Welcome to Doom9's Forum, THE in-place to be for everyone interested in DVD conversion.

Before you start posting please read the forum rules. By posting to this forum you agree to abide by the rules.

 

Go Back   Doom9's Forum > General > Decrypting

Reply
 
Thread Tools Search this Thread Display Modes
Old 6th February 2007, 13:12   #41  |  Link
jokin
Dwight Schrute's homeboy
 
Join Date: Jan 2007
Location: The Office
Posts: 136
Quote:
Originally Posted by arnezami View Post
Code:
Lentgh Code: 00 22 00 00
  Volume ID: 40 00 04 06 32 04 20 11 57 47 48 44 56 4D 00 00 
        MAC: xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx
Thats a Volume ID indeed. And the unqiue 12 bytes are much more random in this case (although the last six sort of look like ascii characters: assuming you got this from WinHex: how does it show up in the Ascii part of WinHex?). What movie/distributer is this from?

I still see structure. Maybe we can figure out what it stands for (like the date/time thing in my example).

arnezami

PS. Its best to remove the MAC bytes like I just did for your own protection.
It is a memory dump I still had when I found the volume key for Apollo 13 from Universal studios.
Attached Images
 
jokin is offline   Reply With Quote
Old 6th February 2007, 13:52   #42  |  Link
evdberg
Registered User
 
Join Date: Dec 2006
Posts: 202
Quote:
Originally Posted by zeroprobe View Post
disc not disks.
You mean disk ... disc is UK, disk US ... and since Silicon Valley is in the US ... disk is used with computer related round objects, disc is used for other round objects ... curious enough the CD is Compact Disc, most likely because the CD was not related to computers when it was invented.

Last edited by evdberg; 6th February 2007 at 14:00.
evdberg is offline   Reply With Quote
Old 6th February 2007, 17:43   #43  |  Link
The_ByteMaster
(Trial period expired!)
 
Join Date: Jan 2007
Location: Halifax, NS, CANADA
Posts: 17
Quote:
Originally Posted by evdberg View Post
You mean disk ... disc is UK, disk US ... and since Silicon Valley is in the US ... disk is used with computer related round objects, disc is used for other round objects ... curious enough the CD is Compact Disc, most likely because the CD was not related to computers when it was invented.
OFFTOPIC
Actually "Disc" is in the definition, just like you said
CD = Compact Disc
DVD = Digital Versatile Disc

Usually, "The Queen's English" is used for these matters.

The trailing D's are defined to mean "Disc". That is why "backing up your compact disc to your hard disk" looks funny but is correct in U.S. english.
/OFFTOPIC

ONTOPIC
I think it's great when we can find another way in, aside from using the volume unique keys. You bet software players are going to be hardened against these kinds of attacks. Snooping keys off a USB bus combined with knowledge of a "secret" device key might be the only way to go 2 years from now. For now there's no reason not to use the volume unique keys, but you have to be prepared when AACS LA is taking it to the next level.
The_ByteMaster is offline   Reply With Quote
Old 6th February 2007, 19:47   #44  |  Link
arnezami
Registered User
 
Join Date: Sep 2006
Posts: 390
Quote:
Originally Posted by jokin View Post
Is this the right area?

Code:
00 00 22 00 00 40 00 04 06 32 04 20 11 57 47 48 44 56 4D 00 00
Does anybody have more Volume IDs of this form? Do you by any chance jokin?

In order to find a pattern or see what parts of the Volume IDs are different between different movies we need to have more Volume IDs. You can read the beginning of this thread to see how to extract Volume IDs. The more we have the better . Especially the one with no date/time (like the one from jokin). If we find a pattern we don't have to extract these Volume IDs anymore since we can then "guess" them (where "guessing" means: trying millions at a time using a computer). So even if we get a hint of a pattern that might be good enough.

Its also interesting to know that there are now two different versions.

First the ones with date/time in it:

- King Kong (USA) / 09-18-2006 / Universal studios / IME
- Manchurian Candidate (???) / 05-31-2006 / ??? / IME??

Then the one(s) with 6 ascii characters in it (and maybe two 24 bit numbers?) :

- Apollo 13 (???) / Universal studios / IME?? (ascii chars: WGHDVM - is this an Acronym?)

