Welcome to Doom9's Forum, THE in-place to be for everyone interested in DVD conversion.

Before you start posting please read the forum rules. By posting to this forum you agree to abide by the rules.

 

Go Back   Doom9's Forum > General > Decrypting

Reply
 
Thread Tools Search this Thread Display Modes
Old 24th April 2007, 04:32   #141  |  Link
arnezami
Registered User
 
Join Date: Sep 2006
Posts: 390
Quote:
Originally Posted by awhitehead View Post
Both 0.2.2 and 0.2.4 work for me now, both without the .txt file, and with it, if it contains a valid device or processing key. 0.2 didn't like the presence of .txt file, but works without it.

Tested with US release of "Syriana"
I can't work without txt file! Which means it somehow gets the txt file from a different directory. But 0.2 working when you remove the file... huh? I guess its possible your 0.2 gets his txt file from somewhere else when the file is not in its current dir (otherwise it read the one from its current dir and there is something wrong with it). Something like that.

I guess there is a problem with accessing the current dir or something (maybe your PATH settings). Bah. I hate this directory stuff.

Can you put the exe file in a different directory and see what happens? If you have a working setup can you remove/rename all occurences of the txt file on your entire HDD (one by one) and see which one is accessed?

Thanks.

arnezami

Last edited by arnezami; 24th April 2007 at 04:39.
arnezami is offline   Reply With Quote
Old 24th April 2007, 04:46   #142  |  Link
awhitehead
Registered User
 
Join Date: Jan 2007
Location: Tel-Aviv, Israel
Posts: 185
Quote:
Originally Posted by arnezami View Post
Can you put the exe file in a different directory and see what happens? If you have a working setup can you remove/rename all occurences of the txt file on your entire HDD (one by one) and see which one is accessed?
*sigh* You are right. Fixed my PATH, moved the programs to a new directory, re-run.

0.2.0 just dies with "Can't open file..."

0.2.2 and 0.2.4 print First u mask nr and First uv and then die.

With correct entry in the ProcessingDeviceKeysSimple.txt 0.2.4 and 0.2.2 still work, though, and with file present, but without the correct keys, complain about lack of keys.
awhitehead is offline   Reply With Quote
Old 24th April 2007, 05:04   #143  |  Link
arnezami
Registered User
 
Join Date: Sep 2006
Posts: 390
Quote:
Originally Posted by awhitehead View Post
*sigh* You are right. Fixed my PATH, moved the programs to a new directory, re-run.

0.2.0 just dies with "Can't open file..."

0.2.2 and 0.2.4 print First u mask nr and First uv and then die.

With correct entry in the ProcessingDeviceKeysSimple.txt 0.2.4 and 0.2.2 still work, though, and with file present, but without the correct keys, complain about lack of keys.
Ok. So apart from crashing when no file is present it all works right?

Also try this: aacskeys v0.2.5

It should give (what it thinks is) the current path and it now uses that path. This prevents it from using the PATH stuff and removes the ambiguity.

arnezami

[edit] Have you also tried the new volumeid input feature?

Last edited by arnezami; 24th April 2007 at 05:12.
arnezami is offline   Reply With Quote
Old 25th April 2007, 13:44   #144  |  Link
Neo2011
Registered User
 
Join Date: Feb 2007
Posts: 6
Quote:
Originally Posted by arnezami View Post
Ok. I'm quite busy extending/improving aacskeys.

I'm also working on BDAV support. But I have a problem. Maybe somebody else can help me here .

I need to extract the Binding Nonce. There is a command for that (which should work after AACS-Auth). The problem is in this command an address needs to be filled: LBA Extend. But I have no idea what to put there... Sure it has to be the same address the Binding Nonce was written to but how do I get this information??

Can anybody help?

Thanks.

arnezami
I found the LBA Extend Value of the BD-RE. The LBA of the file "\AACS\AACS_av\Unit_Key_RW.inf" is the one.

