View Full Version : BackupHDDVD, a tool to decrypt AACS protected movies
Sy
2nd January 2007, 22:47
Where do I go to get the drivers for my Xbox 360 HD-DVD drive? Also, can someone confirm if PowerDVD 7.2 works with this, or must I use 6.5?
You can always google "xbox 360 hd-dvd drive windows drivers"
We can confirm that PowerDVD can read EVO files but nobody has yet confirmed that that is the program that you need to use to extract the volume keys or title keys needed to decrypt the video.
noclip
2nd January 2007, 22:57
Great job muslix64!
As for the key, if it's not in memory it has to be in the CPU registers, right?
milh31
2nd January 2007, 23:10
muslix64 delivered what he promised
Dude, thanks.
zeroprobe
2nd January 2007, 23:46
It really is frustrating lol.
It's Batman without Robin,
tea without sugar.
Great work though, a lot of effort has gone into it.
hechacker1
2nd January 2007, 23:47
I was reading the AACS spec sheets and found something interesting.
There is less than 1MB of space to store the revoked keys on any hd-dvd disc (at least in this revision of the spec). Which means in theory, if you succeed in getting enough keys, and the AACS adds them to the revoke list, eventually they will run out of space!
I think.. I am just trying to understand muslix64's comments by actually delving into the AACS spec.
I also think PowerDVD's reply is BS because they know they goofed up somewhere. We'll see if they suddenly push out an update. And as muslix64 said, the AACS spec doesn't require protection of the volume key, so it should always be obtainable, it's just a matter of the degree of difficulty.
DanITman
3rd January 2007, 00:06
Not even a hint to where the keys are :(
Oh well, thanks for all your work. If this thing blows up from here you will go down as the pioneer who started it all.
Thanks Man!
lazyn00b
3rd January 2007, 00:29
**** Sorry, but without even one working key this is nothing but speculation.
Sure, the BackupHDDVD program looks nice, but without verifiable proof that a volume key has actually been extracted, this is nothing to get excited about.
Frankly, I now suspect that the YouTube video is a hoax, and that muslix64 is just hoping against hope that some superhacker out there will figure out where PowerDVD HD hides the keys.
noclip
3rd January 2007, 00:40
The volume key has to be in the registers to calculate the CMAC value (and decrypt title keys). If you were to set a breakpoint on the routine that accesses the memory location of the CMAC, you would find the Volume key in the registers.
BUZZARD1
3rd January 2007, 00:57
If anything it got the community really thinking together on how to come up with a solution. So cheers to that.
MaXiMuS
3rd January 2007, 01:27
Ok, here it is, BackupHDDVD V1.00!
What's new in this version?
- Volume key support
- Partial resume of an interrupted decryption session
- New file format and file name for key database file.
The key database file is now KEYDB.cfg
You can download it here:
http://rapidshare.com/files/9942683/BackupHDDVDV100.zip.html
http://z13.zupload.com/download.php?file=getfile&filepath=59843
File name: BackupHDDVDV100.zip
File size: 22,429 bytes
SHA1 hash: 0d938a376133dfaf78ec47e6d41201d553a6bb81
This may be my last post here.
I'm going to have a rest for a while.
Take care everyone and wish me good luck!
THANX ! :D
Edit:
another mirror of BackupHDDVDV100.zip (http://www.megaupload.com/?d=W23GXQW1)
Jerky_san
3rd January 2007, 01:38
In the new FAQ it has changed a little bit..
-Where are title keys?
The title keys are encrypted on the disk.
-What is the volume key?
The volume key is the key used to decrypt the title keys. So the volume key is all you need to decrypt a movie.
-Where is the volume key?
The volume key is the result of several complex decryption processes. Read the AACS doc for more details.
The last being the most interesting to me.. I've been following all of your conversation.. I would buy an HD-DVD player and work all day on it but the fact of the matter is I'm broke and must work lol..
P.S. dang I really never posted since I registered lol?
edo1080
3rd January 2007, 01:58
GREAT MUSLIX64 !!! Thank you for your work, you've shown us the way, now we have to work on finding the keys. You have delivered what you promised, Thanks again.