It would be good to have more of these (and there may be more groups) so we can maybe figure this out.

As for the different MKBs and Media Keys: I think its pretty clear that they are different on every disc. So we need to get a Processing Key (or sub Device keys) to be able to decrypt different discs**.

arnezami

** It can be proven whether or not one Processing Key can be used to decrypt every disc released so far: if the Explicit Subset-Difference Record is the same on every disc (I'm pretty sure it is) then the same Processing Key can be used. This Subset Record starts at position 0x0704 in my MKBROM.AACS file and the first 16 bytes are: 04000A1017000000011700800001. Please somebody check if its the same on at least two discs.

Last edited by arnezami; 6th February 2007 at 21:49.
arnezami is offline   Reply With Quote
Old 6th February 2007, 20:13   #45  |  Link
evdberg
Registered User
 
Join Date: Dec 2006
Posts: 202
You won't give up, won't you? But anyway, I checked 2 disks for you and guess what: the value starting at 0x704 is indeed the same! Please note that you only gave 14 bytes of data, but most likely the last 2 bytes are 1701.
I am not sure what you looking at. All I see is a repeating 5 bytes pattern in which the 2nd byte is increased by 1 every 2 patterns, and the 3rd byte is alternatively 0x00 and 0x80. It looks like counting 0, 0.5, 1, 1.5, 2, etc.

Last edited by evdberg; 6th February 2007 at 20:21.
evdberg is offline   Reply With Quote
Old 6th February 2007, 20:34   #46  |  Link
arnezami
Registered User
 
Join Date: Sep 2006
Posts: 390
Quote:
Originally Posted by evdberg View Post
You won't give up, won't you? But anyway, I checked 2 disks for you and guess what: the value starting at 0x704 is indeed the same! Please note that you only gave 14 bytes of data, but most likely the last 2 bytes are 1701.
I am not sure what you looking at. All I see is a repeating 5 bytes pattern in which the 2nd byte is increased by 1 every 2 patterns, and the 3rd byte is alternatively 0x00 and 0x80. It looks like counting 0, 0.5, 1, 1.5, 2, etc.
Well you were right about the Media Keys being different. I assumed they wouldn't do that and I was wrong.

In this case though I know the Processing Key is able to decrypt multiple discs (which is what our aim is ) because of the algo used leads to the same position in the tree (because all the subsets are identical) with all these discs. And the position essentially determines which Processing Key you end up with. Its the C-values that make the Media Key different on every disc. These C-values are inside the Media Key Data Record which start at 0x1114 in my MKBROM.AACS file and starts with 0500xxxx followed by many C-values of 16 bytes each. If Media Keys are different then these C-values should be too. Just check it.

arnezami

Last edited by arnezami; 6th February 2007 at 20:55.
arnezami is offline   Reply With Quote
Old 6th February 2007, 21:32   #47  |  Link
blutach
Country Member
 
blutach's Avatar
 
Join Date: Sep 2004
Location: is everything!
Posts: 6,499
Can we leave the spelling and grammar to another place please?

Regards
__________________
Les

Only use genuine Verbatim or Taiyo Yuden media.
blutach is offline   Reply With Quote
Old 6th February 2007, 22:50   #48  |  Link
pacman2006
Registered User
 
Join Date: Dec 2006
Posts: 11
Quote:
Originally Posted by arnezami View Post

- Apollo 13 (???) / Universal studios / IME?? (ascii chars: WGHDVM - is this an Acronym?).
HDVM is the basic subset of graphics for menus and subtitles. According to a discussion here:
http://forums.appleinsider.com/archi...59917-p-5.html

It's just a guess. Also, Don't know about WG.
pacman2006 is offline   Reply With Quote
Old 6th February 2007, 22:59   #49  |  Link
arnezami
Registered User
 
Join Date: Sep 2006
Posts: 390
Quote:
Originally Posted by pacman2006 View Post
HDVM is the basic subset of graphics for menus and subtitles. According to a discussion here:
http://forums.appleinsider.com/archi...59917-p-5.html

It's just a guess. Also, Don't know about WG.
Ok. Thanks. This definatly feels like its not random. And thats important.

