AACS Keys - A program revealing all AACS Keys needed to decrypt (HD DVD and Blu-ray)


arnezami
11th March 2007, 22:04
MODERATOR NOTE: arnezami is apparently no longer active in maintaining this software. New versions can be found here:

http://forum.doom9.org/showthread.php?p=1186415#post1186415

Thank you, arnezami, for your pioneering work!

Original contents of this post follow...

----------------------------------------

Finally.

Here is my program that gives a list of all keys used for aacs decryption for one disc. Currently I'm too tired to go into this deeply but I need people to test this. Especially the Blu-ray owners: I have no Blu-ray burner/player so I'm "flying blind" when it comes to programming stuff for Blu-ray. I think I've read the Blu-ray specs right and hope it all works. But it really has to be tested.

Anyway. As promised the program itself: aacskeys.exe v0.2.5 (http://www.sendspace.com/file/3e8bzt) (fixed for Blu-ray now :))

Go here for the new v0.2.8 version (http://forum.doom9.org/showthread.php?p=1018060#post1018060).

It's still in the early stages of development so there are probably some bugs in it.

Here is a screenshot (King Kong):

http://img110.imageshack.us/img110/4728/aacskeyspicfu1.jpg

That's gotta put a smile on your face :D :D

Keep in mind there are three types of views now: normal (n), verbose (v) and sensitive (s). But you'll figure it out ;).

When I iron some things out I will release the source (of course) but this will take at least a couple of days (maybe next week). There are still a couple of things to do (Hk, VID MAC, BK, TKFMAC, Device Keys etc). But I want it to work first and there is where you guys come in :).

So if you can test if it works please do. Any feedback is welcome.

Thanks already :thanks:

Regards,

arnezami

Pelican9
11th March 2007, 22:15
It works.
Or these are burned-in values... :)

fakker
11th March 2007, 23:11
confirmed working....

Batman Begins UK HD-DVD - 15/09/06
Here is the output given after using verbose mode:
C:\>aacskeys d v

Sorry if it looks a mess... Either way there were 64 encrypted and decrypted keys... I will not paste all of those as we get the drift. :eek:

Again, as many have already said - thanks a lot for all of your efforts, and in releasing this long awaited tool. :thanks:

mrazzido
11th March 2007, 23:36
i try it on bluray , House of Wax EUR / GER


when i read the keys from memory ( windvd )

i get these



CPS Unit Key : 9329A4976FE297AF4475BDAD13119A4F

Volume Unique Key : 83AD82670F99F9F9A64D05B0501CF20D




with your tool i get

http://img474.imageshack.us/img474/7059/hghta3.png

mrazzido
11th March 2007, 23:43
second test

on click EUR / GER


windvd memory



CPS Unit Key : 05BAFE2DD84C0781C6CE09714726FED9

Volume Unique Key : 5928C17E732E17FCC896401715556D07



tool

http://img393.imageshack.us/img393/5159/vsvsvms3.png

arnezami
11th March 2007, 23:50
Ok. There is clearly a problem with the retrieval of the Volume ID here (it's all 0's). Which is also the hardest to test for me.

Can you tell me if any of the sensitive data: Dv/Dsig/Dn/Dcert/VID MAC are also all 0's (don't post them just tell if some of them are all 0's and if so which ones)

And are these file names on your disc(s):

G:\AACS\Unit_Key_RO.inf
G:\AACS\MKB_RO.inf

Because it seems to have problems opening the Title Key file (error on top).

I'm pretty sure the MKB file is working since the Media Key is verified.

mrazzido
11th March 2007, 23:59
yeah these files on the disc.


http://img183.imageshack.us/img183/1518/vsvsvsvsbm5.png

arnezami
12th March 2007, 00:00
Ah. I think I see the problem.

Try this one: aacskeys.exe (http://www.sendspace.com/file/8ltp8b)

mrazzido
12th March 2007, 00:05
works

test it on click


http://www.directupload.net/images/070311/rXH8PKd3.jpg

arnezami
12th March 2007, 00:09
Perfect :D

Now it works for BluRay too.

mrazzido
12th March 2007, 00:10
second test of how / ger/eur

http://www.directupload.net/images/070312/zdJK8kZo.jpg






great work :-)

bourke
12th March 2007, 00:27
How do you find the 'hash' value used in programs like BackupHDDVD? Is that something that could be added to the output?

mrazzido
12th March 2007, 00:27
some time ago I burned a CRYPTED movie on BD-RE

when i try the tool

C:\Dokumente und Einstellungen\Administrator>aacskeys g n
Processing key: 09F911029D74E35BD84156C5635688C0
Media key: 853EC6162030F7F7EF1B61265BE30A68
Volume ID: 00000000000000000000000000000000
Volume Unique Key: 378A39F68C5FDABE94D0621BDBC4481D
Decrypted Unit Key 1: 8AF9B2644339E90931DA68DB96AA06AA

arnezami
12th March 2007, 00:29
How do you find the 'hash' value used in programs like BackupHDDVD? Is that something that could be added to the output?

Yeah. Still have to do that. :)

Very practical indeed.

arnezami
12th March 2007, 00:32
some time ago I burned a CRYPTED movie on BD-RE

when i try the tool

Interesting. Volume ID is all 0's with rewritables. That sort of makes sense though. But does it give a Volume ID MAC (when doing the sensitive view). Or is that one all 0's too? If it is all 0's then Players can probably not be fooled by putting encrypted movies on rewritables (even after re-encrypting the title keys). But if the Volume ID MAC is anything other than 0's then it's going to be interesting to see what we can do with rewritables...

bourke
12th March 2007, 00:35
No hurry either - we all appreciate this (whole AACS caper) must have used up a lot of your time already :-)

I'm actually more waiting on the lads doing those evo demux/authoring tools (which are coming nicely) - then if they include your code they can have a very nice 1080p to 720p (~8Gb) conversion tool indeed :-)

mrazzido
12th March 2007, 00:36
Interesting. But does it give a Volume ID MAC (when doing the sensitive view). Or is that one all 0's too? If it is all 0's then Players can probably not be fooled by putting encrypted movies on rewritables (even after re-encrypting the title keys). But if the Volume ID MAC is anything other than 0's then it's going to be interesting to see what we can do with rewritables...





i try all 0's :-/

blutach
12th March 2007, 01:04
@arnezami

A huge thank you for this. Thread stuck.

Regards

xyz987
12th March 2007, 02:17
Excellent!!!

:thanks:

vudoodoodoo
12th March 2007, 03:13
Nice. Thank you!

woodspire
12th March 2007, 03:27
Please compile your program in Java so I can test it on my PS3 linux !

Still can't compile properly the iscsi application to mount the blu-ray drive in windows, but it's coming ...

blutach
12th March 2007, 03:40
@woodspire - I have had enough of people ignoring the policy on requests. Strike issued.

Regards

HyperHacker
12th March 2007, 04:25
Excellent work, I can't test it myself but it looks great. Just thinking though you should add an ASCII view of the volume ID, as those seem to be ASCII fairly often. :)

guile
12th March 2007, 13:20
GREAT WORK!!!! I have tested on SEVERAL BLu Ray discs and it is working on all of them (at least producing what appears to be working keys). I can't confirm the keys are valid without title hash (unless I'm missing something).

Electrox3d
12th March 2007, 17:47
GREAT WORK!!!! I have tested on SEVERAL BLu Ray discs and it is working on all of them (at least producing what appears to be working keys). I can't confirm the keys are valid without title hash (unless I'm missing something).

Yeah, that's the final question I have too... where's the Title hash? Is this not possible to get via software?

If this is a program revealing all AACS Key's needed to decrypt, does that mean it is hidden somewhere in the output?

Thanks, great job!

KenD00
12th March 2007, 18:09
The title hash is the SHA-1 hash value from the file AACS\CPSUnit00001.cci off the disc. There are many programs which can calculate a SHA-1 hash, e.g. HexWorkshop or WinHEX. Btw., this identifier is not very well chosen, there are already titles which have the same title hash. This is because this file does not contain information that is unique per title, it contains Copyright Control Information. If two discs have the same number of titles and use the same copy-rights (things like Image Constraint Token and so on) they will produce the same title hash.

Therefore, when BluRay support is included into DumpHD it will use the SHA-1 hash of the file AACS\Unit_Key_RO.inf as title hash.

:rolleyes:

arnezami
12th March 2007, 18:51
That sounds like a really good idea. I always assumed Muslix64 hashed the Unit_Key_RO.inf. But looking at it more closely it's pretty obvious now we get duplicate hash values (there isn't much info in the cci info to begin with).

Theoretically the Unit Key files could be the same for some discs as well. But I don't know if they would actually do that (different vuks with the same unit key file lead to different unit keys, so they could do this since there is no tkfmac).

Anyway. If you're going to do this then I will do the same with my program aacskeys: hashing the title key file for HD DVDs and hashing the Unit Key file for blu-ray discs. So our programs will be compatible that way. :)

What should we do if there are multiple title key files btw? (for hd dvd only I believe)

Is there a specific file format you're going to use? Or plain pipe separated? I thought about using ";" or "//" or something as comment markers at the beginning of each comment line (at the beginning of the file). Maybe also column names. I like to keep it really basic and simple though ;).

Regards,

arnezami

lightshadow
12th March 2007, 21:20
First of all, fantastic work to all that have contributed to make this program happen =)

Regarding the source, I can understand that you want to wait a while before releasing it. But the problem is, if Doom9 gets closed in the meantime, the source is not released =(

So what if you made a rar/gpg encrypted archive of the source available, and when you feel it is ready we get the passphrase? =)

The advantage is that if Doom9 should get closed, it is easier to make a passphrase slip, so someone can make a Slashdot story, that THE passphrase has slipped and it is ####, rather than having to release the source. =)

Another advantage is, that if you tell the passphrase to a few trusted secret people, and you should go silent, the passphrase is still out there, and you haven't released it after you have gone silent. Someone else has, and it could be anybody. Who knows who you can trust these days? =)

Ps. It would be fun if the passphrase was 4737676058d7029452514f0ab186dc4cca8c578f . Just for the irony =)

arnezami
12th March 2007, 21:44
Well ok then. For me not yet releasing the source is not about being secretive but about being proper. What I've learned about open source is that it's not just about releasing the source but making it understandable and easily usable and giving credit to all that should be given credit to. I haven't had the time to do that properly. But if you insist and really want it (the raw version that is) I will release the source of the current version.

Here it is: source (http://www.sendspace.com/file/4x8imn). You need openssl for this to work.

This is not an "official" release. This is just for those who want to play around with it.

Regards,

arnezami

nincollector
13th March 2007, 00:10
does this only work for power dvd 7.1 or will it work with all software players i.e 7.2 and above?

mrazzido
13th March 2007, 00:22
the info is that the key is from power dvd 7.1

you can decrypt the movie with backuphddvd / bluray

and play fine with windvd or power dvd 6 hd or bd edition

jh87
13th March 2007, 07:10
I tried it on a bluray iso copied from PS3. I got the processing key, which is the one we all know. I also got the media key but then the program aborted with message saying "all AGIDs in use".
Then I tried it on the PS3 linux with the original movie for the above ISO, then I got the "permission denied" message.
So I guess it is no go if I don't have a BD drive connected to my PC, right? Sorry for the newb question.

arnezami
13th March 2007, 07:56
Could somebody try to compile this on linux (PS3 or PC).

aacskeys multi platform source (http://www.sendspace.com/file/7rvzff). (linux + windows)

This version should compile both on windows as on linux. But I haven't tested it yet on linux. Please keep me informed of any problems and/or solutions.

The instructions are almost the same as for aacsauth:

INSTALL

You need openssl 0.9.8
Compile with gcc -o aacskeys -lcrypto ioctl.c ecdsa.c mmc.c aes.c aacsauth.c

There may be some warnings. But hopefully it compiles for linux now (not tested yet).

USAGE

Type something like ./aacskeys /dev/scd0 v
/dev/scd0 is the device file of your drive

Regards,

arnezami

PS. The PS3 uses a hypervisor which might prevent it from getting the volume id at all. And mounted ISOs can't handle the mmc commands properly.
PPS. The old source shouldn't work on linux unless adapted of course :).

ebsi
13th March 2007, 10:01
This one compiles now on linux. Still untested on PS3.
http://www.sendspace.com/file/x9nmjq

KenD00
13th March 2007, 11:09
Theoretically the Unit Key files could be the same for some discs as well. But I don't know if they would actually do that (different vuks with the same unit key file lead to different unit keys, so they could do this since there is no tkfmac).

Hmm, that's a point that I have missed. Since title keys are random, this could happen by chance, but how big is this probability? Maybe a second file should be used in addition to create the title hash? I'm open for ideas.

What should we do if there are multiple title key files btw? (for hd dvd only I believe)

For HD-DVD Advanced Content the VTKF000.AACS is still a good choice, for HD-DVD Standard Content i use the only present TKF VTKF.AACS.

Is there a specific file format you're going to use?

For now, the database format is not nice, but sufficient enough. For BluRay I will only change the key entries to be consistent with the HD-DVD format (I will store both keys in one db), that is adding a key type flag (V = VUK, U = CPS Unit Key) and numbering the CPS Unit Keys like the Title Keys. When it's time for Sequence Keys I think we should think about a new format, the current one can only store one key type per entry, for Sequence Keys you would need two lines, with redundancy of the movie name and so on, that's not so nice.

:rolleyes:

arnezami
13th March 2007, 19:28
This one compiles now on linux. Still untested on PS3.
http://www.sendspace.com/file/x9nmjq

Thanks for helping to get it to work on linux. Have you tested it on PC (running linux)? HD DVD or Blu-ray? Or did you only compile it.

Also you added this to the aacskeys.h:

#if !defined(linux)
int send_cmd(drive_handle h, unsigned char *cmd, unsigned char *buf, size_t send, size_t recv);
#endif


So the definition of send_cmd will not be available for linux. But how can this work since mmc.c needs it? Did it give an error and if so which one?

Thanks.

People who own a PS3 could try to compile it on their PS3 and see what happens... (I'm quite curious) :)

Regards,

arnezami

arnezami
13th March 2007, 19:33
Hmm, that's a point that I have missed. Since title keys are random, this could happen by chance, but how big is this probability? Maybe a second file should be used in addition to create the title hash? I'm open for ideas.
The chance of this happening by pure chance is zero. They really would have to do this intentionally (but it would be a little silly for them to do this). So (for now) I think it would be a good idea to use the Unit Key file: it's also equivalent to the Title Key file (for HD DVD). So it would all make more sense.

For HD-DVD Advanced Content the VTKF000.AACS is still a good choice, for HD-DVD Standard Content i use the only present TKF VTKF.AACS.

Yeah. That should work fine.

For now, the database format is not nice, but sufficient enough. For BluRay i will only change the key entries to be consistent with the HD-DVD format (i will store both keys in one db), that is adding a key type flag (V = VUK, U = CPS Unit Key) and numbering the CPS Unit Keys like the Title Keys.

Sounds good. Especially the V/U differentiation. Blu-rays are bound to get more Unit keys per disc.

When it's time for Sequence Keys I think we should think about a new format, the current one can only store one key type per entry, for Sequence Keys you would need two lines, with redundancy of the movie name and so on, that's not so nice.
I'm probably also creating my own kinds of files for Device/Processing keys and Host Certificates/Private Keys (probably using the some kind of format). Which would also include corresponding uv values and MKB versions and Software player name+versions. But your program will not need these files/keys (until that is you implement the mkb processing and aacsauth stuff as well).

Regards,

arnezami

00dwan
13th March 2007, 19:47
People who own a PS3 could try to compile it on their PS3 and see what happens... (I'm quite curious) :)

Regards,

arnezami

I have a ps3 and want to test it (actually I need it to work for something I'm trying to do: http://forum.doom9.org/showthread.php?t=123355), but I'm a linux n00b so I would need very clear instructions.

fakker
13th March 2007, 21:57
I have a ps3 and want to test it (actually I need it to work for something I'm trying to do: http://forum.doom9.org/showthread.php?t=123355), but I'm a linux n00b so I would need very clear instructions.

INSTALL

You need openssl 0.9.8
Compile with gcc -o aacskeys -lcrypto ioctl.c ecdsa.c mmc.c aes.c aacsauth.c

There may be some warnings. But hopefully it compiles for linux now (not tested yet).

USAGE

Type something like ./aacskeys /dev/scd0 v
/dev/scd0 is the device file of your drive

dirio49
13th March 2007, 23:53
here I tried in gentoo, and it compiles,But cannot test no HDDVd or BlUray disk nor drives :)

gcc -o aacskeys -lcrypto ioctl.c ecdsa.c mmc.c aes.c aacskeys.c
ecdsa.c: In function 'aacs_set_cert':
ecdsa.c:29: warning: initialization discards qualifiers from pointer target type
ecdsa.c: In function 'aacs_sign':
ecdsa.c:67: warning: comparison between pointer and integer

woodspire
14th March 2007, 01:44
Done under PS3 with Yellow Dog Linux 5. I have modified the ioctl.c file to match both send_cmd header. (I add unsigned to the linux header function). So now, I don't get the error between ioctl.c and aacskeys.h

But still get these errors. Seems that openssl can't get correctly installed. Don't know why. openssl ppc version (not ppc64). It seems it installs itself in /usr/local/ssl/include instead of the default path.

If I run openssl, it says it's version 0.9.8a 11 october 2005
But I compiled 0.9.8e

Please someone with C compilation knowledge (I so much love perl, so such compilation problem) compile a binary for linux-ppc or linux-ppc64. Statically linked would be better I think.

Here is the output from the gcc command:

gcc -o aacskeys -lcrypto -I/usr/local/ssl/include ioctl.c ecdsa.c mmc.c aes.c aacskeys.c
ecdsa.c: In function ‘aacs_set_cert’:
ecdsa.c:29: warning: initialization discards qualifiers from pointer target type
ecdsa.c: In function ‘aacs_sign’:
ecdsa.c:67: warning: comparison between pointer and integer
aes.c:62:2: warning: no newline at end of file
aacskeys.c: In function ‘main’:
aacskeys.c:555: warning: comparison is always false due to limited range of data type
/tmp/ccIwRoTT.o: In function `aacs_key':
ecdsa.c:(.text+0x14): undefined reference to `EC_KEY_new'
ecdsa.c:(.text+0x4c): undefined reference to `EC_KEY_set_group'
ecdsa.c:(.text+0x6c): undefined reference to `EC_KEY_free'
/tmp/ccIwRoTT.o: In function `aacs_set_cert':
ecdsa.c:(.text+0xd0): undefined reference to `EC_KEY_get0_group'
ecdsa.c:(.text+0x190): undefined reference to `EC_POINT_new'
ecdsa.c:(.text+0x1c8): undefined reference to `EC_POINT_set_affine_coordinates_GFp'
ecdsa.c:(.text+0x1fc): undefined reference to `EC_KEY_set_public_key'
/tmp/ccIwRoTT.o: In function `aacs_sign':
ecdsa.c:(.text+0x2cc): undefined reference to `EC_KEY_set_private_key'
ecdsa.c:(.text+0x2dc): undefined reference to `EVP_ecdsa'
ecdsa.c:(.text+0x34c): undefined reference to `ECDSA_do_sign'
ecdsa.c:(.text+0x3c4): undefined reference to `ECDSA_SIG_free'
ecdsa.c:(.text+0x3d8): undefined reference to `EC_KEY_free'
/tmp/ccIwRoTT.o: In function `aacs_verify':
ecdsa.c:(.text+0x458): undefined reference to `EVP_ecdsa'
ecdsa.c:(.text+0x4b4): undefined reference to `ECDSA_SIG_new'
ecdsa.c:(.text+0x534): undefined reference to `ECDSA_do_verify'
ecdsa.c:(.text+0x550): undefined reference to `ECDSA_SIG_free'
ecdsa.c:(.text+0x564): undefined reference to `EC_KEY_free'
/tmp/ccIwRoTT.o: In function `aacs_group':
ecdsa.c:(.text+0x828): undefined reference to `EC_GROUP_new_curve_GFp'
ecdsa.c:(.text+0x864): undefined reference to `EC_POINT_new'
ecdsa.c:(.text+0x918): undefined reference to `EC_POINT_set_affine_coordinates_GF2m'
ecdsa.c:(.text+0x9bc): undefined reference to `EC_GROUP_set_generator'
ecdsa.c:(.text+0xa04): undefined reference to `EC_GROUP_free'
ecdsa.c:(.text+0xa20): undefined reference to `EC_POINT_free'
collect2: ld returned 1 exit status

00dwan
14th March 2007, 02:15
I couldn't get aacskeys working on ps3 linux. I had similar errors as the ones stated above.

I just tried running aacskeys from windows xp(qemu) on the ps3 and I get the "All AGIDs are in use, aborting." message. Same thing happened when I used a daemon-tools mounted iso on my normal windows xp computer.

woodspire
14th March 2007, 02:19
If someone could compile and correctly execute the iscsi-target on the ps3, we could access the blu-ray from windows with the iscsi-initiator:

iscsi-initiator: http://www.microsoft.com/downloads/details.aspx?FamilyID=12cb3c1a-15d6-4585-b385-befd1319f825&DisplayLang=en

iscsi-target: http://iscsitarget.sourceforge.net/

Watch out, I think openssl needs to be compiled in ppc64.

For my part, iscsi-target compiles correctly. It's when I run it that there's an error in /var/log/messages

For all the linux gurus, please help us!

lightshadow
14th March 2007, 02:55
If I run openssl, it says it's version 0.9.8a 11 october 2005
But I compiled 0.9.8e

This sounds like the openssl that ships with your distribution is located in /usr/ where your compiled is located in /usr/local

For the rpm installed openssl you can check that by
rpm -qa|grep -i openssl|xargs rpm -ql

For the openssl you compiled, try check the --PREFIX by
./configure --help
in your unpacked openssl directory, and see what the PREFIX variable is set to. Changing it to /usr will replace your rpm installed openssl.

woodspire
14th March 2007, 04:55
recompile openssl with --prefix=/usr

Now the default openssl is 0.9.8e

Remove the -I/usr/local/ssl/include part

But still same error. Check in the /usr/include/openssl/evp.h and the function EVP_ecdsa is well defined. Why can't the compiler find it ?

arnezami
14th March 2007, 07:18
Ok. It looks like ebsi has managed to compile and run aacskeys on the PS3. It looks like his Dv/Dsig values are all zero. As far as I can see he has also added a mount point variable (to make a distinction between the device file where mmc commands are sent to and the mountpoint to find the MKB/UnitKey files I guess). So my source probably requires some more tweaking for linux.

Can somebody else confirm this? I wonder if Dcert is returned by the drive (don't post it we just need to know if it's not all 0's).

ebsi
14th March 2007, 14:40
http://www.sendspace.com/file/d3aava
In the archive you also find a PS3 linux binary.
It's compiled on Ubuntu Edgy for PPC.
For mounting a BD disk this patch:
http://sourceforge.net/tracker/index.php?func=detail&aid=1671912&group_id=295&atid=300295
is needed.

To use it you must mount the BD disk. For example:
mount /dev/scd0 /media/cdrom
./aacskeys /dev/scd0 /media/cdrom s

Dv, Dsig, HK and BK are empty.

arnezami
14th March 2007, 19:16
Ok. I now understand that you do get the Dcert and Dn which means the mmc commands are working on the PS3.

There are some things we can do to see what is the problem with retrieving the Dsig and Dv.

(1) There is a (small) error in the report key and send key command.

This is what report_key should look like:

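int report_key(drive_handle h, unsigned char *buffer, char agid, char key_format, short length, unsigned char bluray) {
    unsigned char cmd[CDROM_PACKET_SIZE];
    memset(cmd, 0, CDROM_PACKET_SIZE);

    cmd[0] = REPORT_KEY;
    cmd[1] = 0;
    cmd[7] = 0x02;
    cmd[8] = (length>>8)&0xff;             /* allocation length, high byte */
    cmd[9] = (length)&0xff;                /* allocation length, low byte */
    cmd[10] = agid<<6|(key_format&0x3f);   /* AGID in the top two bits, key format in the low six */

    memset(buffer, 0, length);             /* clear the caller's buffer before the drive fills it */

    if(send_cmd(h, cmd, buffer, 0, length) >= 0)   /* nothing sent, length bytes received */
        return 0;
    else
        return -1;
}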


This is what send_key should look like:

int send_key(drive_handle h, unsigned char *buffer, char agid, char key_format, short length, unsigned char bluray) {
    unsigned char cmd[CDROM_PACKET_SIZE];
    memset(cmd, 0, CDROM_PACKET_SIZE);

    cmd[0] = SEND_KEY;
    cmd[1] = 0;
    cmd[7] = 0x02;
    cmd[8] = (length>>8)&0xff;             /* parameter list length, high byte */
    cmd[9] = (length)&0xff;                /* parameter list length, low byte */
    cmd[10] = agid<<6|(key_format&0x3f);   /* AGID in the top two bits, key format in the low six */

    if(send_cmd(h, cmd, buffer, length, 0) >= 0)   /* length bytes sent, nothing received */
        return 0;
    else
        return -1;
}


The read_vid should stay the same (with the bluray var).

(2) There could be a problem with timing or the agid being invalid (after the drive cert has been received).

This is unlikely but we could check if the agid is still in use after retrieving the drive cert. We do this by trying to obtain an agid just after we have done the report_drive_cert_chal. If it's -1 then the agid is still in use (as it should be). But if it's 0 then the agid has been dropped by the drive. Alternatively we could try to wait a little before asking the drive for the Dv/Dsig (or ask many times).

(3) We should try to compile and run this program on a PC linux system.

When using either a Bluray drive or a HD DVD drive on a linux PC (not the PS3) we can see what works. If this is working (on a PC) then the PS3 hypervisor is probably giving us trouble (or the distro/processor whatever). If it doesn't work for linux PC (or maybe only bluray) then we have to solve that first.

(4) We should make sure we get better error messages

When the report_drive_key is executed it gives back all 0's. But this can be due to several reasons. We could change this function to give us a little more info on what happened (by checking the resulting value of course).

int report_drive_key(drive_handle h, char agid, unsigned char *point, unsigned char *signature, unsigned char bluray) {
    /* -2: the command itself failed */
    if(report_key(h, buf, agid, 2, 84, bluray))
        return -2;

    /* -1: the drive answered, but not with the expected 00 52 header */
    if(buf[0] != 0 || buf[1] != 0x52)
        return -1;

    memcpy(point, buf+4, 40);
    memcpy(signature, buf+44, 40);

    return 0;
}

A return value of -2 would mean that the report_key function failed (and therefore the send_cmd function). With a return value of -1 we know that the drive has actually returned something (but not something beginning with 00 52). Maybe there is also a way to get sense data from the commands sent. I don't know how to do this for linux ioctl.

Of course somebody has to do some precise debugging to see where the problem lies.

(5) We should compile and try aacsauth

We have working source code (for linux) in aacsauth (http://forum.doom9.org/showthread.php?t=122969). We could use this for trying to see what works. When we add the following in the read_vid of jx6bpm's source it should work for bluray:

int read_vid(drive_handle h, char agid, char *vid, char *mac) {
    char cmd[CDROM_PACKET_SIZE];
    memset(cmd, 0, CDROM_PACKET_SIZE);

    cmd[0] = 0xad;
    cmd[1] = 1;
    cmd[7] = 0x80;
    cmd[8] = 0;
    cmd[9] = 36;
    cmd[10] = (agid<<6)&0xc0;

    if(send_cmd(h, cmd, buf, 0, 36) < 0)
        return -1;

    memcpy(vid, buf+4, 16);
    memcpy(mac, buf+20, 16);

    return 0;
}

(6) We may have to fill in vendor specific information

The report key command (as well as the other commands) says that byte 11 is somewhat vendor specific:

http://img152.imageshack.us/img152/7964/reportxd8.jpg

Currently we set this entire byte to 0. I don't know if this is a problem (since the Dcert is working it wouldn't make sense this is the reason the Dv isn't retrieved). And what is NACA, flag and link?

There is also the question if this is correct:

cmd[8] = (length>>8)&0xff;
cmd[9] = (length)&0xff;


Maybe it's better to use an unsigned char for length (and only use byte 9) to avoid potential problems regarding endian encoding? Since the (allocation) length is never going to exceed 255 anyway.

We could also do a GET CONFIGURATION command and see what comes out of that.

Hopefully we will find out soon what is going on here. The fact that the PS3 is actually returning the Dcert is very positive news because it means that the mmc commands are not blocked :).

Regards,

arnezami

Electrox3d
14th March 2007, 23:45
boy am I lost now! I thought I was getting it, then whammo!

OK, so I hope this question falls into this thread:
If the program reveals all AACS Keys needed to decrypt, then how do I get the SHA1 hash? I believe that is needed to decrypt?

In the following example of the BD movie Click, I don't know how to get the 40 character string prior to the "=Click" name. I DO know how to get the 32 character string following the "|00/00/00|".

F40F9413E223031170483DEBD0495F5D64F41392=Click |00/00/00|C1F8540A04E9405FED346872CD125990
....^ I can not figure out how to get this string.................................^ I do know how to get this one. (Its just the CPS key)

So, does this program help in revealing that 40-character string?

Thanks!

woodspire
15th March 2007, 00:05
The hash is the sha1 hash of the AACS/CPUnit00001.cci file.

under linux, type: openssl sha1 CPUnit00001.cci

Under windows, download a utility to calculate the sha1 hash of a file

Maybe this could help: http://www.codeproject.com/cs/files/dt_file_hasher.asp

or try this: http://hashtab.beeblebrox-org.qarchive.org/

You could also have looked in the backupblurayv21.zip source. Under src/shared/utils.java, the hashFile function explains how it's done.

And the src/main/BackupBluRay.java shows which file is hashed.

woodspire
15th March 2007, 00:13
Same problem as ebsi.

Can't compile right now the binary for aacskeys (openssl problem stated above) but the binary provided by ebsi is working.

Dv, Dsig, Hk and BK all zero.

Dcert not zero.

Actually, no other info are zero except the 4 above.

Get a volume Unique Key for talladega nights:

Processing key: 09F911029D74E35BD84156C5635688C0
Encrypted C-value: CBB16165DDC196FC65D0E6A0333045F5
Corresponding uv: 00000001

Decrypted C-value: 31143BED2A2E4A23A546A708267DDC7C
Media key: 31143BED2A2E4A23A546A708267DDC7D

Encrypted verification data: B385A42078219980710627B27BF7C541
Decr verif data should be: 0123456789ABCDEF
Decrypted verification data: 0123456789ABCDEF682370557C3E243C

AGID: FF

Host certificate from: Power DVD 7.1
Host certificate (Hcert): 0200005CFFFF0000000C00006E3DEB679B9A16AD
FAA8E30878767BA6EB2A9B415385AD1181B4446C
31E9A5DD2AB808B364FF15885BAC490964318C9B
F8029FCF76F688A54FBDA03F6D9332EF04E5A613
12DA85880A4D9CBB79D8602E
Host Private Key (Hpriv): 4737676058D7029452514F0AB186DC4CCA8C578F
Host Nonce (Hn): 2923BE84E16CD6AE529049F1F1BBE9EBB3A6DB3C

Drive certificate (Dcert): ########################################
########################################
########################################
########################################
########################
Drive Nonce (Dn): ########################################

Drive key point (Dv): ########################################
########################################
Drive key signature (Dsig): ########################################
########################################

Host key (Hk): 0000000000000000000000000000000000000000
Host key point (Hv): 8E9B0E3CF41FA7DA3A829F604122EA4ED5261AA4
7570CE0BB9061A66FAF92C4A7D98ACC171CBF19B
Host key signature (Hsig): ########################################
########################################

Drive signature wrong/error
Bus key (BK): ################################

Volume ID: 8E9B0E3CF41FA7DA3A829F604122EA4E
Voluem ID MAC: ################################

Volume Unique Key: 3104B2690FA032CD8849139B2D518D0F
Encrypted Unit Key 1: 819CCCE5F7FCF2C8F30FD559F0DDCA0E

Decrypted Unit Key 1: 23403F01F9FD3023ADDF2698C12E7C03


But not the correct one: 243302819492872FB60BF20BCCE28531

It's my way to check if the application is working.

Can't make the change to the source code because can't compile but can run any binary you provide, if you want to debug (woodspire@hotmail.com)

P.S. I have a strange copy of "The Prestige" that can't be decrypted with the key provided in this forum. Hoping to correct the problem and be able to provide it to everybody after testing it.

Electrox3d
15th March 2007, 00:31
The hash is the sha1 hash of the AACS/CPUnit00001.cci file.

under linux, type: openssl sha1 CPUnit00001.cci

Under windows, download a utility to calculate the sha1 hash of a file

Maybe this could help: http://www.codeproject.com/cs/files/dt_file_hasher.asp

or try this: http://hashtab.beeblebrox-org.qarchive.org/

You could also have looked in the backupblurayv21.zip source. Under src/shared/utils.java, the hashFile function explains how it's done.

And the src/main/BackupBluRay.java shows which file is hashed.


:devil: This is the first time it was clearly put to me what needed to be done to get this Hash... The software you linked wouldn't work based on some kind of .NET security, but a program called Pinpoint Hash by Pinpoint Laboratories pulled up that exact code! I was like :eek: then :confused: then :devil:

Thanks!

arnezami
15th March 2007, 05:58
:devil: This is the first time it was clearly put to me what needed to be done to get this Hash... The software you linked wouldn't work based on some kind of .NET security, but a program called Pinpoint Hash by Pinpoint Laboratories pulled up that exact code! I was like :eek: then :confused: then :devil:

Thanks!

Yes. This has been discussed. Firstly: the aacskeys program is in progress and it isn't finished. Earlier in this thread I said I would include the sha1 hash at some time. Secondly: KenD00 and I agreed the wrong file is currently hashed which is likely to give us duplicate values for different movies and we agreed to change it to the Unit Key file. We even discussed the file format and the possibility of the Unit Key files being the same for different movies. It's all in this thread.

Sorry for not being more clear about this. But there is a time for building and programming stuff and there is a time for explaining stuff. Usually in that order ;).

Regards,

arnezami

arnezami
15th March 2007, 06:21
Same problem as ebsi.

Can't compile right now the binary for aacskeys (openssl problem stated above) but the binary provided by ebsi is working.

Dv, Dsig, Hk and BK all zero.

Dcert not zero.

Actually, no other info are zero except the 4 above.

Get a volume Unique Key for talladega nights:

...

It's my way to check if the application is working.

Can't make the change to the source code because can't compile but can run any binary you provide, if you want to debug (woodspire@hotmail.com)

P.S. I have a strange copy of "The Prestige" that can't be decrypted with the key provided in this forum. Hoping to correct the problem and be able to provide it to everybody after testing it.

Thanks for testing. This is interesting (and strange). It actually gives back a Volume ID (although it's the wrong one).

In this post (http://forum.doom9.org/showthread.php?p=953582#post953582) the Volume ID for Talladega Nights The Ballad of Ricky Bobby was posted:

7f 58 3c b4 6c 30 99 e5 c8 99 44 08 07 f7 41 4b

I'm assuming that's the same movie. But since it gives back something it may be an encrypted Volume ID (possibly some special PS3 encryption?).** Can somebody look at their Dcert and see if the drive is Bus Key capable. As I explained earlier how to see this: look for 01 00 00 5c in there. The red value is zero if the drive is not capable of bus encryption.

There is another thing we should try. I now suspect the Dv/Dsig is not empty at all, it's just not copied to the appropriate buffers (because it contains something strange).

In order to test this you could remove the following code from the report_drive_key function:

int report_drive_key(drive_handle h, char agid, unsigned char *point, unsigned char *signature, unsigned char bluray) {
    if(report_key(h, buf, agid, 2, 84, bluray))
        return -1;

    if(buf[0] != 0 || buf[1] != 0x52)
        return -1;

    memcpy(point, buf+4, 40);
    memcpy(signature, buf+44, 40);

    return 0;
}


so it would look like this:

int report_drive_key(drive_handle h, char agid, unsigned char *point, unsigned char *signature, unsigned char bluray) {
    if(report_key(h, buf, agid, 2, 84, bluray))
        return -1;

    memcpy(point, buf+4, 40);
    memcpy(signature, buf+44, 40);

    return 0;
}


If it then gives any data I would be very interested in what that data is. Would the first two values be close to 0x00 0x52? It wouldn't be working according to specs btw...


[edit] Ooh wait. The agid is wrong! Huh?! There is something wrong there. It should never be FF. Ah. Ok. The check has been removed by ebsi. This explains why it's acting up. No agid means no go. Although it doesn't help us yet. Will try to figure out how to proceed.



arnezami

** It may be wise/healthy paranoia to remove everything from this "Volume ID" and all stuff below that (until we know what it is).

HyperHacker
15th March 2007, 06:44
FYI, "Voluem ID MAC" is spelled wrong.

arnezami
15th March 2007, 08:35
Ok. I've completely stripped aacskeys into aacstiny.

It now doesn't need openssl. So more people can compile and help us.

It doesn't do much. It's just a test program. It gives more information about what is going on with the drive so please try this and report back to us (careful: it dumps buffers so I've sort of marked potential sensitive data but if you don't trust yourself just describe what you see)

Here is part of what I see on my PC:

Sending report key command: A40000000000000200003F00
Invalidation AGID 0. Result: 0
Sending report key command: A40000000000000200007F00
Invalidation AGID 1. Result: 0
Sending report key command: A4000000000000020000BF00
Invalidation AGID 2. Result: 0
Sending report key command: A4000000000000020000FF00
Invalidation AGID 3. Result: 0
Sending report key command: A40000000000000200080000
Returning buffer from report agid command: 0006000000000000
AGID: 00

Sending send key command: A30000000000000200740100
Host certificate from: Power DVD 7.1
Host certificate (Hcert): 0200005CFFFF0000000C00006E3DEB679B9A16AD
FAA8E30878767BA6EB2A9B415385AD1181B4446C
31E9A5DD2AB808B364FF15885BAC490964318C9B
F8029FCF76F688A54FBDA03F6D9332EF04E5A613
12DA85880A4D9CBB79D8602E
Host Private Key (Hpriv): 4737676058D7029452514F0AB186DC4CCA8C578F
Host Nonce (Hn): 2923BE84E16CD6AE529049F1F1BBE9EBB3A6DB3C

Sending report key command: A40000000000000200740100
CAREFUL SENSITIVE: Returning buffer from report drive challenge command: 00720000xxxxxxx

http://rapidshare.com/files/21107374/aacstiny.rar.html

(sorry sendspace is down atm)

Instructions:

INSTALL

Compile with gcc -o aacstiny ioctl.c mmc.c aacstiny.c

There may be some warnings. But hopefully it compiles for linux now (not tested yet).

USAGE

mount /dev/scd0 /media/cdrom (this may not be needed but well doesn't hurt I guess)
./aacstiny /dev/scd0 s
/dev/scd0 is the device file of your drive

Good luck :).

arnezami

PS. On a sidenote: since AACS auth is only implemented on "PC-based systems" its also possible the PS3 doesn't support it at all. If this is the case then I have no idea how the PS3 gets its volume ids. I highly doubt though this is the case.

woodspire
15th March 2007, 11:37
Can somebody look at their Dcert and see if the drive is Bus Key capable. As I explained earlier how to see this: look for 01 00 00 5c in there. The red value is zero if the drive is not capable of bus encryption.


The only '5C' is at the start of my Dcert. Here is how it starts:

0200005CFFFF00 ...

So, it seems that it's not capable of bus encryption.

And it doesn't begin with '01' but with '02'.

Also, if no bus encryption is supported, isn't that a nice thing to have... no encryption ???

lightshadow
15th March 2007, 12:13
I can't compile aacstiny Linux. The latter is a bit more verbose.
~/bdownload/aacstiny$ gcc -o aacstiny ioctl.c mmc.c aacstiny.c
aacstiny.c: In function ‘main’:
aacstiny.c:245: error: ‘EXIT_SUCCESS’ undeclared (first use in this function)
aacstiny.c:245: error: (Each undeclared identifier is reported only once
aacstiny.c:245: error: for each function it appears in.)
~/bdownload/aacstiny$ gcc -Wall -O2 -o aacstiny ioctl.c mmc.c aacstiny.c
ioctl.c: In function ‘close_drive’:
ioctl.c:167: warning: implicit declaration of function ‘close’
aacstiny.c:40: warning: return type defaults to ‘int’
aacstiny.c:83: warning: return type defaults to ‘int’
aacstiny.c: In function ‘main’:
aacstiny.c:193: warning: pointer targets in passing argument 1 of ‘output_key’ differ in signedness
aacstiny.c:245: error: ‘EXIT_SUCCESS’ undeclared (first use in this function)
aacstiny.c:245: error: (Each undeclared identifier is reported only once
aacstiny.c:245: error: for each function it appears in.)
aacstiny.c:239: warning: label ‘err’ defined but not used
~/bdownload/aacstiny$

honai
15th March 2007, 17:18
The hash is the sha1 hash of the AACS/CPUnit00001.cci file.

under linux, type: openssl sha1 CPUnit00001.cci

Under windows, download a utility to calculate the sha1 hash of a file

Under Windows I'd recommend the HashTab shell extension:

http://www.beeblebrox.org/hashtab/

Might also come in handy for other uses, like comparing if two files are identical, or when you want to release some software on a public server.

arnezami
15th March 2007, 19:47
I can't compile aacstiny Linux. The latter is a bit more verbose.
~/bdownload/aacstiny$ gcc -o aacstiny ioctl.c mmc.c aacstiny.c
aacstiny.c: In function ‘main’:
aacstiny.c:245: error: ‘EXIT_SUCCESS’ undeclared (first use in this function)
aacstiny.c:245: error: (Each undeclared identifier is reported only once
aacstiny.c:245: error: for each function it appears in.)
~/bdownload/aacstiny$ gcc -Wall -O2 -o aacstiny ioctl.c mmc.c aacstiny.c
ioctl.c: In function ‘close_drive’:
ioctl.c:167: warning: implicit declaration of function ‘close’
aacstiny.c:40: warning: return type defaults to ‘int’
aacstiny.c:83: warning: return type defaults to ‘int’
aacstiny.c: In function ‘main’:
aacstiny.c:193: warning: pointer targets in passing argument 1 of ‘output_key’ differ in signedness
aacstiny.c:245: error: ‘EXIT_SUCCESS’ undeclared (first use in this function)
aacstiny.c:245: error: (Each undeclared identifier is reported only once
aacstiny.c:245: error: for each function it appears in.)
aacstiny.c:239: warning: label ‘err’ defined but not used
~/bdownload/aacstiny$

Just change EXIT_SUCCESS into 0 (as in zero).

Or download this one: http://www.sendspace.com/file/tutjhl

Regards,

arnezami

arnezami
15th March 2007, 19:53
Can somebody look at their Dcert and see if the drive is Bus Key capable. As I explained earlier how to see this: look for 01 00 00 5c in there. The red value is zero if the drive is not capable of bus encryption.


The only '5C' is at the start of my Dcert. Here is how it starts:

0200005CFFFF00 ...

So, it seems that it's not capable of bus encryption.

And it doesn't begin with '01' but with '02'.

Also, if no bus encryption is supported, isn't that a nice thing to have... no encryption ???
Hmm. Are you absolutely sure this is the shown Dcert value and not the Hcert? Because Hcerts begin with 0200005C while Dcerts begin with 0100005C. In other words: are the Dcert and Hcert the same for you?

This could in fact be the case because the buffer isn't cleaned up between the two and the agid isn't working (so the drive doesn't overwrite the buffer with new info). This would also mean that while the Dsig looks like it's filled it's not filled by the drive (which would make sense if there is no agid btw)

We need to test this (agid stuff) with aacstiny (http://www.sendspace.com/file/tutjhl) first.

lightshadow
15th March 2007, 23:57
Just change EXIT_SUCCESS into 0 (as in zero).

Or download this one: http://www.sendspace.com/file/tutjhl

Thanks.

Here is a Makefile for the Linux users that features "make" "make clean" "make install".

The file must be called "Makefile" with capital 'M'.
# Top-level Makefile for aacstiny
# (recipe lines must start with a tab character)

CC = gcc

CFLAGS=-Wall -O2

.SUFFIXES: .o .c .h

OBJS = aacstiny.o ioctl.o mmc.o
EXE = aacstiny

.c.o:
	$(CC) $(CFLAGS) -c $<

$(EXE): $(OBJS)
	$(CC) -o $@ $(OBJS)

all: clean $(EXE)

clean:
	-rm -f *.o $(EXE)

install:
	cp $(EXE) /usr/local/bin


Example:
~/tr/aacstiny$ make
gcc -Wall -O2 -c aacstiny.c
aacstiny.c:40: warning: return type defaults to ‘int’
aacstiny.c:83: warning: return type defaults to ‘int’
aacstiny.c: In function ‘main’:
aacstiny.c:193: warning: pointer targets in passing argument 1 of ‘output_key’ differ in signedness
aacstiny.c:239: warning: label ‘err’ defined but not used
aacstiny.c: In function ‘output_text’:
aacstiny.c:97: warning: control reaches end of non-void function
aacstiny.c: In function ‘output_key’:
aacstiny.c:80: warning: control reaches end of non-void function
gcc -Wall -O2 -c ioctl.c
ioctl.c: In function ‘close_drive’:
ioctl.c:167: warning: implicit declaration of function ‘close’
gcc -Wall -O2 -c mmc.c
gcc -o aacstiny aacstiny.o ioctl.o mmc.o
~/tr/aacstiny$

woodspire
16th March 2007, 00:35
Hmm. Are you absolutely sure this is the shown Dcert value and not the Hcert? Because Hcerts begin with 0200005C while Dcerts begin with 0100005C. In other words: are the Dcert and Hcert the same for you?

This could in fact be the case because the buffer isn't cleaned up between the two and the agid isn't working (so the drive doesn't overwrite the buffer with new info). This would also mean that while the Dsig looks like it's filled it's not filled by the drive (which would make sense if there is no agid btw)

We need to test this (agid stuff) with aacstiny (http://www.sendspace.com/file/tutjhl) first.

Yes, Dcert and Hcert identical.

here is the output from aacstiny:

Sending report key command: A40000000000000200003F00
Invalidation AGID 0. Result: 0
Sending report key command: A40000000000000200007F00
Invalidation AGID 1. Result: 0
Sending report key command: A4000000000000020000BF00
Invalidation AGID 2. Result: 0
Sending report key command: A4000000000000020000FF00
Invalidation AGID 3. Result: 0
Sending report key command: A40000000000000200080000
Returning buffer from report agid command: 0000000000000000
All AGIDs in use, aborting. AGID: -1

arnezami
16th March 2007, 07:11
Yes, Dcert and Hcert identical.

here is the output from aacstiny:

Sending report key command: A40000000000000200003F00
Invalidation AGID 0. Result: 0
Sending report key command: A40000000000000200007F00
Invalidation AGID 1. Result: 0
Sending report key command: A4000000000000020000BF00
Invalidation AGID 2. Result: 0
Sending report key command: A4000000000000020000FF00
Invalidation AGID 3. Result: 0
Sending report key command: A40000000000000200080000
Returning buffer from report agid command: 0000000000000000
All AGIDs in use, aborting. AGID: -1
Ok. This looks like the PS3 doesn't even know what to do with an AGID request. The buffer is simply not written to at all.

I'm starting to believe the PS3 does not use the AACS-auth system (or we can't use it). Which means:

1) We can go directly for an (encrypted?) Volume ID (but what to use as AGID?). Skipping the AACS auth process. This is unlikely to be that simple. But what was that Volume ID we got earlier: was that also a buffer fluke? We have to test this separately.
2) We simply don't know how to extract a Volume ID from the PS3. And somehow have to sniff the (hardware) bus in order to see how its retrieved.
3) The hypervisor is blocking the AGID mmc command. We would have to break the hypervisor or (maybe) hack the drive firmware. Or maybe better: try to install the drive into a PC (with no hypervisor) and see if we can get the Volume ID.

Of course we could still do something wrong. But seeing the response from aacstiny above (which is really simple) I don't think we've done anything wrong here. Somebody check this please.

Can somebody test aacskeys or aacstiny on a PC linux system (HD DVD or Blu-ray). This would confirm the program is working and that it's the PS3 acting up. We really need to know this for certain.

Regards,

arnezami

woodspire
16th March 2007, 07:12
Anybody tested the aacstiny apps under linux x86 or x86-64 ?

Maybe the problem of aacstiny and aacskeys is that x86 processors are little-endian and PPC are either Big-endian or Bi-endian...

http://en.wikipedia.org/wiki/Endian

Don't know if it applies but I know that we are playing with registry, memory addresses...


Edit: Easy way to test under linux x86:

- download ubuntu livecd iso
- run
- compile aacstiny
- run

Also, there are two other ways to test aacstiny:

1- use yellow dog linux under a PowerPC G5 Mac.
Problem: not a lot of people got a ppc mac, with a blu-ray drive, with linux as the OS ...

2- run linux on ps3... load linux only in memory (hardware detection, shell and aacstiny)
- disconnect the hard drive (serial ata, so hot plug)
- plug serial ata blu-ray or ide blu-ray with converter in place of the hard drive
- detect the blu-ray drive (rerun the hardware detection)
- run aacstiny

(so no need to open the ps3, so the warranty is kept)

Usefulness: maybe the hypervisor only filters the command on the blu-ray serial ata channel, and not on the harddrive
We could be able to know if the restriction is on the hypervisor or in the blu-ray firmware (because the external blu-ray will have already been tested in windows and report no problem).

If you got any other suggestion, be my guest.

awhitehead
16th March 2007, 17:03
Anybody tested the aacstiny apps under linux x86 or x86-64 ?

Maybe the problem of aacstiny and aacskeys is that x86 processors are little-endian and PPC are either Big-endian or Bi-endian...

http://en.wikipedia.org/wiki/Endian

Don't know if it applies but I know that we are playing with registry, memory addresses...


Edit: Easy way to test under linux x86:


Endianness might be an issue if you are packing data into structures, or reading data from structures.

There is an easy way to check for host system endianness:

#include <stdio.h>
union foo
{
    char p[4];
    int k;
};

int main()
{
    int j;
    union foo bar;
    printf("Bigendian platform (ie Mac OS X PPC) would return \"abcd\"\n");
    printf("Littleendian platform (ie Linux x86) would return \"dcba\"\n");
    printf("Your platform returned ");
    bar.k = 0x61626364;
    for(j=0; j<4 ; j++)
    {
        printf("%c",bar.p[j]);
    }

    printf("\n");
    return 0;

}

(save the above into file, compile using gcc -o foo foo.c )

however we already do know that PlayStation uses a PowerPC based CPU that is bigendian, while PCs are littleendian.


NAME
htonl, htons, ntohl, ntohs -- convert values between host and network
byte order

LIBRARY
Standard C Library (libc, -lc)


At this point it might make sense to sprinkle htonl() and friends liberally through the aacstiny source.

Sorry, I don't have a PS3, so most I can do is theorise.

arnezami
17th March 2007, 18:33
Anybody tested the aacstiny apps under linux x86 or x86-64 ?

Maybe the problem of aacstiny and aacskeys is that x86 processors are little-endian and PPC are either Big-endian or Bi-endian...

http://en.wikipedia.org/wiki/Endian

Don't know if it applies but I know that we are playing with registry, memory addresses...


Edit: Easy way to test under linux x86:

- download ubuntu livecd iso
- run
- compile aacstiny
- run

Also, there are two other ways to test aacstiny:

1- use yellow dog linux under a PowerPC G5 Mac.
Problem: not a lot of people got a ppc mac, with a blu-ray drive, with linux as the OS ...

2- run linux on ps3... load linux only in memory (hardware detection, shell and aacstiny)
- disconnect the hard drive (serial ata, so hot plug)
- plug serial ata blu-ray or ide blu-ray with converter in place of the hard drive
- detect the blu-ray drive (rerun the hardware detection)
- run aacstiny

(so no need to open the ps3, so the warranty is kept)

Usefulness: maybe the hypervisor only filters the command on the blu-ray serial ata channel, and not on the harddrive
We could be able to know if the restriction is on the hypervisor or in the blu-ray firmware (because the external blu-ray will have already been tested in windows and report no problem).

If you got any other suggestion, be my guest.
Some good ideas to test whats going on with the PS3. :)

We indeed need to know where exactly the problem lies.

(btw is there a live cd available with kernel 2.6.20 with udf 2.5 support?)

I have been distracted a bit by the sequence key issue/development etc. But I'm also thinking about some test programs to see what's going on regarding the PS3: making a very simple mmc command actually work would be confirmation we are doing something right ;).

I'm not so sure endianness plays a role anymore: the agid request command is printed above and is (and should be) the same for any system (btw: I used a simple "for loop" to print it). So I don't think this is the problem. The commands sent are according to specs. The result is not.

Sending report key command: A40000000000000200080000
Returning buffer from report agid command: 0000000000000000

But I'm not claiming to be a linux/PS3 expert ;).

arnezami
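
An added example (not part of any post in this thread, and not code from aacskeys or aacstiny), tying together two points made above: a command block built byte by byte is the same on big- and little-endian hosts, and a reply buffer that is not wiped before each command can pass the header check with leftover data. POISON, the transport_fn type and the two drive_* stand-ins are assumptions made for this example; the length rule (header value = transfer length minus 2) is inferred from the dumps in the thread (0006 for 8 bytes, 0052 for 84, 0072 for 0x74).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CDB_LEN        12
#define OP_REPORT_KEY  0xA4  /* first byte of every command dump in the thread */
#define KEY_CLASS      0x02  /* cmd[7] in the thread's report_key */
#define POISON         0xEE  /* assumption: sentinel fill chosen for this example */

enum resp_status { RESP_OK, RESP_UNTOUCHED, RESP_BAD_LENGTH, RESP_IO_ERROR };

/* Hypothetical transport: returns 0 on success, like a wrapper around send_cmd. */
typedef int (*transport_fn)(const uint8_t *cdb, uint8_t *buf, uint16_t len);

/* Encode REPORT KEY byte by byte. The shifts act on the value, not on its
 * in-memory layout, so the result is identical on any host byte order. */
void build_report_key(uint8_t *cdb, unsigned agid, unsigned key_format,
                      uint16_t alloc_len)
{
    memset(cdb, 0, CDB_LEN);
    cdb[0]  = OP_REPORT_KEY;
    cdb[7]  = KEY_CLASS;
    cdb[8]  = (uint8_t)(alloc_len >> 8);
    cdb[9]  = (uint8_t)(alloc_len & 0xff);
    cdb[10] = (uint8_t)(((agid & 0x03) << 6) | (key_format & 0x3f));
}

/* Same hex rendering as the "Sending report key command:" lines. */
const char *cdb_hex(const uint8_t *cdb)
{
    static char out[2 * CDB_LEN + 1];
    int i;
    for (i = 0; i < CDB_LEN; i++)
        sprintf(out + 2 * i, "%02X", cdb[i]);
    return out;
}

/* Judge a reply buffer that was POISON-filled before the command was sent. */
enum resp_status classify_response(const uint8_t *buf, uint16_t alloc_len)
{
    size_t i = 0;
    unsigned data_len;

    if (alloc_len < 2)
        return RESP_BAD_LENGTH;
    while (i < alloc_len && buf[i] == POISON)
        i++;
    if (i == alloc_len)
        return RESP_UNTOUCHED;          /* nothing was written into the buffer */
    data_len = ((unsigned)buf[0] << 8) | buf[1];
    return data_len == (unsigned)(alloc_len - 2) ? RESP_OK : RESP_BAD_LENGTH;
}

/* Poison, send, then classify: leftovers from an earlier command cannot pass. */
enum resp_status checked_report_key(transport_fn send, uint8_t *buf,
                                    unsigned agid, unsigned key_format,
                                    uint16_t alloc_len)
{
    uint8_t cdb[CDB_LEN];
    build_report_key(cdb, agid, key_format, alloc_len);
    memset(buf, POISON, alloc_len);
    if (send(cdb, buf, alloc_len) != 0)
        return RESP_IO_ERROR;
    return classify_response(buf, alloc_len);
}

/* Constructed stand-ins for a drive, so the example runs without hardware. */
int drive_answers(const uint8_t *cdb, uint8_t *buf, uint16_t len)
{
    (void)cdb;
    memset(buf, 0, len);
    buf[0] = (uint8_t)((len - 2) >> 8);
    buf[1] = (uint8_t)((len - 2) & 0xff);
    return 0;
}

int drive_silent(const uint8_t *cdb, uint8_t *buf, uint16_t len)
{
    (void)cdb; (void)buf; (void)len;
    return 0;                           /* claims success, writes nothing */
}

int main(void)
{
    uint8_t cdb[CDB_LEN];
    uint8_t buf[116];                   /* 0x74, the length used in the thread */

    build_report_key(cdb, 0, 0, 8);
    printf("AGID request CDB: %s\n", cdb_hex(cdb));

    /* Constructed stale buffer: only a plausible header from an earlier transfer. */
    memset(buf, 0, sizeof buf);
    buf[1] = 0x72;
    printf("stale, header check only: %d\n", classify_response(buf, sizeof buf));
    printf("silent drive, poisoned:   %d\n",
           checked_report_key(drive_silent, buf, 0, 1, sizeof buf));
    printf("answering drive:          %d\n",
           checked_report_key(drive_answers, buf, 0, 1, sizeof buf));
    return 0;
}
```

Clearing the buffer with zeros, as the posted report_key does, also stops leftovers from passing, but it cannot tell a drive that wrote zeros from one that wrote nothing; a non-zero fill can.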

woodspire
17th March 2007, 20:47
Endianness might be an issue if you are packing data into structures, or reading data from structures.

There is an easy way to check for host system endianness:

#include <stdio.h>
union foo
{
    char p[4];
    int k;
};

int main()
{
    int j;
    union foo bar;
    printf("Bigendian platform (ie Mac OS X PPC) would return \"abcd\"\n");
    printf("Littleendian platform (ie Linux x86) would return \"dcba\"\n");
    printf("Your platform returned ");
    bar.k = 0x61626364;
    for(j=0; j<4 ; j++)
    {
        printf("%c",bar.p[j]);
    }

    printf("\n");
    return 0;

}

(save the above into file, compile using gcc -o foo foo.c )

however we already do know that PlayStation uses a PowerPC based CPU that is bigendian, while PCs are littleendian.



At this point it might make sense to sprinkle htonl() and friends liberally through the aacstiny source.

Sorry, I don't have a PS3, so most I can do is theorise.


The result was: ABCD.

So the PS3 is big endian.

arnezami
18th March 2007, 13:42
Since we are possibly dealing with the hypervisor I think this might be useful:

http://wiki.ps2dev.org/ps3:hypervisor (discussion here (http://forums.ps2dev.org/viewtopic.php?t=7859))

It deals with hypervisor commands. I guess the ioctl function we use should at some point use the hypervisor commands to access the drive. Whether this is fully implemented or whether the right commands are available (mmc stuff) is a question I cannot answer.

But maybe somebody else can go into this more deeply. Figure out what's going on.

Btw: on this page (http://moss.csc.ncsu.edu/~mueller/cluster/ps3/doc/LinuxKernelOverview.html) you can read about the ioctl commands being blocked :

Since the BD drive is basically ATAPI device, Linux can issue ATAPI commands by ioctl. Some of ATAPI commands have been rejected by the hypervisor call because of security issues.

Just in case you were wondering why I think the hypervisor is bugging us :)

arnezami

[edit]This looks like the command we are talking about: http://wiki.ps2dev.org/ps3:hypervisor:lv1_storage_send_device_command

arnezami
18th March 2007, 14:40
Hmmm. Might this be the problem:
These hypervisor calls consist of simple straightforward methods: open, close, read, write, ioctl. Most of all methods are asynchronous, that is, methods will return immediately after call, and then the caller must wait for its completion via other method. These completions are notified by virtualized interrupts.

As in: we have to do something more than just call, but wait for the interrupt (or simply wait some time) and do another call and get the info we need? Anyone have any ideas on what that other call would be? Or is it simply doing it twice??

[edit]Hmmm. It seems there is a lv1_tag (- tag to identify operation?) given back by the lv1_storage_send_device_command (http://wiki.ps2dev.org/ps3:hypervisor:lv1_storage_send_device_command) which probably has to be used when using the lv1_storage_get_async_status and lv1_storage_check_async_status methods. But the latter don't give a buffer pointer so I'm starting to believe we simply might have to wait a little longer and take another look at our buffer...

arnezami
18th March 2007, 17:33
Ok. Compile and run this one on the PS3 and see what happens. If you only get a bunch of zeroes (including the last ones) then timing is unlikely to be the issue...

aacstiny (http://www.sendspace.com/file/c5yphl) (with some buffer waiting stuff)

arnezami

PS. Just for the record: you really do need kernel 2.6.20 but I guess you have that.

woodspire
19th March 2007, 04:45
Ok. Compile and run this one on the PS3 and see what happens. If you only get a bunch of zeroes (including the last ones) then timing is unlikely to be the issue...

aacstiny (http://www.sendspace.com/file/c5yphl) (with some buffer waiting stuff)

arnezami

PS. Just for the record: you really do need kernel 2.6.20 but I guess you have that.


Doesn't use kernel 2.6.20 because I can't compile it. (not a lot of experience compiling the linux kernel however)...

With kernel 2.6.16 with ntfs and udf 2.5 patch here are the results:


- without a blu-ray disk:

Sending report key command: A40000000000000200003F00
Invalidation AGID 0. Result: 0
Sending report key command: A40000000000000200007F00
Invalidation AGID 1. Result: 0
Sending report key command: A4000000000000020000BF00
Invalidation AGID 2. Result: 0
Sending report key command: A4000000000000020000FF00
Invalidation AGID 3. Result: 0
Sending report key command: A40000000000000200080000
Returning buffer from report agid command: 0FFD9F8000000000
0FFD9F8000000000


And the last line repeats itself until I hit ctrl-c.

With Casino royale:


Sending report key command: A40000000000000200003F00
Invalidation AGID 0. Result: 0
Sending report key command: A40000000000000200007F00
Invalidation AGID 1. Result: 0
Sending report key command: A4000000000000020000BF00
Invalidation AGID 2. Result: 0
Sending report key command: A4000000000000020000FF00
Invalidation AGID 3. Result: 0
Sending report key command: A40000000000000200080000
Returning buffer from report agid command: 0000000000000000
0000000000000000


And the last line repeats itself also. Maybe the 2.6.20 kernel will return something different. If someone has been able to compile it, even without the udf 2.5 patch, please post a detailed procedure, so I can redo the test.

arnezami
19th March 2007, 07:30
Ok. Has anybody been able to run any program released here with the 2.6.20 kernel on the PS3? The 2.6.20 enables PS3 support (including some hypervisor stuff). I don't think all that is in the udf patch alone. So until somebody is capable of compiling the (important parts of the) kernel I don't think it's useful to go on trying and testing programs with the PS3. Although I'm really not sure (this is not my thing).

What needs to be done (not by me) is this: somebody with a PS3 and some programming/linux experience should make sure at least one ioctl command works properly on the PS3. Until then I'm going to concentrate on something else.

arnezami

@woodspire: please don't use ctrl-c. It will stop after 200 tries and will give a little bit more info after that. The non-zero value with tray no disc is interesting though (although probably trash). Please let it run longer too.

woodspire
19th March 2007, 23:43
First of all, I read somewhere that kernel 2.6.20 cannot boot yet on the PS3.

The only kernels that I can use are provided by YDL because they contain sony patches. (kernel 2.6.16 and 2.6.17)

I was able to compile the 2.6.17 kernel but it didn't boot up the PS3.

With the kernel 2.6.16, I was able to recompile it with the udf 2.5 patch and it can boot.

Secondly, I did 6 tests with the aacstiny program.

2nd and 6th were without a disk.
All the other tests were with a disk (casino royale)
results:

1-
Sending report key command: A40000000000000200003F00
Invalidation AGID 0. Result: 0
Sending report key command: A40000000000000200007F00
Invalidation AGID 1. Result: 0
Sending report key command: A4000000000000020000BF00
Invalidation AGID 2. Result: 0
Sending report key command: A4000000000000020000FF00
Invalidation AGID 3. Result: 0
Sending report key command: A40000000000000200080000
Returning buffer from report agid command: 0FF6F2400FEC0F40
0FF6F2400FEC0F40
...
All AGIDs in use, aborting. AGID: -1


2-
Sending report key command: A40000000000000200003F00
Invalidation AGID 0. Result: 0
Sending report key command: A40000000000000200007F00
Invalidation AGID 1. Result: 0
Sending report key command: A4000000000000020000BF00
Invalidation AGID 2. Result: 0
Sending report key command: A4000000000000020000FF00
Invalidation AGID 3. Result: 0
Sending report key command: A40000000000000200080000
Returning buffer from report agid command: 100F507000000000
100F507000000000
...
All AGIDs in use, aborting. AGID: -1


3-
Sending report key command: A40000000000000200003F00
Invalidation AGID 0. Result: 0
Sending report key command: A40000000000000200007F00
Invalidation AGID 1. Result: 0
Sending report key command: A4000000000000020000BF00
Invalidation AGID 2. Result: 0
Sending report key command: A4000000000000020000FF00
Invalidation AGID 3. Result: 0
Sending report key command: A40000000000000200080000
Returning buffer from report agid command: 0000000000000000
0000000000000000
...
All AGIDs in use, aborting. AGID: -1

4-
Sending report key command: A40000000000000200003F00
Invalidation AGID 0. Result: 0
Sending report key command: A40000000000000200007F00
Invalidation AGID 1. Result: 0
Sending report key command: A4000000000000020000BF00
Invalidation AGID 2. Result: 0
Sending report key command: A4000000000000020000FF00
Invalidation AGID 3. Result: 0
Sending report key command: A40000000000000200080000
Returning buffer from report agid command: 0FF6F2400FEC0F40
0FF6F2400FEC0F40
...
All AGIDs in use, aborting. AGID: -1

5-
Sending report key command: A40000000000000200003F00
Invalidation AGID 0. Result: 0
Sending report key command: A40000000000000200007F00
Invalidation AGID 1. Result: 0
Sending report key command: A4000000000000020000BF00
Invalidation AGID 2. Result: 0
Sending report key command: A4000000000000020000FF00
Invalidation AGID 3. Result: 0
Sending report key command: A40000000000000200080000
Returning buffer from report agid command: 100F507000000000
100F507000000000
...
All AGIDs in use, aborting. AGID: -1

6-
Sending report key command: A40000000000000200003F00
Invalidation AGID 0. Result: 0
Sending report key command: A40000000000000200007F00
Invalidation AGID 1. Result: 0
Sending report key command: A4000000000000020000BF00
Invalidation AGID 2. Result: 0
Sending report key command: A4000000000000020000FF00
Invalidation AGID 3. Result: 0
Sending report key command: A40000000000000200080000
Returning buffer from report agid command: 0FFD9F8000000000
0FFD9F8000000000
...
All AGIDs in use, aborting. AGID: -1

As you can see, the results are strange. Doesn't seem to be working.

Also, The PS3 boots with kboot. After this boot, we can select the kernel we want to run.

Maybe we should run a "sony patch free" kernel just to check. (anybody been able to boot kernel 2.6.20 on a PS3 ?)

Kboot is provided in a 25 meg zip file by sony.
I have never seen a linux install process on the PS3 without it but I'm pretty sure that on any normal PC, either grub or lilo are used, not kboot.

arnezami
20th March 2007, 00:14
Slightly improved version. It now properly cleans the buffer before sending it to the drive:

http://www.sendspace.com/file/e8uo8w

woodspire
20th March 2007, 04:04
Slightly improved version. It now properly cleans the buffer before sending it to the drive:

http://www.sendspace.com/file/e8uo8w

Same inconsistent results.

PepsiLee2001
26th March 2007, 17:51
Dear arnezami,

I got a BDAV blu-ray disc (not BDMV) with AACS protection.

But the file structure of the disc is different from BDMV.

The file structure is shown as below (three files only)

X:\AACS\MKB_RW.info

X:\AACS\AACS_av\CPSUnit00001.cci
X:\AACS\AACS_av\Unit_Key.RW.inf

Is it possible that the next version of aacskeys.exe can get the CPSUnitkey for a BDAV disc?

PepsiLee2001
27th March 2007, 08:45
Dear All,

I tried to compile aacskeys.exe, but some errors happened.

error message:

ioctl.c:8:25: my_ntddscsi.h: No such file or directory
ioctl.c:9:17: sam.h: No such file or directory

ioctl.c:12: parse error before "sptd_sb"
ioctl.c:12: warning: data definition has no type or storage class
ioctl.c: In function `send_cmd':
ioctl.c:95: request for member `sptd' in something not a structure or union
ioctl.c:95: `SCSI_PASS_THROUGH_DIRECT' undeclared (first use in this function)
ioctl.c:95: (Each undeclared identifier is reported only once
ioctl.c:95: for each function it appears in.)
ioctl.c:96: request for member `sptd' in something not a structure or union
ioctl.c:97: request for member `sptd' in something not a structure or union
ioctl.c:98: request for member `sptd' in something not a structure or union
ioctl.c:99: request for member `sptd' in something not a structure or union
ioctl.c:100: request for member `sptd' in something not a structure or union
ioctl.c:100: `MAX_SENSE_LEN' undeclared (first use in this function)
ioctl.c:103: request for member `sptd' in something not a structure or union
ioctl.c:103: `SCSI_IOCTL_DATA_OUT' undeclared (first use in this function)
ioctl.c:104: request for member `sptd' in something not a structure or union
ioctl.c:106: request for member `sptd' in something not a structure or union
ioctl.c:106: `SCSI_IOCTL_DATA_IN' undeclared (first use in this function)
ioctl.c:107: request for member `sptd' in something not a structure or union
ioctl.c:110: request for member `sptd' in something not a structure or union
ioctl.c:110: `SCSI_IOCTL_DATA_UNSPECIFIED' undeclared (first use in this function)
ioctl.c:111: request for member `sptd' in something not a structure or union
ioctl.c:114: request for member `sptd' in something not a structure or union
ioctl.c:115: request for member `sptd' in something not a structure or union
ioctl.c:116: request for member `sptd' in something not a structure or union
ioctl.c:119: request for member `sptd' in something not a structure or union
ioctl.c:121: request for member `SenseBuf' in something not a structure or union
ioctl.c:125: `IOCTL_SCSI_PASS_THROUGH_DIRECT' undeclared (first use in this function)


where can I get the files (my_ntddscsi.h and sam.h)?

arnezami
27th March 2007, 18:20
Dear All,

I tried to compile aacskeys.exe, but some errors happened.

error message:


where can I get the files (my_ntddscsi.h and sam.h)?

Sorry. My bad. In the post I first released the source (http://forum.doom9.org/showthread.php?p=969481#post969481) the extra three .h files (you need for compiling under windows) were still in the rar. So you can take my_ntddscsi.h, sam.h and spc.h from this old rar ;)

Later on I want to release the source properly. Including new features and compatibilities.

BTW: PepsiLee2001 and I just checked whether the Processing Key works for an encrypted BDAV disc: it does :D. So we can already get the Media Key...

arnezami

dirio49
28th March 2007, 04:22
Later on I want to release the source properly. Including new features and compatibilities.
arnezami

Thank you :)

mb2696
29th March 2007, 05:58
what does it mean if the volume id is reported as a string of zeroes? i've been having trouble getting "National Geographic - Relentless Enemies" to work.

any ideas?

thanks

arnezami
29th March 2007, 06:44
what does it mean if the volume id is reported as a string of zeroes? i've been having trouble getting "National Geographic - Relentless Enemies" to work.

any ideas?

thanks

Is it a BD or HD DVD?
What drive do you have?
What operating system?
Are other discs (still) working? Or do you only have one?
Do you get a Media Key and is the decr verif ok?
Do you get a Dcert (in sensitive mode)?
Have you tried any of the vuk keyfinder programs?
Have you tried sniffing the volume id?

A screenshot/copy-paste using the program in verbose mode would also be helpful.

arnezami

mb2696
29th March 2007, 14:32
it is an hd dvd, xbox 360 addon, win xp pro. other discs are working.

when i try to play the disc directly in powerdvd 7.1, it goes into file mode and plays the evo files in sequence. I get no error about system compliance, despite having DVI w/o HDCP (normally get an error). it is only black video and no audio however. eventually it freezes (doesn't crash, just locks up).

anydvd hd is also unable to allow playback and reports the disc as NOT AACS protected.

below is the verbose output of aacskeys for this disc.

Processing key: 09F911029D74E35BD84156C5635688C0
Encrypted C-value: C990975CBD4ADDB666DD661AFE0A1FAC
Corresponding uv: 00000001

Decrypted C-value: A0BC2B16A2AD64D1A3C20FAE26681C0B
Media key: A0BC2B16A2AD64D1A3C20FAE26681C0A

Encrypted verification data: B87D991B8B5E6CF11273D29EB3F5784B
Decr verif data should be: 0123456789ABCDEF
Decrypted verification data: 0123456789ABCDEFD904126F3088DD12

AGID: 00

Host certificate from: Power DVD 7.1
Host certificate (Hcert): 0200005CFFFF0000000C00006E3DEB679B9A16AD
FAA8E30878767BA6EB2A9B415385AD1181B4446C
31E9A5DD2AB808B364FF15885BAC490964318C9B
F8029FCF76F688A54FBDA03F6D9332EF04E5A613
12DA85880A4D9CBB79D8602E
Host Private Key (Hpriv): 4737676058D7029452514F0AB186DC4CCA8C578F
Host Nonce (Hn): 2923BE84E16CD6AE529049F1F1BBE9EBB3A6DB3C

Drive certificate (Dcert): ########################################
########################################
########################################
########################################
########################
Drive Nonce (Dn): ########################################

Drive key point (Dv): ########################################
########################################
Drive key signature (Dsig): ########################################
########################################

Host key (Hk): 0000000000000000000000000000000000000000
Host key point (Hv): 8E9B0E3CF41FA7DA3A829F604122EA4ED5261AA4
7570CE0BB9061A66FAF92C4A7D98ACC171CBF19B
Host key signature (Hsig): ########################################
########################################

Drive signature wrong/error
Bus key (BK): ################################

Volume ID: 00000000000000000000000000000000
Voluem ID MAC: ################################

Volume Unique Key: DF467CB369CCBC93D6792BED0098E966
Title Key File MAC: 6E11DD594198CF674FBE74B9664EE80F


arcsyn
29th March 2007, 22:44
Forgive me for being an idiot, but will this tool still work if there is a new set of AACS keys coming out next month?

Will this tool still give us the information needed to make backups, or does this program rely on something they can revoke?

dirio49
30th March 2007, 03:21
I think if they change the key, then a new version of the tool will have to be compiled with the new keys. But first we have to find the new key ;)

SBeaver
30th March 2007, 21:14
I think if they change the key, then a new version of the tool will have to be compiled with the new keys. But first we have to find the new key ;)

It would probably be best to keep this key secret until all the delayed releases start flowing, otherwise they will just change it again.
I'm guessing all software players to date will be pulled and they will force upgrades on everyone, or at least a patch that makes them more secure.
I believe it's all the better that they get this change out ASAP so that they rush it and hopefully make mistakes.
Change the keys, give us BD+, do it all.
Then they have played all their cards and have nothing left to fall back on.

mb2696
30th March 2007, 22:36
so is this a result of a key revoke?

Fahzuu
31st March 2007, 00:46
when i try to play the disc directly in powerdvd 7.1, it goes into file mode and plays the evo files in sequence. I get no error about system compliance, despite having DVI w/o HDCP (normally get an error). it is only black video and no audio however. eventually it freezes (doesn't crash, just locks up).

anydvd hd is also unable to allow playback and reports the disc as NOT AACS protected.

I have a similar effect with another disc - checked the communication over the bus, the drive in fact reports the disc to be not AACS protected, even though it is.
Probably a mastering error and that's why PowerDVD is unable to decrypt - because it doesn't even try, it just blindly plays the encrypted video data...

mb2696
31st March 2007, 00:51
I have a similar effect with another disc - checked the communication over the bus, the drive in fact reports the disc to be not AACS protected, even though it is.
Probably a mastering error and that's why PowerDVD is unable to decrypt - because it doesn't even try, it just blindly plays the encrypted video data...

hmmm...others are able to play it on standalone players. if it's a mastering error wouldn't it affect all discs?

arnezami
31st March 2007, 09:05
For mb2696.

These questions aren't answered yet:

Do you get a Dcert (in sensitive mode)?
Have you tried any of the vuk keyfinder programs?
Have you tried sniffing the volume id?

Other questions:

- What MKB version is on it? My MKBROM starts with 1000000C000410030000000121000034 (using WinHex). Meaning my MKB version is 1 and the length of the HRL is 34h. If any of this is different then it's important.
- Does it play with any software player on any other PC system? Does your disc (not similar discs) work on standalones? Do similar discs (same title) work on your PC?
- Have you tried to demux the files to see if it contains streams or whatever? Using the original files on the disc.
- Are you absolutely sure your other discs/movies are still working? And does aacskeys give volume ids for these movies?
- Is it by any chance a recordable? Be sure.

hmmm...others are able to play it on standalone players. if it's a mastering error wouldn't it affect all discs?

What do you mean by "it"? Your disc or a similar disc? It is possible your disc is damaged/badly pressed somehow so the volume id cannot be retrieved. In that case if we can find somebody with the same title then he could retrieve the VUK and you might be able to decrypt it. Alternatively we could guess the volume id (tricky but maybe possible :)).

The strange thing is there is a "Drive signature wrong/error" in your report. This means the drive either doesn't see the need for AACS-Auth (as in: it's a recordable or non-encrypted/damaged disc) or it has revoked the Hcert (of PowerDVD 7.1). But if it has revoked it then other discs shouldn't work either anymore. Unless your drive "forgets" it (which strangely would in itself be great).

Anyway. Something doesn't seem to add up here ;).

[edit] Just had an idea. Use KenD00's dumpvid (http://forum.doom9.org/attachment.php?attachmentid=6824&d=1171837753) (the exe is in the Release dir). It will dump the bca (Burst Cutting Area) of the disc and this should reveal half of the Volume ID :D. (you don't have to do the hammering stuff btw). We will know much more when we have that.

Regards,

arnezami

PS. A Dcert starts with 01. If not then it's garbage data.
PPS. There is another possibility: they didn't want this title to be playable on a PC. Hmmm.....

arnezami
31st March 2007, 09:06
I have a similar effect with another disc - checked the communication over the bus, the drive in fact reports the disc to be not AACS protected, even though it is.
Probably a mastering error and that's why PowerDVD is unable to decrypt - because it doesn't even try, it just blindly plays the encrypted video data...

Which movie? Release date? How did you see it was not being identified as AACS protected using the bus?

Jedi_Vader20
1st April 2007, 09:28
Running Yellow Dog 5.0 PS3 on my PAL PlayStation3, Firmware 1.60.

Under both kernel 2.6.16 and the same with the UDF 2.50 patch, I get the following output when attempting to run the most recent posted aacstiny in the thread:

[root@playstation3 aacstiny]# ./aacstiny /dev/cdrom
Sending report key command: A40000000000000200003F00
Invalidation AGID 0. Result: 0
Sending report key command: A40000000000000200007F00
Invalidation AGID 1. Result: 0
Sending report key command: A4000000000000020000BF00
Invalidation AGID 2. Result: 0
Sending report key command: A4000000000000020000FF00
Invalidation AGID 3. Result: 0
Sending report key command: A40000000000000200080000
Returning buffer from report agid command: 0FF6F2400FEC0F40
All AGIDs in use, aborting. AGID: -1


aacstiny compiled with no warnings or errors. The movie I'm attempting this against is xXx, PAL release Blu-Ray.

Boing99
1st April 2007, 22:53
I ran some very similar tests on my PS3 a few weeks ago and can comment on some of the results posted here.

First some preliminaries:

2.6.16 is the correct kernel to use, as it contains Sony's own drivers and modifications. 2.6.20 is an (incomplete) effort by the regular kernel maintainers to merge those changes back into the regular kernel source tree and integrate them with existing drivers. That effort is still work in progress and the kernel does not boot on PS3 yet.

The UDF-2.5 patch is completely unrelated to any PS3 changes or drivers and not needed if all you want to do is send SCSI commands to the drive (to extract volume ids etc.). It IS needed if you want to mount a Blu-ray volume to get access to the files on it, for decryption. Without the patch you can simply send SCSI commands directly to the underlying device. For most setups (including PS3) that is "/dev/sr0".

Now about my actual tests, run on Gentoo (not YDL), using a 64-bit kernel and userland:

I used SG_IO instead of CDROM_SEND_PACKET in the ioctl. I am not sure this made a difference, but it seems to me that SG_IO is a lower-level request closer to the ATAPI layer, with better diagnostics and it may arguably have a better chance of not having its data modified or misinterpreted by the CD-ROM driver layer.

The first thing I tried is sending ordinary SCSI commands to the drive to ensure that the ATAPI transport through the Hypervisor works correctly. INQUIRY works fine and returns meaningful results, as does GET_CONFIGURATION, so we know the ATAPI layer works. This also very likely rules out any problems regarding sync vs. async I/O, timing, buffer management, Hypervisor API access etc.

Interesting info here: The "Vendor info" and "Identification" fields in INQUIRY return "PS-SYSTEM <serial number>". I think this is fairly unusual because typically, even for standalones, those fields report the OEM manufacturer of the drive. For example the X-Box-360 HD drive simply returns "TOSHIBA <something>". I might have expected "SONY" here, but not "PS-SYSTEM". The "PS-SYSTEM" response to me suggests that either Sony used a special drive built in-house exclusively for the PS3, without any intent to ever use it in standalone Blu-ray players (probably unlikely), or that the Hypervisor intercepted INQUIRY and responded on behalf of the drive. If it is the latter then it's bad news because it would suggest that the Hypervisor does filter SCSI commands one by one, which would explain the problems with AACS commands.

Next I tried the usual AACS SCSI commands, and all of them returned driver_status=7 (hard error) and sense_key=5 (ILLEGAL_REQUEST). That seemed strange to me at first (the part about this being reported in driver_status instead of host_status), because the driver is supposed to handle different SCSI commands transparently. The explanation is in the Sony driver in the kernel sources. ps3pf_storage.c contains a table of supported SCSI commands, and maps them to Hypervisor calls. Except for REQUEST_SENSE, READ and WRITE, which have their own handling, probably for optimization purposes, all other listed commands are forwarded to the same single Hypervisor call. Commands not in the table generate the above-mentioned error. Of course AACS commands were not in the list...

So I added A3, A4 and AD to the list and in the process noticed that the PS3 ATAPI layer does not support 12-byte SCSI commands, only 6-byte, 10-byte and CDDA-FRAME-RAW, so I ended up adding support for 12-byte commands, too, since that is the format of AACS commands. Three small changes and a kernel recompilation and reboot later...

The AACS commands still fail: now driver_status is 0 (ok), but host_status=7 (error) and, strangely enough, I get a zeroed-out sense buffer.

I am not sure what to make of this. The empty sense buffer seems strange and suggests that the problem is probably not with the drive, but more likely either with using 12-byte SCSI commands through the Hypervisor (which it might not support) or with the Hypervisor blocking the request explicitly and not even bothering to set its sense buffer properly. Add to that the fact that REQUEST_SENSE is treated differently in the driver than other commands (which may well account for the empty sense buffer here), and this whole problem more and more looks like a Hypervisor issue to me -- meaning, the Hypervisor probably blocks these requests intentionally, without any chance to bypass this in a Linux kernel.

The next step would be to add diagnostic code in the driver around the Hypervisor calls to try and get more meaningful error codes out of the Hypervisor than just an empty sense buffer, and to log them... I probably won't have the time to dig into this deeper any time soon though.

arnezami
1st April 2007, 23:16
Thanks very much, Boing99. That's quite enlightening information. That's worth an awful lot :).

It seems now though (more likely than ever) that a Hypervisor hack is needed to ever retrieve Volume IDs from a PS3. :(

arnezami

dito
2nd April 2007, 01:26
IBM Cell BE Software Development Kit 2.1 is out with Linux kernel to 2.6.20, http://www6.software.ibm.com/sdfdl/1v2/regs2/awadmin/cellsw/Xa.2/Xb.bCxnaYZiaXdlJSEfHwej7ZthLvSZss8BC7HE_Sc/Xc.CellSDK21.iso/Xd./Xf.Ltr./Xg.3819903/Xi.cellsw/XY.regsrvs/XZ.uwvNY90x6fvw1vHmT0-h0agjD5I/CellSDK21.iso

Best regards!

mb2696
2nd April 2007, 05:41
For mb2696.

These questions aren't answered yet:


Other questions:

- What MKB version is on it? My MKBROM starts with 1000000C000410030000000121000034 (using WinHex). Meaning my MKB version is 1 and the length of the HRL is 34h. If any of this is different then it's important.
- Does it play with any software player on any other PC system? Does your disc (not similar discs) work on standalones? Do similar discs (same title) work on your PC?
- Have you tried to demux the files to see if it contains streams or whatever? Using the original files on the disc.
- Are you absolutely sure your other discs/movies are still working? And does aacskeys give volume ids for these movies?
- Is it by any chance a recordable? Be sure.



What do you mean by "it"? Your disc or a similar disc? It is possible your disc is damaged/badly pressed somehow so the volume id cannot be retrieved. In that case if we can find somebody with the same title then he could retrieve the VUK and you might be able to decrypt it. Alternatively we could guess the volume id (tricky but maybe possible :)).

The strange thing is there is a "Drive signature wrong/error" in your report. This means the drive either doesn't see the need for AACS-Auth (as in: it's a recordable or non-encrypted/damaged disc) or it has revoked the Hcert (of PowerDVD 7.1). But if it has revoked it then other discs shouldn't work either anymore. Unless your drive "forgets" it (which strangely would in itself be great).

Anyway. Something doesn't seem to add up here ;).

[edit] Just had an idea. Use KenD00's dumpvid (http://forum.doom9.org/attachment.php?attachmentid=6824&d=1171837753) (the exe is in the Release dir). It will dump the bca (Burst Cutting Area) of the disc and this should reveal half of the Volume ID :D. (you don't have to do the hammering stuff btw). We will know much more when we have that.

Regards,

arnezami

PS. A Dcert starts with 01. If not then it's garbage data.
PPS. There is another possibility: they didn't want this title to be playable on a PC. Hmmm.....


-In sensitive mode, the Dcert is reported as a string of zeros (but not for other discs).

-i am not able to get a vuk by any means

-the mkb ver is the same "1000000C000410030000000121000034"

-i don't have a standalone to test my disc on. i'm getting a replacement disc to see if it's bad

-it's definitely not recordable

-i'm sure my other discs are working now

-evo demux reports a vc-1, dd+, and subpicture stream when reading the feature evo

-here is the result of dumpvid:
DumpVID 0.3 by KenD00

Drive type is recognised as CDROM/DVD.

Sending SPC1 Test Unit CDB6 command..done.
Returned good status.

Reading BCA...
Reading Copyright Data Section...
Sense data, key:ASC:ASCQ: 05:30:02
Aborting process.
Dump failed from drive h:

arnezami
2nd April 2007, 06:58
-In sensitive mode, the Dcert is reported as a string of zeros (but not for other discs).

-i am not able to get a vuk by any means

-the mkb ver is the same "1000000C000410030000000121000034"

-i don't have a standalone to test my disc on. i'm getting a replacement disc to see if it's bad

-it's definitely not recordable

-i'm sure my other discs are working now

-evo demux reports a vc-1, dd+, and subpicture stream when reading the feature evo

-here is the result of dumpvid:
DumpVID 0.3 by KenD00

Drive type is recognised as CDROM/DVD.

Sending SPC1 Test Unit CDB6 command..done.
Returned good status.

Reading BCA...
Reading Copyright Data Section...
Sense data, key:ASC:ASCQ: 05:30:02
Aborting process.
Dump failed from drive h:

Ok. No new MKB version and no different Host Revocation List means nothing is revoked here. The files are not (completely) corrupted since the demuxer still sees streams (I'm not sure if this means it's not encrypted; you would have to try to play any of the demuxed files).

Did the dumpvid create a bca.bin file btw? And if so is there anything in it?

It sounds to me like this disc is either damaged or badly made or was created in such a way it won't play on a PC based system. Or for some reason your drive can't handle it.

Anyway I will be interested to know if the replacement works. :)

Regards,

arnezami

HyperHacker
2nd April 2007, 08:18
it's definitely not recordable
Are you sure? It could be a fake or something.

mb2696
2nd April 2007, 15:54
Are you sure? It could be a fake or something.

i bought it from amazon.com, i doubt it

it also has a barcode on the inner hub

mb2696
2nd April 2007, 15:58
...

Did the dumpvid create a bca.bin file btw? And if so is there anything in it?

...

Here's the entire contents of the bca.bin:

10011104481200001002100840000115
20072036000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
000000000000000000000000

mb2696
2nd April 2007, 16:12
This thread may have some important info, near the bottom about basic/advanced authoring mode and firmware:

http://www.avsforum.com/avs-vb/showthread.php?t=826140

awhitehead
2nd April 2007, 16:56
Here's the entire contents of the bca.bin:

10011104481200001002100840000115
20072036000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
000000000000000000000000

Looks like we are dealing with the date code volume ID again:
40 00 01 15 20 07 20 36

Jan 15 2007? 20:36?
What are the date and timestamps on the files on the disk itself?

mb2696
2nd April 2007, 17:57
Looks like we are dealing with the date code volume ID again:
40 00 01 15 20 07 20 36

Jan 15 2007? 20:36?
What are the date and timestamps on the files on the disk itself?

file date is 01/16/07 01:25:17

arnezami
2nd April 2007, 18:46
Here's the entire contents of the bca.bin:

10011104481200001002100840000115
20072036000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
000000000000000000000000

Hehe ;).

There is one half of a Volume ID in there :). And since we already know/can guess which form this one is the following will probably work...

Use mkb.exe (http://forum.doom9.org/showthread.php?p=953496#post953496) in the following way:

mkb h:\AACS\MKBROM.AACS 40000115200720360020202020200000

Where h should be your drive letter.

You should get a VUK and with that key you should be able to decrypt your disc using your favorite decrypter :D.

Tell us if it works.

Regards,

arnezami

mb2696
2nd April 2007, 18:59
when i decrypt using the resulting vuk, i get video with only black screen and no audio, eventually crashing pdvd 7.1

the validatevuk tool also says its not valid.

arnezami
2nd April 2007, 19:06
when i decrypt using the resulting vuk, i get video with only black screen and no audio, eventually crashing pdvd 7.1

the validatevuk tool also says its not valid.

Hmmm. I'm not sure how sensitive these programs are but did you remove the white spaces and make it all capitals? And you didn't make a typo when using mkb.exe (be sure)? Best to try with validatevuk.

Could you give a screenshot/copy paste of what mkb.exe is giving?

arnezami

[edit]also try these:
mkb h:\AACS\MKBROM.AACS 40000115200720360000000000000000
mkb h:\AACS\MKBROM.AACS 00000000000000000000000000000000

mb2696
2nd April 2007, 21:28
Could you give a screenshot/copy paste of what mkb.exe is giving?


here are each of the three you asked me to try. none could be verified with validatevuk.

>mkb.exe h:\AACS\MKBROM.AACS 40000115200720360020202020200000
Skipped section 10
Skipped section 21
Skipped section 20
Found Verification Data
Skipped section 7f
Skipped section 07
Found Explicit Subset Difference (514 records)
Found Media Key Data (513 records)
Media Key found at index 0!
a0 bc 2b 16 a2 ad 64 d1 a3 c2 0f ae 26 68 1c 0a
VUK: 4e 77 31 f8 1a 28 63 a1 9a 30 49 35 c5 79 f2 d2

>mkb.exe h:\AACS\MKBROM.AACS 40000115200720360000000000000000
Skipped section 10
Skipped section 21
Skipped section 20
Found Verification Data
Skipped section 7f
Skipped section 07
Found Explicit Subset Difference (514 records)
Found Media Key Data (513 records)
Media Key found at index 0!
a0 bc 2b 16 a2 ad 64 d1 a3 c2 0f ae 26 68 1c 0a
VUK: cb db 1a 22 49 8e 95 6b c2 34 f9 09 7d 34 d8 82

>mkb.exe h:\AACS\MKBROM.AACS 00000000000000000000000000000000
Skipped section 10
Skipped section 21
Skipped section 20
Found Verification Data
Skipped section 7f
Skipped section 07
Found Explicit Subset Difference (514 records)
Found Media Key Data (513 records)
Media Key found at index 0!
a0 bc 2b 16 a2 ad 64 d1 a3 c2 0f ae 26 68 1c 0a
VUK: df 46 7c b3 69 cc bc 93 d6 79 2b ed 00 98 e9 66

mb2696
2nd April 2007, 21:30
Could you give a screenshot/copy paste of what mkb.exe is giving?


here are each of the three you asked me to try. none could be verified with validatevuk (i'm sure i entered them properly).

>mkb.exe h:\AACS\MKBROM.AACS 40000115200720360020202020200000
Skipped section 10
Skipped section 21
Skipped section 20
Found Verification Data
Skipped section 7f
Skipped section 07
Found Explicit Subset Difference (514 records)
Found Media Key Data (513 records)
Media Key found at index 0!
a0 bc 2b 16 a2 ad 64 d1 a3 c2 0f ae 26 68 1c 0a
VUK: 4e 77 31 f8 1a 28 63 a1 9a 30 49 35 c5 79 f2 d2

>mkb.exe h:\AACS\MKBROM.AACS 40000115200720360000000000000000
Skipped section 10
Skipped section 21
Skipped section 20
Found Verification Data
Skipped section 7f
Skipped section 07
Found Explicit Subset Difference (514 records)
Found Media Key Data (513 records)
Media Key found at index 0!
a0 bc 2b 16 a2 ad 64 d1 a3 c2 0f ae 26 68 1c 0a
VUK: cb db 1a 22 49 8e 95 6b c2 34 f9 09 7d 34 d8 82

>mkb.exe h:\AACS\MKBROM.AACS 00000000000000000000000000000000
Skipped section 10
Skipped section 21
Skipped section 20
Found Verification Data
Skipped section 7f
Skipped section 07
Found Explicit Subset Difference (514 records)
Found Media Key Data (513 records)
Media Key found at index 0!
a0 bc 2b 16 a2 ad 64 d1 a3 c2 0f ae 26 68 1c 0a
VUK: df 46 7c b3 69 cc bc 93 d6 79 2b ed 00 98 e9 66

arnezami
2nd April 2007, 22:03
Ok. I think I'm running out of ideas now. There really seems to be a problem with this disc and the xbox 360 HD DVD drive. Maybe there is something wrong with the way the protected area is stored on the disc (which is if I remember correctly stored with a different pit width/length) and therefore not readable by all HD DVD drives.

Btw this may be related: http://slashdot.org/articles/07/04/02/1126209.shtml

arnezami

HyperHacker
3rd April 2007, 05:38
Well, if even authorized players aren't able to read the disc, I suspect we won't get very far either. Unless they've simply been revoked, but that doesn't seem to be the case.

PepsiLee2001
3rd April 2007, 09:34
Dear All,

I am trying to compile aacskey on the Windows platform, but something is wrong.

Please give me a hand......


System environment:
OS : WinXP Pro
OpenSSL : 0.9.8e
MinGW : 3.4.2 (details as follows)
mingw-runtime-3.12.tar.gz
w32api-3.9.tar.gz
binutils-2.16.91-20060119-1.tar.gz
gcc-core-3.4.2-20040916-1.tar.gz
gcc-g++-3.4.2-20040916-1.tar.gz
mingw32-make-3.81-2.tar.gz


Path:
aacskey source : d:\aacskey
MinGW : D:\MinGW
OpenSSL library : D:\aacskey\lib (static link library files-->libcrypto.a & libssl.a)

command 1: gcc -o aacskeys -lcrypto -L./lib aes.c ecdsa.c ioctl.c mmc.c aacskeys.c
D:\aacskey>gcc -o aacskeys -lcrypto -L./lib aes.c ecdsa.c ioctl.c mmc.c aacskeys.c
ecdsa.c: In function `aacs_set_cert':
ecdsa.c:29: warning: initialization discards qualifiers from pointer target type
ecdsa.c: In function `aacs_sign':
ecdsa.c:67: warning: comparison between pointer and integer
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/ccV3caaa.o:aes.c:(.text+0x22): undefined reference to `AES_set_decrypt_key'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/ccV3caaa.o:aes.c:(.text+0x3e): undefined reference to `AES_decrypt'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/ccV3caaa.o:aes.c:(.text+0xba): undefined reference to `AES_set_decrypt_key'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/ccV3caaa.o:aes.c:(.text+0xd6): undefined reference to `AES_decrypt'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/ccV3caaa.o:aes.c:(.text+0x103): undefined reference to `AES_set_decrypt_key'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/ccV3caaa.o:aes.c:(.text+0x11f): undefined reference to `AES_decrypt'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/ccV3caaa.o:aes.c:(.text+0x17d): undefined reference to `AES_set_decrypt_key'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/ccV3caaa.o:aes.c:(.text+0x199): undefined reference to `AES_decrypt'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x7): undefined reference to `EC_KEY_new'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x33): undefined reference to `EC_KEY_set_group'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x4c): undefined reference to `EC_KEY_free'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x7e): undefined reference to `EC_KEY_get0_group'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0xc3): undefined reference to `BN_bin2bn'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0xf6): undefined reference to `BN_bin2bn'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x113): undefined reference to `EC_POINT_new'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x14d): undefined reference to `EC_POINT_set_affine_coordinates_GFp'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x165): undefined reference to `BN_clear_free'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x170): undefined reference to `BN_clear_free'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x182): undefined reference to `EC_KEY_set_public_key'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x1ef): undefined reference to `BN_hex2bn'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x209): undefined reference to `EC_KEY_set_private_key'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x217): undefined reference to `EVP_ecdsa'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x226): undefined reference to `EVP_DigestInit'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x240): undefined reference to `EVP_DigestUpdate'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x25a): undefined reference to `EVP_DigestUpdate'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x273): undefined reference to `EVP_DigestFinal_ex'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x28c): undefined reference to `ECDSA_do_sign'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x2a3): undefined reference to `BN_bn2bin'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x2c2): undefined reference to `BN_bn2bin'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x2e7): undefined reference to `ECDSA_SIG_free'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x2f8): undefined reference to `EC_KEY_free'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x340): undefined reference to `EVP_ecdsa'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x34f): undefined reference to `EVP_DigestInit'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x369): undefined reference to `EVP_DigestUpdate'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x383): undefined reference to `EVP_DigestUpdate'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x39c): undefined reference to `EVP_DigestFinal_ex'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x3a1): undefined reference to `ECDSA_SIG_new'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x3c6): undefined reference to `BN_bin2bn'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x3ea): undefined reference to `BN_bin2bn'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x410): undefined reference to `ECDSA_do_verify'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x424): undefined reference to `ECDSA_SIG_free'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x435): undefined reference to `EC_KEY_free'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x509): undefined reference to `BN_CTX_new'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x53e): undefined reference to `ERR_put_error'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x548): undefined reference to `BN_new'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x556): undefined reference to `BN_new'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x564): undefined reference to `BN_new'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x572): undefined reference to `BN_new'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x580): undefined reference to `BN_new'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x58e): more undefined references to `BN_new' follow
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x5c3): undefined reference to `ERR_put_error'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x5da): undefined reference to `BN_dec2bn'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x5f3): undefined reference to `BN_dec2bn'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x60c): undefined reference to `BN_dec2bn'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x63c): undefined reference to `ERR_put_error'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x661): undefined reference to `EC_GROUP_new_curve_GFp'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x696): undefined reference to `ERR_put_error'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x6a6): undefined reference to `EC_POINT_new'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x6db): undefined reference to `ERR_put_error'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x6f5): undefined reference to `BN_dec2bn'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x70e): undefined reference to `BN_dec2bn'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x73e): undefined reference to `ERR_put_error'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x76a): undefined reference to `EC_POINT_set_affine_coordinates_GF2m'

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x79a): undefined reference to `ERR_put_error'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x7b4): undefined reference to `BN_dec2bn'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x7cb): undefined reference to `BN_set_word'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x7fb): undefined reference to `ERR_put_error'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x81d): undefined reference to `EC_GROUP_set_generator'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x84d): undefined reference to `ERR_put_error'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x867): undefined reference to `EC_GROUP_free'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x87f): undefined reference to `EC_POINT_free'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x890): undefined reference to `BN_CTX_free'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x8a1): undefined reference to `BN_free'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x8b2): undefined reference to `BN_free'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x8c3): undefined reference to `BN_free'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x8d4): undefined reference to `BN_free'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x8e5): undefined reference to `BN_free'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x8f6): more undefined references to `BN_free' follow
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cczOeaaa.o:aacskeys.c:(.text+0x9e2): undefined reference to `ERR_load_crypto_strings'
collect2: ld returned 1 exit status


command 2: gcc -o aacskeys aes.c ecdsa.c ioctl.c mmc.c aacskeys.c -lcrypto -L./lib
D:\aacskey>gcc -o aacskeys aes.c ecdsa.c ioctl.c mmc.c aacskeys.c -lcrypto -L./lib
ecdsa.c: In function `aacs_set_cert':
ecdsa.c:29: warning: initialization discards qualifiers from pointer target type
ecdsa.c: In function `aacs_sign':
ecdsa.c:67: warning: comparison between pointer and integer
./lib/libcrypto.a(rand_win.o):rand_win.c:(.text+0xa0c): undefined reference to `CreateDCA@16'
./lib/libcrypto.a(rand_win.o):rand_win.c:(.text+0xa19): undefined reference to `CreateCompatibleDC@4'
./lib/libcrypto.a(rand_win.o):rand_win.c:(.text+0xa2a): undefined reference to `GetDeviceCaps@8'
./lib/libcrypto.a(rand_win.o):rand_win.c:(.text+0xa3a): undefined reference to `GetDeviceCaps@8'
./lib/libcrypto.a(rand_win.o):rand_win.c:(.text+0xa50): undefined reference to `CreateCompatibleBitmap@12'
./lib/libcrypto.a(rand_win.o):rand_win.c:(.text+0xa5e): undefined reference to `SelectObject@8'
./lib/libcrypto.a(rand_win.o):rand_win.c:(.text+0xa70): undefined reference to `GetObjectA@12'
./lib/libcrypto.a(rand_win.o):rand_win.c:(.text+0xae1): undefined reference to `BitBlt@36'
./lib/libcrypto.a(rand_win.o):rand_win.c:(.text+0xaeb): undefined reference to `GetBitmapBits@12'
./lib/libcrypto.a(rand_win.o):rand_win.c:(.text+0xb42): undefined reference to `SelectObject@8'
./lib/libcrypto.a(rand_win.o):rand_win.c:(.text+0xb49): undefined reference to `DeleteObject@4'
./lib/libcrypto.a(rand_win.o):rand_win.c:(.text+0xb53): undefined reference to `DeleteDC@4'
./lib/libcrypto.a(rand_win.o):rand_win.c:(.text+0xb5d): undefined reference to `DeleteDC@4'
collect2: ld returned 1 exit status


My questions:
1. Which command is correct?

2. If command 2 is correct, which library is missing?

PS: The OpenSSL library files were compiled successfully on the same platform (MinGW).

mb2696
5th April 2007, 18:10
Ok. I think I'm running out of ideas now. There really seems to be a problem with this disc and the xbox 360 HD DVD drive. Maybe there is something wrong with the way the protected area is stored on the disc (which is if I remember correctly stored with a different pit width/length) and therefore not readable by all HD DVD drives.

Btw this may be related: http://slashdot.org/articles/07/04/02/1126209.shtml

arnezami


got my replacement disc today...same problem.

also tried playback with pdvd6.5 which reports "A disc with an unsupported format in drive H:"

additionally, according to these reviews there appears to be problems on other players as well:
http://www.amazon.com/National-Geographic-Relentless-Enemies-DVD/dp/B000MQCULO

QuePaso
5th April 2007, 23:32
I am hoping we will see a version that works on the PS3 soon!

zeroprobe
9th April 2007, 14:09
Going to try Ubuntu 7.04 beta as I think it ships with the 2.6.20 kernel. Will give this a go to see if it works.

arnezami
10th April 2007, 09:38
what does it mean if the volume id is reported as a string of zeroes? i've been having trouble getting "National Geographic - Relentless Enemies" to work.

any ideas?

thanks

Please try the new vid.exe (http://www.ingenieria-inversa.cl/files/vid.rar) and see what it returns (mirror (http://www.sendspace.com/file/g25nhb)).

arnezami

mb2696
12th April 2007, 18:03
Please try the new vid.exe (http://www.ingenieria-inversa.cl/files/vid.rar) and see what it returns (mirror (http://www.sendspace.com/file/g25nhb)).

arnezami


still zeroes...

i also patched my fw as soon as you released it the other day, still unable to read it. it looks like this disc may not have been authored properly, as other standalone players are having trouble as well. it's supposed to be fixed with a firmware update in May?

here's my output w/ patch (i AM able to get the vid from other discs with this patch/technique):

>set PLSCSI=\\.\G:

>plscsi.exe -v -x "AD 00 00 00 00 00 00 80 00 24 00 00" -i x24
x 00000000 AD 00 00:00:00:00 00 80:00:24:00 00 .. .. .. .. "-@@@@@@@@$@@"
x 00000000 AE:AE:AE:AE AE:AE:AE:AE AE:AE:AE:AE AE:AE:AE:AE "................"
x 00000010 AE:AE:AE:AE AE:AE:AE:AE AE:AE:AE:AE AE:AE:AE:AE "................"
x 00000020 AE:AE:AE:AE .. .. .. .. .. .. .. .. .. .. .. .. "...."
x 00000000 70:00:05:00 00:00:00:0A 00:00:00:00 6F:01 .. .. "p@E@@@@J@@@@oA"
// x 5 6F 01 sense // x24 (36) residue
// -x0102 = -258 = plscsi.main exit int

>
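
Added example, not part of the original posts: the DumpVID and plscsi outputs above report their failures as SCSI sense data (the triple 05:30:02, and the raw bytes 70:00:05:00 ... 6F:01). This C program decodes fixed-format sense data and tells a real sense block apart from a zeroed buffer like the one in the PS3 report; the function names and the short ASC/ASCQ table are this example's own, with the texts taken from the standard SCSI code assignments.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum sense_status { SENSE_OK, SENSE_EMPTY, SENSE_UNSUPPORTED, SENSE_TRUNCATED };

struct sense_info {
    int deferred;   /* 1 for response code 0x71 (deferred error) */
    uint8_t key;    /* sense key: low nibble of byte 2 */
    uint8_t asc;    /* additional sense code: byte 12 */
    uint8_t ascq;   /* additional sense code qualifier: byte 13 */
};

static const char *const key_names[16] = {
    "NO SENSE", "RECOVERED ERROR", "NOT READY", "MEDIUM ERROR",
    "HARDWARE ERROR", "ILLEGAL REQUEST", "UNIT ATTENTION", "DATA PROTECT",
    "BLANK CHECK", "VENDOR SPECIFIC", "COPY ABORTED", "ABORTED COMMAND",
    "(obsolete)", "VOLUME OVERFLOW", "MISCOMPARE", "(reserved)"
};

struct asc_entry { uint8_t asc, ascq; const char *text; };

/* Deliberately short: the codes seen in this thread plus close neighbours. */
static const struct asc_entry asc_table[] = {
    {0x20, 0x00, "INVALID COMMAND OPERATION CODE"},
    {0x24, 0x00, "INVALID FIELD IN CDB"},
    {0x30, 0x02, "CANNOT READ MEDIUM - INCOMPATIBLE FORMAT"},
    {0x6F, 0x00, "COPY PROTECTION KEY EXCHANGE FAILURE - AUTHENTICATION FAILURE"},
    {0x6F, 0x01, "COPY PROTECTION KEY EXCHANGE FAILURE - KEY NOT PRESENT"},
    {0x6F, 0x02, "COPY PROTECTION KEY EXCHANGE FAILURE - KEY NOT ESTABLISHED"},
};

const char *sense_key_name(uint8_t key) { return key_names[key & 0x0F]; }

const char *asc_text(uint8_t asc, uint8_t ascq)
{
    size_t i;
    for (i = 0; i < sizeof asc_table / sizeof asc_table[0]; i++)
        if (asc_table[i].asc == asc && asc_table[i].ascq == ascq)
            return asc_table[i].text;
    return "(not in this table)";
}

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Convert plscsi-style hex ("70:00:05:00 00:...") to bytes.
 * Returns the byte count, or -1 on malformed input or overflow. */
int hex_to_bytes(const char *s, uint8_t *out, size_t cap)
{
    size_t n = 0;
    while (*s) {
        int hi, lo;
        if (*s == ':' || *s == ' ') { s++; continue; }
        hi = hexval((unsigned char)s[0]);
        lo = (hi < 0) ? -1 : hexval((unsigned char)s[1]);
        if (hi < 0 || lo < 0 || n >= cap) return -1;
        out[n++] = (uint8_t)((hi << 4) | lo);
        s += 2;
    }
    return (int)n;
}

enum sense_status parse_fixed_sense(const uint8_t *buf, size_t len,
                                    struct sense_info *out)
{
    size_t i, avail;
    memset(out, 0, sizeof *out);
    for (i = 0; i < len && buf[i] == 0; i++)
        ;
    if (i == len) return SENSE_EMPTY;          /* nothing was ever written */
    if ((buf[0] & 0x7F) != 0x70 && (buf[0] & 0x7F) != 0x71)
        return SENSE_UNSUPPORTED;              /* descriptor format or junk */
    if (len < 8) return SENSE_TRUNCATED;
    avail = 8u + buf[7];                       /* byte 7: additional length */
    if (avail > len) avail = len;              /* capture may be shorter */
    out->deferred = (buf[0] & 0x7F) == 0x71;
    out->key = buf[2] & 0x0F;
    if (avail < 14) return SENSE_TRUNCATED;    /* key valid, ASC/ASCQ absent */
    out->asc = buf[12];
    out->ascq = buf[13];
    return SENSE_OK;
}

int main(void)
{
    /* Sense bytes copied from the plscsi output posted in the thread. */
    const char *dump = "70:00:05:00 00:00:00:0A 00:00:00:00 6F:01";
    uint8_t buf[32], zero[14] = {0};
    struct sense_info si;
    int n = hex_to_bytes(dump, buf, sizeof buf);

    if (n > 0 && parse_fixed_sense(buf, (size_t)n, &si) == SENSE_OK)
        printf("plscsi : %s, %02X/%02X %s\n", sense_key_name(si.key),
               si.asc, si.ascq, asc_text(si.asc, si.ascq));
    /* DumpVID already printed key:ASC:ASCQ as 05:30:02. */
    printf("DumpVID: %s, 30/02 %s\n", sense_key_name(0x05), asc_text(0x30, 0x02));
    /* A buffer that was never filled in, as in the PS3 report. */
    if (parse_fixed_sense(zero, sizeof zero, &si) == SENSE_EMPTY)
        puts("zeroed : no sense data was written, so it says nothing about the drive");
    return 0;
}
```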

arnezami
15th April 2007, 10:11
Ok. I'm quite busy extending/improving aacskeys. :)

My new version now uses a proper Hk/Hv combination and supports Bus Key calculation (which was quite some work) and because of that it now supports Volume ID MACs (for both BD and HD DVD). It also supports TKF MAC now (for checking if a VUK is correct, which is a HD-DVD-only feature btw). It also outputs the SHA-1 hash of the Title Key File (or CPS Unit Key file for BD according to new specs by KenD00's decrypter).

I'm still in the process of putting the Processing/Device Key(s) and Host Private Key(s) into editable text files and letting the program figure out which keys to use. Essentially implementing the whole Subset Tree Difference algorithm (and making it even more flexible than the official algo so it can figure out things with less available knowledge).

I'm also working on BDAV support. But I have a problem. Maybe somebody else can help me here ;).

I need to extract the Binding Nonce. There is a command for that (which should work after AACS-Auth). The problem is in this command an address needs to be filled: LBA Extend. But I have no idea what to put there... Sure it has to be the same address the Binding Nonce was written to but how do I get this information??

Can anybody help?

Thanks.

arnezami

PS. I've also enhanced fetchvid.exe (less aggressive/more subtle/time in ms) which now works with PowerDVD 7.3 and WinDVD 8 HD. But should work with any player. This will be the equivalent (for BD drive owners) of a Volume ID "hack". Although it requires a working software player.

arnezami
15th April 2007, 17:47
Here is a new windows version of aacskeys. I've also updated the link in the first post with this one.

http://www.sendspace.com/file/8q6aub

As stated above it has several improvements (most practical I think is the Title/Unit Key file hash atm).

There is still quite a lot I want to change/improve so you can expect more to come :).

Please test if it's working: there have been a lot of changes ;).

mrazzido
15th April 2007, 18:02
tested it with 2 Blu-ray discs, works!

great! :D

Orion17
15th April 2007, 20:47
Tested with King Kong (HD DVD). Seems to be working...Thanks arnezami

http://img523.imageshack.us/img523/1699/image1xy2.jpg (http://imageshack.us)

arnezami
15th April 2007, 20:54
Nice :).

Please check if the Bus Key is filled (don't post it) and whether the Volume ID MACs are exactly the same (don't post it).

Also for Blu-ray: is the SHA-1 hash the correct one? (according to KenD00's new specs, that is)

mrazzido
15th April 2007, 21:35
Nice :).

Please check if the Bus Key is filled (don't post it) and whether the Volume ID MACs are exactly the same (don't post it).

Also for Blu-ray: is the SHA-1 hash the correct one? (according to KenD00's new specs, that is)


For bluray .


SHA-1 is the correct one !

and Buskey is Filled :-)

PepsiLee2001
16th April 2007, 08:31
I'm also working on BDAV support. But I have a problem. Maybe somebody else can help me here ;).


I have a blu-ray BDAV, but aacskeys can't get any info from it.

message as follows:
C:\aacskeys>aacskeys.exe i v
Error opening Media Key File i:\AACS\MKBROM.AACS


Blu-ray BDAV file structure as follows:
\AACS\MKB_RW.inf
\AACS\AACS_av\CPSUnit00001.cci
\AACS\AACS_av\Unit_Key_RW.inf

Thanks a lot!!!!!!

arnezami
16th April 2007, 19:23
I have a blu-ray BDAV, but aacskeys can't get any info from it.

message as follows:
C:\aacskeys>aacskeys.exe i v
Error opening Media Key File i:\AACS\MKBROM.AACS


Blu-ray BDAV file structure as follows:
\AACS\MKB_RW.inf
\AACS\AACS_av\CPSUnit00001.cci
\AACS\AACS_av\Unit_Key_RW.inf

Thanks a lot!!!!!!

Because I haven't been able to figure out this problem (http://forum.doom9.org/showpost.php?p=989138&postcount=117) the program isn't looking for BDAV files yet.

I really need help on this.

arnezami

PepsiLee2001
17th April 2007, 03:58
Because I haven't been able to figure out this problem (http://forum.doom9.org/showpost.php?p=989138&postcount=117) the program isn't looking for BDAV files yet.

If there is anything I can do, I will do it.
Just let me know how.

Boing99
17th April 2007, 05:34
Ok. I'm quite busy extending/improving aacskeys. :)

My new version now uses a proper Hk/Hv combination and supports Bus Key calculation (which was quite some work) and because of that it now supports Volume ID MACs (for both BD and HD DVD). It also supports TKF MAC now (for checking if a VUK is correct, which is a HD-DVD-only feature btw). It also outputs the SHA-1 hash of the Title Key File (or CPS Unit Key file for BD according to new specs by KenD00's decrypter).

Since you are being so thorough about it you may also be interested in verifying the various signatures in AACS files, using the AACS public keys. I have not seen them posted anywhere else before, so here they are (in decimal format, the same format used in the AACS specs):

#define AACS_CC_PUB_X "686795158131444840350934441718292981749606298444"
#define AACS_CC_PUB_Y "667926496774724305600543583224894590551199207"
#define AACS_LA_PUB_X "569519044145899916876682500420440111695939635058"
#define AACS_LA_PUB_Y "111297986001312168148180416490690086062371334695"

I'm also working on BDAV support. But I have a problem. Maybe somebody else can help me here ;).

I need to extract the Binding Nonce. There is a command for that (which should work after AACS-Auth). The problem is in this command an address needs to be filled: LBA Extend. But I have no idea what to put there... Sure it has to be the same address the Binding Nonce was written to but how do I get this information??

The specs say "For BDRecordable Disc, the Binding Nonce shall be stored in the User Control Data associated with the first logical Sector of the CPS Unit Key File and should be non-zero value.". I assume that "first logical sector" is the same as the "LBA (Logical Block Address) Extent". The term "extent" usually refers to a consecutive range of sectors or blocks. As for how to get this: you have two options: either implement a simple UDF 2.5 reader/handler yourself and get the starting block number of the CPS Unit Key file right out of the directory structure. Or try to get it from the OS, in an OS-specific way using some file/directory query function. I don't know how to do this for Windows, but others may be able to help with that, or just google for it.

arnezami
17th April 2007, 07:20
Since you are being so thorough about it you may also be interested in verifying the various signatures in AACS files, using the AACS public keys. I have not seen them posted anywhere else before, so here they are (in decimal format, the same format used in the AACS specs):

#define AACS_CC_PUB_X "686795158131444840350934441718292981749606298444"
#define AACS_CC_PUB_Y "667926496774724305600543583224894590551199207"
#define AACS_LA_PUB_X "569519044145899916876682500420440111695939635058"
#define AACS_LA_PUB_Y "111297986001312168148180416490690086062371334695"

Yeah I might as well do that too. Cool find btw. :) Where did you get that? I haven't really spent much time searching for it but couldn't find it either (in mem). Must have missed it. Although I guessed it's in every device and player so somebody would find it sooner or later. Changing this inside a Software Player would also allow us to let the Player do pretty much everything we want: thus potentially revealing all (and even still unused) keys inside the player (like all Device Keys and/or Sequence Keys).

The specs say "For BDRecordable Disc, the Binding Nonce shall be stored in the User Control Data associated with the first logical Sector of the CPS Unit Key File and should be non-zero value.". I assume that "first logical sector" is the same as the "LBA (Logical Block Address) Extent". The term "extent" usually refers to a consecutive range of sectors or blocks. As for how to get this: you have two options: either implement a simple UDF 2.5 reader/handler yourself and get the starting block number of the CPS Unit Key file right out of the directory structure. Or try to get it from the OS, in an OS-specific way using some file/directory query function. I don't know how to do this for Windows, but others may be able to help with that, or just google for it.

Yeah. The problem is I haven't got a BluRay player/burner AND I haven't got BDAV discs. So this makes it pretty much impossible for me to test things. Maybe I will make a small proggy so somebody that does have the above can try out different addresses and see what happens.

But only after I finished the implementation of automatic Device/Processing Key detection: this is gonna be a very cool and powerful feature :) and will be very useful for future attempts by "Key Finders" (aka hackers) to check if they have found a Key among (tons of) possible keys.

Regards,

arnezami

MickJT
19th April 2007, 04:27
Just in case anyone didn't know.. AnyDVD HD 6.1.3.6 is now capable of decrypting Blu-Ray titles from mounted .iso images created with "dd" on the PS3 in Linux.

HyperHacker
20th April 2007, 02:09
There was a thread (http://forum.doom9.org/showthread.php?t=124841) about that. It's just using a database of keys.

MickJT
20th April 2007, 17:12
I don't think it's using a database of keys.

The discs I tried it on were Casino Royale (AUS) which is different to EUR/GER and USA, and also Sky High (AUS).

No database I've seen includes keys for these discs.

FoxDisc
20th April 2007, 19:40
I don't think it's using a database of keys.
The discs I tried it on was Casino Royale (AUS) which is different to EUR/GER and USA, and also Sky High (AUS).
No database i've seen includes keys for these discs.
You didn't read the thread HyperHacker sent you to. It explains that AnyDVD doesn't need its database if you use it with an original disc, and you won't have ever seen their database. AnyDVD uses its own database as a backup, which lets it decrypt files mounted as an ISO or just copied off the original disc.

arnezami
21st April 2007, 13:51
I'm really busy implementing stuff into aacskeys. :D

Here is something to test:

http://www.sendspace.com/file/f0lh56

It now supports automatic Device/Processing Key detection :).

But it needs to be tested. If anyone has Device Keys (from our "old" Software Players which are going to be revoked anyway so you can release them if you like) then please test them and see if they are recognized as such.

In the file "ProcessingDeviceKeysSimple.txt" you can simply throw your Device/Processing Keys. If they work on a disc then aacskeys should be able to recognize that.

Here is what I put in for testing:


Since it starts trying keys from the top it will detect the Device Key (released by ATARI Vampire) first (the one starting with AA85). If you remove or change that key it will find the Processing Key. If you remove or change that one too it doesn't find any working key and aborts.

In order for this to work on a new disc you need to find possible Keys (of course getting these is the hard part) and use aacskeys with these Keys on the new disc (or alternatively: copy the AACS directory from your new disc to a root dir of one of your HDDs and let aacskeys operate on that drive letter. Or mount these files/disc as an ISO. This will prevent wear and tear on your disc/drive).

More will follow (like input of volume id/HPK) but this I had to get out so somebody can (hopefully) confirm it's working. ;)

arnezami

PS. As for speed: you will notice it takes quite a lot of time to test many keys. The current version isn't built for speed. There are several ways to speed it up (eg precomputation due to similarity in shapes of subsets) and shortcuts (like only trying a few C-values and ignoring others). In other words: you can't scan (full) memdumps with this program. ;)

awhitehead
23rd April 2007, 06:40
No worky

Older version of aacskeys happily works with my current test disk (Total Recall):


C:\aacs>.\aacskeys.exe i v
Processing key: 09F911029D74E35BD84156C5635688C0
Encrypted C-value: B7422BF12E30C7308B66B877E376058D
Corresponding uv: 00000001

Decrypted C-value: 50D497E0D724A42B08E010619D3B6DD7
Media key: 50D497E0D724A42B08E010619D3B6DD6

Encrypted verification data: 9ED2A5E1116D544F0338E74E8A4F9A0B
Decr verif data should be: 0123456789ABCDEF
Decrypted verification data: 0123456789ABCDEF07D27BEAF4FBDC72

AGID: 00

Host certificate from: Power DVD 7.1
Host certificate (Hcert): 0200005CFFFF0000000C00006E3DEB679B9A16AD
FAA8E30878767BA6EB2A9B415385AD1181B4446C
31E9A5DD2AB808B364FF15885BAC490964318C9B
F8029FCF76F688A54FBDA03F6D9332EF04E5A613
12DA85880A4D9CBB79D8602E
Host Private Key (Hpriv): 4737676058D7029452514F0AB186DC4CCA8C578F
Host Nonce (Hn): 2923BE84E16CD6AE529049F1F1BBE9EBB3A6DB3C

Drive certificate (Dcert): ########################################
########################################
########################################
########################################
########################
Drive Nonce (Dn): ########################################

Drive key point (Dv): ########################################
########################################
Drive key signature (Dsig): ########################################
########################################

Host key (Hk): 0000000000000000000000000000000000000000
Host key point (Hv): 8E9B0E3CF41FA7DA3A829F604122EA4ED5261AA4
7570CE0BB9061A66FAF92C4A7D98ACC171CBF19B
Host key signature (Hsig): ########################################
########################################

Bus key (BK): ################################

Volume ID: 4000922B7BCD3536AC5CD7FA41FD0000
Voluem ID MAC: ################################

Volume Unique Key: F51EAABB7CD2E2ED05A6BE00126D4AA6
Title Key File MAC: 232F941592CBE19FF50865356153DEA7

Encrypted Title Key 1: 8D2F4E37CF6525FA88877BFFF77F5F50
Encrypted Title Key 2: 032609ADE9C4FB6B9C8F19E1BF3A8056
Encrypted Title Key 3: 25D499F134D0F546F346814C0E142D6C
Encrypted Title Key 4: 8C03F7420B47ECF1C6A2BEE7174E416E

[64 encrypted and decrypted title keys snipped]



With the newer version of aacskeys I get the following:
(ProcessingDeviceKeysSimple.txt as shipped)


C:\aacs\aacskeys.new>.\aacskeys.exe i v

Could not find a Processing Key or Device Key resulting in the Media Key.

Aborting...

C:\aacs\aacskeys.new>


If I go ahead and edit ProcessingDeviceKeysSimple.txt to just contain a single line:
09F911029D74E35BD84156C5635688C0
(Processing key that works with older version of aacskeys and this disk), I still get the same error message.

Hope this helps.

System in question is Windows XP, Pan European release (?), English locale. Xbox 360 HD-DVD drive connected over USB.

Are there any other tests I can run?

arnezami
23rd April 2007, 07:10
Ok. Thanks. What happens if you remove the file: ProcessingDeviceKeysSimple.txt altogether? Do you get a different error message? Or does it crash?

Do others have the same problem here? Please test it.

(btw it works fine on my system and I don't see (yet) why it would not work with yours)

arnezami

awhitehead
23rd April 2007, 07:10
BTW, I have a couple of suggestions for aacskeys....

There are many revisions of it out there by now, so maybe implementing some sort of versioning as maybe the first line of the output would make sense. In the above post I refer to "older" aacskeys, but I have no idea which particular build it is. This would make your life easier with bug reports, etc.

If you add a way of adding comments to ProcessingDeviceKeysSimple.txt (ie lines that will not be processed by the aacskeys, say lines that start with # or ; ), it would probably be useful for key management, etc.

arnezami
23rd April 2007, 07:16
BTW, I have a couple of suggestions for aacskeys....

There are many revisions of it out there by now, so maybe implementing some sort of versioning as maybe the first line of the output would make sense. In the above post I refer to "older" aacskeys, but I have no idea which particular build it is. This would make your life easier with bug reports, etc.

If you add a way of adding comments to ProcessingDeviceKeysSimple.txt (ie lines that will not be processed by the aacskeys, say lines that start with # or ; ), it would probably be useful for key management, etc.

You're right about the versions. Here is the same new version again (now called v0.2). No changes but the output of the version nr:

http://www.sendspace.com/file/vdnfzt

Please read my previous post. You may have missed it.

arnezami

PS. Regarding the extension of the text file: this is the "Simple" version and is for people thinking they might have found a new key. So they can just throw in possible keys...

arnezami
23rd April 2007, 07:46
I have made some changes so it gives more info. Hopefully this will clarify where the problem lies:

aacskeys v0.2.2 (http://www.sendspace.com/file/envig6)

Please to others too: try this on different discs. Thanks :).

PepsiLee2001
23rd April 2007, 09:54
I have made some changes so it gives more info. Hopefully this will clarify where the problem lies:
aacskeys v0.2.2 (http://www.sendspace.com/file/envig6)
Please to others too: try this on different discs. Thanks :).


Does this version support BDAV discs?

Error message as follows:

C:\aacskeys_v0.2.2>aacskeys.exe m v
aacskeys v0.2.2

Error opening Media Key File m:\AACS\MKBROM.AACS

arnezami
23rd April 2007, 19:41
Ok. I now got the automatic Device Key detection working thanks to someone "lending me a hand" ;). Thanks. You know who you are :).

I'm still going to (more methodically) check whether it's really accurate but it looks very good now.

Screenshot of usage for new aacskeys version:

http://img338.imageshack.us/img338/2418/aacskeysv024ym7.jpg

Anyway. Version 0.2.4 now supports volume id input too. This is going to be very handy when (well technically: if) we find the new Processing Key(s) without having a working HPK yet.

aacskeys v0.2.4 (http://www.sendspace.com/file/je0k22)

For the other problem (that awhitehead posted): anyone please test this new version (just run it) and post your results :thanks:

Regards,

arnezami

@PepsiLee2001: no this version doesn't support BDAV yet. Please read my last posts about this.

[edit] Small update: turned on something that wasn't supposed to stay turned off.

PS. If/when the new Processing/Device Key is found and released you can use fetchvid (http://forum.doom9.org/showthread.php?p=992791#post992791) to retrieve the Volume ID of a new disc and then use it as input for aacskeys. :)

awhitehead
24th April 2007, 05:24
For the other problem (that awhitehead posted): anyone please test this new version (just run it) and post your results :thanks:


Both 0.2.2 and 0.2.4 work for me now, both without the .txt file, and with it, if it contains a valid device or processing key. 0.2 didn't like the presence of .txt file, but works without it.

Tested with US release of "Syriana"

arnezami
24th April 2007, 05:32
Both 0.2.2 and 0.2.4 work for me now, both without the .txt file, and with it, if it contains a valid device or processing key. 0.2 didn't like the presence of .txt file, but works without it.

Tested with US release of "Syriana"

I can't work without txt file! :) Which means it somehow gets the txt file from a different directory. But 0.2 working when you remove the file... huh? I guess it's possible your 0.2 gets his txt file from somewhere else when the file is not in its current dir (otherwise it read the one from its current dir and there is something wrong with it). Something like that.

I guess there is a problem with accessing the current dir or something (maybe your PATH settings). Bah. I hate this directory stuff.

Can you put the exe file in a different directory and see what happens? If you have a working setup can you remove/rename all occurrences of the txt file on your entire HDD (one by one) and see which one is accessed?

Thanks.

arnezami

awhitehead
24th April 2007, 05:46
Can you put the exe file in a different directory and see what happens? If you have a working setup can you remove/rename all occurences of the txt file on your entire HDD (one by one) and see which one is accessed?


*sigh* You are right. Fixed my PATH, moved the programs to a new directory, re-run.

0.2.0 just dies with "Can't open file..."

0.2.2 and 0.2.4 print First u mask nr and First uv and then die.

With correct entry in the ProcessingDeviceKeysSimple.txt 0.2.4 and 0.2.2 still work, though, and with file present, but without the correct keys, complain about lack of keys.

arnezami
24th April 2007, 06:04
*sigh* You are right. Fixed my PATH, moved the programs to a new directory, re-run.

0.2.0 just dies with "Can't open file..."

0.2.2 and 0.2.4 print First u mask nr and First uv and then die.

With correct entry in the ProcessingDeviceKeysSimple.txt 0.2.4 and 0.2.2 still work, though, and with file present, but without the correct keys, complain about lack of keys.

Ok. So apart from crashing when no file is present it all works right?

Also try this: aacskeys v0.2.5 (http://www.sendspace.com/file/3e8bzt)

It should give (what it thinks is) the current path and it now uses that path. This prevents it from using the PATH stuff and removes the ambiguity.

arnezami

[edit] Have you also tried the new volumeid input feature?

Neo2011
25th April 2007, 14:44
Ok. I'm quite busy extending/improving aacskeys. :)

I'm also working on BDAV support. But I have a problem. Maybe somebody else can help me here ;).

I need to extract the Binding Nonce. There is a command for that (which should work after AACS-Auth). The problem is in this command an address needs to be filled: LBA Extend. But I have no idea what to put there... Sure it has to be the same address the Binding Nonce was written to but how do I get this information??

Can anybody help?

Thanks.

arnezami

I found the LBA Extend Value of the BD-RE. The LBA of the file "\AACS\AACS_av\Unit_Key_RW.inf" is the one.

This is the ScreenShot of IsoBuster 2.1. In this picture, "16800=0x000041A0" is the address.

arnezami
26th April 2007, 19:59
I found the LBA Extend Value of the BD-RE. The LBA of the file "\AACS\AACS_av\Unit_Key_RW.inf" is the one.

This is the ScreenShot of IsoBuster 2.1. In this picture, "16800=0x000041A0" is the address.
http://soarern.hp.infoseek.co.jp/image/LBA_ext.png

Thanks :).

Is it possible for you to see if the LBA is the exactly same for every disc and any content?

arnezami


PS. As an aside: I've put the 0.2.5 version in my first post of this thread since it seems to be working quite well :).

PepsiLee2001
27th April 2007, 04:18
Is it possible for you to see if the LBA is the exactly same for every disc and any content?


I have another BDAV disc that has the same file size & LBA value as the one in Neo2011's post.

Neo2011
27th April 2007, 14:47
Is it possible for you to see if the LBA is the exactly same for every disc and any content?

My other BD-RE disc's LBA is a different one. :(
Ex. 16832 , 16768. etc.

awhitehead
27th April 2007, 20:14
My another BD-RE Disc's LBA is another one.:(
Ex. 16832 , 16768. etc.

*sigh*

Seems like the real solution is to write a (limited) UDF 2.5 filesystem parser, that would be able to read the disk, parse the volume descriptors, traverse the chain to root dir file entry of the file we want, and figure out at what LBA needed files start.

Recently I was tracking down a problem while trying to figure out why a particular HD-DVD drive is capable of reading a Fox Pathe HD-DVD disc, while a different one could not, and if it was a filesystem or mastering problem on the disc or a problem with the drive. To do that, I started writing a small set of scripts that call plscsi, send the commands, and then parse the output, but this is nowhere near user-friendly. In addition I'm lazy, so instead of reading UDF 2.5 spec, I started by just randomly reading blocks, and trying to see if I can parse them.

In any event, in order to do that you need to send the following CDBs to the drive:
Get Capacity
25 00 00:00:00:00 00 00:00 00

Example (on a DVD, since this is what I have on hand):

darkstar:~/plscsi$ plscsi -v -x "25 00 00:00:00:00 00 00:00 00" -i 8
x 00000000 25 00 00:00:00:00 00 00:00 00 .. .. .. .. .. .. "%@@@@@@@@@"
x 00000000 00:18:94:FF 00:00:08:00 .. .. .. .. .. .. .. .. "@XT?@@H@"
// 0 = plscsi.main exit int
darkstar:~/plscsi$ df -h /mnt/cdrom
Filesystem Size Used Avail Capacity Mounted on
/dev/disk1 3.1G 3.1G 0B 100% /mnt/cdrom
darkstar:~/plscsi$


Bytes 2-5 (we count from zero) are the total number of blocks - 1 on a disk. Blocks 7-8 are the sector byte size (which should be 2048 bytes for the optical discs)

So for example
800h = 2048 bytes/sector
1894FFh = 1611007

1611008 sectors * 2048 bytes = 3299244384 bytes ~= 3.1 G which is what df confirms.

Then you READ(10) the blocks on the disk:

darkstar:~/plscsi$ plscsi -v -x "28 00 00:00:00:10 00 00:01 00" -i x800
x 00000000 28 00 00:00:00:10 00 00:01 00 .. .. .. .. .. .. "(@@@@P@@A@"
x 00000000 01:43:44:30 30:31:01:00 20:20:20:20 20:20:20:20 "ACD001A@ "
x 00000010 20:20:20:20 20:20:20:20 20:20:20:20 20:20:20:20 " "
x 00000020 20:20:20:20 20:20:20:20 4B:55:4D:49 54:41:43:48 " KUMITACH"
x 00000030 49:20:20:20 20:20:20:20 20:20:20:20 20:20:20:20 "I "
x 00000040 20:20:20:20 20:20:20:20 00:00:00:00 00:00:00:00 " @@@@@@@@"
x 00000050 00:95:18:00 00:18:95:00 00:00:00:00 00:00:00:00 "@UX@@XU@@@@@@@@@"
x 00000060 00:00:00:00 00:00:00:00 00:00:00:00 00:00:00:00 "@@@@@@@@@@@@@@@@"
x 00000070 00:00:00:00 00:00:00:00 01:00:00:01 01:00:00:01 "@@@@@@@@A@@AA@@A"
x 00000080 00:08:08:00 2A:00:00:00 00:00:00:2A 01:01:00:00 "@HH@*@@@@@@*AA@@"
x 00000090 00:00:00:00 00:00:01:02 00:00:00:00 22:00:03:01 "@@@@@@AB@@@@"@CA"
x 000000A0 00:00:00:00 01:03:00:08 00:00:00:00 08:00:6A:07 "@@@@AC@H@@@@H@jG"
x 000000B0 01:0C:17:30 00:02:00:00 01:00:00:01 01:00:4B:55 "ALW0@B@@A@@AA@KU"
x 000000C0 4D:49:54:41 43:48:49:20 20:20:20:20 20:20:20:20 "MITACHI "
x 000000D0 20:20:20:20 20:20:20:20 20:20:20:20 20:20:20:20 " "
...
x 00000220 20:20:20:20 20:20:20:20 20:20:20:20 20:20:20:20 " "
x 00000230 20:20:20:20 20:20:20:20 20:20:20:20 20:20:44:56 " DV"
x 00000240 44:20:53:74 75:64:69:6F 20:50:72:6F 3A:34:2E:30 "D Studio Pro:4.0"
x 00000250 2E:33:2C:20 44:53:50:49 6E:74:65:72 66:61:63:65 ".3, DSPInterface"
x 00000260 3A:33:38:32 2C:20:44:56 44:41:75:74 68:6F:72:69 ":382, DVDAuthori"
x 00000270 6E:67:3A:33 37:32:2C:20 44:56:44:42 61:73:65:3A "ng:372, DVDBase:"
x 00000280 33:39:36:28 45:6E:63:6F 64:65:72:3A 20:34:38:33 "396(Encoder: 483"
x 00000290 29:2C:20:4F 78:79:67:65 6E:65:3A:34 30:39:20:20 "), Oxygene:409 "
x 000002A0 20:20:20:20 20:20:20:20 20:20:20:20 20:20:20:20 " "
...
x 00000310 20:20:20:20 20:20:20:20 20:20:20:20 20:20:20:20 " "
x 00000320 20:20:20:20 20:20:20:20 20:20:20:20 20:32:30:30 " 200"
x 00000330 36:30:37:30 31:31:32:32 33:34:38:30 30:00:30:30 "6070112234800@00"
x 00000340 30:30:30:30 30:30:30:30 30:30:30:30 30:30:00:30 "00000000000000@0"
x 00000350 30:30:30:30 30:30:30:30 30:30:30:30 30:30:30:00 "000000000000000@"
x 00000360 30:30:30:30 30:30:30:30 30:30:30:30 30:30:30:30 "0000000000000000"
x 00000370 00:01:00:00 00:00:00:00 00:00:00:00 00:00:00:00 "@A@@@@@@@@@@@@@@"
x 00000380 00:00:00:00 00:00:00:00 00:00:00:00 00:00:00:00 "@@@@@@@@@@@@@@@@"
...
x 000007F0 00:00:00:00 00:00:00:00 00:00:00:00 00:00:00:00 "@@@@@@@@@@@@@@@@"
// 0 = plscsi.main exit int
darkstar:~/plscsi$


In the READ(10) CDB 28 00 xx:xx:xx:xx 00 yy:yy 00
bytes 2:3:4:5 (xx) are the start blocks to read from. 16 is generally the first block on optical media. Bytes 7:8 (yy) are number of blocks to read (yes, you can do bulk). I only want one block, and previous CDB told me how large are blocks on this media, so I expect back 800h = 2048 bytes.

Indeed in the drive is a DVD that was authored using Apple DVD Studio Pro and labeled "KUMITACHI". 2006-07-01 12:23:48 is the creation date and time.

In reality, if you are writing the real thing, you want to read in 3 different places on a disk to obtain the Anchor Volume Descriptor Pointer. It can be 256 blocks into the filesystem, at the last block of the filesystem, or at the (last block - 256) block of the filesystem. Last two cases are more common with rewritable media that was not finalized. Since HD-DVDs are pressed and generally reasonably well authored, currently I just ignore the other two cases.

So... 256 = 100h and we started 16 blocks into the disk, so, we want to start by reading 272 (110h) blocks in, and parse the AVDP to figure out where Main Volume Descriptor Sequence is. MVDP will give us either a Logical Volume Descriptor (likely) or Partition Descriptor (very unlikely to see in the field nowadays, and comes up on disks that have say HFS+ filesystem and UDF filesystem on them, so I currently just ignore this.) location. Both of the above will point us at the File Set Descriptor, that in turn will give us Root Directory File Entry location (Recall that directories are just files, that have File ID Descriptors of their children files as their File Data).

And then you traverse the disk, parse the FSD, get the RDFE, parse RDFE, find the correct file corresponding to the correct subdirectory, read its FD, and figure out which block corresponds to the file you want.

I do some of this using scripts, and a fair bit of the above by hand right now (decoding file descriptors, parsing RDFE, etc). I am not sure what my current time commitments are, and if I'll have an opportunity to code something, so if anyone wants to get a crack at this, and contribute a module for aacskeys - Go for it! BD fans - here is your opportunity to shine!

UDF specs are at http://www.osta.org/specs/
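
As an added illustration of the steps in the post above (not code from the thread or from aacskeys), this Python sketch decodes the READ CAPACITY(10) data shown there, rebuilds the READ(10) CDB, and validates a candidate Anchor Volume Descriptor Pointer by its descriptor tag before trusting the extent it points to. Function names and the sample AVDP sector are constructed for the example; candidate sectors are taken as the absolute sector numbers 256, N-256 and N (N = last LBA), and the tag layout and CRC (polynomial 0x1021, initial value 0) follow ECMA-167.

```python
import binascii
import struct

AVDP_TAG_ID = 2      # ECMA-167 tag identifier: Anchor Volume Descriptor Pointer
AVDP_CRC_LEN = 496   # 512-byte descriptor minus the 16-byte descriptor tag


def parse_read_capacity10(resp):
    """Decode the 8 data bytes returned for CDB 25h: (last LBA, block length)."""
    if len(resp) != 8:
        raise ValueError("READ CAPACITY(10) data must be exactly 8 bytes")
    return struct.unpack(">II", resp)  # both fields are big-endian


def build_read10(lba, count):
    """Build the 10-byte READ(10) CDB: opcode 28h, 32-bit LBA, 16-bit length."""
    if not 0 <= lba <= 0xFFFFFFFF or not 0 < count <= 0xFFFF:
        raise ValueError("LBA or transfer length out of range for READ(10)")
    return struct.pack(">BBIBHB", 0x28, 0, lba, 0, count, 0)


def avdp_candidates(last_lba):
    """Sectors where an AVDP may be recorded, in the order worth trying."""
    wanted = [256, last_lba - 256, last_lba]
    return [s for s in dict.fromkeys(wanted) if 0 <= s <= last_lba]


def _tag_checksum(tag16):
    # Sum of tag bytes 0-3 and 5-15 modulo 256 (byte 4 holds the checksum).
    return (sum(tag16[0:4]) + sum(tag16[5:16])) & 0xFF


def parse_avdp(sector, lba):
    """Validate the descriptor tag, then return (MVDS location, MVDS length)."""
    if len(sector) < 512:
        raise ValueError("sector too short to hold an AVDP")
    tag_id, _ver, cksum, _rsv, _serial, crc, crc_len, tag_loc = \
        struct.unpack_from("<HHBBHHHI", sector, 0)
    if tag_id != AVDP_TAG_ID:
        raise ValueError("tag identifier %d is not an AVDP" % tag_id)
    if cksum != _tag_checksum(sector[:16]):
        raise ValueError("descriptor tag checksum mismatch")
    if tag_loc != lba:
        raise ValueError("tag location does not match the sector that was read")
    if crc_len > len(sector) - 16:
        raise ValueError("descriptor CRC length exceeds the sector")
    if binascii.crc_hqx(sector[16:16 + crc_len], 0) != crc:
        raise ValueError("descriptor CRC mismatch")
    # extent_ad: 32-bit length in bytes, then 32-bit starting sector.
    mvds_len, mvds_loc = struct.unpack_from("<II", sector, 16)
    return mvds_loc, mvds_len


def make_sample_avdp(lba, mvds_loc, mvds_len, sector_size=2048):
    """Constructed test input: a well-formed AVDP sector (not from a real disc)."""
    body = struct.pack("<IIII", mvds_len, mvds_loc, mvds_len, mvds_loc + 32)
    body = body.ljust(AVDP_CRC_LEN, b"\0")
    crc = binascii.crc_hqx(body, 0)
    tag = bytearray(struct.pack("<HHBBHHHI", AVDP_TAG_ID, 3, 0, 0, 1,
                                crc, AVDP_CRC_LEN, lba))
    tag[4] = _tag_checksum(tag)
    return (bytes(tag) + body).ljust(sector_size, b"\0")


if __name__ == "__main__":
    # The 8 data bytes from the plscsi READ CAPACITY example in the post.
    last_lba, block_len = parse_read_capacity10(bytes.fromhex("001894FF00000800"))
    print("last LBA", last_lba, "block length", block_len)
    print("READ(10) for sector 16:", build_read10(16, 1).hex(" "))
    for cand in avdp_candidates(last_lba):
        sector = make_sample_avdp(cand, 32, 32768)  # stands in for a real read
        print("AVDP at", cand, "-> MVDS (location, length)", parse_avdp(sector, cand))
```

Checking the tag identifier, checksum, recorded location and CRC before following the extent keeps the parser from walking into arbitrary sectors when a disc is unfinalized, damaged or simply not UDF.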

arnezami
29th April 2007, 09:32
This may be a stupid question. :D

But has anyone tried to retrieve a VUK for a BDAV disc using bluray key finder (http://forum.doom9.org/showthread.php?p=941504#post941504)?

If we had a VUK it would be possible to see if we can properly decrypt/dump a bdav disc. If so then we know what VUK a certain disc has and we would have a validated crib to work with. Which would make it easier to figure out the LBA Extend/Binding Nonce/AES-H/Usage file/Kpa stuff.

If you haven't tried this yet please do :).

arnezami

PepsiLee2001
29th April 2007, 11:45
This may be a stupid question. :D

But has anyone tried to retrieve a VUK for a BDAV disc using bluray key finder (http://forum.doom9.org/showthread.php?p=941504#post941504)?

If we had a VUK it would be possible to see if we can properly decrypt/dump a bdav disc. If so then we know what VUK a certain disc has and we would have a validated crib to work with. Which would make it easier to figure out the LBA Extend/Binding Nonce/AES-H/Usage file/Kpa stuff.
arnezami


I had tried it, but bluray key finder can't find it.

mrazzido
29th April 2007, 12:27
I had tried it, but bluray key finder can't find it.

hey!

when you have time

made with winhex a copy of the ram from "win dvd"

pack this with rar .

upload to rapidshare i try to find the key in the ram then.

for BDAV

i think its another OFFSET.

arnezami
29th April 2007, 13:41
I had tried it, but bluray key finder can't find it.

Does it work for normal (prerecorded) movies?

arnezami


PS. Only post links to your memdumps privately (using pms). Because they (could) contain sensitive information about your drive.

mrazzido
29th April 2007, 13:48
PS. Only post links to your memdumps privately (using pms). Because they (could) contain sensitive information about your drive.


yeah i know

to pepsilee2001

when you made a memdump send it to my PM.

PepsiLee2001
29th April 2007, 15:46
Does it work for normal (prerecorded) movies?


Yes, it works fine for normal BDMV.


Does it work for normal (prerecorded) movies?

PS. Only post links to your memdumps privately (using pms). Because they (could) contain sensitive information about your drive.

OK, It's uploading.

arnezami
4th May 2007, 09:30
Hi all,

The time I talked about earlier has come.

Thanks for all :thanks:.

Here are all the source and exe files of my programs:

aacskeys v0.2.6 (exe) (http://www.sendspace.com/file/q44d83)
aacskeys v0.2.6 (source) (http://www.sendspace.com/file/5vrl6g)

fetchvid v0.2.13 (exe) (http://www.sendspace.com/file/cflczv)
fetchvid v0.2.13 (source, very messy, read remarks) (http://www.sendspace.com/file/g15bcu)

fwchecksum (exe) (http://www.sendspace.com/file/uqhj99)
fwchecksum (source, messy) (http://www.sendspace.com/file/cuftuf)

dumpvid v0.3 bd (exe) (http://www.sendspace.com/file/c1g2h0)
dumpvid v0.3 bd (source) (http://www.sendspace.com/file/kse5xd)

Or on rapidshare (http://forum.doom9.org/showthread.php?p=1010630#post1010630).

All my contributions to these programs are released in Public Domain.

Remember: always keep going as a collective :).

Double your efforts. ;)

Bye

arnezami

PS. Just to be clear: yes this is my last post.

mrazzido
4th May 2007, 09:53
Hey! arnezami great for source files!

I hope no one uses this source to build their own program and make a profit!!!

insomniak1981
4th May 2007, 13:10
Many thanks for all your time and hard work arnezami, you will be greatly missed.

bourke
4th May 2007, 13:43
Hi all,
The time I talked about earlier has come.

Does anyone have a link to the post(s) where he mentioned this before?

mrazzido
4th May 2007, 13:47
Does anyone have a link to the post(s) where he mentioned this before?

http://forum.doom9.org/showthread.php?p=993940#post993940

zeroprobe
4th May 2007, 17:33
Why is he disappearing?

KenD00
4th May 2007, 20:50
This is very sad news, you have done great work for the community, I wish you all the best.

:rolleyes:

lightshadow
4th May 2007, 21:36
Yes, we can't thank you enough for your exceedingly huge contribution to the world!

We owe you greatly!

I hope you or someone sets up a PayPal (if it is anonymous?) account for people to donate $1. I think it would be a success.

I hope you have left us a red button to press, or a projector with your logo on we can point to the sky, if we ever should need your help =)

Thanks!

Orion17
4th May 2007, 22:25
Yes, Thank You arnezami. I am sure you have your reasons for leaving and wish you the best bro. I have been a silent reader since the whole Muslix64 stuff started and got to say that you have inspired us all to continue this quest as best that we can. You will be missed dude. :(

Pelican9
4th May 2007, 23:38
Hi all,

The time I talked about earlier has come.



Thank you very much! :thanks:

dirio49
5th May 2007, 01:43
Thanks for all you have done.
You will be missed. :thanks: :thanks:

xyz987
5th May 2007, 02:55
PS. Just to be clear: yes this is my last post.

A great loss for us. You always will be remembered here. Just a word:

:thanks:

HyperHacker
5th May 2007, 09:55
It's been nice having you around. You've done fantastic work for the good of users everywhere.

greath
5th May 2007, 12:59
Yes, my thanks also. A very knowledgeable person who has contributed immeasurably to furthering our knowledge. Best of luck for your future endeavours.

cwl7454
6th May 2007, 11:46
According to itpro :search: the big boys have criticized the AACS LA for taking so long to react to the broken encryption scheme.

BD+ (a much more secure encryption scheme) is to start being utilized next month.:devil:

Congrats to all who have put so much time and effort into wounding the giants.:thanks:

JK1974
7th May 2007, 01:01
arnezami, thanks a lot for your effort in trying to create a fair-to-use multimedia future. With your work here you have become for sure a legend like DVD Jon and muslix64.

BTW: Good luck - and don't get caught. :)

lightshadow
7th May 2007, 02:10
arnezami, thanks a lot for your effort in trying to create a fair-to-use multimedia future. With your work here you have become for sure a legend like DVD Jon and muslix64.

Yes, I hope someone (with a little more knowledge than me about this subject) will put him into the history book (http://en.wikipedia.org/wiki/Advanced_Access_Content_System) =)

Actually, he and Muslix64 were mentioned, but for some reason all names have been removed.

In fact, I think in this hack, the credits should be given to a few more. awhitehead, FoxDisc, Geremia, and xt5 are names that spring to my mind, just to limit it to a top 5.

Clearly there have been more important hackers and testers that couldn't have been done without. Not to forget the brains at the Understanding AACS (including Subset-Difference) (http://forum.doom9.org/showthread.php?t=122363&page=1) thread and the programmers in this thread =)

I think we will see more to Boing99 in the next round of AACS DRM hackers. =)

eousphoros
9th May 2007, 02:14
I had some trouble getting the original aacskeys working in Linux (haven't looked at the latest source release yet) so I ported it to be Linux friendly and also included a SHA-1 hash... and modified the output a little bit. Here it is with source... it's ugly but the output is right :)

Galileo2000
9th May 2007, 04:28
OK, it might be my last post on this forum as well.

Feeling under double pressure I think the time has come.

Of course I did not contribute even close to 0.1% compared to arnezami but at least I've tried to discuss and offered some solutions when I knew the answer.

Now they can have their formats and shave it in their A$$.

I will not spend $0.01 on either format.

If you want to talk to me, you know where to find me: http://www.avsforum.com.

I am done with this $rap.

Bye comrades.

Pelican9
9th May 2007, 11:01
OK, it might be my last post on this forum as well.

Feeling under double pressure I think the time has come.

Of course I did not contribute even close to 0.1% compared to arnezami but at least I've tried to discuss and offered some solutions when I knew the answer.

Now they can have their formats and shave it in their A$$.

I will not spend $0.01 on either format.

I am done with this $rap.

Bye comrades.

Hmmm. What happened? Double pressure? By who?

zeroprobe
9th May 2007, 13:39
aacs la must be paying everybody off lol.

muslix64, janvitos, arnezami, galileo ....

bigdog660
9th May 2007, 17:02
Props to everyone that has helped.:thanks: I've been following this from day one.

Given the sensitivity of this issue, you'd think our main contribs such as muslix64, janvitos, arnezami, galileo, etc. would have used fake reg info, fake location, one time email adds and anonymous surfing (proxy servers) to help protect themselves.

And if they did, I sure am clueless on how they still got pressured.:confused:

Anyway, good luck to all, and again, thanks for everything.

greath
10th May 2007, 14:23
aacs la must be paying everybody off lol.

muslix64, janvitos, arnezami, galileo ....

More like harassing them. I wonder if there's a law against harassment over the Internet.

Galileo2000
10th May 2007, 15:43
Guys, I need to make another post after my last post.

AACS LA did not contact me.

My decision to leave was for reasons different than that.

So don't be afraid, we are not at that stage of the game, at least not yet.

My apologies if my post was ambiguous on that matter.

I hope this post clears it up.

All the best.

heman
3rd June 2007, 19:14
are there some mirrors of arnezami's tools posted here?
http://forum.doom9.org/showpost.php?p=999019&postcount=155

arnezami
4th June 2007, 18:28
Pfff....

http://rapidshare.com/files/35218493/aacskeys_v0.2.6.rar.html

http://rapidshare.com/files/35218695/aacskeys_source_v0.2.6.rar.html


http://rapidshare.com/files/35219018/fetchvid_v0.2.13.rar.html

http://rapidshare.com/files/35219077/fetchvid_source_v0.2.13.rar.html


http://rapidshare.com/files/35218795/fwchecksum.rar.html

http://rapidshare.com/files/35218857/fwchecksum_source.rar.html


http://rapidshare.com/files/37033433/dumpvid_v0.3_bd.rar.html

http://rapidshare.com/files/37033559/dumpvid_v0.3_bd_source.rar.html

Revgen
8th June 2007, 21:36
@arnezami

Is that new version of AACSKeys ready yet?

arnezami
8th June 2007, 21:50
@arnezami

Is that new version of AACSKeys ready yet?

Ehm. No. Not yet.

But for the moment you can use v0.2.6 in combination with DumpHD. For MKB v3 HD DVDs you first need vid.exe to get a VID (built by xt5) and for MKB v3 BDs you first need dumpvid (by KenD00 and adapted by me, see previous page) using the new PowerDVD to get a VID.

Regards,

arnezami

paranoid87
16th June 2007, 18:14
hmm,

I currently use PowerDVD, so DumpHD... must not be an issue... I can get a VID.

arnezami
16th June 2007, 18:54
Here is a new version of aacskeys:

http://www.sendspace.com/file/dt7o5o

It's an in-between version. But what it does already is automatically detect the xbox add-on drive and get the vid through our hack. So no need for a new Host Private Key, vid.exe or sniffing Volume IDs for HD DVD owners anymore :D. And it's even (much) faster than the official method...

No flashing needed. So those that have the Xbox HD DVD drive: please test it ;).

Working on more stuff:

- incorporating vid hammering (especially for Blu-Ray drives)
- better errors and stopping when something goes wrong
- combining with DumpHD

Regards,

arnezami

SvT
16th June 2007, 19:06
arnezami !

I can report SUCCESS :)

After copying the ProcessingDeviceKeysSimple.txt from a previous version to the same directory it ran without any problem !

E:\Progs\HD-DVD\aacskeys_v0.2.7>aacskeys h
aacskeys v0.2.7

Volume Unique Key: 79E3ABB4B7DBD2D37CC0B33F80812433
TKF Hash (DiscID): CD8A706BA7D6A44744F940103F51D57A63626A00

E:\Progs\HD-DVD\aacskeys_v0.2.7>

Now let me check if the numbers are correct !

CD8A706BA7D6A44744F940103F51D57A63626A00=Bourne Supremacy (EU) |V|10/28/06| 79E3ABB4B7DBD2D37CC0B33F80812433 :) :) :)

Instead of the "powerDVD 7.1" numbers (certificate and stuff) it now gives me my drive FW number !

Thanks for this cool program ! :)

arnezami
16th June 2007, 19:16
Ah ok :)

I changed the link so now the text file with both Processing Keys is included ;)

A verbose test would also be nice. And a test with an MKB v3 HD DVD.

arnezami

SBeaver
16th June 2007, 19:23
So does the xbox hack still require flashing a new firmware or does it get the vid through some kind of workaround? Maybe this was mentioned before

SvT
16th June 2007, 19:25
Here is the verbose output !

E:\Progs\HD-DVD\aacskeys_v0.2.7>aacskeys h v
aacskeys v0.2.7

Current path: E:\Progs\HD-DVD\aacskeys_v0.2.7
Device key: AA856A1BA814AB99FFDEBA6AEFBE1C04
Processing key: 09F911029D74E35BD84156C5635688C0
Encrypted C-value: 607101739330EB82601790C3C25F0224
Corresponding uv: 00000001

Decrypted C-value: 04E23CE9FCEAF1EDC3ED4C6F2E0A6972
Media key: 04E23CE9FCEAF1EDC3ED4C6F2E0A6973

Encrypted verification data: FB7515969AE048DE773C85C9C3728C29
Decr verif data should be: 0123456789ABCDEF
Decrypted verification data: 0123456789ABCDEF39CF7A719194F14F

Drive FW info: MC0810/03/06

AGID: 00

Volume ID: 40001027200607200020202020200000

Volume Unique Key: 79E3ABB4B7DBD2D37CC0B33F80812433
TKF Hash (DiscID): CD8A706BA7D6A44744F940103F51D57A63626A00
Title Key File MAC: D0FFF212615C4A28FEE9D4BE12DF484D
TKF MAC should be: D0FFF212615C4A28FEE9D4BE12DF484D

Encrypted Title Key 1: 19F4D956D76909C9D5DDD2DA91A303F4
Encrypted Title Key 2: 444AB92C2E962E68C412BA5E411D7354
Encrypted Title Key 3: D5D111BAA474DB0303FB83A881DDB915
Encrypted Title Key 4: EEB06A9345B18338319C667F9FF157A1
Encrypted Title Key 5: 878CB225D4BB02578EA3C98323A4DD7B

Can't help you with MKBv3 :mad: I only own 1 disc......

arnezami
16th June 2007, 19:26
So does the xbox hack still require flashing a new firmware or does it get the vid through some kind of workaround? Maybe this was mentioned before

No flashing needed. Works with the original Xbox HD DVD drive :D.

arnezami

Zotty
17th June 2007, 12:43
It's an in-between version. But what it does already is automatically detect the xbox add-on drive and get the vid through our hack. So no need for a new Host Private Key, vid.exe or sniffing Volume IDs for HD DVD owners anymore :D. And it's even (much) faster than the official method...

No flashing needed. So those that have the Xbox HD DVD drive: please test it ;).

Now that's interesting. Any chance of me testing this using Linux?

arnezami
17th June 2007, 13:00
Now that's interesting. Any chance of me testing this using Linux?

Since this is an in-between version the source is not released. So currently there isn't a way to compile it under linux. However maybe using some VMware might work.

arnezami

Galileo2000
17th June 2007, 19:08
Just tested new version w/ Matrix Reloaded and Matrix Revolutions, MKB v3, works fine.

xbox add-on was used as a drive.

Let me know if you need some more testing or the output from Matrix Reloaded.

Great job, thanks.

Verbose output from Matrix Revolutions is below:




aacskeys v0.2.7

Current path: E:\arnezami
Processing key: 455FE10422CA29C4933F95052B792AB2
Encrypted C-value: A9060B76DA82C88A037F1C7C26C3DA0E
Corresponding uv: 00000049

Decrypted C-value: DEC16A984E6CB59538D654F621E6AFE3
Media key: DEC16A984E6CB59538D654F621E6AFAA

Encrypted verification data: E7D1A8013AB5CF59E211396347FA5829
Decr verif data should be: 0123456789ABCDEF
Decrypted verification data: 0123456789ABCDEFD1DE762378736603

Drive FW info: MC0810/03/06

AGID: 00

Volume ID: 400018074404200457474844564D0000

Volume Unique Key: E94ECC840F0BE02ABB5A2BB8AD85246A
TKF Hash (DiscID): CE20B4BF37E23CE20B2B53AEBFFE3C56315A396F
Title Key File MAC: 399072C4A8D2C400A940A686646F7592
TKF MAC should be: 399072C4A8D2C400A940A686646F7592


arnezami
17th June 2007, 19:20
Just tested new version w/ Matrix Reloaded and Matrix Revolutions, MKB v3, works fine.

xbox add-on was used as a drive.
Arnezami, let me know if you need specifics on MKB v3.

Great job, thanks.

Ok. Thanks. Seems to work pretty good.

Keep in mind it checks if the FW is MC0810/03/06. Maybe some people have newer FW versions though. It won't do the "trick" but we would be really interested in that FW revision! :).

arnezami

Galileo2000
17th June 2007, 19:38
Ok. Thanks. Seems to work pretty good.

Keep in mind it checks if the FW is MC0810/03/06. Maybe some people have newer FW versions though. It won't do the "trick" but we would be really interested in that FW revision! :).

arnezami

You are too fast, I just posted the entire output of the program.

Do you know where to get a new version of the firmware? I don't feel like logging in to Xbox live...

I have two xbox add-ons, might as well flash one...

arnezami
17th June 2007, 19:46
You are too fast, I just posted the entire output of the program.

Do you know where to get a new version of the firmware? I don't feel like logging in to Xbox live...

I have two xbox add-ons, might as well flash one...

No idea if there even exists a new revision. But there is bound to come a new one sometime. If so it will be very interesting ;).

Thanks for the output btw :).

Galileo2000
17th June 2007, 19:52
No idea if there even exists a new revision. But there is bound to come a new one sometime. If so it will be very interesting ;).



Oh yes, there is. Look here:

"While we look forward to enjoying these new features, we wouldn't be one bit surprised if Microsoft also figured out a way to secure that pesky AACS hardware key that has caused such a ruckus."


http://www.engadgethd.com/2007/05/16/xbox-360-hd-dvd-add-on-drive-update/





Thanks for the output btw :).

Pleasure is all mine :D

arnezami
17th June 2007, 19:58
Oh yes, there is. Look here:

"While we look forward to enjoying these new features, we wouldn't be one bit surprised if Microsoft also figured out a way to secure that pesky AACS hardware key that has caused such a ruckus."

http://www.engadgethd.com/2007/05/16/xbox-360-hd-dvd-add-on-drive-update/


I'm pretty sure the famous "May Update" does not flash the drive at all. It does update the (software) player etc however.

arnezami

laserfan
17th June 2007, 20:30
Here is a new version of aacskeys...an in-between version. But what it does already is automatically detect the xbox add-on drive and get the vid through our hack.

Does anyone here know if this will work with the HP HD100 (now on sale for $129 AR at Fry's)?

Galileo2000
17th June 2007, 20:37
Does anyone here know if this will work with the HP HD100 (now on sale for $129 AR at Fry's)?

I've heard HP uses the same Toshiba drive. If so, yes, it most probably will work.

If not, it won't work the same "easy" way as Arnezami mentioned because of the different firmware.

arnezami
17th June 2007, 20:38
Does anyone here know if this will work with the HP HD100 (now on sale for $129 AR at Fry's)?

Wow. That's cheap! :)

No the xbox HD DVD trick won't work on the HP HD100. Although maybe we can find a similar exploit. Cheap drives and firmware hackers are made for each other ;).

Anyway. As long as no exploit is found for a drive you would still be able to decrypt your discs though. You would need to use either dumpvid (the original by KenD00 for HD DVD) or use fetchvid (made by me). Depending on how it behaves. And you probably need PowerDVD 7.3 (upgraded) for it. Unless you only have old discs because then none of this is needed. But I'm assuming you want to buy new discs in the future.

Ooh. Nearly forgot. If it's a USB drive you can always sniff the USB as a "fallback method". And then there is of course the online list of vuks here on this forum (if your title is in it no need for getting a vid at all, aacskeys isn't needed anymore).

arnezami

laserfan
18th June 2007, 01:59
Thanks arnezami for your complete reply!

...you can always sniff the usb as a "fallback method".

Sounds kinda perverse... ;)

I dunno what this means but if I need to, I will do a "Search"! Many thanks...

mlansell
19th June 2007, 00:43
Hmmm. I tried the new version but all I get is this:


aacskeys v0.2.7


Could not find a Processing Key or Device Key resulting in the Media Key.

Aborting...


If I rename the ProcessingDeviceKeysSimple.txt file it reports that it cannot find it, so it must be trying to load it from the correct place.

I'm using an Xbox360 drive, and the disk is the UK edition of Corpse Bride.

If I use my ancient version of aacskeys, it reports an incorrect VUK, so I presume this disk requires the newer processing key.

Any ideas?

Mal

arnezami
19th June 2007, 00:49
Hmmm. I tried the new version but all I get is this:



If I rename the ProcessingDeviceKeysSimple.txt file it reports that it cannot find it, so it must be trying to load it from the correct place.

I'm using an Xbox360 drive, and the disk is the UK edition of Corpse Bride.

If I use my ancient version of aacskeys, it reports an incorrect VUK, so I presume this disk requires the newer processing key.

Any ideas?

Mal

What's in your ProcessingDeviceKeysSimple.txt file? Two keys? Which ones?

Can you also check the MKBROM.AACS file with WinHex and post the first 16 bytes of that file (in hex)?

Does it play with PowerDVD/WinDVD? Does AnyDVD work on it?

What are the dates of the files in the AACS directory of the disc?

arnezami

mlansell
19th June 2007, 22:43
What's in your ProcessingDeviceKeysSimple.txt file? Two keys? Which ones?
Two keys:
09F911029D74E35BD84156C5635688C0 ; Processing Key MKB v1
455FE10422CA29C4933F95052B792AB2 ; Processing Key MKB v3

Can you also check the MKBROM.AACS file with WinHex and post the first 16 bytes of that file (in hex)?
10 00 00 0C 00 04 10 03 00 00 00 03 21 00 00 64

Does it play with PowerDVD/WinDVD? Does AnyDVD work on it?
I can't play it with PowerDVD because despite having paid good money for HDCP compliant hardware, the graphics card is not on the "list", so it refuses to play. That's why I'm interested in removing this DRM horsesh*t.

My trial for AnyDVD ran out a while back. I don't really want to buy it, but if the other information I've listed here doesn't help, I guess I may have to.

What are the dates of the files in the AACS directory of the disc?
14/04/2007 09:27

Thanks

M.

Zotty
19th June 2007, 23:22
Since this is an in-between version the source is not released. So currently there isn't a way to compile it under linux. However maybe using some VMware might work.

arnezami
A little off-topic, but I just got the authentication skip method working in decrypthd, including FW checking. So I'm happy after all ;)

Bottom line is this works in Linux as well and seems indeed to be faster compared to actually doing authentication. Unfortunately I've got the same firmware as mentioned above, so no news there.

edit:
To be more exact;
- no authentication: 0,098 seconds
- with authentication: 1,640 seconds


10 00 00 0C 00 04 10 03 00 00 00 03 21 00 00 64

That's a v3 MKB alright.
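
How the 16 posted bytes yield "v3", as an added example that is not part of any post in this thread and is not code from aacskeys: a small Python walker over MKB records. The record layout (1-byte type, 3-byte big-endian length that includes the 4-byte header, and a first record of type 0x10 carrying a 32-bit MKB type and a 32-bit version) is an assumption taken from the published AACS format that matches the bytes above; the function names are made up for this example.

```python
import struct

# The first 16 bytes of MKBROM.AACS exactly as posted in the thread.
POSTED_HEADER = bytes.fromhex("10 00 00 0C 00 04 10 03 00 00 00 03 21 00 00 64")

# Assumption: record type 0x10 is the "Type and Version" record.
TYPE_AND_VERSION = 0x10


def walk_records(buf):
    """Yield (offset, record_type, declared_length, body, complete) per record.

    Assumed layout: 1-byte type, 3-byte big-endian length that counts the
    4-byte header itself, then the body. A record whose declared length runs
    past the end of the buffer is reported with complete=False and ends the walk.
    """
    off = 0
    while off + 4 <= len(buf):
        rtype = buf[off]
        length = int.from_bytes(buf[off + 1:off + 4], "big")
        if length < 4:
            # A length smaller than the header can never advance the walk.
            raise ValueError(f"record at offset {off} declares impossible length {length}")
        body = buf[off + 4:off + length]
        complete = off + length <= len(buf)
        yield off, rtype, length, body, complete
        if not complete:
            return
        off += length


def mkb_version(buf):
    """Return (mkb_type, version) read from the leading Type and Version record."""
    try:
        _off, rtype, length, body, complete = next(walk_records(buf))
    except StopIteration:
        raise ValueError("buffer too short for a record header") from None
    if rtype != TYPE_AND_VERSION or length != 12 or not complete:
        raise ValueError("first record is not a complete Type and Version record")
    mkb_type, version = struct.unpack(">II", body)
    return mkb_type, version


if __name__ == "__main__":
    mkb_type, version = mkb_version(POSTED_HEADER)
    print(f"MKB type field: {mkb_type:#010x}, version: {version}")
    for off, rtype, length, _body, complete in walk_records(POSTED_HEADER):
        state = "complete" if complete else "truncated in this 16-byte sample"
        print(f"offset {off:2d}: type {rtype:#04x}, length {length} ({state})")
```

On the posted bytes the second record header (type 0x21, length 0x64) is visible but its body is not, so the walker flags it as truncated instead of reading past the sample.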

dirio49
20th June 2007, 00:45
@Zotty.
when are you going to release it? :D

Zotty
20th June 2007, 08:56
Errr.. haven't thought about that yet. Been experimenting a bit with this and optimization. But I've also been quite busy at work lately, so development is going a bit slow.

Anyways, let's not hijack this thread. This one is about aacskeys ;)

arnezami
20th June 2007, 21:03
@mlansell: check your PM box. ;)

arnezami
23rd June 2007, 19:19
Hmmm. I tried the new version but all I get is this:



If I rename the ProcessingDeviceKeysSimple.txt file it reports that it cannot find it, so it must be trying to load it from the correct place.

I'm using an Xbox360 drive, and the disk is the UK edition of Corpse Bride.

If I use my ancient version of aacskeys, it reports an incorrect VUK, so I presume this disk requires the newer processing key.

Any ideas?

Mal
I removed a pretty major bug in aacskeys which caused this sometimes. In fact KenD00 already pointed this out to me earlier. Anyway should work now :).

aacskeys v0.2.8 (http://www.sendspace.com/file/sull3p)

Please test it.

arnezami

mlansell
24th June 2007, 01:00
I removed a pretty major bug in aacskeys which caused this sometimes. In fact KenD00 already pointed this out to me earlier. Anyway should work now :).

aacskeys v0.2.8 (http://www.sendspace.com/file/sull3p)

Please test it.

arnezami

The new aacskeys works like a dream - great work, Arnezami :-)

BTW, using AnyDVD worked as well. However, if I then try to play the decrypted pevob_1.evo in PowerDVD, it glitches for the first minute or so. Playback in Windows Media Player / Media Center is fine.

Using the key from Aacskeys to decrypt via BackupHDDVD has no such troubles.

The files produced by both methods are exactly the same size.

Weird eh?

M.

Pelican9
26th June 2007, 13:28
The files produced by both methods are exactly the same size.


Why not compare the contents of the two files?

mlansell
26th June 2007, 15:53
Why not compare the contents of the two files?

I would, but I don't have the corrupt one anymore. I suppose I could try it again and see if it comes out corrupt the second time...

mrazzido
27th June 2007, 15:57
Hey! my friends!

Got a new Blu-ray disc today, aacskeys 0.2.8 doesn't work?? Did I do anything wrong?

It's a new movie, 4 days out here in our shops.

dumpvid j

DumpVID 0.3 by KenD00 (adapted for bluray testing)

Drive type is recognised as CDROM/DVD.

Sending SPC1 Test Unit CDB6 command..done.
Returned good status.

Press ENTER to start hammering

Hammering drive...
vid: 86C48635F69A116990A78741EDDE574D
Hammering finished.



aacskeys j 86c48635f69a116990a78741edde574d

aacskeys v0.2.8


Could not find a Processing Key or Device Key resulting in the Media Key.

Aborting...




Edit 1:

Okay, I think I found the "Error": I used the other processing key yet " 455FE10422CA29C4933F95052B792AB2 "

edit 2:

hmm the key

Volume Unique Key: D0648FF3A68CF94A8E6FC900DEEB56BE
Unit Key File Hash (DiscID): 509A0A831370A1B4865802D29E05B26C69211B
Encrypted Unit Key 1: 2AA6415E92A27E2EFBAB4779F8522D52

Decrypted Unit Key 1: 6034C6A8459D212E1C00C9C4E98FF868


Doesn't work :-/ can't decrypt the movie :-(.

arnezami
27th June 2007, 18:52
Hey! my friends!

Got a new Blu-ray disc today, aacskeys 0.2.8 doesn't work?? Did I do anything wrong?

It's a new movie, 4 days out here in our shops.




Edit 1:

Okay, I think I found the "Error": I used the other processing key yet " 455FE10422CA29C4933F95052B792AB2 "

edit 2:

hmm the key

Volume Unique Key: D0648FF3A68CF94A8E6FC900DEEB56BE
Unit Key File Hash (DiscID): 509A0A831370A1B4865802D29E05B26C69211B
Encrypted Unit Key 1: 2AA6415E92A27E2EFBAB4779F8522D52

Decrypted Unit Key 1: 6034C6A8459D212E1C00C9C4E98FF868


Doesn't work :-/ can't decrypt the movie :-(.

Does the "Decrypted verification data" start with 0123456789ABCDEF ? If so the Processing Key is working.

Can you copy-paste the verbose output here so I can better see what is going on. And when trying to decrypt always copy-paste (better not re-type). One bit wrong and it won't work. Try the Volume ID again too...

Does the movie play in PowerDVD btw? What does AnyDVD do?

arnezami

mrazzido
27th June 2007, 19:05
I didn't try AnyDVD yet.

PowerDVD starts the movie but some seconds later it stops because of the non-HDCP / HDMI monitor, only DVI.


Hmm, I see something wrong with the volume ID.
It's all zero.


aacskeys v0.2.8

Current path: C:\Users\acid
Processing key: 455FE10422CA29C4933F95052B792AB2
Encrypted C-value: C3934F6EC5B1AE06E15C727D2CE9BD8F
Corresponding uv: 00000049

Decrypted C-value: 72FD3676B3F7FCC7D186813DA5C26D9B
Media key: 72FD3676B3F7FCC7D186813DA5C26DD2

Encrypted verification data: 6548954A05889EB63FA0DB52D4356B5B
Decr verif data should be: 0123456789ABCDEF
Decrypted verification data: 0123456789ABCDEF72F0033722AB4B0C

Drive FW info: AL06 R___

AGID: 01

Host certificate from: Power DVD 7.1
Host certificate (Hcert): 0200005CFFFF0000000C00006E3DEB679B9A16AD
FAA8E30878767BA6EB2A9B415385AD1181B4446C
31E9A5DD2AB808B364FF15885BAC490964318C9B
F8029FCF76F688A54FBDA03F6D9332EF04E5A613
12DA85880A4D9CBB79D8602E
Host Private Key (Hpriv): 4737676058D7029452514F0AB186DC4CCA8C578F
Host Nonce (Hn): 2923BE84E16CD6AE529049F1F1BBE9EBB3A6DB3C

Drive certificate (Dcert): ########################################
########################################
########################################
########################################
########################
Drive Nonce (Dn): ########################################

Drive key point (Dv): ########################################
########################################
Drive key signature (Dsig): ########################################
########################################

Host key (Hk): 5613E7F89B11D9CAA27B610A1096332BEED86BC4
Host key point (Hv): 8A60C80BD60C23605FBE90B27BF96B2DB38195C1
801F54EB29E0F6EC57AC2B9168E88B2D56977508
Host key signature (Hsig): ########################################
########################################

Drive signature wrong/error
Bus key (BK): ################################

Volume ID: 00000000000000000000000000000000
Volume ID MAC: ################################
Volume ID MAC should be: ################################

Volume Unique Key: D0648FF3A68CF94A8E6FC900DEEB56BE
Unit Key File Hash (DiscID): 509A0A831370A1B4865802D29E05B26C69211B3C
Encrypted Unit Key 1: 2AA6415E92A27E2EFBAB4779F8522D52

Decrypted Unit Key 1: 6034C6A8459D212E1C00C9C4E98FF868

arnezami
27th June 2007, 20:05
Hmm, I see something wrong with the volume ID.
It's all zero.

Yep. You need to do this:

aacskeys j 86c48635f69a116990a78741edde574d

In fact you did that earlier, see your post above (but then you didn't use the right processing key yet). So just do it again now. It should work :).

mrazzido
27th June 2007, 21:05
thx for help workxx *g

Immie
6th July 2007, 03:54
I think I found a problem, no matter what version of aacskeys I use, it keeps crashing after giving me just the basic keys and noticed something:

Error opening Title Key/Unit Key File: g:\AACS\VTKF000.AACS

Well, my disc doesn't have a VTKF000.AACS file. It's named something else. I've got VTKF090.AACS and VTKF100.AACS. Is there any way we can get the program updated to work with alternate VTKF files?

In case anyone is curious, this disc is the Freedom anime HD-DVD/DVD episode 1 from Bandai Visual.

arnezami
6th July 2007, 07:19
I think I found a problem, no matter what version of aacskeys I use, it keeps crashing after giving me just the basic keys and noticed something:

Error opening Title Key/Unit Key File: g:\AACS\VTKF000.AACS

Well, my disc doesn't have a VTKF000.AACS file. It's named something else. I've got VTKF090.AACS and VTKF100.AACS. Is there any way we can get the program updated to work with alternate VTKF files?

In case anyone is curious, this disc is the Freedom anime HD-DVD/DVD episode 1 from Bandai Visual.
Hmmm. Interesting. Could you give the directory listing of the AACS dir?

Thanks.

arnezami

PS. Read your pms.

Immie
6th July 2007, 08:05
Hmmm. Interesting. Could you give the directory listing of the AACS dir?

Thanks.

arnezami

PS. Read your pms.

Sent you a PM about this. Thanks.

sl1pkn07
13th July 2007, 03:23
hi

arnezami: aacskeys v0.2.8 runs on linux? (not include sources)

arnezami
26th July 2007, 18:29
Just a quicky:

I'm totally swamped atm. Will be back. Please have patience ;).

sxt173
28th July 2007, 17:03
@ arnezami

Thanks for this great tool, but having small problem that I can't get sorted out.

When I try to run it off of my C: drive, I get:
C:\>aacskeys k v
aacskeys v0.2.8

Current Path c:\
Could not open file: C:\\ProcessingDeviceKeysSimple.txt

I'm getting same message whichever location I try to run aacskeys from.. any ideas?

SvT
28th July 2007, 17:10
@ arnezami

Thanks for this great tool, but having small problem that I can't get sorted out.

When I try to run it off of my C: drive, I get:
C:\>aacskeys k v
aacskeys v0.2.8

Current Path c:\
Could not open file: C:\\ProcessingDeviceKeysSimple.txt

I'm getting same message whichever location I try to run aacskeys from.. any ideas?

Make sure the file "ProcessingDeviceKeysSimple.txt" is in the same dir. You can find a copy of the file in this link.

http://forum.doom9.org/showthread.php?p=1014933#post1014933

Good luck!

sxt173
31st July 2007, 05:49
Make sure the file "ProcessingDeviceKeysSimple.txt" is in the same dir. You can find a copy of the file in this link.

http://forum.doom9.org/showthread.php?p=1014933#post1014933

Good luck!

@ SvT
That was it, Thanks! Works great now.

MrWizard
3rd August 2007, 08:27
hi

arnezami: aacskeys v0.2.8 runs on linux? (not include sources)
I just tried it under Wine 0.9.42 and it worked fine. A native build would be nice, but this works for me for now :)

dk75
3rd August 2007, 21:41
I just tried it under Wine 0.9.42 and it worked fine. A native build would be nice, but this works for me for now :)

Did you use it with an HD DVD drive or with a mounted image? I can't obtain the VUK from a mounted image:

login@host:~/aacskey$ wine aacskeys.exe L: v
aacskeys v0.2.8

Current path: E:\aacskey
Processing key: 09F911029D74E35BD84156C5635688C0
Encrypted C-value: 47BEA12C44440DEDDAFCF95673C16D69
Corresponding uv: 00000001

Decrypted C-value: 9EA73F392FC815DABFF2FC8A20D0BA4F
Media key: 9EA73F392FC815DABFF2FC8A20D0BA4E

Encrypted verification data: F84AA53687CBA97A30353D959DB1984D
Decr verif data should be: 0123456789ABCDEF
Decrypted verification data: 0123456789ABCDEFBA41C7D9D209A3E2

Could not create handle for CD/DVD device.
Drive FW info:

All AGIDs in use, aborting.

KenD00
3rd August 2007, 23:31
You can't obtain a VUK from a mounted image because you need the VID for that which is not in a mounted image because it cannot be copied from the disc.

:rolleyes:

dk75
4th August 2007, 08:20
hm... right:

login@host:~/aacskey 0.32$ wine aacskeys.exe L: v v
aacskeys v0.2.8

Current path: E:\aacskey 0.32
Processing key: 09F911029D74E35BD84156C5635688C0
Encrypted C-value: 47BEA12C44440DEDDAFCF95673C16D69
Corresponding uv: 00000001

Decrypted C-value: 9EA73F392FC815DABFF2FC8A20D0BA4F
Media key: 9EA73F392FC815DABFF2FC8A20D0BA4E

Encrypted verification data: F84AA53687CBA97A30353D959DB1984D
Decr verif data should be: 0123456789ABCDEF
Decrypted verification data: 0123456789ABCDEFBA41C7D9D209A3E2

Volume ID: 00000000000000000000000000000000
Volume Unique Key: 9D1542E520DA01F22A053E29336DD4C9
Unit Key File Hash (DiscID): E139051278CF873697A370FC10527D4854E35681
Encrypted Unit Key 1: 306DFD64F7159FBAAAD56D28C879ECD0

Decrypted Unit Key 1: B69A4B6435C518B1262012A2065986AE


so what I need now is... aacskeys for PS3, but the files posted a few pages away on sendspace aren't available now.

Speediakal
6th August 2007, 19:33
does anyone know the 300 Blu-Ray US AACS Key? I'm trying to rip it and decrypt it from my PS3 using BackupBluray.

peau
25th August 2007, 07:15
I've been reading this and related threads for the last week or so and have backed up and decrypted Blu-rays using a PS3 and Windows comp, assuming I have a released key combination for that movie, but I have had no luck in obtaining a working combination of keys using either Linux on the PS3 or the files in the AACS folder. I was wondering, though, if this quest to get keys using a Blu-ray drive in a PS3 and/or using a backup to get it to play was still alive. Curious if anyone has done this successfully as of yet, and through what means. Thanks in advance.

dk75
25th August 2007, 12:26
Wrong thread dude...
This thread is for Windows decrypting with BD-ROM/Writer connected directly to PC only (since aacskeys isn't for PS3 right now).

If you want to use PS3 & Windows for decrypting then you are interested in this thread: http://forum.doom9.org/showthread.php?t=124841

d0ORk
28th August 2007, 09:47
Hello. I got a Blu-ray which I can't seem to decrypt properly.
AACSKEYS gives me the following:

Processing key: 09F911029D74E35BD84156C5635688C0
Encrypted C-value: 0B26C036A16F301B63B553B007A96F08
Corresponding uv: 00000001

Decrypted C-value: D3388BD9EB29DF366355717DA76BB915
Media key: D3388BD9EB29DF366355717DA76BB914

Encrypted verification data: 7E912AD0AE711FD9FED482CB7E765721
Decr verif data should be: 0123456789ABCDEF
Decrypted verification data: E8F80D4DC4ADFAE42A0C90997AA7A6EE

AGID: 00

Host certificate from: Power DVD 7.1
Host certificate (Hcert): 0200005CFFFF0000000C00006E3DEB679B9A16AD
FAA8E30878767BA6EB2A9B415385AD1181B4446C
31E9A5DD2AB808B364FF15885BAC490964318C9B
F8029FCF76F688A54FBDA03F6D9332EF04E5A613
12DA85880A4D9CBB79D8602E
Host Private Key (Hpriv): 4737676058D7029452514F0AB186DC4CCA8C578F
Host Nonce (Hn): 2923BE84E16CD6AE529049F1F1BBE9EBB3A6DB3C

Drive certificate (Dcert): ########################################
########################################
########################################
########################################
########################
Drive Nonce (Dn): ########################################

Drive key point (Dv): ########################################
########################################
Drive key signature (Dsig): ########################################
########################################

Host key (Hk): 0000000000000000000000000000000000000000
Host key point (Hv): 8E9B0E3CF41FA7DA3A829F604122EA4ED5261AA4
7570CE0BB9061A66FAF92C4A7D98ACC171CBF19B
Host key signature (Hsig): ########################################
########################################

Bus key (BK): ################################

Volume ID: 1BC7547FAF328373663731A98DC539D7
Voluem ID MAC: ################################

Volume Unique Key: B6664DC1AD4063C0AEB4553B2E0D460D
Encrypted Unit Key 1: 77D36C9D8113B3E88B50F3D339E1885B

Decrypted Unit Key 1: E8169FE9805700C64F29C4545D4D5412


and the newest aacskeys 0.2.8:

Processing key: 455FE10422CA29C4933F95052B792AB2
Encrypted C-value: 6062BAA9905525D7D6D0B2B023D63DE2
Corresponding uv: 00000049

Decrypted C-value: A29EEF856B39D75A7ABCD5ED78BDC1B4
Media key: A29EEF856B39D75A7ABCD5ED78BDC1FD

Encrypted verification data: 7E912AD0AE711FD9FED482CB7E765721
Decr verif data should be: 0123456789ABCDEF
Decrypted verification data: 0123456789ABCDEF72724A82FB5715C4

Drive FW info: 1.01 07/05/15 PIONEER

AGID: 00

Host certificate from: Power DVD 7.1
Host certificate (Hcert): 0200005CFFFF0000000C00006E3DEB679B9A16AD
FAA8E30878767BA6EB2A9B415385AD1181B4446C
31E9A5DD2AB808B364FF15885BAC490964318C9B
F8029FCF76F688A54FBDA03F6D9332EF04E5A613
12DA85880A4D9CBB79D8602E
Host Private Key (Hpriv): 4737676058D7029452514F0AB186DC4CCA8C578F
Host Nonce (Hn): 2923BE84E16CD6AE529049F1F1BBE9EBB3A6DB3C

Drive certificate (Dcert): ########################################
########################################
########################################
########################################
########################
Drive Nonce (Dn): ########################################

Drive key point (Dv): ########################################
########################################
Drive key signature (Dsig): ########################################
########################################

Host key (Hk): 5613E7F89B11D9CAA27B610A1096332BEED86BC4
Host key point (Hv): 8A60C80BD60C23605FBE90B27BF96B2DB38195C1
801F54EB29E0F6EC57AC2B9168E88B2D56977508
Host key signature (Hsig): ########################################
########################################

Bus key (BK): ################################

Volume ID: 1BC7547FAF328373663731A98DC539D7
Volume ID MAC: ################################
Volume ID MAC should be: ################################

Volume Unique Key: 6F4B8F19CF714805E553A17676233C25
Unit Key File Hash (DiscID): 4E008BADC49CCAB1BFB24115DC6049C2886FE0E5
Encrypted Unit Key 1: 77D36C9D8113B3E88B50F3D339E1885B

Decrypted Unit Key 1: F9713FF049FAAAB4C771A6E59CA22896


I think the first one is right but it doesn't show the Unit Key File Hash (DiscID) which I need for DumpHD or should I take the VUK from the first one and the DiscID from the second as DumpHD shows this DiscID anyway.

DumpVid didn't show anything.

Thanks in advance

jack_wuwei
7th September 2007, 08:16
I tested aacskeys 0.2.8. The disc is Basic Instinct 2. aacskeys 0.2.8 output:
D:\aacskeys_v0.2.5>aacskeys2.8.exe h v
aacskeys v0.2.8

Current path: D:\aacskeys_v0.2.5
Device key: AA856A1BA814AB99FFDEBA6AEFBE1C04
Processing key: 09F911029D74E35BD84156C5635688C0
Encrypted C-value: 31A883FE8F48B6EB731F7D390A0900D0
Corresponding uv: 00000001

Decrypted C-value: CF8642753C67C52EC9A077D25259B530
Media key: CF8642753C67C52EC9A077D25259B531

Encrypted verification data: 0D233917C27E8084DFCE1CAAAF5F440B
Decr verif data should be: 0123456789ABCDEF
Decrypted verification data: 0123456789ABCDEF002705C060959863

Drive FW info: AL07 R___

AGID: 01

Host certificate from: Power DVD 7.1
Host certificate (Hcert): 0200005CFFFF0000000C00006E3DEB679B9A16AD
FAA8E30878767BA6EB2A9B415385AD1181B4446C
31E9A5DD2AB808B364FF15885BAC490964318C9B
F8029FCF76F688A54FBDA03F6D9332EF04E5A613
12DA85880A4D9CBB79D8602E
Host Private Key (Hpriv): 4737676058D7029452514F0AB186DC4CCA8C578F
Host Nonce (Hn): 2923BE84E16CD6AE529049F1F1BBE9EBB3A6DB3C

Drive certificate (Dcert): ########################################
########################################
########################################
########################################
########################
Drive Nonce (Dn): ########################################

Drive key point (Dv): ########################################
########################################
Drive key signature (Dsig): ########################################
########################################

Host key (Hk): 5613E7F89B11D9CAA27B610A1096332BEED86BC4
Host key point (Hv): 8A60C80BD60C23605FBE90B27BF96B2DB38195C1
801F54EB29E0F6EC57AC2B9168E88B2D56977508
Host key signature (Hsig): ########################################
########################################

Drive signature wrong/error
Bus key (BK): ################################

Volume ID: 00000000000000000000000000000000
Volume ID MAC: ################################
Volume ID MAC should be: ################################

Volume Unique Key: 100A216C1F714C0CB1970D73C33A0741
Unit Key File Hash (DiscID): 32E4DE0056128E0A88147D46BA8A98E95648CBBB
Encrypted Unit Key 1: DB55EDC19B31E13742E0EED21DA4A8DA

Decrypted Unit Key 1: 6133B7AD32B6518716B1DBF9552854C7

The key is wrong; the right key is EB7DF18EF85EBB9CA12CAC4A4448EB27

jack_wuwei
7th September 2007, 08:17
BTW: I can play the disc with PowerDVD 7.3

SvT
7th September 2007, 11:55
Volume ID: 00000000000000000000000000000000
Volume ID MAC: ################################
Volume ID MAC should be: ################################


There's something wrong with the volume ID, I think.
It's all zero.

I think you can get the VUK with dumpvid and use that for aacskeys:

See this post: http://forum.doom9.org/showthread.php?p=1019403#post1019403

Good luck

gioowe
7th September 2007, 13:16
The volume id is all zero if the drive does not accept the host (certificate) and authentication fails. "Drive signature wrong/error" is another indicator. The drive deliberately returns an incorrect signature if it rejects the host.

Someone could update aacskeys to read the MKBROM from the drive to check for revoked host certificates. Would be another nice feature :)

jack_wuwei
10th September 2007, 08:05
I really appreciate Svt and Gioowe’s help. I tried the method from http://forum.doom9.org/showthread.php?p=1019403#post1019403. At last, I got the right key by using DumpVID and the aacskeys software. But it is not so convenient, because DumpVID needs to run player software.

I used to get the right key only by running aacskeys. However, aacskeys cannot get the right key after playing the movie Speed the other day. This happens on both the DVD driver and pc. I doubt that the disc has recorded a kind of blacklist which contains the revealed Device Key. When the disc is played, the blacklist is written into the flash in the dvd driver. Therefore, aacskeys cannot get the right key. I tried to change the device key several times, but got the same wrong key.

BTW: PowerDVD 7.3 can play normally, and AnyDVD HD 6.1.7.0 also can do that.

KenD00
10th September 2007, 14:55
I doubt that the disc has recorded a kind of blacklist which contains the revealed Device Key

And exactly that it has. Well, almost: not the found Processing Key is blacklisted but the Host Certificate aacskeys uses. Unless the community finds a new Host Certificate, the only way for BluRay users to get the VID is the DumpVID method. Enjoy the power of AACS which gives you the good feeling that you don't need to worry about using the disc in a way the content owner has not licensed it to you (hmm, I think this sentence is copyrighted by some AACS spokesperson, hopefully they won't sue me for using it without permission *g*).

:rolleyes:

gioowe
10th September 2007, 20:48
Someone able to "send" the new host revocation list? First 1024 bytes of MKBROM. I'm just curious...

jack_wuwei
11th September 2007, 04:38
Someone able to "send" the new host revocation list? First 1024 bytes of MKBROM. I'm just curious...

How to get the first 1024 bytes of MKBROM?

gioowe
11th September 2007, 22:15
By using any hex-viewer / hex-editor on X:\AACS\MKBROM.AACS

The first 256 bytes should be enough.

KenD00
11th September 2007, 23:39
This is the Host Revocation List record from an MKBv3 (excluding the preceding Record Type and Record Length fields).

00000006000000060009FFFF0000000B0002FFFF000000210003FFFF000000260003FFFF000000350002FFFF0000004E0003FFFF00000054336ED852525410754F0D1221EC3BC425C621E3B580EF60673FACECFBAD3BD70DEC706B70C4E8AF87

:rolleyes:

gioowe
12th September 2007, 18:53
===============================================
RECORD >>> Type, Version (3.2.5.1)
===============================================
000000 10 Record Type = 16 --
------ -----------------------------------------------
000001 00 00 0C Record Size = 12 OK
------ -----------------------------------------------
000004 00 04 10 03 MKB Type = 266243 OK
------ -----------------------------------------------
000008 00 00 00 03 Version Number = 3 --
------ -----------------------------------------------

===============================================
RECORD >>> Host Revocation (3.2.5.3)
===============================================
00000C 21 Record Type = 33 --
------ -----------------------------------------------
00000D 00 00 64 Record Size = 100 OK
------ -----------------------------------------------
000010 00 00 00 06 Total Number of Entries = 6 --
------ -----------------------------------------------
000014 00 00 00 06 Number of Entries in Block #1 = 6 OK
------ -----------------------------------------------
000018 00 09 FF FF 00 00 00 0B Revocation #1 = FFFF0000000B..0014 --
------ -----------------------------------------------
000020 00 02 FF FF 00 00 00 21 Revocation #2 = FFFF00000021..0023 --
------ -----------------------------------------------
000028 00 03 FF FF 00 00 00 26 Revocation #3 = FFFF00000026..0029 --
------ -----------------------------------------------
000030 00 03 FF FF 00 00 00 35 Revocation #4 = FFFF00000035..0038 --
------ -----------------------------------------------
000038 00 02 FF FF 00 00 00 4E Revocation #5 = FFFF0000004E..0050 --
------ -----------------------------------------------
000040 00 03 FF FF 00 00 00 54 Revocation #6 = FFFF00000054..0057 --
------ -----------------------------------------------
000048 33 6E D8 52 52 54 10 75
000050 4F 0D 12 21 EC 3B C4 25 C6 21 E3 B5 80 EF 60 67
000060 3F AC EC FB AD 3B D7 0D EC 70 6B 70 C4 E8 AF 87 Signature of Block VERIFIED
------ -----------------------------------------------


:thanks:

MKBROM v3 in human readable form.
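
The record layout shown in the dump above, as an added Python example that is not part of the thread or of aacskeys: it parses the Host Revocation List bytes posted by KenD00 and tests a host ID against the revoked ranges. The function names, the loop over more than one signature block, and reading bytes 4-9 of the Hcert printed earlier in the thread as the host ID are assumptions; the block signature is carried along but not verified.

```python
import struct

# Record rebuilt from the thread: type 0x21 and 3-byte size 0x000064 (from the
# annotated dump) followed by the payload and signature KenD00 posted.
HRL_RECORD = bytes.fromhex(
    "21000064"
    "00000006" "00000006"
    "0009FFFF0000000B" "0002FFFF00000021" "0003FFFF00000026"
    "0003FFFF00000035" "0002FFFF0000004E" "0003FFFF00000054"
    "336ED852525410754F0D1221EC3BC425C621E3B580EF6067"
    "3FACECFBAD3BD70DEC706B70C4E8AF87"
)
# Assumption: bytes 4-9 of the Hcert shown in the thread are the host ID.
HOST_ID = bytes.fromhex("FFFF0000000C")

HOST_REVOCATION_TYPE = 0x21
ENTRY_LEN = 8        # 2-byte range + 6-byte host ID
SIGNATURE_LEN = 40   # per-block signature, NOT verified by this example


def parse_host_revocation(record: bytes):
    """Return (ranges, signatures); ranges are inclusive (first, last) ints."""
    if len(record) < 8:
        raise ValueError("record shorter than its fixed header")
    rec_size = int.from_bytes(record[1:4], "big")  # counts the 4 header bytes
    if record[0] != HOST_REVOCATION_TYPE:
        raise ValueError(f"unexpected record type {record[0]:#04x}")
    if rec_size < 8 or rec_size > len(record):
        raise ValueError("record size field inconsistent with data")
    body = record[4:rec_size]
    (total,) = struct.unpack_from(">I", body, 0)
    pos, ranges, signatures = 4, [], []
    while len(ranges) < total:  # assumption: blocks repeat until total is met
        if pos + 4 > len(body):
            raise ValueError("truncated block header")
        (count,) = struct.unpack_from(">I", body, pos)
        pos += 4
        need = count * ENTRY_LEN + SIGNATURE_LEN
        if count == 0 or len(ranges) + count > total or pos + need > len(body):
            raise ValueError("block entry count inconsistent with record")
        for _ in range(count):
            (span,) = struct.unpack_from(">H", body, pos)
            first = int.from_bytes(body[pos + 2:pos + 8], "big")
            ranges.append((first, first + span))  # span = extra IDs covered
            pos += ENTRY_LEN
        signatures.append(body[pos:pos + SIGNATURE_LEN])
        pos += SIGNATURE_LEN
    return ranges, signatures


def is_revoked(host_id: bytes, ranges) -> bool:
    """True if the 6-byte host ID falls inside any revoked range."""
    if len(host_id) != 6:
        raise ValueError("host ID must be 6 bytes")
    value = int.from_bytes(host_id, "big")
    return any(first <= value <= last for first, last in ranges)


if __name__ == "__main__":
    revoked_ranges, _ = parse_host_revocation(HRL_RECORD)
    for first, last in revoked_ranges:
        print(f"{first:012X}..{last & 0xFFFF:04X}")
    print("host", HOST_ID.hex().upper(), "revoked:",
          is_revoked(HOST_ID, revoked_ranges))
```

A player or drive would verify each block signature before trusting the list; that step needs the licensing authority's public key, which is not on this page.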

mrazzido
16th September 2007, 22:11
today i got Dirty Dancing 20th anniversary BD Disc

when i try to use AACSKEYS

i got the following error :

Drive signature wrong/error
Volume Unique Key: 15AD8D1B9251FD2E46E328B2D1D1B4DB
Unit Key File Hash (DiscID): 88D4FEB81412EF57515928025B6427048DB3ECC9

when i try DUMPVID

Drive type is recognised as CDROM/DVD.

Sending SPC1 Test Unit CDB6 command..done.
Returned good status.

Press ENTER to start hammering

Hammering drive...
vid: 89037DEBD3673F9B6BE3B48AD5B4B346
Hammering finished.



i have LITE-ON LH-2B1S with latest firmware.

KenD00
17th September 2007, 20:40
This is not the first time someone asks this, so to get this finally cleared:

Current aacskeys cannot retrieve the Volume ID from any drive that has been used with a MKBv3 disc (EXCEPT the Xbox 360 HD-DVD AddOn) because its used Host Certificate has been revoked.

:rolleyes:

sillyfaith
9th October 2007, 19:01
Hi All,

I am pretty new here... so I apologize in advance in case I am asking an obvious question.
I was checking the program provided by arnezami (who seems to be a genius :)) and I noticed that when calculating the bus_key he skipped (4 + 1) bytes. I could understand that the 1 byte is due to the uncompressed code (which he commented). But I do not understand why he needed to skip 4 more bytes?!!! Any idea guys?

Thanks
Faith

gioowe
9th October 2007, 20:56
The bus key is 128 bits, the calculated ECDSA point is 160 bits wide. Therefore the msb 32 bits are skipped.

1 additional byte is skipped for signed/unsigned reasons. One additional byte is added with 00h/FFh resp.

sillyfaith
10th October 2007, 19:06
The bus key is 128 bits, the calculated ECDSA point is 160 bits wide. Therefore the msb 32 bits are skipped.

1 additional byte is skipped for signed/unsigned reasons. One additional byte is added with 00h/FFh resp.

I see, so what you are saying is that the data is represented as MSB first, right?

:thanks:

Faith

PSD83
21st October 2007, 06:42
Everyone here is amazing!