This is the ScreenShot of IsoBuster 2.1. In this picture, "16800=0x000041A0" is the address.
Name:  LBA_ext2.png
Views: 16076
Size:  23.8 KB

Last edited by Neo2011; 15th June 2007 at 18:15.
Neo2011 is offline   Reply With Quote
Old 26th April 2007, 18:59   #145  |  Link
arnezami
Registered User
 
Join Date: Sep 2006
Posts: 390
Quote:
Originally Posted by Neo2011 View Post
I found the LBA Extend Value of the BD-RE. The LBA of the file "\AACS\AACS_av\Unit_Key_RW.inf" is the one.

This is the ScreenShot of IsoBuster 2.1. In this picture, "16800=0x000041A0" is the address.
Thanks .

Is it possible for you to see if the LBA is the exactly same for every disc and any content?

arnezami


PS. As an aside: I've put the 0.2.5 version in my first post of this thread since it seems to be working quite well .

Last edited by arnezami; 26th April 2007 at 21:00.
arnezami is offline   Reply With Quote
Old 27th April 2007, 03:18   #146  |  Link
PepsiLee2001
Registered User
 
Join Date: Jan 2007
Posts: 47
Quote:
Originally Posted by arnezami View Post
Is it possible for you to see if the LBA is the exactly same for every disc and any content?
I have another BDAV disc that own the same file size & LBA value with Neo2011 post one.
PepsiLee2001 is offline   Reply With Quote
Old 27th April 2007, 13:47   #147  |  Link
Neo2011
Registered User
 
Join Date: Feb 2007
Posts: 6
Quote:
Originally Posted by arnezami View Post
Is it possible for you to see if the LBA is the exactly same for every disc and any content?
My another BD-RE Disc's LBA is another one.
Ex. 16832 , 16768. etc.
Neo2011 is offline   Reply With Quote
Old 27th April 2007, 19:14   #148  |  Link
awhitehead
Registered User
 
Join Date: Jan 2007
Location: Tel-Aviv, Israel
Posts: 185
Quote:
Originally Posted by Neo2011 View Post
My another BD-RE Disc's LBA is another one.
Ex. 16832 , 16768. etc.
*sigh*

Seems like the real solution is to write a (limited) UDF 2.5 filesystem parser, that would be able to read the disk, parse the volume descriptors, traverse the chain to root dir file entry of the file we want, and figure out at what LBA needed files start.

Recently I was tracking down a problem while trying to figure out why a particular HD-DVD drive is capable of reading a Fox Pathe HD-DVD disc, while a different one could not, and if it was a filesystem or mastering problem on the disc or a problem with the drive. To do that, I started writing a small set of scripts that call plscsi, send the commands, and then parse the output, but this is nowhere near userfriendly. In addition I'm lazy, so instead of reading UDF 2.5 spec, I started by just randomly reading blocks, and trying to see if I can parse them.

In any event, in order to do that you need to send the following CDBs to the drive:
Get Capacity
25 00 00:00:00:00 00 00:00 00

Example (on a DVD, since this is what I have on hand):
Code:
darkstar:~/plscsi$ plscsi -v -x "25 00 00:00:00:00 00 00:00 00" -i 8 
x 00000000 25 00 00:00:00:00 00 00:00 00 .. .. .. .. .. .. "%@@@@@@@@@"
x 00000000 00:18:94:FF 00:00:08:00 .. .. .. .. .. .. .. .. "@XT?@@H@"
// 0 = plscsi.main exit int
darkstar:~/plscsi$ df -h /mnt/cdrom 
Filesystem   Size   Used  Avail Capacity  Mounted on
/dev/disk1   3.1G   3.1G     0B   100%    /mnt/cdrom
darkstar:~/plscsi$
Bytes 2-5 (we count from zero) are the total number of blocks - 1 on a disk. Blocks 7-8 are the sector byte size (which should be 2048 bytes for the optical discs)

So for example
800h = 2048 bytes/sector
1894FFh = 1611007

1611008 sectors * 2048 bytes = 3299244384 bytes ~= 3.1 G which is what df confirms.

