Welcome to Doom9's Forum, THE in-place to be for everyone interested in DVD conversion.

Before you start posting please read the forum rules. By posting to this forum you agree to abide by the rules.

 

Go Back   Doom9's Forum > General > Decrypting

Reply
 
Thread Tools Search this Thread Display Modes
Old 30th November 2008, 02:58   #461  |  Link
yippiekayee
Registered User
 
Join Date: Jun 2008
Posts: 46
I'm not sure if this needs to go into the dumphd thread or this but I've been trying out the bdvmdbg today and ran into some trouble:
I got the conversion table for Prison Break Season 3 Disc 1.. and got no special errors during the process
Code:
$ Volume ID set to: 90 BB 43 94 DC C6 50 05 54 FE 96 16 96 07 DE 66 
Loading E:\/BDSVM/00000.svm ...
[I] TRAP_LoadContentCode: Loading BDSVM/00001.svm (block 6)
[I] TRAP_DebugLog: 2008-11-01 01:43:11.21 playback starts
[I] TRAP_MediaSHAFileHash: Hashing BDSVM/00000.svm
[I] TRAP_MediaSHAFileHash: Hashing AACS/MKB_RO.inf
[I] TRAP_MediaSHAFileHash: Hashing BDMV/STREAM/00004.m2ts
[I] TRAP_LoadContentCode: Loading BDSVM/00001.svm (block 7)
[Event #00000000] 0110 ( 00000000, 0000FFFF )
[Event #00000001] 0210 ( 00000000, 00000001 )
[W] TRAP_DeviceAccess not implemented!
[Event #00000002] 0110 ( 00000000, 00000001 )
[I] TRAP_LoadContentCode: Loading BDSVM/00002.svm (block 0)
Conversion table set
Then I ran DumpHD and it decrypted the file 00001.mt2s just fine as far as I can tell (cursory browsing through the file - by the way, what's the recommended way of quickly checking the decrypted results? can I run md5sums on the Streams directory and compare it with the Streams directory directly on the disc when I have AnyDVD HD running?).
Anyway, DumpHD reports some potential problems
Code:
0x0000000000 Decryption enabled
Processing: BDMV\STREAM\00001.m2ts
Error! BD+ SubTable not found, dumping may fail
0x0000000000 Decryption enabled
Processing: BDMV\STREAM\00002.m2ts
Error! BD+ SubTable not found, dumping may fail
0x0000000000 Decryption enabled
Processing: BDMV\STREAM\00004.m2ts
Error! BD+ SubTable not found, dumping may fail
0x0000000000 Decryption enabled
and sure enough the second file is corrupt (this is a series so there's one m2ts file per episode.. there are 4 eps on a disc).. it starts out okay but about 20 seconds in things start to look really bad (reminds me of encrypted DVDs). Since the first file is okay I suspect it has something to do with the episodic nature of the disc.

I loaded the convtable into ConvTableView and it can successfully load the table.

Quote:
more likely in this case the wrong SHA-1 hashes of the files i don't have
Would it help if he ran sha1sum on those files for comparison? I doubt uploading m2ts files is practical.
yippiekayee is offline   Reply With Quote
Old 30th November 2008, 03:23   #462  |  Link
yippiekayee
Registered User
 
Join Date: Jun 2008
Posts: 46
Umm... I think there's a problem with Die Another Day (US).. on the right hand side of the debugger I see some stuff marked in red, though the console output doesn't contain any errors / warnings. The convtable is a lot smaller than my previous ones (592KB instead of almost 1 MB) - convtableview loads the table just fine but there's a lot of emptyness there. I'll post again when the decryption process is through.
yippiekayee is offline   Reply With Quote
Old 30th November 2008, 03:44   #463  |  Link
loo3aem3ON
Registered User
 
Join Date: Sep 2008
Posts: 189
Quote:
Originally Posted by yippiekayee View Post
I'm not sure if this needs to go into the dumphd thread or this but I've been trying out the bdvmdbg today and ran into some trouble:
It's probably my fault so it's correct to report the problem in this thread.

