This commit is contained in:
hyugogirubato
2025-01-19 18:46:40 +01:00
parent 0f3ab497e8
commit f45cd6e681
6 changed files with 0 additions and 0 deletions
+68
View File
@@ -0,0 +1,68 @@
# Challenge
To extract unencrypted challenges using KeyDive and HTTP Toolkit, you can follow this comprehensive guide. Assumes familiarity with both KeyDive and HTTP Toolkit, focusing on their integration for extracting unencrypted challenges effectively.
### Extract Unencrypted Challenges
#### 1. Prepare HTTP Toolkit
- Start [HTTP Toolkit](https://httptoolkit.com/) on your machine.
- Ensure it's configured to intercept HTTP and HTTPS traffic from your Android device. HTTP Toolkit provides detailed instructions on how to set this up based on your operating system.
#### 2. Set Up Environment
- Have an Android device with Widevine L3 DRM content that you want to analyze.
- Ensure the device is rooted or has adb access to interact with KeyDive and HTTP Toolkit effectively.
#### 3. Configure KeyDive
- Ensure KeyDive is set up to run on your Android device. This involves:
- Installing KeyDive on your device via Magisk or another suitable method.
- Running KeyDive with the necessary configurations to intercept DRM-related requests.
#### 4. Intercept Traffic with HTTP Toolkit
- Use HTTP Toolkit to intercept traffic between your Android device and the DRM server when DRM content is accessed or played.
- HTTP Toolkit provides a user-friendly interface to view and analyze intercepted requests and responses.
#### 5. Extract Unencrypted Challenges
- Identify HTTP requests related to DRM challenges in HTTP Toolkit.
- Extract unencrypted challenge data from intercepted requests using HTTP Toolkit's inspection tools.
- Note down the necessary parameters or tokens that are part of the DRM challenge.
#### 6. Analyze and Use Data
- Once you have extracted the unencrypted challenge data, analyze it to understand the structure and content.
- Use this data for further research, analysis, or integration into your DRM extraction workflows.
### Example Workflow
1. **Start HTTP Toolkit:**
- Open HTTP Toolkit and ensure interception is enabled for your device's network traffic.
2. **Run KeyDive:**
- Execute KeyDive on your Android device, ensuring it intercepts DRM-related requests.
3. **Access DRM Content:**
- Access DRM-protected content on your device that triggers DRM challenge requests.
4. **Intercept Requests:**
- Use HTTP Toolkit to intercept HTTP requests related to DRM challenges.
5. **Extract Challenge Data:**
- Inspect intercepted requests in HTTP Toolkit to extract unencrypted challenge data.
6. **Use Extracted Data:**
- Use the extracted data with KeyDive by running:
```shell
keydive --device <DEVICE_ID> --challenge path/to/challenge
```
Replace `path/to/challenge` with the actual path to the extracted challenge data file.
### Additional Tips
- **Using Frida Scripts for SSL Pinning Bypass:** If your Android device is rooted but encountering SSL pinning issues, consider using Frida scripts such as [Android SSL Pinning](https://codeshare.frida.re/@hyugogirubato/android-ssl-pinning/). These scripts are designed to bypass SSL certificate pinning implemented by applications, allowing tools like HTTP Toolkit to capture and analyze HTTPS traffic effectively.
- **Device ID Extraction Issues:** If KeyDive encounters difficulties extracting the device ID directly, consider these methods as a workaround when direct device ID extraction is not feasible or successful.
By integrating KeyDive with HTTP Toolkit, you can streamline the process of extracting unencrypted challenges from DRM-protected content on Android devices, facilitating research and analysis in digital rights management.