It would be sweet if we could get another one of these Volume IDs extracted and see if the "WG HDVM" changes. If not than we wouldn't have to worry about that part being random/changable (this is important is you have to guess parts of the Volume ID: the more is fixed the better).
arnezami is offline   Reply With Quote
Old 7th February 2007, 00:10   #50  |  Link
Ishan
Anime Vampire
 
Ishan's Avatar
 
Join Date: Nov 2002
Location: Earth, Solar system, Milky way, Universe.
Posts: 126
I got the VID for Serenity (US), you're gonna laugh I guess

Code:
00000000: 00 22 00 00 40 00 53 45 52 45 4e 49 54 59 20 20
00000010: 20 20 00 00 xx xx xx xx xx xx xx xx xx xx xx xx
00000020: xx xx xx xx
Wich of the 12 bytes "UniqueNumber" translate in ascii to :

Code:
"SERENITY    "
I'm not kidding, check for yourself
Ishan is offline   Reply With Quote
Old 7th February 2007, 00:43   #51  |  Link
mrazzido
Registered User
 
mrazzido's Avatar
 
Join Date: Jan 2007
Posts: 114
hey

is volume id in blu-ray avaible is it useable? i can try to put my bluray burner in a usb case and sniff the usb port.
mrazzido is offline   Reply With Quote
Old 7th February 2007, 04:56   #52  |  Link
awhitehead
Registered User
 
Join Date: Jan 2007
Location: Tel-Aviv, Israel
Posts: 185
Title: Full Metal Jacket (US)
Studio: Warner Brothers
Modification Date: 4/17/2006 8:57 PM
UDF volume name: FULL_METAL_JACKET

USBsnoop log:
Code:
 TransferBufferMDL    = 83b06f88
    00000000: 00 22 00 00 40 00 46 55 4c 4c 4d 45 54 41 4c 4a
    00000010: 41 43 00 00 xx xx xx xx xx xx xx xx xx xx xx xx
    00000020: xx xx xx xx
  UrbLink              = 00000000
[56868 ms]
HEX to ASCII translates this to FULLMETALJAC



MKBROM.AACS:
Code:
00000070 8D FF 1D E9 81 00 00 14 02 74 7B 32 9D 76 6C C7
00000080 C4 7F E4 04 DA 71 94 3D 7F 00 00 70 28 43 29 20 
00000090 43 6F 70 79 72 69 67 68 74 20 32 30 30 36 2C 20
Hope this helps!

Andy

Last edited by awhitehead; 7th February 2007 at 05:02. Reason: Added HEX to ASCII translation
awhitehead is offline   Reply With Quote
Old 7th February 2007, 06:15   #53  |  Link
Mug Funky
interlace this!
 
Mug Funky's Avatar
 
Join Date: Jun 2003
Location: i'm in ur transfers, addin noise
Posts: 4,555
finding patterns in volume IDs is a red herring i suspect.

if there is a pattern, it would likely vary per replicator. there's no requirement for them to follow a pattern (or in fact to be well hidden), so it's no surprise they convey mundane information like title, date, etc instead of random numbers.

however, it does give us a bit more known plain-text. whether that helps us or not remains to be seen.

that's my 2 cents anyway...
__________________
sucking the life out of your videos since 2004
Mug Funky is offline   Reply With Quote
Old 7th February 2007, 06:33   #54  |  Link
SBeaver
Registered User
 
Join Date: Dec 2002
Posts: 86
Quote:
Originally Posted by Mug Funky View Post
however, it does give us a bit more known plain-text.

Could you explain what you mean by this?
Don't you mean that it gives us a bit of the key?

edit: and in any case, if the remainder of the key can't be guessed, bruteforced, or somehow calculated, it's of no use, is it?

Last edited by SBeaver; 7th February 2007 at 06:36.
SBeaver is offline   Reply With Quote
Old 7th February 2007, 08:01   #55  |  Link
arnezami
Registered User
 
Join Date: Sep 2006
Posts: 390
Quote:
Originally Posted by Ishan View Post
I got the VID for Serenity (US), you're gonna laugh I guess

Code:
"SERENITY    "

Quote:
Originally Posted by awhitehead View Post
Title: Full Metal Jacket (US)
Studio: Warner Brothers
Modification Date: 4/17/2006 8:57 PM
UDF volume name: FULL_METAL_JACKET

HEX to ASCII translates this to FULLMETALJAC
Thanks all!

