This thread may have some important info, near the bottom about basic/advanced authoring mode and firmware:

http://www.avsforum.com/avs-vb/showthread.php?t=826140

Here's the entire contents of the bca.bin:

10011104481200001002100840000115
20072036000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
000000000000000000000000

Looks like we are dealing with the date code volume ID again:
40 00 01 15 20 07 20 36

Jan 15 2007? 20:36?
What are the date and timestamps on the files on the disk itself?

Looks like we are dealing with the date code volume ID again:
40 00 01 15 20 07 20 36

Jan 15 2007? 20:36?
What are the date and timestamps on the files on the disk itself?

file date is 01/16/07 01:25:17

Here's the entire contents of the bca.bin:

10011104481200001002100840000115
20072036000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
000000000000000000000000

Hehe ;).

There is one half of a Volume ID in there :). And since we already know/can guess which form this one is the following will probably work...

Use mkb.exe (http://forum.doom9.org/showthread.php?p=953496#post953496) in the following way:

mkb h:\AACS\MKBROM.AACS 40000115200720360020202020200000

Where h should be your drive letter.

You should get a VUK and with that key you should be able to decrypt your disc using your favorite decrypter :D.

Tell us if it works.

Regards,

arnezami

when i decrypt using the resulting vuk, i get video with only black screen and no audio, eventually crashing pdvd 7.1

the validatevuk tool also says its not valid.

when i decrypt using the resulting vuk, i get video with only black screen and no audio, eventually crashing pdvd 7.1

the validatevuk tool also says its not valid.

Hmmm. I'm not sure how sensitive these programs are but did you remove the white spaces and make it all capitals? And you didn't make a typo when using mkd.exe (be sure)? Best to try with validatevuk.

Could you give a screenshot/copy paste of what mkd.exe is giving?

arnezami

[edit]also try these:
mkb h:\AACS\MKBROM.AACS 40000115200720360000000000000000
mkb h:\AACS\MKBROM.AACS 00000000000000000000000000000000

Could you give a screenshot/copy paste of what mkd.exe is giving?


here are each of the three you asked me to try. none could be verified with validatevuk.

>mkb.exe h:\AACS\MKBROM.AACS 40000115200720360020202020200000
Skipped section 10
Skipped section 21
Skipped section 20
Found Verification Data
Skipped section 7f
Skipped section 07
Found Explicit Subset Difference (514 records)
Found Media Key Data (513 records)
Media Key found at index 0!
a0 bc 2b 16 a2 ad 64 d1 a3 c2 0f ae 26 68 1c 0a
VUK: 4e 77 31 f8 1a 28 63 a1 9a 30 49 35 c5 79 f2 d2

>mkb.exe h:\AACS\MKBROM.AACS 40000115200720360000000000000000
Skipped section 10
Skipped section 21
Skipped section 20
Found Verification Data
Skipped section 7f
Skipped section 07
Found Explicit Subset Difference (514 records)
Found Media Key Data (513 records)
Media Key found at index 0!
a0 bc 2b 16 a2 ad 64 d1 a3 c2 0f ae 26 68 1c 0a
VUK: cb db 1a 22 49 8e 95 6b c2 34 f9 09 7d 34 d8 82

>mkb.exe h:\AACS\MKBROM.AACS 00000000000000000000000000000000
Skipped section 10
Skipped section 21
Skipped section 20
Found Verification Data
Skipped section 7f
Skipped section 07
Found Explicit Subset Difference (514 records)
Found Media Key Data (513 records)
Media Key found at index 0!
a0 bc 2b 16 a2 ad 64 d1 a3 c2 0f ae 26 68 1c 0a
VUK: df 46 7c b3 69 cc bc 93 d6 79 2b ed 00 98 e9 66

Could you give a screenshot/copy paste of what mkd.exe is giving?


here are each of the three you asked me to try. none could be verified with validatevuk (i'm sure i entered them properly).

