|Doom + Decryption - DigitalRightsManagement = Serenity
26 December 2006: Doom9.net (http://www.doom9.net/) is a popular 6-year-old video site that proclaims itself “the definitive DVD backup resource.” Serious hackers who rip DVDs or re-author video and care about quality converge in Doom9’s forums, to discourse with an international community that includes real experts. On this day, a new Doom9 member pseudonamed muslix64 submitted his (her) first post to the Decryption forum at Doom9 (http://forum.doom9.net/showthr...): the program BackupHDDVD (http://rapidshare.com/files/11...), “a tool to decrypt an AACS protected movie that you own, so you can play it back later using an HD DVD player software”, together with the program source code, a FAQ, and an intriguing YouTube video of BackupHDDVD in action (http://www.cdr.cz/a/20159).
AACS stands for “Advanced Access Content System”, a copy protection scheme adopted by both HD DVD and Blu-ray, the competing optical disk formats for high definition DVD that are promoted by two big consortia representing virtually all name-brand hardware manufacturers, software publishers, and movie studios. AACS encrypts the content of films, and licenses decryption “keys” to the manufacturers of set-top (hardware) and computer (software) DVD players. Every hi-def DVD disk contains all the decryption keys for licensed players, with one unique key per player model. In theory, if a decryption key for a particular player is cracked, the ability of that player to decrypt future titles can be revoked (or changed by a firmware or software update) without affecting other players. The entire concept has always been deemed impractical, because it penalizes blameless owners of the cracked player, rendering their equipment useless without an upgrade, and it stigmatizes the manufacturer. Few consortia members believed revocation would ever happen. They signed on to AACS because they thought it was unbreakable.
muslix64 was pithy: “I was not aware of anyone having [beaten AACS], so I did.” Reaction at Doom9 during the next month stretched over thousands of posts. Fraternal concern emerged first, prompted by the two prosecutions of a Norwegian high school student, Jon Lech Johansen a.k.a. DVD Jon, who broke CSS, the “Content Scrambling System” that secured first-generation DVDs; and by the intimidation, allegedly by Macrovision, of Lightning UK, who authored the splendid DVD Decrypter tool and subsequently went underground in 2005. Doom9 seems to operate in perpetual anxiety about DMCA, the U.S. “Digital Millennium Copyright Act”, which criminalizes nearly all measures to circumvent copyright protection, including the dissemination of technology. Most members of Doom9 believe that it is their right to make copies, for their personal use, of media they own. Not surprisingly, Doom9 is alert to every industry deceit, e.g. the recent PR move to rename DRM (“Digital Rights Management”, or copy protection) to DCE, “Digital Consumer Enablement”.
XStylus: “Make sure you’ve taken appropriate measures to protect your identity, muslix64. You’ve done great work, and I’d hate to see you become another victim in the DRM battle.”With underdog/outlaw bravado, Doom9 members generally share fierce, principled objections to copy protection of any sort. Copy protection prevents legitimately-purchased discs from playing with the best quality on each and every hardware due to various inflections of DRM, AACS, HDCP, etc. Region coding infuriates Doom9; the rationale, that movies are released on different dates around the globe, seems to them merely an excuse to charge different prices in different economies, and to force some consumers to buy the same disk several times. Moreover, it is the legitimate consumer who pays extra for these technologies, which are unwanted by player manufacturers and even dealers. Everyone understands that by preventing consumers from converting content between formats, the industry ensures that a constant revenue stream can be extracted from the same product, as users upgrade from Betamax to VHS to LaserDisc to DVD to hi-def DVD to the latest/greatest technology. Members complain that whereas copyrights have sunset provisions, copy protection mechanisms never expire, and thereby inhibit free use perpetually. They argue that the real target of copyright holders should be the Ukrainian and Chinese pirates who flood markets with fake disks, not consumers sharing with their family or tinkering with their computers.
Hajj_3: “Yes, protect your identity and IP. Use proxies, firewalls etc etc... They will indeed hunt him down. I dont want this guy to end up in jail for 5 yrs, he’s done a great job.”
Devinator: “I agree. Not only would the people behind draconian copy protection BS sue you, they would disappear you if they thought they could get away with it.”
Dukey: “Should have posted the source from an Internet cafe or library or something. Then don’t have to worry about getting caught by IP/ISP.”