The title keys are encrypted on the disk
Yes, but they are also in unencrypted form somewhere in the memory (according to the FAQ of the 1st version released by muslix64).
Jerky_san
3rd January 2007, 02:04
Yes, but perhaps the other keys must be assembled with this "volume key". That, or you're going to be looking for a very long time.. At least he/she perhaps made it more simple for us, since now we just must hunt down this "volume key", which may be easier to find than hunting down a key that at one point is encrypted. But perhaps we are making it more difficult than it seems..
edo1080
3rd January 2007, 02:09
we are making it more difficult than it seems
Yes, you could be right. Anyway, the only way I can figure right now is IDA Pro used with PowerDVD 6.5 and setting breakpoints when PowerDVD is loading the movie. IDA Pro lets you see the map of memory at the breakpoint, and then you could start a search over all the 32-bit long words in memory and test them as title keys (if they are not too many), or test the words with length equal to the length of volume keys as volume keys. This is only an idea, but I haven't tested it yet, and since this test will require a lot of time I don't know if I'll have the time before the end of CES.
noclip
3rd January 2007, 02:20
Muslix64: You could say things like "I needed to use a debugger" or "I just looked at a memory dump" and you wouldn't be breaking any law.
Thanks and all, but it's a little bit suspicious of you to deliberately avoid saying anything at all. Are you or have you ever been a <strike>member of the Communist</strike> employee of the Sony Corporation?
woah!
3rd January 2007, 02:35
**** Sorry, but without even one working key this is nothing but speculation.
Sure, the BackupHDDVD program looks nice, but without verifiable proof that a volume key has actually been extracted, this is nothing to get excited about.
Frankly, I now suspect that the YouTube video is a hoax, and that muslix64 is just hoping against hope that some superhacker out there will figure out where PowerDVD HD hides the keys.
agreed.. gg
trbarry
3rd January 2007, 02:42
Well, I'm guessing that even in this day and age I'm personally allowed to speculate on how to decode the movies since I haven't read the AACS doc, don't really have a clue, and thus no information to divulge to anyone except general software principles.
But obviously given both a player and a disc the sum total of available info must be enough to play the movie. And, according to Muslix64's FAQ, both the ECC-160 and AES-128 algorithms are used for decryption purposes. If I had an army of abnormally dedicated programmers (I'm not asking for one here!) I'd disassemble a player (any player) and find the functions called to perform both decoding algorithms. Then I would set breakpoints at the beginning and end of them and see what data was being passed and returned.
But I do not own an HD DVD player, don't consider myself that sort of hacker, and have no intention of doing this. Nor am I sure Muslix64 did.
- Tom
blutach
3rd January 2007, 03:40
Thanks and all, but it's a little bit suspicious of you to deliberately avoid saying anything at all. Are you or have you ever been a <strike>member of the Communist</strike> employee of the Sony Corporation?
Must I continue to remind members about rule 4?
Can we please discuss the technical and practical merits of this program without calling other forum members' reputations into question?
Regards
noclip
3rd January 2007, 03:55
Must I continue to remind members about rule 4?
Can we please discuss the technical and practical merits of this program without calling other forum members' reputations into question?
Regards
That was a joke. It's obvious that he doesn't want to say more to avoid being sued, not because he works for Sony.
blutach
3rd January 2007, 04:04
It didn't come across that way to me. I would appreciate it if members would not make such statements since they may be misinterpreted.
Regards
generalnewbie
3rd January 2007, 05:01
Has anyone tested this to see the keys get extracted? I don't have an HD DVD add-on or I would.
moshmothma
3rd January 2007, 05:11
Thanks muslix64 - this looks to be the start of something very cool! Have a good break.
Adub
3rd January 2007, 05:26
@GeneralNewbie
Read the thread! We have yet to find the keys first. BackupHDDVD does not provide the keys, we have to supply them. Well, we actually have to find them first.
ioakougroup
3rd January 2007, 07:54
It's good news that some unbreakable protections finally ...break... and melt like... ice cream in front of some smart hackers... Persons like muslix64 are the meaning of this sharing community... That was the first step against that HD DVD AACS protection system... be sure that there will be next steps very soon... according to many reactions...! :lol:
OverlordQ
3rd January 2007, 08:03
You know, reading over the AACS doc I don't think I ever saw a thing called a Volume key or anything similar.
generalnewbie
3rd January 2007, 08:15
@GeneralNewbie
Read the thread! We have yet to find the keys first. BackupHDDVD does not provide the keys, we have to supply them. Well, we actually have to find them first.