>mkb.exe h:\AACS\MKBROM.AACS 40000115200720360020202020200000
Skipped section 10
Skipped section 21
Skipped section 20
Found Verification Data
Skipped section 7f
Skipped section 07
Found Explicit Subset Difference (514 records)
Found Media Key Data (513 records)
Media Key found at index 0!
a0 bc 2b 16 a2 ad 64 d1 a3 c2 0f ae 26 68 1c 0a
VUK: 4e 77 31 f8 1a 28 63 a1 9a 30 49 35 c5 79 f2 d2

>mkb.exe h:\AACS\MKBROM.AACS 40000115200720360000000000000000
Skipped section 10
Skipped section 21
Skipped section 20
Found Verification Data
Skipped section 7f
Skipped section 07
Found Explicit Subset Difference (514 records)
Found Media Key Data (513 records)
Media Key found at index 0!
a0 bc 2b 16 a2 ad 64 d1 a3 c2 0f ae 26 68 1c 0a
VUK: cb db 1a 22 49 8e 95 6b c2 34 f9 09 7d 34 d8 82

>mkb.exe h:\AACS\MKBROM.AACS 00000000000000000000000000000000
Skipped section 10
Skipped section 21
Skipped section 20
Found Verification Data
Skipped section 7f
Skipped section 07
Found Explicit Subset Difference (514 records)
Found Media Key Data (513 records)
Media Key found at index 0!
a0 bc 2b 16 a2 ad 64 d1 a3 c2 0f ae 26 68 1c 0a
VUK: df 46 7c b3 69 cc bc 93 d6 79 2b ed 00 98 e9 66

Ok. I think I'm running out of ideas now. There really seems to be a problem with this disc and the xbox 360 HD DVD drive. Maybe there is something wrong with the way the protected area is stored on the disc (which is if I remember correctly stored with a different pit width/length) and therefore not readable by all HD DVD drives.

Btw this may be related: http://slashdot.org/articles/07/04/02/1126209.shtml

arnezami

Well, if even authorized players aren't able to read the disc, I suspect we won't get very far either. Unless they've simply been revoked, but that doesn't seem to be the case.

Dear All,

I try to complie aacskey in windows platform, but something is wrong.

Please give me a hand......


System environment:
OS : WinXP Pro
OpenSSL : 0.9.8e
MinGW : 3.4.2 (detail as follow)
mingw-runtime-3.12.tar.gz
w32api-3.9.tar.gz
binutils-2.16.91-20060119-1.tar.gz
gcc-core-3.4.2-20040916-1.tar.gz
gcc-g++-3.4.2-20040916-1.tar.gz
mingw32-make-3.81-2.tar.gz


Path:
aacskey source : d:\aacskey
MinGW : D:\MinGW
OpenSSL library : D:\aacskey\lib (static link library files-->libcrypto.a & libssl.a)

