Widevine DRM enabled for streams

[maturd]

Please check the FAQ and search existing issues before you submit a new one!

Describe the bug Whatever live feed I try to open (MPV, IINA, VLC) I only get a grey screen with no audio. If I try to copy to clipboard and open the link in Safari I don't get a video there too but it download a .mpd file that is unplayable.

To Reproduce Steps to reproduce the behavior:

1. Select any live feed 2. Try to open it with any player or copy the link to open it in a browser

Expected behaviour Play feed

Screenshots If applicable, add screenshots to help explain your problem.

F1TV account plan Pro Account. No VPN

Desktop (please complete the following information):

• macOS
• Brew
• 2.7.0

Logs If applicable please provide the relevant portion of your logs. You can find them by running f1viewer -logs.

[nicholascw]

Same thing here. Gray screen, flood of ffmpeg errors together with some 404 error from F1viewer itself when playing the Australian GP Practice 1 LIVE.

[pizza461]

Yes, unfortunately this seems to be a problem with DRM, which they have started implementing. That really sucks, because there is no fix.

Better explained by the creator of Race Control (which also suffers from this problem):

https://github.com/robvdpol/RaceControl/issues/413

[destroy-everything]

What a shame, I had my own build that I could watch from my Ipad , the only reason is use it is because the f1 player is so terrible and using f1viewer proxy ensures I always get 4k. Now the mpd file doesnt open in safari and on VLC / MPV just a grey screen with garbled vertical lines.

[destroy-everything]

To whom it may concern, **** you! Seriously I know F1 is reading this, at least before you disable this app make the IOS app workable , its so terrible I will be happy if you get rid of the adaptive quality that never works even on my 10Gig connection. When I use custom players I can watch in 4k without a hitch.

[pizza461]

1080p50 is the highest quality, my friend.

But I agree, we need the 3rd party players! This is so not right xD

[DoeEensGek]

https://www.bento4.com/documentation/mp4decrypt/ From the index.mpd ContentProtection schemeIdUri="urn:mpeg:dash:mp4protection:2011" value="cenc" cenc:default_KID="1*****5-2**6-4***4-B**7-4*********7" xmlns:cenc="urn:mpeg:cenc:2013"

Don't have much time, but think there are still some options. But they make it harder.

[enginefeeder101]

Same here. MPD files with no audio and 'gray' video....

[arpiecodes]

https://www.bento4.com/documentation/mp4decrypt/ From the index.mpd ContentProtection schemeIdUri="urn:mpeg:dash:mp4protection:2011" value="cenc" cenc:default_KID="1*****5-2**6-4***4-B**7-4*********7" xmlns:cenc="urn:mpeg:cenc:2013"

Don't have much time, but think there are still some options. But they make it harder.

Sorry to say but this method still requires a way to actually get the master content key from Widevine DRM to make it work.

Basically, the media is encrypted using a static key. This key is processed by Widevine CDM (content decryption module) on the client device by talking with the Widevine server or doing some secret key stuff (this part is typically heavily obfuscated so difficult to reverse engineer) and actually performs the AES-128 CTR decryption on the content so the master key does not leak.

If you can get the content's master key (there used to be ways, Google it - Widevine had a huge 'security issue' not too long ago which allowed extracting the master keys by chrome extension (!), but now it's very hard again) you can decrypt the content without doing the Widevine stuff (its actually built-in for some players, including ffmpeg). That's also how those 'illegal streaming websites' keep on popping up using the actual CDN of the streaming service itself. But then again; this assumes those master content keys are not random and they never change..

Alternatively, instead of trying to find the master keys skipping Widevine completely, you may be able to implement some version of the CDM library like https://gist.github.com/ruario/3c873d43eb20553d5014bd4d29fe37f1 and then make a wrapper that calls the library to use the decryption part, the same way they do it for Kodi; https://github.com/emilsvennesson/script.module.inputstreamhelper/blob/master/lib/inputstreamhelper/widevine/widevine.py. But I wouldn't get my hopes up. It will be painstakingly hard.

[pvanb]

But I agree, we need the 3rd party players! This is so not right xD

I see what you did there 💥🎧💥

[notarobot1337]

Let's say I had the keys (completely possible and it's one WV master key), anyone aware of any players for Mac that support playback with key? Something like the adaptive.license plugin for Kodi?

[CastorSmith89]

Is this a global issue or a european issue due to DSGVO? Just observed that If I start a screenshot tool like greenshot the stream in the webbrowser of F1TV get black to prevent screenshots from the screen. I expect this is something regarding Copyright (Urheberrecht) which is huge changed in DSGVO.

