From 30677c0ab53048493e8875bf61906569d7f4447d Mon Sep 17 00:00:00 2001 From: hyugogirubato <65763543+hyugogirubato@users.noreply.github.com> Date: Sat, 14 Jun 2025 16:10:27 +0200 Subject: [PATCH] add new js key --- DEVELOPERS.md | 50 +++++++++++++++++++++++++++++++++++--------------- 1 file changed, 35 insertions(+), 15 deletions(-) diff --git a/DEVELOPERS.md b/DEVELOPERS.md index 2d1c28b..39d3e94 100644 --- a/DEVELOPERS.md +++ b/DEVELOPERS.md @@ -12,12 +12,13 @@ This document explains the internal workings of KeyDive, including key concepts | `private_key` | RSA private key used for DRM content decryption and authentication. | | `keybox` | Device-specific key storage blob containing keys for DRM operations. | | `certificate` | Device OEM certificate chain for verifying keys and trust. | +| `encryption_context` | Session-specific message context used to derive AES/CMAC keys for provisioning and media. | ## Script Execution Flow The core extraction logic is implemented in a Frida hook script injected into Widevine CDM processes. The following sequence diagram illustrates the general flow, including options for player choice and output formats: -```` +````text +----------------+ +------------------+ +---------------------+ +------------------+ | Start Script | | Select Player | | Provisioning Method | | Extraction Steps | +----------------+ +------------------+ +---------------------+ +------------------+ @@ -26,15 +27,15 @@ The core extraction logic is implemented in a Frida hook script injected into Wi | | | | |--(option: -a web)----->| Launch Bitmovin player | | | | | | -| | |---Check provisioning_method-->| +| | |---Check provisioning_method-->| | | | | -| | |<--Send challenge data---------| +| | |<--Send challenge data---------| | | | | -| | |---Extract client_id---------->| -| | |---Extract private_key-------->| -| | |---Extract keybox (optional)-->| +| | |---Extract client_id---------->| +| | |---Extract private_key-------->| +| | |---Extract keybox (optional)-->| | | | | -| | |---Export data to output dir-->| +| | |---Export data to output dir-->| | | | | | | | | V V V V @@ -60,26 +61,45 @@ These values are automatically detected at runtime to determine the correct extr The `challenge` is a critical blob of data sent during provisioning or license acquisition. KeyDive can: -- Intercept it during DRM playback. -- Accept an external file via the `--challenge` argument. +* Intercept it during DRM playback. +* Accept an external file via the `--challenge` argument. This challenge contains the encrypted request for keys or certificates and is essential for key extraction workflows. +### Encryption Context + +The `encryption_context` is a byte sequence intercepted from CDM session messages, typically unique per provisioning +session. + +It is used to derive: + +* `enc` key: for AES-CBC decryption of RSA private keys or media keys +* `auth_1` and `auth_2` keys: for HMAC or CMAC authentication of messages + +This context plays a central role in: + +* Reconstructing derived AES keys during Keybox or OTA provisioning +* Verifying responses and signing requests +* Securely decrypting the RSA private key in post-provisioning stages + +The context is usually extracted from specific intercepted Widevine function arguments and stored alongside other +credentials. + ### Client ID & Private Key Both the `client_id` and `private_key` are extracted from the intercepted CDM functions. They are: -- Required for device emulation or license response reconstruction. -- Automatically exported to formats like `client_id.bin`, `private_key.pem`, and `.wvd`. +* Required for device emulation or license response reconstruction. +* Automatically exported to formats like `client_id.bin`, `private_key.pem`, and `.wvd`. ## Advanced Options & Debugging The advanced command-line options allow: -- Overriding automatic provisioning detection. -- Injecting Ghidra-extracted symbol maps via `--symbols`. -- Forcing use of unencrypted challenges (`--unencrypt`) for debugging or fallback workflows. -- Extracting optional blobs like the Widevine keybox or certificates. +* Overriding automatic provisioning detection. +* Injecting Ghidra-extracted symbol maps via `--symbols`. +* Forcing use of unencrypted challenges (`--unencrypt`) for debugging or fallback workflows. +* Extracting optional blobs like the Widevine keybox or certificates. These are primarily useful for development, debugging, or supporting less common device models.