command 1: gcc -o aacskeys -lcrypto -L./lib aes.c ecdsa.c ioctl.c mmc.c aacskeys.c
D:\aacskey>gcc -o aacskeys -lcrypto -L./lib aes.c ecdsa.c ioctl.c mmc.c aacskeys.c
ecdsa.c: In function `aacs_set_cert':
ecdsa.c:29: warning: initialization discards qualifiers from pointer target type
ecdsa.c: In function `aacs_sign':
ecdsa.c:67: warning: comparison between pointer and integer
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/ccV3caaa.o:aes.c:(.text+0x22): undefined reference to `AES_set_decrypt_key'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/ccV3caaa.o:aes.c:(.text+0x3e): undefined reference to `AES_decrypt'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/ccV3caaa.o:aes.c:(.text+0xba): undefined reference to `AES_set_decrypt_key'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/ccV3caaa.o:aes.c:(.text+0xd6): undefined reference to `AES_decrypt'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/ccV3caaa.o:aes.c:(.text+0x103): undefined reference to `AES_set_decrypt_key'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/ccV3caaa.o:aes.c:(.text+0x11f): undefined reference to `AES_decrypt'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/ccV3caaa.o:aes.c:(.text+0x17d): undefined reference to `AES_set_decrypt_key'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/ccV3caaa.o:aes.c:(.text+0x199): undefined reference to `AES_decrypt'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x7): undefined reference to `EC_KEY_new'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x33): undefined reference to `EC_KEY_set_group'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x4c): undefined reference to `EC_KEY_free'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x7e): undefined reference to `EC_KEY_get0_group'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0xc3): undefined reference to `BN_bin2bn'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0xf6): undefined reference to `BN_bin2bn'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x113): undefined reference to `EC_POINT_new'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x14d): undefined reference to `EC_POINT_set_affine_coordinates_GFp'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x165): undefined reference to `BN_clear_free'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x170): undefined reference to `BN_clear_free'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x182): undefined reference to `EC_KEY_set_public_key'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x1ef): undefined reference to `BN_hex2bn'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x209): undefined reference to `EC_KEY_set_private_key'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x217): undefined reference to `EVP_ecdsa'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x226): undefined reference to `EVP_DigestInit'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x240): undefined reference to `EVP_DigestUpdate'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x25a): undefined reference to `EVP_DigestUpdate'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x273): undefined reference to `EVP_DigestFinal_ex'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x28c): undefined reference to `ECDSA_do_sign'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x2a3): undefined reference to `BN_bn2bin'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x2c2): undefined reference to `BN_bn2bin'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x2e7): undefined reference to `ECDSA_SIG_free'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x2f8): undefined reference to `EC_KEY_free'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x340): undefined reference to `EVP_ecdsa'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x34f): undefined reference to `EVP_DigestInit'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x369): undefined reference to `EVP_DigestUpdate'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x383): undefined reference to `EVP_DigestUpdate'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x39c): undefined reference to `EVP_DigestFinal_ex'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x3a1): undefined reference to `ECDSA_SIG_new'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x3c6): undefined reference to `BN_bin2bn'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x3ea): undefined reference to `BN_bin2bn'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x410): undefined reference to `ECDSA_do_verify'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x424): undefined reference to `ECDSA_SIG_free'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x435): undefined reference to `EC_KEY_free'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x509): undefined reference to `BN_CTX_new'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x53e): undefined reference to `ERR_put_error'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x548): undefined reference to `BN_new'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x556): undefined reference to `BN_new'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x564): undefined reference to `BN_new'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x572): undefined reference to `BN_new'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x580): undefined reference to `BN_new'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x58e): more undefined references to `BN_new' follow
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x5c3): undefined reference to `ERR_put_error'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x5da): undefined reference to `BN_dec2bn'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x5f3): undefined reference to `BN_dec2bn'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x60c): undefined reference to `BN_dec2bn'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x63c): undefined reference to `ERR_put_error'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x661): undefined reference to `EC_GROUP_new_curve_GFp'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x696): undefined reference to `ERR_put_error'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x6a6): undefined reference to `EC_POINT_new'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x6db): undefined reference to `ERR_put_error'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x6f5): undefined reference to `BN_dec2bn'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x70e): undefined reference to `BN_dec2bn'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x73e): undefined reference to `ERR_put_error'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x76a): undefined reference to `EC_POINT_set_affine_coordinates_GF2m'

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x79a): undefined reference to `ERR_put_error'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x7b4): undefined reference to `BN_dec2bn'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x7cb): undefined reference to `BN_set_word'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x7fb): undefined reference to `ERR_put_error'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x81d): undefined reference to `EC_GROUP_set_generator'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x84d): undefined reference to `ERR_put_error'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x867): undefined reference to `EC_GROUP_free'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x87f): undefined reference to `EC_POINT_free'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x890): undefined reference to `BN_CTX_free'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x8a1): undefined reference to `BN_free'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x8b2): undefined reference to `BN_free'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x8c3): undefined reference to `BN_free'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x8d4): undefined reference to `BN_free'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x8e5): undefined reference to `BN_free'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cc5udaaa.o:ecdsa.c:(.text+0x8f6): more undefined references to `BN_free' follow
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/cczOeaaa.o:aacskeys.c:(.text+0x9e2): undefined reference to `ERR_load_crypto_strings'
collect2: ld returned 1 exit status


