hyugogirubato / keydive Goto Github PK

Apart from the bin and pem files, theres a third wvd file created when extracting from sdk emu. google_sdk_gphone64_x86_64_xxxx_xxxxxxxxx_xxxxxx_l3.wvd

Is this somehow important that I need to keep? Or can it be deleted?

Resolved

Good morning everyone, I am stuck here, how can I continue,Can somebody help me? thank you

Can I please get your teleram or mail?

I need to collaborate to work on a project to fetch and mimic play integrity tokens
I did some research and figured out it is something we can achieve. I'm just lacking skills to continue that hooking part in gms like u did in liboemcrypto. I'll be waiting for your response.

Thank you

Hi, I installed Magisk Frida (the module) and I tried to dump CDM keys, but I get this:

🤔

So basically when I provide the functions.xml then it gives this error

But when I remove that functions as stated in #2 then I get this
It is basically using the SDK 30 by default is that the issue? Or what?

This error is 4 times coz everytime I tried to play video (in this case 4 times) it gave the same error

I want to get my keys from the bin file to use it with mp4decrypt and ytdlp. Is this possible?

After playing the DRM content the key gets printed to the terminal (RSA private key) but the files aren't being created at all.
It prints the key and [D] Script: Function getPrivateKey() at 0x74fa4d9f80 but client_id.bin and private_key.pem aren't created.

• Device: SM-A546E
• Android: SDK 34 (arm64-v8a).
• Vendor: CDM version: 18.0.0
• Vendor: OEM Crypto API: 18
• KeyDive: Process: 1132 (android.hardware.drm-service.widevine)
• Win10 x64

Edit: tested on other device (sdk 31, cdm 16.1.0) and it worked perfectly!

I have encountered a problem again, I'm a Xiaomi phone, the current software detection is L1, the use of the document provides a mask plug-in to disable L1, but the disable failed, The device is stuck on the startup screen, Fortunately, the brick saving plugin is installed, how to solve the problem?

Hi, I used the scripts from https://github.com/sim0n00ps/L3-Dumping and change few things for being automatic with a single batch file, what do you think? The setup is that same from the repository I shared. I'm not used to do this so it's the best I can do. It happens the script can block itself to the Frida Server starting, just restarting the script solve the issue.

@echo off

::Script source: https://github.com/sim0n00ps/L3-Dumping

echo.
echo.
echo ####################################################
echo #                                                  #
echo #                KeyDive script                    #
echo #       Widevine L3 Extractor for Android          #
echo #                                                  #
echo #                                                  #
echo #          PHONE MUST BE ROOTED TO WORK.           #
echo #                                                  #
echo ####################################################
echo.
echo.


set /P c=Do you want to install requirements.txt[Y/N]?
if /I "%c%" EQU "Y" goto :install_python_requirements
if /I "%c%" EQU "N" goto :keydive


:install_python_requirements
echo.
echo #################################
echo #                               #
echo #  Installing requirements.txt  #
echo #                               #
echo #################################
echo.
echo A new window will open for requirements.txt in 5 sec. Once everything installs, you can close the window.
timeout /t 5 > nul
start cmd /k pip install -r requirements.txt
pause


:KeyDive

::Frida Server initialization
echo.
echo.
echo ###########################
echo #                         #
echo #  Starting Frida Server  #
echo #                         #
echo ###########################
echo.
echo.

set adb_path="YOUR PATH TO adb.exe HERE"
set frida_server_name=YOUR FRIDA SERVER VERSION HERE

cd /d "C:\platform-tools"

%adb_path% push %frida_server_name% /sdcard

echo su > commands.txt
echo mv /sdcard/%frida_server_name% /data/local/tmp >> commands.txt
echo chmod +x /data/local/tmp/%frida_server_name% >> commands.txt
echo /data/local/tmp/%frida_server_name% >> commands.txt
%adb_path% shell < commands.txt
del commands.txt


::KeyDive start
echo.
echo.
echo ####################
echo #                  #
echo #     KeyDive      #
echo #                  #
echo ####################
echo.
echo.

set "folder_path=YOUR PATH HERE"

set "python_script=keydive.py"

cd /d "%folder_path%"

python "%python_script%"

