Ungoogled layer breaks Chromium DRM reading

[squid-f]

Describe the bug Can't play video on disneyplus.com Potential DRM related issue. It works fine with the Chromium version, ungoogled-chromium is built on the top of.

To Reproduce Steps to reproduce the behavior:

1. Go to https://www.disneyplus.com/
2. Obviously, you need an account to sign in
3. Click on Play for any movie
4. An error message is displayed: Error. Contact Disney+ support (error code 83)

Expected behavior The movie starts

Environment (please complete the following information):

• OS/Platform and version: Linux, Mageia 8 x86_64
• ungoogled-chromium version: 98.0.4758.80

Additional context Package built on the top of the official Chromium package of Mageia. Chromium works fine. Flag enable_widevine=true is set. Codecs are installed. Widevine is packaged as well.

Console log attached, complaining about DRM_SYSTEM_ACCESS_FAILED: www.disneyplus.com-1644315641401.log

Another user has confirmed the same issue with Amazon Prime video.

Ungoogled-chromium version on Flatpak exhibits the same behavior, both for Disney+ and Prime.

Is it the expected behavior?

[squid-f]

Hi
I renamed the title to reflect more the context. Playing DRM content in Chromium works. I used the same Chromium base to add ungoogled-chromium on the top of. Then, the same DRM content cannot be played anymore. I can help to debug it, if you guide me a little. What are the patches which might impact DRM reading? Could it be related to the url replacement list? Or would it be more related to other part of the code?

[networkException]

I'll look into this in a few hours, until then you could maybe try building without domain substitution

[squid-f]

I'll look into this in a few hours, until then you could maybe try building without domain substitution

I have tried already to un-substitute google and chromium items from the regex list and to remove any libdrm items from the substitution list. It didn't help. I can try to remove everything if you think it can help. I will do it in 2 hours, except if you have another idea since then.

[squid-f]

Hi. Just tested a new package with the domain substitution step fully removed (i.e. domain_substitution.py not run). No luck ; it didn't restore the DRM play. Domain substitution is not the blocking point, or not alone, at least.

[PF4Public]

No luck

Could be some of the patches then?

[squid-f]

Hi. New update.

I tried to restore MEI_preload by:

sed -i "/disable-mei-preload.patch/d" patches/series
sed -i "/mei_preload/d" pruning.list
sed -i "/mei_preload/d" domain_substitution.list

Unsuccessful...

I am willing to keep testing, but I am in a kind of shooting-in-the-dark mode. I don't know enough what is required for the DRM validation with the server.

Would anyone be able to give me some hints on where to look at, to narrow down the scope?

[wchen342]

Widevine had always been a problem in the past and I've never been able to get it to work personally. I know for some vendors they have a separate contract with Google so they are provided with a particular (I guess signed, haven't look into it too much) version of widevine, but for us we cannot do that.

[ruamegatrader]

I'm curious though, because the error quotes specifically, "contact Disney" and ask what is "error code 83" - maybe if they say what they're expecting on their end? Are you able to do that? It would narrow the problem down. The disney log looks like it's looping? Maybe because an expected response is missing and it retries?

[squid-f]

Hi. Code 83 is a vague error pointing towards browser compatibility ; I have seen also things around localization. Another user has experimented the same issue with Prime video. I do think it is more general than some specific streaming providers. I have monitored the console messages. Please, have a look at the log file attached in the initial post, reporting also

HTTP error: status code 403, net::ERR_HTTP_RESPONSE_CODE_FAILURE
hls-player.js:1 10:10:13.253 HLSPlayer[1] Profile not provided or missing userAgent; use legacy detection

I will try a new build this weekend with a real Google api key, instead of a void one.

Any new idea is welcome meanwhile, of course.

[squid-f]

Hi. News. I just built a new package, using a Google API key + removing anything containing drm from the pruning.list and domain_substitution.list

sed -i "/drm/d" pruning.list
sed -i "/drm/d" domain_substitution.list

No luck... Any idea?

[PF4Public]

Well, if you know for sure that Chromium works and Ungoogled-Chromium doesn't, you could do the bisect-like thing by step-by-step disabling things that differ Ungoogled-Chromium from Chromium and rebuilding it. I suppose only patches remain to be investigated.

[squid-f]

Hi I have not tried yet to fully remove the pruning.list; also, I have tried only to remove Google filter from domain_regx.list Then, there are about 100 patches. It takes about 2 hours to build the package. It is going to be quite a job to test them one by one! But if nobody is able to help me to narrow down which one, I might give it a try. I am a bit concern by the risk of a combination of impacting parameters; we'll see...

[PF4Public]

It takes about 2 hours to build the package. It is going to be quite a job to test them one by one!

You could mimic the bisect strategy: divide amount of patches roughly in half, apply them. Test if anything changed. No changes → divide the remaining number of patches in half and repeat. Something changed → divide the number of applied patches in half and un-apply them. Repeat until one or several patches remain. There is a downside to it: if two or more patches are to blame, they could get into separate batches :(

… nobody is able to help me to narrow down …

I'm afraid not many of us use widevine to begin with. Let alone with ungoogled-chromium.

[squid-f]

@PF4Public the bisect strategy is indeed a good idea. I was also thinking about looking at the patch origins to remove / apply them by some kind of blocks. Stay tuned ;) :)

[dkebler]

@networkException asked me to post that I have widevine working in Version 98.0.4758.102 elosten unportable. I run this script after each upgrade and it grabs and installs the widevine directory from chrome into my ungoogle chromium install. This is a bash script for linux only with ungoogled chromium installed at /usr/bin/chromium and /usr/lib/chromium/WidevineCdm but could be adapted.

https://gist.github.com/dkebler/b90ca57ac481a428dcb6cbbd1e36553d

[squid-f]

Thanks @dkebler I'll give it a try then as well.

[squid-f]

Hi. Some news: as I can install Chromium and Ungoogle-Chromium side-by-side, I tried to locate widevine. I found a folder ~/.config/chromium/WidevineCdm/ containing, apparently, a sort of extension; there is 4.10.2391.0/manifest.json inside:

{
  "manifest_version": 2,
  "update_url": "https://clients2.google.com/service/update2/crx",
  "name": "WidevineCdm",
  "description": "Widevine Content Decryption Module",
  "version": "4.10.2391.0",
  "minimum_chrome_version": "68.0.3430.0",
  "x-cdm-module-versions": "4",
  "x-cdm-interface-versions": "10",
  "x-cdm-host-versions": "10",
  "x-cdm-codecs": "vp8,vp09,avc1,av01",
  "x-cdm-persistent-license-support": false,
  "x-cdm-supported-encryption-schemes": [
    "cenc",
    "cbcs"
  ],
  "icons": {
    "128": "imgs/icon-128x128.png",
    "16": "imgs/icon-128x128.png"
  },
  "platforms": [
    {
      "arch": "x64",
      "os": "linux",
      "sub_package_path": "_platform_specific/linux_x64/"
    }
  ]
}

I do have also a folder ~/.config/ungoogle-chromium/WidevineCdm but it is empty. So, I copied ~/.config/chromium/WidevineCdm/* into ~/.config/ungoogle-chromium/WidevineCdm And, "tada", it works; I can now have access to the streaming content of disneyplus.com

I am assuming a WidevineCdm content is downloaded during the first launch. Could anyone confirm my understanding? If so, I need to understand what does block it. I am rebuilding ungoogle-chromium with google removed from domain_regex.list I thought I have done that already, but I might have overlooked something.

[PF4Public]

I am assuming a WidevineCdm content is downloaded during the first launch. Could anyone confirm my understanding?

Cannot tell you how it is with other distributions, but Gentoo packages widevine into chrome-binary-plugins which should be installed and I just create a symlink for it to work: https://github.com/PF4Public/gentoo-overlay/blob/dfd691d894fd9712b721a300aea4832338fd29a8/www-client/ungoogled-chromium/ungoogled-chromium-100.0.4896.75_p1.ebuild#L1261

use widevine && dosym WidevineCdm/_platform_specific/linux_x64/libwidevinecdm.so /usr/$(get_libdir)/chromium-browser/libwidevinecdm.so

[UnixPhonez]

netflix doesn't work either nor does spotify

[exful3]

Widevine content broken on Netflix, Disney+, and widevine demo/testing sites after updating my browser. I reinstalled the plugin, and it is detected, but getting errors when trying to load DRM content. My mistake! This was a problem with a release build from a third party. If you experience this and use third party builds, check for updates!

[squid-f]

netflix doesn't work either nor does spotify

I don't have a Netflix subscription. However, I confirm Disney+ and Spotify (free account) keep working, with the procedure I indicated here above: https://github.com/Eloston/ungoogled-chromium/issues/1831#issuecomment-1094061018

[nilslindemann]

(I guess this fits here, let me know if it doesn't)

Videos also do not play on n-tv (it still worked a few days ago). I get the error message SOURCE_STREAM_TYPE_NOT_SUPPORTED. Same here. I have enabled "Sites can play protected content" under chrome://settings/content/protectedContent. (I am on Linux Mint, and it works in Chromium)

Edit: since the latest update (120.0.6099.109) it works again. Thanks a ton!