command 2: gcc -o aacskeys aes.c ecdsa.c ioctl.c mmc.c aacskeys.c -lcrypto -L./lib
D:\aacskey>gcc -o aacskeys aes.c ecdsa.c ioctl.c mmc.c aacskeys.c -lcrypto -L./lib
ecdsa.c: In function `aacs_set_cert':
ecdsa.c:29: warning: initialization discards qualifiers from pointer target type
ecdsa.c: In function `aacs_sign':
ecdsa.c:67: warning: comparison between pointer and integer
./lib/libcrypto.a(rand_win.o):rand_win.c:(.text+0xa0c): undefined reference to `CreateDCA@16'
./lib/libcrypto.a(rand_win.o):rand_win.c:(.text+0xa19): undefined reference to `CreateCompatibleDC@4'
./lib/libcrypto.a(rand_win.o):rand_win.c:(.text+0xa2a): undefined reference to `GetDeviceCaps@8'
./lib/libcrypto.a(rand_win.o):rand_win.c:(.text+0xa3a): undefined reference to `GetDeviceCaps@8'
./lib/libcrypto.a(rand_win.o):rand_win.c:(.text+0xa50): undefined reference to `CreateCompatibleBitmap@12'
./lib/libcrypto.a(rand_win.o):rand_win.c:(.text+0xa5e): undefined reference to `SelectObject@8'
./lib/libcrypto.a(rand_win.o):rand_win.c:(.text+0xa70): undefined reference to `GetObjectA@12'
./lib/libcrypto.a(rand_win.o):rand_win.c:(.text+0xae1): undefined reference to `BitBlt@36'
./lib/libcrypto.a(rand_win.o):rand_win.c:(.text+0xaeb): undefined reference to `GetBitmapBits@12'
./lib/libcrypto.a(rand_win.o):rand_win.c:(.text+0xb42): undefined reference to `SelectObject@8'
./lib/libcrypto.a(rand_win.o):rand_win.c:(.text+0xb49): undefined reference to `DeleteObject@4'
./lib/libcrypto.a(rand_win.o):rand_win.c:(.text+0xb53): undefined reference to `DeleteDC@4'
./lib/libcrypto.a(rand_win.o):rand_win.c:(.text+0xb5d): undefined reference to `DeleteDC@4'
collect2: ld returned 1 exit status


My Questions,
1. Which command is correct?

2. if command 2 is correct, which library was missed?

PS : OpenSSL Library files was complied successful in the same platform(MinGW).

Ok. I think I'm running out of ideas now. There really seems to be a problem with this disc and the xbox 360 HD DVD drive. Maybe there is something wrong with the way the protected area is stored on the disc (which is if I remember correctly stored with a different pit width/length) and therefore not readable by all HD DVD drives.

Btw this may be related: http://slashdot.org/articles/07/04/02/1126209.shtml

arnezami


got my replacement disc today...same problem.

also tried playback with pdvd6.5 which reports "A disc with an unsupported format in drive H:"

additionally, according to these reviews there appears to be problems on other players as well:
http://www.amazon.com/National-Geographic-Relentless-Enemies-DVD/dp/B000MQCULO

I am hoping we will see a version that works on the PS3 soon!

Going to try ubantu 7.04 beta as I think it ships with the 2.6.20 kernel. Will give this a go to see if it works.

what does it mean if the volume id is reported as a string of zeroes? i've been having trouble getting "National Geographic - Relentless Enemies" to work.

any ideas?

thanks

Please try the new vid.exe (http://www.ingenieria-inversa.cl/files/vid.rar) and see what it returns (mirror (http://www.sendspace.com/file/g25nhb)).

arnezami

Please try the new vid.exe (http://www.ingenieria-inversa.cl/files/vid.rar) and see what it returns (mirror (http://www.sendspace.com/file/g25nhb)).

arnezami


still zeroes...

i also patched my fw as soon as you released it the other day, still unable to read it. it looks like this disc may not have been authored properly, as other standalone players are have trouble as well. its supposed to be fixed with a firmware update in may?

heres my output w/ patch (i AM able to get the vid from other discs with this patch/technique):

>set PLSCSI=\\.\G:

>plscsi.exe -v -x "AD 00 00 00 00 00 00 80 00 24 00 00" -i x24
x 00000000 AD 00 00:00:00:00 00 80:00:24:00 00 .. .. .. .. "-@@@@@@@@$@@"
x 00000000 AE:AE:AE:AE AE:AE:AE:AE AE:AE:AE:AE AE:AE:AE:AE "................"
x 00000010 AE:AE:AE:AE AE:AE:AE:AE AE:AE:AE:AE AE:AE:AE:AE "................"
x 00000020 AE:AE:AE:AE .. .. .. .. .. .. .. .. .. .. .. .. "...."
x 00000000 70:00:05:00 00:00:00:0A 00:00:00:00 6F:01 .. .. "p@E@@@@J@@@@oA"
// x 5 6F 01 sense // x24 (36) residue
// -x0102 = -258 = plscsi.main exit int

>

Ok. I'm quite busy extending/improving aacskeys. :)

My new version now uses a proper Hk/Hv combination and supports Bus Key calculation (which was quite some work) and because of that it now supports Volume ID MACs (for both BD and HD DVD). It also supports TKF MAC now (for checking if a VUK is correct, which is a HD-DVD-only feature btw). It also outputs the SHA-1 hash of the Title Key File (or CPS Unit Key file for BD according to new specs by KenD00's decrypter).