Quote:
Originally Posted by yippiekayee View Post
by the way, what's the recommended way of quickly checking the decrypted results?
I use 'vbindiff' to compare with the result AnyDVD-HD produced. Using md5sum is faster if you only want to check if the files are (still) identical after making changes as developer.

Quote:
Originally Posted by yippiekayee View Post
can I run md5sums on the Streams directory and compare it with the Streams directory directly on the disc when I have AnyDVD HD running?).
Yes but you should use a program which shows differences between both files if you have reasons to believe they are different. You can for instance use WinHEX.

Quote:
Originally Posted by yippiekayee View Post
Anyway, DumpHD reports some potential problems
Those error messages say that the conversion table doesn't contain entries for all the files you have on disc. It most likely means that either the conversion table is corrupt (which you would have noticed with ConvTableView) or you are using the wrong conversion table. Is it possible that you are using the conversion table from a different movie?

Are you running dumpHD from command line like this example below?
Code:
/dumphd-0.5/dumphd.sh --infile:BDMV/STREAM/00001.m2ts --convtable:conv_tab.bin /media/cdrom/ > /tmp/00001.m2ts
Quote:
Originally Posted by yippiekayee View Post
and sure enough the second file is corrupt (this is a series so there's one m2ts file per episode.. there are 4 eps on a disc).. it starts out okay but about 20 seconds in things start to look really bad (reminds me of encrypted DVDs).
That's because dumpHD can't repair those m2ts files if it can't find the subtable for the file you would like to restore (AACS decrypt and BD+ repair).

Quote:
Originally Posted by yippiekayee View Post
I loaded the convtable into ConvTableView and it can successfully load the table.
Upload the conversion tables please. I would like to take a look at them.

Quote:
Originally Posted by yippiekayee View Post
Would it help if he ran sha1sum on those files for comparison? I doubt uploading m2ts files is practical.
There is no need to do that because TRAP_MediaSHAFileHash should be working fine if you have a original encrypted disc. Just make sure AnyDVD-HD is switched off while you create the conversion table.

Quote:
Originally Posted by yippiekayee View Post
Umm... I think there's a problem with Die Another Day (US).. on the right hand side of the debugger I see some stuff marked in red, though the console output doesn't contain any errors / warnings.
Those are the registers which have changed. Don't worry about that.

Quote:
Originally Posted by yippiekayee View Post
The convtable is a lot smaller than my previous ones (592KB instead of almost 1 MB) - convtableview loads the table just fine but there's a lot of emptyness there. I'll post again when the decryption process is through.
I have recently introduced code which removes bogus repair descriptors. It might be possible that a bug causes the removal of valid descriptors.

Last edited by loo3aem3ON; 30th November 2008 at 03:51.
loo3aem3ON is offline   Reply With Quote
Old 30th November 2008, 04:20   #464  |  Link
yippiekayee
Registered User
 
Join Date: Jun 2008
Posts: 46
Quote:
Is it possible that you are using the conversion table from a different movie?
No.. it's the right file.. the first of the four episodes is properly decrypted all the way through.. I jumped around the entire 4x minutes and haven't found a glitch.
Quote:
Are you running dumpHD from command line like this example below?
Well I'm on windows but here's a sample commandline. Note that the same procedure has worked for two previous movies (Day after Tomorrow and Hitman).


In the meantime I'm done with Die Another Day and at first glance the decrypted output seems to be fine. DumpHD reported no issues and in jumping around the movie I have yet to discover a corrupted part.

I will compare the decrypted output with the files on the disc when I have AnyDVD HD active.

Are you interested in knowing which discs decrypt okay? I have a sizeable collection (by my count 19 from the list of Fox/MGM discs posted here though I'm not convinced every one is really a BD+ disc.. plus two titles are actually series so they have 4/6 discs respectively) and if it helps I can run them all through and compare with AnyDVD HD.

Last edited by yippiekayee; 15th December 2008 at 20:01.
yippiekayee is offline   Reply With Quote
Old 30th November 2008, 15:33   #465  |  Link
yippiekayee
Registered User
 
Join Date: Jun 2008
Posts: 46
Quote:
Yes but you should use a program which shows differences between both files if you have reasons to believe they are different. You can for instance use WinHEX.
Could you elaborate on this a bit.. how would I go about doing that and what kind of information would you need to see? I just finished Dr. No and compared sh1sums (I'm back to md5sums now.. it seems to run faster plus it has a progress indicator which is good for impatient people like me).. most files seem to be the same.. there are 6 files (6 KB each) which differ and I'd like to get to the bottom of this.