Sorry mate, I had the assumption that the first release didn't tell you how to get the keys or the app, but I thought in his second release he would include in the app a method of obtaining the keys. I guess nothing's changed and we are still left to figure out how to get the keys. So far I find this app useless until some more light is shed on getting the keys. I mean, we are to understand that the data being read from memory is decrypted by the key. But how does one read memory and what it's doing?
calinb
3rd January 2007, 09:03
You know, reading over the AACS doc I don't think I ever saw a thing called a Volume key or anything similar.
Advanced Access Content System (AACS), Pre-recorded Video Book Section 3.3:
The Volume Unique Key and/or the Volume Variant Unique Keys are used to encrypt and decrypt the Title Keys stored on the pre-recorded media, in a manner that is described in the given Format-specific book of this specification.
aiataga
3rd January 2007, 09:19
You know, reading over the AACS doc I don't think I ever saw a thing called a Volume key or anything similar.
http://www.aacsla.com/specifications/specification_support/AACS_Spec_HD_DVD_and_DVD_Prerecorded_0_912_redline_to_0_911.pdf
3.4 Title Key File
An AACS Disc shall have at least one Title Key File (TKF) in which each Title Key data is encrypted by AES-128E with Ku. Ku is the Volume Unique Key (Kvu).
... is the Volume Unique Key defined in the AACS Pre-recorded Video Book.
... The Player passes the ... to the AACS module which has already generated the Volume Unique Key.
zeroprobe
3rd January 2007, 10:23
Would SoftICE do the trick? Got all the tools, just need the HD DVD add-on.
vsv
3rd January 2007, 10:33
I searched more info about BackupHDDVD and have found interesting files.
[links deleted per forum rule 6]
OverlordQ
3rd January 2007, 11:24
Eh that's what I get for skimming lol, I saw Volume ID but I missed the Volume Key parts
karandras
3rd January 2007, 11:36
You don't have to make a search on volume key but on Volume Unique Key.
But I haven't found any interesting information on how to get any keys.
I have all the hardware requirements to test. So if somebody has an idea...
hajj_3
3rd January 2007, 12:01
Am I the only person who's completely confused??
Hope you can bring out a new version soon muslix64, even if you only post here once a month like you did yesterday along with a new release.
Hope 1.01 will have a Windows interface, that would be cool!
I hope you can find the keys and release them on P2P!
P.S. You should update the first post on this thread with the link to version 1.00, otherwise people who don't read all these pages won't know there is a new version out.
Hellreaper
3rd January 2007, 13:00
If this is real after all (I'm still not sure) then I'm getting it.
muslix64 has problems with his/her conscience.
muslix64 wants to show that he/she has found a weakness, but she/he does not want to be fully responsible for major piracy issues (which would definitely come up).
I don't believe muslix64 is afraid of getting caught.
evdberg
3rd January 2007, 14:24
Better pay attention to CLDShowX.dll library, it's the only file with all necessary crypto functions (Rijndael aka AES, SHA1, ECC) into.
On what grounds do you come to this conclusion?
Guest
3rd January 2007, 14:50
I searched more info about BackupHDDVD and have found interesting files.
Struck for posting warez. Don't do it again.
vsv
3rd January 2007, 15:15
neuron2
But how to know whether this is warez or not?
In the description of these files I can't see the word "warez"...
Thank you.
Guest
3rd January 2007, 15:30
@vsv
Now you're posting off-topic. You can challenge strikes through proper channels.
zeroprobe
3rd January 2007, 17:21
We need somewhere to discuss and share everything on this.
generalnewbie
3rd January 2007, 18:55
From what I've gathered, this info might be helpful for getting more info, and I'll share it here.
Memory.dmp: you can generate the Memory.dmp file by holding CTRL on the right side of the spacebar while you press SCROLL LOCK two times. Not verified to work, but someone said it may......