I'm still in the process of putting the Processing/Device Key(s) and Host Private Key(s) into editable text files and letting the program figure out which keys to use. Essentially implementing the whole Subset Tree Difference algorithm (and make it even more flexible than the official algo so it can figure out things with less available knowledge)

I'm also working on BDAV support. But I have a problem. Maybe somebody else can help me here ;).

I need to extract the Binding Nonce. There is a command for that (which should work after AACS-Auth). The problem is in this command an address needs to be filled: LBA Extend. But I have no idea what to put there... Sure it has to be the same address the Binding Nonce was written to but how do I get this information??

Can anybody help?

Thanks.

arnezami

PS. I've also enhanced fetchvid.exe (less agressive/more subtle/time in ms) which now works with PowerDVD 7.3 and WinDVD 8 HD. But should work with any player. This will be the equivalent (for BD drive owners) of a Volume ID "hack". Although it requires a working software player.

Here is a new windows version of aacskeys. I've also updated the link in the first post with this one.

http://www.sendspace.com/file/8q6aub

As stated above it has several improvements (most practical I think is the Title/Unit Key file hash atm).

There is still quite a lot I want to change/improve so you can expect more to come :).

Please test if its working: there has been a lot of changes ;).

test it with 2 bluray discs works !

great! :D

Tested with King Kong (HD DVD). Seems to be working...Thanks arnezami

http://img523.imageshack.us/img523/1699/image1xy2.jpg (http://imageshack.us)

Nice :).

Please check if the Bus Key is filled (don't post it) and whether the Volume ID MACs are exactly the same (don't post it).

Also fot Bluray: is the sha-1 hash the correct one? (according to the KenD00's new specs that is)

Nice :).

Please check if the Bus Key is filled (don't post it) and whether the Volume ID MACs are exactly the same (don't post it).

Also fot Bluray: is the sha-1 hash the correct one? (according to the KenD00's new specs that is)


For bluray .


SHA-1 is the correct one !

and Buskey is Filled :-)

I'm also working on BDAV support. But I have a problem. Maybe somebody else can help me here ;).


I have a blu-ray BDAV, but aacskeys can't get any info from it.

message as follow:
C:\aacskeys>aacskeys.exe i v
Error opening Media Key File i:\AACS\MKBROM.AACS


Blu-ray BDAV file structure as follow,
\AACS\MKB_RW.inf
\AACS\AACS_av\CPSUnit00001.cci
\AACS\AACS_av\Unit_Key_RW.inf

Thanks a lot!!!!!!

I have a blu-ray BDAV, but aacskeys can't get any info from it.

message as follow:
C:\aacskeys>aacskeys.exe i v
Error opening Media Key File i:\AACS\MKBROM.AACS


Blu-ray BDAV file structure as follow,
\AACS\MKB_RW.inf
\AACS\AACS_av\CPSUnit00001.cci
\AACS\AACS_av\Unit_Key_RW.inf

Thanks a lot!!!!!!

Because I haven't been able to figure out this problem (http://forum.doom9.org/showpost.php?p=989138&postcount=117) the program isn't looking for BDAV files yet.

I really need help on this.

arnezami

Because I haven't been able to figure out this problem (http://forum.doom9.org/showpost.php?p=989138&postcount=117) the program isn't looking for BDAV files yet.

If any thing I can do, I will do it.
Just let me know how to do.

Ok. I'm quite busy extending/improving aacskeys. :)

My new version now uses a proper Hk/Hv combination and supports Bus Key calculation (which was quite some work) and because of that it now supports Volume ID MACs (for both BD and HD DVD). It also supports TKF MAC now (for checking if a VUK is correct, which is a HD-DVD-only feature btw). It also outputs the SHA-1 hash of the Title Key File (or CPS Unit Key file for BD according to new specs by KenD00's decrypter).