[arpiecodes]

Let's say I had the keys (completely possible and it's one WV master key), anyone aware of any players for Mac that support playback with key? Something like the adaptive.license plugin for Kodi?

If you have the master keys, you should use a player that supports CENC decrypting (common encryption, AES-128 CTR) with the key. Alternatively, you could use ffplay/ffmpeg to open the stream, then pipe the audio/video output to another player of your choice (see https://stackoverflow.com/questions/44939166/ffmpeg-how-to-produce-mp4-cenc-common-encryption-videos/44949160#44949160 -decryption_key argument).

You can also let ffmpeg write the stream into an UDP Multicast group, so you can also access it from other players in your network. Or to an RTMP stream for example.

[notarobot1337]

https://stackoverflow.com/questions/44939166/ffmpeg-how-to-produce-mp4-cenc-common-encryption-videos/44949160#44949160

Unfortunately not that easy as it falls over once it starts pulling the mp4 segments (HTTP Error 400, Bad Request), I'm guessing it's missing some header information, I'll have a play about with it further and report back

[arpiecodes]

Unfortunately not that easy as it falls over once it starts pulling the mp4 segments (HTTP Error 401), I'm guessing it's missing some header information, I'll have a play about with it further and report back

IIRC streams gotten through f1viewer might give you a 401 if the kid GET argument is missing (it seems the value does not really matter, even empty works in my testing).

Might be easier to copy a link from a browser session into ffmpeg and see if that works? Or changing the user-agent from ffmpeg to something less trivial to block. :-)

EDIT: Nevermind above. I see what you mean now. DASH streaming is protected by setting a cookie from the manifest request forward. I guess you need cookies support in ffmpeg (which does not exist), or a proxy that adds the cookies for you. You could also try to put the cookies in manually by looking at the cookies set for your browser session.

[notarobot1337]

Ok with one massive line into FFplay with all the headers it attempts to play but I'm getting 'Option decryption_key not found', perhaps I need a different version of FFplay, again I'll report back.

[arpiecodes]

Ok with one massive line into FFplay with all the headers it attempts to play but I'm getting 'Option decryption_key not found', perhaps I need a different version of FFplay, again I'll report back.

Guess you need the module 'crypto' built in. Which might also require building from source. ffmpeg -protocols should tell you if your version has the crypto protocol built-in.

[notarobot1337]

it has the crypto module, I'll build a new version

[notarobot1337]

sooo close

So FFmpeg starts doing its thing, then spits out a ton of these...

Stream mapping: Stream #0:5 -> #0:0 (copy) Stream #0:6 -> #0:1 (copy) Press [q] to stop, [?] for help [dash @ 0x7fb417004280] No longer receiving stream_index 02 bitrate=347523.4kbits/s speed=0.0237x [dash @ 0x7fb417004280] No longer receiving stream_index 1 [dash @ 0x7fb417004280] No longer receiving stream_index 2 [dash @ 0x7fb417004280] No longer receiving stream_index 3 [dash @ 0x7fb417004280] No longer receiving stream_index 4 [NULL @ 0x7fb41704fc80] illegal reordering_of_pic_nums_idc 17 [NULL @ 0x7fb41704fc80] non-existing PPS 1 referenced [NULL @ 0x7fb41704fc80] non-existing PPS 2 referenced [NULL @ 0x7fb41704fc80] non-existing PPS 1 referenced [NULL @ 0x7fb41704fc80] non-existing PPS 42 referenced [NULL @ 0x7fb41704fc80] non-existing PPS 2 referenced [NULL @ 0x7fb41704fc80] non-existing PPS 7 referenced [NULL @ 0x7fb41704fc80] non-existing PPS 2 referenced [NULL @ 0x7fb41704fc80] non-existing PPS 1 referenced [NULL @ 0x7fb41704fc80] non-existing PPS 2 referenced

[arpiecodes]

Those warnings could also well be non-fatal. For example; sometimes in the stream audio tracks can be added or removed dynamically, depending on the broadcast. In such case, track indexes might change.

Does it actually produce a playable video/audio output if you try to write it to a file?

Maybe you can try -ss 0 to have it start at the beginning of the broadcast/stream?

[notarobot1337]

Those warnings could also well be non-fatal. For example; sometimes in the stream audio tracks can be added or removed dynamically, depending on the broadcast. In such case, track indexes might change.

Does it actually produce a playable video/audio output if you try to write it to a file?