Windows XP Service Pack 2 Support Tools has a command called dumpchk that will verify the dump and display information about it. This command can be found in the Windows XP Support Tools. The easiest way to run it is to copy dumpchk.exe into the same folder as the memory.dmp file.
i.e. c:\windows\memory.dmp
At a command prompt in this folder run the command “dumpchk memory.dmp”.
To really dig into the memory.dmp file you will need to use the Microsoft Debug Tools. You also need the correct symbols for the os that the memory dump came from. These can be downloaded here.
http://www.microsoft.com/whdc/devtools/deb...installx86.mspx
http://www.microsoft.com/whdc/DevTools/Deb.../symbolpkg.mspx
After all that is installed, open up the debug program windbg. It can be found in the start menu. First set the symbol path by clicking File, Symbol Path, and add the path that you installed the symbols to. Default is c:\windows\symbols.
To open up the memory.dmp file, select File, Open Crash Dump. It will first show the same info that dumpchk displayed. To get more detailed info, enter this command: !analyze -v. This will display a much more detailed analysis of the problem. Some other useful things you can look at are the call stack (View, Call Stack) to see what system calls were being run when the crash occurred, registers (View, Registers) to see what registers were being used, and the actual memory (View, Memory) to view the contents of the memory when the crash occurred. You could also view the disassembly to see what code was running.
CAFxX
3rd January 2007, 18:56
We need somewhere to discuss and share everything on this.
Then switch to some kind of darknet.
TOR hidden services or Freenet websites should do.
dukey
3rd January 2007, 19:26
Brute forcing the memory for keys should work. The title key or whatever is needed to actually decrypt the content of the disc will probably be stuck on the heap as opposed to the stack, as it will probably need to outlive the scope of the decryption functions :p
Someone suggested the key will be in the registers .. well, it will be eventually, but I guess the key is probably bigger than the current x86 registers, so it's probably easier to get it out of mem.
I can't really see how you can protect against this hack.
CAFxX
3rd January 2007, 19:44
I can't really see how you can protect against this hack.
TPM (sigh!)
Gradius
3rd January 2007, 19:45
You can just look @ C:\program files\CyberLink\PowerDVD (6.5 HD) and check what "some specific files" do.
I doubt it is in the registry, it must be in memory (RAM).
I do not have a HD-DVD, nor HD-DVD movies, so I cannot try it by myself.
Gradius
3rd January 2007, 19:47
TPM (sigh!)
Keep the old good ones working, never buy ANY TPM/TPC compliant.
Lord_KiRon
3rd January 2007, 19:58
From what I had understood, EACH AND EVERY HD-DVD TITLE has its own volume key (or more).
Like "Superman" released in the US has its own volume key, "Superman" released in Europe has its own volume key, "Enter the Dragon" released in the US has its own volume key, etc...
Moreover, even the same title like "Superman" released in the US can have SEVERAL volume keys, like one for disks produced in October-November and one for disks produced in December-February, etc ...
This means for each HD-DVD disk someone will need to find the right volume key, not just once per player or even once per title.
This means this someone needs to post it somewhere to be accessible by other users, and therefore this someone can be sued.
Also, since the vast majority of users will not be able to extract the title key for every disk they put in their drive by themselves, they will need someone to do it for them.
No automatic key extraction software will be possible. Let's say someone, for example, develops such software that uses a specific version of PowerDVD (just for example, it can be any other software player, even on Vista 64 despite all the protections built in) to extract the volume key. Then very soon the studios will block that player's key (so it will not play new titles at all) and PowerDVD will release a new version with a new player key.
So there is no reason to stick with the old version, and the new version can't be "harvested" for keys automatically.
All the above means that probably, same as with ISO "releases", one of two "industries" will develop:
1. "Indexing" sites that hold a lot of volume keys for different versions of the movies.
2. "Image" releases, same as cracked games, will spread on torrent or other P2P networks with already decoded versions of HD-DVDs, the same way as now they "release" images of games with a crack.
(This option I believe is more feasible; after all, what is 25 or even 50GB for torrent? And internet speeds continue to increase all the time.)
In both cases it will be either professional programmers that will do the debugging (like now only a few people in the world do software cracking) or people around the industry who steal volume keys (like now they steal games before they even get released).
So that's my analysis on the future of HD-DVD (and probably BD too).