Since you are being so thorough about it you may also be interested in verifying the various signatures in AACS files, using the AACS public keys. I have not seen them posted anywhere else before, so here they are (in decimal format, the same format used in the AACS specs):

#define AACS_CC_PUB_X "686795158131444840350934441718292981749606298444"
#define AACS_CC_PUB_Y "667926496774724305600543583224894590551199207"
#define AACS_LA_PUB_X "569519044145899916876682500420440111695939635058"
#define AACS_LA_PUB_Y "111297986001312168148180416490690086062371334695"

I'm also working on BDAV support. But I have a problem. Maybe somebody else can help me here ;).

I need to extract the Binding Nonce. There is a command for that (which should work after AACS-Auth). The problem is in this command an address needs to be filled: LBA Extend. But I have no idea what to put there... Sure it has to be the same address the Binding Nonce was written to but how do I get this information??

The specs say "For BDRecordable Disc, the Binding Nonce shall be stored in the User Control Data associated with the first logical Sector of the CPS Unit Key File and should be non-zero value.". I assume that "first logical sector" is the same as the "LBA (Logical Block Address) Extent". The term "extent" usually refers to a consecutive range of sectors or blocks. As for how to get this: you have two options: either implement a simple UDF 2.5 reader/handler yourself and get the starting block number of the CPS Unit Key file right out of the directory structure. Or try to get it from the OS, in an OS-specific way using some file/directory query function. I don't know how to do this for Windows, but others may be able to help with that, or just google for it.

Since you are being so thorough about it you may also be interested in verifying the various signatures in AACS files, using the AACS public keys. I have not seen them posted anywhere else before, so here they are (in decimal format, the same format used in the AACS specs):

#define AACS_CC_PUB_X "686795158131444840350934441718292981749606298444"
#define AACS_CC_PUB_Y "667926496774724305600543583224894590551199207"
#define AACS_LA_PUB_X "569519044145899916876682500420440111695939635058"
#define AACS_LA_PUB_Y "111297986001312168148180416490690086062371334695"

Yeah I might aswell do that too. Cool find btw. :) Where did you get that? I haven't really spend much time searching for it but couldn't find it either (in mem). Must have missed it. Although I guessed its in every device and player so somebody would find it sooner or later. Changing this inside a Software Player would also allow us to let the Player do pretty much everything we want: thus potentially revealing all (and even still unused) keys inside the player (like all Device Keys and/or Sequence Keys).

The specs say "For BDRecordable Disc, the Binding Nonce shall be stored in the User Control Data associated with the first logical Sector of the CPS Unit Key File and should be non-zero value.". I assume that "first logical sector" is the same as the "LBA (Logical Block Address) Extent". The term "extent" usually refers to a consecutive range of sectors or blocks. As for how to get this: you have two options: either implement a simple UDF 2.5 reader/handler yourself and get the starting block number of the CPS Unit Key file right out of the directory structure. Or try to get it from the OS, in an OS-specific way using some file/directory query function. I don't know how to do this for Windows, but others may be able to help with that, or just google for it.

Yeah. The problem is I haven't got a BluRay player/burner AND I haven't got BDAV discs. So this makes it pretty much impossible for me to test things. Maybe I will make a small proggy so somebody that does have the above can try out different addresses and see what happens.

But only after I finished the implementation of automatic Device/Processing Key detection: this is gonna be a very cool and powerful feature :) and will be very useful for future attempts by "Key Finders" (aka hackers) to check if they have found a Key among (tons of) possible keys.

Regards,

arnezami

Just incase anyone didn't know.. AnyDVD HD 6.1.3.6 is now capable of decrypting Blu-Ray titles from mounted .iso images created with "dd" on the PS3 in Linux.

There was a thread (http://forum.doom9.org/showthread.php?t=124841) about that. It's just using a database of keys.

I don't think it's using a database of keys.

The discs I tried it on was Casino Royale (AUS) which is different to EUR/GER and USA, and also Sky High (AUS).

No database i've seen includes keys for these discs.