Above all, every Doom9 member was well aware — and they wonder whether savvy AACS licensees were not also aware — that once decryption keys were licensed to software players (i.e. to computer programs), AACS was indeed doomed. During computer processing, keys must be exposed and the content decrypted, otherwise it can’t be played. With skill, patience, and adequate cyber power, any data manipulated by a computer can be intercepted and captured — it is simply a question of time and resources. In 2001, Dutch cryptographer Niels Ferguson discovered that HDCP, the “High-bandwidth Digital Content Protection” system, is “fatally flawed”. HDCP is a cryptographic system developed by Intel that encrypts video on the DVI bus, which is used to connect digital video cameras and DVD players with digital TVs, etc. The aim of HDCP, like AACS, is to disallow perfect copying of digital video content, by encrypting the signal. Ferguson estimated that “an experienced [programmer] can recover the HDCP master key in about 2 weeks using 4 computers and 50 HDCP displays. Once you know the master key, you can decrypt any movie, impersonate any HDCP device, and even create new HDCP devices that will work with the ‘official’ ones. This is really, really bad news for a security system. If this master key is ever published, HDCP will provide no protection whatsoever. The flaws in HDCP are not hard to find.” In a bitter statement about the erosion of freedom of speech and penalization of whistleblowers, Ferguson suppressed his own research, not only because he feared arrest if he tried to enter the United States, but also because “the USA is apt to apply its own laws way beyond its own borders.”
Ferguson had reason to fear the long arm of American power — and this was before 9/11. A Russian programmer named Dmitri Sklyarov, who lived in Moscow, wrote for his Russian employer a routine that enabled users of an Adobe eBook Reader to disable restrictions that the publisher of an electronic book formatted for Adobe’s reader might have imposed — for example, to inhibit the conversion of ebook text to speech, for sightless users. Sklyarov’s program was legal in Russia and most of the world, and his employer sold it over the Internet. In 2001, Sklyarov visited Las Vegas to deliver a lecture about weaknesses in Adobe electronic book software. Adobe alerted the FBI, and Sklyarov spent 30 days in the slammer for violations of the DMCA, which outlaws technologies “designed to circumvent other technologies that protect copyrighted material — law protecting software code protecting copyright.” A year and a half later, after being confined to northern California, Sklyarov was acquitted on all counts in this first criminal prosecution under the DMCA. Meanwhile, Russia’s equivalent of the FBI instructed all Russian researchers to avoid American conferences.
Princeton Professor Edward Felton got a similar shock earlier in 2001. His research team had defeated SDMI, the “Secure Digital Music Initiative”, a protection technology which, for example, limited the number of copies that may be made of a recording. Felton was about to publish his results at the International Information Hiding Workshop Conference, when the Recording Industry Association of America (RIAA) threatened him with a lawsuit under DMCA. Felton withdrew his publication one day before the conference and countered by suing the RIAA. A year later, his suit was dismissed in Federal Court after the Justice Dep’t. and RIAA reversed their position, now proclaiming that “everyone benefits from research into the vulnerabilities of security mechanisms.” Felton was disappointed: he wanted an enforceable court ruling that government and industry could never again threaten publishers of scientific research.
Doom9 members knew that it had taken 2 full years to break protection on lo-def (480p) DVDs. Surely hi-def DVDs would be more challenging. As they tried to understand and use muslix64’s tool, skepticism predominated: “Is this for real? Can anyone test this?”
DeepBeepMeep: It doesn’t look like what [muslix64] has released contains any Title key. It ... has been deliberately replaced with [zeroes]... The real exploit lies in extracting the Title key from the memory of the software player. It is quite likely that if we had one Title key it shouldn’t be hard to get the others as long as the player is not considered compromised. But unless the author of this program releases [his] key extractor,... we are almost at the same point as before. All the information to write [muslix64’s code] is available publicly.
Deihmos: Did anyone confirm this working? It does not look that way, so is this a hoax or is it real?
Wookie Groomer: This has to be a hoax since it appears not a single person in the entire world except the original poster is claiming this works or can confirm anything. Let’s see some proof. A fancy edited You Tube Video is worthless without at least one key to test for ourselves.