Then you READ(10) the blocks on the disk:
Code:
darkstar:~/plscsi$ plscsi -v -x "28 00 00:00:00:10 00 00:01 00" -i x800
x 00000000 28 00 00:00:00:10 00 00:01 00 .. .. .. .. .. .. "(@@@@P@@A@"
x 00000000 01:43:44:30 30:31:01:00 20:20:20:20 20:20:20:20 "ACD001A@        "
x 00000010 20:20:20:20 20:20:20:20 20:20:20:20 20:20:20:20 "                "
x 00000020 20:20:20:20 20:20:20:20 4B:55:4D:49 54:41:43:48 "        KUMITACH"
x 00000030 49:20:20:20 20:20:20:20 20:20:20:20 20:20:20:20 "I               "
x 00000040 20:20:20:20 20:20:20:20 00:00:00:00 00:00:00:00 "        @@@@@@@@"
x 00000050 00:95:18:00 00:18:95:00 00:00:00:00 00:00:00:00 "@UX@@XU@@@@@@@@@"
x 00000060 00:00:00:00 00:00:00:00 00:00:00:00 00:00:00:00 "@@@@@@@@@@@@@@@@"
x 00000070 00:00:00:00 00:00:00:00 01:00:00:01 01:00:00:01 "@@@@@@@@A@@AA@@A"
x 00000080 00:08:08:00 2A:00:00:00 00:00:00:2A 01:01:00:00 "@HH@*@@@@@@*AA@@"
x 00000090 00:00:00:00 00:00:01:02 00:00:00:00 22:00:03:01 "@@@@@@AB@@@@"@CA"
x 000000A0 00:00:00:00 01:03:00:08 00:00:00:00 08:00:6A:07 "@@@@AC@H@@@@H@jG"
x 000000B0 01:0C:17:30 00:02:00:00 01:00:00:01 01:00:4B:55 "ALW0@B@@A@@AA@KU"
x 000000C0 4D:49:54:41 43:48:49:20 20:20:20:20 20:20:20:20 "MITACHI         "
x 000000D0 20:20:20:20 20:20:20:20 20:20:20:20 20:20:20:20 "                "
...
x 00000220 20:20:20:20 20:20:20:20 20:20:20:20 20:20:20:20 "                "
x 00000230 20:20:20:20 20:20:20:20 20:20:20:20 20:20:44:56 "              DV"
x 00000240 44:20:53:74 75:64:69:6F 20:50:72:6F 3A:34:2E:30 "D Studio Pro:4.0"
x 00000250 2E:33:2C:20 44:53:50:49 6E:74:65:72 66:61:63:65 ".3, DSPInterface"
x 00000260 3A:33:38:32 2C:20:44:56 44:41:75:74 68:6F:72:69 ":382, DVDAuthori"
x 00000270 6E:67:3A:33 37:32:2C:20 44:56:44:42 61:73:65:3A "ng:372, DVDBase:"
x 00000280 33:39:36:28 45:6E:63:6F 64:65:72:3A 20:34:38:33 "396(Encoder: 483"
x 00000290 29:2C:20:4F 78:79:67:65 6E:65:3A:34 30:39:20:20 "), Oxygene:409  "
x 000002A0 20:20:20:20 20:20:20:20 20:20:20:20 20:20:20:20 "                "
...
x 00000310 20:20:20:20 20:20:20:20 20:20:20:20 20:20:20:20 "                "
x 00000320 20:20:20:20 20:20:20:20 20:20:20:20 20:32:30:30 "             200"
x 00000330 36:30:37:30 31:31:32:32 33:34:38:30 30:00:30:30 "6070112234800@00"
x 00000340 30:30:30:30 30:30:30:30 30:30:30:30 30:30:00:30 "00000000000000@0"
x 00000350 30:30:30:30 30:30:30:30 30:30:30:30 30:30:30:00 "000000000000000@"
x 00000360 30:30:30:30 30:30:30:30 30:30:30:30 30:30:30:30 "0000000000000000"
x 00000370 00:01:00:00 00:00:00:00 00:00:00:00 00:00:00:00 "@A@@@@@@@@@@@@@@"
x 00000380 00:00:00:00 00:00:00:00 00:00:00:00 00:00:00:00 "@@@@@@@@@@@@@@@@"
...
x 000007F0 00:00:00:00 00:00:00:00 00:00:00:00 00:00:00:00 "@@@@@@@@@@@@@@@@"
// 0 = plscsi.main exit int
darkstar:~/plscsi$
In the READ(10) CDB 28 00 xx:xx:xx:xx 00 yy:yy 00
bytes 2:3:4:5 (xx) are the start blocks to read from. 16 is generally the first block on optical media. Bytes 7:8 (yy) are number of blocks to read (yes, you can do bulk). I only want one block, and previous CDB told me how large are blocks on this media, so I expect back 800h = 2048 bytes.

