Danacus
/
cdm-tools-dumperv2
mirror of https://CDM-Project.com/cdm-tools/dumperv2.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Migration

This commit is contained in:
TPD94 2022-10-21 18:32:10 -04:00
commit b8e4135539
7 changed files with 3772 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

133
.gitignore vendored Normal file
View File

@ -0,0 +1,133 @@
# Byte-compiled / optimized / DLL files
__pycache__/
*.py[cod]
*$py.class
# C extensions
*.so
# Distribution / packaging
.Python
build/
develop-eggs/
dist/
downloads/
eggs/
.eggs/
lib/
lib64/
parts/
sdist/
var/
wheels/
pip-wheel-metadata/
share/python-wheels/
*.egg-info/
.installed.cfg
*.egg
MANIFEST
# PyInstaller
# Usually these files are written by a python script from a template
# before PyInstaller builds the exe, so as to inject date/other infos into it.
*.manifest
*.spec
# Installer logs
pip-log.txt
pip-delete-this-directory.txt
# Unit test / coverage reports
htmlcov/
.tox/
.nox/
.coverage
.coverage.*
.cache
nosetests.xml
coverage.xml
*.cover
*.py,cover
.hypothesis/
.pytest_cache/
# Translations
*.mo
*.pot
# Django stuff:
*.log
local_settings.py
db.sqlite3
db.sqlite3-journal
# Flask stuff:
instance/
.webassets-cache
# Scrapy stuff:
.scrapy
# Sphinx documentation
docs/_build/
# PyBuilder
target/
# Jupyter Notebook
.ipynb_checkpoints
# IPython
profile_default/
ipython_config.py
# pyenv
.python-version
# pipenv
# According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
# However, in case of collaboration, if having platform-specific dependencies or dependencies
# having no cross-platform support, pipenv may install dependencies that don't work, or not
# install all needed dependencies.
#Pipfile.lock
# PEP 582; used by e.g. github.com/David-OConnor/pyflow
__pypackages__/
# Celery stuff
celerybeat-schedule
celerybeat.pid
# SageMath parsed files
*.sage.py
# Environments
.env
.venv
env/
venv/
ENV/
env.bak/
venv.bak/
# Spyder project settings
.spyderproject
.spyproject
# Rope project settings
.ropeproject
# mkdocs documentation
/site
# mypy
.mypy_cache/
.dmypy.json
dmypy.json
# Pyre type checker
.pyre/
# dumper
license_request.bin
key_dumps

88
Helpers/Device.py Normal file
View File

@ -0,0 +1,88 @@
import os
import logging
import base64
import frida
from Crypto.PublicKey import RSA
from Helpers.wv_proto2_pb2 import SignedLicenseRequest
class Device:
def __init__(self):
self.logger = logging.getLogger(__name__)
self.saved_keys = {}
self.frida_script = open(
'./Helpers/script.js',
'r',
encoding="utf_8"
).read()
self.widevine_libraries = [
'libwvhidl.so'
]
self.usb_device = frida.get_usb_device()
self.name = self.usb_device.name
def export_key(self, key, client_id):
save_dir = os.path.join(
'key_dumps',
f'{self.name}',
'private_keys',
f'{client_id.Token._DeviceCertificate.SystemId}',
f'{str(key.n)[:10]}'
)
if not os.path.exists(save_dir):
os.makedirs(save_dir)
with open(os.path.join(save_dir, 'client_id.bin'), 'wb+') as writer:
writer.write(client_id.SerializeToString())
with open(os.path.join(save_dir, 'private_key.pem'), 'wb+') as writer:
writer.write(key.exportKey('PEM'))
self.logger.info('Key pairs saved at %s', save_dir)
def on_message(self, msg, data):
if 'payload' in msg:
if msg['payload'] == 'private_key':
key = RSA.import_key(data)
if key.n not in self.saved_keys:
self.logger.debug(
'Retrieved key: \n\n%s\n',
key.export_key().decode("utf-8")
)
self.saved_keys[key.n] = key
elif msg['payload'] == 'device_info':
self.license_request_message(data)
elif msg['payload'] == 'message_info':
self.logger.info(data.decode())
def license_request_message(self, data):
self.logger.debug(
'Retrieved build info: \n\n%s\n',
base64.b64encode(data).decode('utf-8')
)
root = SignedLicenseRequest()
root.ParseFromString(data)
public_key = root.Msg.ClientId.Token._DeviceCertificate.PublicKey
key = RSA.importKey(public_key)
cur = self.saved_keys.get(key.n)
self.export_key(cur, root.Msg.ClientId)
def find_widevine_process(self, process_name):
process = self.usb_device.attach(process_name)
script = process.create_script(self.frida_script)
script.load()
loaded_modules = []
try:
for lib in self.widevine_libraries:
loaded_modules.append(script.exports.getmodulebyname(lib))
finally:
process.detach()
return loaded_modules
def hook_to_process(self, process, library):
session = self.usb_device.attach(process)
script = session.create_script(self.frida_script)
script.on('message', self.on_message)
script.load()
script.exports.hooklibfunctions(library)
return session