LOS ANGELES (Reuters) - The companies behind an encryption system for high-definition DVDs are looking into a hacker’s claim that he has cracked the code protecting the new discs from piracy, a spokesman for one of the companies said Thursday. A hacker known as muslix64 posted on the Internet details of how he unlocked the encryption, known as the Advanced Access Content System, which prevents high-definition discs from illegal copying by restricting which devices can play them. The AACS system was developed by companies including Walt Disney Co., Intel Corp., Microsoft Corp., Toshiba Corp. and Sony Corp. to protect high-definition formats, including Toshiba’s HD-DVD and Sony’s Blu-ray. muslix64 posted a video and decryption codes showing how to copy several films, including Warner Bros’ Full Metal Jacket and Universal Studios’ Van Helsing, on a popular hacker Internet blog and a video-sharing site. The hacker also promised to post more source code on Jan. 2 that will allow users to copy a wider range of titles. A spokesman for one of the AACS companies, who declined to have the company identified, said they were aware of it and were looking into the claims, but would not elaborate.Days passed, with no further word from muslix64. He had promised new code on 2 January. Members were antsy.
Zag: The problem is that he gave very little information (nothing really) regarding how to obtain the Title keys. All he said was: “I won’t explain it in detail. Read the AACS doc first. You will understand. The Title keys are located on the disk in encrypted form, but for a content to be played, it has to be decrypted! So where is the decrypted version of the Title key? Think about it... ”
30 December: Mass and industry media (http://www.betanews.com/articl...) start to track the story intensively. PC Magazine: “It was supposed to be unbreakable; a next-gen DRM solution. Yet a hacker named muslix64 is now claiming he has cracked the Advanced Access Content System (AACS)...”
2 January 2007: Still no word from muslix64.
Hellreaper: muslix64 will either...Then muslix64 reappeared, to “clarify some points” and announce his impending disappearance:
...never post in here again
...or tell you soon that there were some problems with the program and that you will have to wait until xx.xx.2007.
Face the truth, it took about two years until DVD keys were extracted. If he/she had really done it, she/he [would] release the key extraction method. The program with the weakness would have been withdrawn or changed, no doubt, but it also would have been seriously verified that someone found a way to compromise the whole encryption/decryption process (not AACS itself). A real hacker/cracker is interested in releasing proof, not in releasing videos. You don’t get scene credits for releasing videos.
Setting the record straight.The doubters were not assuaged.
I spent the last few days reading a lot of articles on BackupHDDVD, reading a lot of people’s post/comments on various websites... Here is a list of affirmations I have seen lately:
Affirmation 1: You did not break AACS, just the player
My comment: I did not break AACS, but I find a way to decrypt movies and I have bypassed all the revocation system. Not that bad...
Affirmation 2: The BackupHDDVD circumvention tool won’t last long
My comment: As long as insecure players will exist, it will last... And insecure players will always exist, in fact you can extract keys from any player! Some players are just easier to extract the key from. Being lazy, I prefer to extract keys from an insecure player than a secure one. And the AACS spec says “Device keys must be protected!” but they did not said that about Volume key, fatal mistake!
Affirmation 3: The keys can easily be revoked.
My comment: What keys are you talking about? As I stated before, there is no such thing as “Title key revocation” and “Volume key revocation”. If someone publishes only Volume keys, there is no way to know from which player these keys were extracted, making the revocation system useless. They can do content revocation, but to revoke what? All movies before 2007? They can do player revocation, so I will just change the player I’m using, big deal...
So what is the AACS revocation system good at?
It is good for that scenario: Someone post on the net, a tool that do the complete decryption automatically. Of course the program use stolen Device keys from an official player. They (AACS and friends) will eventually get their hands on this program, look at the Device keys and revoke them. Making that player unable to play new titles. But the author of this program can pre-extract a bunch of Device keys from different players and release them, one at the time, when the previous one have been blacklisted. The AACS spec says “Device keys must be protected!” so I suppose they put more effort in protecting these keys then the Volume key in memory.
Affirmation 4: BackupHDDVD is nothing, only one person out of a million have the technical skills to extract keys.
My comment: BackupHDDVD is a proof of concept.
Few skilled persons can do massive Volume key extraction, and send the keys to a central server on the internet. Then, they create an easy to use decryption program, with a nice GUI that do online key recovery. That way, my father and your father can backup movies. Or they can send the keydb.cfg file on P2P networks (BitTorrent, E-Mule, etc..). See the problem now?
