Migration

.gitignore

@@ -0,0 +1,133 @@
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+# C extensions
+*.so
+
+# Distribution / packaging
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+pip-wheel-metadata/
+share/python-wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+MANIFEST
+
+# PyInstaller
+#  Usually these files are written by a python script from a template
+#  before PyInstaller builds the exe, so as to inject date/other infos into it.
+*.manifest
+*.spec
+
+# Installer logs
+pip-log.txt
+pip-delete-this-directory.txt
+
+# Unit test / coverage reports
+htmlcov/
+.tox/
+.nox/
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*.cover
+*.py,cover
+.hypothesis/
+.pytest_cache/
+
+# Translations
+*.mo
+*.pot
+
+# Django stuff:
+*.log
+local_settings.py
+db.sqlite3
+db.sqlite3-journal
+
+# Flask stuff:
+instance/
+.webassets-cache
+
+# Scrapy stuff:
+.scrapy
+
+# Sphinx documentation
+docs/_build/
+
+# PyBuilder
+target/
+
+# Jupyter Notebook
+.ipynb_checkpoints
+
+# IPython
+profile_default/
+ipython_config.py
+
+# pyenv
+.python-version
+
+# pipenv
+#   According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
+#   However, in case of collaboration, if having platform-specific dependencies or dependencies
+#   having no cross-platform support, pipenv may install dependencies that don't work, or not
+#   install all needed dependencies.
+#Pipfile.lock
+
+# PEP 582; used by e.g. github.com/David-OConnor/pyflow
+__pypackages__/
+
+# Celery stuff
+celerybeat-schedule
+celerybeat.pid
+
+# SageMath parsed files
+*.sage.py
+
+# Environments
+.env
+.venv
+env/
+venv/
+ENV/
+env.bak/
+venv.bak/
+
+# Spyder project settings
+.spyderproject
+.spyproject
+
+# Rope project settings
+.ropeproject
+
+# mkdocs documentation
+/site
+
+# mypy
+.mypy_cache/
+.dmypy.json
+dmypy.json
+
+# Pyre type checker
+.pyre/
+
+# dumper
+license_request.bin
+key_dumps

Helpers/Device.py

@@ -0,0 +1,88 @@
+import os
+import logging
+import base64
+import frida
+from Crypto.PublicKey import RSA
+from Helpers.wv_proto2_pb2 import SignedLicenseRequest
+
+
+class Device:
+    def __init__(self):
+        self.logger = logging.getLogger(__name__)
+        self.saved_keys = {}
+        self.frida_script = open(
+            './Helpers/script.js',
+            'r',
+            encoding="utf_8"
+        ).read()
+        self.widevine_libraries = [
+            'libwvhidl.so'
+        ]
+        self.usb_device = frida.get_usb_device()
+        self.name = self.usb_device.name
+
+    def export_key(self, key, client_id):
+        save_dir = os.path.join(
+            'key_dumps',
+            f'{self.name}',
+            'private_keys',
+            f'{client_id.Token._DeviceCertificate.SystemId}',
+            f'{str(key.n)[:10]}'
+        )
+
+        if not os.path.exists(save_dir):
+            os.makedirs(save_dir)
+
+        with open(os.path.join(save_dir, 'client_id.bin'), 'wb+') as writer:
+            writer.write(client_id.SerializeToString())
+
+        with open(os.path.join(save_dir, 'private_key.pem'), 'wb+') as writer:
+            writer.write(key.exportKey('PEM'))
+        self.logger.info('Key pairs saved at %s', save_dir)
+
+    def on_message(self, msg, data):
+        if 'payload' in msg:
+            if msg['payload'] == 'private_key':
+                key = RSA.import_key(data)
+                if key.n not in self.saved_keys:
+                    self.logger.debug(
+                        'Retrieved key: \n\n%s\n',
+                        key.export_key().decode("utf-8")
+                    )
+                self.saved_keys[key.n] = key
+            elif msg['payload'] == 'device_info':
+                self.license_request_message(data)
+            elif msg['payload'] == 'message_info':
+                self.logger.info(data.decode())
+
+    def license_request_message(self, data):
+        self.logger.debug(
+            'Retrieved build info: \n\n%s\n',
+            base64.b64encode(data).decode('utf-8')
+        )
+        root = SignedLicenseRequest()
+        root.ParseFromString(data)
+        public_key = root.Msg.ClientId.Token._DeviceCertificate.PublicKey
+        key = RSA.importKey(public_key)
+        cur = self.saved_keys.get(key.n)
+        self.export_key(cur, root.Msg.ClientId)
+
+    def find_widevine_process(self, process_name):
+        process = self.usb_device.attach(process_name)
+        script = process.create_script(self.frida_script)
+        script.load()
+        loaded_modules = []
+        try:
+            for lib in self.widevine_libraries:
+                loaded_modules.append(script.exports.getmodulebyname(lib))
+        finally:
+            process.detach()
+            return loaded_modules
+
+    def hook_to_process(self, process, library):
+        session = self.usb_device.attach(process)
+        script = session.create_script(self.frida_script)
+        script.on('message', self.on_message)
+        script.load()
+        script.exports.hooklibfunctions(library)
+        return session

