]

Custom module support
You can now create custom modules of you'd like to alter the inputs of the program or create your own payload reader/replacer.
Take a look at the documentation here if you're interested.

I'm still working on the integration to demand additional information from the user.

Chrome impersonation is now also supported.

[pui_ling]

Hi,

I am trying this with https://www.youku.tv but I am getting this error.


[Attachment 81703 - Click to enlarge]

This is the video https://www.youku.tv/v/v_show/id_XNjQxMjc1MDM3Mg==.html?s=cabcaab0cd6048468251&spm=a2h...QxMjc1MDM3Mg==

If you can let me know what I might be doing wrong please. I am new to trying to get keys to decrypt videos.

Thank you

[larley]

I've created a module for YOUKU and also updated the documentation, so be sure to get the latest version.
Your module can be found in the modules directory.

YOUKU was sending its request data as URL params in the body, not behind the URL. Pretty cursed

[javidial]

Has anybody make this work with M+? I know the header can't be copied and pasted. It needs to request the video, get the header and return the key at the same time because the header only works one time only, so by playing the video, the header won't work after that. Not sure if I'm making sense.

Good work!

[larley]

Try blocking the license URL

[Attachment 81763 - Click to enlarge]

You may have to edit the filter after you've created it if the token is in the URL

[MastersTR]

Hi,

I am trying this with https://www.youku.tv but I am getting this error.


[Attachment 81703 - Click to enlarge]

This is the video https://www.youku.tv/v/v_show/id_XNjQxMjc1MDM3Mg==.html?s=cabcaab0cd6048468251&spm=a2h...QxMjc1MDM3Mg==

If you can let me know what I might be doing wrong please. I am new to trying to get keys to decrypt videos.

Thank you

[Attachment 81764 - Click to enlarge]


works with the new WidevineFetch. tested
download and pip install -r requirements.txt
Install new content plugins
and run it

[senkron24]

Hi,

I am trying this with https://www.youku.tv but I am getting this error.


[Attachment 81703 - Click to enlarge]

This is the video https://www.youku.tv/v/v_show/id_XNjQxMjc1MDM3Mg==.html?s=cabcaab0cd6048468251&spm=a2h...QxMjc1MDM3Mg==

If you can let me know what I might be doing wrong please. I am new to trying to get keys to decrypt videos.

Thank you

[Attachment 81764 - Click to enlarge]


works with the new WidevineFetch. tested
download and pip install -r requirements.txt
Install new content plugins
and run it

thank you for testing and give a feed back perfekto

this tool its so genial i like it so cool thanks to the owner ...

[mobihen87]

Hi

great job!
I'm trying to get the keys, I've got the files:
client_id.bin
google_sdk_gphone64_arm64_17.0.0_5e7753b1_28924_l3 .wvd
private_key.pem


I've put those into the CDM here folder, but when I'm trying to get the key, I need to manually put the PSSH.. where do I get it from?
"all I want" is to get the key and key id to use udemy downloader...


Thanks for the help and support

[larley]

You shouldn't have to if you didn't block the URL. Did you accidentally copy the first request instead of the second? If not, then show the error (if there is one)

[mobihen87]

I was able to show the key finally. got it from a udemy video.
when trying to download with udemy-downloader, it says that it can't decrypt the drm video..
what is wrong..?
Also, what is the output format? KID:KVALUE ?

[larley]

Yes, the output format is key_id:key, but I can't help you with the downloader. All I can say is that it should work

[mobihen87]

Yes, the output format is key_id:key, but I can't help you with the downloader. All I can say is that it should work

right, can you tell if the bearerToken and cookie are the same thing?

[larley]

No, they're not. A bearer token is just a token, and a cookie is a place where a website could store such tokens

[mobihen87]

You shouldn't have to if you didn't block the URL. Did you accidentally copy the first request instead of the second? If not, then show the error (if there is one)

I don't know how to get the correct request.
I'm in Udemy in Chrome but I don't see what URL should I copy as fetch to get the correct key for the course.

This is course specific key, right? like, every course have other key? or it changes with the session?

[larley]

Didn't you say that you already got the key for the video?

The key should be different for every video, yes. It really depends on their security if they want to roll the keys per session, but I don't think they do