Affirmation 5: You can extract keys from software player on personal computer but not on hardware player.
My comment: It’s easier to extract keys from software player, but it also possible to extract keys from hardware player (the set-top box in your living room!)
The attack I describe in “Affirmation 4” is not here yet, but it’s coming. So I give MPAA and AACS a head start. Start to think what you can do about that.
To totally block this attack, they need to put different keys on every disk! Now, they only have different keys for different movies. I don’t know about the manufacturing process of the disk. This solution may not be possible.
The best they can do, is doing shorter manufacturing run of a particular movie, so it would be difficult to get your hand on every “pressing” of a movie.
When they design AACS, they assume people will look for the Device keys. I don’t care about Device keys. I do care about Volume key. Having the Device keys mean that you have to re-implements all the complex crypto and do the full AACS process. I leave all this dirty job to the player and recover only the Volume key.
There is 3 important things in cryptography:
1-Private key protection
2-Private key protection
3-Private key protection
Did I break AACS? I don’t know. What do you think?
I’m not going to work on this anymore, I’m taking a vacation!...
This may be my last post here.
I’m going to have a rest for a while.
Take care everyone and wish me good luck!
lazyn00b: **** Sorry, but without even one working key this is nothing but speculation. Sure, the BackupHDDVD program looks nice, but without verifiable proof that a Volume key has been actually been extracted, this is nothing to get excited about. Frankly, I now suspect that the youtube video is a hoax, and that muslix64 is just hoping against hope that some superhacker out there will figure out where PowerDVD HD hides the keys.noclip went a bit further:
You could say things like “I needed to use a debugger” or “I just looked at a memory dump” and you wouldn’t be breaking any law. Thanks and all, but it’s a little bit suspicious of you to deliberately avoid saying anything at all. Are you or have you ever been a Sony supports Blu-ray, which has not one but two levels of encryption, giving rise to speculation that muslix64 is a Blu-ray mole, coercing HD DVD partners into the Blu-ray camp. Hundreds of posts ensue, opining about the hiding place of the crucial keys. rmtaibo: “It’s a puzzle that muslix64 invited us to join...” Frustration mounts.
member of the Communist employee of the Sony Corporation?”
ridesideways: i can’t believe there is so much speculation and hype about this HD-DVD decrypter that muslix64 has written. all the guy did was write an implementation of an AACS decrypter in java, and he posted the source code. THIS IS NOT A DIFFICULT THING TO DO FOLKS—YOU CAN DOWNLOAD THE DAMN SPEC FROM A PUBLIC WEBSITE FOR GODS SAKE. since i am a software engineer, i would write same damn program in a week too, and so could every other software engineer in the world worth his salt. ah but there is more to the story. muslix64 goes on to claim that he’s extracted Volume keys from his HD-DVD disks— now that is one hell of a claim and actually takes some skill. BUT HE PROVIDES NOT ONE SHRED OF PROOF THAT HE’S ACTUALLY DONE THIS. anyone with a camcorder could make a you-tube movie with a blacked-out text screen where one claims to have secret Volume keys. until someone provides real evidence that they can reliably extract Volume keys from an HD-DVD player, this whole damn thread is all one gigantic waste of time.So who is muslix64, anyway? (http://www.hdnowonline.com/Com...)
muslix64: i wrote an aacs decrypter.
muslix64: and i’ve extracted Volume keys from my HD-DVD’s
me: wow that’s amazing, show me.
Mtz: musli > ilsum = “A function that counts the total number of true values in a vector declared LOGICAL. It returns zero if the number of elements, N, is less than one.” Even if all this is a fake, this guy is smart.
10 January: Frank Kao stumbles on a key.
To see muslix64’s Java code, I noticed that muslix64 did not do a very complex task. But now, so many people start dump PowerDVD’s memory and trace PowerDVD’s code, but we still cannot do the same thing as muslix64. Why? In the FAQ, muslix64 said he has two players and he found the key in the memory. So I give up trace PowerDVD’s code and try to dump WinDVD’s memory. Wa, I can found the Title key in the WinDVD’s memory and use this key to rip the movie. You should be curious about why I know this is a Title key. I just put the value into BackupHDDVD.Hmmm.
Now, I realize the whole muslix64’s story.
Warren: Care to enlighten us on how to find keys in WinDVD then Frank? Breakpoint addresses and instructions on how to find the key from there would be nice.