Helpers/script.js

@@ -0,0 +1,156 @@
+const CDM_VERSION = ''
+
+// The TextEncoder/Decoder API isn't supported so it has to be polyfilled.
+// Taken from https://gist.github.com/Yaffle/5458286#file-textencodertextdecoder-js
+function TextEncoder() {
+}
+
+TextEncoder.prototype.encode = function (string) {
+    var octets = [];
+    var length = string.length;
+    var i = 0;
+    while (i < length) {
+        var codePoint = string.codePointAt(i);
+        var c = 0;
+        var bits = 0;
+        if (codePoint <= 0x0000007F) {
+            c = 0;
+            bits = 0x00;
+        } else if (codePoint <= 0x000007FF) {
+            c = 6;
+            bits = 0xC0;
+        } else if (codePoint <= 0x0000FFFF) {
+            c = 12;
+            bits = 0xE0;
+        } else if (codePoint <= 0x001FFFFF) {
+            c = 18;
+            bits = 0xF0;
+        }
+        octets.push(bits | (codePoint >> c));
+        c -= 6;
+        while (c >= 0) {
+            octets.push(0x80 | ((codePoint >> c) & 0x3F));
+            c -= 6;
+        }
+        i += codePoint >= 0x10000 ? 2 : 1;
+    }
+    return octets;
+}
+
+function getPrivateKey(address) {
+    Interceptor.attach(ptr(address), {
+        onEnter: function (args) {
+            if (!args[6].isNull()) {
+                const size = args[6].toInt32();
+                if (size >= 1000 && size <= 2000 && !args[5].isNull()) {
+                    const buf = args[5].readByteArray(size);
+                    const bytes = new Uint8Array(buf);
+                    // The first two bytes of the DER encoding are 0x30 and 0x82 (MII).
+                    if (bytes[0] === 0x30 && bytes[1] === 0x82) {
+                        try {
+                            const binaryString = a2bs(bytes)
+                            const keyLength = getKeyLength(binaryString);
+                            const key = bytes.slice(0, keyLength);
+                            send('private_key', key);
+                        } catch (error) {
+                            console.log(error)
+                        }
+                    }
+                }
+            }
+        }
+    });
+}
+
+// nop privacy mode.
+// PrivacyMode encrypts the payload with the public key returned by the license server which we don't want.
+function disablePrivacyMode(address) {
+    Interceptor.attach(address, {
+        onLeave: function (retval) {
+            retval.replace(ptr(0));
+        }
+    });
+}
+
+function prepareKeyRequest(address) {
+    Interceptor.attach(ptr(address), {
+        onEnter: function (args) {
+            switch (CDM_VERSION) {
+                case '14.0.0':
+                case '15.0.0':
+                case '16.0.0':
+                    this.ret = args[4];
+                    break;
+                case '16.1.0':
+                    this.ret = args[5];
+                    break;
+                default:
+                    this.ret = args[4];
+                    break;
+            }
+        },
+        onLeave: function () {
+            if (this.ret) {
+                const size = Memory.readU32(ptr(this.ret).add(Process.pointerSize))
+                const arr = Memory.readByteArray(this.ret.add(Process.pointerSize * 2).readPointer(), size)
+                send('device_info', arr);
+            }
+        }
+    });
+}
+
+function hookLibFunctions(lib) {
+    const name = lib['name'];
+    const baseAddr = lib['base'];
+    const message = 'Hooking ' + name + ' at ' + baseAddr;
+
+    send('message_info', new TextEncoder().encode(message))
+
+    Module.enumerateExportsSync(name).forEach(function (module) {
+        try {
+            let hookedModule;
+            if (module.name.includes('UsePrivacyMode')) {
+                disablePrivacyMode(module.address);
+                hookedModule = module.name
+            } else if (module.name.includes('PrepareKeyRequest')) {
+                prepareKeyRequest(module.address);
+                hookedModule = module.name
+            } else if (module.name.match(/^[a-z]+$/)) {
+                getPrivateKey(module.address);
+                hookedModule = module.name
+            }
+
+            if (hookedModule) {
+                const message = 'Hooked ' + hookedModule + ' at ' + module.address;
+                send('message_info', new TextEncoder().encode(message));
+            }
+        } catch (e) {
+            console.log("Error: " + e + " at F: " + module.name);
+        }
+    });
+}
+
+function getModuleByName(lib) {
+    return Process.getModuleByName(lib);
+}
+
+function a2bs(bytes) {
+    let b = '';
+    for (let i = 0; i < bytes.byteLength; i++)
+        b += String.fromCharCode(bytes[i]);
+    return b
+}
+
+function getKeyLength(key) {
+    let pos = 1 // Skip the tag
+    let buf = key.charCodeAt(pos++);
+    let len = buf & 0x7F; // Short tag length
+
+    buf = 0;
+    for (let i = 0; i < len; ++i)
+        buf = (buf * 256) + key.charCodeAt(pos++);
+    return pos + Math.abs(buf);
+}
+
+rpc.exports.hooklibfunctions = hookLibFunctions;
+rpc.exports.getmodulebyname = getModuleByName;