Maybe you can try -ss 0 to have it start at the beginning of the broadcast/stream?

Excellent explanation, I sent the output to a local rtmp server so I could watch the stream as it came in, unfortunately it just gave a green screen however the bitrate, resolution and fps were all correct, which leads me to believe the code is correct except for how it's handling the WVkey, so next I'll dump it to a .mp4 and see if mp4decrypt can process it. I'm 99% certain the key is correct as it matches up to the KID etc and I've obtained keys using the same method many times before.

[arpiecodes]

For some weird reason, the HLS variant (if you use Safari as playback client) seems to be unencrypted again now for Qualifying Australia..

I also noticed it uses the same kid. So if DASH does not work, it might be possible to use the same key for the HLS variant as they are usually encrypted using the same content key within the same origin.

EDIT: Nevermind, this is probably just the content moving from 'restart' (e.g. recording of the live stream) to 'video-on-demand' after processing. However I noticed kid 1042, which might be interesting to try with a future live stream. Though that probably won't really work.

Above comment about trying HLS if the kid matches does still stand, though.

[notarobot1337]

the WV kid is what I'm referring to from within the mpd, from what I've tested so far they seem to use 1 kid, pssh and master key for all streams and it changes daily. Am I right in thinking the HLS url is the same but with m3u8 extension?

EDIT: Yeah the m3u8's play any, they're not using DRM encryption.

[arpiecodes]

Usually, there is one master content key (the same origin software is usually responsible for encrypting and packaging HLS/DASH variants of the same source).

The DRM system is actually only in charge of giving you the correct content decryption key, it does not really do more than that (but in reality it has to because it cannot risk to leak the master key, so hardware/software implementations usually also take care of decryptingthe media and securely playing back the video - which is why you cannot screenshot/record the framebuffer output as it's virtually not there and using a 'secure' path to the graphics card).

Thanks to CENC (=Common Encryption) standard almost all streaming formats could in theory use the same encryption method. Usually, it is quite common that content is using the same master key across all streaming formats. But, these are all assumptions of course.

Am I right in thinking the HLS url is the same but with m3u8 extension?

Also unable to check right now as the platform does not seem to deliver the URL's for the actual 'live' stream variants anymore, just the replay versions, which makes comparing them hard..

EDIT: Yeah the m3u8's play any, they're not using DRM encryption.

I guess when they 'archive' something as 'replay' content, they are using another way of serving the content. In Chrome, it also gives you a HLS type stream. This content hasn't got any DRM on it indeed.

Though, when a broadcast is 'live', they seem to use Fairplay on the HLS stream. Which is Apple's Widevine responsible of giving the client the key. Which might coincidentally be the same CENC key you extracted from the DASH WV stream.

[arpiecodes]

The real problem however is that sharing the master content key is actually considered circumventing 'effective' DRM which is illegal to do in most countries. Having said that, kinda in it to see if you can get it working. Which would be awesome. But still, not really practically usable for a typical f1viewer user.

[notarobot1337]

it can be scripted to work with F1viewer or at least that's my intent, now I'm just waiting for streams offered in the new format to test with,

[jackmillu]

Still not working here, verry bad guy's..... any idea how to slove the issue for live F1.. to watch back works just live not...

[notarobot1337]

Ok, so I've managed to get it to pull/push the feed with the relevant header info etc. BUT I can't find a version of ffmpeg for Mac that supports the -decryption_key operation before the input :-/ Anyone good with ffmpeg? Or is there anyway to pass the mpd with key to VLC?

[CastorSmith89]

I have the same issue for windows. Or can I pull the the current repo and build for windows and this will work? Issue 236 is linked to this issue as well and this was opened for windows as well.

[jackmillu]

I try it on Macbook and Windows both same issue... LIVE EVENTS DON'T WORK... ANY SOLUTION GUYS...

[user2705]

Ok, so I've managed to get it to pull/push the feed with the relevant header info etc. BUT I can't find a version of ffmpeg for Mac that supports the -decryption_key operation before the input :-/ Anyone good with ffmpeg? Or is there anyway to pass the mpd with key to VLC?

try with ffmpeg full version from this site: https://www.gyan.dev/ffmpeg/builds/

[howlett]

Ok, so I've managed to get it to pull/push the feed with the relevant header info etc. BUT I can't find a version of ffmpeg for Mac that supports the -decryption_key operation before the input :-/ Anyone good with ffmpeg? Or is there anyway to pass the mpd with key to VLC?

