FHD playback / UHD listing

jgimness commented 6 years ago

I see a commented out HighDef parameter, is that what enables Ultra HD listings to be retrieved? Any info would be appreciated.

Varstahl commented 5 years ago

VMP is disabled since your files aren't signed so it probably doesn't bother to enable privacy mode, although it really still should use privacy mode... Chromium will act the same way, probably.

Makes sense, but it still makes my head spin.

BTW what version of ChromeCDM are you using in Kodi? Version number of widevinecdm.dll

At the moment from the test I'm using the 4.10.1196.0 that is fetched by Firefox (which probably will never work). The version Kodi fetches is 1.4.9.1088.

aers commented 5 years ago

At the moment from the test I'm using the 4.10.1196.0 that is fetched by Firefox (which probably will never work). The version Kodi fetches is 1.4.9.1088.

Okay this is fine, Amazon will block anything below 1.4.9.1029. (after November 1st, they will block anything below 4.10.1185.0).

If unencrypted client ID requests from your custom build of Firefox get 1080p on Amazon then your issue isnt service certs.

Can you post a license request with unencrypted client id from a successful playback of 1080p in your browser and also one from a failure from Kodi? base64 is fine or just the binary file. Use the same video please.

Also, when it fails in Kodi, does it return a license and then fail to play afterwards, or just not return a license at all? If it does return a license post the licenses too.

Varstahl commented 5 years ago

service certificate

At least now I know why I had the "CAQ= is Server Certificate" in the back of my head all the time. Glad I'm not completely crazy.

If unencrypted client ID requests from your custom build of Firefox get 1080p on Amazon then your issue isnt service certs.

The playback from a compiled Firefox report as playing in 1080p, and the logs show that it's not VMP. Which is also the reason why I decided to dismiss the idea after finding it out.

Can you post a license request with unencrypted client id from a successful playback of 1080p in your browser and also one from a failure from Kodi? base64 is fine or just the binary file. Use the same video please.

Signed Firefox build:

