Closed alitteration closed 4 years ago
yoshimo
commented
4 years ago If you already had a handshake done before using the mitm proxy , mtm uses the wrong key material. You need to reset your state im chrome. Log out clear the storage and cookies , then start mitmproxy and login again
alitteration
commented
4 years ago @ yoshimo, Thanks, but I've already did clear cookies for Netflix.
Should I clear cookies globally for chrome or maybe just start a new profile?
Also, do I expect to see the requests/responses processed and decrypted in the log ? or how should I do it after having the new Client Pubkey?
yoshimo
commented
4 years ago Iirc the key is in local storage not a classic cookie. You might have to clear that separately.
nohajc
commented
4 years ago Personally, I find it easier to start a new browser profile. You don't have to destroy your everyday session and it's reliable.
You should certainly see all the decrypted messages in log and be able to play videos normally.
On the other hand, if it really does not work, it could be a bug or it could be that Netflix changed something in their protocol. I can check later today if it still works for me.
alitteration
commented
4 years ago Personally, I find it easier to start a new browser profile. You don't have to destroy your everyday session and it's reliable.
You should certainly see all the decrypted messages in log and be able to play videos normally.
On the other hand, if it really does not work, it could be a bug or it could be that Netflix changed something in their protocol. I can check later today if it still works for me.
Indeed that worked fine after switching to a separate profile, much obliged. I was wondering if there is a way someone can decrypt appbot requests from Android. I guess they use different encrypt but it would be great to actually able to see the requests/responses made.
nohajc
commented
4 years ago I was wondering if there is a way someone can decrypt appbot requests from Android. I guess they use different encrypt but it would be great to actually able to see the requests/responses made.
It is possible if you can find a way to reliably hook this API: https://developer.android.com/reference/android/media/MediaDrm.CryptoSession
It could also be done at native level but then you would be dealing with private AOSP API (which can change between versions) or vendor specific code (at the OEMCrypto level).
Apart from being public API, MediaDrm also abstracts away widevine levels, so it would probably be best to hook these Java calls. I have no experience with that though.
The bottom line is, you probably need a rooted device with modified system (something like xposed framework?) and your code running directly on it to capture the decrypted traffic.
Not to mention the official Netflix app is doing SafetyNet checks to detect OS tampering.
alitteration
commented
4 years ago I was wondering if there is a way someone can decrypt appbot requests from Android. I guess they use different encrypt but it would be great to actually able to see the requests/responses made.
It is possible if you can find a way to reliably hook this API: https://developer.android.com/reference/android/media/MediaDrm.CryptoSession
It could also be done at native level but then you would be dealing with private AOSP API (which can change between versions) or vendor specific code (at the OEMCrypto level).
Apart from being public API, MediaDrm also abstracts away widevine levels, so it would probably be best to hook these Java calls. I have no experience with that though.
The bottom line is, you probably need a rooted device with modified system (something like xposed framework?) and your code running directly on it to capture the decrypted traffic.
Not to mention the official Netflix app is doing SafetyNet checks to detect OS tampering.
I had a very tiny experience with Frida and in the past, I used it to hook to some library of some APK.
I'm not sure about that one, but I shall give it a try and let you know.
If that was done probably, Would that let those requests show in a decrypted format?
Indeed I have Xposed [ with some modules ] with MAGISK hide which safely makes me able to view contents on Netflix and bypass the SafetyNet checks without any issues and got the right modules needed to unpin some SSL native functions and had some luck with many other apps.
Do you have an E-mail to send you some logs to or anywhere else for an easier talk?
alitteration
commented
4 years ago I was wondering if there is a way someone can decrypt appbot requests from Android. I guess they use different encrypt but it would be great to actually able to see the requests/responses made.
It is possible if you can find a way to reliably hook this API: https://developer.android.com/reference/android/media/MediaDrm.CryptoSession
It could also be done at native level but then you would be dealing with private AOSP API (which can change between versions) or vendor specific code (at the OEMCrypto level).
Apart from being public API, MediaDrm also abstracts away widevine levels, so it would probably be best to hook these Java calls. I have no experience with that though.
The bottom line is, you probably need a rooted device with modified system (something like xposed framework?) and your code running directly on it to capture the decrypted traffic.
Not to mention the official Netflix app is doing SafetyNet checks to detect OS tampering.
Hello, I have been trying to hook to the API you suggested. I noticed that the first appbot request was HTTP, not HTTPs, I'm still not able to hook to it probably tho.
Are there any other APIs that might help?
Thanks
nohajc
commented
4 years ago Well, if you can hook encrypt and decrypt, then you have access to the payload before and after it is encrypted/decrypted. These calls should be used to process all MSL requests.
Anyway, since this is unrelated to the original issue, I'm closing it. You can reach me via my git email address (found in every commit authored by me).
Hello,
I'm trying to see the MSL requests in chrome and the .log file shows:
And I see in CMD some errors like ::
` [::1]:61510: POST https://www.netflix.com/api/shakti/va61a784d/pathEvaluator?drmSystem=widevine&isWatchlistEnabl
calBoxArtEnabled=true&falcor_server=0.1.0&withSize=true&materialize=true << 200 OK 1.43k [::1]:61992: clientconnect Addon error: Traceback (most recent call last): File "msl_decrypt.py", line 257, in request iv = b64decode(payload["iv"]) KeyError: 'iv'
[::1]:61989: GET https://www.netflix.com/undefined << 302 Found 0b [::1]:61997: clientconnect [::1]:61510: POST https://www.netflix.com/nq/msl_v1/cadmium/pbo_manifests/%5E1.0.0/router?reqAttempt=1&reqPriori << 200 OK 2.95k [::1]:61828: clientdisconnect [::1]:61992: POST https://www.netflix.com/api/shakti/va61a784d/pathEvaluator?drmSystem=widevine&isWatchlistEnabl calBoxArtEnabled=true&falcor_server=0.1.0&withSize=true&materialize=true << 200 OK 1.89k Addon error: Traceback (most recent call last): File "msl_decrypt.py", line 257, in request iv = b64decode(payload["iv"]) KeyError: 'iv'
Please keep in mind while the mitmproxy is running, no movies or shows would play in chrome and I end up with an error : https://i.imgur.com/lwjDBB6.jpg
Is it normal to not be able to actually play anything?
Also, It would be nice if you can explain how can I decrypt those requests to be able to see them after acquiring that info as I have no idea how to replace the Client pubkey and I see no data in the .log file.
Thanks!