Blu-ray and AACS
Janvitos
18th January 2007, 06:30
Well, since I was interested in HD DVD, I am now interested in Blu-ray.
I bought an 800$ (CAD) Blu-ray burner and bought the "Lord of War" movie and will be working on this (for a while I guess).
PowerDVD BD doesn't play the movie properly AT ALL (looks like when you have a defective pipeline in your video card).
WinDVD plays it just fine, and I'm about to go through the memory with WinHEX.
Here is what the directory structure looks like:
Volume in drive E is LOGICAL_VOLUME_ID
Volume Serial Number is 3C05-DB57
Directory of E:\
05/31/2006 05:21 AM <DIR> BDMV
05/31/2006 05:21 AM <DIR> AACS
05/31/2006 05:21 AM <DIR> CERTIFICATE
0 File(s) 0 bytes
Directory of E:\BDMV
05/31/2006 05:18 AM 180 index.bdmv
05/31/2006 05:18 AM 33,714 MovieObject.bdmv
05/31/2006 05:21 AM <DIR> PLAYLIST
05/31/2006 05:21 AM <DIR> CLIPINF
05/31/2006 05:21 AM <DIR> STREAM
05/31/2006 05:21 AM <DIR> AUXDATA
05/31/2006 05:21 AM <DIR> META
05/31/2006 05:21 AM <DIR> BDJO
05/31/2006 05:21 AM <DIR> JAR
05/31/2006 05:21 AM <DIR> BACKUP
2 File(s) 33,894 bytes
Directory of E:\BDMV\PLAYLIST
05/31/2006 05:18 AM 470 00000.mpls
05/31/2006 05:18 AM 234 00001.mpls
05/31/2006 05:18 AM 216 00002.mpls
05/31/2006 05:18 AM 232 00003.mpls
05/31/2006 05:18 AM 159,954 00004.mpls
05/31/2006 05:18 AM 168 00005.mpls
6 File(s) 161,274 bytes
Directory of E:\BDMV\CLIPINF
05/31/2006 05:18 AM 65,924 00000.clpi
05/31/2006 05:18 AM 292 00005.clpi
05/31/2006 05:18 AM 824 00001.clpi
05/31/2006 05:18 AM 2,016 00002.clpi
05/31/2006 05:18 AM 940 00003.clpi
05/31/2006 05:18 AM 612 00004.clpi
05/31/2006 05:18 AM 292 00006.clpi
05/31/2006 05:18 AM 396 00007.clpi
8 File(s) 71,296 bytes
Directory of E:\BDMV\STREAM
05/31/2006 05:17 AM 22,602,240,000 00000.m2ts
05/31/2006 05:18 AM 4,546,560 00005.m2ts
05/31/2006 05:17 AM 142,307,328 00001.m2ts
05/31/2006 05:17 AM 372,750,336 00002.m2ts
05/31/2006 05:18 AM 167,755,776 00003.m2ts
05/31/2006 05:18 AM 61,009,920 00004.m2ts
05/31/2006 05:18 AM 1,419,264 00006.m2ts
05/31/2006 05:18 AM 7,127,040 00007.m2ts
8 File(s) 23,359,156,224 bytes
Directory of E:\BDMV\BACKUP
05/31/2006 05:18 AM 180 index.bdmv
05/31/2006 05:18 AM 33,714 MovieObject.bdmv
05/31/2006 05:21 AM <DIR> PLAYLIST
05/31/2006 05:21 AM <DIR> CLIPINF
05/31/2006 05:21 AM <DIR> BDJO
2 File(s) 33,894 bytes
Directory of E:\BDMV\BACKUP\PLAYLIST
05/31/2006 05:18 AM 470 00000.mpls
05/31/2006 05:18 AM 234 00001.mpls
05/31/2006 05:18 AM 216 00002.mpls
05/31/2006 05:18 AM 232 00003.mpls
05/31/2006 05:18 AM 159,954 00004.mpls
05/31/2006 05:18 AM 168 00005.mpls
6 File(s) 161,274 bytes
Directory of E:\BDMV\BACKUP\CLIPINF
05/31/2006 05:18 AM 65,924 00000.clpi
05/31/2006 05:18 AM 292 00005.clpi
05/31/2006 05:18 AM 824 00001.clpi
05/31/2006 05:18 AM 2,016 00002.clpi
05/31/2006 05:18 AM 940 00003.clpi
05/31/2006 05:18 AM 612 00004.clpi
05/31/2006 05:18 AM 292 00006.clpi
05/31/2006 05:18 AM 396 00007.clpi
8 File(s) 71,296 bytes
Directory of E:\AACS
05/31/2006 05:18 AM 1,048,576 MKB_RO.inf
05/31/2006 05:18 AM 1,048,576 MKB_RW.inf
05/31/2006 05:18 AM 1,048,576 ContentRevocation.lst
05/31/2006 05:18 AM 65,536 Unit_Key_RO.inf
05/31/2006 05:18 AM 192 Content000.cer
05/31/2006 05:18 AM 2,048 CPSUnit00001.cci
05/31/2006 05:18 AM 1,571 mcmf.xml
05/31/2006 05:21 AM <DIR> DUPLICATE
05/31/2006 05:18 AM 950,552 ContentHash000.tbl
8 File(s) 4,165,627 bytes
Directory of E:\AACS\DUPLICATE
05/31/2006 05:18 AM 1,048,576 MKB_RO.inf
05/31/2006 05:18 AM 1,048,576 MKB_RW.inf
05/31/2006 05:18 AM 1,048,576 ContentRevocation.lst
05/31/2006 05:18 AM 65,536 Unit_Key_RO.inf
05/31/2006 05:18 AM 192 Content000.cer
05/31/2006 05:18 AM 2,048 CPSUnit00001.cci
05/31/2006 05:18 AM 1,571 mcmf.xml
05/31/2006 05:18 AM 950,552 ContentHash000.tbl
8 File(s) 4,165,627 bytes
Directory of E:\CERTIFICATE
05/31/2006 05:21 AM <DIR> BACKUP
0 File(s) 0 bytes
Total Files Listed:
56 File(s) 23,368,020,406 bytes
16 Dir(s) 0 bytes free
--------------------------------------------
I hope I have some other people to help out with this...
We need to kick DRM in the butt ! :)
Eeknay
18th January 2007, 07:48
It wouldn't be too hard to modify BackupHDDVD to recognize the BD file structure. Just change a few things here and there, I don't see why it wouldn't work.
mrazzido
18th January 2007, 11:04
hey guys my first post :-) , I have a Blu-ray burner too, the "lg gbw-h10n". I have the German version of "ICE AGE II" as a Blu-ray movie. It's the same: PowerDVD does not work :-( on analog monitor, WinDVD works fine for me too!!
I uploaded the directory structure of the movie to an upload center
LINK (http://www.file-upload.net/download-180669/ice.txt.html) my movie has more files than Janvitos' movie.
I searched the memory dump for .bdmv. I think the index.bdmv is the same as VPLST000.XPL. I found the .bdmv many times in memory.
sorry for the bad English writing :-) can't write good English :D
if I can help anyone with cracking BD I am here :-)
noclip
18th January 2007, 14:58
Your best bet looks like Unit_Key_RO.inf in the AACS directory.
Janvitos
18th January 2007, 17:27
My Unit_Key_RO.inf is almost empty (full of zeros). There's a few ones at the beginning, and then a few lines below there's a 16 byte string.
mrazzido
18th January 2007, 17:47
I checked my Unit_Key_RO.inf of Ice Age II PAL German, it's the same: many 00, then some bytes, and then many 00 :-D
Janvitos
18th January 2007, 21:00
I have uploaded a WinHEX memory dump of the playback of "Lord of War" Blu-ray movie for the ones interested.
Here is the link:
* deleted for security reasons *
Enjoy !
Janvitos
19th January 2007, 15:54
Alright. Here's an update on the situation with Blu-ray.
I've been reading the documents concerning AACS and the Blu-ray format.
There are a lot of interesting things in there but it seems that we're gonna have a harder time with this than HD DVD.
First of all, it seems like the Blu-ray format has a tendency to only use 1 key instead of many.
This might be a problem when trying to search the memory dumps since we are looking for a single 128 bit key rather than 8, 11 or even 60.
Just to let you know, the Blu-ray format employs the term "CPS Unit Key" rather than "Title Key" but both are the same.
They also talk about Volume Unique Key which means they most likely also use it.
One of the other major drawbacks would be the lack of clues residing inside the CPS Unit Key File (Title Key File).
The Title Key File for the HD DVD format has plain text strings (such as VPLST000.XPL) but the CPS Unit Key File has none.
The file is mostly comprised of zeros and the encrypted key.
In the end of the line, we pretty much will have to follow a different path than we did with HD DVD.
Another important matter, and a question I will dare ask: are the keys for Blu-ray in WinDVD's memory?
Unfortunately I cannot check PowerDVD's memory because the program tells me my graphics driver is not HDCP compliant (although I can play back Blu-ray movies through WinDVD just fine).
I also tried a most recent version of PowerDVD but this one doesn't seem to play back video properly as I get sound, but really ugly / scrambled-like video.
I will continue to work on this like I did with HD DVD.
2bigkings
19th January 2007, 16:03
@janvitos, what TFT screen do you have? But you can play back HD DVD, or?
good luck with blu-ray cracking ;-)
Janvitos
19th January 2007, 16:05
I have a 37" 1080p (DVI / VGA) screen.
It's currently plugged through VGA since the DVI port is not HDCP compliant.
2bigkings
19th January 2007, 16:16
oh so that's a TV and not only a TFT PC screen..
I've got a non-HDCP TFT screen and it works fine (HD DVD). What does the CyberLink BD/HD advisor say about your PC system?
Janvitos
19th January 2007, 16:40
It says my graphics driver is not compatible.
I believe I have the most recent Catalyst driver (7.1) and the problem might be that the PowerDVD version that shipped with the Blu-ray drive doesn't recognize the drivers.
2bigkings
19th January 2007, 18:08
I don't have a BD drive, but I've got the Catalyst driver 7-1_xp_dd_40211 and PowerDVD Ultra, and BD advisor says that everything's ok!
which Blu-ray PowerDVD version do you have?
Janvitos
19th January 2007, 18:15
The LG version that came with the drive.
As I said above, the newer standalone version doesn't play the movie well at all.
muslix64
20th January 2007, 05:24
In less than 24 hours, without any Blu-ray equipment, but with the help of Janvitos, I managed to decrypt and play a Blu-ray media file using my known-plaintext attack...
The file from the movie "Lord of War" plays well with VideoLan.
Janvitos gave me a few files from the BD disc and a memory dump...
Note that I don't address BD+. The file doesn't seem to be BD+ protected.
I will keep you informed if I find anything new...
muslix64
20th January 2007, 05:38
You can have a look at that file at:
http://rapidshare.com/files/12497232/00007decrypted.m2ts.html
Merlin7777
20th January 2007, 05:43
Yeah!!!!!
Way to roll, muslix64! Kick ass!!
can't wait till the drives drop down in price though.
honai
20th January 2007, 06:19
PWNZ0RZ!
The nice thing about Blu-ray is that DD+ tracks are coded differently than for HD DVD, namely that they contain a DD-compatible core, i.e. ripped DD+ tracks from Blu-ray titles should play fine with conventional A/52 (a.k.a. AC3) audio decoders.
Galileo2000
20th January 2007, 06:51
Amazing.
Muslix64 should be served and protected by the freedom-loving HDCP-hating people of the world!
woah!
20th January 2007, 07:05
BR is now doing their encodes with the VC-1 codec as well, like HD DVD does. These are MPEG2 files I assume, yes?
Shinigami-Sama
20th January 2007, 07:26
BR is now doing their encodes with the VC-1 codec as well, like HD DVD does. These are MPEG2 files I assume, yes?
no
VC-1 is a WMV-9 type file
MidnightWatcher
20th January 2007, 07:44
BR is now doing their encodes with the VC-1 codec as well, like HD DVD does. These are MPEG2 files I assume, yes?
Some are VC1, some are MPEG4, most are MPEG2.
noclip
20th January 2007, 07:48
DHCP-hating people of the world!
Why do you hate DHCP? It's what allows you to connect your home network to the internet!
Galileo2000
20th January 2007, 08:01
Why do you hate DHCP? It's what allows you to connect your home network to the internet!
LOL, got caught on my first post. Of course I meant HDCP, thanks for pointing it out.
mrazzido
20th January 2007, 09:19
wow very great muslix64!!! :-) I have BD too, if I can help you don't hesitate to contact me :-)
arnezami
20th January 2007, 10:39
I just love this part :D
I'm really enjoying this. Somehow it feels like victory...
2bigkings
20th January 2007, 10:44
file works fine (1920x1080) :)
Devinator
20th January 2007, 10:46
Some are VC1, some are MPEG4, most are MPEG2.
Most are still MPEG2? That is awfully depressing...
What will muslix64 accomplish next?
xyz987
20th January 2007, 11:53
In less than 24 hours, without any Blu-ray equipment, but with the help of Janvitos, I managed to decrypt and play a Blu-ray media file using my known-plaintext attack...
Congratulations for you and Janvitos :-)
And a lot of thanks :thanks:
ape
20th January 2007, 11:55
I managed to decrypt and play a Blu-ray media file using my known-plaintext attack...
If you can give some details about the fingerprint bytes and their offset from the volume key, I can edit my memory searcher app to dump the volume key for BDs from WinDVD as it's playing. :)
muslix64
20th January 2007, 16:43
Many people ask me for more details about the known-plaintext attack. This is a very basic, but powerful crypto attack that I have used to decrypt both formats.
After reading posts of people trying to get the keys in memory, I realized I have a different way of looking into the problem.
A lot of people try to attack the software, I'm attacking the data!
So I spent more time analysing the data, to look for patterns or something special to mount my known-plaintext attack. Because I know the keys are unprotected in memory, I can skip all the painful process of code reversal.
I don't have any Blu-ray equipment but I was able to recover the keys anyway... because I had access to a memory dump file and a media file.
To give you an example, let's take the Blu-ray case.
First, I had to read the documentation about the media file format.
In the case of Blu-ray, the media files are divided in blocks called "Aligned unit". Let's simply call them "Unit" for short. A Unit is a block of 6144 bytes. The first 16 bytes are unencrypted, and the rest are encrypted using AES in CBC mode.
A unit is composed of 32 blocks called "MPEG source packet". Each packet is 192 bytes long. The first 16 bytes of the first MPEG source packet of a Unit are decrypted.
Just to see the decrypted part of the packet, I have printed a few. Have a look:
D13BF428474000100000B0110000C100
D13C5DE84710111C6E3468D1861B8D1A
D13CC7A84710111CE3468D1861B8D1A3
D13D31684710111C1A346186E3468D18
D13D9B284710111C6186E3468D1861B8
D13E04E84710111C8D1861B8D1A34618
D13E6EA84710111CD1861B8D1A346186
D13ED8684710111C186E3468D1861B8D
D14D57924710111CFCC810FE80107F08
D14DC1524710111C1007647E401C002E
D14E2B124710111C8001880350400300
D14E94D24710111C007690DE581426A3
D14EFE924710111C80800E8081F9E081
D14F68524710111CA01300C007408C00
D14FD2124710111C005200B002E00D49
Do you see something special? Do you see any pattern?
The first byte is always D1 and the 5th byte is always 47. Can we use that to mount the known-plaintext attack? Of course!
Because we know we have multiple MPEG source packets inside a Unit, we know the decrypted version of the unit at position 192 will probably look like the sequences shown above.
In most cases, the known-plaintext attack is in fact a guessed-plaintext attack. We "assume" the data will look like something we "guessed" when decrypted. Most of the time, it works!
Knowing that, all you have to do is to write a small program that scans a memory dump file that comes from a software player while it was playing the movie. The key is in that file, you have to locate it.
You just have to decrypt the first 2 MPEG source packets of the first unit until you find a key that decrypts to something like:
D1??????47?????????????????????? at position 192.
That's it!
I also do something similar for the HD DVD format.
Once you know the value and the position of the key in memory, you can do like people are doing here. Use "memory landmarks" to locate the key.
Any questions?
tonyp12
20th January 2007, 17:02
So if the memory dump is 2 MB, you would try every 128-bit section, stepping up one byte at a time.
So you would only have to run the decrypt algorithm (up to) 2 million times.
To look for a pattern, did you use a non-decrypted source
or look in the mem dump for a decrypted file?
muslix64
20th January 2007, 17:06
That is correct. But to speed things up, I discard keys that don't make sense. Like all zeros, for example.
For a pattern, I look in the decrypted portion (first 16 bytes of each unit) of the encrypted media file.
noclip
20th January 2007, 17:20
That is correct. But to speed things up, I discard keys that don't make sense. Like all zeros, for example.
For a pattern, I look in the decrypted portion (first 16 bytes of each unit) of the encrypted media file.
You can probably discard any potential key with any 0s at all. It's very unlikely they'd appear in a key.
jkenzie
20th January 2007, 17:35
By chance, is the 5th byte "0A" in Lord of War?
muslix64
20th January 2007, 17:39
No, it's 47. My example is "Lord of War". Sorry I did not mention it.
This is from the file 00007.m2ts, not the main movie.
dito
20th January 2007, 17:43
In less than 24 hours, without any Blu-ray equipment, but with the help of Janvitos, I managed to decrypt and play a Blu-ray media file using my known-plaintext attack...
The file from the movie "Lord of War" plays well with VideoLan.
Janvitos gave me a few files from the BD disc and a memory dump...
Note that I don't address BD+. The file doesn't seem to be BD+ protected.
I will keep you informed if I find anything new...
OT
Oops, I did it again...
I played with some files, decrypted them well... Ohh baby, baby...
/OT
I guess we'll be seeing BD+ soon enough, what's the information on this? Is it bit by bit protection or is it encryption based?
Great work BTW...
Best regards!
noisehole
20th January 2007, 17:45
hi muslix,
this example is Blu-ray specific (.m2ts I assume), do EVOBs have a similar pattern (1st/5th byte)?
if I understood correctly, this attack is possible because the container ruins the whole encryption scheme. As written in the specs, some bytes at known positions (16 bytes every 6144 bytes) have to be written non-encrypted. How could they allow that portions of these plain values keep occurring at known positions (every 192 bytes) in *encrypted* data?
while I consider the AACS system safe, who developed the EVOB/m2ts container?
damn it, which crypto expert did tell the studios that their data is safe with AACS? That's no reason to fire, that's a reason to get shot. Well ok, I'll take that back, happy we are where we are.
let's see how BD+ works out for them
regards
muslix64
20th January 2007, 17:54
This is Blu-ray specific. It's different for EVOB. But it's the same concept. Guessing plaintext values...
Secure crypto is all about key protection. I cannot do this attack if the keys are protected in memory.
dito
20th January 2007, 17:58
hi muslix,
this example is Blu-ray specific (.m2ts I assume), do EVOBs have a similar pattern (1st/5th byte)?
if I understood correctly, this attack is possible because the container ruins the whole encryption scheme. As written in the specs, some bytes at known positions (16 bytes every 6144 bytes) have to be written non-encrypted. How could they allow that portions of these plain values keep occurring at known positions (every 192 bytes) in *encrypted* data?
while I consider the AACS system safe, who developed the EVOB/m2ts container?
damn it, which crypto expert did tell the studios that their data is safe with AACS? That's no reason to fire, that's a reason to get shot. Well ok, I'll take that back, happy we are where we are.
let's see how BD+ works out for them
regards
I think their mistake is to allow software players... There are chips for HD formats that have layers of hack protections inside their CPU core (and handle the keys in the memory of the CPU, making hacks like the Xbox hack very hard), using such chips would make HD DVD and Blu-ray really safe...
jokin
20th January 2007, 17:59
You can probably discard any potential key with any 0s at all. It's very unlikely they'd appear in a key.
Looking at the current list of VUKs it appears a majority have one 0 in them. But none have 00.
orbitlee
20th January 2007, 18:06
The 192 bytes are a TS packet. A normal TS packet has 188 bytes, with 47 as the leading sync byte. m2ts adds a 4-byte timestamp before the sync byte. Actually 47 is always there (TS spec), but D1 is not guaranteed: since it is only a timestamp, it could be any value, but the timestamp won't change too quickly between adjacent TS packets, and D1 is the MSB byte.
For EVOB, there is a similar pattern. 00 00 01 BA, then system clock reference, per 2048 bytes (program stream packet). For more details, read ISO13818-1.
PS: muslix64, thanks for your excellent job :-)
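Added example, not part of any post in this thread: orbitlee's field layout applied to the cleartext 16-byte unit headers muslix64 printed earlier, showing that D1 is only the top of a timestamp while 47 and the PID come from the container format. The field names follow the MPEG-TS header and the 4-byte source packet prefix (2 copy-permission bits plus a 30-bit arrival time stamp) as assumed here; the hex lines are copied from the thread.

```python
from dataclasses import dataclass

SYNC_BYTE = 0x47  # MPEG-TS sync byte, found at offset 4 of a 192-byte source packet

# First 16 bytes (the unencrypted part) of several Aligned Units,
# copied from muslix64's post above. Nothing here is decrypted data.
UNIT_HEADERS_HEX = """
D13BF428474000100000B0110000C100
D13C5DE84710111C6E3468D1861B8D1A
D13CC7A84710111CE3468D1861B8D1A3
D13D31684710111C1A346186E3468D18
D13D9B284710111C6186E3468D1861B8
D13E04E84710111C8D1861B8D1A34618
D13E6EA84710111CD1861B8D1A346186
D13ED8684710111C186E3468D1861B8D
D14D57924710111CFCC810FE80107F08
D14DC1524710111C1007647E401C002E
D14E2B124710111C8001880350400300
D14E94D24710111C007690DE581426A3
D14EFE924710111C80800E8081F9E081
D14F68524710111CA01300C007408C00
D14FD2124710111C005200B002E00D49
""".split()


@dataclass(frozen=True)
class SourcePacketHeader:
    copy_permission: int           # top 2 bits of the 4-byte prefix
    arrival_time: int              # low 30 bits of the prefix (timestamp)
    transport_error: bool          # TS header flag
    payload_unit_start: bool       # TS header flag
    pid: int                       # 13-bit packet identifier
    scrambling: int                # 2-bit transport_scrambling_control
    adaptation_field_control: int  # 2 bits
    continuity_counter: int        # 4 bits


def parse_source_packet_header(data):
    """Decode the 4-byte prefix and 4-byte TS header of one source packet."""
    if len(data) < 8:
        raise ValueError("need at least 8 bytes")
    if data[4] != SYNC_BYTE:
        raise ValueError("no TS sync byte at offset 4: not a cleartext packet start")
    prefix = int.from_bytes(data[0:4], "big")
    b1, b2, b3 = data[5], data[6], data[7]
    return SourcePacketHeader(
        copy_permission=prefix >> 30,
        arrival_time=prefix & 0x3FFFFFFF,
        transport_error=bool(b1 & 0x80),
        payload_unit_start=bool(b1 & 0x40),
        pid=((b1 & 0x1F) << 8) | b2,
        scrambling=b3 >> 6,
        adaptation_field_control=(b3 >> 4) & 0x3,
        continuity_counter=b3 & 0xF,
    )


def summarize(hex_lines=UNIT_HEADERS_HEX):
    """Report which header fields vary across the sampled units and which do not."""
    raw = [bytes.fromhex(h) for h in hex_lines]
    headers = [parse_source_packet_header(r) for r in raw]
    stamps = [h.arrival_time for h in headers]
    return {
        "first_bytes": sorted({r[0] for r in raw}),
        "copy_permission": sorted({h.copy_permission for h in headers}),
        "pids": sorted({h.pid for h in headers}),
        "scrambling": sorted({h.scrambling for h in headers}),
        # Timestamp step between consecutive samples (one sample per 32 packets).
        "arrival_deltas": [b - a for a, b in zip(stamps, stamps[1:])],
    }


if __name__ == "__main__":
    for name, value in summarize().items():
        print(f"{name}: {value}")
```

In these samples the leading D1 is the two copy-permission bits followed by the high bits of a slowly increasing timestamp, so it holds only while the timestamp stays in that range, whereas 47 is fixed by the TS format.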
tonyp12
20th January 2007, 18:06
Looking at the current list of VUKs it appears a majority have one 0 in them. But none have 00.
I guess that what he means is a byte.
And mostly always represented as two digits when displayed as hex.
Hex is just a text string and it would be really hard to decode it to unicode (decimal)
if it was not even pairs unless you split each number with a ,
(A, 10, 4, F) = '0A10040F' and that would defeat the purpose as you could use dec in the first place.
decimal 0, hex 00 , Binary 00000000
kad77
20th January 2007, 18:36
This is Blu-ray specific. It's different for EVOB. But it's the same concept. Guessing plaintext values...
Secure crypto is all about key protection. I cannot do this attack if the keys are protected in memory.
It is a dead certainty that any future revisions of software players (with new player keys) will have the disc AACS keys obfuscated to the extent where only top crackers (think scene release groups) will be able to wade their way through the spaghetti code.
Amateur sleuths will be shut out of direct key retrieval soon (amateur programmers working on WinDVD let us in the door anyway).
MrDVD
20th January 2007, 18:52
Anyone know what these AES keys in the PowerDVD BD Edition are for?
They are located @ .\PowerDVD\NavFilter\key\
jokin
20th January 2007, 19:06
Seeing as how a lot of people own a PS3 and you can run Linux on a PS3, it should be possible to decrypt my Blu-ray discs from the PS3, correct (with a Java decryption program)? This would work out great.
snurregrekk
20th January 2007, 19:16
Seeing as how a lot of people own a PS3 and you can run Linux on a PS3, it should be possible to decrypt my Blu-ray discs from the PS3, correct (with a Java decryption program)? This would work out great.
you're talking of some type of method like this, right? http://www.hdtvblogger.com/?p=39 (has yet to be confirmed though...)
tonyp12
20th January 2007, 19:27
It is a dead certainty that any future revisions of software players (with new player keys) will have the disc AACS keys obfuscated
The people at WinDVD sure did make a blunder.
If it wanted to keep the keys in memory, just a simple
left roll circular before saving it and a right roll circular when
it's back in the cpu registry would have stopped us from finding it.
Now that we know a lot of keys, we would have to use a debugger in the next version of the player that stops when a register has the known key (it must be in the register at least one time)
So we could apply a patch that writes this register to some known space in memory.
MrDVD
20th January 2007, 19:28
I think the main problem at the moment is UDF 2.5 for Linux? Is there an update out?
Lord_KiRon
20th January 2007, 19:30
I think their mistake is to allow software players... There are chips for HD formats that have layers of hack protections inside their CPU core (and handle the keys in the memory of the CPU, making hacks like the Xbox hack very hard), using such chips would make HD DVD and Blu-ray really safe...
I believe you are wrong here.
Almost any hardware player can be read out (including the RAM state) with a chip-relevant "debugger" tool (same as an EPROM programmer but more advanced).
Of course this is not for amateurs but still can be done.
dito
20th January 2007, 19:40
I believe you are wrong here.
Almost any hardware player can be read out (including the RAM state) with a chip-relevant "debugger" tool (same as an EPROM programmer but more advanced).
Of course this is not for amateurs but still can be done.
No, I am not...
tonyp12
20th January 2007, 19:47
No, I am not...
It could be done, but if they use a custom chip that needs a special debugger that only "people who need to know" can get hold of,
and only after signing non-disclosure forms, then it will be a little harder.
mox69
20th January 2007, 19:47
The people at WinDVD sure did make a blunder.
If it wanted to keep the keys in memory, just a simple
left roll circular before saving it and a right roll circular when
it's back in the cpu registry would have stopped us from finding it.
Now that we know a lot of keys, we would have to use a debugger in the next version of the player that stops when a register has the known key (it must be in the register at least one time)
So we could apply a patch that writes this register to some known space in memory.
Now that muslix has 1 set of *Correct* keys for a BD disc, it will be trivial to find the keys for any other disc in memory unless the software DVD player guys get into some heavy obfuscation. Even then, the key has to be in memory at some point, even if it's only for a few CPU cycles. You can always put that BD disc with the known keys in and search the memory continually for those keys. Even if they move the keys around in memory continually, one could reverse engineer the algorithm that does this. At this point it is a cat and mouse game.
As long as you can access 100% of the memory on your computer as you wish, no DRM scheme will ever be totally secure.
Hence the reason people are pushing the "TPM" chips soo much. They are the only thing that will make DRM much more resistant to local attacks.
Anyway keep up the good work guys.
I think this dispels any rumors as to muslix's intentions as well, you guys are too harsh.
dito
20th January 2007, 19:58
It could be done, but if they use a custom chip that needs a special debugger that only "people who need to know" can get hold of,
and only after signing non-disclosure forms, then it will be a little harder.
I'm talking about double layer processors, where you have one security processor and one main processor... But of course if you could get past the security processor then you could do some debugging... Maybe you could get past it with some HNO3...
Sorry for the OT, now back to topic...
Best regards!
tonyp12
20th January 2007, 20:03
As long as you can access 100% of the memory
The CPU's registry is not part of the memory.
Think of it as internal memory buffer.
So you would have to do registry dump and
probably a 1000 times before you do it at the exact right moment.
And it would only be a part of the 128-bit key in the registry.
probably a 32-bit big-endian, if that's what the AACS calc uses.
It could be split up to different registries at the same time that would make it a little easier.
But that is depending on how the compiler handles calculation.
Or if the code was written in Assembly code for more direct control.
mox69
20th January 2007, 20:26
The CPU's registry is not part of the memory.
Think of it as internal memory buffer.
So you would have to do registry dump and
probably a 1000 times before you do it at the exact right moment.
And it would only be a part of the 128-bit key in the registry.
probably a 32-bit big-endian, if that's what the AACS calc uses.
It could be split up to different registries at the same time that would make it a little easier.
But that is depending on how the compiler handles calculation.
Or if the code was written in Assembly code for more direct control.
I'm a CS major, I know what registers are...
It's not hard to peek at reg / stack values while in a debugger. Nor is it hard to print out registry values just like you do with a memory dump..
Also in order to get a value into a register don't you have to move it from memory into a register? (mov XXXXXXXX,$EAX)
Obviously you can manipulate it once in there, but that data has to exist somewhere before it goes into mem.
tonyp12
20th January 2007, 20:44
Obviously you can manipulate it once in there, but that data has to exist somewhere before it goes into mem.
But the next software player version of WinDVD would not be allowed
to keep any calculated keys in memory without doing some
manipulation to it first (roll circular left 1 bit in this simplified example)
And during play back
line1: Load 32bit word from mem to registry a
line2: roll circular right 1bit on reg a
line3: now use reg a to do some calculation.
line4: clear reg a
A debugger could now stop between line 2 and 3 as registry a now matches some known part of the key.
It sure makes it a lot easier to hunt down the code and
figure out what manipulation they are doing.
Now any memory dump key finder would just have to do the same manipulation to get it work.
If we never had access to un-manipulated keys it probably could take years to reverse engineer PowerDVD or WinDVD.
But thanks to the people at WinDVD we do have that.
mox69
20th January 2007, 21:54
But the next software player version of WinDVD would not be allowed
to keep any calculated keys in memory without doing some
manipulation to it first (roll circular left 1 bit in this simplified example)
And during play back
line1: Load 32bit word from mem to registry a
line2: roll circular right 1bit on reg a
line3: now use reg a to do some calculation.
line4: clear reg a
A debugger could now stop between line 2 and 3 as registry a now matches some known part of the key.
It sure makes it a lot easier to hunt down the code and
figure out what manipulation they are doing.
Now any memory dump key finder would just have to do the same manipulation to get it work.
If we never had access to un-manipulated keys it probably could take years to reverse engineer PowerDVD or WinDVD.
But thanks to the people at WinDVD we do have that.
I agree, I think we were saying the same things just different ways.
muslix64
20th January 2007, 22:00
This release is not for everyone! This is only for those who want to experiment with an early version of Blu-ray decryption.
Known limitations:
Don't support BD+
Don't support Volume unique key
Only support one CPS unit key per disc
I don't clear the HDMV_copy_control_descriptor in the stream
Don't have any FAQ or document so far...
You have to provide your own CPS unit key.
The playback seems to work with VideoLan
Because I don't have any Blu-ray equipment, I will need the help of the community to go further with Blu-ray decryption.
I have only tested this with one video file...
Stay tuned!
Link:
http://www.sendspace.com/file/yvylle
generalnewbie
20th January 2007, 22:13
I tested the other file from the disc that brings up the copyrights and it played perfectly fine.
Amazing work....
Just shows ya that both parties are sorta looking at one another going uh its your fault!
Janvitos
20th January 2007, 22:17
Thanks muslix64, I will work on this and let you know the results.
Thanks !
noclip
20th January 2007, 22:18
Muslix, would you please use an XML file to store keys, as per this thread (http://forum.doom9.org/showthread.php?t=121002)?
muslix64
20th January 2007, 22:21
XML for next version...
bcas9472
20th January 2007, 22:55
This is absolutely hilarious - to all those people saying he was trying to sabotage one camp or the other, eat your words and come publicly apologize.
generalnewbie
20th January 2007, 23:57
Aren't the new discs encrypted with SHA-1?
I just read this... at slashdot..
http://it.slashdot.org/article.pl?sid=07/01/20/1936257&from=rss
Chinese Prof Cracks SHA-1 Data Encryption Scheme
Which means.. that the formats are both compromised.. in more than 1 way.
JarrettH
21st January 2007, 00:01
Thanks for not disappearing after proving yourself, muslix :cool: ;)
Zero1
21st January 2007, 00:08
Many thanks muslix64. This is where it starts getting interesting.
Rufus210
21st January 2007, 00:23
Aren't the new discs encrypted with SHA-1?
I just read this... at slashdot..
http://it.slashdot.org/article.pl?sid=07/01/20/1936257&from=rss
Chinese Prof Cracks SHA-1 Data Encryption Scheme
Which means.. that the formats are both compromised.. in more than 1 way.
That article is misleading and is based off a report from months ago. Basically you can create 2 files that hash to the same value. It does nothing for decrypting.
noclip
21st January 2007, 00:28
That article is misleading and is based off a report from months ago. Basically you can create 2 files that hash to the same value. It does nothing for decrypting.
This is basic math. With infinite possible inputs and finite possible outputs two different inputs can produce the same output.
noisehole
21st January 2007, 00:44
Aren't the new discs encrypted with SHA-1?
nope, they're encrypted with AES
each 3 sectors (3*2048 bytes) starts with a non-encrypted 16 byte seed. Using this seed and the "CPS unit key" (read: title key) you're able to decrypt the remainder of 6128 bytes.
1st step uses an AES one-way function
2nd step is AES in CBC mode
see 2.1.3 in AACS_Spec_Common_0.91.pdf and 3.10.1 in AACS_Spec_BD_Prerecorded_0.912.pdf
regards
christopherw
21st January 2007, 00:59
Ah, great news if this turns out to work for every disc. :D Actually makes me want to go buy more original discs, because I can be sure I'll be able to watch them on my hardware without having to spend loads buying new kit which supports the rights restrictions! Bonus.
<this space reserved for future sage words, for now just sits back and waits for the HD-DVD/BD mudslinging contest to pick back up again>
frogman
21st January 2007, 01:17
Ah, great news if this turns out to work for every disc. :D Actually makes me want to go buy more original discs, because I can be sure I'll be able to watch them on my hardware without having to spend loads buying new kit which supports the rights restrictions! Bonus.
Exactly! I'll race you over to amazon HD/BR DVD section shop till you drop! Those protectionist guys just don't get it. I just spent a $100 bucks on 5 discs plus shipping of course.
Thanks for all your help guys.
Turtleggjp
21st January 2007, 03:09
I'll be right behind you as soon as the dual format drives start coming out, and get more affordable (Christmas 2007 I hope :cool: ). Maybe Star Wars will be out on HD Disc by then.
I have a beautiful 23" Sony LCD Monitor that I spent more than $1500 on two years ago. I'm not about to replace it just because it doesn't have HDCP!
All this really makes me sorry I never got seriously into computer programming. I would love to be able to help you guys out with this stuff. Sadly though, I'm confined to the sidelines for now. Go Team!
Pulp Catalyst
21st January 2007, 06:10
just wanted to add really, i don't think any company that designs software to playback HD-DVD and blueray can get done, in fact the company behind AACS, said it can't be broke no matter what, unless of course they're admitting that a simple playback software has broken a multi billion dollar encryption,
and the fact is, i don't think they can stop software makers supporting this format, because the world is made with different laws all around the globe, they may be able to stop america, or japan, but there will be other countries that they can't stop because of legislation in that country, and by doing so would risk their format being banned in that country,
so the fact is software developers making programs that support these new formats can't really be told what to do, and i'm sure their argument would be, "this format is supposed to be the strongest protected format on the planet" and rightly said,
oh, i'm glad you're doing blueray, as they have just done a press release, and they are ripping into HD DVD big time, pretty much slagging them off in so many words, because of HD DVD's weaknesses, jesus, i can't believe that they are so cock sure of themselves thinking their format won't be beat,
to all would be crackers, go get blueray, the over confident ba**ards, blueray thinks they can't be beat, and it's probably because of their secret weapon BD+.
Galileo2000
21st January 2007, 06:42
Ah, great news if this turns out to work for every disc. :D Actually makes me want to go buy more original discs, because I can be sure I'll be able to watch them on my hardware without having to spend loads buying new kit which supports the rights restrictions! Bonus.
<this space reserved for future sage words, for now just sits back and waits for the HD-DVD/BD mudslinging contest to pick back up again>
Talk about losses for the industry.
As for muslix64's supposed intentions some dickhead wrote, I said it was BS from the start (I have a post I can link to if anybody cares).
muslix64 is our hero, we need to love and protect him and make a way to give him BD and HD players so he can either continue to help us or just lay back and enjoy life..:D
Galileo2000
21st January 2007, 06:44
just wanted to add really, i don't think any company that designs software to playback HD-DVD and blueray can get done, in fact the company behind AACS, said it can't be broke no matter what, unless of course they're admitting that a simple playback software has broken a multi billion dollar encryption,
and the fact is, i don't think they can stop software makers supporting this format, because the world is made with different laws all around the globe, they may be able to stop america, or japan, but there will be other countries that they can't stop because of legislation in that country, and by doing so would risk their format being banned in that country,
so the fact is software developers making programs that support these new formats can't really be told what to do, and i'm sure their argument would be, "this format is supposed to be the strongest protected format on the planet" and rightly said,
oh, i'm glad you're doing blueray, as they have just done a press release, and they are ripping into HD DVD big time, pretty much slagging them off in so many words, because of HD DVD's weaknesses, jesus, i can't believe that they are so cock sure of themselves thinking their format won't be beat,
to all would be crackers, go get blueray, the over confident ba**ards, blueray thinks they can't be beat, and it's probably because of their secret weapon BD+.
If they implement BD+, they will lose the war right away for the reasons too obvious to mention.
HyperHacker
21st January 2007, 07:49
muslix, do you have an address I could mail a donation to? I don't have Paypal but I'd really like to help you with the whole getting a Blu-ray player thing, because this is awesome.
Also, I can post my XML class for C++ if anyone wants it. It reads and writes XML files nicely, very clean readable code etc. I know I should just put it on my web site at some point but, well, that's on a biiiiig todo list. :-p
FYI, it's quite possible for a program to prevent you from reading its memory, at least using conventional methods. They can mark ranges of memory as protected, and ReadProcessMemory() will refuse to read them. Of course, there are other ways to go about reading memory...
LoloMc
21st January 2007, 13:13
Hi, sorry for off topic but it is so nice that I can't resist !
Oups, I did it again!
:)
Most are still mpeg2? That is awfully depressing...
What will muslix64 accomplish next?
He will save the Earth from aliens !
Janvitos, Muslix64 : Guys, I like what you did so much !
vsv
21st January 2007, 13:24
He will save the Earth from aliens !
Do you mean aliens from hollywood? (http://www.theofficialjohncarpenter.com/pages/themovies/tl/tl.html):)
http://www.theofficialjohncarpenter.com/data/movies/titles/tlti.jpg
blutach
21st January 2007, 15:00
muslix, do you have an address I could mail a donation to? I don't have Paypal but I'd really like to help you with the whole getting a Blu-ray player thing, because this is awesome.
This is most irregular and I would ask you to be more sensitive in asking such questions. If muslix64 wanted donations, he'd set up some methodology, I am sure.
As well, think please! The whole encrypting world would be after muslix64, just as viodentia has been sued.
Let's stick to the topic please.
Regards
Thunderbolt8
21st January 2007, 15:49
I guess the whole US film industry is already after him and they set any government organisation into motion to spy on him from now :p
gozu
21st January 2007, 21:34
If they implement BD+, they will lose the war right away for the reasons too obvious to mention.
Not obvious enough for me, it would seem. I checked the wikipedia entry on BD+ but I'd still like someone to explain BD+ to me.
mrazzido
21st January 2007, 22:32
hey!
i copied the complete contents of the /BDMV/ folder to my hd (from an original BD movie), then i put the decrypted files from the tool into the stream folder and overwrote the old files.
then i opened the folder with windvd, and it works :-) i have the original BD menu structure :-).
http://s6.bilder-hosting.de/img/Z4J19.png
2bigkings
21st January 2007, 22:35
wow great news @mrazzido ! i think i buy a blu-ray burner next month ;-)
Galileo2000
21st January 2007, 22:51
wow great news @mrazzido ! i think i buy a blu-ray burner next month ;-)
Me too, as long as it is below $200, seems unfair to pay more for BD than HD. :D
dvdguru
21st January 2007, 22:54
tomorrow i try a bit per bit copy on bd-re & bd-r
aerox87
22nd January 2007, 00:21
Thats great news!!
Too bad the cheapest burner is $499 on fleaBay :\
dvdguru
22nd January 2007, 01:02
I have a Sony and a Liteon Blu-ray burner, with about 20 BD titles and 30 free disk. Also a TDK Double layer disc.
I can do a lot of experiment.
aerox87
22nd January 2007, 01:26
I have a Sony and a Liteon Blu-ray burner, with about 20 BD titles and 30 free disk. Also a TDK Double layer disc.
I can do a lot of experiment.
Sounds great! You don't have Talladega Nights by any chance? If so, could you please post the keys so i can try out backupbluray on my PS3 ?
blutach
22nd January 2007, 01:44
Aerox - please don't cross post and please keep to the topic.
Regards
repdetect2
22nd January 2007, 04:33
First of all thanks where thanks is due to muslix and janvitos. Thanks so much for all your hard work :D
I had a few questions since I am in the preparation stage here:
What version of Win DVD and Power DVD are being used?
What blu-ray burner is best for purchase (LG or Sony)?
Thanks...
blutach
22nd January 2007, 06:51
@repdetect2 - use search - this has been mentioned quite a bit.
As well, "what's best" is very subjective - beauty is in the eye of the beholder.
Regards
pyrates
22nd January 2007, 08:51
Awesome :) I wonder if they are just talking out their ass when they talk about BD+
bob0r
22nd January 2007, 10:06
Hmm, so on my SWAT BD .iso, i would require someone else to get me the key(s), decrypt the files, and then windvd should be able to play them?
Time for more google-ads, i mean bdkeys.com ?
dvdguru
22nd January 2007, 10:53
I begin my backup test from the 5th element BD to a blank BD25.
The M2TS are decrypted but I think that we need to decrypt also other files (menu & navigation). The Samsung player doesn't play the disc.
bass4040
22nd January 2007, 10:54
So everything works? scene selections, subtitles, and extras?
hey!
i copied the complete contents of the /BDMV/ folder to my hd (from an original BD movie), then i put the decrypted files from the tool into the stream folder and overwrote the old files.
then i opened the folder with windvd, and it works :-) i have the original BD menu structure :-).
http://s6.bilder-hosting.de/img/Z4J19.png
mrazzido
22nd January 2007, 11:23
dont know if all works i upload a small video here (http://www.file-upload.net/download-183110/videooo.avi.html) i switch in some menus.
subtitles works , scene selection works. and i test some extras.
btw.
the movie is not completely ripped!! the tool decrypts all the files but the big movie file stopped @~2gb.
Janvitos had the same problem.
dvdguru
22nd January 2007, 11:27
So i do some other experiments.
I try with the Fifth Element & PowerDVD tells me that some files are still encrypted with AACS. If i try to play back the single M2TS everything is ok, but I can't see navigation & menu structure.
And I also try to backup about 6 movies, but it's impossible to backup the entire movie M2TS, the software hangs @ about 2 Gb.
mrazzido
22nd January 2007, 11:44
@ dvdguru
try windvd i had problems with powerdvd.
copy the complete contents of the /BDMV/ directory (without encrypted stream files ;) ) to your HD. then copy the decrypted files to /bdmv/STREAM/ .
then open windvd and the folder from hd. dont know the english option to open the disc from hd, here is a screenshot: Picture (http://s6.bilder-hosting.de/img/3FVMW.png)
yeah we have the same problem, only ~2gb ripped :-(.
dvdguru
22nd January 2007, 11:47
Now I'm trying to burn the BDMV directory with the decrypted M2TS on a blank blu-ray.
35 minutes @ the end.
dvdguru
22nd January 2007, 12:18
I'm trying to modify the source code of the ripper to scan every file of the source disc and not only the m2ts files.
dvdguru
22nd January 2007, 12:28
Burning finished. The Samsung player rejects the disc like PowerDVD: some content is still AACS encrypted.
dvdguru
22nd January 2007, 13:04
I found my first fault: I don't have to burn the AACS subdirectory.
The Samsung player still rejects this disc (but I can play a BDAV movie that i produce with cyberlink powerproducer)
dvdguru
22nd January 2007, 15:59
Another news: Samsung Blu-ray player can't play BDMV on BD-R or BD-RE, so now I try on the Panasonic BD-10. This is the cause of the fault. (ps: i still have problem of 2 Gb m2ts rip, and now I try several disc)
2bigkings
22nd January 2007, 16:07
good luck dvdguru.
HD Hell
22nd January 2007, 16:27
no
VC-1 is a WMV-9 type file
The good thing with Blu-Ray in regards to the backing up issue, is that the Blu-Ray encoded streams are formatted the same as how satellite streams are.
So, if you can unencrypt the Blu-Ray discs, you can play them with just about any of the public domain or shareware stream players on the market. This includes the VC1 and AVC encodes, as long as you have the right codecs installed.
HD DVD uses different "wrappers" for the streams, so you require an HD DVD specific player, like Power DVD or Win DVD.
dvdguru
22nd January 2007, 16:31
The Blu-ray encoded stream are encoded imo like AVC-HD, you need Elecard Mpeg Player with AVC pack if you want to play H264 format.
He-Man
22nd January 2007, 16:40
The Blu-ray encoded stream are encoded imo like AVC-HD, you need Elecard Mpeg Player with AVC pack if you want to play H264 format.
From what I have read most (if not all?) Blu-Ray movies are still MPEG2 encoded.
This is also the reason why tests show the same movie available on both Blu-Ray and HD DVD has better picture quality on HD DVD than Blu-Ray, because HD DVD's are always VC-1 encoded and VC-1 is a better CODEC than MPEG2.
dvdguru
22nd January 2007, 16:46
Yes, sure. At the moment we have 99% Mpeg2 but if you use Elecard Player with AVC pack you are 100% sure that you can play in HD every M2ts file.
HD Hell
22nd January 2007, 16:49
This release is not for everyone! This is only for those who wants to experiment with early version of Blu-ray decryption.
Known limitations:
Don't support BD+
Don't support Volume unique key
Only support one CPS unit key per disc
I don't clear the HDMV_copy_control_descriptor in the stream
Don't have any FAQ or document so far...
You have to provide your own CPS unit key.
The playback seems to work with VideoLan
Because I don't have any Blu-ray equipment, I will need the help of the community to go further with Blu-ray decryption.
I have only test this with one video file...
Stay tuned!
Link:
http://www.sendspace.com/file/li9x37
Thanks for this, muslix.
How come you do not yet support the Volume Unique Key? It seems that this utility would not solve its end goal unless we start to find some VUKs, since the Title keys so far are only good for a few specific files...
Any thoughts?
HD Hell
22nd January 2007, 17:01
I just saw this post online - Here are some Bluray Volume Unique Keys that have been reported:
Was in a news story here:
http://www.fixxx.dk/
2bigkings
22nd January 2007, 17:05
@hdhell, they got the keys from this site! look at the thread "Blu-Ray Volume Keys".
dvdguru
22nd January 2007, 17:12
Uhm, i need help on configuration of "CPSKey.cfg" file.
There is the HASH for the identification of the disk, and then i don't know if i need the CPS unit key or the volume unit key.
; Key database file for BluRay, pre-alpha version MM/DD/YY
B868CF7C280021D928B7EB9FF4047059085FF505=Lord of war |00/00/00|07AD32DEC15BDA7F2263A5E9025D9185
828C70988616E14EFE5471CA582BC4B2AF7E59D7=Quinto Elemento |00/00/00|810562E69B417609A078C925E7FC24B2
Is this file correct?
HD Hell
22nd January 2007, 17:14
@hdhell, they got the keys from this site! look at the thread "Blu-Ray Volume Keys".
:) Thanks - I figured as much! :) I have been away for a few days.
Can I suggest that the persons running the aacskeys and hdkeys websites start adding the BD keys to their sites as well?
Has anyone gotten a complete BD disc to decode properly yet, or are they still only having limited success with portions of the discs?
dvdguru
22nd January 2007, 17:17
Still limitations. 2 Gb file, after a chapter the software halt.
HD Hell
22nd January 2007, 17:24
Still limitations. 2 Gb file, after a chapter the software halt.
Does anyone know why?
Is this only on test files dumped from a PS3, or is this also the case on files produced from PC drives?
Also, in regards to this question http://forum.doom9.org/showpost.php?p=941589&postcount=8 - what are the chances of a little program for the PS3 to allow the average user to decode a disc and back it up to their PC via the network connection?
dvdguru
22nd January 2007, 17:26
PC drive. :cool:
dvdguru
22nd January 2007, 17:46
Backup of 5th Element on a blank blu ray works on Samsung BD1000 !!!!!
muslix64
22nd January 2007, 18:18
As I said, this is an Alpha release, so its buggy... I know...
I don't have any Blu-ray equipment to do proper testing. I need your help!
I don't support volume key, because I'm not there yet.
To do more testing we need to find a Blu-ray movie with more than one CPS unit key per disc. Did someone find one?
If all movies have only one CPS Unit key, we are fine for now to use that key to decrypt... (instead of volume key)
HD Hell
22nd January 2007, 18:23
Can we just leave a Blu-Ray drive under a stone in a public park somewhere for you? :)
muslix64
22nd January 2007, 18:25
Good one! ;-)
BTW, Here is a new version:
http://www.sendspace.com/file/yvylle
mrazzido
22nd January 2007, 18:28
i have only one bd movie here, tomorrow i get more, i'll watch then if there are more keys.
dvdguru
22nd January 2007, 18:36
Good one! ;-)
BTW, Here is a new version:
http://www.sendspace.com/file/yvylle
I can confirm that this is good.
Ripped an entire movie.
mrazzido
22nd January 2007, 18:47
thx muslix64 it workx!!! good work!!
2bigkings
22nd January 2007, 20:27
hi muslix, i can't test it at the moment.. can you tell me what do you changed in the new version?
@dvdguru what burning program you used? give us details please..
best regards
muslix64
22nd January 2007, 20:35
File buffering and reading process was buggy... There is still some bugs that needs to be fixed. (Alpha version!)
HyperHacker
23rd January 2007, 05:30
Can we just leave a Blu-Ray drive under a stone in a public park somewhere for you? :)
That's kinda what I had in mind when I asked if there was somewhere I could send a donation. I really want to help with this, but I have neither $800 nor a BD drive. (In fact I swore off buying from Sony ages ago after the rootkit incident, and haven't done so since. I'd buy a BD drive to help crack it though :D except that's a lot of dough.)
Well I guess I can supply moral support then. Way to go!
inu-liger
23rd January 2007, 10:11
You can have a look at that file at:
http://rapidshare.com/files/12497232/00007decrypted.m2ts.html
File got removed 'cos of too many "complaints" :(
Btw. great work so far with your HD DVD / Blu-Ray decrypting efforts! Hats off to you!
I'd like to believe those rumours that you're from Canada, cos I'd buy you a beer if it were true! :D
zeroprobe
23rd January 2007, 10:45
canada can now be known for something..... lol
ernysmuntz
23rd January 2007, 11:14
There's lots of advanced talk on here, I have no idea what you're all talking about (I've done some C++ in college and that's about it....:p )
But isn't this the point.
You got some sets of keys already, right?
So if a software player is upgraded, the new release of the player will use some advanced techniques to hide the keys, and it can be certain it will act the same for all discs (Use the same advanced technique always).
But you've already got the keys for some discs, so just search for the current keys you know when playing a disc that's already known in the new player, I'm sure Muslix64 etc, will be able to find out how the algorithm works by doing a search for the known key?
Therefore no matter what player is released with whatever advanced key hiding rubbish you will always be able to find out the algorithm\process being used with your known key.
And apply it to new titles, that won't play in the old player.
BD+ is said to be impossible to implement in the real world....
So its over, right?
ernysmuntz
23rd January 2007, 11:17
Sorry, I obviously don't know what I'm talking about :) Just the idea, is that not how easy it is for you programming wizards?
K40
23rd January 2007, 13:27
Some Blu-ray Titles have Region Codes.
If a PC Blu-ray Burner is set to Region B, would it still work to decrypt a Region A Disc with BackupBlu-ray if the Key is known??
zeroprobe
23rd January 2007, 14:23
There's lots of advanced talk on here, I have no idea what you're all talking about (I've done some C++ in college and that's about it....:p )
But isn't this the point.
You got some sets of keys already, right?
So if a software player is upgraded, the new release of the player will use some advanced techniques to hide the keys, and it can be certain it will act the same for all discs (Use the same advanced technique always).
But you've already got the keys for some discs, so just search for the current keys you know when playing a disc that's already known in the new player, I'm sure Muslix64 etc, will be able to find out how the algorithm works by doing a search for the known key?
Therefore no matter what player is released with whatever advanced key hiding rubbish you will always be able to find out the algorithm\process being used with your known key.
And apply it to new titles, that won't play in the old player.
BD+ is said to be impossible to implement in the real world....
So its over, right?
I have said this before. The only way they get round this is writing off the 150+ hddvds available at the moment and start again. Somehow I don't see them doing this.
We already have the keys so whatever they do it's gonna be a lot easier for us to locate them when we know what to look for.
The title keys and volume keys do not change. So I think it is over.
Galileo2000
23rd January 2007, 16:33
I have said this before. The only way they get round this is writing off the 150+ hddvds available at the moment and start again. Somehow I don't see them doing this.
We already have the keys so whatever they do it's gonna be a lot easier for us to locate them when we know what to look for.
The title keys and volume keys do not change. So I think it is over.
..and even if they do write off existing titles, go back to the drawing table, rewrite the specification, kill all standalone players, new scheme will be broken as well shortly after release.
Hell, Jeff Goldblum was able to hack into aliens network using his Apple notebook :D
I think it is over too.
ernysmuntz
23rd January 2007, 17:07
They simply aren't going to blacklist all discs released until now, to even contemplate that this is somehow a possibility is ignorance beyond belief.
....Just to clarify :)
(Obviously not implying that posters on this page are implying that it is anything more than a theoretical way out, there is some talk from a few that this could actually happen):p
VinnyCThatWhoIBe
23rd January 2007, 17:11
Muslix64 and Janvitos, you guys are my heroes! I wish I could do that sorta stuff!
LOL this is hilarious!!
He-Man
23rd January 2007, 17:18
They simply aren't going to blacklist all discs released until now, to even contemplate that this is somehow a possibility is ignorance beyond belief.
....Just to clarify :)
(Obviously not implying that posters on this page are implying that it is anything more than a theoretical way out, there is some talk from a few that this could actually happen):p
Guys please stop this speculation about key revocation in this topic and keep it in the topic already created for this kind of speculations instead:
http://forum.doom9.org/showthread.php?t=121115
Let's keep this topic on topic about the current Blu-Ray encryption algorithm instead.
berger_stahl
23rd January 2007, 17:50
Muslix64 and Janvitos ..... you guys rock http://www.evilclubempire.com/ubb/graemlins/yourock.gif
ernysmuntz
23rd January 2007, 18:48
sorry :o :)
Janvitos
23rd January 2007, 20:04
Just to let you people know, i too successfully decrypted an entire blu-ray movie.
I am now burning it to a BD-RE disc and will let you updated with the results.
Please remember that this is purely for backup purposes.
XKCorp
23rd January 2007, 20:49
Good job muslix64 & Janvitos!
What was the problem with file buffering?
I simply added buffering to BackupHDDVD, the source of BackupBluRay is nearly the same in that part. Perhaps my fix doesn't work with the BluRay version, perhaps not? :confused:
To help you know, I have added the same fix to backupbluray, try it and if it works great look at DecryptBluRayMedia.java, otherwise sorry for wasting your time ;)
http://www.sendspace.com/file/u79sqn
COREiP
23rd January 2007, 20:50
haha you guys rock. Its funny how they spend countless hours and millions of dollars on useless protections.
Janvitos
23rd January 2007, 20:55
I just burned the movie "Corpse Bride" on a BD-RE disc and guess what... It plays back in WinDVD !!!
puppydg68
23rd January 2007, 21:04
I just burned the movie "Corpse Bride" on a BD-RE disc and guess what... It plays back in WinDVD !!!
are you able to get to a ps3 and test?
Janvitos
23rd January 2007, 21:08
Unfortunately i don't have a PS3 but i guess i could buy one and return it :)
kuklitis
23rd January 2007, 21:24
I just burned the movie "Corpse Bride" on a BD-RE disc and guess what... It plays back in WinDVD !!!
CONGRATULATIONS ! WE reached yet another milestone :)
Now we can start to think about semi-professional piracy :D All we need is a PC device (Blu-Ray reader or burner), blank media, BackUPBluray utility to rip and decrypt and of course the key would be WinDVD software that allows playing on PC monitor or other devices full 1920x1080 res. without any HDCP stuff. It now looks like it would be easier to pass friends and other eager people those BD-R media with movies - just pop it into PC drive and watch without any moving to local HDD and other rather complicated stuff ...
aerox87
23rd January 2007, 22:20
Nice job Janvitos ;)
Too bad that 1 BD-R 25GB costs $17 and BD-R 50GB is over $30 :(
kuklitis
23rd January 2007, 22:38
Yes, prices are still high and if you are lucky you can get BD-R for 12$-14$. And the worst still is that prices for media have stayed at the same level already for some 4 months ! :( It's about time to start gradually falling by 1$ a month to some 7-8$ level !
-----------------
Just did some quick search and this seems just the better deal right now :
>>>
FUJIFILM 25GB 2X BD-R(Blu-ray) Single Disc - Retail for 13.99$ at NewEgg with FREE shipping
And this is strange that there are almost no multi packages present into market. Only one offer for 5 package and some for 2 package BD-R media and no significant price gain with those :(
2bigkings
23rd January 2007, 22:40
yes, european prices are a little bit higher.
burn a movie on a BD-R is at the moment very expensive, to save data from your HD it's perfect media.
evdberg
23rd January 2007, 22:51
Too bad that 1 BD-R 25GB costs $17 and BD-R 50GB is over $30 :(
All the more reason to buy the original if you like the movie ...
kuklitis
23rd January 2007, 23:14
All the more reason to buy the original if you like the movie ...
Here in Europe we have prices 25-38 euros for good Blu-ray movie, but price for BD-R is around 12-13 euros.
Let's say we are 4 friends - early adopters with Blu-ray PC drives in our PC's. Then we each put together 3.5 euros, buy media, download from torrents ripped and decrypted movie, burn to BD-R, and take turns watching it ! :) If we buy original, then our expenses would be 7-9 euros each.
And I hope that media prices will fall, but it's very unlikely that prices of new and popular Blu-ray movie releases would drop ...
jokin
23rd January 2007, 23:53
Here in Europe we have prices 25-38 euros for good Blu-ray movie, but price for BD-R is around 12-13 euros.
Let's say we are 4 friends - early adopters with Blu-ray PC drives in our PC's. Then we each put together 3.5 euros, buy media, download from torrents ripped and decrypted movie, burn to BD-R, and take turns watching it ! :) If we buy original, then our expenses would be 7-9 euros each.
And I hope that media prices will fall, but it's very unlikely that prices of new and popular Blu-ray movie releases would drop ...
This tool is meant to allow backing up your original copies of a movie so you can keep from damaging the original and/or to allow playback on a non-HDCP compliant monitor at full resolution. This is not meant to allow one to pirate the material.
HyperHacker
24th January 2007, 00:43
I can't see BD-R prices coming down soon. Them costing near as much as (or more than) the actual movies is another anti-piracy measure. Though for irony's sake you could burn smaller ones to HD-DVD disks. ;)
File got removed 'cos of too many "complaints" :(
Yeah, FYI, Rapidshare is absolute total crap.
Now someone make further progress on decrypting BD so we can get back on topic. :p
blutach
24th January 2007, 02:30
CONGRATULATIONS ! WE reached yet another milestone :)
Now we can start to think about semi-professional piracy :D All we need is a PC device (Blu-Ray reader or burner), blank media, BackUPBluray utility to rip and decrypt and of course the key would be WinDVD software that allows playing on PC monitor or other devices full 1920x1080 res. without any HDCP stuff. It now looks like it would be easier to pass friends and other eager people those BD-R media with movies - just pop it into PC drive and watch without any moving to local HDD and other rather complicated stuff ...
Here in Europe we have prices 25-38 euros for good Blu-ray movie, but price for BD-R is around 12-13 euros.
Let's say we are 4 friends - early adopters with Blu-ray PC drives in our PC's. Then we each put together 3.5 euros, buy media, download from torrents ripped and decrypted movie, burn to BD-R, and take turns watching it ! :) If we buy original, then our expenses would be 7-9 euros each.
And I hope that media prices will fall, but it's very unlikely that prices of new and popular Blu-ray movie releases would drop ...
This tool is meant to allow backing up your original copies of a movie so you can keep from damaging the original and/or to allow playback on a non-HDCP compliant monitor at full resolution. This is not meant to allow one to pirate the material.
Exactly jokin. :goodpost:
@kuklitis - any more talk along these lines will incur a rule 6 strike. Stick to the topic. You wanna talk about how you or other people can pirate DVDs/BR/HDDVD, please do it elsewhere. :readrule:
Regards
Janvitos
24th January 2007, 06:05
Get the other link !
Galileo2000
24th January 2007, 06:18
http://rapidshare.com/files/13113176/blu-ray_backup_audio.avi
Janvitos,
Most excellent! Great job!
Did you use HDV camera to make the video?
Congratulations!
I guess I am going to buy BD drive soon..
hajj_3
24th January 2007, 06:48
Nice:)! you should put the camcorder on something stable tho, picture qual aint great and very wobbly. also you should make a video showing how to do it from start to end, show backupbluray in action, getting the keys etc with keyfinder, decrypting, then watching off hdd unencrypted, state that your graphics card is non-hdcp (assuming it isnt) and then show video of it running like in here.
then put it on youtube.
Galileo2000
24th January 2007, 06:51
Nice:)! you should put the camcorder on something stable tho, picture qual aint great and very wobbly. also you should make a video showing how to do it from start to end, show backupbluray in action, getting the keys etc with keyfinder, decrypting, then watching off hdd unencrypted, state that your graphics card is non-hdcp (assuming it isnt) and then show video of it running like in here.
then put it on youtube.
and include your home address and phone number as well and see "Removed by the request of Sony Corporation" a few minutes after.
Morbid
24th January 2007, 07:14
Doom9 is getting more press (http://www.dailytech.com/article.aspx?newsid=5795) over these efforts than I can recall in all my years of coming by.
Somebody should hook Muslix64 with some Blu-Ray/HD-DVD equipment so he can further his studies.
MorBiD
Galileo2000
24th January 2007, 07:17
Doom9 is getting more press (http://www.dailytech.com/article.aspx?newsid=5795) over these efforts than I can recall in all my years of coming by.
Somebody should hook Muslix64 with some Blu-Ray/HD-DVD equipment so he can further his studies.
MorBiD
I do agree, and more than willing to contribute. But we have to figure out how to do it.
bob0r
24th January 2007, 09:11
http://rapidshare.com/files/13113176/blu-ray_backup_audio.avi
LOL @ powersupply sockets near the floor.... oh and nice video :D
Spc01
24th January 2007, 11:07
Muslix64 excellent work.
You made HD-DVD/ BluRay fair use.
Janvitos
24th January 2007, 13:38
http://www.youtube.com/watch?v=pfzLVogXOpM
mrazzido
24th January 2007, 13:53
Thx for the video, janvitos. I think WB called YouTube fast to remove the video, hehe :-D, like muslix64's video.
HD Hell
24th January 2007, 19:28
Hi muslix and janvitos - how is it coming with getting backupbluray to handle Volume unique keys?
muslix64
24th January 2007, 20:02
Janvitos told me he hasn't seen that, but is there anyone who has seen a Blu-ray movie with more than one CPS unit key per disc? This will help me do the volume key thing...
Look in the Unit_key_ro.inf file.
mrazzido
24th January 2007, 20:18
I tested a backed-up BD movie on a PS3 Jap. edition, it doesn't work :-( . "unknown disk"
@muslix64
I see only one CPS key on my movies. If I see more I'll write you immediately; getting a new delivery next day :-)
2bigkings
24th January 2007, 20:18
which movie @mrazzido?
mrazzido
24th January 2007, 20:21
I tested 2 movies on BD-R and BD-RE, ICE AGE II and The Fugitive, both PAL. Doesn't work. Can the PS3 handle PAL movies?
2bigkings
24th January 2007, 20:26
the fugitive should be playable on a PS3 because the movie is regionfree
PS3 JAPAN
Region A Movies (Japan / Asia / USA)
PS3 ASIA
Region A Movies (Japan / Asia / USA)
PS3 US
i dont know..
let's talk in a ps3 thread, because this thread is about blu-ray and aacs...
ps: have a look at blu-ray regionfree movies at http://bluray.lindsite.dk/
hajj_3
24th January 2007, 20:30
2bigkings, that will be the next step once we get ime working and a single app to do everything in backuphddvd and backupbluray. There are probably some bytes somewhere on the discs which tell the player what region it is. I'm sure we will find out where those bytes are and change the discs to ripped discs to multiregion, or even hack the firmware to multi-region.
K40
24th January 2007, 21:18
I heard that standalone Blu-ray players can only play back AACS-protected discs. Would it be possible that this is the case with the PS3? On this forum it has been reported that a backup of 5th Element on a SL Blu-ray R was working in a Samsung player. How was this done exactly?
Janvitos
24th January 2007, 23:15
I'm going to buy a PS3 later tonight and will keep you updated with the results.
kuklitis
24th January 2007, 23:43
I'm going to buy a PS3 later tonight and will keep you updated with the results.
>>>>>It seems that you truly made some investing sacrifice and I just hope that we all get benefit from it, and even more if we all could do some kind of reward for your financial and time investment to our common cause! :)
iampivot
24th January 2007, 23:48
This is a very basic, but powerful crypto attack that I have used to decrypt both formats.
[...]
Because I know the keys are unprotected in memory, I can skip all the painful process of code reversal.
I don't have any Blu-Ray equipment but I was able to recover the keys anyways... because I had access to a memory dump file and a media file.
[...]
Do you see something special? Do you see any pattern?
The first byte is always D1 and the 5th byte is always 47. Can we use that to mount the known-plaintext attack? Of course!
[...]
Any questions?
Based on this reasoning, can the same be done to do a known plaintext attack against the device key?
I'm assuming that the device key is also at one time present in the memory dump, and the title key is the known plaintext from the disc header. Thus, the attack described could in theory be used to try to decrypt the disc header to see if parts of it match the title key.
The device key is probably discarded just after use, so a more elaborate memory dump scheme is probably needed.
Janvitos
24th January 2007, 23:49
Don't worry about it i'm returning the stuff anyways :)
Only the movies and BD-RE discs i can't return but they'll be useful to me anyways.
Electrox3d
24th January 2007, 23:54
I'm glad I can finally be of some help to this cause. So, the reason your PS3 cannot play your burned BD-R or BD-RE disc is because the Firmware isn't supporting it yet. We are on Firmware 1.5, and this feature won't be supported until at least 2.0.
I noticed someone mentioned it worked with the Samsung BD player, and that is great because the PS3 slowly but surely takes everything every other player can do and does it better with Firmware upgrades. :)
I have burners and PS3's available to do testing with, I just need enough HDD space hehe.
nuclear bit
25th January 2007, 19:11
Based on this reasoning, can the same be done to do a known plaintext attack against the device key?
I'm assuming that the device key is also at one time present in the memory dump, and the title key is the known plaintext from the disc header. Thus, the attack described could in theory be used to try to decrypt the disc header to see if parts of it match the title key.
The device key is probably discarded just after use, so a more elaborate memory dump scheme is probably needed.
Well, it would be a lot more difficult, first of all there is no such thing as 'the one and only device key', each device is assigned a set of device keys together with their u,v subtree mask (cfr specs).
The media key in the MKB on the disc is encrypted using a number of keys (say n times with n keys), this number is dependent on the number of actual revocations (the larger the number of revocations, the more encrypted entries you will find).
The device will search for a working key in its device key set (complicated search using the uv masks, the device number, the device keyset, and a key derivation alg...) and will be able to use it to decrypt just one of the n encrypted media key entries. If the device is revoked it will not find a matching key in its set and will not be able to get to the title key.
So in order to use this 'device key mechanism', one needs to discover all the keys assigned to a player and their corresponding u,v subtree mask + the device number! So this is a lot more than finding 128 consecutive bits in memory.
In fact I consider the AACS spec quite secure and a 'real crack' would include cracking AES-128. The funny thing is that this whole complex MKB decoding algorithm is bypassed by a trick based on finding the title key immediately in memory.
miro
26th January 2007, 04:51
hopefully there will be such tools available for linux too...
dvdguru
26th January 2007, 14:42
The problem is that some devices only play BDAV and not BDMV if the support is a BD-RE or a BD-R.
BDAV= format for home made HD videos
BDMV= format for pre-recorded HD film
The Samsung BD-P1000 & the Panasonic BD-10 CAN play BDMV (so the ripped film) with menu & everything, I did all the tests and I can confirm it.
The PS3 can't play BDMV, and it's not for incompatibility but it's a Sony decision. They can unlock this when they want, like Samsung.
Samsung BD-P1000: first firmware plays BDMV. 1.1 & 1.2 don't play BDMV. And now the latest plays BDMV. It's a political reason.
There is only one problem now: if you burn a dual layer BD you can't replicate the layer change info & the disc doesn't work fine, when you arrive @ layer change the playback stops.
2bigkings
26th January 2007, 15:04
thanks for information dvdguru. very interesting!
i think to change the layer info should not be a big problem.
they were successful with double layer media for xbox360, so there will be a tool for changing the layer info for blu-ray movies / games in the future.
kuklitis
26th January 2007, 15:17
The problem is that some devices only play BDAV and not BDMV if the support is a BD-RE or a BD-R.
BDAV= format for home made HD videos
BDMV= format for pre-recorded HD film
The Samsung BD-P1000 & the Panasonic BD-10 CAN play BDMV (so the ripped film) with menu & everything, I did all the tests and I can confirm it.
I'm a little bit confused regarding the term "support is a BD-RE or a BD-R" ... Does it mean that the device can physically tell the difference between stamped media and BD-R/BD-RE media? Or is it just the firmware that allows playing the BDAV folder = home made/authorized videos and therefore it also allows BD-R/BD-RE media?
What if a ripped film gets burned on BD-R under BDMV?
The PS3 can't play BDMV, and it's not for incompatibility but it's a Sony decision. They can unlock this when they want, like Samsung.
Samsung BD-P1000: first firmware plays BDMV. 1.1 & 1.2 don't play BDMV. And now the latest plays BDMV. It's a political reason.
Or is the whole thing that, since you removed the whole AACS folder in order to play ripped movies, all devices just base their actions on the existence/absence of this folder and not on the BDAV/BDMV namings?
xyz987
26th January 2007, 15:50
I'm a little bit confused regarding the term "support is a BD-RE or a BD-R"
He means "disk is a BD-RE or a BD-R"
dvdguru
26th January 2007, 16:34
Sorry, support = disk.
Yes, the device can recognize the type of disc. A player recognizes if a disc is a BD-ROM, a BD-R or a BD-RE disc. There is some info about the support written into the inner area, so via firmware you can force the playback of a standard on a certain type of disk.
In BDAV there is a folder called BDAV in the disk root.
In BDMV (produced with Roxio DVDit HD) there is a folder called BDMV in the disk root.
In BDMV (prerecorded, for ex. a film) there is a folder called BDMV in the disk root.
So if the player looks only @ file structure, it plays everything without any problem. But it checks for disk type, so it plays only formats that are authorized. And BDMV is not authorized for some players like PS3.
Disc volume is not important when you burn: every Blu-ray has the same disc volume name but I change it in my backups without any problem.
Don't burn the AACS directory: if you burn the AACS dir the player looks for encrypted M2TS, your disc is not encrypted and the player ejects it. So burn only the BDMV directory.
The layer change is a big problem in my opinion. Now when you burn a DVD+R DL, Nero adjusts for you the information about layer break (that you must remove in ifo or during the ripping with DVD Decrypter option).
So in Blu-ray we need to find the layer break info (imo it is in the playlist file), we have to cancel that info and then we need burning software that puts the layer break position during the burning @ the correct position.
Black Hawk Down is a 47 Gb BD. There is a 23 Gb M2TS file and another 23 Gb M2TS file. I think that the first file is on layer 0 and the second file is placed on layer 1. The player plays the first file, finds the layer break info and changes layers. And everything works.
But if I burn this movie now with Nero, Nero puts on the first layer 23 Gb + 2 Gb of the second file. Then it changes layer and writes the other part of the file. But the layer change info is still here, and @ the end of the first file the player tries to change layer.
kuklitis
26th January 2007, 17:00
Sorry, support = disk.
Yes, the device can recognize the type of disc. A player recognizes if a disc is a BD-ROM, a BD-R or a BD-RE disc. There is some info about the support written into the inner area, so via firmware you can force the playback of a standard on a certain type of disk.
In BDAV there is a folder called BDAV in the disk root.
In BDMV (produced with Roxio DVDit HD) there is a folder called BDMV in the disk root.
In BDMV (prerecorded, for ex. a film) there is a folder called BDMV in the disk root.
So if the player looks only @ file structure, it plays everything without any problem. But it checks for disk type, so it plays only formats that are authorized. And BDMV is not authorized for some players like PS3.
Disc volume is not important when you burn: every Blu-ray has the same disc volume name but I change it in my backups without any problem.
Don't burn the AACS directory: if you burn the AACS dir the player looks for encrypted M2TS, your disc is not encrypted and the player ejects it. So burn only the BDMV directory.
OK, thanks, now all things are getting more clear to me :)
In BDMV (produced with Roxio DVDit HD)
You first mentioned that home made videos are stored in a BDMA type folder! Shouldn't stuff produced with Roxio DVDit HD be considered home made video?
What happens if we rip the movie and then burn it on BD-R under a BDMA folder to disguise it as home made? Is it a completely different structure, or does it somehow downgrade home made video playback quality so it's no more 1080p?
dvdguru
26th January 2007, 17:25
BDAV and BDMV are totally different formats.
BDAV= only video, lower bitrate, no menu, no interactivity. And also a different file structure.
Roxio DVDit HD is a professional authoring tool and with it you can produce BDMV. BDAV is the format for Cyberlink PowerProducer or Ulead, mass market software.
iampivot
27th January 2007, 02:59
Well, it would be a lot more difficult, first of all there is no such thing as 'the one and only device key', each device is assigned a set of device keys together with their u,v subtree mask (cfr specs).
The media key in the MKB on the disc is encrypted using a number of keys (say n times with n keys), this number is dependent on the number of actual revocations (the larger the number of revocations, the more encrypted entries you will find).
The device will search for a working key in its device key set (complicated search using the uv masks, the device number, the device keyset, and a key derivation alg...) and will be able to use it to decrypt just one of the n encrypted media key entries. If the device is revoked it will not find a matching key in its set and will not be able to get to the title key.
So in order to use this 'device key mechanism', one needs to discover all the keys assigned to a player and their corresponding u,v subtree mask + the device number! So this is a lot more than finding 128 consecutive bits in memory.
Is this key derivation algorithm also part of the AES-128 specification, or is it specific to AACS?
PepsiLee2001
28th January 2007, 11:36
I got a problem......
The "SHA-1 hash code" under the CPSUnit00001.ccs are the same in the following 2 blu-ray titles:
"House of Flying Daggers" and "Ultraviolet"
mrazzido
28th January 2007, 12:29
I think it's off-topic; if so, pls delete.
I installed WinDVD Jap. edition on a second PC. I made an ISO of my ripped movie; the ISO is mounted by Daemon Tools. When I try to start the film it wants me to change the region code to B. Is there a chance to change the region in WinDVD without a Blu-ray drive inside? The option is "locked" without a drive.
johner23
28th January 2007, 16:26
See above:
---> http://forum.videohelp.com/viewtopic.php?t=320788
Now, the other step is to deal with BD+ protection and some other schemes that industries will take, trying to solve the situation about Blu-Ray and Hd-DVD weak points.
---> http://en.wikipedia.org/wiki/BD+
All the help from community will help a lot Muslix64 and some other people, much willing to stop DRM abusive behaviours towards us, the consumers !!
Thanks.
devil (johner)
Shinigami-Sama
28th January 2007, 20:21
I think it's off-topic; if so, pls delete.
I installed WinDVD Jap. edition on a second PC. I made an ISO of my ripped movie; the ISO is mounted by Daemon Tools. When I try to start the film it wants me to change the region code to B. Is there a chance to change the region in WinDVD without a Blu-ray drive inside? The option is "locked" without a drive.
try ghosting your drive?
that way you can play however you want and just restore the original
nuclear bit
28th January 2007, 22:18
Is this key derivation algorithm also part of the AES-128 specification, or is it specific to AACS?
The key derivation alg is part of what is called 'subset difference based key management', it is used by AACS.
I've been reading about this and it seems a very flexible way to implement the revocations. If you are interested in this don't read the AACS specs they are too short on explaining this topic. There is a much better explanation in : http://www.watersprings.org/pub/id/draft-irtf-smug-subsetdifference-00.txt
unbreakable if you ask me...
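The posts above say that the number of encrypted media key entries grows with the number of revocations, and that a revoked device finds no entry it can use; the structure of a subset-difference cover shows why. This is an added example, not code from the AACS specification or from any poster: the heap-style node numbering and all function names are assumptions, and no keys or key derivation are modeled.

```python
"""Subset-difference cover over a complete binary tree (structure only).

Assumed numbering: root = 1, children of n are 2n and 2n+1,
device d is leaf 2**height + d. A subset (i, j) means
"every leaf under node i except the leaves under node j".
"""


def is_ancestor(a, b):
    """True if node a is b itself or an ancestor of b."""
    while b > a:
        b //= 2
    return a == b


def sd_cover(height, revoked):
    """Return the list of subsets (i, j) that covers exactly the
    non-revoked devices. j is None only when nothing is revoked."""
    first_leaf = 1 << height
    revoked_leaves = {first_leaf + d for d in revoked}
    cover = []

    def walk(node):
        # Returns None if no revoked leaf lies under node. Otherwise returns
        # a node r such that every unrevoked leaf under r is already covered
        # and every leaf under node but outside r is unrevoked and uncovered.
        if node >= first_leaf:
            return node if node in revoked_leaves else None
        reps = [(child, walk(child)) for child in (2 * node, 2 * node + 1)]
        if reps[0][1] is None or reps[1][1] is None:
            return reps[0][1] or reps[1][1]
        # Revoked leaves on both sides: close off each side with one subset.
        for child, rep in reps:
            if rep != child:
                cover.append((child, rep))
        return node

    top = walk(1)
    if top is None:
        cover.append((1, None))      # no revocations: one entry for everyone
    elif top != 1:
        cover.append((1, top))
    return cover


def matching_subsets(height, device, cover):
    """Subsets in the cover that contain the given device number."""
    leaf = (1 << height) + device
    return [(i, j) for i, j in cover
            if is_ancestor(i, leaf) and (j is None or not is_ancestor(j, leaf))]


def verify_cover(height, revoked):
    """Check that each unrevoked device is in exactly one subset and each
    revoked device in none; return the number of subsets (entries)."""
    cover = sd_cover(height, revoked)
    for d in range(1 << height):
        hits = len(matching_subsets(height, d, cover))
        if hits != (0 if d in revoked else 1):
            raise ValueError(f"device {d} matched {hits} subsets")
    return len(cover)


if __name__ == "__main__":
    # Constructed sample: 16 devices, growing revocation list.
    for revoked in (set(), {5}, {0, 5}, {0, 2, 5}, {1, 6, 7, 12}):
        print(sorted(revoked), "->", sd_cover(4, revoked))
```

With r revoked devices the cover never needs more than 2r - 1 subsets, which is why the entry count tracks the revocation list rather than the total number of devices.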
6ixed
28th January 2007, 23:05
Now, the other step is to deal with BD+ protection and some other schemes that industries will take, trying to solve the situation about Blu-Ray and Hd-DVD weak points.
devil (johner)
Here's an interesting observation I found, from an Industry Insider...who states, that its just a matter of time, before BD+ can be cracked too...along the lines of AACS crack....
Posts from forum somewhere... Link (http://www.avsforum.com/avs-vb/showthread.php?p=9532683&&#post9532683)
and then the Industry Insider proceeds to explain it in some detail in this Link (http://www.avsforum.com/avs-vb/showthread.php?p=9533539&&#post9533539)
6ixed
HD Hell
29th January 2007, 22:47
Any news on the Volume keys yet?
Revgen
29th January 2007, 23:10
and then the Industry Insider proceeds to explain it in some detail in this Link (http://www.avsforum.com/avs-vb/showthread.php?p=9533539&&#post9533539)
The "insider" is from "Washington State". Microsoft perhaps? ;)
They've invested quite a bit into HD-DVD.
He-Man
29th January 2007, 23:14
Here's an interesting observation I found, from an Industry Insider...who states, that its just a matter of time, before BD+ can be cracked too...along the lines of AACS crack....
Posts from forum somewhere... Link (http://www.avsforum.com/avs-vb/showthread.php?p=9532683&&#post9532683)
and then the Industry Insider proceeds to explain it in some detail in this Link (http://www.avsforum.com/avs-vb/showthread.php?p=9533539&&#post9533539)
6ixed
BD+ was turned down by the HD DVD forum and will only be implemented on Blu-Ray.
Of course Amir says BD+ on Blu-Ray will be easy to crack, he is a HD DVD insider (not Blu-Ray insider) who works for Microsoft and Microsoft is supporting the competing format HD DVD which will not use BD+.
mrazzido
30th January 2007, 00:39
I found a way to change the region settings in WinDVD without having any Blu-ray drive inside :-) Yeah, the movie works on my second PC now.
K40
30th January 2007, 09:02
Can you explain how to change the region setting in WinDVD without a connected Blu-ray drive?
Another question is about changing the Blu-ray regions A or B when the drive is connected. I heard you can change 5 times.
So if the first disc inserted is region A, the drive will ask if you want to set it to region A and then you can change it another 4 times.
Which means with the last change you have a region A drive.
Or after the first region set you can change 5 times, which means you end with a region B drive?
mrazzido
30th January 2007, 12:30
Here is the tool ...Click... (http://www.file-upload.net/download-187729/windvd_tool.rar.html), it activates the "grey" windowze buttonz.
Start the tool then push "start", then start WinDVD BD edition, go to the window where you change region, and watch the buttons available :-) (the timer is 0 but it works, hehe).
hajj_3
31st January 2007, 07:43
this topic should be renamed to: "BackupBLURAY, a tool to decrypt AACS protected movies"
K40
1st February 2007, 00:36
Hi mrazzido, thank you for the tip and the tool.
Will try it later, I got my BD burner just yesterday.
I noticed that a movie that enforces the region code does this only together with a software player. When the key is available on the internet you can decrypt A and B enforced titles without changing the region setting on the drive.
I did back up Terminator 2, The Fifth Element and Lord of Wars.
BackupBluRay needed 4 hours for one movie. Is this usual or is something wrong with my settings?
Adbear
1st February 2007, 07:48
Hi mrazzido, thank you for the tip and the tool.
Will try it later, I got my BD burner just yesterday.
I noticed that a movie that enforces the region code does this only together with a software player. When the key is available on the internet you can decrypt A and B enforced titles without changing the region setting on the drive.
I did back up Terminator 2, The Fifth Element and Lord of Wars.
BackupBluRay needed 4 hours for one movie. Is this usual or is something wrong with my settings?
I've backed up some of mine too, and they can take a good few hours each
mrazzido
1st February 2007, 14:34
I read the BD disk with DVDDECRYPTER "only read iso" to my HD (30-40 mins), faster than with the bblueray tool, then mounted the CRYPTED movie with DM TOOLS, then used backupblueray with your virtual drive. Backup took 1200 seconds for one movie.
PepsiLee2001
1st February 2007, 15:30
I got a problem.
There are three Blu-ray titles that have the same hash code of CPSUnit00001.cci, but the CPS Unit Keys were different.
They are
75673083FD45B39B1ACE02315523E3D242A17064=Terminator 2 : Judgment Day |00/00/00|61B0F7CCFB372F34BC729AE68575DD91
75673083FD45B39B1ACE02315523E3D242A17064=Kingdom of the Heaven (Jap) |00/00/00|7154C66FC9F5FD261CDBED3663851479
75673083FD45B39B1ACE02315523E3D242A17064=XXX |00/00/00|72B9A7683430B339DE99D37D05070A32
And other titles have the same problem:
A060DA91B326CD7A6DBF318D06EA89901AF83DA8=House of Flying Daggers |00/00/00|B45529FF11A2E82BC051FA9454A5B1E1
A060DA91B326CD7A6DBF318D06EA89901AF83DA8=UltraViolet |00/00/00|E3B97D702F712312F4CA28774579C087
A060DA91B326CD7A6DBF318D06EA89901AF83DA8=S.W.A.T. |00/00/00|CD2EA76C6FAC27971C937AB60E6DCD1B
mrazzido
1st February 2007, 15:34
Yeah pepsilee2001, I read this in the key thread, don't know a solution for it. Crazy that all files have the same SHA1 :-/.
Momotte
1st February 2007, 15:43
I guess it will require that for BD disk, that we use a different file / method to ID the disk. Taking the disk title and adding it to the sha1 might be a good idea...
He-Man
2nd February 2007, 00:41
I got a problem.
There are three Blu-ray titles that have the same hash code of CPSUnit00001.cci, but the CPS Unit Keys were different.
They are
75673083FD45B39B1ACE02315523E3D242A17064=Terminator 2 : Judgment Day |00/00/00|61B0F7CCFB372F34BC729AE68575DD91
75673083FD45B39B1ACE02315523E3D242A17064=Kingdom of the Heaven (Jap) |00/00/00|7154C66FC9F5FD261CDBED3663851479
75673083FD45B39B1ACE02315523E3D242A17064=XXX |00/00/00|72B9A7683430B339DE99D37D05070A32
And other titles have the same problem:
A060DA91B326CD7A6DBF318D06EA89901AF83DA8=House of Flying Daggers |00/00/00|B45529FF11A2E82BC051FA9454A5B1E1
A060DA91B326CD7A6DBF318D06EA89901AF83DA8=UltraViolet |00/00/00|E3B97D702F712312F4CA28774579C087
A060DA91B326CD7A6DBF318D06EA89901AF83DA8=S.W.A.T. |00/00/00|CD2EA76C6FAC27971C937AB60E6DCD1B
Are the "MAC of PMSN" also the same for all discs?
It has been suggested using "MAC of PMSN" instead of SHA-1 for Blu-Ray since this would avoid any need of hash calculations in the software:
http://forum.doom9.org/showthread.php?p=941339#post941339
And likewise for HD DVD the "TKF MAC" should be used instead of SHA-1.
HD Hell
3rd February 2007, 01:59
Have muslix and janvitos "left the building" - I don't see much going on these days to finish BackupBluray? (scratches head).
Without Volume Unique Key, isn't this tool just a curiosity piece but will never go far?
Sorry if I sound like a grinch :D I had just thought it would have been dusted now...
d121
3rd February 2007, 02:02
Used the BackupBluray tool with JDK 6 Java installed. But no luck. Every time I run backupbluray in DOS, the result is: Could not find Blu-ray source O:
O: is bluray drive.
Any suggestion?
blutach
3rd February 2007, 08:06
Have muslix and janvitos "left the building" - I don't see much going on these days to finish BackupBluray? (scratches head).
Without Volume Unique Key, isn't this tool just a curiosity piece but will never go far?
Sorry if I sound like a grinch :D I had just thought it would have been dusted now...
Almost all your posts do sound this way.
Plus, their whereabouts is not for you to enquire about. What business of yours is it? They are private people, as we all are. Learn to respect that. As well, they owe you nothing!
I truly think you need to revise the way you post here.
Regards
Adbear
3rd February 2007, 09:05