add new js key

This commit is contained in:
hyugogirubato
2025-06-14 16:10:27 +02:00
parent 8ed3eccf01
commit 30677c0ab5
+35 -15
View File
@@ -12,12 +12,13 @@ This document explains the internal workings of KeyDive, including key concepts
| `private_key` | RSA private key used for DRM content decryption and authentication. | | `private_key` | RSA private key used for DRM content decryption and authentication. |
| `keybox` | Device-specific key storage blob containing keys for DRM operations. | | `keybox` | Device-specific key storage blob containing keys for DRM operations. |
| `certificate` | Device OEM certificate chain for verifying keys and trust. | | `certificate` | Device OEM certificate chain for verifying keys and trust. |
| `encryption_context` | Session-specific message context used to derive AES/CMAC keys for provisioning and media. |
## Script Execution Flow ## Script Execution Flow
The core extraction logic is implemented in a Frida hook script injected into Widevine CDM processes. The following sequence diagram illustrates the general flow, including options for player choice and output formats: The core extraction logic is implemented in a Frida hook script injected into Widevine CDM processes. The following sequence diagram illustrates the general flow, including options for player choice and output formats:
```` ````text
+----------------+ +------------------+ +---------------------+ +------------------+ +----------------+ +------------------+ +---------------------+ +------------------+
| Start Script | | Select Player | | Provisioning Method | | Extraction Steps | | Start Script | | Select Player | | Provisioning Method | | Extraction Steps |
+----------------+ +------------------+ +---------------------+ +------------------+ +----------------+ +------------------+ +---------------------+ +------------------+
@@ -26,15 +27,15 @@ The core extraction logic is implemented in a Frida hook script injected into Wi
| | | | | | | |
|--(option: -a web)----->| Launch Bitmovin player | | |--(option: -a web)----->| Launch Bitmovin player | |
| | | | | | | |
| | |---Check provisioning_method-->| | | |---Check provisioning_method-->|
| | | | | | | |
| | |<--Send challenge data---------| | | |<--Send challenge data---------|
| | | | | | | |
| | |---Extract client_id---------->| | | |---Extract client_id---------->|
| | |---Extract private_key-------->| | | |---Extract private_key-------->|
| | |---Extract keybox (optional)-->| | | |---Extract keybox (optional)-->|
| | | | | | | |
| | |---Export data to output dir-->| | | |---Export data to output dir-->|
| | | | | | | |
| | | | | | | |
V V V V V V V V
@@ -60,26 +61,45 @@ These values are automatically detected at runtime to determine the correct extr
The `challenge` is a critical blob of data sent during provisioning or license acquisition. KeyDive can: The `challenge` is a critical blob of data sent during provisioning or license acquisition. KeyDive can:
- Intercept it during DRM playback. * Intercept it during DRM playback.
- Accept an external file via the `--challenge` argument. * Accept an external file via the `--challenge` argument.
This challenge contains the encrypted request for keys or certificates and is essential for key extraction workflows. This challenge contains the encrypted request for keys or certificates and is essential for key extraction workflows.
### Encryption Context
The `encryption_context` is a byte sequence intercepted from CDM session messages, typically unique per provisioning
session.
It is used to derive:
* `enc` key: for AES-CBC decryption of RSA private keys or media keys
* `auth_1` and `auth_2` keys: for HMAC or CMAC authentication of messages
This context plays a central role in:
* Reconstructing derived AES keys during Keybox or OTA provisioning
* Verifying responses and signing requests
* Securely decrypting the RSA private key in post-provisioning stages
The context is usually extracted from specific intercepted Widevine function arguments and stored alongside other
credentials.
### Client ID & Private Key ### Client ID & Private Key
Both the `client_id` and `private_key` are extracted from the intercepted CDM functions. They are: Both the `client_id` and `private_key` are extracted from the intercepted CDM functions. They are:
- Required for device emulation or license response reconstruction. * Required for device emulation or license response reconstruction.
- Automatically exported to formats like `client_id.bin`, `private_key.pem`, and `.wvd`. * Automatically exported to formats like `client_id.bin`, `private_key.pem`, and `.wvd`.
## Advanced Options & Debugging ## Advanced Options & Debugging
The advanced command-line options allow: The advanced command-line options allow:
- Overriding automatic provisioning detection. * Overriding automatic provisioning detection.
- Injecting Ghidra-extracted symbol maps via `--symbols`. * Injecting Ghidra-extracted symbol maps via `--symbols`.
- Forcing use of unencrypted challenges (`--unencrypt`) for debugging or fallback workflows. * Forcing use of unencrypted challenges (`--unencrypt`) for debugging or fallback workflows.
- Extracting optional blobs like the Widevine keybox or certificates. * Extracting optional blobs like the Widevine keybox or certificates.
These are primarily useful for development, debugging, or supporting less common device models. These are primarily useful for development, debugging, or supporting less common device models.