The same also holds for Live and Let Die.. only that on that disc the difference are 36KB files.

By the way, is it enough to compare the Streams directory or are there other files protected by BD+?

Last edited by yippiekayee; 30th November 2008 at 17:03.
yippiekayee is offline   Reply With Quote
Old 30th November 2008, 16:31   #466  |  Link
loo3aem3ON
Registered User
 
Join Date: Sep 2008
Posts: 189
Quote:
Originally Posted by yippiekayee View Post
Could you elaborate on this a bit.. how would I go about doing that and what kind of information would you need to see?
Slow down please. I am currently writing a few functions which record the hashes returned by TRAP_MediaSHAFileHash. You will have to run this new version of the debugger once with "Prison Break" and then send me the file "hash_db.bin" it has created.
I believe there is a problem with the callback parameters (event management) and i need the hashes to fool the content code.

Below is the structure of the hash_db.bin in EBNF. Accident will probably want to add support for it. We could include the volume id.
*edit* removed. See posting #480 *edit*

After this issue is fixed we can take a look at the other problems.

Quote:
Originally Posted by yippiekayee View Post
I just finished Dr. No and compared sh1sums (I'm back to md5sums now.. it seems to run faster plus it has a progress indicator which is good for impatient people like me).. most files seem to be the same.. there are 6 files (6 KB each) which differ and I'd like to get to the bottom of this.
I would need to see what bytes differ in both files so a hash is useless to me. The conversion table is used to repair the m2ts files. If any other files differ please contact KenD00 who maintains DumpHD.

Last edited by loo3aem3ON; 1st December 2008 at 19:30.
loo3aem3ON is offline   Reply With Quote
Old 30th November 2008, 17:09   #467  |  Link
yippiekayee
Registered User
 
Join Date: Jun 2008
Posts: 46
Quote:
I would need to see what bytes differ in both files so a hash is useless to me
Just tell me how I can show you that. You suggested Winhex which I installed but I don't really know what to do with it. The files are very small so I suppose I could just upload them for you in this case as well as the convtable but suppose I see a difference in a larger file.. I cannot upload a file that spans multiple GBs.
yippiekayee is offline   Reply With Quote
Old 30th November 2008, 17:33   #468  |  Link
bugnotme
Registered User
 
Join Date: Dec 2006
Posts: 5
Quote:
Originally Posted by loo3aem3ON View Post
I don't have access to any device that contains the private exponent. If i had one i wouldn't be sitting here writing postings
Those certificates are probably created on a pc without a network connection to rule out any side channel attacks.
He wasn't highlighting the timing attack but the use of
Coppersmith's algorithm -- a low-exponent attack on RSA --
after the upper half of the bits had been determined by the
timing attack.

Since you claim the upper half bits have been obtained the method
described in the article should be directly applicable. However, I do
not think knowing the upper half bits is necessary in order to apply
Coppersmith's algorithm. I'm also unclear about how knowledge of the
upper half bits can be exploited in order to speed-up the algorithm.

Coppersmith's algorithm is implemented as zncoppersmith in PARI/GP,
coppersmith in Sage and elsewhere.

http://groups.google.com/group/sage-...0c9b2a9e8d22ee
bugnotme is offline   Reply With Quote
Old 30th November 2008, 18:33   #469  |  Link
loo3aem3ON
Registered User
 
Join Date: Sep 2008
Posts: 189
Quote:
Originally Posted by bugnotme View Post
He wasn't highlighting the timing attack but the use of
Coppersmith's algorithm -- a low-exponent attack on RSA --
after the upper half of the bits had been determined by the
timing attack.
Why would i start a timing attack if i can easily calculate the upper half of the private exponent from the public key (e,N) like i did? I've tried to explain why those bits are most likely useless to factor N. A timing attack can be used to obtain some of the least significant bits. With them N can be factored efficiently.

