hyugogirubato / KeyDive

Extract Widevine L3 keys from Android devices effortlessly, spanning multiple Android versions for DRM research and education.
https://pypi.org/project/keydive/
MIT License
316 stars 66 forks

Keydive stuck on Starting DRM Player Launch Process #38

Closed Fxzzi closed 5 days ago

Fxzzi commented 1 week ago

$ keydive -w --functions $HOME/Downloads/func.xml -v

2024-10-14 19:04:32 [I] KeyDive: Version: 2.0.9
2024-10-14 19:04:32 [I] Core: Device: Pixel 7 (32091FDH200459)
2024-10-14 19:04:32 [I] Core: SDK API: 34
2024-10-14 19:04:32 [I] Core: ABI CPU: arm64-v8a
2024-10-14 19:04:32 [I] Core: Script loaded successfully
2024-10-14 19:04:32 [I] KeyDive: Watcher delay: 1s
2024-10-14 19:04:32 [D] KeyDive: Analysing...
2024-10-14 19:04:32 [W] Core: Library not found: libwvaidl.so
2024-10-14 19:04:32 [I] Core: Library: android.hardware.drm-service.widevine (/apex/com.google.android.widevine/bin/hw/android.hardware.drm-service.widevine)
2024-10-14 19:04:32 [D] Script: Hooked (0x5ecbd93f60): wvcdm::Properties::UsePrivacyMode
2024-10-14 19:04:33 [D] Script: Hooked (0x5ecbdd1c70): wvcdm::CdmLicense::PrepareKeyRequest
2024-10-14 19:04:33 [D] Script: Hooked (0x5ecbe5a410): zgtjmxko
2024-10-14 19:04:33 [I] Script: Library liboemcrypto.so was not found
2024-10-14 19:04:33 [I] KeyDive: Process: 831 (android.hardware.drm-service.widevine)
2024-10-14 19:04:33 [I] KeyDive: Successfully hooked

I've attempted to use my own extracted Widevine functions XML, as well as one provided for my device here: https://forum.videohelp.com/threads/414789-KeyDive-Beyond-Android-SDK-33

MagiskFrida running, server running, tested with pidof frida-server, which successfully returned a PID. L1 was also reverted back to L3 with liboemcrypto disabler.

Playing Widevine video, whether through Chrome, Firefox, Bitmovin, Disney+, nothing seems to start the extraction. Here I can provide the XML I extracted from my device: android.hardware.drm-service.widevine.xml.zip

Fxzzi commented 1 week ago

Got a bit further by running keydive with DRM video running, and then refreshing. Here are the verbose logs:

keydive -d 32091FDH200459 -w --functions $HOME/android.hardware.drm-service.widevine.xml -v
2024-10-14 19:08:11 [I] KeyDive: Version: 2.0.9
2024-10-14 19:08:11 [I] Core: Device: Pixel 7 (32091FDH200459)
2024-10-14 19:08:11 [I] Core: SDK API: 34
2024-10-14 19:08:11 [I] Core: ABI CPU: arm64-v8a
2024-10-14 19:08:11 [I] Core: Script loaded successfully
2024-10-14 19:08:11 [I] KeyDive: Watcher delay: 1s
2024-10-14 19:08:11 [D] KeyDive: Analysing...
2024-10-14 19:08:11 [W] Core: Library not found: libwvaidl.so
2024-10-14 19:08:11 [I] Core: Library: android.hardware.drm-service.widevine (/apex/com.google.android.widevine/bin/hw/android.hardware.drm-service.widevine)
2024-10-14 19:08:11 [D] Script: Hooked (0x5ecbd936e8): wvcdm::Properties::UsePrivacyMode
2024-10-14 19:08:11 [D] Script: Hooked (0x5ecbdcca84): wvcdm::CdmLicense::PrepareKeyRequest
2024-10-14 19:08:11 [D] Script: Hooked (0x5ecbe58cbc): ehmduqyt
2024-10-14 19:08:11 [I] Script: Library liboemcrypto.so was not found
2024-10-14 19:08:11 [I] KeyDive: Process: 831 (android.hardware.drm-service.widevine)
2024-10-14 19:08:11 [I] KeyDive: Successfully hooked
2024-10-14 19:08:17 [D] Script: [+] onEnter: UsePrivacyMode
2024-10-14 19:08:17 [D] Script: [-] onLeave: UsePrivacyMode
2024-10-14 19:08:17 [D] Script: [+] onEnter: UsePrivacyMode
2024-10-14 19:08:17 [D] Script: [-] onLeave: UsePrivacyMode
2024-10-14 19:08:17 [D] Script: [+] onEnter: PrepareKeyRequest
2024-10-14 19:08:17 [D] Script: [+] onEnter: UsePrivacyMode
2024-10-14 19:08:17 [D] Script: [-] onLeave: UsePrivacyMode
2024-10-14 19:08:17 [D] Script: [-] onLeave: PrepareKeyRequest
2024-10-14 19:08:17 [D] Cdm: Failed to set challenge data: Error parsing message
2024-10-14 19:08:17 [D] Cdm: Receive client id: 

{
  "application_name": "com.android.chrome",
  "origin": "73AFE289899F92630A7FEC75D2D53007",
  "package_certificate_hash_bytes": "8P1sW0EPJcslw7UzRsiXL64w+O50Ed+RBICtay1g24M=",
  "company_name": "Google",
  "model_name": "Pixel 7",
  "architecture_name": "arm64-v8a",
  "device_name": "panther",
  "product_name": "panther",
  "build_info": "google/panther/panther:14/AP2A.240905.003/12231197:user/release-keys",
  "widevine_cdm_version": "18.0.0@341113000",
  "oem_crypto_security_patch_level": "0",
  "oem_crypto_build_information": "{\"soc_vendor\":\"L3_28613\",\"soc_model\":\"ARM 64 bit\",\"ta_ver\":\"18.1.0+May  1 2023_06:32:58_\",\"uses_opk\":false,\"tee_os\":\"none\",\"tee_os_ver\":\"0.0.0\",\"form_factor\":\"L3\",\"implementer\":\"Widevine\",\"fused\":false}"
}

hyugogirubato commented 5 days ago

As we were able to discuss on Discord, your problem was linked to a bad private saved function. With your help I was able to identify the problem and correct this bad function. However, to prevent this type of problem from occurring again in other use cases, I added a new option, -s or --skip, which allows this automatic detection and hook to be skipped, as if the function had not yet been registered.