+272
View File
@@ -0,0 +1,272 @@
drm_serial_number: "\341we\354N\267\362\353`\024;\002\277\025\312\267"
deprecated_status: DEPRECATED_VALID
device_info {
system_id: 6172
soc: "HiSilicon 3798M"
manufacturer: "Coolech"
model: "K-Q"
device_type: "tv"
security_level: LEVEL_2
provisioning_method: FACTORY_KEYBOX
}
status: STATUS_RELEASED
drm_serial_number: ""w\376\333\250|\273\003p\343\350\3533\334\013K"
deprecated_status: DEPRECATED_VALID
device_info {
system_id: 7999
soc: "HiSilicon 3798MV100"
manufacturer: "SmarDTV"
model: "DIP4090"
device_type: "stb"
security_level: LEVEL_2
provisioning_method: FACTORY_KEYBOX
}
status: STATUS_RELEASED
drm_serial_number: "\010\017P\315\237\r\315n\371\313\003\276\023R\247Z"
deprecated_status: DEPRECATED_VALID
device_info {
system_id: 9173
soc: "HiSilicon 3798MV100"
manufacturer: "SmarDTV"
model: "DIP4090"
device_type: "stb"
security_level: LEVEL_2
provisioning_method: FACTORY_KEYBOX
}
status: STATUS_RELEASED
drm_serial_number: "F7\271J^\335EW\201\336\031\362\322\325\307\205"
deprecated_status: DEPRECATED_VALID
device_info {
system_id: 6053
soc: "MTK8639"
manufacturer: "MeeBoss"
model: "M100"
device_type: "tv"
model_year: 2015
security_level: LEVEL_2
provisioning_method: FACTORY_KEYBOX
}
status: STATUS_RELEASED
drm_serial_number: "\301f\217\310\273\243~\272\250$\327\264\205N\200["
deprecated_status: DEPRECATED_VALID
device_info {
system_id: 6054
soc: "MTK8639"
manufacturer: "MeeBoss"
model: "M150"
device_type: "tv"
model_year: 2015
security_level: LEVEL_2
provisioning_method: FACTORY_KEYBOX
}
status: STATUS_RELEASED
drm_serial_number: "9\320n=\330\203=\237\326\005\335\252M\317\271\364"
deprecated_status: DEPRECATED_VALID
device_info {
system_id: 5860
soc: "Intel Z2520"
manufacturer: "Micromax"
model: "P666"
device_type: "phone"
model_year: 2014
security_level: LEVEL_2
provisioning_method: FACTORY_KEYBOX
}
status: STATUS_RELEASED
drm_serial_number: "\223n5V\033\3040\266\025\212\223\025)\360\231\377"
deprecated_status: DEPRECATED_VALID
device_info {
system_id: 6765
soc: "bcm"
manufacturer: "Roku"
model: "3600"
device_type: "video dongle"
security_level: LEVEL_2
provisioning_method: FACTORY_KEYBOX
}
status: STATUS_RELEASED
drm_serial_number: "\222\322h*\003xo\310\240\367\356\034\021\3034\273"
deprecated_status: DEPRECATED_VALID
device_info {
system_id: 6950
soc: "BCM"
manufacturer: "Roku"
model: "4200"
device_type: "video dongle"
model_year: 2015
security_level: LEVEL_2
provisioning_method: FACTORY_KEYBOX
}
status: STATUS_RELEASED
drm_serial_number: "\007\351\241\014\017k\205^\0301\227l\352`f\353"
deprecated_status: DEPRECATED_VALID
device_info {
system_id: 8083
soc: "BCM7218"
manufacturer: "Roku"
model: "2700"
device_type: "video dongle"
security_level: LEVEL_2
provisioning_method: FACTORY_KEYBOX
}
status: STATUS_RELEASED
drm_serial_number: "\300\031\010\314\303\347R\316m\W\272\307,\307\350"
deprecated_status: DEPRECATED_VALID
device_info {
system_id: 8252
soc: "BCM"
manufacturer: "Roku"
model: "4200"
device_type: "video dongle"
security_level: LEVEL_2
provisioning_method: FACTORY_KEYBOX
}
status: STATUS_RELEASED
drm_serial_number: "\236\360\025d\302\344O\026W0\001BzIV\331"
deprecated_status: DEPRECATED_VALID
device_info {
system_id: 8253
soc: "BCM"
manufacturer: "Roku"
model: "3500"
device_type: "video dongle"
security_level: LEVEL_2
provisioning_method: FACTORY_KEYBOX
}
status: STATUS_RELEASED
drm_serial_number: "\315Q\220l\253\352\026\177\262\374\314\365nu\361D"
deprecated_status: DEPRECATED_VALID
device_info {
system_id: 8254
soc: "BCM"
manufacturer: "Roku"
model: "2xxx"
device_type: "video dongle"
security_level: LEVEL_2
provisioning_method: FACTORY_KEYBOX
}
status: STATUS_RELEASED
drm_serial_number: "!cj<WP\344_\274\334\252\304\3474\003\215"
