26 December 2006: Doom9.net (http://www.doom9.net/) is a popular 6-year-old video site that proclaims itself “the definitive DVD backup resource.” Serious hackers who rip DVDs or re-author video and care about quality converge in Doom9’s forums, to discourse with an international community that includes real experts. On this day, a new Doom9 member pseudonamed muslix64 submitted his (her) first post to the Decryption forum at Doom9 (http://forum.doom9.net/showthr...): the program BackupHDDVD (http://rapidshare.com/files/11...), “a tool to decrypt an AACS protected movie that you own, so you can play it back later using an HD DVD player software”, together with the program source code, a FAQ, and an intriguing YouTube video of BackupHDDVD in action (http://www.cdr.cz/a/20159).

AACS stands for “Advanced Access Content System”, a copy protection scheme adopted by both HD DVD and Blu-ray, the competing optical disk formats for high definition DVD that are promoted by two big consortia representing virtually all name-brand hardware manufacturers, software publishers, and movie studios. AACS encrypts the content of films, and licenses decryption “keys” to the manufacturers of set-top (hardware) and computer (software) DVD players. Every hi-def DVD disk contains all the decryption keys for licensed players, with one unique key per player model. In theory, if a decryption key for a particular player is cracked, the ability of that player to decrypt future titles can be revoked (or changed by a firmware or software update) without affecting other players. The entire concept has always been deemed impractical, because it penalizes blameless owners of the cracked player, rendering their equipment useless without an upgrade, and it stigmatizes the manufacturer. Few consortia members believed revocation would ever happen. They signed on to AACS because they thought it was unbreakable.

muslix64 was pithy: “I was not aware of anyone having [beaten AACS], so I did.” Reaction at Doom9 during the next month stretched over thousands of posts. Fraternal concern emerged first, prompted by the two prosecutions of a Norwegian high school student, Jon Lech Johansen a.k.a. DVD Jon, who broke CSS, the “Content Scrambling System” that secured first-generation DVDs; and by the intimidation, allegedly by Macrovision, of Lightning UK, who authored the splendid DVD Decrypter tool and subsequently went underground in 2005. Doom9 seems to operate in perpetual anxiety about DMCA, the U.S. “Digital Millennium Copyright Act”, which criminalizes nearly all measures to circumvent copyright protection, including the dissemination of technology. Most members of Doom9 believe that it is their right to make copies, for their personal use, of media they own. Not surprisingly, Doom9 is alert to every industry deceit, e.g. the recent PR move to rename DRM (“Digital Rights Management”, or copy protection) to DCE, “Digital Consumer Enablement”.

XStylus: “Make sure you’ve taken appropriate measures to protect your identity, muslix64. You’ve done great work, and I’d hate to see you become another victim in the DRM battle.”
Hajj_3: “Yes, protect your identity and IP. Use proxies, firewalls etc etc... They will indeed hunt him down. I dont want this guy to end up in jail for 5 yrs, he’s done a great job.”
Devinator: “I agree. Not only would the people behind draconian copy protection BS sue you, they would disappear you if they thought they could get away with it.”
Dukey: “Should have posted the source from an Internet cafe or library or something. Then don’t have to worry about getting caught by IP/ISP.”

DeepBeepMeep: It doesn’t look like what [muslix64] has released contains any Title key. It ... has been deliberately replaced with [zeroes]... The real exploit lies in extracting the Title key from the memory of the software player. It is quite likely that if we had one Title key it shouldn’t be hard to get the others as long as the player is not considered compromised. But unless the author of this program releases [his] key extractor,... we are almost at the same point as before. All the information to write [muslix64’s code] is available publicly.
Deihmos: Did anyone confirm this working? It does not look that way, so is this a hoax or is it real?
Wookie Groomer: This has to be a hoax since it appears not a single person in the entire world except the original poster is claiming this works or can confirm anything. Let’s see some proof. A fancy edited You Tube Video is worthless without at least one key to test for ourselves.