Quote:
Originally Posted by yippiekayee View Post
Just tell me how I can show you that.
Download this snapshot please: http://uploaded.to/?id=7yht2d
Run it once with Prison Break and send me the hash_db.bin and the contents of the BDSVM directory (without the BACKUP subdirectory). That's all i need currently. Before running verify that the hash_db.bin has zero length. Thank you.
loo3aem3ON is offline   Reply With Quote
Old 30th November 2008, 19:10   #470  |  Link
haggi
coffee addict
 
Join Date: Apr 2007
Posts: 9
Quote:
Originally Posted by bugnotme View Post
He wasn't highlighting the timing attack but the use of
Coppersmith's algorithm -- a low-exponent attack on RSA --
after the upper half of the bits had been determined by the
timing attack.
But to use this algorithm you need to know the upper half of p or q not the upper half of d, which is what we've got ...
haggi is offline   Reply With Quote
Old 30th November 2008, 21:00   #471  |  Link
yippiekayee
Registered User
 
Join Date: Jun 2008
Posts: 46
I'm afraid the new version didn't do the trick either. Same errors from dumphd and while the first episode is again properly decrypted, subsequent episodes aren't.

And I did compare the last three of my Bond discs - which played just fine but there are again small files where the md5sums differ. I also watched ripped Hitman today and watched the main movie.. it was glitch free but I haven't yet compared md5sums with AnyDVD.

Last edited by yippiekayee; 15th December 2008 at 20:02.
yippiekayee is offline   Reply With Quote
Old 30th November 2008, 21:06   #472  |  Link
bugnotme
Registered User
 
Join Date: Dec 2006
Posts: 5
Quote:
Originally Posted by loo3aem3ON View Post
Why would i start a timing attack if i can easily calculate the upper half of the private exponent from the public key (e,N) like i did? I've tried to explain why those bits are most likely useless to factor N. A timing attack can be used to obtain some of the least significant bits. With them N can be factored efficiently.
Forget timing attacks. The point is Coppersmith's algorithm is a
potentially useful low-exponent RSA attack.
bugnotme is offline   Reply With Quote
Old 30th November 2008, 21:21   #473  |  Link
bugnotme
Registered User
 
Join Date: Dec 2006
Posts: 5
Quote:
Originally Posted by haggi View Post
But to use this algorithm you need to know the upper half of p or q not the upper half of d, which is what we've got ...
Chapter 6 of this PhD thesis seems pertinent:

http://www.informatik.tu-darmstadt.d...tions/03/bp.ps
bugnotme is offline   Reply With Quote
Old 30th November 2008, 21:32   #474  |  Link
yippiekayee
Registered User
 
Join Date: Jun 2008
Posts: 46
Quote:
how can i send you the BDSVM directories (for each disc)?
Zip them up and upload to a file hoster like rapidshare, uploaded.to, etc and post the link here.
yippiekayee is offline   Reply With Quote
Old 30th November 2008, 22:05   #475  |  Link
haggi
coffee addict
 
Join Date: Apr 2007
Posts: 9
Quote:
Originally Posted by bugnotme View Post
Chapter 6 of this PhD thesis seems pertinent:

http://www.informatik.tu-darmstadt.d...tions/03/bp.ps
e ∈ [N^(0,5); N^(~0,72))

Our e is 3 which is smaller, much smaller, than N^(0,5)

I am not mathematician enough to know how to alter that equation to suit our needs.
haggi is offline   Reply With Quote
Old 30th November 2008, 22:59   #476  |  Link
yippiekayee
Registered User
 
Join Date: Jun 2008
Posts: 46
I just ripped the second disc of Prison Break Season 3. Got the same error about BD+ subtable not being found, but this time only for the episodes... subsequent m2ts files didn't yield the error and the first episode (first m2ts file) was okay again - so I think this is something systemic.. has the BD+ code ever been tested against episodic discs?
This brings me to a question: how can we verify the debugger against titles with MKB versions for which we don't have a processing key yet? Firefly is in the mail but afaik it's MKBv9.. AnyDVD HD can handle that but not the BD+. So, since DumpHD won't be able to decrypt those discs without the processing key is there a way to apply the BD+ removal without doing AACS encryption so that we could first remove BD+, then run AnyDVD HD on it to remove AACS and the verify if the output is correct.
yippiekayee is offline   Reply With Quote
Old 30th November 2008, 23:26   #477  |  Link
loo3aem3ON
Registered User
 