pause
endlocal

2024-08-08 11:31:21 [I] KeyDive: Version: 2.0.8
2024-08-08 11:31:22 [I] Core: Device: Pixel 3 (891X04AHR)
2024-08-08 11:31:23 [I] Core: SDK API: 28
2024-08-08 11:31:23 [I] Core: ABI CPU: arm64-v8a
2024-08-08 11:31:23 [I] Core: Script loaded successfully
2024-08-08 11:31:23 [I] KeyDive: Watcher delay: 2.0s
2024-08-08 11:31:23 [D] KeyDive: Analysing...
2024-08-08 11:31:23 [I] Core: Library: libwvhidl.so (/vendor/lib64/libwvhidl.so)
2024-08-08 11:31:23 [D] Script: Hooked (0x7ba0d58674): bnomcggp
2024-08-08 11:31:23 [D] Script: Hooked (0x7ba0cc3414): _ZN5wvcdm10Properties23GetCdmClientPropertySetERKNSt3__112basic_stringIcNS1_11char_traitsIcEENS1_9allocatorIcEEEE
2024-08-08 11:31:23 [D] Script: Hooked (0x7ba0d58794): bmmodzuz
2024-08-08 11:31:23 [D] Script: Hooked (0x7ba0d58af8): birbsmsd
2024-08-08 11:31:23 [D] Script: Hooked (0x7ba0d588c8): vzonshxu
2024-08-08 11:31:23 [D] Script: Hooked (0x7ba0d5a6e8): qtwoquvu
2024-08-08 11:31:23 [D] Script: Hooked (0x7ba0cc35c8): _ZN5wvcdm10Properties14UsePrivacyModeERKNSt3__112basic_stringIcNS1_11char_traitsIcEENS1_9allocatorIcEEEE
2024-08-08 11:31:23 [D] Script: Hooked (0x7ba0d58894): pafundwz
2024-08-08 11:31:23 [D] Script: Hooked (0x7ba0d596d4): ffclmzgx
2024-08-08 11:31:23 [D] Script: Hooked (0x7ba0d5ab98): ncmqbmbc
2024-08-08 11:31:23 [D] Script: Hooked (0x7ba0d5a054): nisionfx
2024-08-08 11:31:23 [D] Script: Hooked (0x7ba0d522b8): _ZN5wvdrm8hardware3drm4V1_18widevine11WVDrmPlugin20CdmIdentifierBuilder20getOemcryptoDeviceIdEPNSt3__112basic_stringIcNS6_11char_traitsIcEENS6_9allocatorIcEEEE
2024-08-08 11:31:23 [D] Script: Hooked (0x7ba0d591ac): aucgueyc
2024-08-08 11:31:23 [D] Script: Hooked (0x7ba0d59bf0): uyeqpizj
2024-08-08 11:31:23 [D] Script: Hooked (0x7ba0d58714): ezlwnpmd
2024-08-08 11:31:23 [D] Script: Hooked (0x7ba0d5aab8): ypyubjuo
2024-08-08 11:31:23 [D] Script: Hooked (0x7ba0c5ee5c): ZN5wvcdm10CdmLicense17PrepareKeyRequestERKNS_18InitializationDataENS_14CdmLicenseTypeERKNSt3__13mapINS5_12basic_stringIcNS5_11char_traitsIcEENS5_9allocatorIcEEEESC_NS5_4lessISC_EENSA_INS5_4pairIKSC_SC_EEEEEEPSC_SM
2024-08-08 11:31:23 [D] Script: Hooked (0x7ba0d5a9ec): frugjfxz
2024-08-08 11:31:23 [D] Script: Hooked (0x7ba0d58870): dvynlnsn
2024-08-08 11:31:23 [D] Script: Hooked (0x7ba0d58f6c): kkjmrxxp
2024-08-08 11:31:23 [D] Script: Hooked (0x7ba0d5883c): fsnjtqti
2024-08-08 11:31:23 [D] Script: Hooked (0x7ba0d58d38): plzfrxzg
2024-08-08 11:31:23 [I] Script: Library liboemcrypto.so was not found
2024-08-08 11:31:23 [I] KeyDive: Process: 852 ([email protected])
2024-08-08 11:31:23 [I] KeyDive: Successfully hooked

This is the run log,The log shows "Library liboemcrypto.so was not found"

hello. First of all, thank you so much for developing the program. This may be a bit of a rude question as I don't know much about this field, but when I try to extract the key, I keep getting the above error. How do I fix it?
Thank you for reading and thank you again for developing this program.

I have my phone rooted with Magisk. I have Frida too. When I try this script I have the following error:
"2024-07-07 17:53:24 [E] Core: unable to access process with pid 719"

How can I solve this?

Would it be possible to add an 'upgrade' function via pip.

I want to use it internally in android somehow because the app detects frida and usb debugging. It's very intensely obfuscated and I tried to play video somehow by turning on dev options in the middle of the video but no luck.
It would be better if an xposed module would be created to look the android framework directly or any other executable for Android itself. Or isn't it possible?