LOS ANGELES (Reuters) - The companies behind an encryption system for high-definition DVDs are looking into a hacker’s claim that he has cracked the code protecting the new discs from piracy, a spokesman for one of the companies said Thursday. A hacker known as muslix64 posted on the Internet details of how he unlocked the encryption, known as the Advanced Access Content System, which prevents high-definition discs from illegal copying by restricting which devices can play them. The AACS system was developed by companies including Walt Disney Co., Intel Corp., Microsoft Corp., Toshiba Corp. and Sony Corp. to protect high-definition formats, including Toshiba’s HD-DVD and Sony’s Blu-ray. muslix64 posted a video and decryption codes showing how to copy several films, including Warner Bros’ Full Metal Jacket and Universal Studios’ Van Helsing, on a popular hacker Internet blog and a video-sharing site. The hacker also promised to post more source code on Jan. 2 that will allow users to copy a wider range of titles. A spokesman for one of the AACS companies, who declined to have the company identified, said they were aware of it and were looking into the claims, but would not elaborate.

Zag: The problem is that he gave very little information (nothing really) regarding how to obtain the Title keys. All he said was: “I won’t explain it in detail. Read the AACS doc first. You will understand. The Title keys are located on the disk in encrypted form, but for a content to be played, it has to be decrypted! So where is the decrypted version of the Title key? Think about it... ”

Hellreaper: muslix64 will either...
...never post in here again
...or tell you soon that there were some problems with the program and that you will have to wait until xx.xx.2007.
Face the truth, it took about two years until DVD keys were extracted. If he/she had really done it, she/he [would] release the key extraction method. The program with the weakness would have been withdrawn or changed, no doubt, but it also would have been seriously verified that someone found a way to compromise the whole encryption/decryption process (not AACS itself). A real hacker/cracker is interested in releasing proof, not in releasing videos. You don’t get scene credits for releasing videos.

Setting the record straight.
I spent the last few days reading a lot of articles on BackupHDDVD, reading a lot of people’s post/comments on various websites... Here is a list of affirmations I have seen lately:

Affirmation 1: You did not break AACS, just the player
My comment: I did not break AACS, but I find a way to decrypt movies and I have bypassed all the revocation system. Not that bad...

Affirmation 2: The BackupHDDVD circumvention tool won’t last long
My comment: As long as insecure players will exist, it will last... And insecure players will always exist, in fact you can extract keys from any player! Some players are just easier to extract the key from. Being lazy, I prefer to extract keys from an insecure player than a secure one. And the AACS spec says “Device keys must be protected!” but they did not said that about Volume key, fatal mistake!

Affirmation 3: The keys can easily be revoked.
My comment: What keys are you talking about? As I stated before, there is no such thing as “Title key revocation” and “Volume key revocation”. If someone publishes only Volume keys, there is no way to know from which player these keys were extracted, making the revocation system useless. They can do content revocation, but to revoke what? All movies before 2007? They can do player revocation, so I will just change the player I’m using, big deal...

So what is the AACS revocation system good at?
It is good for that scenario: Someone post on the net, a tool that do the complete decryption automatically. Of course the program use stolen Device keys from an official player. They (AACS and friends) will eventually get their hands on this program, look at the Device keys and revoke them. Making that player unable to play new titles. But the author of this program can pre-extract a bunch of Device keys from different players and release them, one at the time, when the previous one have been blacklisted. The AACS spec says “Device keys must be protected!” so I suppose they put more effort in protecting these keys then the Volume key in memory.

Affirmation 4: BackupHDDVD is nothing, only one person out of a million have the technical skills to extract keys.
My comment: BackupHDDVD is a proof of concept.

Picture this:
Few skilled persons can do massive Volume key extraction, and send the keys to a central server on the internet. Then, they create an easy to use decryption program, with a nice GUI that do online key recovery. That way, my father and your father can backup movies. Or they can send the keydb.cfg file on P2P networks (BitTorrent, E-Mule, etc..). See the problem now?

Affirmation 5: You can extract keys from software player on personal computer but not on hardware player.
My comment: It’s easier to extract keys from software player, but it also possible to extract keys from hardware player (the set-top box in your living room!)

Conclusion:
The attack I describe in “Affirmation 4” is not here yet, but it’s coming. So I give MPAA and AACS a head start. Start to think what you can do about that.
To totally block this attack, they need to put different keys on every disk! Now, they only have different keys for different movies. I don’t know about the manufacturing process of the disk. This solution may not be possible.
The best they can do, is doing shorter manufacturing run of a particular movie, so it would be difficult to get your hand on every “pressing” of a movie.