CAQ=: CAUSwgUKvAIIAxIQCuQRtZRasVgFt7DIvVtVHBi17OSpBSKOAjCCAQoCggEBAKU2UrYVOSDlcXajWhpEgGhqGraJtFdUPgu6plJGy9ViaRn5mhyXON5PXmw1krQdi0SLxf00FfIgnYFLpDfvNeItGn9rcx0RNPwP39PW7aW0Fbqi6VCaKWlR24kRpd7NQ4woyMXr7xlBWPwPNxK4xmR/6UuvKyYWEkroyeIjWHAqgCjCmpfIpVcPsyrnMuPFGl82MMVnAhTweTKnEPOqJpxQ1bdQvVNCvkba5gjOTbEnJ7aXegwhmCdRQzXjTeEV2dO8oo5YfxW6pRBovzF6wYBMQYpSCJIA24ptAP/2TkneyJuqm4hJNFvtF8fsBgTQQ4TIhnX4bZ9imuhivYLa6HsCAwEAAToPYW1hem9uLmNvbS1wcm9kEoADETQD6R0H/h9fyg0Hw7mj0M7T4s0bcBf4fMhARpwk2X4HpvB49bJ5Yvc4t41mAnXGe/wiXbzsddKMiMffkSE1QWK1CFPBgziU23y1PjQToGiIv/sJIFRKRJ4qMBxIl95xlvSEzKdt68n7wqGa442+uAgk7CXU3uTfVofYY76CrPBnEKQfad/CVqTh48geNTb4qRH1TX30NzCsB9NWlcdvg10pCnWSm8cSHu1d9yH+2yQgsGe52QoHHCqHNzG/wAxMYWTevXQW7EPTBeFySPY0xUN+2F2FhCf5/A7uFUHywd0zNTswh0QJc93LBTh46clRLO+d4RKBiBSj3rah6Y5iXMw9N9o58tCRc9gFHrjfMNubopWHjDOO3ATUgqXrTp+fKVCmsGuGl1ComHxXV9i1AqHwzzY2JY2vFqo73jR3IElr6oChPIwcNokmNc0D4TXtjE0BoYkbWKJfHvJJihzMOvDicWUsemVHvua9/FBtpbHgpbgwijFPjtQF9Ldb8Swf
RQST: CAES6ysScQpvClkIARIQr9eKaJLrSluqx+2ZReWEFRoGYW1hem9uIjVjaWQ6ajc3SmJFeVZRVG11M1dNOWtoSTNnZz09LHI5ZUthSkxyU2x1cXgrMlpSZVdFRlE9PSoCU0QyABABGhB/hbmTRrE1x7j8wOxWK0g2GAEg4Inj4QUwFULrKgoPYW1hem9uLmNvbS1wcm9kEhAK5BG1lFqxWAW3sMi9W1UcGrAohz7fDPRAzvpgfAd8fu6FdwzenP32cm/Gky6ZI8dREX1VsL2ADYX6XMo8iwACQIPKJ9GPKXK9XKuQwa/Rg2o79k2zW3MJuQX3I8+7oaLgI/P3LJLzdOMMDrsRljlB0Qm8HtcF/EGrx7bNRqzZgiPWTwC0NVt+YcTz9Fe3VS8PQar40RLiCesWBY/FHGkqHBR5KaRafY6GyhVxzpaIEhCSEpNgHjjeMXyXQbK6f/JSN5Boe3AWGHyWX+5O1UkOciO7fUhKzPMUXDiUjH26q4R1DrqmNSHzZlncRhiirLxbScmfLVut8bgFcz9hMwPVVfPqB37qHeBp+hj0X0OMeM23BoTA/H4WsoXahIz+LtiiYRz557TPjIrZKRBNvfAVEi2aHiSjWt2fz6fReOBnRLcPY7vOjZJtvz3ylI6gMI48bxL8rHtcUon/MS5n60Gn2BWBK8o4AQFuN5p3MOXU/+HcpHjrAUy0mI87fib+xi3AREgimAhaIL1shCCCbaO+fo5C2zTsqdqMx/MEVWaJFuxzVDKuxtmCxqtz+8xjGg0wakkeIjJt/GFFz5Ui+RT9RcEwhTxCCORz8467drpwUoK3KmofxC62/M6hHEkQp7IalMgAa429GY4JliOeyWRPdYY0iRGspWnxo/CpdDbiOsY/5T+6vxtVTbKojmKtyAQVplKLQxVXjMt/0RHxI3Fau/Ncqe2sedhqji+dbzgGdsJyIrNyuzaR/FKPo+mpQiUuBQuunurj6wNNUX0VB0dmd3JXEtFgQPSEoBhuNzdw/yxz9JXRzmI38Gm6w3yezB57o1ryfso8Q7WGyGXPFNQ4Vo/thvDVGhqxIyrNZ2z3MGP/2chsYDoiIJUye+UrkHd9FhltEpFdQfO8gKjBVZwZcg8jXY+ayVHzOThg/+/a4Ld2bAOF3USlM+UgL/zfy7+E31TAsyYpbgXFa535RwIlXez8oKXhsnq13KMV2ZT2dt5Pw47u5qCeWd/Kpc/P0te2ia+40mexR5+OdaHY89ce+MjxcEZh7NOI/nOOXapv83KDbDNvS2TiG0e2ZJIHAJeTOxpXTFTYBDMzGJqgMM5p9b5QzLQ7BadNzeOz8v7H8qcPphUNdEA53VL2d9AkYdWaB8ParVfIrekksEKjwfshDFgAPR5vgsna48s9jPImF3GU1At5v41MJWW7Mi9t60hC3xq13SfQsyBfhYJ24ZHqJYtBAKZiQlR0C49JTzQSqdHnzb6O4tkRN8vnKV5u/oSUQPaSLqul00RacBilyF+leKlfTmHLqC0KY53rMA+F6Re/5MBIB4d8OU/w9drpZb/l1s2CQhy0UUt1tNqJJ3LPgJUYLjFyPGuNVYhTbIKYmL9AnjENTEOiwdL/YGhvgWAdPxfveFGorwTFjHDqWwS25win0y7XyLYYYqJ+KdrRRQHI6NYH6zKJwJ+FtR1wRCdl43EFSsiJ17paFQLw3+rKM6FuK45R+zhnR1ZRqVECEqCkBWoF8srKKMW/kDkRzrQ/TUpc1iE5HOP2KBRoomUT8kLqZpOfhst94f3IS4DOUwqsfsBa3uUX3DLkfyc0ofl1oMzkNvB5jwqhQ/hreLCiRRzOQoBRdajV58k8tIll8p2gSGvWW12QurtEFsQ3dJad3afK9cGfZ5TutkUZRH67MFJHHdrdCRn5rhCylkumgLto0yJmN7ciapDeMa3OPQ8UlhdR6bxcyiDM8ZooQkW2RA6+YuDFxOCbUzS3fT6yy2FtExiFObmETIPzC1DlZuAFAArpnDh1SvC3ME1H8DyNTMd8TB2CUnxG9jVZ0+LO/VfX4GN/TPng8BaWaFEJfOcyFV1mGEIfHaPDg/Suf0lFFgYfNh7UYYIY4s8M+/6xaL0XMUAxPQigQFUUFkY0gJVvnQk79On2aVqUTAOincjVdtYLhdjaVph6HZWQpx7vM88utBeSMAsyMzKVMH7txQKfFkesuoRRgr/fZ7ziBClSLwntttBvd+5jsn10l2Oxtfb1HL1BmirVm+nHO0DCvueqbzMBV1lr0QYtaI0SjaX3igTtDfR2IUlN7dff6AzHCd0il8LWS9LbCWnUaQivLi6etwzUPAA/OGP61kAT1lmMIIujAopielJfFP6+Mq9gcRPB2pifut54uCEapdKudv0+UBK0Fy7HQ1gVBIZ5+2sUjD05XYXQ88wh/fVYJmXX3eatw5erOgKNmzwrO8SGnnUPDpmtIL+AtS/eLclXI2r+AQXraP+RgQd31suxS1e3g6zG4C95Uyidg+/XJvmrsXcfRUpkRoSBTY93u/K1gDZ+eMak4ZFBUVW3gWvb3JbO6ubf7yJ+fz2bGEK/vNjN4e+9mxh2ZXRdv2RYBuSIivdWt4349mjNu7DU8QDSAizRt/off3cp7ABc4Bn8gE+4ZCHmMQ2IkPsPKoP3yHMibCQ7K0pYZQGr+7FWJ3YTGAEnSkdl41Rke7ruQfbPlXiUyi+1rMVATLzIpSegBpBbdLXWevBAy/AidRUAoBuoKATicQ0AZd6JySK15QzzgLyOdoytFZMRLNjdP4V5EepFLTAIUPgQ69YspiUEZXIAtCjckpTvhCqxX1i1js00y3PwxA8czgejq9CYH1HCc9SuhBgrAyU0T7Mx00tDgtu4NxZ5YGgvIxLA1gqGKBbQoRiDTv9Hnq3ia1668wn2xH22PPzX5ygXxc90qpfo910IY8kHJ8x/1fUJMwzioJUkbZMV89CXwR9eIuhvKnRNqUPXPojCYcdMblFsKAKcuwy3g723BX/nG0yaTdm9AyiFWRdIMLoN3/xJJPLcGbMQNfUXfGrHISRU/4UKN2SIuABoU/XkmjfY9/FgaWJwjLhF0Fv9lHQEnXJlMOiZQSWZdrvyqJqIQPpj3WcBIMprTZ745P135SNhzwFwgmosWklFQLzLDrx8P95nvmxfxgF1n5BQyRxgzj4riqyMth+rSH28QXiK+B4CKHPjDk+e6pgw4nBBWLZQZNUqzMy/5t4T6Ykc6TyxIzTIt163X30qJBbDwc6g6g/f+/YvBloPZjEsQuqmBi9cmHkSmaovwiqo2yz2YJ/wQaO0ssfSiWAgCLgX3EKO7IvQ2wo2Wx6VrIzLtFqrjycDI3OhEsB3pQuTxTKQ093F3c2kdP0nrfSn+9nRQDR+gWNtT3Obbud19H8MaCPMHTO6OBSRozsJzKzMy2N9R48BCTCgvhpFq2XAeoLAiv6l0g0TQVdBeL3ihih0rVP4Q5quMpGHo/4DxesO+nyzepfi3aXtfkLzOSulOrL1khR0UyskSTbohl3Iyybk3g4o4trZKlpHYNeANEsF1vUBAhXNt+HCPPHsrAS8Q00pKUbcVxUAcuAZlKJ56oRe0HB4H19CQVdvqbRHMoepQ9PR2/zCnBWJkKamDXY6CvEOEfS2Nn63esBxafSOU7jTcuETHMQbDbtRIvUPigYm1hLi9PXfJEUyoJdfn2tItU++8ZCH0TvHtivZp3Mzvre55aFzCovYIXTuPJfEwGAtgqv3ss9DAVGrd5ONNwnLPZzPCd3BMpnTcA9Qu4svZ9qW7dPilXpM8o0RUrdYrapcIYccwV74HBFv+XgqAjZULDdxetp4RiLak8vhF7q86QpU08OCYZYW/A9CNnlKuotCJxe61fiIAuSYH1vPdFKgBwdg7X3ZEIQd5nptwyGRr9T7/MJ51RB/p1Y8cLmksF/rmvb5bLyRGiuhCDNhT1yON8vR4bFBqDnR263zIbI3Ax1hPc5pmil0vJMelfmXfe/8SpOqYRR4pfXq3nXLPuYLnyy2gACrTnlL2jvH+XQIZtiAZFgGnlwF8vFON4HmHTW2yHNirU0GhmgbAkGmfYc6YkMzi1kS7X8TSypOh7+Bf5AKEmJAJdtsxHf3xKljFOs7p92LOBM+BuWubLEKW/LbSdfvNqhHycLFLY59l3gOCQ7eemdYFbbVHJ4CwoFnhefUdMVgrODYXYs/ayYFOfKyrijLYo7AzcPaO3cxq1mLouKe5dW2P9D5t2DuDFewz+u7Z1alfTJ5TNzycQkFK2JTMz2ENqojK+lwBZtQLWEqNWxURU8lrzwloLd38x69VtZDAMVQAULOGG1q7qUcAAds6oNK8/OnkldDYsgVW8y72RX1ZYcQscuG0P3jQA4KlbVWC0GBJW+1/PbegNg53KfOOHj/mUpp/eXBnDDgSmSZ2rW+nqUPYgwvjNU6BTmTwRaS+G+vX4OW2DTFx+mSfgkkGb6MefY5lS9Kn6NjcdVIZzq1J9x4LHFhjp9ubuqvkf4DZyRLMoAlpe3rdD3W9IxlMu6/gL2MwNb2QAflXLNN8Xyg3OUPi0qgkwjZCyllNsI8JEH5LDChX6BHQ6GOCnwnmC8lMh1zYP0auHB+DoDaF1Qw89TvY0ZMFWlPHy5BYPhsu8kRAFJ6IHojHE8OpcV1ncKBQcgtvgX5IIJdzlfYCYMLvk6AsUJJMS+S+NVZdchpWTCLQC0seJJIl9hL6tUhhyQ1s/Er1CCesIUfZREJnRbzsd5368dv7iJLML+eAgGQ5oJlh6jqlUF5tONi5FGJ4bPE/a8W6PbZcKAmIQ0AKct+nYfbolGF6v2fTOCdVxV8XTAHWy73vXqu/hMOXIa7LjxUmPG7+xQQKWQWOQAw6wGEOsw2CcJzFFmgRB7Tk+c5KHq2TCzif01/zcgSvKmRvplIE903oP2vN6a2K1gdwKQtXkPBU+Tzr9W7Pj6GGoSPK9kAAbkF/gI5TnKzWoUCex0F26LIRCTz3rWWwrXAgOUnrHp3SVd7+gopHSoasUoepLI3/iOZfUZOWua2rbRWg1KoG7XMRvYc0WD32Py49OLJsUBHpkqsdlpxN9KP51gy2kSKd/nN8LWRIggD2gWxT+jwbjvBhSz2yON4GgoBX5zR2UC97CATPuyrEI2Q9jCntXUYQY/1hBA7a/Ghdvl630lVSyJkhla1Ul8NdkHLKgNXwGSvoOtcQVST/hRByNdipJPlE3Zffu/qcupOQzJ6sB31Tm9Vn9RPWJ/U/U/5kmfhuktkLoZgVpVKzCXJbIS5RxatigYM8ahpkdKLFqtlMREJfNuAfJpgz9RhDZVyrvKOrJfjeY46QkZYbOtxo6MSnv6excp7ZgpZq1U5IjVIhYpxO6ITCZui1WJh9H7FheIEpAVQ1gQXQvmSi/zkaG8ukta6NcRzJsbJ1qzF5CFJwSmgJ9W2b1jxj+tqonv8R7nBqinIxPW6Hzeuty5N6pNwsed4EVOs7jgb9MgVRrsveqECEgTgByW2lvkcnz73Lfv5Ntjo12+SJjtAZkmgUBdRi1lAYVVGbOwApMWKkF9CFVCpXloU2lSFg1ZMwzcABbUo5vFVj0DJVwrgtqGLdMH4Hh7cVUtx71Xt7BvpbR54kHbbC2Sw/C1rFkm+EWbGUtnRTBoqMJny6JIiBT//dxwuY8Uy2qhoxJNL4fYs6GinHJIa+kI5zH844f53pJuzJMLtTCmJfn3GZLLHIIykPtcMw2XLMNBy8BTlOyjVdnS2O5jmZxM9TAi+0FxCAJmI7dHyDkCE5uhmvO1RVvoanHNNZYz08XREP1YH4B/o80VEtxPKiHK+R6+AXeZWC5ZJRd4RKfuuD4ap3WTR45uLmemRdOEikMc1eG6SlWdaQf+VThQbaHVNNfCWJBAU1EeJi1uaYyKokaLMrecMZhPgGsYYbhrIzQC3/Y4JzcdBMZSS0ZoQ6jQvTYBJy411IuTxqjZmt9oIwhvSYSO0+tTdEvuvwrlHc+Z5wrNh9efS5jFbWRuCH3BKwrb3NMrgMCaqUAnF+SCb683KYo+JXdA19ZqgQOT1k1ghOahYpP3ujI/H34RgUTF2g1lyY/v2kdHTwBpbf3TgVDQq0hsZtLGD6iZVZK02rNxT8+IYjDShVRhuDjrSoqwgDUEkqvB1J4SBY36luNNSA5d5hvR99z4VjANIVt8dOEPBCQ0TOInvOt5GrNetFKUPCOzmuun3VFoYmvaLDIFOo29MxAqhXj/Qjx/rMkj1VvV3JJWvOIYlALtyl5fNTKfPgygYp1NXzJdpvy+3c3r6E7uooXBR8HSroOzbOjXA4VmfDeLJrLDcUNKVgr2eNAWtVSr4909L4WYxTUNGIKRFJAzEbNBti6y/c0lk2ZyGQb3IF8eQ2YTwcI2RPczeT9gJEfOUNvejN+9T/GIgx30Rx7lHhCTy5dyLtooJ8+1BUCKH9blzyYRT1bX/Ce/T5hh3Z9Ujg2JZWSDn1TQY9ghq+/YGKlQRcywYManvS+K4tAm+c1EoKaLqTRsxcrWeelJMCP+zDnBDzzNxF4NmBfLdg56JG9XMQqw+ngDWhQwdV0ChAEZ23v88Mt+oqOrJmzLIoExz8LT4Pr38fcJo/Mv4AZh8qbwpkabzbfjmlcVNITyVNDa5U3gglYv1ttwcbjcjtHrO78jfttjbrNCARx90/7szIIJA72AV4mFE89h63LCYChDWjr8eIGtLGrX30dp21m293rl//ikWO+jxzIlgrlAPcIYU8leJV0KM3Vm7qnTovgJ10HA7SbkA39OKYjTq/jopceq7jUHiCdUyivjIUlvaFjbW/dKrC/5V/p37gvlUT3Q7g8Qh2I8e1fBVJxIhKPPW7eUkqNlgI2cdrPdfu6RuoCsiawi9GO24NUjnUABjv9fz/Lqn/R6Z71+9TGA0B1VXzL+YlLpmKuj2WmY/wOg0Z/N9xP8QYNBGtemVgpOBG4U8oBBhTGLGwP8CKrE5od/JkqPLXl81fMVak5UGKu5L/LElqkFPPcIyZ657sMYKuqus0/tx2vMUUbY9pfSyw/DT79oxeebEHewTjeym3e8QX0loyc3UooI20sc7/y5pu4WNXvYN8BfSGS4MTtIDhySw+64k/9F+WZRw1I4cqZlCnHAiEAtZbC2To+9NDFGzbacMtDkqgAJlw4/YThUqumpqH4o0irtkXhhqZ1qKHkNA07ZdI8mJxUydSr4/5hSo82tZCdGxXm8jiwg5bO2kzJxnqa9FE4lVOy2VAyrunu3mOi9uVSNgNB2miANQjR/1xelY0yFY3rx+W61gpRWrpmKTeCAOeLjsmDDpTgdkiy9yOI6KMAuNrb0YNvZeieJEpjcpX+MdobAzgYBGnJ57Rm5LP/8upoOliceWYN1Z+6EmUbI/CeRtcoloU7Oi0kRzf06fRPpuzUrqs/K10I9HmHro1bzobjE1jntTIGkzF4hVxy2QfzjqrcyHifzE++Opwpqa1VpGUsPF89ZzWujFVBrFctRmmjw1GoACOdJ+SEh2QPFZCO38SXLlstWCr3uoYYgPROIxA0pLljK0GoDwKRhZX0fiKTIofUwRSioaZffDHEA/KjJcnYpj+IX1sVQ2obrMN5uNVTdSe567kVpVZ/Ldo5LM588XkhN3HMr1jTDpOzE2/eup2hmNf0ymN+Ghfe43mY0LZMLeI/+Y4Nt7l+8S6Acf5E71nAiv8SjhCk6t5RBSlCRJhE20+KVJAIEy7A13qDVGfDFRgy+L2i1l56W+SuXtJmxYRzjN8GJsV4DsCaaFjyZJaYn4IKC5I+xtw2zrJt0nQoaAYhlPhaQPJfLaXqfr5A6sHQFevjTET/Scp9RqHplcd932JA==
RESP: CAIS6AIKIAoQf4W5k0axNce4/MDsVitINhII2glvUpoBk9cgASgAEhYIARAAGAAoADD/6A84AEIASABQAFgAGlYKEI++yWxMlUE5rt1jPZISN4ISEPdEN5FWTPjFIHFyp6AonH8aIOdcCTe9kU3kgSBfoVOc+yM4H7tCYsa+GW5TiqqdvRRzIAIoATICCAA6BggBECogABpyChCv14pokutKW6rH7ZlF5YQVEhAKKW7YLWp+F4p1Q8TcwcGWGiAJQf0Wq0Vu38J451Ufae3SrFwVIitr87VO9EbDEFvwYSACKAIyAggAOgYIARAqIABSCggAEL/eHxoCCABSDgjA3h8Q/////w8aAggBGlYKELdw1bS7a1lNr5hYRarpql8SEGDmtESrla46LD5CQaNfvUcaIO9aT9gwRQxjgTX+SZ58+mAE3fbqU6KCTAazGudj9AcfIAIoATICCAE6BggBECogACDgiePhBTgAUAIaIC7gttm1ojGfqfncoxtBx+CDdTN/gfsHjFADHk2Ej64TIoACR5fRCU12Y+mGNMLaAXAJEVL7YOpMXOVeH1eqWgpXJtfgRbl9L8fITgPYuO05zc1GMKn+9R00E14MY1SSNwBde8aiF+WkAkvTHR6YIff1n17PDCKFG8fr0KXMgVCtJb6bYspto7ITfq+6wE4L/NuS+IleHr5ZKFZHAYRTM7jAeW9SbBxa2/LsUtPJP9+UdN1erkquRBhaLNe2RHnuWDF12USge0cI5sHAZLdk8j82FzFcZHrfux/nv6RSsVH5up0pSxfBzKF4qd99a9AxnyX2G8l+atNW606EisDBPtNrwhb5jW7VJ6UVa8n2Rg11W03nT7oUW3JQtPhb/+XtgoXR+A==
{
    "id":{
        "requestId":"f4W5k0axNce4/MDsVitINg==",
        "sessionId":"2glvUpoBk9c=",
        "type":"STREAMING",
        "version":0
    },
    "policy":{
        "canPlay":true,
        "canPersist":false,
        "canRenew":false,
        "playbackDurationSeconds":"0",
        "licenseDurationSeconds":"259199",
        "renewalRecoveryDurationSeconds":"0",
        "renewalServerUrl":"",
        "renewalDelaySeconds":"0",
        "renewalRetryIntervalSeconds":"0",
        "renewWithUsage":false
    },
    "key":[{
        "id":"j77JbEyVQTmu3WM9khI3gg==",
        "iv":"90Q3kVZM+MUgcXKnoCicfw==",
        "type":"CONTENT",
        "level":"SW_SECURE_CRYPTO",
        "requiredProtection":{
            "hdcp":"HDCP_NONE"
        },
        "requestedProtection":{
            "hdcp":"HDCP_V1",
            "cgmsFlags":"CGMS_NONE",
            "disableAnalogOutput":false
        }
    },{
        "id":"r9eKaJLrSluqx+2ZReWEFQ==",
        "iv":"Cilu2C1qfheKdUPE3MHBlg==",
        "type":"CONTENT",
        "level":"SW_SECURE_DECODE",
        "requiredProtection":{
            "hdcp":"HDCP_NONE"
        },
        "requestedProtection":{
            "hdcp":"HDCP_V1",
            "cgmsFlags":"CGMS_NONE",
            "disableAnalogOutput":false
        },
        "videoResolutionConstraints":[{
            "minResolutionPixels":0,
            "maxResolutionPixels":519999,
            "requiredProtection":{
                "hdcp":"HDCP_NONE"
            }
        },{
            "minResolutionPixels":520000,
            "maxResolutionPixels":4294967295,
            "requiredProtection":{
                "hdcp":"HDCP_V1"
            }
        }]
    },{
        "id":"t3DVtLtrWU2vmFhFqumqXw==",
        "iv":"YOa0RKuVrjosPkJBo1+9Rw==",
        "type":"CONTENT",
        "level":"SW_SECURE_CRYPTO",
        "requiredProtection":{
            "hdcp":"HDCP_V1"
        },
        "requestedProtection":{
            "hdcp":"HDCP_V1",
            "cgmsFlags":"CGMS_NONE",
            "disableAnalogOutput":false
        }
    }],
    "licenseStartTime":"1547224288",
    "protectionScheme":0,
    "platformVerificationStatus":"PLATFORM_SOFTWARE_VERIFIED"
}

