18th February 2007, 17:21 | #301 | Link | ||
Registered User
Join Date: Jan 2007
Location: Internet
Posts: 378
|
Quote:
1.) A Host Certificate. This can be revoked so it won't work forever. But until they enforce bus encryption everyone can get a new one. Because of that
Quote:
2.) A Host Private Key. This is hard to get because it does not travel on the bus. But, correct me if I'm wrong, I don't see a mechanism for revoking a Private Key, so this will work forever? The rest is sending the right commands to the drive. |
||
18th February 2007, 17:30 | #302 | Link | |
Registered User
Join Date: Sep 2006
Posts: 390
|
Quote:
|
|
18th February 2007, 18:18 | #303 | Link |
(Trial period expired!)
Join Date: Jan 2007
Location: Halifax, NS, CANADA
Posts: 17
|
...assuming you have just one single processor. But brute-force keyspace searches are almost perfectly scalable. 48 bits encryption is laughable in crypto security terms these days. Even DES which is -in theory- 56 bits (or 8 orders of magnitude more difficult in binary speak) is no challenge at all. Don't worry, if it ever comes down to "cracking" a 48 bit key, this will be done. Either by an open distributed computing effort, or by people who have more means (f.e. admins of a large office network who will let it run after hours).
|
18th February 2007, 18:37 | #304 | Link |
*****
Join Date: Feb 2005
Posts: 5,642
|
Most keys contain only letters, numbers and spaces. So instead of 256 possible values for each byte, there are only 26x2+10+1=63 values.
63^6 = 62,523,502,209
How long does it approximately take to check a single key? Or how many keys can be checked per second?
__________________
MPC-HC 2.1.7.2 |
18th February 2007, 19:21 | #306 | Link |
Registered User
Join Date: Sep 2006
Posts: 390
|
Don't forget what the objective is: making it easier than sniffing or extracting from a Software player. A distributed project clearly is overkill for getting only one Volume ID. Let's keep some perspective here.
Last edited by arnezami; 18th February 2007 at 20:28. |
18th February 2007, 21:40 | #310 | Link |
Registered User
Join Date: Dec 2006
Posts: 202
|
Actually a plain-text-attack should work ... since we know the public key, we can try out all keys from a memory dump as private key, just like musix64 found his first titlekey. Only difference is that ECDSA is quite slow ...
|
18th February 2007, 23:31 | #311 | Link | |
Registered User
Join Date: Jan 2007
Location: Internet
Posts: 378
|
Quote:
I'm sure the people at the AACS LA have internet too, so I bet they will kick all their licensees in their b*tts to not use this scheme any more.
Looking for an alternative way to get the VolumeID, I asked myself what happens when I hammer the drive with VolumeID requests, using every possible AGID, when a software player performs the AACS-Authentication? Well, I've tested that and the answer is: the drive gives you the VolumeID!! But depending on your software player the timing is very tricky:
Your favorite software player A: Start the hammering, start the software player, hit "play", wait a few seconds, receive a VolumeID.
Your favorite software player B: Don't dare to start the hammering until you pressed "play", then, if you start too early, the player simply stops. If you start too late, you miss the present.
My advice: use software player A.
This method should also work on Blu-Ray, you just need to change the media type code in the CDB. I've attached a new Version of DumpVID with hammering support (no Blu-Ray support!). |
|
19th February 2007, 05:53 | #312 | Link | |
Registered User
Join Date: Sep 2006
Posts: 390
|
Quote:
Maybe we can "automate" the timing somehow or see what the difference in commands to the drive is (between Player A and B) that makes it stop working... (how does it "feel" there is something wrong?) Maybe less hammering, more "precise bombing"? Maybe some playing around with AGIDs before it all starts?
But anyway it's fantastic. It's another alternative method of retrieving the Volume ID! (A = PowerDVD it seems...)
Btw: now that I think about it, it makes perfect sense it gives away the VolumeID: the MMC command sent to the drive doesn't contain any authentication information (like a Bus-MAC). This is done by the Software Player beforehand (AACS-Auth). And the drive simply thinks you are the Player!! There is only an AGID (0-3) to try. So this will always work (it's another fundamental flaw in the system: as long as there is no Bus encryption this should work and my drive isn't capable of Bus encryption, so there are thousands of people with drives not capable of Bus encryption...).
This may become the easiest way (apart from the Host Private Key) of getting the VID in the future because it happens outside the Player and doesn't install or change a (detectable) service or driver. Cool.
arnezami
PS. Not so important but good to know: the cds dumping doesn't work on W2K: it seems to always hang on that OS (and requires a hard reset of the system to shut it down). In XP it also takes one or two seconds (which is long for 64kb) but it does work (well, gives zeros that is: this is probably the most meaningless command they invented, or does it work after AACS-auth? or after some special secret AACS-auth?).
Last edited by arnezami; 19th February 2007 at 08:04. |
|
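A toy model of the flaw described in the post above, added here as an illustration and not part of the thread or of DumpVID: the drive keys its authentication state on the AGID alone, so any caller that names an authenticated AGID is served, while binding each request to the bus key closes that gap. The `Drive` class, the `bind_requests` flag and the HMAC-SHA256 request tag are assumptions made for this sketch, not AACS or MMC definitions.

```python
import hashlib
import hmac
import os

def request_tag(bus_key, agid, nonce):
    # HMAC-SHA256 is a stand-in for whatever MAC a real bus protocol would use.
    return hmac.new(bus_key, bytes([agid]) + nonce, hashlib.sha256).digest()

class Drive:
    """Constructed model of a drive's per-AGID authentication state."""

    def __init__(self, volume_id, bind_requests):
        self.volume_id = volume_id
        self.bind_requests = bind_requests  # False = behaviour described in the post
        self.sessions = {}                  # agid -> bus key, set when auth completes

    def complete_auth(self, agid):
        """Stand-in for the whole AACS-Auth handshake; the host gets the bus key."""
        bus_key = os.urandom(16)
        self.sessions[agid] = bus_key
        return bus_key

    def read_volume_id(self, agid, nonce=b"", tag=b""):
        bus_key = self.sessions.get(agid)
        if bus_key is None:
            return None                     # nobody authenticated on this AGID
        if self.bind_requests:
            expected = request_tag(bus_key, agid, nonce)
            if not hmac.compare_digest(expected, tag):
                return None                 # caller cannot prove it holds the bus key
        return self.volume_id

def second_process_reads(drive):
    """A process that never authenticated names every AGID (0-3) in turn."""
    return [drive.read_volume_id(agid) for agid in range(4)]

def demo():
    """Return {bind_requests: (player_served, other_process_served)}."""
    vid = bytes(16)                         # constructed placeholder Volume ID
    results = {}
    for bind in (False, True):
        drive = Drive(vid, bind_requests=bind)
        bus_key = drive.complete_auth(agid=1)   # the player authenticates
        nonce = os.urandom(8)
        player = drive.read_volume_id(1, nonce, request_tag(bus_key, 1, nonce))
        others = second_process_reads(drive)
        results[bind] = (player == vid, any(r is not None for r in others))
    return results

if __name__ == "__main__":
    print(demo())
```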
19th February 2007, 10:18 | #313 | Link |
Resident DRM Hater
Join Date: Oct 2006
Location: International waters
Posts: 242
|
The player could detect this program just as it could detect a driver, however, it wouldn't be exceptionally difficult to prevent it from doing either.
I suspect the reason the player reacts poorly is simply because the drive is having two "conversations" at once, and so the player isn't getting the replies it's expecting because some of them are replies to this program. Or, perhaps once the drive has given the volume ID it won't give it again, so the player doesn't get a copy. Could the program not sniff to tell when the player is communicating, so it knows when to start hammering? Or have a button/command line which automatically starts the player, delays however long, and starts hammering (or vice-versa)?
__________________
Because Moogles pwn. |
20th February 2007, 00:36 | #314 | Link |
Registered User
Join Date: Feb 2007
Posts: 71
|
Hi all
First, congrats to all, very interesting reading here. Just got an xbox360 dvd drive and started playing a little.
Firmware: actually unable to know what cpu is inside the main big chip, it's unnamed, no brand, no model number... actually unable to disassemble. If there are any good firmware hackers out here, pm me to help find the main cpu.
Just sniffed usb traffic between drive and powerdvd 7.2, unfortunately the authentication can not be reproduced, because every time I send the same host certificate challenge, I receive a different drive certificate challenge and a different drive key, then if I send the host key it returns an error, so I suppose anydvd has the host private key (I've not sniffed anydvd, are you sure it asks aacs authentication to the drive?)
Sniffed drive keys and drive certificate challenge data are not present in firmware, at least not in clear, so I guess the drive has something like a master private key (I'm not a crypto specialist, I'm not a specialist in anything, just a hobbyist).
I'm using plscsi to send cdb commands, it's nice. Here are some examples of using plscsi:
plscsi.exe -v -x "A4 00 00 00 00 00 00 02 00 10 00 00" -i x8 // request Authentication Grant ID
plscsi.exe -v -x "A3 00 00 00 00 00 00 02 00 74 01 00" -o x74 -f hostchal1.bin // send host certificate challenge
plscsi.exe -v -x "A4 00 00 00 00 00 00 02 00 74 01 00" -i x74 // request drive certificate challenge
plscsi.exe -v -x "A4 00 00 00 00 00 00 02 00 54 02 00" -i x54 // request drive key
plscsi.exe -v -x "A3 00 00 00 00 00 00 02 00 54 02 00" -o x54 -f hostkey1.bin // send host key
plscsi.exe -v -x "AD 00 00 00 00 00 00 03 00 50 00 00" -i x50 // read BCA
About the control data zone, it's hidden from the simple "read" cdb command, the drive forbids you to read negative LBA sectors. The read command accepts positive LBA sectors, LBA sector 0 is PSN (physical sector number) 30000, so you can't read the control data zone that is PSN 2F200-2FDFF, unless you hack the firmware to skip the LBA positive check.
I don't know what Kend00 has tried, anyway the read disc structure - (15h) read Copyright data section works, but outputs all zeroes, at least for kingkong, miami vice and the bourne supremacy.
plscsi.exe -v -x "AD 00 00 00 00 00 00 15 F8 04 00 00" -i xF804 -t CDS.bin
P.S. I've tried to send the read disc structure - read volume ID cdb command when powerdvd plays, but I had no luck.
plscsi.exe -v -x "AD 00 00 00 00 00 00 80 00 24 00 00" -i x24
It seems that the drive does not accept repetition of authentication procedure steps, in fact powerdvd repeats the procedure 3-4 times. By procedure I mean:
- clear AGID
- request an AGID
- send host certificate challenge
- request drive certificate challenge
- request drive key
- send host key
- read disc structure, volume id (format code 80h) (btw, it seems to not read other stuff here, like pre recorded media serial number or MKB in the leadin)
Last edited by Geremia; 20th February 2007 at 02:16. |
20th February 2007, 15:21 | #315 | Link |
Registered User
Join Date: Feb 2007
Posts: 71
|
Oops, I made some mistakes, I'm just learning on the way.
The returned drive certificate is always the same, it's the Nonce that changes every time (a random number), and the Nonce is necessary for the next step, report key - drive key, but this is not the drive public key (which is inside the previous challenge), it's a signed (with drive private key) info for the host to calculate the bus key. Anydvd must know the powerdvd private key to be able to sign the send key - drive key cdb command (and also must have the elliptic curve of whatever it is). In the firmware, there is no visible drive ID or drive public key. |
20th February 2007, 16:14 | #316 | Link | |
Registered User
Join Date: Jan 2007
Location: Internet
Posts: 378
|
Quote:
@arnezami, HyperHacker
This timing stuff depends on the player and maybe on the system, now only one software player makes trouble, maybe this "feature" will spread. These ideas like monitoring the player, preventing the detection of the prog, are beyond my knowledge, also I was looking for a more independent way to get the VID, I discovered this method by accident when probing fancy ideas. I won't go further this way and will concentrate on my "use of keys" application, not the "get of keys" way. |
|
20th February 2007, 17:10 | #317 | Link |
Registered User
Join Date: Feb 2007
Posts: 1
|
Well I was just reading this thread when I was linking to a blog post I wrote and I thought I might mention I have actually made an attempt to explain the subset-difference algorithm here. Hope it is of at least some help.
|
20th February 2007, 18:27 | #318 | Link | |
Registered User
Join Date: Sep 2006
Posts: 390
|
Quote:
Here you can read my explanation: Understanding AACS (including Subset-Difference) Regards, arnezami |
|
20th February 2007, 20:28 | #319 | Link | |
Registered User
Join Date: Feb 2007
Posts: 71
|
Quote:
sptd_sb.sptd.Cdb[8] = 0xF8;
sptd_sb.sptd.Cdb[9] = 0x02;
// No AGID
sptd_sb.sptd.Cdb[10] = 0;
// Control is 0, don't know whats this for
sptd_sb.sptd.Cdb[11] = 0;
// Zero the rest of the structure
sptd_sb.sptd.Cdb[12] = 0;
sptd_sb.sptd.Cdb[13] = 0;
sptd_sb.sptd.Cdb[14] = 0;
sptd_sb.sptd.Cdb[15] = 0;
ZeroMemory(data_buf, 63492);
ZeroMemory(sptd_sb.SenseBuf, MAX_SENSE_LEN);
If I'm not wrong, you send the cdb command to retrieve FB02h bytes (including response header) but you expect FB04h (63492) bytes back. The correct value for the cdb is FB04 because you will have 4 bytes of header (2 bytes of length + 2 bytes reserved).
plscsi.exe -v -x "AD 00 00 00 00 00 00 15 F8 04 00 00" -i xF804 -t dump.bin
These sectors are readable, because you don't get a sense error, but presumably the drive firmware doesn't output any data for us unauthenticated people. The maximum data to retrieve is 63488=31 sectors, so the last sector is out, but even if you read it, it's the same all zeroes. |
|
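The length mismatch discussed in the post above can be checked mechanically. The following is an added example, not code from the thread or from DumpVID: it decodes a 12-byte READ DISC STRUCTURE (ADh) CDB and compares its allocation length with the host buffer size. The first sample CDB is constructed from the quoted snippet (bytes 8-9 = F8 02), with the remaining bytes assumed to match the plscsi command in the same post; the function and class names are hypothetical.

```python
from dataclasses import dataclass

READ_DISC_STRUCTURE = 0xAD

@dataclass
class ReadDiscStructure:
    media_type: int         # byte 1, low nibble
    format_code: int        # byte 7 (15h and 80h appear in this thread)
    allocation_length: int  # bytes 8-9, big-endian
    agid: int               # byte 10, top two bits (0-3)
    control: int            # byte 11

def parse_cdb(hex_string):
    """Decode a READ DISC STRUCTURE CDB written as space-separated hex."""
    cdb = bytes.fromhex(hex_string)
    if len(cdb) != 12:
        raise ValueError(f"expected 12 CDB bytes, got {len(cdb)}")
    if cdb[0] != READ_DISC_STRUCTURE:
        raise ValueError(f"opcode {cdb[0]:02X}h is not READ DISC STRUCTURE")
    return ReadDiscStructure(
        media_type=cdb[1] & 0x0F,
        format_code=cdb[7],
        allocation_length=int.from_bytes(cdb[8:10], "big"),
        agid=cdb[10] >> 6,
        control=cdb[11],
    )

def check_transfer(hex_string, host_buffer_len):
    """Return findings about CDB allocation length versus the host buffer."""
    cmd = parse_cdb(hex_string)
    findings = []
    if cmd.allocation_length < host_buffer_len:
        short = host_buffer_len - cmd.allocation_length
        findings.append(f"CDB requests {cmd.allocation_length:04X}h bytes, host "
                        f"expects {host_buffer_len:04X}h: reply short by {short}")
    elif cmd.allocation_length > host_buffer_len:
        findings.append(f"CDB requests {cmd.allocation_length:04X}h bytes, host "
                        f"buffer holds only {host_buffer_len:04X}h")
    return findings

# Constructed from the quoted snippet: bytes 8-9 = F8 02, other bytes assumed.
SNIPPET_CDB = "AD 00 00 00 00 00 00 15 F8 02 00 00"
# Taken from the plscsi command lines in the thread.
PLSCSI_CDS_CDB = "AD 00 00 00 00 00 00 15 F8 04 00 00"
PLSCSI_VID_CDB = "AD 00 00 00 00 00 00 80 00 24 00 00"

if __name__ == "__main__":
    print(check_transfer(SNIPPET_CDB, 63492))
    print(check_transfer(PLSCSI_CDS_CDB, 0xF804))
    print(parse_cdb(PLSCSI_VID_CDB))
```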
20th February 2007, 21:06 | #320 | Link |
Registered User
Join Date: Feb 2007
Posts: 71
|
Hey, just sniffed my 3 movies, all from universal pictures:
kingkong
the bourne supremacy
miami vice
In the sniff dump, the volumeID has first 8 bytes 40 00 date and time, the next 8 bytes are 00 20 20 20 20 20 00 00. All the movies have the copyright data section all zeroes, maybe it's ok like this, the second part is filled with 20 because no data in the CDS.
Can anyone try to read the control data segment from a movie that has a complete 16 byte volume ID?
set PLSCSI=\\.\I: <---- I: is my drive letter
plscsi.exe -v -x "AD 00 00 00 00 00 00 15 08 04 00 00" -i x804 -t CDS.bin
Just the first sector should be enough.
Get plscsi here: http://members.aol.com/plscsi/2002/09/22/win/plscsi.exe
Last edited by Geremia; 20th February 2007 at 21:27. |