When they design AACS, they assume people will look for the Device keys. I don’t care about Device keys. I do care about Volume key. Having the Device keys mean that you have to re-implements all the complex crypto and do the full AACS process. I leave all this dirty job to the player and recover only the Volume key.

There is 3 important things in cryptography:

1-Private key protection
2-Private key protection
3-Private key protection

Did I break AACS? I don’t know. What do you think?

I’m not going to work on this anymore, I’m taking a vacation!...
This may be my last post here.
I’m going to have a rest for a while.
Take care everyone and wish me good luck!

lazyn00b: **** Sorry, but without even one working key this is nothing but speculation. Sure, the BackupHDDVD program looks nice, but without verifiable proof that a Volume key has been actually been extracted, this is nothing to get excited about. Frankly, I now suspect that the youtube video is a hoax, and that muslix64 is just hoping against hope that some superhacker out there will figure out where PowerDVD HD hides the keys.

You could say things like “I needed to use a debugger” or “I just looked at a memory dump” and you wouldn’t be breaking any law. Thanks and all, but it’s a little bit suspicious of you to deliberately avoid saying anything at all. Are you or have you ever been a member of the Communist employee of the Sony Corporation?”

ridesideways: i can’t believe there is so much speculation and hype about this HD-DVD decrypter that muslix64 has written. all the guy did was write an implementation of an AACS decrypter in java, and he posted the source code. THIS IS NOT A DIFFICULT THING TO DO FOLKS—YOU CAN DOWNLOAD THE DAMN SPEC FROM A PUBLIC WEBSITE FOR GODS SAKE. since i am a software engineer, i would write same damn program in a week too, and so could every other software engineer in the world worth his salt. ah but there is more to the story. muslix64 goes on to claim that he’s extracted Volume keys from his HD-DVD disks— now that is one hell of a claim and actually takes some skill. BUT HE PROVIDES NOT ONE SHRED OF PROOF THAT HE’S ACTUALLY DONE THIS. anyone with a camcorder could make a you-tube movie with a blacked-out text screen where one claims to have secret Volume keys. until someone provides real evidence that they can reliably extract Volume keys from an HD-DVD player, this whole damn thread is all one gigantic waste of time.

let’s recap:
muslix64: i wrote an aacs decrypter.
me: *yawn*
muslix64: and i’ve extracted Volume keys from my HD-DVD’s
me: wow that’s amazing, show me.
muslix64: no
me: *yawn*

Mtz: musli > ilsum = “A function that counts the total number of true values in a vector declared LOGICAL. It returns zero if the number of elements, N, is less than one.” Even if all this is a fake, this guy is smart.

To see muslix64’s Java code, I noticed that muslix64 did not do a very complex task. But now, so many people start dump PowerDVD’s memory and trace PowerDVD’s code, but we still cannot do the same thing as muslix64. Why? In the FAQ, muslix64 said he has two players and he found the key in the memory. So I give up trace PowerDVD’s code and try to dump WinDVD’s memory. Wa, I can found the Title key in the WinDVD’s memory and use this key to rip the movie. You should be curious about why I know this is a Title key. I just put the value into BackupHDDVD.
Now, I realize the whole muslix64’s story.

Warren: Care to enlighten us on how to find keys in WinDVD then Frank? Breakpoint addresses and instructions on how to find the key from there would be nice.

Frank Kao: Now, I can realize why muslix64 do not talk any more. This topic is too sensitive. I just want to say “muslix64 did not lie”. You can do it by yourself, and then you will find everything you want.

Hint: Do you know about “known-plaintext attack”?
It takes only few seconds to my keyfinder tool to locate the key in the memory dump file using the known-plaintext attack.
You don’t have to mess with tracing/debugging the code. Just dump the memory...

Janvitos: muslix64, without disrespect, i would like to know why you are giving us everything but precise information and how you believe this might help us out in the long run. I am no assembly programmer myself, and have been following this thread since the beginning, but have found little if no help with the “clues” you have been providing. In my understanding, you are trying to make a riddle out of this, which is, in my opinion, throwing people on different tracks and not necessarily “helping” out.
Hajj_3: muslix64, are the keys located at the same place each time? give us some more clues please!

