mirror of
https://github.com/hyugogirubato/KeyDive.git
synced 2026-07-15 18:40:02 +02:00
add new js key
This commit is contained in:
+29
-9
@@ -12,12 +12,13 @@ This document explains the internal workings of KeyDive, including key concepts
|
|||||||
| `private_key` | RSA private key used for DRM content decryption and authentication. |
|
| `private_key` | RSA private key used for DRM content decryption and authentication. |
|
||||||
| `keybox` | Device-specific key storage blob containing keys for DRM operations. |
|
| `keybox` | Device-specific key storage blob containing keys for DRM operations. |
|
||||||
| `certificate` | Device OEM certificate chain for verifying keys and trust. |
|
| `certificate` | Device OEM certificate chain for verifying keys and trust. |
|
||||||
|
| `encryption_context` | Session-specific message context used to derive AES/CMAC keys for provisioning and media. |
|
||||||
|
|
||||||
## Script Execution Flow
|
## Script Execution Flow
|
||||||
|
|
||||||
The core extraction logic is implemented in a Frida hook script injected into Widevine CDM processes. The following sequence diagram illustrates the general flow, including options for player choice and output formats:
|
The core extraction logic is implemented in a Frida hook script injected into Widevine CDM processes. The following sequence diagram illustrates the general flow, including options for player choice and output formats:
|
||||||
|
|
||||||
````
|
````text
|
||||||
+----------------+ +------------------+ +---------------------+ +------------------+
|
+----------------+ +------------------+ +---------------------+ +------------------+
|
||||||
| Start Script | | Select Player | | Provisioning Method | | Extraction Steps |
|
| Start Script | | Select Player | | Provisioning Method | | Extraction Steps |
|
||||||
+----------------+ +------------------+ +---------------------+ +------------------+
|
+----------------+ +------------------+ +---------------------+ +------------------+
|
||||||
@@ -60,26 +61,45 @@ These values are automatically detected at runtime to determine the correct extr
|
|||||||
|
|
||||||
The `challenge` is a critical blob of data sent during provisioning or license acquisition. KeyDive can:
|
The `challenge` is a critical blob of data sent during provisioning or license acquisition. KeyDive can:
|
||||||
|
|
||||||
- Intercept it during DRM playback.
|
* Intercept it during DRM playback.
|
||||||
- Accept an external file via the `--challenge` argument.
|
* Accept an external file via the `--challenge` argument.
|
||||||
|
|
||||||
This challenge contains the encrypted request for keys or certificates and is essential for key extraction workflows.
|
This challenge contains the encrypted request for keys or certificates and is essential for key extraction workflows.
|
||||||
|
|
||||||
|
### Encryption Context
|
||||||
|
|
||||||
|
The `encryption_context` is a byte sequence intercepted from CDM session messages, typically unique per provisioning
|
||||||
|
session.
|
||||||
|
|
||||||
|
It is used to derive:
|
||||||
|
|
||||||
|
* `enc` key: for AES-CBC decryption of RSA private keys or media keys
|
||||||
|
* `auth_1` and `auth_2` keys: for HMAC or CMAC authentication of messages
|
||||||
|
|
||||||
|
This context plays a central role in:
|
||||||
|
|
||||||
|
* Reconstructing derived AES keys during Keybox or OTA provisioning
|
||||||
|
* Verifying responses and signing requests
|
||||||
|
* Securely decrypting the RSA private key in post-provisioning stages
|
||||||
|
|
||||||
|
The context is usually extracted from specific intercepted Widevine function arguments and stored alongside other
|
||||||
|
credentials.
|
||||||
|
|
||||||
### Client ID & Private Key
|
### Client ID & Private Key
|
||||||
|
|
||||||
Both the `client_id` and `private_key` are extracted from the intercepted CDM functions. They are:
|
Both the `client_id` and `private_key` are extracted from the intercepted CDM functions. They are:
|
||||||
|
|
||||||
- Required for device emulation or license response reconstruction.
|
* Required for device emulation or license response reconstruction.
|
||||||
- Automatically exported to formats like `client_id.bin`, `private_key.pem`, and `.wvd`.
|
* Automatically exported to formats like `client_id.bin`, `private_key.pem`, and `.wvd`.
|
||||||
|
|
||||||
## Advanced Options & Debugging
|
## Advanced Options & Debugging
|
||||||
|
|
||||||
The advanced command-line options allow:
|
The advanced command-line options allow:
|
||||||
|
|
||||||
- Overriding automatic provisioning detection.
|
* Overriding automatic provisioning detection.
|
||||||
- Injecting Ghidra-extracted symbol maps via `--symbols`.
|
* Injecting Ghidra-extracted symbol maps via `--symbols`.
|
||||||
- Forcing use of unencrypted challenges (`--unencrypt`) for debugging or fallback workflows.
|
* Forcing use of unencrypted challenges (`--unencrypt`) for debugging or fallback workflows.
|
||||||
- Extracting optional blobs like the Widevine keybox or certificates.
|
* Extracting optional blobs like the Widevine keybox or certificates.
|
||||||
|
|
||||||
These are primarily useful for development, debugging, or supporting less common device models.
|
These are primarily useful for development, debugging, or supporting less common device models.
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user