[HN Gopher] Widevine decryption with Ghidra stymied by transform... ___________________________________________________________________ Widevine decryption with Ghidra stymied by transform complexity Author : throwawaybutwhy Score : 123 points Date : 2021-08-01 12:21 UTC (10 hours ago) (HTM) web link (github.com) (TXT) w3m dump (github.com) | bawolff wrote: | From the repo | | > In the end, I only extracted about half of the RSA key. | | Not a cryptographer, but i thought half the rsa key was all you | needed with coopersmith's attack. | bubuanabelas wrote: | DRM consumes more energy annually than Bitcoin (needs to be fact | checked) so breaking it and distributing the decrypted media is a | favor to the environment and humanity. | londons_explore wrote: | Every time this is broken, am I right in saying all encrypted | media needs to be re-encrypted with the updated version of | widevine? | baybal2 wrote: | > Every time this is broken, am I right in saying all encrypted | media needs to be re-encrypted with the updated version of | widevine? | | Yes, but so far no big Netflix-like website did it. It's a | credible guess that all encrypted L1 content long been | downloaded, and is just waiting decryption (NF used to use HTTP | to serve encrypted files in the open, without any API wall some | years ago) | Mindwipe wrote: | No. The media is encrypted with Common Encryption regardless. | | This is only about key management. | nyuszika7h wrote: | No. Once Google revokes an old version of the CDM, the servers | will refuse to issue a license for that version. The license | basically contains encrypted keys for the content. If you | already saved the decrypted keys for a specific content, you | will be able to decrypt it even after the revocation, but you | won't be able to get the keys for any new content with that | version anymore. | | We're not (yet) at the point where actual content keys are | rotated frequently, because that sounds like a lot of effort | though technologies exist for this already, they're just not in | widespread use. | numpad0 wrote: | By this point everyone would agree that platforms that | eliminate all piracy dies. So they'll send out couple DMCAs | until it's sufficiently unknown and that'll be all. | ramshanker wrote: | So in the end, Widevine complexity won. For now. I have always | thought that obfuscation is easier to undo. It is the underlying | MATH which is difficult. The best anti-cheat are Math heavy than | the instruction trickery. Though both are present simultaneously. | azalemeth wrote: | From the repo: | | >It is my honest opinion that DRM is a malignant tumor growing | upon various forms of media, and that people that either | implement or enforce implementation are morally repugnant and do | no good to society. With that in mind, I was sad to learn in May | 2021 that the original extension would soon be rendered obsolete. | | I really can't agree more. I don't use, and never have, services | that require DRM. I buy my games from gog.com and itch.io and the | like, get media from free-to-air television and state | broadcasters, and buy music either from the artist or from good | and reputable music labels like hyperion.co.uk. I buy books in a | dead-tree form, or as DRM-free PDFs. I will simply not buy, use, | or support DRM and I occasionally tell firms that I am not giving | them business because of their inane corporate decisions. | | This might seem like a hard rant, but all of these binary blobs | can be broken with varying degree of difficulty -- as this | person's work shows -- because _DRM is fundamentally pointless_. | It 's such a waste of human endeavor! Think how many CPU cycles | are burnt doing this! Estimate what the total cost of HDCP + | Widevine + DRM etc is on the planet! It is pointless, insulting, | and frustrating! | | </rant>. | jshwlkr wrote: | I believe you meant https://www.hyperion-records.co.uk/ | azalemeth wrote: | I did -- thank you and apologies for getting it wrong. | MikeUt wrote: | The point of DRM isn't to prevent piracy, but to control | manufacturers, who cannot legally break DRM, so they have to | comply with whatever the DRM licensing cartel demands. | | Prevent screenshots, prevent skipping ads, prevent recording | (remember VHS recorders?), enforce region locking.. so many | legal activities can be effectively made illegal, since | manufacturers cannot both support DRM, and offer these options. | siliconc0w wrote: | "because DRM is fundamentally pointless" | | I dunno, it gave this person a lot of trouble and the result is | maybe a very narrow victory that doesn't practically matter? | And this is the lowest level of widevine security - L3 which is | basically assumed to be owned. Good luck with L1 which uses | trusted compute primitives. DRM has won. | | And I'm saying this as someone who agrees DRM is a threat to | society as we're taking things that the world