From ff72e33a285b4b09e44b2dddab980ec227d623bf Mon Sep 17 00:00:00 2001 From: hyugogirubato <65763543+hyugogirubato@users.noreply.github.com> Date: Sat, 14 Jun 2025 18:47:35 +0200 Subject: [PATCH] add oem cert priv key research --- keydive/keydive.js | 35 ++++++++++++++++++++++++++++++++--- 1 file changed, 32 insertions(+), 3 deletions(-) diff --git a/keydive/keydive.js b/keydive/keydive.js index 4afea24..74dc980 100644 --- a/keydive/keydive.js +++ b/keydive/keydive.js @@ -536,6 +536,35 @@ function OEMCrypto_GetKeyData(address) { }); } +function CryptoSession_LoadCertificatePrivateKey(address) { + /* + wvcdm::CryptoSession::LoadCertificatePrivateKey + + Args: + args[1]: const CryptoWrappedKey& private_key + Return: + retval: wvcdm::CdmResponseType + */ + Interceptor.attach(address, { + onEnter: function (args) { + print(Level.DEBUG, '[+] onEnter: CryptoSession::LoadCertificatePrivateKey'); + this.privateKeyPtr = args[1]; + // Call OEMCrypto_GetOEMPublicCertificate before OEMCrypto_LoadDeviceRSAKey (old) + // Call OEMCrypto_GetOEMPublicCertificate before OEMCrypto_LoadDRMPrivateKey (new) + // Called from LoadPrivateOrLegacyKey + }, + onLeave: function (retval) { + print(Level.DEBUG, '[-] onLeave: CryptoSession::LoadCertificatePrivateKey'); + console.log(hexdump(this.privateKeyPtr, { + offset: 0, + length: 128, + header: true, + ansi: true + })); + } + }); +} + function OEMCrypto_ProvisioningMethod(address) { /* wvcdm::OEMCrypto_GetProvisioningMethod @@ -779,9 +808,9 @@ const hookLibrary = (name, dynamic) => { OEMCrypto_GetDeviceID(funcAddr); } else if (['_oecc04', '_lcc04'].some(n => funcName === n)) { OEMCrypto_GetKeyData(funcAddr); - // TODO: Check the keybox implementation on SDK 36 - // TODO: Interception of the certificate's private key - // Call OEMCrypto_GetOEMPublicCertificate before OEMCrypto_LoadDRMPrivateKey + // TODO: Intercept the private key of OEM device certificate + //} else if (['CryptoSession', 'LoadCertificatePrivateKey'].every(n => funcName.includes(n))) { + // CryptoSession_LoadCertificatePrivateKey(funcAddr); // Provisioning Interception } else if (['_oecc49', '_lcc49'].some(n => funcName === n)) {