156
Helpers/script.js Normal file
View File

@ -0,0 +1,156 @@
const CDM_VERSION = ''
// The TextEncoder/Decoder API isn't supported so it has to be polyfilled.
// Taken from https://gist.github.com/Yaffle/5458286#file-textencodertextdecoder-js
function TextEncoder() {
}
TextEncoder.prototype.encode = function (string) {
var octets = [];
var length = string.length;
var i = 0;
while (i < length) {
var codePoint = string.codePointAt(i);
var c = 0;
var bits = 0;
if (codePoint <= 0x0000007F) {
c = 0;
bits = 0x00;
} else if (codePoint <= 0x000007FF) {
c = 6;
bits = 0xC0;
} else if (codePoint <= 0x0000FFFF) {
c = 12;
bits = 0xE0;
} else if (codePoint <= 0x001FFFFF) {
c = 18;
bits = 0xF0;
}
octets.push(bits | (codePoint >> c));
c -= 6;
while (c >= 0) {
octets.push(0x80 | ((codePoint >> c) & 0x3F));
c -= 6;
}
i += codePoint >= 0x10000 ? 2 : 1;
}
return octets;
}
function getPrivateKey(address) {
Interceptor.attach(ptr(address), {
onEnter: function (args) {
if (!args[6].isNull()) {
const size = args[6].toInt32();
if (size >= 1000 && size <= 2000 && !args[5].isNull()) {
const buf = args[5].readByteArray(size);
const bytes = new Uint8Array(buf);
// The first two bytes of the DER encoding are 0x30 and 0x82 (MII).
if (bytes[0] === 0x30 && bytes[1] === 0x82) {
try {
const binaryString = a2bs(bytes)
const keyLength = getKeyLength(binaryString);
const key = bytes.slice(0, keyLength);
send('private_key', key);
} catch (error) {
console.log(error)
}
}
}
}
}
});
}
// nop privacy mode.
// PrivacyMode encrypts the payload with the public key returned by the license server which we don't want.
function disablePrivacyMode(address) {
Interceptor.attach(address, {
onLeave: function (retval) {
retval.replace(ptr(0));
}
});
}
function prepareKeyRequest(address) {
Interceptor.attach(ptr(address), {
onEnter: function (args) {
switch (CDM_VERSION) {
case '14.0.0':
case '15.0.0':
case '16.0.0':
this.ret = args[4];
break;
case '16.1.0':
this.ret = args[5];
break;
default:
this.ret = args[4];
break;
}
},
onLeave: function () {
if (this.ret) {
const size = Memory.readU32(ptr(this.ret).add(Process.pointerSize))
const arr = Memory.readByteArray(this.ret.add(Process.pointerSize * 2).readPointer(), size)
send('device_info', arr);
}
}
});
}
function hookLibFunctions(lib) {
const name = lib['name'];
const baseAddr = lib['base'];
const message = 'Hooking ' + name + ' at ' + baseAddr;
send('message_info', new TextEncoder().encode(message))
Module.enumerateExportsSync(name).forEach(function (module) {
try {
let hookedModule;
if (module.name.includes('UsePrivacyMode')) {
disablePrivacyMode(module.address);
hookedModule = module.name
} else if (module.name.includes('PrepareKeyRequest')) {
prepareKeyRequest(module.address);
hookedModule = module.name
} else if (module.name.match(/^[a-z]+$/)) {
getPrivateKey(module.address);
hookedModule = module.name
}
if (hookedModule) {
const message = 'Hooked ' + hookedModule + ' at ' + module.address;
send('message_info', new TextEncoder().encode(message));
}
} catch (e) {
console.log("Error: " + e + " at F: " + module.name);
}
});
}
function getModuleByName(lib) {
return Process.getModuleByName(lib);
}
function a2bs(bytes) {
let b = '';
for (let i = 0; i < bytes.byteLength; i++)
b += String.fromCharCode(bytes[i]);
return b
}
function getKeyLength(key) {
let pos = 1 // Skip the tag
let buf = key.charCodeAt(pos++);
let len = buf & 0x7F; // Short tag length
buf = 0;
for (let i = 0; i < len; ++i)
buf = (buf * 256) + key.charCodeAt(pos++);
return pos + Math.abs(buf);
}
rpc.exports.hooklibfunctions = hookLibFunctions;
rpc.exports.getmodulebyname = getModuleByName;