Frank Kao: Now, I can realize why muslix64 do not talk any more. This topic is too sensitive. I just want to say “muslix64 did not lie”. You can do it by yourself, and then you will find everything you want.
11 January: muslix64 reappeared from “vacation”.
Hint: Do you know about “known-plaintext attack”?Some senior members of Doom9 start to bare their fangs — cautiously.
It takes only few seconds to my keyfinder tool to locate the key in the memory dump file using the known-plaintext attack.
You don’t have to mess with tracing/debugging the code. Just dump the memory...
Janvitos: muslix64, without disrespect, i would like to know why you are giving us everything but precise information and how you believe this might help us out in the long run. I am no assembly programmer myself, and have been following this thread since the beginning, but have found little if no help with the “clues” you have been providing. In my understanding, you are trying to make a riddle out of this, which is, in my opinion, throwing people on different tracks and not necessarily “helping” out.Dim bulbs light above several programmers – a careful read of the full thread suggests that four or five participants, and probably a number of lurkers who chime in later, have caught on.
Hajj_3: muslix64, are the keys located at the same place each time? give us some more clues please!
Cyber1: I may be oldschool, but I think that many of todays young people want everything “served on a plate”... Personally I think muslix64 gave too many clues.
12 January: The dam breaks. Anger erupts after somebody posts a 16-line “riddle” at pastebin.com (http://pastebin.com/853659):
LordSloth, who provided the URL to the riddle, is summarily censured by a prickly moderator at Doom9, for irrelevance and obscurity.
2/Reavers are bad mmmmkay...Google 4TW!
Mark Twain Intermediate School
Restaurant & Lounge
Celtic Designs Dover Pictorial
Science Online Special Feature
Link Building Strategies
Dawson's Creek Music Guide Decisions
ways to market your small or solo business
Olivia Quinn Food Stamp Leaver
He-Man: ??? Are you sure you gave the right link?... it doesn’t seem to have any relation HD-DVD encryption.What does it mean?
Janvitos: I think some people are messing around with us. I followed that link too and get nothing relevant. Please ban the ignorants.
setarip_old: LordSloth: As an outside observer, having absolutely no involvement in the activity being pursued in this thread (although I'm certainly interested in its eventual outcome), I must say it's disconcerting to see you trying to make a “game” out of the loosely cooperative effort [of] the other posters to this thread. I'd suggest that if you have discovered a legitimate, meaningful “piece of the puzzle”, you should simply present it here - so that others can advance their combined efforts...
LordSloth: Yes the link is correct. It’s a scavenger hunt of some sort! And since I had to go through the trouble of following it myself, I’m not going to post the answer directly. I mean what fun would that be? Don’t get me wrong, I don’t take some sick pleasure in making others follow the same path I did. But it did seem the safest way to share the information.
setarip_old [lighting up]: I'd speculate you'd have to convert those to hex...
The first Google search result for each line in the riddle supplies one byte of a 16-byte decryption key:
Mark Twain Intermediate School => Mark Twain I.S. 239 for the Gifted & Talented
Restaurant & Lounge => 33 Restaurant & Lounge
Cent => 50 Cent
Celtic Designs Dover Pictorial => Amazon.com: 159 Celtic Designs (Dover Pictorial Archive Series ...
Science Online Special Feature => 125th Anniversary Issue: Science Online Special Feature
and so forth. Thus:
What movie is this a key for? EF 21 32 9F 7D 83 8D 9A 70 56 88 2D BF 66 5C D5
Decimal -> Hexadecimal
239 -> EF
033 -> 21
050 -> 32
159 -> 9F
125 -> 7D
131 -> 83
141 -> 8D
154 -> 9A
112 -> 70
086 -> 56
136 -> 88
045 -> 2D
191 -> BF
102 -> 66
092 -> 5C
213 -> D5
Answer: Title 2 of Serenity. Clues: “2/Reavers”, genetic mutants from another planet in the film.
The floodgates open:
Janvitos: I can confirm the following value “EF21329F7D838D9A7056882DBF665CD5” to be in WinDVD memory after playback of the movie Serenity.Within hours, keys for 30 films were revealed. A few days later, that number rose to 150, representing the majority of released HD DVD titles. Most disks decrypted readily and played beautifully.
Will continue to research this and update you with results.
luders: So this so far.....