Cyber1: I may be oldschool, but I think that many of todays young people want everything “served on a plate”... Personally I think muslix64 gave too many clues.

2/Reavers are bad mmmmkay...Google 4TW!

Mark Twain Intermediate School
Restaurant & Lounge
Cent
Celtic Designs Dover Pictorial
Science Online Special Feature
Link Building Strategies
Starlifter
Solar periodicity
Dawson's Creek Music Guide Decisions
Duncan's F
ways to market your small or solo business
WBFF
Olivia Quinn Food Stamp Leaver
Dalmations
CITI FM
Skippyslist

He-Man: ??? Are you sure you gave the right link?... it doesn’t seem to have any relation HD-DVD encryption.
Janvitos: I think some people are messing around with us. I followed that link too and get nothing relevant. Please ban the ignorants.
setarip_old: LordSloth: As an outside observer, having absolutely no involvement in the activity being pursued in this thread (although I'm certainly interested in its eventual outcome), I must say it's disconcerting to see you trying to make a “game” out of the loosely cooperative effort [of] the other posters to this thread. I'd suggest that if you have discovered a legitimate, meaningful “piece of the puzzle”, you should simply present it here - so that others can advance their combined efforts...
LordSloth: Yes the link is correct. It’s a scavenger hunt of some sort! And since I had to go through the trouble of following it myself, I’m not going to post the answer directly. I mean what fun would that be? Don’t get me wrong, I don’t take some sick pleasure in making others follow the same path I did. But it did seem the safest way to share the information.
setarip_old [lighting up]: I'd speculate you'd have to convert those to hex...

Mark Twain Intermediate School => Mark Twain I.S. 239 for the Gifted & Talented
Restaurant & Lounge => 33 Restaurant & Lounge
Cent => 50 Cent
Celtic Designs Dover Pictorial => Amazon.com: 159 Celtic Designs (Dover Pictorial Archive Series ...
Science Online Special Feature => 125th Anniversary Issue: Science Online Special Feature

Decimal -> Hexadecimal
------- -----------
239 -> EF
033 -> 21
050 -> 32
159 -> 9F
125 -> 7D
131 -> 83
141 -> 8D
154 -> 9A
112 -> 70
086 -> 56
136 -> 88
045 -> 2D
191 -> BF
102 -> 66
092 -> 5C
213 -> D5

Janvitos: I can confirm the following value “EF21329F7D838D9A7056882DBF665CD5” to be in WinDVD memory after playback of the movie Serenity.
Will continue to research this and update you with results.

luders: So this so far.....
0000000000000000000000000000000000000000=Serenity |T|MM/DD/YY|2-EF21329F7D838D9A7056882DBF665CD5

Janivitos: Luders, replace the 0s with the SHA1 of the VTKF000.AACS file, which is “C8A57242AF4CB5C0D7848BDA10821F984DC656E0”

LordSloth: Now after I followed that crypted scavenger hunt and got the 2nd T[itle]K[ey], I searched for the key in WinDVD’s memory...and guess what I found...
The entire Title Key table decrypted!!!!
That’s right....the next 16 bytes after the 2nd key is the 3rd key and so on...
Enjoy!

Janivitos: Alright, this is good news.
The key “EF21329F7D838D9A7056882DBF665CD5” is the 2nd key which decrypts the file UNILOGO.EVO from the movie Serenity. This is *CONFIRMED* and *WORKING*.

Here are all the keys for Serenity:
1-31325529846E19E90D88F414DA7D1661
2-EF21329F7D838D9A7056882DBF665CD5
3-46BE356597AD71BFFADEDA14FE335B64
4-8906E3E8B05EEC17E594E98D42C913FE
5-0F998F1C0C7FEB30381C01F135FBE8E9
6-97895F12C018845C9CDCE95DFF4101DF
7-6C005DA9DAA97E168129753319D748A1
8-0608D2628A9FE952398B0FB432BDB6B1
9-A24471CC766C6E7F7F56DB560CCD31E5
10-6EC977757A9E8AC378CC680770874E33
11-55962EA8084BF5135CB2ED5A5E795233

Here are the keys for KingKong:
1-7D743D3C92652CC16B66D9CB87F6D132
2-70B71C6E767E213AEB7456985BAAD8A4
3-4BC362995030035312A5B6030D76C817
4-A019B5101E904A700A44F056B7EB3579
5-896AB02D3D77554EABCE3CCE931DA39D
6-BEC07637E9C4EFA1F70FED6891DB277B
7-1DC0D276F2C5B9FCFDE1414C5002BAAB
8-BC7EB577D1936818AEB9241F024DE681

To find these keys, my best advice would be to search your memory for “VPLST000.XPL” and they will be near one of the instances of it.
Now we have to find the Volume keys for a lot less trouble.