could otherwise | have for free and denying it them so we can instead charge a | small % for it. So we're intelligent enough to build this kind | of technical sophistication but we are unable/unwilling to | figure out a different model for financing it. | grishka wrote: | DRM is always pointless because the content has to be | converted to analog form at some point. So, it gets decrypted | in the DistrustZone, decompressed, then encrypted again | before it goes over HDCP to your display, which then decrypts | it to show it on the screen. Couldn't you capture the LVDS | signal that the display panel receives? And even if you don't | do that, isn't every version of HDCP cracked already so you | could use a capture card instead? | wmf wrote: | The last bastion of DRM is forensic watermarking (so they | can trace the leaked video back to your device) and key | revocation (so your device won't play any new content). | These techniques are so complex that they aren't used much. | grishka wrote: | So they trace the ripped video file to a particular | throwaway account that was registered with a prepaid | card, then what? And if you're determined enough, you | could as well rip multiple copies on behalf of multiple | accounts and average out the pixel colors. | wmf wrote: | The idea is to revoke the device, not the account. | throwaway525142 wrote: | > you could as well rip multiple copies on behalf of | multiple accounts and average out the pixel colors. | | Can you show that this can reliable get rid of the | fingerprinting? This particular method could be countered | by only including the fingerprint info in a few random | frames, then you'd be able to retrieve the account info | of _all_ the accounts that participated in ripping. I don | 't think finding a method to counter any sort of | fingerprinting is as easy as "just averaging the pixels". | azalemeth wrote: | It's my understanding that most schemes actually use very | low frequency encoding with a large amount of error | robustness built in (probably involving Haar wavelets) in | order to maximize the probability that it survives re- | encoding. Still, these schemes are not faultless: if you | have two devices, and are knowledgeable enough to break | the DRM twice for the same content, you're probably smart | enough to take the md5 and shasum of the resulting | bitstreams and diff them. Any discrepancy results in | signal processing transforms until they have the same | hashes... | conradev wrote: | Isn't it also incompatible with the distribution model? | Because personalizing video for every customer is hard to | scale for companies that rely on reducing cloud costs | wmf wrote: | The watermarking is done during playback, not | distribution. | sblom wrote: | I took conradev to mean "the model of distributing the | same content to everyone via traditional (passive) CDN". | | Movie theater watermarking is done during playback, but | if Netflix was going to do watermarking, it would have to | be done prior to delivery of streamed bits or it would be | susceptible to the same "it's just software" attacks as | any other local software-only approach to DRM. | magila wrote: | If you know where to look L1 content can be readily | downloaded, including the original 4K streams. As usual the | net effect of DRM is to make the paid service inferior to | piracy. That's not what I would call "wining". | elcritch wrote: | In theory DRM could be mathematically perfect. However DRM | relies on actual implementations both in software and | hardware and shares a lot with broader security. Software | implementations can have bugs but it's relatively easy to | ship fixes. The hardware level however is where it becomes | very difficult to ensure a valid implementation of "secure | compute" or "trusted zones" which are key to DRM and | general security, particularly from an agent with physical | access. It costs money to ship new fixed hardware, if it's | even possible. Then even if a given hardware implementation | is correct there are ways to physically glitch the hardware | to skip the checks. ESP32 chips had an issue like that | where the hardware encryption was correct but simply | "glitching" the voltage at the correct time could cause the | processor to skip the encryption check entirely [1]. It's | very difficult and costly to make hardware immune to all | such attacks. Small seemingly unrelated physical details | can become novel ways to break the encryption system (like | specter). | | Ultimately I've come to believe that DRM and it's cousin of | system security is an economic game. So DRM useless in that | it will probably be cracked after some time, but that time | can translate to revenues or control until that point. It | depends on how much money you have to throw at either | hardening and cracking systems. It'll likely become harder | (i.e. more expensive) in the future to crack hardware DRM | in the future as the technology becomes more sophisticated | and classes of vulnerability are discovered and mitigated. | But then the cracks become more valuable both for anti-DRM | or anti-security. | | 1: https://raelize.com/blog/espressif-systems- | esp32-bypassing-s... | toxik wrote: | I don't understand how it can ever be secure unless you let | some DRM representatives basically come and do inspections. | | Fundamentally, you are going to show a video and play an | audio stream. Fundamentally, it can be recaptured perfectly | because it must be displayed and played perfectly. There is | simply no way around it. DRM can only make life hard for | the regular Joes. | nyuszika7h wrote: | I don't know why you're being downvoted, you're right. | There are plenty of TrustZone exploits that allow | extraction of L1 keys. | R0b0t1 wrote: | For now, at least. It is possible they fix all issues. | kristofferR wrote: | Not really, since that would entail breaking playback on | current devices/firmwares. | | They can only try again next time (for 8K?). | anonuser123456 wrote: | Broken TZ does not mean the algorithms are broken, only | that exploits exist to bypass TZ. Fixing the exploits | doesn't break anything about the algorithms for decode / | decrypt. | kristofferR wrote: | I'm not sure what in my comment you were disagreeing to. | Fixing the exploits would entail requiring a software | update/breaking unupdatable devices. | wmf wrote: | Yep. I remember when Blu-ray "required" Windows Vista | because it had better DRM APIs then a few months later | the studios gave in and allowed playback on XP... which | was immediately cracked. Ultimately you have to meet | customers where they are which is old devices. | R0b0t1 wrote: | Until current broken devices fall out of use. Eventually, | all devices might be secure. | realusername wrote: | Except that people who exploit L1 just never reveal how | they do it, good luck with that. | | That's the beauty of the asymmetry against DRM, only a | single decoded file (which will always happen) is enough | for seeding to everybody. | 10000truths wrote: | > This might seem like a hard rant, but all of these binary | blobs can be broken with varying degree of difficulty -- as | this person's work shows -- because DRM is _fundamentally | pointless_. | | I think that this ease of circumventing DRM is actually an | indirect, but major, reason why movie theaters will never | really go away. Online streaming new movie releases is great | for direct-to-consumer business, but it comes with the risk of | losing control of your distribution due to ease of piracy. Why | would a frugal person pay $30 for "premier access" to a new | movie on Disney+ when they can just go to Pirate Bay and | torrent a perfect-quality rip for free? It's much easier to | keep AMC Theatres in line than a global network of average | Joes. | pornel wrote: | DRM is not about piracy. Content producers know that all | their content ends up on PirateBay anyway, and know DRM | causes them support costs and lost customers. | | For content distributors DRM is still worth in because of the | power it gives them in dictating how the content can be | viewed. They can demand hardware manufacturers to give them | prominent placement, or be blocked. They can sell the same | content over and over again for every screen type and | platform individually, with rules and prices at maximum each | will bear. They can set their own rules, instead of relying | on general provisions of the copyright law. | 10000truths wrote: | But the point is that DRM _doesn 't_ give content producers | power over how content can be viewed. I could, if I wanted, | go on The Pirate Bay and torrent Black Widow for free, and | watch it however, wherever, whenever I want, regardless of | whatever DRM Disney+ has on their streaming. It doesn't | matter whether hardware manufacturers are restricted from | displaying DRM content, because they can be bypassed | entirely. | wincy wrote: | I used to go to the movie theatres all the time and spend | $30+ to see a movie in the Dolby Digital Experience and the | like, but it's easier for me to pirate than it is for me to | sign up for whatever streaming service and watch a movie | there. They're always available immediately after release in | the highest quality. | marcodiego wrote: | Hmmm... Would love if this allows me watch netflix using a fully | FLOSSed arm sbc. | baybal2 wrote: | The point of semi-unusable DRMed crap when L1 released keep | getting WEB-DLed? | | Very likely it's not the Shield now which leaks L1, but an | actual key recovery because they get the stream even before it | gets watermarked in the secure domain. | | My guess, it's Qualcomm's debugging TZ applets. They cannot | really revoke keys because they will take down a giant amount | of Snapdragon based handsets for which manufacturers don't | bother to put a single OTA. | | This is also likely why Netflix uses such a silly restrictions | as refusing to run on old Android version numbers on some | Snapdragon handsets, which are easily root bypassable. | step21 wrote: | What's L1? web-dls I have seen are always relatively low | resolution, so at least it protects fullhd or 4k. | baybal2 wrote: | Widevine L1 - the hardware DRM in ARM trustzone with | individual keys for each chip. | nyuszika7h wrote: | 1080p WEB-DLs are very common if you're in the right | places, but even public trackers should have plenty. 