deprecated_status: DEPRECATED_VALID
device_info {
system_id: 8353
soc: "bcm"
manufacturer: "Roku"
model: "x2400"
device_type: "video dongle"
security_level: LEVEL_2
provisioning_method: FACTORY_KEYBOX
}
status: STATUS_RELEASED
drm_serial_number: "\345\364\353#\335q\342u\301\005\301t\274\374\035\372"
deprecated_status: DEPRECATED_VALID
device_info {
system_id: 8354
soc: "bcm"
manufacturer: "Roku"
model: "3400"
device_type: "video dongle"
security_level: LEVEL_2
provisioning_method: FACTORY_KEYBOX
}
status: STATUS_RELEASED
drm_serial_number: "\224\374s\220\304`U.A\231B\254TJ\306\335"
deprecated_status: DEPRECATED_VALID
device_info {
system_id: 6966
soc: "MSD6485"
manufacturer: "UMC"
model: "BLA-43-134M-XX"
device_type: "tv"
security_level: LEVEL_2
provisioning_method: FACTORY_KEYBOX
}
status: STATUS_RELEASED
drm_serial_number: "\026\337Z]\347f\274\253\371\2325\215\2212(("
deprecated_status: DEPRECATED_VALID
device_info {
system_id: 6975
soc: "MSD6486"
manufacturer: "UMC"
model: "SHARP-6486-S6-XX"
device_type: "tv"
security_level: LEVEL_2
provisioning_method: FACTORY_KEYBOX
}
status: STATUS_RELEASED
drm_serial_number: "\2620\361Q\327\232\211a\240\001\332\313R\244sp"
deprecated_status: DEPRECATED_VALID
device_info {
system_id: 7321
soc: "MSD6486"
manufacturer: "UMC"
model: "ETE-6486-S6-XX"
device_type: "tv"
security_level: LEVEL_2
provisioning_method: FACTORY_KEYBOX
}
status: STATUS_RELEASED
drm_serial_number: "\226\300\340\001\365\000B\323\205\177\317\006&\341\334`"
deprecated_status: DEPRECATED_VALID
device_info {
system_id: 1070321
soc: "Qualcomm SM4350"
manufacturer: "HMD Global"
model: "TTG"
device_type: "phone"
model_year: 2021
security_level: LEVEL_1
provisioning_method: FACTORY_KEYBOX
}
status: STATUS_RELEASED
+75
View File
@@ -0,0 +1,75 @@
# Widevine and DRM Glossary
This document serves as a resource for understanding Widevine Digital Rights Management (DRM), its ecosystem, and associated terminology. The links and descriptions provided aim to help readers navigate the technical and procedural aspects of Widevine and DRM systems more effectively.
---
## **Widevine Digital Rights Management (DRM)**
Widevine is a leading DRM technology developed by Google, designed to protect video content and ensure secure delivery across a wide range of devices. It supports various security levels, enabling seamless integration with content providers while safeguarding intellectual property.
---
### **Core Concepts and Terms**
#### **Certified Widevine Implementation Partner (CWIP)**
The [CWIP program](https://support.google.com/widevine/answer/2938263?hl=en) ensures that individuals and organizations are equipped to install, configure, and troubleshoot Widevine DRM systems effectively. Key objectives of this program include:
- Teaching candidates to implement Widevine systems with precision.
- Enhancing satisfaction for integrators and end-users.
- Ensuring trust among content owners.
#### **Widevine Device Certificate Status List (DCSL)**
The [Widevine DCSL](https://developers.google.com/widevine/drm/overview) provides a detailed list of certified devices, including:
- **System ID**: A unique identifier for devices using Widevine.
- **Security Level**: Defines the degree of hardware-based protection (e.g., L1, L2, or L3).
- **Provisioning Method**: How keys and certificates are deployed (e.g., Factory Keybox).
- **Device Type**: Identifies whether a device is a phone, set-top box, TV, etc.
---
### **Key Technical Terms**
#### **Security Levels (L1, L2, L3)**
Widevine security levels determine the degree of protection applied to content playback:
- **L1**: Uses Trusted Execution Environment (TEE) for all decryption and processing.