Janivitos: Luders, replace the 0s with the SHA1 of the VTKF000.AACS file, which is “C8A57242AF4CB5C0D7848BDA10821F984DC656E0”
LordSloth: Now after I followed that crypted scavenger hunt and got the 2nd T[itle]K[ey], I searched for the key in WinDVD’s memory...and guess what I found...
The entire Title Key table decrypted!!!!
That’s right....the next 16 bytes after the 2nd key is the 3rd key and so on...
Janivitos: Alright, this is good news.
The key “EF21329F7D838D9A7056882DBF665CD5” is the 2nd key which decrypts the file UNILOGO.EVO from the movie Serenity. This is *CONFIRMED* and *WORKING*.
Here are all the keys for Serenity:
Here are the keys for KingKong:
To find these keys, my best advice would be to search your memory for “VPLST000.XPL” and they will be near one of the instances of it.
Now we have to find the Volume keys for a lot less trouble.
LordSloth: Volume Unique keys are located +0x13C0 after the 2nd Title key location
So to recap... Search for VPLST000.XPL in WinDVD’s memory (4th occurrence) and from that offset.
+0x0181 is the Decrypted T[itle]K[ey] table
+0x1571 is the Volume Unique Key
Granted these may vary from system to system and disc to disc.
Janvitos: I believe the offsets vary from movie to movie and computer to computer.
LordSloth: Looks like Janvitos confirmed they do since they don’t match what I posted. But just look somewhere around that region and you should be able to locate the T.K. table and the V.U.K..
Jerky-san: LOL! holy crap, the keys are flying... are the Volume keys in the same place every time? Or do they vary?
Janvitos: Serenity Volume Unique Key: D075568AE6BB0B3F85446927B3794C28
KingKong Volume Unique Key: 802F78B1B20D1183638D84E1A96D6EDD
12 Monkeys Volume Unique Key: 2662C05B5238B0C50BD1BDF693223712
The_ByteMaster: Unless the content gets revoked, the newer player will always have to determine the Volume Unique Key to decrypt the Title Keys. So unless your Serenity, King Kong and whatever else is compromised gets revoked, you *know* that at some point your new player will have to use that key. This will help to a large extent in compromising the new player (which will, in turn, compromise even more content). This is an avalanche that is hard to stop.
woah!: well i was missing the SHA1 hash number and now king king is working on a non-HDCP vcard in powerdvd... amazing stuff guyz...
dont know how long this will work but hats off to all of you that know your stuff.
Found valid HD-DVD source.
Look for this movie in my database
Found movie: KING KONG
Start backup on Fri Jan 12 20:00:13 PST 2007
Scaning video directory
Processing BLACK.EVO key = 3
Processing DELOGO.EVO key = 5
Processing MAINMENU.EVO key = 1
Processing MENULOOP.EVO key = 1
Processing SCREENSAVER.EVO key = 6
Processing UCONTROL.EVO key = 7
Processing UNILOGO.EVO key = 2
Processing FEATURE_1.EVO key = 4
oddball: Dammit guys it’s 4:25am here and I don’t want to go to bed this is so damned exciting!
merlin7777: Ha! Drink some coffee, take some artificial adrenaline, whatever you can do stay with us!
Okay, so what is the next step? Coding a program to do this automatically for us non-debugger smart people?
setarip_old: As an outside observer, I’d like to congratulate those of you who have actively participated (and are still participating) in this remarkable accomplishment – and also in such a remarkably short period of time!
What is most impressive to me is how foreshortened the effort became once the teamwork truly started amongst you.
If I wore a hat, it would be off to all of you – Great Work
calinb: I’ve been looking for a reason to learn a “modern” programming language – having been more of an assembly and C guy in the past. I’m sure others will whiz right past me in developing new tools and features but I could add this command line Volume Unique Key option, if there’s interest. (I feel like I should contribute something – damn day job had me shut down during most of this action!)
hajj_3: yeah Calinb, create an updated version of this and release the sourcecode, even if it is commandline, someone can then create a GUI version from it by knowing the sourcecode.
calinb: Okay...but I gotta get some sleep first. There are so many excellent programmers around here and this thread is moving so fast, someone will have probably beaten me to it by the time I awaken.
zeroprobe: can anyone confirm [whether] decrypted Title keys are the same regardless of which player is used?