4K is | slightly less common but does also happen, with frequency | depending on the streaming service. | gruez wrote: | >so at least it protects fullhd or 4k. | | Not really. Popular streaming-exclusive shows often get | 1080p versions released within a few hours, and the 2160p | versions released within a few days. | nyuszika7h wrote: | Lately Google has mostly stopped revoking whole devices. | Instead, when someone extracts a key from a device and it | leaks publicly, they just revoke that one specific device's | key. That improves the experience for legitimate users, but | also means the person who extracted the key can just go buy | another device of the same model and use the same exploit to | extract a new working key. | grishka wrote: | Are these keys unique per-device? | wmf wrote: | Yes. | vladvasiliu wrote: | I've never really looked long into these things, but now that | most GPUs do the actual video decoding, how come it's still not | possible to use Linux or any random OS? Isn't the GPU supposed | to somehow guarantee that it only sends the decrypted stream to | a compliant screen? Isn't this the point of HDCP? | | When this was done in software, I understand that open source | decoders could have been modified to pipe the clear stream to | disk, but now the software basically just hands the encrypted | blob to a "trusted" hardware decoder. | | Or am I missing something? | MaXtreeM wrote: | Linux is not the issue here but ARM processor as OP said. | First DRM library for ARM came only earlier this year so | finally I am able to play DRM content on Raspberry Pi 4 in | Chromium but I am not going to because chromium is painfully | slow and plugin maintainers have figured out how to play | Netflix in Kodi. | | edit: DRM library still doesn't get to "fully FLOSSed" | vladvasiliu wrote: | So then Netflix et al.'s requirement of Windows or macOS in | order to play high definition video is purely artificial on | x86? | | Last time I checked (a few months ago) they didn't even | support Chrome (either Windows or Mac) for UHD, they | required Safari, Edge or their own Windows app. | jeroenhd wrote: | The UHD restriction is not a technical one. Content | producers and the rest of the media industry has strict | requirements about streaming. UHD content uses | proprietary DRM systems from Microsoft and Apple that are | considered more secure than WideVine, which is why those | browsers are permitted to watch 4k. | | You can't watch UHD content on Edge for Linux, for | example, because the necessary DRM isn't implemented. | wmf wrote: | Between the video decoder and the screen is the display | server (e.g. Xorg or GNOME Shell) which is untrusted. | vladvasiliu wrote: | This wasn't my understanding. If the decoding happens in | hardware, I wouldn't have expected the decoded video to be | passed back to the display server to be sent back again to | the GPU and out to the screen. | | My understanding was that there was some kind of | compositing going on, in hardware, where the display server | would tell the GPU to display the output between some | coordinates, but the server itself wouldn't know what the | actual output would be. | | Here is the libva documentation which seems to support | this: http://intel.github.io/libva/group__api__prot.html | detaro wrote: | actual title: _Trying to extract Widewine key: A journey to | FaIlUrE_ | classified wrote: | The bad font on GitHub makes "FaIlUrE" look like "FallUrE". I | thought it must have been a typo. | zinekeller wrote: | Bad Windows font, probably. It's just using the default | system fonts, which in case of Segoe UI doesn't employ caps | for I. Ironically, Segoe (just Segoe, the reference font) | _do_ have caps on I. | classified wrote: | I stand corrected (I didn't look up the CSS, can't do that | in Safari on iPad). That leaves room for improvement in my | browser's default font then. | zinekeller wrote: | Note that system fonts usually can't be overridden in | browsers, you need to inject custom CSS with the | override. | YetAnotherNick wrote: | Can someone explain what's the point of DRM for video streaming | when you can do screen recording so easily. It could make sense | in books and games but why is netflix such a heavy proponent for | it? ___________________________________________________________________ (page generated 2021-08-01 23:01 UTC)