This is indeed funny. A week ago I was really concerned about this Volume ID. I thought it would be very hard to get. But well...

I guess there are now 3 types of Volume IDs

1) With Date/Time
2) With 2x24bit? + 6 Captials WGHDVM (possibly fixed)
3) With the name of the movie!

I'm not sure how many replicators there are. But the person that fills in the Volume ID can do this after the Media Key/MKB are made and signed by the AACS LA (in their little "bunker"). So yes Replicators could do that. I'm curious who makes this decision and to what extend they can be "forced" to use a more random code. Well anyway. Maybe we can use barcodes to see if we can categorize them? I wonder if we have found all types used so far.

Of course they could change this Volume ID into a more random number. But as long as they don't we might aswell take advatage of it.

Does anybody have more of the WGHDVM type? The other 2 are pretty clear now .

Quote:
Originally Posted by mrazzido View Post
hey

is volume id in blu-ray avaible is it useable? i can try to put my bluray burner in a usb case and sniff the usb port.
Ooh yes! I would be very interested if this also works for Blu-Ray (according to the common specs it should). I'm also curious if they use a standardized system or something.

I would also be interested if this works with PowerDVD. Since it detects debuggers I wonder if it will detect sniffers too. If not then maybe we can devise a way to cloack it (the sniffer also uses a service so that may be hard to do).

And for those application/GUI programmers out there: since USB sniffer is open source maybe we can strip it from all things we don't need and make it a one-click type of application to retrieve the Volume ID only: "Volume ID Sniffer" . That could be very helpful in the future. Maybe we could also make one for directly connected IDE drives.

I'm going hunting for a Media and Processing Key .

Regards,

arnezami

Last edited by arnezami; 11th February 2007 at 18:18.
arnezami is offline   Reply With Quote
Old 7th February 2007, 11:39   #56  |  Link
jokin
Dwight Schrute's homeboy
 
Join Date: Jan 2007
Location: The Office
Posts: 136
Quote:
Originally Posted by arnezami View Post
Does anybody have more of the WGHDVM type? The other 2 are pretty clear now .
Here are two more:

Batman Begins:



King Kong:


Last edited by jokin; 7th February 2007 at 12:24.
jokin is offline   Reply With Quote
Old 7th February 2007, 11:57   #57  |  Link
Mtz
Registered User
 
Mtz's Avatar
 
Join Date: Sep 2003
Location: On The Beach
Posts: 714
sorry for offtopic. jokin, remove the .th from your screnshots links.

enjoy,
Mtz
Mtz is offline   Reply With Quote
Old 7th February 2007, 12:25   #58  |  Link
jokin
Dwight Schrute's homeboy
 
Join Date: Jan 2007
Location: The Office
Posts: 136
Quote:
Originally Posted by Mtz View Post
sorry for offtopic. jokin, remove the .th from your screnshots links.

enjoy,
Mtz
Thanks.
jokin is offline   Reply With Quote
Old 7th February 2007, 13:58   #59  |  Link
Momotte
Registered User
 
Join Date: Apr 2004
Posts: 55
Is there something that I do not understand or is the VolumeID not enough to be able to perform decryption ?
All of this sniffing is interesting, but for us people who do not completely understand the math, how to we get to the VUK or to a key that allows us to perform the data decryption ?

thanks...
Momotte is offline   Reply With Quote
Old 7th February 2007, 14:08   #60  |  Link
jokin
Dwight Schrute's homeboy
 
Join Date: Jan 2007
Location: The Office
Posts: 136
Quote:
Originally Posted by Momotte View Post
Is there something that I do not understand or is the VolumeID not enough to be able to perform decryption ?
All of this sniffing is interesting, but for us people who do not completely understand the math, how to we get to the VUK or to a key that allows us to perform the data decryption ?

thanks...
http://forum.doom9.org/showthread.php?t=120970
jokin is offline   Reply With Quote
Reply

Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT +1. The time now is 14:55.


Powered by vBulletin® Version 3.8.11
Copyright ©2000 - 2024, vBulletin Solutions Inc.