This means no "immediate" threat for studios, there will be no such programs as DVDDecrypter for DVDs that any kid can use at home to decrypt, but in the long run - yes, AACS IS cracked.
I think for the studios it's again (like with CSS and/or region protected DVDs) the situation becoming worse than if no protection were used, since the legal user will have many limitations (streaming for example is forbidden, etc.) while pirates will have more "usable" versions.
noclip
3rd January 2007, 20:45
I have a theory for how to figure out where to find a key for any given player application after PowerDVD 6.5 HD gets revoked (you know it's coming).
Say you picked some HD-DVD available in stores today and figured out its keys via Muslix's PowerDVD exploit. You now have a copy of the decrypted key. You would then play back that same disk for which you already know the key in any other current or future HD-DVD playing application. You would then watch memory (knowing in advance the decrypted key) for the decrypted key to appear and remember the memory location where it was found.
Now you know where in memory decrypted keys are kept and you can play any other disk, go to the same memory location, and there's the decrypted key.
A program could easily be written to automate all of this.
Adub
3rd January 2007, 21:01
Good thought process. Except for that fact that we are not sure that Muslix64 even used PowerDVD to find the keys in the first place. Although it does look that way, we should totally assume anything.
maksa
3rd January 2007, 21:32
1. The task is to encrypt content and deliver it to the public without disclosing the keys for decryption.
2. At the same time they have to give you (the user) the key in some form so you can watch the movie.
3. You own the player, soft or standalone, and have access to it.
4. If you have access to it, you could extract the keys or the algorithm in theory - everything should be there.
5. The main rule for authorized decryption is not followed. The key is public on the media side, the key is public on the player side.
Even encrypted, they are accessible.
6. The only way to have a message secure is to have a user specific key that only he/she knows (public/private key scheme).
7. In this case the "private" key is accessible (in some way) by a "malevolent hacker".
8. The logical conclusion is that there is no way to protect content available to all the public in a secure way. It is just a matter of time spent to get there.
9. If we remember the Enigma machine, the only way the English could decipher it was to get their hands on a code book and a machine. The Germans changed the code, but too late, and the algorithm wasn't changed for compatibility reasons (sounds familiar for standalones). I am not saying that it couldn't be done by brute force in the end, language is a closed set and it has its own distribution and syntax, but it would take indefinite time.
10. The AACS algorithm was made public, the keys are out there, so the only logical conclusion is - it could be done!
I am not a programmer, have no clue how to do it, but please comment on the above statements.
I figure the only reason for content scrambling is to stop the "average joe" from copying movies. Remember NagraVision 2, it was praised as unbreakable, Asian sat dealers were offering 1M$ for a solution, I know (and you too) that the money was collected.
The only way to secure something is to keep one part secret (totally, not encrypted in some form and accessible), either the private key or the algorithm, or the content probability distribution. All else is just increasing the workload. Having computers and smart hackers out there, even the workload could be shortened.
just my 2c...
Regards...
Mtz
3rd January 2007, 21:33
And insecure players will always exist, in fact you can extract keys from any player! (by Muslix64)
Lanier's point was that AACS has the ability to revoke compromised keys. AACS can revoke a compromised key with future HD DVD releases.
The way keys are revoked is by putting the revocation information on future releases. For instance, if a title key is revoked, the revocation information is stamped onto all future HD DVD releases, every title. When the disc is inserted in a player for the first time, the player's memory is updated with the revocation information. At that point, the compromised title will no longer play. (Chris Lanier, a Microsoft MVP for Digital Media products)
Some of us can mod the firmware of a standalone player, usually the Mediatek based ones. From these players the firmware can be extracted using a serial cable.
As Lanier said, if a player gets upgraded with some revocation, comparing the firmware after and before inserting the new HDDVD disc will give us some information. The wrong step from them is to release a disc which includes a revocation.
Another way is to read the memory dump from the player when inserting a HDDVD disc. I never made this type of dump, but some people already did it when hacking the Mediatek firmwares.
Edit: The title keys are used to decrypt media files. You can have up to 64 title keys on a disk. (by Muslix64) And all these 64 keys must be in the player firmware, no? :D
enjoy,
Mtz