Doom9's Forum > General > Decrypting
20th February 2007, 22:38   #321
awhitehead
I am providing these for four different movies: Full Metal Jacket, Rambo I, Rambo II and Rambo III.

Volume ID for Full Metal Jacket is:
Code:
 TransferBufferMDL    = 83b06f88
    00000000: 00 22 00 00 40 00 46 55 4c 4c 4d 45 54 41 4c 4a
    00000010: 41 43 00 00 xx xx xx xx xx xx xx xx xx xx xx xx
    00000020: xx xx xx xx
  UrbLink              = 00000000
[56868 ms]
For Rambo movies VIDs and VUKs are here:
http://forum.doom9.org/showpost.php?...&postcount=191

sectors.rar file contains the .bin files corresponding to the following session (My drive is also on letter I: (and plscsi -w seems to agree)):

Code:
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Administrator>cd Desktop

C:\Documents and Settings\Administrator\Desktop>set PLSCSI=\\.\I:

C:\Documents and Settings\Administrator\Desktop>plscsi.exe -v -x "AD 00 00 00 00 00 00 15 08 04 00 00" -i x804 -t FULLMETAL.bin
x 00000000 AD 00 00:00:00:00 00 15:08:04:00 00 .. .. .. .. "-@@@@@@UHD@@"
x 00000000 F8:02:00:00 00:00:00:00 00:00:00:00 00:00:00:00 "xB@@@@@@@@@@@@@@"
x 00000010 00:00:00:00 00:00:00:00 00:00:00:00 00:00:00:00 "@@@@@@@@@@@@@@@@"
...
x 000007F0 00:00:00:00 00:00:00:00 00:00:00:00 00:00:00:00 "@@@@@@@@@@@@@@@@"
x 00000800 00:00:00:00 .. .. .. .. .. .. .. .. .. .. .. .. "@@@@"
// 0 = plscsi.main exit int

C:\Documents and Settings\Administrator\Desktop>plscsi.exe -v -x "AD 00 00 00 00 00 00 15 08 04 00 00" -i x804 -t RAMBO3.bin
x 00000000 AD 00 00:00:00:00 00 15:08:04:00 00 .. .. .. .. "-@@@@@@UHD@@"
x 00000000 F8:02:00:00 00:00:00:00 00:00:00:00 00:00:00:00 "xB@@@@@@@@@@@@@@"
x 00000010 00:00:00:00 00:00:00:00 00:00:00:00 00:00:00:00 "@@@@@@@@@@@@@@@@"
...
x 000007F0 00:00:00:00 00:00:00:00 00:00:00:00 00:00:00:00 "@@@@@@@@@@@@@@@@"
x 00000800 00:00:00:00 .. .. .. .. .. .. .. .. .. .. .. .. "@@@@"
// 0 = plscsi.main exit int


C:\Documents and Settings\Administrator\Desktop>plscsi.exe -v -x "AD 00 00 00 00 00 00 15 08 04 00 00" -i x804 -t RAMBO2.bin
x 00000000 AD 00 00:00:00:00 00 15:08:04:00 00 .. .. .. .. "-@@@@@@UHD@@"
x 00000000 F8:02:00:00 00:00:00:00 00:00:00:00 00:00:00:00 "xB@@@@@@@@@@@@@@"
x 00000010 00:00:00:00 00:00:00:00 00:00:00:00 00:00:00:00 "@@@@@@@@@@@@@@@@"
...
x 000007F0 00:00:00:00 00:00:00:00 00:00:00:00 00:00:00:00 "@@@@@@@@@@@@@@@@"
x 00000800 00:00:00:00 .. .. .. .. .. .. .. .. .. .. .. .. "@@@@"
// 0 = plscsi.main exit int

C:\Documents and Settings\Administrator\Desktop>plscsi.exe -v -x "AD 00 00 00 00 00 00 15 08 04 00 00" -i x804 -t RAMBO1.bin
x 00000000 AD 00 00:00:00:00 00 15:08:04:00 00 .. .. .. .. "-@@@@@@UHD@@"
x 00000000 F8:02:00:00 00:00:00:00 00:00:00:00 00:00:00:00 "xB@@@@@@@@@@@@@@"
x 00000010 00:00:00:00 00:00:00:00 00:00:00:00 00:00:00:00 "@@@@@@@@@@@@@@@@"
...
x 000007F0 00:00:00:00 00:00:00:00 00:00:00:00 00:00:00:00 "@@@@@@@@@@@@@@@@"
x 00000800 00:00:00:00 .. .. .. .. .. .. .. .. .. .. .. .. "@@@@"
// 0 = plscsi.main exit int

C:\Documents and Settings\Administrator\Desktop>
Looking at the resulting .bin files in winhex, I see that with exception of the two bytes at the beginning of .bin files, the files are full of nulls.
Attached Files
File Type: rar sectors.rar (378 Bytes, 186 views)

Last edited by awhitehead; 20th February 2007 at 22:41. Reason: WinHex information added.
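The plscsi session above hands the drive a raw READ DISC STRUCTURE CDB and dumps whatever comes back. The following is an added example, not code from the thread or from plscsi: it builds that 12-byte CDB from its fields (so the media type, format code, allocation length and AGID are visible instead of being buried in "AD 00 00 ... 15 08 04 00 00") and parses the 4-byte Disc Structure header of the response. The "captured" response is reconstructed from the dumps posted here (F8 02 00 00 followed by 2048 zero bytes); the constant FORMAT_CDS is my name for the format code 0x15 the thread uses for the Copyright Data Section, and the field layout is the MMC one.

```python
"""READ DISC STRUCTURE (opcode 0xAD) as issued by plscsi above: build the
CDB from its fields and parse the response the drive returns.

Added example, not code from the thread. The captured response below is
reconstructed from the posted dumps: header F8 02 00 00 followed by 2048
zero bytes (allocation length 0x0804 = 4-byte header + 2048 bytes).
"""
import struct

OPCODE_READ_DISC_STRUCTURE = 0xAD
MEDIA_DVD_HDDVD = 0x0   # byte 1 low nibble; 0x1 selects Blu-ray
FORMAT_CDS = 0x15       # format code the thread uses for the Copyright Data Section


def build_cdb(fmt, alloc_len, media_type=MEDIA_DVD_HDDVD, address=0, layer=0, agid=0):
    """12-byte READ DISC STRUCTURE CDB (MMC layout):
    [0] opcode, [1] media type (low nibble), [2:6] address (big-endian),
    [6] layer number, [7] format code, [8:10] allocation length (big-endian),
    [10] AGID in the top two bits, [11] control."""
    if not 0 <= alloc_len <= 0xFFFF:
        raise ValueError("allocation length is a 16-bit field")
    if not 0 <= agid <= 3:
        raise ValueError("AGID is a 2-bit field")
    return (bytes([OPCODE_READ_DISC_STRUCTURE, media_type & 0x0F])
            + struct.pack(">I", address)
            + bytes([layer & 0xFF, fmt & 0xFF])
            + struct.pack(">H", alloc_len)
            + bytes([(agid & 0x3) << 6, 0x00]))


def plscsi_arg(cdb):
    """Format a CDB the way plscsi -x expects it: space-separated hex bytes."""
    return " ".join(f"{b:02X}" for b in cdb)


def parse_response(buf):
    """Parse the 4-byte Disc Structure header.

    Bytes 0-1: Disc Structure Data Length, big-endian, counting the bytes
    that follow the field itself (so the whole structure is length + 2).
    Bytes 2-3: reserved. Everything after that is the structure payload,
    cut off at whatever fit in the allocation length."""
    if len(buf) < 4:
        raise ValueError("response shorter than the Disc Structure header")
    data_len = struct.unpack(">H", buf[:2])[0]
    payload = buf[4:]
    return {
        "data_length": data_len,
        "structure_size": data_len + 2,
        "transferred": len(payload),
        "truncated": data_len + 2 > len(buf),
        "payload_all_zero": not any(payload),
    }


# Constructed from the dumps in this thread: F8 02 00 00 then 2048 zero bytes.
CAPTURED = bytes([0xF8, 0x02, 0x00, 0x00]) + bytes(2048)


def main():
    cdb = build_cdb(FORMAT_CDS, 0x0804)
    print('plscsi -x "%s" -i x%X' % (plscsi_arg(cdb), 0x0804))
    info = parse_response(CAPTURED)
    for key, value in info.items():
        print(f"{key:>17}: {value}")


if __name__ == "__main__":
    main()
```

Run as-is it reproduces the plscsi command line and reports that the header claims a 63492-byte structure (0xF802 + 2) of which only 2048 payload bytes were transferred, all zero. That is the split the later posts argue about: the length field is a sensible value the drive wrote, the payload is not.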
21st February 2007, 01:18   #322
Geremia
thanks

So, the second half of the volume ID is not in those sectors, or rather, not in the data portion of those sectors. Maybe it's in what the CPR_MAI field is for DVD-ROM sectors (6 bytes of data before the 2048 data bytes), but I don't know the physical structure of HD DVD (does anyone have the non-public HD DVD physical book?), and anyway a hacked firmware is needed for raw reading.
21st February 2007, 02:10   #323
HyperHacker
Quote:
Originally Posted by Geremia
The read command accepts positive LBA sectors; LBA sector 0 is PSN (physical sector number) 30000, so you can't read the control data zone, which is PSN 2F200-2FDFF, unless you hack the firmware to skip the positive-LBA check.
Is there a way you could exploit integer overflow? E.g. attempt to read sector 0x10002F200?
21st February 2007, 07:31   #324
frogman
Quote:
Originally Posted by Geremia
Hey, I just sniffed my 3 movies, all from Universal Pictures:
kingkong
the bourne supremacy
miami vice

In the sniff dump, the VolumeID's first 8 bytes are 40 00 plus date and time; the next 8 bytes are 00 20 20 20 20 20 00 00.

All the movies have the Copyright Data Section all zeroes; maybe it's OK like this, the second part is filled with 20 because there is no data in the CDS.

Can anyone try to read the control data segment from a movie that has a complete 16-byte volume ID?

Just the first sector should be enough.

Get plscsi here: http://members.aol.com/plscsi/2002/09/22/win/plscsi.exe
Here's what I got: Xbox 360 HD DVD external drive with King Kong (USA) in drive F:

plscsi.exe -v -x "AD 00 00 00 00 00 00 15 08 04 00 00" -i x804 -t CDS.bin
x 00000000 AD 00 00:00:00:00 00 15:08:04:00 00 .. .. .. .. "-@@@@@@UHD@@"
x 00000000 F8:02:00:00 00:00:00:00 00:00:00:00 00:00:00:00 "xB@@@@@@@@@@@@@@"
x 00000010 00:00:00:00 00:00:00:00 00:00:00:00 00:00:00:00 "@@@@@@@@@@@@@@@@"
...
x 000007F0 00:00:00:00 00:00:00:00 00:00:00:00 00:00:00:00 "@@@@@@@@@@@@@@@@"
x 00000800 00:00:00:00 .. .. .. .. .. .. .. .. .. .. .. .. "@@@@"
// 0 = plscsi.main exit int

Hope this helps.

Last edited by frogman; 21st February 2007 at 07:33. Reason: typo
21st February 2007, 16:55   #325
KenD00
Quote:
Originally Posted by Geremia
If I'm not wrong, you send a CDB command to retrieve FB02h bytes (including response header) but you expect FB04h (63492) bytes back
Yeah, indeed, I'm missing 2 bytes. Well, two zeros more or less ...

Quote:
Originally Posted by Geremia
All the movies have the Copyright Data Section all zeroes; maybe it's OK like this, the second part is filled with 20 because there is no data in the CDS.

Can anyone try to read the control data segment from a movie that has a complete 16-byte volume ID?
Your VolumeID is complete, it's missing nothing.

Quote:
Originally Posted by HyperHacker
Is there a way you could exploit integer overflow?
As far as I know the LBA is unsigned, so there is no way.


I think enough people have proven that you only get zeros from the Copyright Data Section, no need for more proofs.
So there seems to be no way to get the second half of the VID directly off the disc without a hacked firmware. But why do you want to read the sectors raw? Why not modify the drive to give it away without being authenticated?

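The integer-overflow idea and the "LBA is unsigned" answer above come down to a few lines of address arithmetic, so here it is worked through as an added example (mine, not anyone's code from the thread). It takes the thread's figures as given (LBA 0 is PSN 0x30000; the control data zone is PSN 0x2F200-0x2FDFF) plus the MMC fact that READ(10)/READ(12) carry the LBA as a 4-byte unsigned field, and shows what the drive actually addresses when the host asks for 0x10002F200, why the control data zone has no encodable LBA at all, and what a request would have to look like if the drive added the offset modulo 2^32 (an assumption about drive behaviour that the thread's "positive LBA check" rules out).

```python
"""PSN/LBA arithmetic behind the integer-overflow question. Added example,
not from the thread. Assumes the figures given in the thread (LBA 0 is PSN
0x30000; the control data zone is PSN 0x2F200-0x2FDFF) and the MMC fact that
READ(10)/READ(12) carry the LBA as a 4-byte unsigned field."""

PSN_OF_LBA0 = 0x30000
CDZ_FIRST, CDZ_LAST = 0x2F200, 0x2FDFF
LBA_FIELD_BITS = 32
LBA_FIELD_MASK = (1 << LBA_FIELD_BITS) - 1


def psn_to_lba(psn):
    """Logical address of a physical sector; negative for anything below PSN 0x30000."""
    return psn - PSN_OF_LBA0


def lba_to_psn(lba):
    return lba + PSN_OF_LBA0


def in_control_data_zone(psn):
    return CDZ_FIRST <= psn <= CDZ_LAST


def on_the_wire(requested):
    """The 32 bits the host can actually place in the CDB for `requested`.
    Anything wider is truncated before the drive ever sees it; a negative
    value cannot be expressed in an unsigned field at all."""
    if requested < 0:
        raise ValueError("the LBA field is unsigned; no negative sector numbers")
    return requested & LBA_FIELD_MASK


def probe(requested):
    """Which PSN the drive would address if the host asks for `requested`
    as the LBA, and whether that lands in the control data zone."""
    field = on_the_wire(requested)
    psn = lba_to_psn(field)
    return {"lba_field": field, "psn": psn, "hits_cdz": in_control_data_zone(psn)}


def wraparound_value():
    """The only way to reach PSN 0x2F200 through an unsigned 32-bit field
    would be a drive that adds the offset modulo 2**32 (an assumption, not
    observed behaviour), i.e. a request for this value. It exceeds the
    sector count of any HD DVD by orders of magnitude, so a plain range
    check against the disc's last LBA rejects it."""
    return (CDZ_FIRST - PSN_OF_LBA0) & LBA_FIELD_MASK


if __name__ == "__main__":
    print("PSN 0x2F200 -> LBA %d (not encodable)" % psn_to_lba(CDZ_FIRST))
    print("request 0x10002F200 ->", probe(0x10002F200))
    print("modular-add candidate: 0x%08X" % wraparound_value())
```

The point the code makes: 0x10002F200 does not overflow into the control data zone, it simply loses its top bit and reads ordinary LBA 0x2F200 (PSN 0x5F200), and the zone itself sits at LBA -0xE00, a value an unsigned field has no representation for.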
21st February 2007, 18:19   #326
Deity11
Quote:
Originally Posted by arnezami
Code:
The Matador 10/19/2006 20:41
Hex:   40 00 ba be 00 00 00 00 00 00 00 00 00 1c 00 00
This one I don't know. So far only one found of this kind. We could try 256 different values in the last byte. Don't know.
Maybe it's just the 28th release?
21st February 2007, 20:16   #327
Geremia
Quote:
Originally Posted by KenD00
But why do you want to read the sectors raw? Why not modify the drive to give it away without being authenticated?
Hehehe, yes, it's for sure the easiest way in theory; the problem actually is to know what CPU is inside the main chip.
21st February 2007, 21:09   #328
evdberg
Quote:
I think enough people have proven that you only get zeros from the Copyright Data Section, no need for more proofs.
Actually, as I already wrote earlier, the function just fails without a sense error. The zeros are there because the buffer is cleared before calling the function.
22nd February 2007, 01:35   #329
mb2696
Code:
Babel 12/19/06 21:54:12
Vid:  40 00 20 06 12 19 05 35 00 20 20 20 20 20 00 00
The "20 06 12 19" is clearly the date, but I'm not sure what to make of the "05 35 00"
22nd February 2007, 13:49   #330
Punqtured
Quote:
Originally Posted by mb2696
Code:
Babel 12/19/06 21:54:12
Vid:  40 00 20 06 12 19 05 35 00 20 20 20 20 20 00 00
The "20 06 12 19" is clearly the date, but I'm not sure what to make of the "05 35 00"
Most likely, it's just the time of creation, like some of the others reported.
22nd February 2007, 15:29   #331
mb2696
Quote:
Originally Posted by Punqtured
Most likely, it's just the time of creation, like some of the others reported.
Time of file creation is 21:54:12. Is there another time involved?
22nd February 2007, 18:43   #332
mb2696
Code:
Four Brothers
05/15/2006 - 18:46:24
vid: 40 00 05 15 20 06 03 50 00 20 20 20 20 20 00 00
Note that Four Brothers and Babel are both Paramount titles, and that the vids are pretty similar.

Code:
40 00 YY YY MM DD 05 35 00 20 20 20 20 20 00 00 - babel

40 00 MM DD YY YY 03 50 00 20 20 20 20 20 00 00 - four bros
Those three bytes seem simple, but I don't see a pattern, as they don't appear to be file creation times:

18:46:24 - babel
21:54:12 - four bros


>>> If anyone has any other Paramount titles, please post the VIDs and let's see if we can figure out this scheme.
22nd February 2007, 18:56   #333
lightshadow
Quote:
Originally Posted by Geremia
Firmware: actually unable to know what CPU is inside the main big chip; it's unnamed, no brand, no model number... actually unable to disassemble. If there are any good firmware hackers out here, PM me to help find the main CPU.
If I recall correctly, the Xbox 360 firmware hack all started with people posting photos of their drives' PCBs where the chips could be seen.

Perhaps it would be a good idea to do the same here? There might be someone who can recognize the chip, either based on the number of pins or on commonly used components used in conjunction with that chip.
22nd February 2007, 19:35   #334
mb2696
There are 2 barcodes near the inner hub of the disc. Is this the "burst cutting area"? Could those two be the "prerecorded serial number" and the first half of the VID?
22nd February 2007, 23:46   #335
KenD00
Quote:
Originally Posted by evdberg
Actually, as I already wrote earlier, the function just fails without a sense error. The zeros are there because the buffer is cleared before calling the function.
But I do not get all zeros: the first two bytes contain the correct Disc Structure Data Length. For a test, I initialized the whole buffer with 0xFF, and again, the same result: correct Disc Structure Data Length, the rest all zero.
Also, the results posted here show the correct Disc Structure Data Length.

23rd February 2007, 05:14   #336
lightshadow
Quote:
Originally Posted by mb2696
There are 2 barcodes near the inner hub of the disc. Is this the "burst cutting area"? Could those two be the "prerecorded serial number" and the first half of the VID?
This reminds me of a disc layout image from the Xbox 360 firmware hack, where the different sections of the DVD were labeled.

The original thread is here (42 pages of how the firmware was hacked), but I can't find this image right now =(

At this wiki there is the bar code of the Xbox DVD. The reason they tried to cover up the inner DVD section was to test if the disc contained any important information there. E.g. in our case, this could be the VID that was hidden there?

A wiki was made of all the facts and speculations, and I think it is this one, or at least part of it.

One of the things that sped up the Xbox 360 firmware hack a great deal was that the model numbers on the chip could be looked up, and disassembling could be done.

It seems that they have read the thread in great detail, and learned that removing this information would cause trouble.

The thread contains a lot of "I hope they didn't do that, because that would make it harder" and "why didn't they do that, because that would make it harder".

Taking into consideration that they removed the chip model numbers, I bet searching for the above techniques will pay off. Depending on how you read it, it is either a guide on how to hack the firmware or a guide on how to make your next firmware better.

Also, searching for patents helped out hacking the firmware a lot, as a patent is more or less the specification. Google has just opened a patent search engine, but I don't know if it is complete?

So if you ask me, these issues have to be resolved:
  • Post photos of PCBs, chips and surrounding components
  • Search for HD DVD and Blu-ray related patents.
  • Read the Xbox 360 firmware hack thread and find all "I hope they didn't..." and "why didn't they..."
  • Make a wiki with facts and speculations, so nothing is lost or forgotten.
  • Test if the inner section of the discs holds important information, by putting tape on it.

Last edited by lightshadow; 23rd February 2007 at 09:28. Reason: Forgot link.
5th March 2007, 21:38   #337
arnezami
Quote:
Originally Posted by KenD00
Looking for an alternative way to get the VolumeID, I asked myself what happens when I hammer the drive with VolumeID requests, using every possible AGID, when a software player performs the AACS authentication? Well, I've tested that and the answer is: the drive gives you the VolumeID!!

But depending on your software player the timing is very tricky:

Your favorite software player A:
Start the hammering, start the software player, hit "play", wait a few seconds, receive a VolumeID.

Your favorite software player B:
Don't dare to start the hammering until you have pressed "play"; then, if you start too early, the player simply stops. If you start too late, you miss the present. My advice: use software player A.

This method should also work on Blu-ray, you just need to change the media type code in the CDB.

I've attached a new version of DumpVID with hammering support (no Blu-ray support!).

I've built on KenD00's work and am now able to reliably extract a Volume ID from the drive using any software player, without the need for the found Host Private Key.

It first involves some tweaking by the user (but on each try the proggy gives advice on what to do: set the time earlier or later). But once set up it will work perfectly. And it requires no sniffing. It uses the moment the AGID is allocated by the software player as a pretty precise time marker.

This technique uses the huge hole in AACS: no bus encryption. This allows us to pretend to be the software player at exactly the right time. And I don't think they can plug this hole now, since so many drives (without the capability to bus encrypt) are already sold.

They really f**ked up here. They should have waited longer and finished the job properly. Shame on them.

I will probably release the (now still experimental) program to do this in the future. Possibly combined with my other proggy that uses the now found Host Private Key. This technique can be used as a "fall-back position" in case the found HPK gets revoked.

Oh yes. We really are busting AACS. Piece by piece.

In my mind the whole Drive-Host protection (Chapter 4 common AACS specs) is toast.

Regards,

arnezami

Last edited by arnezami; 6th March 2007 at 07:45.
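The design flaw the post above leans on ("no bus encryption") is easy to lose in the timing talk, so here is a toy model of it as an added example. This is my code, not arnezami's fetchvid or KenD00's DumpVID, and it sends no SCSI commands: the Drive class is a hypothetical stand-in whose single rule is the one the thread describes, namely that once the session on an AGID has authenticated, the drive returns the VolumeID to whoever asks on that AGID, because nothing on an unencrypted bus tells it which process is asking. The bus_encryption flag models the countermeasure the drives on the market lack; the XOR with a per-session key is a placeholder for "only the authenticated host can use the reply", not the real AACS bus-encryption scheme. The VolumeID constant is the Babel value posted earlier in the thread, used here only as the secret to grab.

```python
"""Toy model of the drive-host exchange that the AGID "hammering" trick
exploits. Added example, not code from the thread; no SCSI commands are
sent. Assumptions: four AGID slots; the VolumeID is released only once the
session on an AGID has authenticated; without bus encryption the drive
cannot tell which process on the bus is asking. The XOR "encryption" is a
placeholder for the real AACS bus-encryption scheme."""
import secrets

AGIDS = range(4)
# VolumeID posted for Babel earlier in the thread, used here as the secret.
VOLUME_ID = bytes.fromhex("4000200612190535" "0020202020200000")


class Drive:
    def __init__(self, bus_encryption=False):
        self.bus_encryption = bus_encryption
        self.sessions = {}   # agid -> {"auth": bool, "bus_key": bytes | None}

    def report_key_agid(self):
        """Allocate a free AGID (what the software player does first)."""
        for agid in AGIDS:
            if agid not in self.sessions:
                self.sessions[agid] = {"auth": False, "bus_key": None}
                return agid
        return None

    def authenticate(self, agid):
        """Stand-in for the drive-host handshake. A real drive verifies the
        host certificate; here the session is simply marked authenticated.
        With bus encryption a per-session key is agreed with that host and
        is known to it alone."""
        session = self.sessions[agid]
        session["auth"] = True
        if self.bus_encryption:
            session["bus_key"] = secrets.token_bytes(len(VOLUME_ID))
        return session["bus_key"]

    def read_volume_id(self, agid):
        """The check the attack relies on: the drive only asks whether this
        AGID's session is authenticated, never who on the bus is asking."""
        session = self.sessions.get(agid)
        if session is None or not session["auth"]:
            return None
        if session["bus_key"] is None:
            return VOLUME_ID                      # plaintext to anyone
        return bytes(v ^ k for v, k in zip(VOLUME_ID, session["bus_key"]))

    def invalidate(self, agid):
        self.sessions.pop(agid, None)


def hammer(drive, rounds):
    """Attacker loop: ask for the VolumeID on every AGID, every round."""
    for _ in range(rounds):
        for agid in AGIDS:
            reply = drive.read_volume_id(agid)
            if reply is not None:
                return reply
    return None


def race(bus_encryption, attacker_polls_before_play=False):
    """Player allocates an AGID and authenticates; the attacker polls in the
    window before the player releases the AGID. Returns what the attacker
    got and the bus key that only the player received."""
    drive = Drive(bus_encryption)
    if attacker_polls_before_play:                # too early: nothing yet
        return hammer(drive, rounds=3), None
    agid = drive.report_key_agid()
    bus_key = drive.authenticate(agid)
    grabbed = hammer(drive, rounds=3)             # inside the window
    drive.invalidate(agid)
    assert hammer(drive, rounds=3) is None        # too late: window closed
    return grabbed, bus_key


def decrypt(ciphertext, bus_key):
    """What the legitimate player does with an encrypted reply."""
    return bytes(c ^ k for c, k in zip(ciphertext, bus_key))


if __name__ == "__main__":
    print("no bus encryption :", race(False)[0].hex())
    grabbed, key = race(True)
    print("bus encryption    :", grabbed.hex(), "(ciphertext; attacker has no key)")
    print("player decrypts   :", decrypt(grabbed, key).hex())
```

Without the flag the poller walks away with the plaintext VolumeID as soon as any session has authenticated; with it the same poll yields bytes that are useless without the key negotiated during the handshake, which is exactly the binding the post says cannot be retrofitted onto drives already sold.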
5th March 2007, 22:25   #338
HyperHacker
OK, some people were wondering about barcodes and burst cutting areas, so here's an image that should help clarify. This is a Gamecube disc but other discs will be similar; Gamecube discs are only mini DVDs really.

The "barcode" is printed on the inner ring. This is, as best I know, not readable by any drive. It serves only to identify the disc and probably contains the same info as the text around it or a serial number.

The "burst cutting area" can be seen on the innermost section of the data area. This is physically pressed into the disc. Some drives can read this, but to write it requires very expensive disc pressing equipment. This could indeed hold things like the volume ID.
Attached Images
5th March 2007, 22:31   #339
ATARI Vampire
Quote:
Originally Posted by arnezami
I will probably release the (now still experimental) program to do this in the future. Possibly combined with my other proggy that uses the now found Host Private Key.
I'd love to play around with this code. Please do release it. Thanks.

Last edited by ATARI Vampire; 8th March 2007 at 01:32.
6th March 2007, 06:48   #340
arnezami
Well here is something to play with.

fetchvid.exe

For me it works with WinDVD (which is the most sensitive I believe) and the Xbox 360 HD DVD. My sweet spot is a time value between 390 and 420. I usually set it at 410 which works perfectly (btw time is measured in nr of AGID retrieval attempts counted from the moment the player accesses the drive).

Just try it and play with it a bit.

Remember: this program does not use the private key. It just "watches" the drive carefully and then pretends to be the software player.

It works for HD DVD only atm.

Screenshot:



Regards,

arnezami

PS. This is experimental programming. There could be bugs in it.

Last edited by arnezami; 6th March 2007 at 07:59.