- **L2**: Partially relies on the TEE but may use additional secure layers.
- **L3**: Relies entirely on software-based protection, typically for devices without TEE.
#### **Provisioning Methods**
The way keys and certificates are securely delivered to devices:
- **Factory Keybox**: Embedded during manufacturing to ensure hardware-level security.
- **Device Provisioning**: Post-manufacturing certificate injection.
#### **Content Encryption**
Widevine utilizes standardized encryption methods, typically AES (Advanced Encryption Standard), to secure video streams.
#### **DRM Key Types**
- **Content Key**: Used to decrypt protected content.
- **License Key**: Issued by the DRM license server to authorize content playback.
---
### **Security Vulnerabilities and Updates**
#### **CVE-2024-36971**
[Learn More](https://thehackernews.com/2024/08/google-patches-new-android-kernel.html)
A critical vulnerability in the Android kernel exploited in the wild. Google released a patch to address this issue, highlighting:
- The importance of maintaining up-to-date systems.
- Potential risks of targeted attacks using DRM components.
#### **Patching Processes**
Widevine relies on regular updates to mitigate vulnerabilities. This includes:
- Firmware updates for device security components.
- Collaboration with OEMs to ensure ecosystem-wide fixes.
---
### **Further Resources**
- **Widevine Overview**: [Google Developers Documentation](https://developers.google.com/widevine/drm/overview)
- **Understanding DRM**: [Wikipedia - Digital Rights Management](https://en.wikipedia.org/wiki/Digital_rights_management)
- **Android Security Bulletins**: [Google Security Updates](https://source.android.com/security/bulletin)
---
### **Conclusion**
This glossary aims to centralize essential Widevine and DRM-related terms, helping researchers, integrators, and developers understand the ecosystem. For those working with Widevine or exploring DRM technologies, these resources are foundational to a secure and efficient implementation.
+94
View File
@@ -0,0 +1,94 @@
# Functions
To utilize custom functions with KeyDive, particularly when extracting Widevine L3 DRM keys from Android devices, you might need to generate a `functions.xml` file using Ghidra. This file helps KeyDive accurately identify necessary functions within the Widevine library, facilitating a more efficient extraction process. Below is a step-by-step guide on how to create a `functions.xml` file using Ghidra:
### Retrieving Library Binary from Device Using ADB
#### 1. Identify Library Path with KeyDive
Run KeyDive to detect the library path on the Android device:
```shell
keydive --device <DEVICE_ID>
```
Replace `<DEVICE_ID>` with the ID of your Android device connected via ADB.
#### 2. Copy Library to `/data/local/tmp`
Once KeyDive has detected the library path, proceed to copy the library from its detected location to `/data/local/tmp` on the device. This requires root access, so use `su` to switch to root:
```shell
adb -s <DEVICE_ID> shell
su
cp /path/to/detected/library /data/local/tmp
```
Replace `/path/to/detected/library` with the actual path detected by KeyDive.
#### 3. Adjust Permissions
Set the correct permissions for the copied library to ensure access:
```shell
chown shell:shell /data/local/tmp/library_name
```
Replace `library_name` with the name of the library file.
#### 4. Download Library to Local Machine
Download the library from `/data/local/tmp` to your local machine using ADB:
```shell
adb -s <DEVICE_ID> pull /data/local/tmp/library_name /path/on/your/local/machine
```
Replace `<DEVICE_ID>` with your device ID and `/path/on/your/local/machine` with the destination path on your local machine where you want to save the library.
### Extracting functions with Ghidra
#### 1. Preparing Ghidra
Ensure you have Ghidra installed on your system. If not, download it from the [Ghidra project page](https://ghidra-sre.org/) and follow the installation instructions.
#### 2. Importing the ELF Binary
- Launch Ghidra and start a new project (or open an existing one).
- Import the ELF binary file (e.g., the Widevine CDM library from the Android device) by navigating to `File` > `Import File` and selecting the binary.
- Choose the default options for the import settings, unless you have specific requirements.
#### 3. Analyzing the Binary
- Once the binary is imported, double-click on it in the project window to open it in the CodeBrowser tool.
- Begin the analysis by navigating to `Analysis` > `Auto Analyze` from the top menu.