Unsigned Firefox build:

RQST: CAEShwwKhwsIARLrCQquAggCEhClyhWoPPCtgXQVfBFcDxnYGI22zdcFIo4CMIIBCgKCAQEA2DxCBE3/fBHAY5ifNYsmscwz87WfTDSXioACDSOb/rRr8L9RgfFFe/+3N0LOyiPPcwxHPwkzozwOPD1Qu3Edh+cobj3Pk7z+xjqi31hg/9ZIUB2suiSSz5ReLbv6MmlLYC01rUxqiGMGTfnjFlu19mcI4ckd0CivfrMXwW61ExZ4vlcQyTqX4TaiqcCM2n/bU9SL0YPSik87yDMszizz5MeaWgavJr9c3bU58W/7bN9SE4ZzosVYYzK8aMy6TXayI2HJ/i/zAdClYaJYL2ARGQqcNqhHSlPVabDb72O/xbPHpquT+LG6n0KkSOC6H2P+XQJS3mhfEODmq3IFCXUHHQIDAQABKOI7EoACj1gIxEnhc/5Bv/QfqsL/UAlTju0ie5Wjiw4RQ8lolRQ6xqOw3rOuQm60ALRFyr2e8NlKM/5u6hwYw1VOvbtg3jH53cB+PSOC16XyleELU9tWAXLiNR5TH0XMipgBQpxesUVBdcY4LTy5ZCuxwYfSmZ3x8fqS584uCCEoWqPx/+YUeUJb4VMdqyTd6EgRFp70mFgb83TE3W4wb1LSuLfuZQuqZgeaB6x+7T4HlgGW7GjQotAaeHYzk7cxjSEZDscXQRsh3/puNohVfkO0mx/ul/fYyQGwfT3WXW7Ee7cb7h0IJACZ5m1tjOmjmIGM/yuBiaR+KHJzEffcTkUVAC7mzBq0BQquAggBEhBTPD046AWb9VpLdNIONjAuGPyC5MsFIo4CMIIBCgKCAQEAwsB00VQL7FwCYFJ3VD7Ryj1sWtAIE4fd3B7SoLtxnZyquZUBqPNMSw3dBGACTXX56o/GO/7swFvgUlBcHuZmYxlR+fSgPZXsdqw9XsHQeQcWss+N3IwNDSKBD3hpFEEYNu4t1ZEAxoSsEr5WPFfeqgpfag6MqaRVmkD0bmGi3yCjvtg0tMwFQf2BOAAha/gTZ7N0KxFrIDcX8GUQiUUKI4l/4cvJwMOXDVNPXThvJk8GI2tpikMfApPwD+tCb6R6EfSeYt9rY0d5b2xRf5n6jx0TfzNsMz/MLxu5B9EGquvTkCWt6pJTi3uYrRG2ri7NqtGzhqPJ7VnFGW9CGJw54QIDAQABKOI7EoADcR7dmMcXcyCMLxGbm71P7EI4BmVShv3wUuLRTNDFFbSp8RhCLCXCxQnh+Gx4AnFewHTCGxqVzLfEukL5YG/sZCyNXxmjBjRqXIABumjUUZjTNjMHus6g8h1dMmQHc7e8Twi7TeYk7XLdmzB9OZZ0VC+sSmoWyh5M+psdzOTiGmHtjFVwiKpPbX6ceaqgi/XMDk3wz/V6TgfjbLJgn4aCRFXA7/5ow9Cez/pFygkK9+/DkIgC2fo4uQ9uLWnuhs8cm46yb87+y8wcrEETXuvsIS90pnjpvc094UzuY6T4e0ACql+zf/P0Cqdu+ZEZTjQpXuVgSZpdDfNoG6Z9EMlP6yz5D1uTEyCyvsYzIA1cFwE69rcUCH6EJ4+LYf2pl+9cmXUKbiBeUrCAfdK82ih+xaEYsTNBI1biUd1WPy0kzOVCA/4HeN7XfmDsAa/4XGod2IxDXXjWcLKPNllv6RGYIlvMKcDSquElyS9kVKr12Zz7+dvh0zjq9R2Y5xsSN7VUGhsKEWFyY2hpdGVjdHVyZV9uYW1lEgZ4ODYtMzIaFgoMY29tcGFueV9uYW1lEgZHb29nbGUaFwoKbW9kZWxfbmFtZRIJQ2hyb21lQ0RNGhgKDXBsYXRmb3JtX25hbWUSB1dpbmRvd3MaIwoUd2lkZXZpbmVfY2RtX3ZlcnNpb24SCzQuMTAuMTE0Ni4wMggIABAAGAEgARJxCm8KWQgBEhCPvslsTJVBOa7dYz2SEjeCGgZhbWF6b24iNWNpZDpqNzdKYkV5VlFUbXUzV005a2hJM2dnPT0scjllS2FKTHJTbHVxeCsyWlJlV0VGUT09KgJTRDIAEAEaEGmF60CJUlos6PvdoxlOJVIYASC9xvzhBTAVGoACaCDPuJ86j9hRgQ0whPkdEKkVLycD+dcEkqQZcd2/bw3ODjtvXLZSGyc+3vvSFtegC/Pf4ND1qTFwiahPR9deEcZGrIPDDgunG2bZqHEpelZa3YFTCS99vWcTqTybzXCPJpVGb39rhp0P7+t3vH+Hch9xK5FY+3m3k4onkIKjOx+3J9MJtnAqv8KfYI4G3d8jWs4qN79IhYyQUeOUgVKJfqkYTuAXHj+7Uc/DanHbZ86Ue2H9HyWUki2zEaHdfsrchDqawH47uoD5LVtHqz3osTsXk+rm2PhLWq2Ag55upK6B1H41hSIgATaibQbw1CZuuXPEfly1l2WyI+YOUKoOHA==
RESP: CAIS6AIKIAoQaYXrQIlSWizo+92jGU4lUhIIq+u7I0FAfMcgASgAEhYIARAAGAAoADD/6A84AEIASABQAFgAGlYKEI++yWxMlUE5rt1jPZISN4ISENvl6xktnffotxlU7BeBMt4aIMDg+x1P+zedOr9n6fjjq2Punlta3Geyt7w26HU7QSHLIAIoATICCAA6BggBECogABpyChCv14pokutKW6rH7ZlF5YQVEhC2Y2POhRWvJ03ztCS2e2O0GiAXN2qI4vgdS91jk4vAYTje4+uPSLUfyObiZ3YDR4diACACKAIyAggAOgYIARAqIABSCggAEL/eHxoCCABSDgjA3h8Q/////w8aAggBGlYKELdw1bS7a1lNr5hYRarpql8SEPAQ1CRDPmLgXw3hZ1xDemwaIBqUQtDtHZr9M0+Fj0fq0eTQ3Q3UgMockMW/izniT7lSIAIoATICCAE6BggBECogACC9xvzhBTgAUAAaIJFRnnXysNrN5gpot+zZ/CcmIViRjlADWJnBI0zFWFocIoACbko1gWM70eGvMAtHltWQPd8q1PFP5xpOgI8DLttlxiXYWzDY3brDduagJWPt1ygBhIs/xNA9Fbsi9Vm3+g+/U773Jc0QDt0WpTV26xZG5NugCIti7ySVkUfYr7WKVfuJ3TvgVC5hPqmYF749eTNRsxljUYvXU6QUUMGMAlMzIp7AsPAwRIpVaARijjv3rKhavfPjC6ChgnGNsw6HVrxEyqBSnKe82TR1XNUfk2mLgeBZfpRji+cCeDzCm4n/sT7E+Yqm8ozUVfbQyGBbZTpukl+tXXIvDY2MYyvjblulrdYxYqNVCPnLyW0p+LGDD4xXbEcNqlgmIlvk4Kn6VH4o8g==
{
    "id":{
        "requestId":"aYXrQIlSWizo+92jGU4lUg==",
        "sessionId":"q+u7I0FAfMc=",
        "type":"STREAMING",
        "version":0
    },
    "policy":{
        "canPlay":true,
        "canPersist":false,
        "canRenew":false,
        "playbackDurationSeconds":"0",
        "licenseDurationSeconds":"259199",
        "renewalRecoveryDurationSeconds":"0",
        "renewalServerUrl":"",
        "renewalDelaySeconds":"0",
        "renewalRetryIntervalSeconds":"0",
        "renewWithUsage":false
    },
    "key":[{
        "id":"j77JbEyVQTmu3WM9khI3gg==",
        "iv":"2+XrGS2d9+i3GVTsF4Ey3g==",
        "type":"CONTENT",
        "level":"SW_SECURE_CRYPTO",
        "requiredProtection":{
            "hdcp":"HDCP_NONE"
        },
        "requestedProtection":{
            "hdcp":"HDCP_V1",
            "cgmsFlags":"CGMS_NONE",
            "disableAnalogOutput":false
        }
    },{
        "id":"r9eKaJLrSluqx+2ZReWEFQ==",
        "iv":"tmNjzoUVrydN87QktntjtA==",
        "type":"CONTENT",
        "level":"SW_SECURE_DECODE",
        "requiredProtection":{
            "hdcp":"HDCP_NONE"
        },
        "requestedProtection":{
            "hdcp":"HDCP_V1",
            "cgmsFlags":"CGMS_NONE",
            "disableAnalogOutput":false
        },
        "videoResolutionConstraints":[{
            "minResolutionPixels":0,
            "maxResolutionPixels":519999,
            "requiredProtection":{
                "hdcp":"HDCP_NONE"
            }
        },{
            "minResolutionPixels":520000,
            "maxResolutionPixels":4294967295,
            "requiredProtection":{
                "hdcp":"HDCP_V1"
            }
        }]
    },{
        "id":"t3DVtLtrWU2vmFhFqumqXw==",
        "iv":"8BDUJEM+YuBfDeFnXEN6bA==",
        "type":"CONTENT",
        "level":"SW_SECURE_CRYPTO",
        "requiredProtection":{
            "hdcp":"HDCP_V1"
        },
        "requestedProtection":{
            "hdcp":"HDCP_V1",
            "cgmsFlags":"CGMS_NONE",
            "disableAnalogOutput":false
        }
    }],
    "licenseStartTime":"1547641661",
    "protectionScheme":0,
    "platformVerificationStatus":"PLATFORM_UNVERIFIED"
}

Kodi with the Inputstream.Helper downloaded Widevine CDM:

RQST: CAEShgwKhgsIARLrCQquAggCEhAZj62gkJOXXXaMFkjqJD0tGNqb5MsFIo4CMIIBCgKCAQEA5ErxleIO2jsTG/3iGdvRLuL/EU73oLS+dGCvrSXynYRgOCo8uXkrIgoPZ0kCWK3JIcoUezix7w8yC2W5AmbyJ/af9Nq1Tyj8lMAIj14RWioXCAOxo+nH0wcz3lXQ9xdnLDCyO32Q2ieSR6ztFfn7f3U0FqOMkXloUKQhGTeqskuIz1PS8oIPVdgLQuASseQfSF8joOo4el64pAu70nGq0mxQhPWqxbVmSmwK6ll1hERLwRqeWaeWvWl+BsmPBATzvvCzavyP/INLd0jk25tYwB8fdskUTGa4EsEy1/m1jbYHKYV0KyPJ4HhceITPeRc7yEfLurwfsZxB3mcjxP9PCQIDAQABKOI7EoACgLrYCAjdgUp4LCRVy8bDxl/UL2YW91D7VTCMOmCpfRYShnBSgNJ7Lyl/ZPWwmo0Um4kbt3/j0gHh6c0w8S2mFE/cE9J9O4L7ud4YgdDInh6LRzvlJ0XGt6c8uxY05Cp85C+VLp7HW9WIGL4S3MhT5jQkfPSOiKCNEC5gtaUmFdrNNMvXUH3OSyX68r+IXs3eBsyBV1mSdJYfFqHyB8zWAX4RWghgEhWVL8TQ2o4Ahji7vSvbrZydZsSA8mswIvfpL3AN+iD+Dc9090DObj5hNIyBA9vEIbCNENPpTLSvBb1eaH7XQG7Z2SvPofDBO8h8RD5ewQfRF/kgidgkhVT2Uhq0BQquAggBEhBTPD046AWb9VpLdNIONjAuGPyC5MsFIo4CMIIBCgKCAQEAwsB00VQL7FwCYFJ3VD7Ryj1sWtAIE4fd3B7SoLtxnZyquZUBqPNMSw3dBGACTXX56o/GO/7swFvgUlBcHuZmYxlR+fSgPZXsdqw9XsHQeQcWss+N3IwNDSKBD3hpFEEYNu4t1ZEAxoSsEr5WPFfeqgpfag6MqaRVmkD0bmGi3yCjvtg0tMwFQf2BOAAha/gTZ7N0KxFrIDcX8GUQiUUKI4l/4cvJwMOXDVNPXThvJk8GI2tpikMfApPwD+tCb6R6EfSeYt9rY0d5b2xRf5n6jx0TfzNsMz/MLxu5B9EGquvTkCWt6pJTi3uYrRG2ri7NqtGzhqPJ7VnFGW9CGJw54QIDAQABKOI7EoADcR7dmMcXcyCMLxGbm71P7EI4BmVShv3wUuLRTNDFFbSp8RhCLCXCxQnh+Gx4AnFewHTCGxqVzLfEukL5YG/sZCyNXxmjBjRqXIABumjUUZjTNjMHus6g8h1dMmQHc7e8Twi7TeYk7XLdmzB9OZZ0VC+sSmoWyh5M+psdzOTiGmHtjFVwiKpPbX6ceaqgi/XMDk3wz/V6TgfjbLJgn4aCRFXA7/5ow9Cez/pFygkK9+/DkIgC2fo4uQ9uLWnuhs8cm46yb87+y8wcrEETXuvsIS90pnjpvc094UzuY6T4e0ACql+zf/P0Cqdu+ZEZTjQpXuVgSZpdDfNoG6Z9EMlP6yz5D1uTEyCyvsYzIA1cFwE69rcUCH6EJ4+LYf2pl+9cmXUKbiBeUrCAfdK82ih+xaEYsTNBI1biUd1WPy0kzOVCA/4HeN7XfmDsAa/4XGod2IxDXXjWcLKPNllv6RGYIlvMKcDSquElyS9kVKr12Zz7+dvh0zjq9R2Y5xsSN7VUGhsKEWFyY2hpdGVjdHVyZV9uYW1lEgZ4ODYtNjQaFgoMY29tcGFueV9uYW1lEgZHb29nbGUaFwoKbW9kZWxfbmFtZRIJQ2hyb21lQ0RNGhgKDXBsYXRmb3JtX25hbWUSB1dpbmRvd3MaIgoUd2lkZXZpbmVfY2RtX3ZlcnNpb24SCjEuNC45LjEwODgyCAgAEAAYASABEnEKbwpZCAESEK/XimiS60pbqsftmUXlhBUaBmFtYXpvbiI1Y2lkOmo3N0piRXlWUVRtdTNXTTlraEkzZ2c9PSxyOWVLYUpMclNsdXF4KzJaUmVXRUZRPT0qAlNEMgAQARoQxMIPzM1DVYbcWcWT4/zW/hgBIOPJ/OEFMBUagAKSwtuGZVmOGzgRiXICnGHXVNPZsoZgtMiOGL5hMCJDOOwMHDjsFj53XWCAxFazGG2qdU4muV9urUFSsPaSQuaiqwMLtm8xIkhKLjYrvEesHwkBcW9YmciUczwOii0KbSTQVFom1Fi+YIzt1vwsWfbxcx3UtzhwIPE1cwQCg8KnsmOFSjMkUI+k9BEUMfjnPccnHABeSZDwss7ehLksWBd2jbQkwRFvA3HyIjv4318jOKqhYNKR8g0otTDzH+tchruEaOcOVrzXVyQLrutlDwVZrn67yF63tcRb5gO2ok5+FKeD85Xtz69yG3hx6y6uaMf0O1Iuzkp3z3pjyNImKVBD
RESP: CAIS6AIKIAoQxMIPzM1DVYbcWcWT4/zW/hIIeMIpKZHlIUggASgAEhYIARAAGAAoADD/6A84AEIASABQAFgAGlYKEI++yWxMlUE5rt1jPZISN4ISEK4riVmZJPz8Ezd55h9l+UoaICMYjht43KF+Uc2nyQdHyYfW0Dc32FfE/MjoS8ar0qbRIAIoATICCAA6BggBECogABpyChCv14pokutKW6rH7ZlF5YQVEhD0L/upmCD1EBnVHV1YVws/GiBXypDlOLWp3vgX9YSBk7eQzGrQVIqBFxY6YcLIR3k9EiACKAIyAggAOgYIARAqIABSCggAEL/eHxoCCABSDgjA3h8Q/////w8aAggBGlYKELdw1bS7a1lNr5hYRarpql8SEOAAd25HPZbmU2iT6PazDo4aIAmvERqRB1hBO9lXW91Sawd4IpGH+ffOUpXgk1fv8a8NIAIoATICCAE6BggBECogACDjyfzhBTgAUAAaIL//zXVVCezRgHISSQBbyI/EbE8l+JqxviYsLK/cNVIGIoACBiPpHmeZ2hiv4BO18uay0awVDmviq77oTqgHBRN/cBSLTh5Z6CKPiq2OX/p1H2wDpI3FF7wTLBLmWTe5edafwZijtST7HT4RZI332lau+EYk3S75WC7q+mxvB6/xWSP2aL76T5uTlHFbVL8/nx5V07cbMgki6XIeG9iLzD7Yet1MP8eAOj4lkQC43DJaHCDNxb5NKfVfRwexmhr/OAw3hi/YtGkxb4I8+hUSEA1mJ/7NsgRBHUwsYTUV4wL18JrnHSaQGlMAaT0/OuinwUTbzbdIjGvUGAi6Lo3vNRgHVtST5koFscumf0XvJj9Q5RIixia27zlKofBeVWBhVUfvHQ==
{
    "id":{
        "requestId":"xMIPzM1DVYbcWcWT4/zW/g==",
        "sessionId":"eMIpKZHlIUg=",
        "type":"STREAMING",
        "version":0
    },
    "policy":{
        "canPlay":true,
        "canPersist":false,
        "canRenew":false,
        "playbackDurationSeconds":"0",
        "licenseDurationSeconds":"259199",
        "renewalRecoveryDurationSeconds":"0",
        "renewalServerUrl":"",
        "renewalDelaySeconds":"0",
        "renewalRetryIntervalSeconds":"0",
        "renewWithUsage":false
    },
    "key":[{
        "id":"j77JbEyVQTmu3WM9khI3gg==",
        "iv":"riuJWZkk/PwTN3nmH2X5Sg==",
        "type":"CONTENT",
        "level":"SW_SECURE_CRYPTO",
        "requiredProtection":{
            "hdcp":"HDCP_NONE"
        },
        "requestedProtection":{
            "hdcp":"HDCP_V1",
            "cgmsFlags":"CGMS_NONE",
            "disableAnalogOutput":false
        }
    },{
        "id":"r9eKaJLrSluqx+2ZReWEFQ==",
        "iv":"9C/7qZgg9RAZ1R1dWFcLPw==",
        "type":"CONTENT",
        "level":"SW_SECURE_DECODE",
        "requiredProtection":{
            "hdcp":"HDCP_NONE"
        },
        "requestedProtection":{
            "hdcp":"HDCP_V1",
            "cgmsFlags":"CGMS_NONE",
            "disableAnalogOutput":false
        },
        "videoResolutionConstraints":[{
            "minResolutionPixels":0,
            "maxResolutionPixels":519999,
            "requiredProtection":{
                "hdcp":"HDCP_NONE"
            }
        },{
            "minResolutionPixels":520000,
            "maxResolutionPixels":4294967295,
            "requiredProtection":{
                "hdcp":"HDCP_V1"
            }
        }]
    },{
        "id":"t3DVtLtrWU2vmFhFqumqXw==",
        "iv":"4AB3bkc9luZTaJPo9rMOjg==",
        "type":"CONTENT",
        "level":"SW_SECURE_CRYPTO",
        "requiredProtection":{
            "hdcp":"HDCP_V1"
        },
        "requestedProtection":{
            "hdcp":"HDCP_V1",
            "cgmsFlags":"CGMS_NONE",
            "disableAnalogOutput":false
        }
    }],
    "licenseStartTime":"1547642083",
    "protectionScheme":0,
    "platformVerificationStatus":"PLATFORM_UNVERIFIED"
}

Varstahl commented 5 years ago

I was just checking the licenses back, so basically all these problems are due to the fact that there's no proper setup for HDCP_V1 (1088x464=504832, shy of ~15k pixels from the HDCP requirement).

Edit: granted, request encryption is still desirable, but still… also @aers if keyType=SERVICE_CERTIFICATE doesn't indicate the certificate to be used in the SSC, do you know what it is?

aers commented 5 years ago

Yes, that's exactly whats happening. CDM is checking for HDCP and failing, so it wont run decrypt routine. There is no issue here with your requests to Amazon or the version or anything, the license Kodi is getting contains all the proper keys. I didn't actually know someone had the protobuf for License available to decode publicly :)

And that is the SSC. That image is from the CAQ= request, right? That's what you need to provide to the CDM via SetServerCertificate to enable encrypted client IDs. As binary data, not b64, of course.

The CAQ= message is just this, in terms of the Widevine protobuf messaging format:

SignedMessage, type = SERVICE_CERTIFICATE_REQUEST, all other fields blank

or binary data "08 04", since type=04 is SERVICE_CERTIFICATE_REQUEST :)

For ChromeCDM privacy mode this needs to happen:

make request to Amazon for MPD
make request to Amazon for service cert
call SetServerCertificate with cert
call CreateSessionAndGenerateRequest with init_data (PSSH), generated request is now encrypted

(yes, Chrome CDM adapter code calls it Server cert, when widevine spec calls it Service cert, some miscommunication here :P)

peak3d commented 5 years ago

@Varstahl for kodi simply pass the b64 encoded server certificate using the listitem property Edit: I still believe that the information from the FileIo object are still required for the workflow.

aers commented 5 years ago

Uh can you tell what file its reading because its probably the signature files for VMP. Which you cannot have for Kodi.

(widevinecdm.dll.sig, chrome.dll.sig, chrome.exe.sig, chrome_child.dll.sig on Chrome)

Varstahl commented 5 years ago

And that is the SSC. That image is from the CAQ= request, right? That's what you need to provide to the CDM via SetServerCertificate to enable encrypted client IDs. As binary data, not b64, of course.

Yes, that is from the CAQ= challenge request. I don't think I can avoid passing the b64 though, since it's in the license response. Or maybe you just mean "take the response, b64 decode it and pass the response license binary blob"? It's still not implemented in IS.A but I can try that.

or binary data "08 04", since type=04 is SERVICE_CERTIFICATE_REQUEST :)

Yay, I'm just stubborn, not stupid.

@Varstahl for kodi simply pass the b64 encoded server certificate using the listitem property

I did, but it didn't change anything. ~It's not used within IS.A I think. At least unless I'm looking at the wrong tree, there's no SetServerCertificate.~

I still believe that the information from the FileIo object are still required for the workflow.

As I'm using PrimeVideo.com and not Amazon.TLDs I'm not sure we're experiencing the same things. I haven't encountered any FileIo as far as I can tell, so far.

peak3d commented 5 years ago

@aers I have to recompile newer windows version tonight. Unfortunately the file is inside sandboxed FS storage, this one is not nice to read

aers commented 5 years ago

Yes, that is from the CAQ= challenge request. I don't think I can avoid passing the b64 though, since it's in the license response. Or maybe you just mean "take the response, b64 decode it and pass the response license binary blob"? It's still not implemented in IS.A but I can try that.