Join Date: Sep 2008
Posts: 189
Quote:
Originally Posted by yippiekayee View Post
I just ripped the second disc of Prison Break Season 3. Got the same error about BD+ subtable not being found, but this time only for the episodes... subsequent m2ts files didn't yield the error and the first episode (first m2ts file) was okay again - so I think this is something systemic.. has the BD+ code ever been tested against episodic discs?
The problem is the debugger only announces the playback of the first m2ts file to the content code and therefor only gets this portion of the conversion table. It's the largest conversion table i have seen so far which is probably why it was split. I need to rewrite some code to handle this properly.

Quote:
Originally Posted by yippiekayee View Post
This brings me to a question: how can we verify the debugger against titles with MKB versions for which we don't have a processing key yet?
AnyDVD-HD will support these titles soon.

Quote:
Originally Posted by yippiekayee View Post
is there a way to apply the BD+ removal without doing AACS encryption so that we could first remove BD+, then run AnyDVD HD on it to remove AACS and the verify if the output is correct.
Maybe you have heard of "confusion" and "diffusion" which are properties of every serious encryption algorithm. In our case the "diffusion" property of AES would cripple the entire 128-bit block if you only change a single bit before decryption. I see no way to modify the encrypted stream so that the decryption result is already repaired (without knowing the key of course).

Last edited by loo3aem3ON; 30th November 2008 at 23:35.
loo3aem3ON is offline   Reply With Quote
Old 30th November 2008, 23:55   #478  |  Link
yippiekayee
Registered User
 
Join Date: Jun 2008
Posts: 46
Oh, I thought BD+ came before AACS, not after. But in this case, if there was a simple BD+ repair program we could fix the stream after decryption by AnyDVD, correct?
yippiekayee is offline   Reply With Quote
Old 1st December 2008, 01:23   #479  |  Link
loo3aem3ON
Registered User
 
Join Date: Sep 2008
Posts: 189
Quote:
Originally Posted by yippiekayee View Post
Oh, I thought BD+ came before AACS, not after. But in this case, if there was a simple BD+ repair program we could fix the stream after decryption by AnyDVD, correct?
Yes, that is correct.

Try this development snapshot please: http://uploaded.to/?id=ij27kc
I still don't understand the second parameter of callback/event 0x0110 but i know this event occurs before the playback of every m2ts file. So i decided to issue event 0x0110 with the second parameter with all possible values between 0 and 50 to get all the pieces from the conversion table. It seems to work. The resulting conversion table for "Prison break" is 4MB big.
loo3aem3ON is offline   Reply With Quote
Old 1st December 2008, 19:15   #480  |  Link
loo3aem3ON
Registered User
 
Join Date: Sep 2008
Posts: 189
I've redesigned the hash database. It now supports multiple hashes created from a single large block. It's implemented as a chained list which is fast enough for those few entries we have. The structure is:
Code:
key = SHA-1 hash of offset, bytesToHash and Filename; 20 bytes
nextPointer = points at the beginning of the next entry; relative address; 4 bytes
bytesHashed = number of bytes used to calculate the hash; 4 bytes

database ::= {entry}
entry ::= key , nextPointer , bytesHashed , {hash}
The reason to create such a database is that the content code uses hashes from arbitrary files on the disc. If a bug prevents the correct creation of the conversion table the developers have problems reproducing the error given only the contents of the BDSVM directory. Because the hash database already contains the hashes the content code likes to verify this is no longer a problem. All the user needs to do is clear the hash_db.bin (e.g. create an empty file with that name) and run the debugger once. The resulting hash_db.bin is then to be sent to a developer.
loo3aem3ON is offline   Reply With Quote
Reply

Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT +1. The time now is 12:57.


Powered by vBulletin® Version 3.8.11
Copyright ©2000 - 2018, vBulletin Solutions Inc.