LordSloth: Volume Unique keys are located +0x13C0 after the 2nd Title key location
So to recap... Search for VPLST000.XPL in WinDVD’s memory (4th occurrence) and from that offset.
+0x0181 is the Decrypted T[itle]K[ey] table
+0x1571 is the Volume Unique Key
Granted these may vary from system to system and disc to disc.

Janvitos: I believe the offsets vary from movie to movie and computer to computer.

LordSloth: Looks like Janvitos confirmed they do since they don’t match what I posted. But just look somewhere around that region and you should be able to locate the T.K. table and the V.U.K..

Jerky-san: LOL! holy crap, the keys are flying... are the Volume keys in the same place every time? Or do they vary?

Janvitos: Serenity Volume Unique Key: D075568AE6BB0B3F85446927B3794C28
KingKong Volume Unique Key: 802F78B1B20D1183638D84E1A96D6EDD
12 Monkeys Volume Unique Key: 2662C05B5238B0C50BD1BDF693223712

The_ByteMaster: Unless the content gets revoked, the newer player will always have to determine the Volume Unique Key to decrypt the Title Keys. So unless your Serenity, King Kong and whatever else is compromised gets revoked, you *know* that at some point your new player will have to use that key. This will help to a large extent in compromising the new player (which will, in turn, compromise even more content). This is an avalanche that is hard to stop.

woah!: well i was missing the SHA1 hash number and now king king is working on a non-HDCP vcard in powerdvd... amazing stuff guyz...
dont know how long this will work but hats off to all of you that know your stuff.

Code:
Testing source
Found valid HD-DVD source.
Look for this movie in my database
Found movie: KING KONG
Start backup on Fri Jan 12 20:00:13 PST 2007
Scaning video directory
Processing BLACK.EVO key = 3
Processing DELOGO.EVO key = 5
Processing MAINMENU.EVO key = 1
Processing MENULOOP.EVO key = 1
Processing SCREENSAVER.EVO key = 6
Processing UCONTROL.EVO key = 7
Processing UNILOGO.EVO key = 2
Processing FEATURE_1.EVO key = 4

oddball: Dammit guys it’s 4:25am here and I don’t want to go to bed this is so damned exciting!

merlin7777: Ha! Drink some coffee, take some artificial adrenaline, whatever you can do stay with us!
Okay, so what is the next step? Coding a program to do this automatically for us non-debugger smart people?

setarip_old: As an outside observer, I’d like to congratulate those of you who have actively participated (and are still participating) in this remarkable accomplishment – and also in such a remarkably short period of time!
What is most impressive to me is how foreshortened the effort became once the teamwork truly started amongst you.
If I wore a hat, it would be off to all of you – Great Work

calinb: I’ve been looking for a reason to learn a “modern” programming language – having been more of an assembly and C guy in the past. I’m sure others will whiz right past me in developing new tools and features but I could add this command line Volume Unique Key option, if there’s interest. (I feel like I should contribute something – damn day job had me shut down during most of this action!)

hajj_3: yeah Calinb, create an updated version of this and release the sourcecode, even if it is commandline, someone can then create a GUI version from it by knowing the sourcecode.

calinb: Okay...but I gotta get some sleep first. There are so many excellent programmers around here and this thread is moving so fast, someone will have probably beaten me to it by the time I awaken.

zeroprobe: can anyone confirm [whether] decrypted Title keys are the same regardless of which player is used?
If so, is that not game over, [because] we know what to look for on any updated software player?

jackchen: yes, every software and hardware player will always decrypt the Title key table and then get the same result. But AACS can revoke these titles so that you won’t be able to play these disks any more. But that will be a critical impact since there are already so many titles released in the field.