If so, is that not game over, [because] we know what to look for on any updated software player?
jackchen: yes, every software and hardware player will always decrypt the Title key table and then get the same result. But AACS can revoke these titles so that you won’t be able to play these disks any more. But that will be a critical impact since there are already so many titles released in the field.
Hellreaper: In theory, this is about collecting and archiving keys.
With this weakness, you could find out the keys from all HD-DVDs released within [the past] 18 months.
Then you would have to find another weakness, because newer HD-DVDs wouldn’t work with the old software player. (even if it wasn’t compromised)
zeroprobe: someone already mentioned they found a Title key in powerdvd. The only way [AACS] can have a good chance at stopping this is blacklisting every single hddvd released thus far.
noclip: In case you’re having trouble finding the keys, search for the second occurrence of:
file:///required/and scroll down until you see something in the sea of 00s, that’s the T[itle]K[ey] block. Scroll down some more and the V[olume]K[ey] will be there.
Members now had a fairly reliable, if labor-intensive, hunt & peck method for discovering the keys needed to decrypt one HD DVD title. It was cumbersome, involved memory dumps and special software, and it didn’t always work; moreover there was no safe venue for a shared, public database of the Volume and/or Title Keys, accessible to ordinary unsophisticated users, which would not be swiftly shut down by DCMA. Still, AACS secrets were cascading out.
The Volume Key and Title Key are low-level keys in the authentication chain: from one of these keys, you can derive the other. But there are also higher order keys, which supersede all these low-level keys. Chief among them are the Media Key, with a different number embedded in each model of DVD player; and the true overlord, the Processing Key — a common number shared by all players. If Doom9 hackers published a Media Key, any user could decrypt any DVD simply by using that player; but AACS administrators would soon revoke the player’s license, disabling the player entirely after it tried to play one newer DVD containing new authentication keys and a new player revocation list. Henceforth ripping would become a cat and mouse game, with ever-shifting keys and incessant security updates to software, just like Windows XP. However, if Doom9 members published the Processing Key but kept the Media Key secret, AACS would have to revoke all players to preserve copy protection. The real goal of Doom9 hackers is an end to copy protection, full stop; so the Processing Key — presumed so deeply buried and thoroughly protected within the AACS code that discovery would take years — became the faint star toward which a few hackers steered. With the Processing Key, any user could decrypt without memory dumps or sniffing or anything special. Decryption, in short, could be easily repackaged as a standard desktop application.
SBeaver: I Googled and found this:As Doom9 members share long strings of numbers that they discover in memory dumps, some worry that they might inadvertently reveal a unique ID within their own hardware, which could expose their personal identity.
“Swiss-based Ph.D. Student Solves 48-bit
Key in RSA Data Security’s Secret-Key Challenge; Search rate by 3,500 computers reaches 1.5 trillion keys per hour”
Note that this was from 1997...
arnezami: Brute forcing these [keys] is not really an option (and not really required). But I believe we may be able to reduce [the calculation] much further so it can be very easily guessed.
arnezami: Wooow. I think I did it.Three months later, arnezami offered a final, polished version of his program to extract all keys (http://forum.doom9.net/showthr...). With that flourish, he too disappeared.
Processing Key found!!!
More info later.
To be sure I need to confirm my finding...
Yeah I’m happy...
arnezami [again, 50 minutes later]: YES YES YES!! It works!
I’m going to take some rest now (I need it). But will tell all later.
Here is the Processing Key which should work on all HD DVD discs (and maybe even Blu-Ray discs) released so far:
Save it. Store it. Regards.
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
hd1080p: Congrats everybody for the thrill of witnessing how DRM was defeated. February 11, 2007 is a day to be remembered.
I predict that movies will one day be liberated without DRM and we are all going to loose all the fun and excitement.
PS. As in [Lord of the Rings], this is the KEY(RING) to conquer all!!
It is better than the real movie show. You are a genius!!
Now, we have to find the processing key for Blu-ray to help out HD-DVD market position. Movie studios may just stop releasing new movies on HD-DVDs. There should be a level playing field for the competing formats.
jokin: Awesome awesome work.
evdberg: I made a small program that implements [arnezami’s key]. It works perfectly fine, and I am amazed that this one Processing Key every time works on the very first c-value (of 512 available)...
arnezami: Thanks you all. Its been a pleasure.