I don't think it's using a database of keys.
The discs I tried it on was Casino Royale (AUS) which is different to EUR/GER and USA, and also Sky High (AUS).
No database i've seen includes keys for these discs.
You didn't read the thread HyperHacker sent you to. It explains that AnyDVD doesn't need its database if you use it with an original disc, and you won't have ever seen their database. AnyDVD uses its own database as a backup, which lets it decrypt files mounted as an ISO or just copied off the original disc.

I'm really busy implementing stuff into aacskeys. :D

Here is something to test:

http://www.sendspace.com/file/f0lh56

Its now supports automatic Device/Processing Key detection :).

But it needs to be tested. If anyone has Device Keys (from our "old" Software Players which are going to be revoked anyway so you can release them if you like) then please test them and see if they are recognized as such.

In the file "ProcessingDeviceKeysSimple.txt" you can simply throw your Device/Processing Keys. If they work on a disc then aacskeys should be able to recognize that.

Here is what I put in for testing:

DEADBEAFDEADBEAFDEADBEAFDEADBEAF
DEEDDEEDDEEDDEEDDEEDDEEDDEEDDEED
12345678123456781234567812345678
87654321876543218765432187654321
AA856A1BA814AB99FFDEBA6AEFBE1C04
DEADBEAFDEADBEAFDEADBEAFDEADBEAF
DEEDDEEDDEEDDEEDDEEDDEEDDEEDDEED
12345678123456781234567812345678
87654321876543218765432187654321
09F911029D74E35BD84156C5635688C0
DEADBEAFDEADBEAFDEADBEAFDEADBEAF
DEEDDEEDDEEDDEEDDEEDDEEDDEEDDEED
12345678123456781234567812345678
87654321876543218765432187654321

Since it starts trying keys from the top it will detect the Device Key (released by ATARI Vampire) first (the one starting with AA85). If you remove or change that key it will find the Processing Key. If you remove or change that one too it doesn't find any working key and aborts.

In order for this to work on a new disc you need to find possible Keys (of course getting these is the hard part) and use aacskeys with these Keys on the new disc (or alternatively : copy the AACS directory from your new disc to a root dir of one of your HDDs and let aacskeys operate on that drive letter. Or mount these files/disc as an ISO. This will prevent wear and tear on your disc/drive).

More will follow (like input of volume id/HPK) but this I had to get out so somebody can (hopefully) confirm its working. ;)

arnezami

PS. As for speed: you will notice it takes quite a lot of time to test many keys. The current version isn't build for speed. There are several ways to speed it up (eg precomputation due to similarity in shapes of subsets) and shortcuts (like only trying a few C-values and ignoring others). In other words: you can't scan (full) memdumps with this program. ;)

No worky

Older version of aacskeys happily works with my current test disk (Total Recall):


C:\aacs>.\aacskeys.exe i v
Processing key: 09F911029D74E35BD84156C5635688C0
Encrypted C-value: B7422BF12E30C7308B66B877E376058D
Corresponding uv: 00000001

Decrypted C-value: 50D497E0D724A42B08E010619D3B6DD7
Media key: 50D497E0D724A42B08E010619D3B6DD6

Encrypted verification data: 9ED2A5E1116D544F0338E74E8A4F9A0B
Decr verif data should be: 0123456789ABCDEF
Decrypted verification data: 0123456789ABCDEF07D27BEAF4FBDC72

AGID: 00

Host certificate from: Power DVD 7.1
Host certificate (Hcert): 0200005CFFFF0000000C00006E3DEB679B9A16AD
FAA8E30878767BA6EB2A9B415385AD1181B4446C
31E9A5DD2AB808B364FF15885BAC490964318C9B
F8029FCF76F688A54FBDA03F6D9332EF04E5A613
12DA85880A4D9CBB79D8602E
Host Private Key (Hpriv): 4737676058D7029452514F0AB186DC4CCA8C578F
Host Nonce (Hn): 2923BE84E16CD6AE529049F1F1BBE9EBB3A6DB3C

Drive certificate (Dcert): ########################################
########################################
########################################
########################################
########################
Drive Nonce (Dn): ########################################

Drive key point (Dv): ########################################
########################################
Drive key signature (Dsig): ########################################
########################################

Host key (Hk): 0000000000000000000000000000000000000000
Host key point (Hv): 8E9B0E3CF41FA7DA3A829F604122EA4ED5261AA4
7570CE0BB9061A66FAF92C4A7D98ACC171CBF19B
Host key signature (Hsig): ########################################
########################################

