BackupHDDVD, a tool to decrypt AACS protected movies
maksa
12th January 2007, 20:30
@bob0r
And prove the people here wrong: http://www.hdnowonline.com/Comment_Who_Is_Muslix.html
If you don't dare post keys, I am sure you can find a way to do this anonymously.
If you have followed, we've seen this paranoid article from someone from HD Camp. Of course it is possible to find the keys. Simple cryptology principles (without knowing programming) will tell you that full obfuscation of the code is not possible and it could be reverse engineered. AACS knows that, and the task is only to make it labour intensive. That is what they did. Unfortunately they are operating with a public algorithm, a known length of the crypto word and known material to be scrambled.
That is what could help us to reduce the number of trials to find a key. This approach is known from WWII as the "crib" approach. We assume that parts of the plain text are known and present in the scrambled message. We try combinations of the keys till we get that text right and easily exclude all the wrong keys. Hashing is complicating things a bit, but I am sure that muslix64 is a smart guy (as all of the hackers out there) and will (or already has) find the way to get all the required keys.
diogen
12th January 2007, 20:43
Finding the device keys is useless and a bad idea. If you do get the device keys, there is still way too much coding needed to calculate the title keys. They will just revoke the player for future use.
Finding the title keys is a good idea, even better if small brother doesn't find out which player was used. Let the player calculate the title key and steal it.
It might not be as simple as that, based on Felten's series (http://www.freedom-to-tinker.com/).
...And prove the people here wrong...
It would be nice to have one confirmed case of his methodology working. But doing this only because of that website?
Based on the owner's posts on AVS and on the very page you linked to, it doesn't deserve even being paid attention to, IMHO.
Diogen.
Isochroma
12th January 2007, 20:45
It seems to me that the best course of action is to find a place in the player code where the key is plaintext, and insert some code to dump it to a file from there. That way, no memory dumps are necessary.
Then, ZIDRAV (http://sourceforge.net/projects/zidrav/) can be used to produce a difference file, which can be used to patch everyone's player to do the same. Then we can all start publishing keys...
cyberpass
12th January 2007, 21:22
This better not end up like DirecTV... A lot of hype at first about it being cracked, then nothing shows up, even to this day!
Doom9
12th January 2007, 22:01
Guys... back to topic please. I'm not gonna say it again.
stormlord
12th January 2007, 22:30
Why is everybody assuming that the required information is stored in just one location? That would make it much easier to break than if the key information is located in different locations. I'm not just talking player, database or disc in physical terms - but also why should all of the "key" be in, for example, just one location in memory, or one register - it could be a combination too. I have no cryptography experience of any kind nor any experience with breaking security on PCs. I do have experience with forms of protection on the good old Commodore 64 - and I can tell you this: a good protection does not do the obvious, it attempts to misguide you or even relocates or rewrites itself/encrypts itself - i.o.w. much like viral activity of the worst kind. Some protection can be broken by finding one key element (in general the easy ones, like a jump to a certain protection routine). In others, numerous parts and various types of protection will be scattered through the software, making it much more difficult to find everything. Probably the hardest thing to break would be if they did the protection/deprotection through a special circuit in hardware (with a write-once unique key in every player, no reading possibility). I recall one of the harder protections on the C64 made use of the sound chip (!) to generate a random value.
As for HD DVD or Bluray media: there will always be a way to break any form of protection, since it has to be able to be played. The matter is: how difficult do they make it and how easy/obvious is it. The challenge will be greater if they make it more difficult, and many people who try will give up because they lack the patience or the knowledge. There will always be people who have the ability to break it though, if they want.
<< START RANT >>
My largest problem with all of this is that there will be a lot of people who bought discs legitimately and they won't be able to play them with the best quality on each and every piece of hardware due to various forms of UNWANTED copy protection (DRM, AACS, HDCP, whatever...). When will the MPAA/RIAA finally get it that people do not WANT any of this, nor do they want to pay extra for it (because they definitely ARE paying for it). Region coding is bull in this day and age (many movies are released almost simultaneously around the globe), and the industry should be aware that the public thinks about it that way. Do they seriously think the player manufacturers and even dealers WANT all these problems with things like HDCP, region coding (customers nagging about it) etc...? I can understand perfectly that the studios want to protect their rights as copyright holders and want to make a profit on their products so that they can correctly & rightfully pay everybody involved in the production/distribution etc., but there is such a thing as overpricing and scaring customers away from buying these new products (that is how good new ideas and new techs fail). When multiple formats are being released, ultimately there always will be losers - & in general it's the early adopting end users/consumers (the ones who pay back all the R&D!!!) who end up with hardware or media they cannot use as they would have wanted. They get a beta product that only works half the way it should, they pay by far the most and often end up with unusable, quickly devaluing material. The industry should REWARD these people for being their guinea pigs!!! Instead they ROB them of any decent user experience, much like they claim to be robbed by piracy year after year (yet with ever increasing profits... don't they realise there is a ceiling to that??)
If they want piracy out of the world (which they will never be able to do entirely anyway), they 'd be better off taking other measures:
1) Lower the price of the media (album CDs often cost more than a full DVD out here - which are much more labour-intensive to master, anybody care to explain how that is logical?). Lower price means: more people buy the original. If backing up a disc costs almost as much as the original one - why bother copying? They could start lowering the cost by skipping all kinds of unwanted forms of copy protection, because all these schemes definitely cost money to develop + they cost extra in terms of hardware and hardware resources.
2) allow people to make a legit copy of their rightfully purchased media or provide cheap replacement themselves if a disc goes bad within a normal lifespan. Here in many European countries people already pay some form of copy tax on blank media any way, why don't they just make that the same for everybody everywhere + return part of the money to the people who really earn it (the artists, NOT the large publishing companies behind them - who rake up all the hard cash in a great many cases!) !!!
3) Pursue first and foremost mass piracy through illegit reprints, i.o.w. people who make loads of profit out of piracy. People will always copy for family and friends, you will never get that out. That's a battle lost before it's even started. Hell, even the musicians/artists copy themselves. The ones that claim they don't are usually a bunch of hypocrites or flat-out liars! IMHO, the better way would be to convince people to BUY the product if they think it is WORTH the money!
Nobody wants protected original media that does not play the way it should in EVERY player...
If the industry still doesn't realise people want players that play EVERYTHING: Blu Ray, HD DVD, DVD and CD alike -AND- do not have crap like region coding, HDCP etc.. that prevents them from playing back media they purchased legitimately.
When I buy discs at e.g. amazon.com in the USA and I live in Europe and I PAY for them and I PAY taxes for them - I want to be able to play them everywhere! Why buy them in the USA: there hardly are any titles in Europe available, let alone good ones!!!
(note that to my knowledge NONE of the Blu-ray titles listed on Amazon indicates which region they belong to or if they have region coding enabled)
That doesn't mean I want to fork out the scandalous amount of money for 2 players (let alone 4 if no one makes a hybrid Blu-ray/HD-DVD player) if I want to be able to play discs from the USA and Europe!
Hell, these players do not cost the Chinese that much to produce at all (not nearly as much as they are being sold at anyway) - early adopters pay all the R&D + the volumes are just too low.
They should give early adopters a reduction voucher for next generation product as a reward for BETATESTING their early release crap!!!
As for the HD-DVD vs Blu Ray battle, it's all politics that in the end consumers are not served by.
HD DVD's wider acceptance in the USA may have to do with better title releases and better mastering of the specific titles.
Here in Europe neither HD-DVD, nor blu ray have broken through (I guess it hasn't anywhere, but even far less here than in the USA) - and I'd say HD DVD even less!(less players/drives for PC, less titles, less brand recognition!)
Personally, all I care about is that in the end we get a good, versatile & quality product that works properly and can be played without too much of a hassle or harassment by all kinds of lame protection systems that ultimately none of the buyers want.
Haven't they learned their lessons yet from audio cd protection then??? The buying consumers didn't want it there either!
I stress: I'm talking about BUYING customers, not pirates...
And even then: just about everybody has a VCR, don't they? ALSO the RIAA/MPAA execs? Right: they pirate too! TV shows and movies shown on TV are also copyrighted!
It's the same bunch of hypocrites all over: they release/sell MP3/DivX players, they release/SELL VCRs, they release/SELL blank media for them, they release HDD recorders?
But hardly anybody can record or use them legitimately? Who are they kidding?
Aren't they making enough money yet by selling both the hardware and the software??? Oh, they would love us to pay for each time we play the media too I suppose?
<< END RANT >>
Mikey10
12th January 2007, 23:58
Well, known-plaintext attack worked really well for DeCSS ...
... but ...
wouldn't it be too abasing for the MPAA if this same lousy method would break this creepy-billion-dollar-concept AACS also?
by the way - muslix ...
... why had the Teaser_1.evo in your really awful^^ YouTube video just a filesize of 4,02 GB?
Mine has 9,2 gig; the 14,4 gig Teaser_2.evo was missing completely ...
LordSloth
13th January 2007, 00:26
Finally I can post!
I wanted to post this over the weekend but had to wait :mad:
Anyway, I can also confirm that BackupHDDVD properly decrypts EVOs when given the correct Title Keys.
I followed this posting http://pastebin.com/853659 for finding one for a movie. And after the lengthy search, interpret, and hex conversion the key actually worked in BackupHDDVD.
~Cheers
He-Man
13th January 2007, 00:48
I followed this posting http://pastebin.com/853659 for finding one for a movie.
??? Are you sure you gave the right link?
This is the only text I get if I follow your link; it doesn't seem to have any relation to HD-DVD encryption:
2/Reavers are bad mmmmkay...Google 4TW!
Mark Twain Intermediate School
Restaurant & Lounge
Cent
Celtic Designs Dover Pictorial
Science Online Special Feature
Link Building Strategies
Starlifter
Solar periodicity
Dawson's Creek Music Guide Decisions
Duncan's F
ways to market your small or solo business
WBFF
Olivia Quinn Food Stamp Leaver
Dalmations
CITI FM
Skippyslist
Janvitos
13th January 2007, 00:52
I think some people are messing around with us.
I followed that link too and get nothing relevant.
Please ban the ignorants.
LordSloth
13th January 2007, 01:05
??? Are you sure you gave the right link?
This is the only text I get if I follow your link; it doesn't seem to have any relation to HD-DVD encryption:
Yes the link is correct. It's a scavenger hunt of some sort! And since I had to go through the trouble of following it myself, I'm not going to post the answer directly.
I mean what fun would that be? :)
Don't get me wrong, I don't take some sick pleasure in making others follow the same path I did. But it did seem the safest way to share the information. Which is probably why the original poster put it in this format.
blutach
13th January 2007, 01:21
@stormlord - you have just registered 5 days ago and had time to read the rules. This thread is not a place for your rants. Many times, Doom9 and I have asked posters to stay on topic. Strike issued.
@Mikey10 - same comments regarding rules. How does your post add to the topic? Strike issued.
Regarding LordSloth's link: I can not get it to load at all. I am loath to issue strikes until I can determine the content for myself. But you are way off topic in your previous post. Strike issued.
Regards
setarip_old
13th January 2007, 01:26
@LordSloth
As an outside observer, having absolutely no involvement in the activity being pursued in this thread (although I'm certainly interested in its eventual outcome), I must say it's disconcerting to see you trying to make a "game" out of the loosely cooperative effort of the other posters to this thread.
I'd suggest that if you have discovered a legitimate, meaningful "piece of the puzzle", you should simply present it here - so that others can advance their combined efforts...
LordSloth
13th January 2007, 01:29
@LordSloth
As an outside observer, having absolutely no involvement in the activity being pursued in this thread (although I'm certainly interested in its eventual outcome), I must say it's disconcerting to see you trying to make a "game" out of the loosely cooperative effort of the other posters to this thread.
I'd suggest that if you have discovered a legitimate, meaningful "piece of the puzzle", you should simply present it here - so that others can advance their combined efforts...
I am just passing on the link that I found and indicated that I went through the trouble of following it, so that others could too without much difficulty.
That and the result of following that link is a Title Key for the movie hinted at in the top. Posting the answer directly didn't seem wise.
setarip_old
13th January 2007, 01:32
@Janvitos
I'd speculate you'd have to convert those to hex...
Janvitos
13th January 2007, 01:38
For the ones interested:
239 -> EF
33 -> 21
50 -> 32
159 -> 9F
125 -> 7D
131 -> 83
141 -> 8D
154 -> 9A
112 -> 70
86 -> 56
136 -> 88
45 -> 2D
191 -> BF
102 -> 66
92 -> 5C
213 -> D5
What movie is this a key for ?
blutach
13th January 2007, 01:38
Gentlemen - enough of this!
LordSloth - either post your results or do not post at all. Last Warning.
Everybody - there will be no more warnings issued. Posts which can not stay on topic, or do not directly address the issue of decrypting HD-DVD will be struck. These include rants, taunts, accusations, publication of off topic links (including about muslix64's identity), irrelevant numbers which can not possibly be seen as keys and anything else that is not relevant or does not further this discussion.
Please read the above carefully.
Regards
LordSloth
13th January 2007, 01:42
For the ones interested:
...
What movie is this a key for ?
Serenity
It took me a while to figure that out from the Reavers comment at the top...
Hope you have a copy.
It's the 2nd Title Key
cyber1
13th January 2007, 01:42
For the ones interested:
...
What movie is this a key for ?
It's Serenity.
He-Man
13th January 2007, 01:43
@Janvitos
I'd speculate you'd have to convert those to hex...
Google each of the 16 lines in the text. The first Google hit you get for each text line contains a 2 or 3 digit number in the title.
These decimal numbers probably have to be converted to hex and you get a 64 bit number.
He-Man
13th January 2007, 01:49
deleted
He-Man
13th January 2007, 01:54
Regarding LordSloth's link: I can not get it to load at all. I am loath to issue strikes until I can determine the content for myself.
I couldn't get the link working the first time either, but hitting the refresh button a couple of times made the site load.
The only content of the link is the text I quoted above, which is supposed to be used in Google to find decimal numbers.
Janvitos
13th January 2007, 02:06
I just got my hands on the movie Serenity from a friend; I will update you with results (if any).
luders
13th January 2007, 02:09
I have Serenity... Trying to figure out how to try it. If anyone wants to help with the .cfg file setup I should be using, hit me.
Janvitos
13th January 2007, 02:18
I can confirm the following value "EF21329F7D838D9A7056882DBF665CD5" to be in WinDVD memory after playback of the movie "Serenity".
Will continue to research this and update you with results.
luders
13th January 2007, 02:24
So this so far.....
0000000000000000000000000000000000000000=Serenity |T|MM/DD/YY|2-EF21329F7D838D9A7056882DBF665CD5
Janvitos
13th January 2007, 02:27
Luders, replace the 0s with the SHA1 of the VTKF000.AACS file, which is "C8A57242AF4CB5C0D7848BDA10821F984DC656E0"
He-Man
13th January 2007, 02:32
I can confirm the following value "EF21329F7D838D9A7056882DBF665CD5" to be in WinDVD memory after playback of the movie "Serenity".
Will continue to research this and update you with results.
If the above is the complete title key #2, then you only need to calculate the SHA1 hash value to put into field 1 of the TKDB.cfg file:
Field 1: SHA1 Hash of the VTKF000.AACS file on your HDDVD disk.
Next fields are pipe "|" delimited.
-Movie Title
-A variable number of Title key, pipe delimited
You have a key number followed by the key value like:
12-08A3DC61910280F2...
Key values are 128 bits long, so 16 bytes, or 32 hexadecimal characters long.
Janvitos
13th January 2007, 02:39
He-Man, how do you know this is key #2 ?
luders
13th January 2007, 02:42
Hmmm I get a java error because I am using JRE 6 in vista. Might have to boot into xp to try this.
He-Man
13th January 2007, 02:44
He-Man, how do you know this is key #2 ?
Because that's what LordSloth wrote in a previous post:
Serenity
It took me awhile to figure that out from the Reavers comment at the top...
Hope you have a copy.
It's the 2nd Title Key
LordSloth
13th January 2007, 02:46
Now after I followed that crypted scavenger hunt and got the 2nd TK, I searched for the key in WinDVD's memory...and guess what I found...
The entire Title Key table decrypted!!!!
That's right....the next 16 bytes after the 2nd key is the 3rd key and so on...
Enjoy!
He-Man
13th January 2007, 02:48
So this so far.....
0000000000000000000000000000000000000000=Serenity |T|MM/DD/YY|2-EF21329F7D838D9A7056882DBF665CD5
Why do you have the MM/DD/YY field in there?
I don't see this in the original TKDB.cfg file, only 4 fields:
1: hash value
2: title
3: title key number
4: title key in hex (128 bit)
He-Man
13th January 2007, 02:51
Now after I followed that crypted scavenger hunt and got the 2nd TK, I searched for the key in WinDVD's memory...and guess what I found...
The entire Title Key table decrypted!!!!
That's right....the next 16 bytes after the 2nd key is the 3rd key and so on...
Enjoy!
How about the Volume Unique Key, is this in memory too?
Sy
13th January 2007, 02:51
Why do you have the MM/DD/YY field in there?
I don't see this in the original TKDB.cfg file, only 4 fields:
1: hash value
2: title
3: title key number
4: title key in hex (128 bit)
That's the new structure in hdvdbackup 1.00 posted Jan 02
luders
13th January 2007, 02:52
You must be using the first version of BackupHDDVD. The new one has the date field though it is ignored by the program.
Janvitos
13th January 2007, 02:54
Alright, this is good news.
The key "EF21329F7D838D9A7056882DBF665CD5" is the 2nd key which decrypts the file UNILOGO.EVO from the movie Serenity. This is *CONFIRMED* and *WORKING*.
Here are all the keys for Serenity:
Here are the keys for KingKong:
To find these keys, my best advice would be to search your memory for "VPLST000.XPL" and they will be near one of the instances of it.
Now we have to find the volume keys for a lot less trouble.
Jerky_san
13th January 2007, 02:56
Yes, won't we need the first version of the decryption tool to use a title key? Since the newest is for volumes? And I must say very good work on finding the key.. If the table has been revealed, surely the volume key is with it..
LordSloth
13th January 2007, 02:57
Volume Unique keys are located
+0x13C0 after the 2nd title key location
:D
Janvitos
13th January 2007, 02:59
LordSloth, I don't have the same addresses, can you tell me exactly where the volume unique key is?
LordSloth
13th January 2007, 03:00
So to recap...
Search for VPLST000.XPL in WinDVD's memory (4th occurrence) and from that offset:
+0x0181 is the Decrypted TK table
+0x1571 is the Volume Unique Key
Granted these may vary from system to system and disc to disc.
I believe the offsets vary from movie to movie and computer to computer.
Looks like Janvitos confirmed they do since they don't match what I posted. But just look somewhere around that region and you should be able to locate the TK table and the VUK.
Jerky_san
13th January 2007, 03:00
LOL! holy crap the keys are flying.. are the volume keys in the same place every time? Or do they vary?
Janvitos
13th January 2007, 03:05
Serenity Volume Unique Key: D075568AE6BB0B3F85446927B3794C28
KingKong Volume Unique Key: 802F78B1B20D1183638D84E1A96D6EDD
12 Monkeys Volume Unique Key: 2662C05B5238B0C50BD1BDF693223712
Janvitos
13th January 2007, 03:08
I believe the offsets vary from movie to movie and computer to computer.
He-Man
13th January 2007, 03:13
And the keys stay in memory after an HD-DVD disc has been stopped again?
What tool do you use to get a memory dump?
He-Man
13th January 2007, 03:16
You must be using the first version of BackupHDDVD. The new one has the date field though it is ignored by the program.
Yes, I opened up version 0.99 by mistake.
Yes won't we need the first version of the decryption to use a title key? Since the newest is for volumes?
No, version 1.00 can be used with either title or volume keys, it's your choice, you just have to define which type you use in Field 3 in the KEYDB.cfg file:
Field 1: SHA1 Hash of the VTKF000.AACS file on your HDDVD disk.
Next fields are pipe "|" delimited.
Field 2: Movie Title
Field 3: Key type (V or T for Volume or Title key)
Field 4: File creation date
This field is informational only. It's ignored by the program. It should be the creation date of the media file on the disk.
Field 5: A variable number of Title keys, pipe delimited, or one volume key
In the case of a title keys, you have a key number followed by the key value like:
12-08A3DC61910280F2...
Key values are 128 bits long, so 16 bytes, or 32 hexadecimal characters long.
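The pipe-delimited layout described above is easy to get subtly wrong by hand (a 31-character key, a missing V/T marker, a lowercase hash), so here is a small validating parser for it. This is an added example, not code from BackupHDDVD or from any poster in this thread; it also accepts the older 4-field TKDB.cfg layout (no type or date field) mentioned earlier, and all hash and key values in the sample are constructed placeholders.

```python
import hashlib
import re
from dataclasses import dataclass, field

HEX_KEY = re.compile(r"^[0-9A-Fa-f]{32}$")   # 128-bit key = 32 hex chars
HEX_SHA1 = re.compile(r"^[0-9A-Fa-f]{40}$")  # SHA1 = 40 hex chars


@dataclass
class KeyEntry:
    disc_hash: str    # field 1: SHA1 of VTKF000.AACS, uppercase hex
    title: str        # field 2
    key_type: str     # "T" (title keys) or "V" (volume key)
    date: str         # informational only (1.00); "" for the 0.99 layout
    title_keys: dict = field(default_factory=dict)  # key number -> 32 hex
    volume_key: str = ""


def parse_keydb_line(line: str) -> KeyEntry:
    # 1.00: <sha1>=<title>|<V|T>|<MM/DD/YY>|<keys...>
    # 0.99: <sha1>=<title>|<n>-<key>|<n>-<key>...  (title keys only)
    if "=" not in line:
        raise ValueError("missing '=' between hash and fields")
    disc_hash, rest = line.split("=", 1)
    disc_hash = disc_hash.strip().upper()
    if not HEX_SHA1.match(disc_hash):
        raise ValueError(f"field 1 is not a 40-hex SHA1: {disc_hash!r}")
    fields = [f.strip() for f in rest.split("|")]
    if len(fields) < 2:
        raise ValueError("need at least a title and one key field")
    # The 1.00 layout carries a V/T marker in field 3; 0.99 goes straight to keys.
    if fields[1] in ("V", "T"):
        if len(fields) < 4:
            raise ValueError("1.00 layout needs type, date and key fields")
        key_type, date, key_fields = fields[1], fields[2], fields[3:]
    else:
        key_type, date, key_fields = "T", "", fields[1:]
    entry = KeyEntry(disc_hash, fields[0], key_type, date)
    if key_type == "V":
        if len(key_fields) != 1 or not HEX_KEY.match(key_fields[0]):
            raise ValueError("a volume key entry needs exactly one 32-hex key")
        entry.volume_key = key_fields[0].upper()
        return entry
    for kf in key_fields:
        num, sep, key = kf.partition("-")
        if not sep or not num.isdigit() or not HEX_KEY.match(key):
            raise ValueError(f"bad title key field: {kf!r}")
        if int(num) in entry.title_keys:
            raise ValueError(f"duplicate title key number {num}")
        entry.title_keys[int(num)] = key.upper()
    return entry


def vtkf_hash(vtkf_bytes: bytes) -> str:
    """SHA1 of the disc's VTKF000.AACS contents, formatted as field 1."""
    return hashlib.sha1(vtkf_bytes).hexdigest().upper()


def lookup(entries, vtkf_bytes: bytes):
    """Return the entry whose field-1 hash matches this disc's VTKF, or None."""
    h = vtkf_hash(vtkf_bytes)
    return next((e for e in entries if e.disc_hash == h), None)


# Constructed sample data: placeholder hash/key values, not from any real disc.
SAMPLE_VTKF = b"constructed VTKF000.AACS placeholder bytes"
SAMPLE_LINES = [
    vtkf_hash(SAMPLE_VTKF) + "=Sample Disc|T|01/13/07|"
    "1-00112233445566778899AABBCCDDEEFF|2-FFEEDDCCBBAA99887766554433221100",
    "0" * 40 + "=Other Disc|V|01/13/07|0123456789ABCDEF0123456789ABCDEF",
    "1" * 40 + "=Old Style|1-" + "A" * 32,   # 0.99 TKDB.cfg layout
]
ENTRIES = [parse_keydb_line(ln) for ln in SAMPLE_LINES]
```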
Janvitos
13th January 2007, 03:16
I use WinHEX to edit the memory directly.
zeroprobe
13th January 2007, 03:22
Some screenshots would be nice. Wish I had the add-on, I would love to play about with this for myself.
Janvitos
13th January 2007, 03:26
I think posting the Volume Unique Keys speaks for itself :)
zeroprobe
13th January 2007, 03:30
So if the player's key in question gets revoked, would any of the keys now found be of any use in future players for tracking more? Or would a new player's key get totally different results on the exploited discs?