The license response for '0804' IS the service cert, its not actually a license :)

https://ybin.me/p/7a4b85be6c992dab#I2RLfIt4ZZfZpwEyu+cUe5F1BvPeadswVnyVeXUWbBU=

With HDCP issue I dunno its been 2 years since i looked at wvdecrypter code (since old days of original version on libertydev's github in 2016), I dunno if its even possible to 'enable' HDCP in ChromeCDM without using browser. Kodi would need to support enabling HDCP, because then CDM will query and see it. I guess.

Varstahl commented 5 years ago

The license response for '0804' IS the service cert, its not actually a license :)

Yeah, I expressed myself poorly, what I meant is that in theory the JSON value associated with widevine2License.license can't be parsed to extract the keyId without the widevine verification toolset, so I assume you meant take the response, decode it into binary form and pass the blob to the function. Poor wording, sorry.

https://ybin.me/p/7a4b85be6c992dab#I2RLfIt4ZZfZpwEyu+cUe5F1BvPeadswVnyVeXUWbBU=

Great, that's one thing clear at least.

I dunno if its even possible to 'enable' HDCP in ChromeCDM without using browser

Wish I knew more myself.

Edit: also I just went back and retraced the service certificate issue. @peak3d Yes, in the code it seems used, but that didn't change the fact that the license request was not signed.

Varstahl commented 5 years ago

Recompiled IS.A and checked the logs, but

  NOTICE: Creating InputStream
   DEBUG: ADDON: Dll Initializing - InputStream Adaptive
   DEBUG: Loading settings for plugin://plugin.video.amazon-test/?mode=PrimeVideo_Browse&path=root-!!-Watchlist-!!-Film-!!-0RZECTRBZS9IAHQ8A88PBMXQBK
   DEBUG: SECTION:LoadDLL(C:\Users\Varstahl\AppData\Roaming\Kodi\addons\inputstream.adaptive\inputstream.adaptive.dll)
   DEBUG: Thread BackgroundLoader start, auto delete: false
    INFO: AddOnLog: InputStream Adaptive: SetVideoResolution (1920 x 1080)
   DEBUG: AddOnLog: InputStream Adaptive: Open()
   DEBUG: AddOnLog: InputStream Adaptive: found inputstream.adaptive.license_key: [not shown]
   DEBUG: AddOnLog: InputStream Adaptive: found inputstream.adaptive.license_type: com.widevine.alpha
   DEBUG: AddOnLog: InputStream Adaptive: found inputstream.adaptive.manifest_type: mpd
   DEBUG: AddOnLog: InputStream Adaptive: found inputstream.adaptive.server_certificate: [not shown]
   DEBUG: AddOnLog: InputStream Adaptive: found inputstream.adaptive.stream_headers: user-agent=Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0

with a valid server certificate still doesn't encrypt.

peak3d commented 5 years ago

@Varstahl for what reason you need to recompile is.a ?

Varstahl commented 5 years ago

@Varstahl for what reason you need to recompile is.a ?

No reason whatsoever. I set up a fast way on my development machine to easily have updated binaries, since I wanted to poke around the server certificate issue. The recompiled version is straight from the master branch though, so feel free to disregard that, I didn't actually touch the code yet.

peak3d commented 5 years ago

Ok, just wanted to make sure that you don't implement already existing features

aers commented 5 years ago

The only thing I can think of is that it's rejecting the service cert for some reason. You would have to have a way to check the Promise result for that, I think.

peak3d commented 5 years ago

Yes could be, @Varstahl you can add some

client_->CDMLog("Text");

inside these 3 methods: https://github.com/peak3d/inputstream.adaptive/blob/master/wvdecrypter/cdm/media/cdm/cdm_adapter.cc#L452-L468

Varstahl commented 5 years ago

Question. shouldn't SetServerCertificate and the subsequent CreateSessionAndGenerateRequest have the same promiseId? Because as it stands SSC is always called with a promiseId=0 https://github.com/peak3d/inputstream.adaptive/blob/master/wvdecrypter/wvdecrypter.cpp#L437.

Yes could be, @Varstahl you can add some client_->CDMLog("Text"); inside these 3 methods

SetServerCertificate
  DEBUG: AddOnLog: InputStream Adaptive: VARSTAHL: OnRejectPromise
CreateSessionAndGenerateRequest
  DEBUG: AddOnLog: InputStream Adaptive: VARSTAHL: OnResolveNewSessionPromise
  DEBUG: AddOnLog: InputStream Adaptive: CDMMessage: 3 arrived!

  DEBUG: AddOnLog: InputStream Adaptive: VARSTAHL: OnResolvePromise

I'll check the content of the certificate.

peak3d commented 5 years ago

This is lazyness, each call should become a unique id so you can reference in resolve / reject to the request (its async)

Edit: Can you post the server_certificate b64 string you pass to is.a ?

Varstahl commented 5 years ago

Edit: Can you post the server_certificate b64 string you pass to is.a ?

It's here in the first code block, as CAQ=.

Edit: I've double-checked that the b64 string is the same one as passed to IS.A. Also the decoded string matches the length that it's supposed to match. So, assuming b64_decode in helpers.cpp works properly ~(which I didn't check yet)~, it's either one of the following:

we are messing something up with the requests
widevine won't accept anything from non verified binaries (possible, if not probable).

After all, come to think of it, if Widevine was to accept any service cert coming its way, wouldn't that mean that by forging a server cert one could use the publicly available wv tools on the fly to decrypt the VW VMP data? That would also explain why firefox/chromecdm, after being recompiled, won't even bother asking the service certificate in the first place.

Varstahl commented 5 years ago

So, to sum up the situation:

Encrypted client id is forbidden by Widevine.
Resolutions higher than 1088x464 is forbidden by HDCP_V1.
I wasted a week chasing the impossible.

Which means that if I want to watch a 1080p movie off amazon servers on Kodi, I can download the encrypted DASH, let a bruteforcer run overnight, get the decryption key, reassemble the mp4 automatically and watch it to my heart's content. But if I want to do it legitimately without breaking the DRM, I can't. Reminds me a lot of videogames DRMs, they do nothing to stop piracy but hinder legitimate use. Which brings us back to the point of DRMs being stupid.

I guess I'll go study HDCP for the sake of it, since I learnt quite a bit from this journey. Thanks a lot to you both, @aers and @peak3d, much appreciated :)

aers commented 5 years ago

They're 128bit AES keys you're gonna be brute-forcing for more than a night. :P

Amazon used to only require HDCP for movies and not show episodes, but I guess they do for all content now?

Varstahl commented 5 years ago

They're 128bit AES keys you're gonna be brute-forcing for more than a night. :P

There are multiple attack approaches nowadays that can help break even RSA in a manner of hours. It all depends on the algorithm and the ability to parallel process.

Amazon used to only require HDCP for movies and not show episodes, but I guess they do for all content now?

Still does ~afaik, the limit is only for movies. Unless they changed something overnight~.

aers commented 5 years ago

Oh I didn't even know that was the context for this discussion. Its always been that way then.

mirh commented 5 years ago

So.. I bend down to master reversers. Very quickly I just wanted to apologize for my forgetting above, that you don't need "system DRM" if you ship yours in the apk.. Which is sad because it means any kind of "quick" support will have to rely on the system indeed (though, hurray, on the other hand SL2000 still isn't into "impossible even in principle" territory?)

Just for the very records of you all gentlemen then.. I just tried my monitor over the famously as free and unprotected as you can get VGA, and the aforementioned prime video from firefox was still giving me HD.

Varstahl commented 5 years ago

Just for the very records of you all gentlemen then.. I just tried my monitor over the famously as free and unprotected as you can get VGA, and the aforementioned prime video from firefox was still giving me HD.

"disableAnalogOutput":false. Unless we're going back to VGA support for Kodi… it's working as expected. Digital gets protected, analogues gets a free pass. Remember that it's Widevine that decides how to show it to monitor. So, in theory, if you disconnect your monitors and connect a VGA to your graphic card (or maybe to your Intel GPU?) it should work. For anyone else, unless/until Kodi/IS.A support HDCP, it won't.

Which has me curious, but in all reality, shouldn't HDCP really only consist in supporting Intel's hardware passthrough, through CDM_Proxy?

BTW, I didn't give up, I'm just exhausted by a week of reversing, and supporting HDCP is kind of more complicated than simply "fetching stream X or certificate Y".

mirh commented 5 years ago

(I'm not sure why kodi would need something special to support vga cables) EDIT: I understood now you meant the other way around

Anyway, well it seems for some dank reason they seem to call already a day with CGMS protection on here. But I'm digressing now. Good luck.

Varstahl commented 5 years ago

I'm not sure why kodi would need something special to support vga cables

Playback over VGA from Kodi should already work, unless it needs the chrome_cdm proxy stuff, I'm not sure.

peak3d commented 5 years ago

@Varstahl the server_certificate you picked from trace is meant to be passed to UpdateSession(). I could believe that this binary blob is not valid for SetServerCertificate() as we do if you pass it through listitem property.

Still the big question is what happens before the first call to force widevine to request the certificate. Coulkd be that PSSH from file is modified / appended in the js player.

Have you compared the PSSH init data from what is fed in FF and what is fed in is.a ? is.a writes a file called [HEX].init in the cdm folder

Edit: I f*** up my windows server during chromium compilation -> need some time to set up the device again

Varstahl commented 5 years ago

I haven't touched anything yet past the point I last wrote an update, I focused a bit on the immediate problems the addon had elsewhere. I was also interested in checking the implementation differences (if any) between Firefox and Chromium, so at the moment I'm setting up the workspace for the latest, so I can poke & prod at my leasure.

Still the big question is what happens before the first call to force widevine to request the certificate. Could be that PSSH from file is modified / appended in the js player.

The only way to know for sure would be to break the anti-debug embedded in the widevinecdm.dll, attach a debugger and sniff the API calls. In part I did, but without breaking the anti-reversing techniques wvcdm refuses to work properly.

As a side note, @peak3d, if you want to actively debug the issue, I could probably set up a private proxy server for Widevine authentication, in a while. MPD & data streams don't require authentication, so that shouldn't be a problem.

Varstahl commented 5 years ago

I'm sorry for the delay, but I've had quite a few workstation problems of my own. Plus, Chromium is refusing to properly load Widevine despite my best efforts. I might drop Chromium altogether and just get the data off Firefox. I'll compare the PSSH data as soon as these toolchains start to collaborate…

Varstahl commented 5 years ago

Have you compared the PSSH init data from what is fed in FF and what is fed in is.a ? is.a writes a file called [HEX].init in the cdm folder

At first glance everything seems quite the same:

Full PSSH as reported by Firefox:
00000000  00 00 02 8C 70 73 73 68 00 00 00 00 9A 04 F0 79  ...Œpssh....š.ðy
00000010  98 40 42 86 AB 92 E6 5B E0 88 5F 95 00 00 02 6C  ˜@B†«’æ[àˆ_•...l
00000020  6C 02 00 00 01 00 01 00 62 02 3C 00 57 00 52 00  l.......b.<.W.R.
00000030  4D 00 48 00 45 00 41 00 44 00 45 00 52 00 20 00  M.H.E.A.D.E.R. .
00000040  78 00 6D 00 6C 00 6E 00 73 00 3D 00 22 00 68 00  x.m.l.n.s.=.".h.
00000050  74 00 74 00 70 00 3A 00 2F 00 2F 00 73 00 63 00  t.t.p.:././.s.c.
00000060  68 00 65 00 6D 00 61 00 73 00 2E 00 6D 00 69 00  h.e.m.a.s...m.i.
00000070  63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 2E 00  c.r.o.s.o.f.t...
00000080  63 00 6F 00 6D 00 2F 00 44 00 52 00 4D 00 2F 00  c.o.m./.D.R.M./.
00000090  32 00 30 00 30 00 37 00 2F 00 30 00 33 00 2F 00  2.0.0.7./.0.3./.
000000A0  50 00 6C 00 61 00 79 00 52 00 65 00 61 00 64 00  P.l.a.y.R.e.a.d.
000000B0  79 00 48 00 65 00 61 00 64 00 65 00 72 00 22 00  y.H.e.a.d.e.r.".
000000C0  20 00 76 00 65 00 72 00 73 00 69 00 6F 00 6E 00   .v.e.r.s.i.o.n.
000000D0  3D 00 22 00 34 00 2E 00 30 00 2E 00 30 00 2E 00  =.".4...0...0...
000000E0  30 00 22 00 3E 00 3C 00 44 00 41 00 54 00 41 00  0.".>.<.D.A.T.A.
000000F0  3E 00 3C 00 50 00 52 00 4F 00 54 00 45 00 43 00  >.<.P.R.O.T.E.C.
00000100  54 00 49 00 4E 00 46 00 4F 00 3E 00 3C 00 4B 00  T.I.N.F.O.>.<.K.
00000110  45 00 59 00 4C 00 45 00 4E 00 3E 00 31 00 36 00  E.Y.L.E.N.>.1.6.
00000120  3C 00 2F 00 4B 00 45 00 59 00 4C 00 45 00 4E 00  <./.K.E.Y.L.E.N.
00000130  3E 00 3C 00 41 00 4C 00 47 00 49 00 44 00 3E 00  >.<.A.L.G.I.D.>.
00000140  41 00 45 00 53 00 43 00 54 00 52 00 3C 00 2F 00  A.E.S.C.T.R.<./.
00000150  41 00 4C 00 47 00 49 00 44 00 3E 00 3C 00 2F 00  A.L.G.I.D.>.<./.
00000160  50 00 52 00 4F 00 54 00 45 00 43 00 54 00 49 00  P.R.O.T.E.C.T.I.
00000170  4E 00 46 00 4F 00 3E 00 3C 00 4B 00 49 00 44 00  N.F.O.>.<.K.I.D.
00000180  3E 00 62 00 4D 00 6D 00 2B 00 6A 00 35 00 56 00  >.b.M.m.+.j.5.V.
00000190  4D 00 4F 00 55 00 47 00 75 00 33 00 57 00 4D 00  M.O.U.G.u.3.W.M.
000001A0  39 00 6B 00 68 00 49 00 33 00 67 00 67 00 3D 00  9.k.h.I.3.g.g.=.
000001B0  3D 00 3C 00 2F 00 4B 00 49 00 44 00 3E 00 3C 00  =.<./.K.I.D.>.<.
000001C0  43 00 48 00 45 00 43 00 4B 00 53 00 55 00 4D 00  C.H.E.C.K.S.U.M.
000001D0  3E 00 41 00 53 00 59 00 4B 00 68 00 4D 00 78 00  >.A.S.Y.K.h.M.x.
000001E0  56 00 45 00 70 00 59 00 3D 00 3C 00 2F 00 43 00  V.E.p.Y.=.<./.C.
000001F0  48 00 45 00 43 00 4B 00 53 00 55 00 4D 00 3E 00  H.E.C.K.S.U.M.>.
00000200  3C 00 4C 00 41 00 5F 00 55 00 52 00 4C 00 3E 00  <.L.A._.U.R.L.>.
00000210  68 00 74 00 74 00 70 00 73 00 3A 00 2F 00 2F 00  h.t.t.p.s.:././.
00000220  70 00 72 00 6C 00 73 00 2E 00 61 00 74 00 76 00  p.r.l.s...a.t.v.
00000230  2D 00 65 00 75 00 2E 00 61 00 6D 00 61 00 7A 00  -.e.u...a.m.a.z.
00000240  6F 00 6E 00 2E 00 63 00 6F 00 6D 00 2F 00 63 00  o.n...c.o.m./.c.
00000250  64 00 70 00 3C 00 2F 00 4C 00 41 00 5F 00 55 00  d.p.<./.L.A._.U.
00000260  52 00 4C 00 3E 00 3C 00 2F 00 44 00 41 00 54 00  R.L.>.<./.D.A.T.
00000270  41 00 3E 00 3C 00 2F 00 57 00 52 00 4D 00 48 00  A.>.<./.W.R.M.H.
00000280  45 00 41 00 44 00 45 00 52 00 3E 00 00 00 00 79  E.A.D.E.R.>....y
00000290  70 73 73 68 00 00 00 00 ED EF 8B A9 79 D6 4A CE  pssh....íï‹©yÖJÎ
000002A0  A3 C8 27 DC D5 1D 21 ED 00 00 00 59 08 01 12 10  £È'ÜÕ.!í...Y....
000002B0  8F BE C9 6C 4C 95 41 39 AE DD 63 3D 92 12 37 82  .¾ÉlL•A9®Ýc=’.7‚
000002C0  1A 06 61 6D 61 7A 6F 6E 22 35 63 69 64 3A 6A 37  ..amazon"5cid:j7
000002D0  37 4A 62 45 79 56 51 54 6D 75 33 57 4D 39 6B 68  7JbEyVQTmu3WM9kh
000002E0  49 33 67 67 3D 3D 2C 72 39 65 4B 61 4A 4C 72 53  I3gg==,r9eKaJLrS
000002F0  6C 75 71 78 2B 32 5A 52 65 57 45 46 51 3D 3D 2A  luqx+2ZReWEFQ==*
00000300  02 53 44 32 00                                   .SD2.

[HEX].init for the same video:
00000000  08 01 12 10 AF D7 8A 68 92 EB 4A 5B AA C7 ED 99  ....¯×Šh’ëJ[ªÇí™
00000010  45 E5 84 15 1A 06 61 6D 61 7A 6F 6E 22 35 63 69  Eå„...amazon"5ci
00000020  64 3A 6A 37 37 4A 62 45 79 56 51 54 6D 75 33 57  d:j77JbEyVQTmu3W
00000030  4D 39 6B 68 49 33 67 67 3D 3D 2C 72 39 65 4B 61  M9khI3gg==,r9eKa
00000040  4A 4C 72 53 6C 75 71 78 2B 32 5A 52 65 57 45 46  JLrSluqx+2ZReWEF
00000050  51 3D 3D 2A 02 53 44 32 00                       Q==*.SD2.

As far as I can tell, aside the random data changing with every request, the init feels the same, at least in the final part. I haven't analysed the full PSSH as read by Kodi, so I don't know if the PlayReady information is discarded by IS.A or by the server.

For what it concerns the CAQ= request, both the signed and unsigned Firefox have roughly the same Widevine proxy calls, except for the fact that after receiving the init data, the signed Firefox requests the CAQ=, while the unsigned doesn't.

Firefox's logs are split and not really easily readable, I've put together an aggregator of sorts, but being asynchronous even within a single thread, comparing two logs is proving quite the challenge. Hopefully I can find a bit more about this tomorrow.

(inb4, plot twist, the HD streams are encrypted with PlayReady *faints*)

Edit: formatted the PlayReady init to combat my migrain while reading the above

<WRMHEADER
    xmlns="http://schemas.microsoft.com/DRM/2007/03/PlayReadyHeader" version="4.0.0.0">
    <DATA>
        <PROTECTINFO>
            <KEYLEN>16</KEYLEN>
            <ALGID>AESCTR</ALGID>
        </PROTECTINFO>
        <KID>aIrXr+uSW0qqx+2ZReWEFQ==</KID>
        <CHECKSUM>v45+UVynPLQ=</CHECKSUM>
        <LA_URL>https://prls.atv-eu.amazon.com/cdp</LA_URL>
    </DATA>
</WRMHEADER>

aers commented 5 years ago

Don't worry, there's no difference between PlayReady & Widevine streams, the keys are shared, the DRM is just responsible for key exchange and protection.

The Playready part is discarded, the PSSH format is something like this:

int32 size int32 magic ('pssh') int32 ???? (padding maybe) uuid schemeId (widevine is edef8ba9-79d6-4ace-a3c8-27dcd51d21ed, playready is 9a04f079-9840-4286-ab92-e65be0885f95) int32 size of init_data rest is init_data

If you're curious whats actually in the init data for Widevine itself, I believe the protobuf's in one of the 20 widevine pdfs you linked above, actually..

algorithm: AESCTR key_id: "\257\327\212h\222\353J[\252\307\355\231E\345\204\025" provider: "amazon" content_id: "cid:j77JbEyVQTmu3WM9khI3gg==,r9eKaJLrSluqx+2ZReWEFQ==" track_type_deprecated: "SD" policy: ""

For what it concerns the CAQ= request, both the signed and unsigned Firefox have roughly the same Widevine proxy calls, except for the fact that after receiving the init data, the signed Firefox requests the CAQ=, while the unsigned doesn't.