agt:~/Programming/gits/KeyDive$ py keydive.py -a -d 2729xxxxx42 --functions /home/agt/android.hardware.drm-service.widevine2.xml
2024-05-31 11:20:19 [I] KeyDive: Version: 1.0.8
2024-05-31 11:20:19 [I] Cdm: Device: Pixel 6a (272xxxxx142)
2024-05-31 11:20:19 [I] Cdm: SDK API: 34
2024-05-31 11:20:19 [I] Cdm: ABI CPU: arm64-v8a
2024-05-31 11:20:19 [I] Cdm: Script loaded successfully
2024-05-31 11:20:19 [D] Cdm: Analysing... (android.hardware.drm-service.widevine)
2024-05-31 11:20:19 [D] Cdm: Analysing... (android.hardware.drm-service.widevine)
2024-05-31 11:20:20 [D] Cdm: Analysing... (mediaserver)
2024-05-31 11:20:20 [I] Vendor: CDM version: 18.0.0
2024-05-31 11:20:20 [I] Vendor: OEM Crypto API: 18
2024-05-31 11:20:20 [I] KeyDive: Process: 965 (android.hardware.drm-service.widevine)
2024-05-31 11:20:20 [I] Cdm: Library: android.hardware.drm-service.widevine (/apex/com.google.android.widevine/bin/hw/android.hardware.drm-service.widevine)
2024-05-31 11:20:20 [D] Script: Hooked (0x565c2aa6e8): wvcdm::Properties::UsePrivacyMode
2024-05-31 11:20:20 [D] Script: Hooked (0x565c2e3a84): wvcdm::CdmLicense::PrepareKeyRequest
2024-05-31 11:20:20 [D] Script: Hooked (0x565c36fa00): ocnywnen
2024-05-31 11:20:20 [I] KeyDive: Successfully hooked. To test, play a DRM-protected video: https://bitmovin.com/demos/drm
2024-05-31 11:20:20 [I] KeyDive: Starting DRM player launch process...
2024-05-31 11:20:22 [C] Script: No data for device info, invalid argument position
2024-05-31 11:20:22 [I] KeyDive: Exiting

keydive repeatedly gets stuck here. Chrome launches with bitmovin and exits. Error message is "No data for device info, invalid argument position"
functions.zip

I have downgraded from L1 to L3 using oemcryptodisabler but somehow it still cannot hook to the process. It seems like it can't even find the process(?)

Also attached here is my function.xml file
function.zip

what makes keydive unable to do so?

Hi. I'm getting the error in the title and I'm not too sure how to proceed. What should I do to troubleshoot?

Android 12

It's on my phone.

31: (16, '16.0.1', '[email protected]', '[email protected]')

Newer versions don't work, older versions do

I installed ghidra but where can I find the elf binary to load onto it? Searched for 'widevine' and 'elf' in program folder and sdk but cannot find it. The functions.md does not hint at where it can be found.

2024-04-28 02:32:27 [I] KeyDive: Version: 1.0.5
2024-04-28 02:32:27 [I] Cdm: Device: Android Emulator 5554 (emulator-5554)
2024-04-28 02:32:28 [I] Cdm: SDK API: 34
2024-04-28 02:32:28 [I] Cdm: ABI CPU: x86_64
2024-04-28 02:32:29 [I] Cdm: Script loaded successfully
2024-04-28 02:32:30 [D] Cdm: Analysing... (android.hardware.drm-service.widevine)
2024-04-28 02:32:31 [D] Cdm: Analysing... (android.hardware.drm-service.widevine)
2024-04-28 02:32:31 [D] Cdm: Analysing... (mediaserver)
2024-04-28 02:32:32 [I] Vendor: CDM version: 18.0.0
2024-04-28 02:32:32 [I] Vendor: OEM Crypto API: 18
2024-04-28 02:32:34 [I] KeyDive: Process: 399 (android.hardware.drm-service.widevine)
2024-04-28 02:32:34 [I] Cdm: Library: android.hardware.drm-service.widevine (/apex/com.google.android.widevine/bin/hw/android.hardware.drm-service.widevine)
2024-04-28 02:32:34 [D] Script: Hooked (0x56dd4893ff60): wvcdm::Properties::UsePrivacyMode
2024-04-28 02:32:34 [D] Script: Hooked (0x56dd4897dc70): wvcdm::CdmLicense::PrepareKeyRequest
2024-04-28 02:32:34 [D] Script: Hooked (0x56dd48a06410): zgtjmxko
2024-04-28 02:32:34 [I] KeyDive: Successfully hooked. To test, play a DRM-protected video: https://bitmovin.com/demos/drm
2024-04-28 02:33:28 [D] Script: Function getPrivateKey() at 0x56dd48a06410
2024-04-28 02:33:29 [D] Cdm: Retrieved key:
2024-04-28 02:34:02 [I] Cdm: Dumped client ID: device\Android Emulator 5554\private_keys\28615\2912315519\client_id.bin
2024-04-28 02:34:02 [I] Cdm: Dumped private key: device\Android Emulator 5554\private_keys\28615\2912315519\private_key.pem
2024-04-28 02:34:03 [I] KeyDive: Exiting

i didnt get clear keys

Hi, everything goes right until I get this error (I just updated in the version 1.0.5, the folder name is not important)

Hi everyone, I am stuck here. How can I continue. Can somebody help me? thank you!