If you share what you have, we can all try to work on it if you'd like? We could probably hotwire in a drm tester.. https://bitmovin.com/demos/drm or such

[notarobot1337]

I'm not sure I can share here, what I have is the Widevine Keys etc that can be used to decrypt the video etc (I can explain this is private message etc), but it just requires pssh, licence server and headers including tokens etc.

So in order to grab and parse the mpd you just need to add the headers (can be found via dev tools), so what I need to complete this is a way to then insert the keys into playback via ffplay/ffmpeg but at the moment all versions of ffmpeg I've tried with the -decryption_key xxxxxx control give an unknown output error.

I'm sure someone with knowledge of ffmpeg should be able to help here.

Or if someone is good with scripting this, we could download the mp4/m4a segments, decrypt with mp4decrypt and then pipe out the decrypted files. I've seen this done with other services.

[howlett]

it looks like mpd uses "--demuxer-lavf-o=decryption_key=" as the option. I think ffplay takes the decryption_key argument, not sure about ffmpeg?

[howlett]

ffmpeg does take the decryption_key argument. It is fussy about the ordering thought. It seems it needs to be after the -i argument and the -decryption_key does not have a = after it. Hope that helps

[notarobot1337]

I now need to wait again to get a valid MPD to test with, unfortunately they seem to move the replays to the older system that works just fine, unless anyone has a valid mpd url from today?

[ricky732]

@notarobot1337 no unfortunately there isn't any mpd link, we have to wait till Imola.. What's the way to contact you via private message? Can't find the option on github! 😂

[notarobot1337]

I might use the same username on Telegram....

[crisgsm33]

@notarobot1337 There is an .mpd link, at Post-Race Show Australia, if you want to test with.

[callumparr]

I now need to wait again to get a valid MPD to test with, unfortunately they seem to move the replays to the older system that works just fine, unless anyone has a valid mpd url from today?

wish could go back to the Schumacher days where we could test whenever we wanted.

[notarobot1337]

@notarobot1337 There is an .mpd link, at Post-Race Show Australia, if you want to test with.

Thank you.

So upon testing I was able to grab the video from the mp4, decrypt it and play it back in VLC https://snipboard.io/aMCDo4.jpg <--- as shown here.

So I have everything needed for a live stream to work, this then leads me back to not having the correct syntax when using FFmpeg, so if anyone has experience with this please let me know, as we can script this into the F1viewer app and I can go back to having my front room as race control during the live events, using the official app is painful at best.

EDIT: Also before anyone comments 'where's the audio in that screenshot?' I didn't merge the files back together as I know for sure that'll work.

[crisgsm33]

Unfortunately, I'm not good at syntax for FFmpeg either, maybe the developer can help us by implementing Widevine code directly into the application, both for live stream and download.

[notarobot1337]

Unfortunately, I'm not good at syntax for FFmpeg either, maybe the developer can help us by implementing Widevine code directly into the application, both for live stream and download.

That's extremely doubtful, but perhaps he could make it so users could add their own legit CDM and it work through the process?

For now I'd be happy just scripting it to run from within F1viewer with no actual ties to the app (if legality is an issue)

[crisgsm33]

By the way, yesterday's token was no longer valid today, it seems that it also changes randomly.

[crisgsm33]

That's exactly what I meant about implementation, legality must be taken into account, but we could get around this by introducing an additional field where we could enter the key, each of us in our own way.

[notarobot1337]

By the way, yesterday's token was no longer valid today, it seems that it also changes randomly.

They expire every 24 hours, that part is controlled via HMAC

[notarobot1337]

That's exactly what I meant about implementation, legality must be taken into account, but we could get around this by introducing an additional field where we could enter the key, each of us in our own way.

First things first lets get it to stream live, if ffmpeg doesn't support 'on the fly' decryption then we could find something that does, or the really long method would be to script it to download segments, decrypt then then create a new stream with the decrypted segments.

[crisgsm33]

By the way, yesterday's token was no longer valid today, it seems that it also changes randomly.

They expire every 24 hours, that part is controlled via HMAC

In my case it was unchanged from Saturday until today.

[notarobot1337]

By the way, yesterday's token was no longer valid today, it seems that it also changes randomly.

They expire every 24 hours, that part is controlled via HMAC

In my case it was unchanged from Saturday until today.

Not sure on that then, from experience it's been 24hours for me

[crisgsm33]

This is the smallest problem, I would say, Bento4-SDK needs to be integrated into the script, the order of events being download, decrypt, play...

[crisgsm33]

The script could also extract the token automatically, without our intervention, using the Firefox library.