- In the "Auto Analysis" window, ensure all relevant analyzers are selected, especially those related to symbol and function discovery. Click "Analyze" to start the process.
- Wait for the analysis to complete, which may take some time depending on the binary's size and complexity.
#### 4. Exporting Functions as XML
- After analysis, navigate to `File` > `Export Program...`.
- In the "Export Program" window, choose the "XML" format from the dropdown menu.
- Click "Options" and ensure that only the "Functions" option is selected. This step is crucial as it filters the export to include only the functions necessary for KeyDive, making the XML file more manageable and relevant.
- Choose a destination for the `functions.xml` file and confirm the export.
#### 5. Using the Functions with KeyDive
Once you have the `functions.xml` file:
- Ensure KeyDive is set up according to its documentation.
- When running KeyDive, use the `--functions` argument to specify the path to your `functions.xml` file. For example:
```shell
keydive --device <DEVICE_ID> --functions /path/to/functions_x86.xml
```
- Proceed with the key extraction process as detailed in KeyDive's usage instructions.
### Additional Tips
- **Understanding Functions:** The `functions.xml` file maps function names and variables within the Widevine CDM library, enabling KeyDive to correctly identify and hook into specific processes for key extraction.
- **Ghidra Compatibility:** Ensure your version of Ghidra supports the binary format you're analyzing. Newer versions of Ghidra typically offer better support for a wide range of binary formats.
- **Analysis Depth:** While a full analysis is recommended, you can customize the analysis options based on your understanding of the binary and the functions you are specifically interested in. This can significantly reduce analysis time.
- **Security Considerations:** Be aware of the security implications of extracting and handling DRM keys. Always comply with legal restrictions and ethical guidelines when using tools like KeyDive and Ghidra for reverse engineering.
By following these steps, you can generate a `functions.xml` file that aids in the effective use of KeyDive for
educational, research, or security analysis purposes.
+56
View File
@@ -0,0 +1,56 @@
# Offline DRM Key Extraction for Axinom Content
This project focuses on extracting DRM keys offline from streams protected by Axinom DRM. It involves patching an open-source application to customize stream definitions, disabling network connectivity checks, and optionally bypassing SSL pinning. Additionally, it includes steps for handling device provisioning requests using a fake server.
## Prerequisites
- Android Studio SDK to modify and build the APK.
- Frida setup on your device/emulator for runtime instrumentation.
- HTTP Toolkit for intercepting and modifying network traffic.
- Basic understanding of Android development and network protocols.
## Setup
### Step 1: Patch the APK
1. Clone the repository of the open-source app you intend to patch.
2. Modify the apps source code to:
- Define the correct stream URL.
- Disable any network connectivity checks in the app. For example, bypass methods that check for active internet connections.
```shell
python3 builder_mobile.py
```
3. Build the modified APK and install it on your Android device or emulator.
```shell
python3 patcher.py
```
### Step 2: Bypass SSL Pinning (if necessary)
If the app implements SSL pinning, follow the steps below to bypass it using Frida:
1. Ensure Frida is installed on your device or emulator.
2. Use the script provided in the [Frida-CodeShare repository](https://github.com/hyugogirubato/Frida-CodeShare/tree/main/scripts/android-pinning) to intercept SSL pinning methods dynamically.
3. Run the script using the command:
```
frida -D "DEVICE_ID" -l "pinning.js" -f "PACKAGE_NAME"
```
Replace `"DEVICE_ID"` with your device or emulator ID and `"PACKAGE_NAME"` with the package name of your patched app.
### Step 3: Setup Fake Server for Provisioning
1. Setup a Python server to mimic the license server. This server should always respond with a 302 redirect loop, essentially providing an infinite timeout.
```shell
python3 app.py
```
2. Implement the fake server with endpoints required for the DRM license and provisioning requests.
### Step 4: Use HTTP Toolkit
1. Install and set up HTTP Toolkit on your PC.
2. Import predefined rules to simulate the static responses needed for the app, like `manifest.mpd`.
3. Direct your app traffic through HTTP Toolkit to manipulate the responses as needed.
## Running the App
Launch the patched app on your device. Since the network checks are disabled, and the app is configured to use the fake server responses, it should function without real internet access, allowing for offline DRM key extraction.