Indeed in the drive is a DVD that was authored using Apple DVD Studio Pro and labeled "KUMITACHI". 2006-07-01 12:23:48 is the creation date and time.

In reality, if you are writing the real thing, you want to read in 3 different places on a disk to obtain the Anchor Volume Descriptor Pointer. It can be 256 blocks into the filesystem, at the last block of the filesystem, or at the (last block - 256) block of the filesystem. Last two cases are more common with rewritable media that was not finalized. Since HD-DVDs are pressed and generally reasonably well authored, currently I just ignore the other two cases.

So... 256 = 100h and we started 16 blocks into the disk, so, we want to start by reading 272 (110h) blocks in, and parse the AVDP to figure out where Main Volume Descriptor Sequence is. MVDP will give us either a Logical Volume Descriptor (likely) or Partition Descriptor (very unlikely to see in the field now a days, and comes up on disks that have say HFS+ filesystem and UDF filesystem on them, so I currently just ignore this.) location. Both of the above will point us at the File Set Descriptor, that in turn will give us Root Directory File Entry location (Recall that directories are just files, that have File ID Descriptors of their children files as their File Data).

And then you traverse the disk, parse the FSD, get the RDFE, parse RDFE, find the correct file corresponding to the correct subdirectory, read it's FD, and figure out which block corresponds to the file you want.

I do some of this using scripts, and a fair bit of the above by hand right now (decoding file descriptors, parsing RDFE, etc). I am not sure what my current time commitments are, and if I'll have an opportunity to code something, so if anyone wants to get a crack at this, and contribute a module for aacskeys - Go for it! BD fans - here is your opportunity to shine!

UDF specs are at http://www.osta.org/specs/
awhitehead is offline   Reply With Quote
Old 29th April 2007, 08:32   #149  |  Link
arnezami
Registered User
 
Join Date: Sep 2006
Posts: 390
This may be a stupid question.

But has anyone tried to retrieve a VUK for a BDAV disc using bluray key finder?

If we had a VUK it would be possible to see if we can properly decrypt/dump a bdav disc. If so then we know what VUK a certain disc has and we would have a validated crib to work with. Which would make it easier to figure out the LBA Extend/Binding Nonce/AES-H/Usage file/Kpa stuff.

If you haven't tried this yet please do .

arnezami

Last edited by arnezami; 29th April 2007 at 08:37.
arnezami is offline   Reply With Quote
Old 29th April 2007, 10:45   #150  |  Link
PepsiLee2001
Registered User
 
Join Date: Jan 2007
Posts: 47
Quote:
Originally Posted by arnezami View Post
This may be a stupid question.

But has anyone tried to retrieve a VUK for a BDAV disc using bluray key finder?

If we had a VUK it would be possible to see if we can properly decrypt/dump a bdav disc. If so then we know what VUK a certain disc has and we would have a validated crib to work with. Which would make it easier to figure out the LBA Extend/Binding Nonce/AES-H/Usage file/Kpa stuff.
arnezami

I had tried it, but bluray key finder can't find it.
PepsiLee2001 is offline   Reply With Quote
Old 29th April 2007, 11:27   #151  |  Link
mrazzido
Registered User
 
mrazzido's Avatar
 
Join Date: Jan 2007
Posts: 114
Quote:
Originally Posted by PepsiLee2001 View Post
I had tried it, but bluray key finder can't find it.
hey!

when you have time

made with winhex a copy of the ram from "win dvd"

pack this with rar .