Some of you are interested in how I retrieved the Media and Processing Keys. I will tell what i did.
Most of the time I spend studying the AACS [specifications]. A good understanding of how things worked have helped me greatly in knowing what to find in the first place (and how to recognize something)...
I went back to my original idea: do a bottom-up approach. So first I tried to find the Media Key... No luck.
This was frustrating: all kinds of information was in the memdump but not the Media Key (I sort of assumed/hoped it would [be]). I made several memdumps at different moments but nada, nothing. After throwing it all away I remembered I still had a “corrupt” memdump from WinHex (it failed to finish because WinHex said the memory had changed). It was really small compared to the other [memdumps] so I didn’t have much hope. But: voila! I found it. Which finally gave me hope I was going in the right direction.
There were just two major problems left: how do you detect the Processing Key and if its not in memory how do you find it at all?... Then I realized why I first didn’t find the Media Key: it was removed from memory after the Volume ID was retrieved and the Volume Unique Key calculated. I also saw that in my “corrupt” memdump the V.U.K., Volume ID, Media Key, and Title Key MAC were all closely clustered in memory: in the first 50Kb (of the entire multi megabyte file!) but there were large empty parts around it. Almost as if it was cleaned up.
This gave me an idea: what I wanted to do is “record” all changes in this part of memory during startup of the movie. Hopefully I would catch something interesting. In the end I did something a little more efficient: I used the HD-DVD V.U.K. extractor (thanks ape!) and adapted it to slow down the software player (while scanning its memory continuously) and at the very moment the Media Key (which I now knew: my bottom-up approach really paid off here) was detected it halted the player. I then made a memdump with WinHex. I now had the feeling I had something.
And I did. Not surprisingly the very first C-value was a hit. I then checked if everything was correct, asked for confirmation, and here we are.
Hope you enjoyed the ride. I’m thinking about a proof of concept proggy which does all the steps (from Processing Key to C-value to Media Key to Volume ID to V.U.K.)... But the most important part is done: we have a Processing Key.
16 April: AACS announced the revocation of the PowerDVD and WinDVD software players. All owners were instructed to upgrade their software immediately, and told that they would not be able to play any disks released after May 2007.
17 April: Charles S. Sims of Proskauer Rose LLP, lawyers for AACS, sent cease and desist notices to Google and subsequently to other U.S. website owners, “demanding” under provisions of DMCA that they remove information about the Doom9 exploits which, according to Sims, constituted illegal “circumvention devices”. Among the recipients were Digg.com and Slashdot, which moved on 1 May to comply — DMCA “Safe Harbor” provides that websites which act promptly to remove illegal hosted content are not penalized.
A user revolt ensued, with repercussions still growing. Digg users drowned the Digg board in messages containing the magic number, disguised within shopping lists, song lyrics, poems, and tattooage; printed on T-shirts, screensavers, movie posters. Next day, Digg backed down and bent to the will of its users: “You’d rather see Digg go down fighting than bow down... We hear you, and effective immediately we won’t delete stories or comments containing the code and will deal with whatever the consequences might be.” Despite Google’s own takedown order, the BBC reported that after the cyber-riot at Digg, a Google search returned 700,000 pages containing the full numeric Processing Key, compared with 9,410 results three days earlier.
From the standpoint of authoritarians, the flood of user-generated content really means that there is so much undifferentiated noise on the Net that nobody knows where or what to hear. An illusion of ever-enlarging freedom is prolonged, even burnished, while truly important speech simply gets lost in the tumult of talk. How shall corporate interests and government, lawmakers specifically, react when users unexpectedly do rise up and demand new rules? An anecdotal review of legal commentators on the Web suggests that most think Digg’s legal position is weak. Stay tuned.
17 May 2007: Software publisher SlySoft, based in the West Indies, announced that AnyDVD, it’s hi-def DVD duplicator, has already cracked the refreshed AACS keys — a full week before the first HD DVD pressings with these new codes reach retail stores.
© 2018 rj of DemosNews
May 22, 2007 at 4:29pm
Genre: Technology (Hardware)
Tags: doom, aacs, drm, dmca, copy, protection, hi-def, dvd, free, speech
|Sara Hartley fascinating to overhear the dialogue as a fly on the wall, p...
Share Doom + Decryption - DigitalRightsManagement = Serenity: