18th January 2007, 06:30 | #1 | Link |
Registered User
Join Date: Jan 2007
Posts: 55
|
Blu-ray and AACS
Well, since I was interested in HD DVD, I am now interested in Blu-ray.
I bought an 800$ (CAD) Blu-ray burner and bought the "Lord of War" movie and will be working on this (for a while I guess). PowerDVD BD doesn't play the movie properly AT ALL (looks like when you have a defective pipeline in your video card). WinDVD plays it just fine, and I'm about to go through the memory with WinHEX. Here is what the directory structure looks like:

Volume in drive E is LOGICAL_VOLUME_ID
Volume Serial Number is 3C05-DB57

Directory of E:\
05/31/2006 05:21 AM <DIR> BDMV
05/31/2006 05:21 AM <DIR> AACS
05/31/2006 05:21 AM <DIR> CERTIFICATE
0 File(s) 0 bytes

Directory of E:\BDMV
05/31/2006 05:18 AM 180 index.bdmv
05/31/2006 05:18 AM 33,714 MovieObject.bdmv
05/31/2006 05:21 AM <DIR> PLAYLIST
05/31/2006 05:21 AM <DIR> CLIPINF
05/31/2006 05:21 AM <DIR> STREAM
05/31/2006 05:21 AM <DIR> AUXDATA
05/31/2006 05:21 AM <DIR> META
05/31/2006 05:21 AM <DIR> BDJO
05/31/2006 05:21 AM <DIR> JAR
05/31/2006 05:21 AM <DIR> BACKUP
2 File(s) 33,894 bytes

Directory of E:\BDMV\PLAYLIST
05/31/2006 05:18 AM 470 00000.mpls
05/31/2006 05:18 AM 234 00001.mpls
05/31/2006 05:18 AM 216 00002.mpls
05/31/2006 05:18 AM 232 00003.mpls
05/31/2006 05:18 AM 159,954 00004.mpls
05/31/2006 05:18 AM 168 00005.mpls
6 File(s) 161,274 bytes

Directory of E:\BDMV\CLIPINF
05/31/2006 05:18 AM 65,924 00000.clpi
05/31/2006 05:18 AM 292 00005.clpi
05/31/2006 05:18 AM 824 00001.clpi
05/31/2006 05:18 AM 2,016 00002.clpi
05/31/2006 05:18 AM 940 00003.clpi
05/31/2006 05:18 AM 612 00004.clpi
05/31/2006 05:18 AM 292 00006.clpi
05/31/2006 05:18 AM 396 00007.clpi
8 File(s) 71,296 bytes

Directory of E:\BDMV\STREAM
05/31/2006 05:17 AM 22,602,240,000 00000.m2ts
05/31/2006 05:18 AM 4,546,560 00005.m2ts
05/31/2006 05:17 AM 142,307,328 00001.m2ts
05/31/2006 05:17 AM 372,750,336 00002.m2ts
05/31/2006 05:18 AM 167,755,776 00003.m2ts
05/31/2006 05:18 AM 61,009,920 00004.m2ts
05/31/2006 05:18 AM 1,419,264 00006.m2ts
05/31/2006 05:18 AM 7,127,040 00007.m2ts
8 File(s) 23,359,156,224 bytes

Directory of E:\BDMV\BACKUP
05/31/2006 05:18 AM 180 index.bdmv
05/31/2006 05:18 AM 33,714 MovieObject.bdmv
05/31/2006 05:21 AM <DIR> PLAYLIST
05/31/2006 05:21 AM <DIR> CLIPINF
05/31/2006 05:21 AM <DIR> BDJO
2 File(s) 33,894 bytes

Directory of E:\BDMV\BACKUP\PLAYLIST
05/31/2006 05:18 AM 470 00000.mpls
05/31/2006 05:18 AM 234 00001.mpls
05/31/2006 05:18 AM 216 00002.mpls
05/31/2006 05:18 AM 232 00003.mpls
05/31/2006 05:18 AM 159,954 00004.mpls
05/31/2006 05:18 AM 168 00005.mpls
6 File(s) 161,274 bytes

Directory of E:\BDMV\BACKUP\CLIPINF
05/31/2006 05:18 AM 65,924 00000.clpi
05/31/2006 05:18 AM 292 00005.clpi
05/31/2006 05:18 AM 824 00001.clpi
05/31/2006 05:18 AM 2,016 00002.clpi
05/31/2006 05:18 AM 940 00003.clpi
05/31/2006 05:18 AM 612 00004.clpi
05/31/2006 05:18 AM 292 00006.clpi
05/31/2006 05:18 AM 396 00007.clpi
8 File(s) 71,296 bytes

Directory of E:\AACS
05/31/2006 05:18 AM 1,048,576 MKB_RO.inf
05/31/2006 05:18 AM 1,048,576 MKB_RW.inf
05/31/2006 05:18 AM 1,048,576 ContentRevocation.lst
05/31/2006 05:18 AM 65,536 Unit_Key_RO.inf
05/31/2006 05:18 AM 192 Content000.cer
05/31/2006 05:18 AM 2,048 CPSUnit00001.cci
05/31/2006 05:18 AM 1,571 mcmf.xml
05/31/2006 05:21 AM <DIR> DUPLICATE
05/31/2006 05:18 AM 950,552 ContentHash000.tbl
8 File(s) 4,165,627 bytes

Directory of E:\AACS\DUPLICATE
05/31/2006 05:18 AM 1,048,576 MKB_RO.inf
05/31/2006 05:18 AM 1,048,576 MKB_RW.inf
05/31/2006 05:18 AM 1,048,576 ContentRevocation.lst
05/31/2006 05:18 AM 65,536 Unit_Key_RO.inf
05/31/2006 05:18 AM 192 Content000.cer
05/31/2006 05:18 AM 2,048 CPSUnit00001.cci
05/31/2006 05:18 AM 1,571 mcmf.xml
05/31/2006 05:18 AM 950,552 ContentHash000.tbl
8 File(s) 4,165,627 bytes

Directory of E:\CERTIFICATE
05/31/2006 05:21 AM <DIR> BACKUP
0 File(s) 0 bytes

Total Files Listed:
56 File(s) 23,368,020,406 bytes
16 Dir(s) 0 bytes free
--------------------------------------------
I hope I have some other people to help out with this... We need to kick DRM in the butt! Last edited by Janvitos; 18th January 2007 at 06:32. |
18th January 2007, 11:04 | #3 | Link |
Registered User
Join Date: Jan 2007
Posts: 114
|
Hey guys, my first post :-) I have a Blu-ray burner too, the "lg gbw-h10n", and I have the German version of "ICE AGE II" as a Blu-ray movie. It's the same: PowerDVD does not work :-( on an analog monitor, WinDVD works fine for me too!!
I uploaded the directory structure of the movie to an upload center: LINK. My movie has more files than Janvitos' movie. I searched the memory dump for .bdmv; I think the index.bdmv is the same as VPLST000.XPL. I found the .bdmv many times in memory. Sorry for the bad English writing :-) I can't write good English. If I can help anyone with cracking BD, I am here :-) |
18th January 2007, 21:00 | #7 | Link |
Registered User
Join Date: Jan 2007
Posts: 55
|
I have uploaded a WinHEX memory dump of the playback of the "Lord of War" Blu-ray movie for the ones interested.
Here is the link: * deleted for security reasons * Enjoy! Last edited by Janvitos; 19th January 2007 at 01:24. |
19th January 2007, 15:54 | #8 | Link |
Registered User
Join Date: Jan 2007
Posts: 55
|
Alright. Here's an update on the situation with Blu-ray.
I've been reading the documents concerning AACS and the Blu-ray format. There are a lot of interesting things in there but it seems that we're gonna have a harder time with this than HD DVD.
First of all, it seems like the Blu-ray format has a tendency to only use 1 key instead of many. This might be a problem when trying to search the memory dumps since we are looking for a single 128-bit key rather than 8, 11 or even 60. Just to let you know, the Blu-ray format employs the term "CPS Unit Key" rather than "Title Key" but both are the same. They also talk about Volume Unique Key which means they most likely also use it.
One of the other major drawbacks would be the lack of clues residing inside the CPS Unit Key File (Title Key File). The Title Key File for the HD DVD format has plain text strings (such as VPLST000.XPL) but the CPS Unit Key File has none. The file is mostly comprised of zeros and the encrypted key. In the end of the line, we pretty much will have to follow a different path than we did with HD DVD.
Another important matter, and a question I will dare ask: are the keys for Blu-ray in WinDVD's memory? Unfortunately I cannot check PowerDVD's memory because the program tells me my graphics driver is not HDCP compliant (although I can play back Blu-ray movies through WinDVD just fine). I also tried a more recent version of PowerDVD but this one doesn't seem to play back video properly as I get sound, but really ugly / scrambled-like video.
I will continue to work on this like I did with HD DVD. Last edited by Janvitos; 19th January 2007 at 15:58. |
19th January 2007, 16:40 | #12 | Link |
Registered User
Join Date: Jan 2007
Posts: 55
|
It says my graphics driver is not compatible.
I believe I have the most recent Catalyst driver (7.1) and the problem might be that the PowerDVD version that shipped with the Blu-ray drive doesn't recognize the drivers. |
20th January 2007, 05:24 | #15 | Link |
Registered User
Join Date: Dec 2006
Posts: 35
|
Oops, I did it again!
In less than 24 hours, without any Blu-ray equipment, but with the help of Janvitos, I managed to decrypt and play a Blu-ray media file using my known-plaintext attack...
The file from the movie "Lord of War" plays well with VideoLan. Janvitos gave me a few files from the BD disc and a memory dump... Note that I don't address BD+. The file doesn't seem to be BD+ protected. I will keep you informed if I find anything new... |
23rd January 2007, 10:11 | #17 | Link | |
Registered User
Join Date: Jan 2007
Posts: 2
|
Quote:
Btw. great work so far with your HD DVD / Blu-Ray decrypting efforts! Hats off to you! I'd like to believe those rumours that you're from Canada, cos I'd buy you a beer if it were true! Last edited by inu-liger; 23rd January 2007 at 10:14. |
|
20th January 2007, 16:43 | #20 | Link |
Registered User
Join Date: Dec 2006
Posts: 35
|
More about the "known-plaintext attack"
Many people ask me for more details about the known-plaintext attack. This is a very basic, but powerful crypto attack that I have used to decrypt both formats.
After reading posts of people trying to get the keys in memory, I realized I have a different way of looking into the problem. A lot of people try to attack the software, I'm attacking the data! So I spent more time analysing the data, to look for patterns or something special to mount my known-plaintext attack. Because I know the keys are unprotected in memory, I can skip all the painful process of code reversal. I don't have any Blu-ray equipment but I was able to recover the keys anyway... because I had access to a memory dump file and a media file.
To give you an example, let's take the Blu-ray case. First, I had to read the documentation about the media file format. In the case of Blu-ray, the media files are divided in blocks called "Aligned unit". Let's simply call them "Unit" for short. A Unit is a block of 6144 bytes. The first 16 bytes are unencrypted, and the rest are encrypted using AES in CBC mode. A Unit is composed of 32 blocks called "MPEG source packet". Each packet is 192 bytes long. The first 16 bytes of the first MPEG source packet of a Unit are decrypted. Just to see the decrypted part of the packet, I have printed a few. Have a look:

D13BF428474000100000B0110000C100
D13C5DE84710111C6E3468D1861B8D1A
D13CC7A84710111CE3468D1861B8D1A3
D13D31684710111C1A346186E3468D18
D13D9B284710111C6186E3468D1861B8
D13E04E84710111C8D1861B8D1A34618
D13E6EA84710111CD1861B8D1A346186
D13ED8684710111C186E3468D1861B8D
D14D57924710111CFCC810FE80107F08
D14DC1524710111C1007647E401C002E
D14E2B124710111C8001880350400300
D14E94D24710111C007690DE581426A3
D14EFE924710111C80800E8081F9E081
D14F68524710111CA01300C007408C00
D14FD2124710111C005200B002E00D49

Do you see something special? Do you see any pattern? The first byte is always D1 and the 5th byte is always 47. Can we use that to mount the known-plaintext attack? Of course!
Because we know we have multiple MPEG source packets inside a Unit, we know the decrypted version of the Unit at position 192 will probably look like the sequences shown above. In most cases, the known-plaintext attack is in fact a guessed-plaintext attack. We "assume" the data will look like something we "guessed" when decrypted. Most of the time, it works!
Knowing that, all you have to do is write a small program that scans a memory dump file that comes from a software player while it was playing the movie. The key is in that file, you have to locate it. You just have to decrypt the first 2 MPEG source packets of the first Unit until you find a key that decrypts to something like:

D1??????47??????????????????????

at position 192. That's it! I also do something similar for the HD-DVD format.
Once you know the value and the position of the key in memory, you can do like people are doing here: use a "memory landmark" to locate the key. Any questions? |