Hellreaper: In theory, this is about collecting and archiving keys.
With this weakness, you could find out the keys from all HD-DVDs released within [the past] 18 months.
Then you would have to find another weakness, because newer HD-DVDs wouldn’t work with the old software player. (even if it wasn’t compromised)

zeroprobe: someone already mentioned they found a Title key in powerdvd. The only way [AACS] can have a good chance at stopping this is blacklisting every single hddvd released thus far.

noclip: In case you’re having trouble finding the keys, search for the second occurrence of:
file:///required/
and scroll down until you see something in the sea of 00s, that’s the T[itle]K[ey] block. Scroll down some more and the V[olume]K[ey] will be there.

SBeaver: I Googled and found this:
“Swiss-based Ph.D. Student Solves 48-bit
Key in RSA Data Security’s Secret-Key Challenge; Search rate by 3,500 computers reaches 1.5 trillion keys per hour”
Note that this was from 1997...

arnezami: Brute forcing these [keys] is not really an option (and not really required). But I believe we may be able to reduce [the calculation] much further so it can be very easily guessed.

arnezami: Wooow. I think I did it.
Processing Key found!!!
More info later.
To be sure I need to confirm my finding...
Yeah I’m happy...

arnezami [again, 50 minutes later]: YES YES YES!! It works!
I’m going to take some rest now (I need it). But will tell all later.
Here is the Processing Key which should work on all HD DVD discs (and maybe even Blu-Ray discs) released so far:

Code:
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
Save it. Store it. Regards.

hd1080p: Congrats everybody for the thrill of witnessing how DRM was defeated. February 11, 2007 is a day to be remembered.
I predict that movies will one day be liberated without DRM and we are all going to loose all the fun and excitement.
Fairuse wins!!
PS. As in [Lord of the Rings], this is the KEY(RING) to conquer all!!
It is better than the real movie show. You are a genius!!
Now, we have to find the processing key for Blu-ray to help out HD-DVD market position. Movie studios may just stop releasing new movies on HD-DVDs. There should be a level playing field for the competing formats.

jokin: Awesome awesome work.

evdberg: I made a small program that implements [arnezami’s key]. It works perfectly fine, and I am amazed that this one Processing Key every time works on the very first c-value (of 512 available)...

arnezami: Thanks you all. Its been a pleasure.
Some of you are interested in how I retrieved the Media and Processing Keys. I will tell what i did.
Most of the time I spend studying the AACS [specifications]. A good understanding of how things worked have helped me greatly in knowing what to find in the first place (and how to recognize something)...
I went back to my original idea: do a bottom-up approach. So first I tried to find the Media Key... No luck.
This was frustrating: all kinds of information was in the memdump but not the Media Key (I sort of assumed/hoped it would [be]). I made several memdumps at different moments but nada, nothing. After throwing it all away I remembered I still had a “corrupt” memdump from WinHex (it failed to finish because WinHex said the memory had changed). It was really small compared to the other [memdumps] so I didn’t have much hope. But: voila! I found it. Which finally gave me hope I was going in the right direction.
There were just two major problems left: how do you detect the Processing Key and if its not in memory how do you find it at all?... Then I realized why I first didn’t find the Media Key: it was removed from memory after the Volume ID was retrieved and the Volume Unique Key calculated. I also saw that in my “corrupt” memdump the V.U.K., Volume ID, Media Key, and Title Key MAC were all closely clustered in memory: in the first 50Kb (of the entire multi megabyte file!) but there were large empty parts around it. Almost as if it was cleaned up.
This gave me an idea: what I wanted to do is “record” all changes in this part of memory during startup of the movie. Hopefully I would catch something interesting. In the end I did something a little more efficient: I used the HD-DVD V.U.K. extractor (thanks ape!) and adapted it to slow down the software player (while scanning its memory continuously) and at the very moment the Media Key (which I now knew: my bottom-up approach really paid off here) was detected it halted the player. I then made a memdump with WinHex. I now had the feeling I had something.
And I did. Not surprisingly the very first C-value was a hit. I then checked if everything was correct, asked for confirmation, and here we are.
Hope you enjoyed the ride. I’m thinking about a proof of concept proggy which does all the steps (from Processing Key to C-value to Media Key to Volume ID to V.U.K.)... But the most important part is done: we have a Processing Key.