3324
Helpers/wv_proto2_pb2.py Normal file
View File

File diff suppressed because one or more lines are too long

38
README.md Normal file
View File

@ -0,0 +1,38 @@
The original repo can be found at https://github.com/Diazole/dumper
# Dumper
Dumper is a Frida script to dump L3 CDMs from any Android device.
## ** IMPORTANT **
The function parameters can differ between CDM versions. The default is [4] but you may have to change this for your specific version.
* `CDM_VERSION` can be retrieved using a DRM Info app.
## Requirements
Use pip to install the dependencies:
`pip3 install -r requirements.txt`
## Usage
* Enable USB debugging
* Start frida-server on the device
* Execute dump_keys.py
* Start streaming some DRM-protected content
## Known Working Versions
* Android 9
* CDM 14.0.0
* Android 10
* CDM 15.0.0
* Android 11
* CDM 16.0.0
* Android 12
* CDM 16.1.0
## Temporary disabling L1 to use L3 instead
A few phone brands let us use the L1 keybox even after unlocking the bootloader (like Xiaomi). In this case, installation of a Magisk module called [liboemcrypto-disabler](https://github.com/umylive/liboemcrypto-disabler) is necessary.
## Credits
Thanks to the original author of the code.

30
dump_keys.py Normal file
View File

@ -0,0 +1,30 @@
#!/usr/bin/env python3
import time
import logging
from Helpers.Device import Device
logging.basicConfig(
format='%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(message)s',
datefmt='%Y-%m-%d %I:%M:%S %p',
level=logging.DEBUG,
)
def main():
logger = logging.getLogger("main")
device = Device()
logger.info('Connected to %s', device.name)
logger.info('Scanning all processes')
for process in device.usb_device.enumerate_processes():
if 'drm' in process.name:
for library in device.find_widevine_process(process.name):
device.hook_to_process(process.name, library)
logger.info('Functions Hooked, load the DRM stream test on Bitmovin!')
if __name__ == '__main__':
main()
while True:
time.sleep(1000)

3
requirements.txt Normal file
View File

@ -0,0 +1,3 @@
frida
protobuf == 3.19.3
pycryptodome