Yes, privacy mode is enabled probably due to VMP being enabled, so it has to request the service certificate to encrypt the client ID.

Varstahl commented 5 years ago

Yeah, those were pretty much my conclusions as well, but was worth the time to actually check. Given that the service certificate isn't needed after all, the only question which comes to mind (disregarding the questions whose answers would see the need to break the WidevineCDM.dll protection for the sake of doing it) is how does Firefox create the "hardware proxy" (I think that's how it's called, internally) that allows video reproduction even with recompiled sources. If we could figure that out and re-implement it in IS.A, we're golden.

aers commented 5 years ago

I'm sorry, I don't understand what hardware proxy you mean? The reason compiled Firefox works is its passing the "is HDCP enabled" check. Since Amazon doesn't enforce the use of VMP the signature stuff doesn't matter, that part is correct.

peak3d commented 5 years ago

@Varstahl if you have played the same movie, pssh initdata should not vary. Not sure what the content_id is (if it is fixed or not), but now that we know that there are differences in pssh data (for widevine) it could be that the key of UHD streams is already in the manifet request.

aers commented 5 years ago

For Amazon, content_id is extra key IDs base64'd, you can verify this by looking at the license key IDs compared to the content_id. This is why the license has 3 key IDs even though the init data only supports one key ID. Providers can do whatever they want with content_id field.

peak3d commented 5 years ago

Great info! So then the question is if the extra KID's are necessary for decrypting UHD streams (??) Because pssh for the same movie should be static (except amazon does magic in JS code) or simply provides streams with different initialization data, I would first look why its not identical.

Interesting would be hardcoded sending the FF pssh to the license server and look if maybe the server_certificate request appears automatically first....

Edit: I remember from earlier times that you had to pass "IncludeHDCPkey" or similiar into the GetPlaybackResources URL. I never did things with that, but leads into the direction we're searching here

aers commented 5 years ago

4K streams use different keysets but the key IDs for those will be in the pssh of a MPD containing 4K content, that's not an issue.

mirh commented 5 years ago

Lol, please. Bruno is already going crazy for HD. Put 4K aside for the moment.

peak3d commented 5 years ago

:-) yes, @Varstahl should try to limit web browser to smaller resolution (best possible same as used in kodi) Comparing apples and pies is not much fun. From current pov I see 2 things:

1.) pssh initdata differs because the GetPlaybackRecource request / other session things are invalid. IIRC there is a calling home loop in amazon which tells amazon secrets about the current device (??)

2.) VMP (not yet clear what it is) is detected via file access (what I'm hunting for, unfortunately currently blocked by other kodi issues)

aers commented 5 years ago

1.) pssh initdata differs because the GetPlaybackRecource request / other session things are invalid. IIRC there is a calling home loop in amazon which tells amazon secrets about the current device (??)

initdata shouldn't vary for a given stream+quality level, its just a list of keyids to request in the license, this init data is actually included in the stream .mp4 itself as well.

2.) VMP (not yet clear what it is) is detected via file access (what I'm hunting for, unfortunately currently blocked by other kodi issues)

Sorry, I didn't realize you don't understand what VMP is.

VMP stands for verified media path. It is applicable only to browsers (and, specifically, "ChromeCDM", which is the widevinecdm.dll used by Chrome, Firefox, and other browsers, currently, although the spec requires all browser-based implementations support it). It's a way for the service provider (Amazon, Netflix, etc) to verify that the client's browser and ChromeCDM are not compromised in any way. The way it does this is pretty simple: there are signature files included with Chrome, Firefox, etc. releases that are signed by Google's VMP cert. The content of those signature files, along with some data gathered by ChromeCDM as it runs, is sent to the server in the license request, allowing the service provider to verify your browser and CDM are unmodified.

The ".sig" files in your Chrome install (chrome.dll.sig, chrome.exe.sig, chrome_child.dll.sig, widevinecdm.dll.sig) are these signature files.

In addition, VMP requires the use of "privacy mode", aka "encrypted client ID", which triggers a request to the server of 08 04 in order to get the service cert. This allows the VMP data to be encrypted so no one can easily sniff traffic and see what exactly is included in VMP data.

This is actually irrelevant for Amazon because Amazon does not require VMP for their content to work - this is why compiled versions of Chromium and Firefox still work.

The file access that you're detecting is probably checking for .sig files. In order for VMP to work while using Kodi + ChromeCDM you'd need a signature file for at the very least the Kodi exe itself which is impossible to get.

mirh commented 5 years ago

~~How is electron....~~ Ok nvm, separate licensing agreements are required. Couldn't you hook/load some whatever big enough subset of signed dlls to get VMP working though? (and wouldn't netflix already be requiring it?)

aers commented 5 years ago

The CDM decides which exes and dlls need to be signed, including the main process itself, which wouldn't be chrome or firefox when you're using kodi, now would it? :)

Based on the time in which VMP appeared in ChromeCDM it seems like a direct response to the original wvdecrypt code, btw. :)

Anyway I don't know if Netflix enforces it, but presumably they don't, if the kodi plugin works on desktop.

Varstahl commented 5 years ago

I'm sorry, I don't understand what hardware proxy you mean?

In one of the sources (possibly Firefox?) there was code relative to (roughly) WidevineCDM Proxy with some sort of "secure context for Intel", or something of the sort. If I'm correct that's the code to enable HDCP secure context for Widevine to reproduce the video into. Going off the top of my head, so take everything with a grain of salt.

@Varstahl if you have played the same movie, pssh initdata should not vary.

From my logs, pointing at the same video, the "total" bytestream passed changes each and every time, with each and every request. I need some serious sleep so I didn't really look into it too much, but I can assure you that I can provide at least half a dozen of "init data" that each change slightly between themselves. What doesn't change is the init_data of Widevine's PSSH.

Lol, please. Bruno is already going crazy for HD. Put 4K aside for the moment.

Q_Q Wish I kept up with my reverse engineering challenges. My old brain's exploding :D

:-) yes, @Varstahl should try to limit web browser to smaller resolution (best possible same as used in kodi)

All the platforms try to reproduce the same movie with an upper limit of 1080p. Not that it matters until we fix HDCP, but yeah.

1.) pssh initdata differs because the GetPlaybackRecource request / other session things are invalid.

The binary blob differs, the widevine initdata field inside the PSSH doesn't at least in my small tests.

IIRC there is a calling home loop in amazon which tells amazon secrets about the current device (??)

There is a query somewhere that takes device capabilities, I don't remember the endpoint atm though.

VMP is detected via file access

Couldn't you hook/load some whatever big enough subset of signed dlls to get VMP working though?

The file access that you're detecting is probably checking for .sig files. In order for VMP to work while using Kodi + ChromeCDM you'd need a signature file for at the very least the Kodi exe itself which is impossible to get.

If I understood what he meant then yes, it's probably the bundle of signature files.

D/GMP AnswerStartPlugin CDM host paths=(…\widevinecdm.dll,…\widevinecdm.dll.sig),
                                       (…\plugin-container.exe,…\plugin-container.exe.sig),
                                       (…\firefox.exe,…\firefox.exe.sig),
                                       (…\xul.dll,…\xul.dll.sig)

So, without having the dll reversed (but with a "that's what I'd do" mentality), when the WidevineCDM is loaded, it start looking up its parents(/siblings?), Firefox.exe, xul.dll, plugin-container.exe and of course itself. Each of them must be signed (the PGP .sig you find along with the executables), and the results of the checks (or the signature bundle, or whatever it is) is sent somewhere.

So, to enable VMP, one would either crack WidevineCDM open or do some esoteric stuff, such as loading Firefox as a hidden window, inject a DLL through one of the undetectable methods (there are plenty), and then proxy the Widevine calls between the two applications. It's really stupid though, especially since it's useless in this context.

Anyway I don't know if Netflix enforces it, but presumably they don't, if the kodi plugin works on desktop.

I've studied Netflix a bit (passively, I don't have a Netflix account), but as far as I can tell they have an easily accessible endpoint, with none of the problems Amazon streams has. And we're still having it good, because I read Google's "recommended settings" for Widevine encryption and it made me shiver (L1 for freakin' 720p? Are you kidding me?)

aers commented 5 years ago

In one of the sources (possibly Firefox?) there was code relative to (roughly) WidevineCDM Proxy with some sort of "secure context for Intel", or something of the sort. If I'm correct that's the code to enable HDCP secure context for Widevine to reproduce the video into. Going off the top of my head, so take everything with a grain of salt.

I want to say this is prep for using hardware secured keys to support L1 in ChromeCDM via modern Intel CPU+iGPU the same way Edge supports SL3000 Playready on KabyLake+.

In this case the CDM would be proxying everything out to a hardware decrypt+decode+playback that never touches unsecured memory.

Theres some stuff about this in the CDM adapter source iirc. But dont quote me on this one because I honestly don't know :)

And we're still having it good, because I read Google's "recommended settings" for Widevine encryption and it made me shiver (L1 for freakin' 720p? Are you kidding me?)

No serious service will lock everyone out of HD on PCs (yet), so don't worry... Google doesn't even enforce L1 on paid HD Youtube content unless as far as I know :P

Varstahl commented 5 years ago

Not sure, along with Intel there were comments about supporting other stuff like DX11 contexts (which I interpreted as DirectX 11, could be absolutely wrong). I'll have to check later today, I'll fill my Dr. Who Tardis cup full of tea, take the magnifying glass, and start the investigations.

ghoshben commented 5 years ago

I did some investigation and the conclution is if the content has HDR as WELL as UHD then adding deviceVideoQualityOverride=UHD&deviceHdrFormatsOverride=Hdr10 will provide 4k UHD HDR minefeast

URL

Varstahl commented 5 years ago

What the heck, when I tested it a few days ago it was not working. Did they fix it in yesterday's updates? Let me test it.

ghoshben commented 5 years ago

u can acess UHD using this method if and and only if the content is avalable in both UHD & HDR else it wont work

Sandmann79 / xbmc

FHD playback / UHD listing #51