README.md

@@ -0,0 +1,38 @@
+The original repo can be found at https://github.com/Diazole/dumper
+
+# Dumper
+
+Dumper is a Frida script to dump L3 CDMs from any Android device.
+
+## ** IMPORTANT **
+The function parameters can differ between CDM versions. The default is [4] but you may have to change this for your specific version.
+
+* `CDM_VERSION` can be retrieved using a DRM Info app.
+
+## Requirements
+Use pip to install the dependencies:
+
+`pip3 install -r requirements.txt`
+
+## Usage
+
+* Enable USB debugging
+* Start frida-server on the device
+* Execute dump_keys.py
+* Start streaming some DRM-protected content
+
+## Known Working Versions
+* Android 9
+    * CDM 14.0.0
+* Android 10
+    * CDM 15.0.0
+* Android 11
+    * CDM 16.0.0
+* Android 12
+    * CDM 16.1.0
+
+## Temporary disabling L1 to use L3 instead
+A few phone brands let us use the L1 keybox even after unlocking the bootloader (like Xiaomi). In this case, installation of a Magisk module called [liboemcrypto-disabler](https://github.com/umylive/liboemcrypto-disabler) is necessary.
+
+## Credits
+Thanks to the original author of the code.

dump_keys.py

@@ -0,0 +1,30 @@
+#!/usr/bin/env python3
+
+import time
+import logging
+from Helpers.Device import Device
+
+logging.basicConfig(
+    format='%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(message)s',
+    datefmt='%Y-%m-%d %I:%M:%S %p',
+    level=logging.DEBUG,
+)
+
+
+def main():
+    logger = logging.getLogger("main")
+    device = Device()
+    logger.info('Connected to %s', device.name)
+    logger.info('Scanning all processes')
+
+    for process in device.usb_device.enumerate_processes():
+        if 'drm' in process.name:
+            for library in device.find_widevine_process(process.name):
+                device.hook_to_process(process.name, library)
+    logger.info('Functions Hooked, load the DRM stream test on Bitmovin!')
+
+
+if __name__ == '__main__':
+    main()
+    while True:
+        time.sleep(1000)

requirements.txt

@@ -0,0 +1,3 @@
+frida
+protobuf == 3.19.3
+pycryptodome