upload to rapidshre i try to find the key in the ram then.

for BDAV

i think its another OFFSET.
mrazzido is offline   Reply With Quote
Old 29th April 2007, 12:41   #152  |  Link
arnezami
Registered User
 
Join Date: Sep 2006
Posts: 390
Quote:
Originally Posted by PepsiLee2001 View Post
I had tried it, but bluray key finder can't find it.
Does it work for normal (prerecorded) movies?

arnezami


PS. Only post links to your memdumps privately (using pms). Because they (could) contain sensitive information about your drive.
arnezami is offline   Reply With Quote
Old 29th April 2007, 12:48   #153  |  Link
mrazzido
Registered User
 
mrazzido's Avatar
 
Join Date: Jan 2007
Posts: 114
Quote:
Originally Posted by arnezami View Post


PS. Only post links to your memdumps privately (using pms). Because they (could) contain sensitive information about your drive.


yeah i know

to pepsilee2001




when you made a memdump send it to my PM.
mrazzido is offline   Reply With Quote
Old 29th April 2007, 14:46   #154  |  Link
PepsiLee2001
Registered User
 
Join Date: Jan 2007
Posts: 47
Quote:
Originally Posted by arnezami View Post
Does it work for normal (prerecorded) movies?
Yes, it work fine for normal BDMV.


Quote:
Originally Posted by arnezami View Post
Does it work for normal (prerecorded) movies?

PS. Only post links to your memdumps privately (using pms). Because they (could) contain sensitive information about your drive.
OK, It's uploading.
PepsiLee2001 is offline   Reply With Quote
Old 4th May 2007, 08:30   #155  |  Link
arnezami
Registered User
 
Join Date: Sep 2006
Posts: 390
Hi all,

The time I talked about earlier has come.

Thanks for all .

Here are all the source and exe files of my programs:

aacskeys v0.2.6 (exe)
aacskeys v0.2.6 (source)

fetchvid v0.2.13 (exe)
fetchvid v0.2.13 (source, very messy, read remarks)

fwchecksum (exe)
fwchecksum (source, messy)

dumpvid v0.3 bd (exe)
dumpvid v0.3 bd (source)

Or on rapidshare.

All my contributions to these programs are released in Public Domain.

Remember: always keep going as a collective .

Double your efforts.

Bye

arnezami

PS. Just to be clear: yes this is my last post.

Last edited by arnezami; 13th June 2007 at 20:38.
arnezami is offline   Reply With Quote
Old 4th May 2007, 08:53   #156  |  Link
mrazzido
Registered User
 
mrazzido's Avatar
 
Join Date: Jan 2007
Posts: 114
Hey! arnezami great for source files!

i hope no one used this source to build there own programm and made profit!!!
mrazzido is offline   Reply With Quote
Old 4th May 2007, 12:10   #157  |  Link
insomniak1981
Guest
 
Posts: n/a
Many thanks for all your time and hard work arnezami, you will be greatly missed.
  Reply With Quote
Old 4th May 2007, 12:43   #158  |  Link
bourke
Registered User
 
Join Date: Feb 2007
Posts: 85
Quote:
Originally Posted by arnezami View Post
Hi all,
The time I talked about earlier has come.
Does anyone have a link to the post(s) where he mentioned this before?
bourke is offline   Reply With Quote
Old 4th May 2007, 12:47   #159  |  Link
mrazzido
Registered User
 
mrazzido's Avatar
 
Join Date: Jan 2007
Posts: 114
Quote:
Originally Posted by bourke View Post
Does anyone have a link to the post(s) where he mentioned this before?




http://forum.doom9.org/showthread.ph...940#post993940
mrazzido is offline   Reply With Quote
Old 4th May 2007, 16:33   #160  |  Link
zeroprobe
Registered User
 
Join Date: Jan 2002
Posts: 155
Why is he disappearing?
zeroprobe is offline   Reply With Quote
Reply

Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT +1. The time now is 05:03.


Powered by vBulletin® Version 3.8.11
Copyright ©2000 - 2019, vBulletin Solutions Inc.