Bus key (BK): ################################

Volume ID: 4000922B7BCD3536AC5CD7FA41FD0000
Voluem ID MAC: ################################

Volume Unique Key: F51EAABB7CD2E2ED05A6BE00126D4AA6
Title Key File MAC: 232F941592CBE19FF50865356153DEA7

Encrypted Title Key 1: 8D2F4E37CF6525FA88877BFFF77F5F50
Encrypted Title Key 2: 032609ADE9C4FB6B9C8F19E1BF3A8056
Encrypted Title Key 3: 25D499F134D0F546F346814C0E142D6C
Encrypted Title Key 4: 8C03F7420B47ECF1C6A2BEE7174E416E

[64 encrypted and decrypted title keys snipped]



With the newer version of aacskeys I get the following:
(ProcessingDeviceKeysSimpletxt as shipped)


C:\aacs\aacskeys.new>.\aacskeys.exe i v

Could not find a Processing Key or Device Key resulting in the Media Key.

Aborting...

C:\aacs\aacskeys.new>


If I go ahead and edit ProcessingDeviceKeysSimple.txt to just contain a single line:
09F911029D74E35BD84156C5635688C0
(Processing key that works with older version of aacskeys and this disk), I still get the same error message.

Hope this helps.

System in question is Windows XP, Pan European release (?), English locale. Xbox 360 HD-DVD drive connected over USB.

Are there any other tests I can run?

No worky

Older version of aacskeys happily works with my current test disk (Total Recall):


C:\aacs>.\aacskeys.exe i v
Processing key: 09F911029D74E35BD84156C5635688C0
Encrypted C-value: B7422BF12E30C7308B66B877E376058D
Corresponding uv: 00000001

Decrypted C-value: 50D497E0D724A42B08E010619D3B6DD7
Media key: 50D497E0D724A42B08E010619D3B6DD6

Encrypted verification data: 9ED2A5E1116D544F0338E74E8A4F9A0B
Decr verif data should be: 0123456789ABCDEF
Decrypted verification data: 0123456789ABCDEF07D27BEAF4FBDC72

AGID: 00

Host certificate from: Power DVD 7.1
Host certificate (Hcert): 0200005CFFFF0000000C00006E3DEB679B9A16AD
FAA8E30878767BA6EB2A9B415385AD1181B4446C
31E9A5DD2AB808B364FF15885BAC490964318C9B
F8029FCF76F688A54FBDA03F6D9332EF04E5A613
12DA85880A4D9CBB79D8602E
Host Private Key (Hpriv): 4737676058D7029452514F0AB186DC4CCA8C578F
Host Nonce (Hn): 2923BE84E16CD6AE529049F1F1BBE9EBB3A6DB3C

Drive certificate (Dcert): ########################################
########################################
########################################
########################################
########################
Drive Nonce (Dn): ########################################

Drive key point (Dv): ########################################
########################################
Drive key signature (Dsig): ########################################
########################################

Host key (Hk): 0000000000000000000000000000000000000000
Host key point (Hv): 8E9B0E3CF41FA7DA3A829F604122EA4ED5261AA4
7570CE0BB9061A66FAF92C4A7D98ACC171CBF19B
Host key signature (Hsig): ########################################
########################################

Bus key (BK): ################################

Volume ID: 4000922B7BCD3536AC5CD7FA41FD0000
Voluem ID MAC: ################################

Volume Unique Key: F51EAABB7CD2E2ED05A6BE00126D4AA6
Title Key File MAC: 232F941592CBE19FF50865356153DEA7

Encrypted Title Key 1: 8D2F4E37CF6525FA88877BFFF77F5F50
Encrypted Title Key 2: 032609ADE9C4FB6B9C8F19E1BF3A8056
Encrypted Title Key 3: 25D499F134D0F546F346814C0E142D6C
Encrypted Title Key 4: 8C03F7420B47ECF1C6A2BEE7174E416E

[64 encrypted and decrypted title keys snipped]



With the newer version of aacskeys I get the following:
(ProcessingDeviceKeysSimpletxt as shipped)


C:\aacs\aacskeys.new>.\aacskeys.exe i v

Could not find a Processing Key or Device Key resulting in the Media Key.

Aborting...

C:\aacs\aacskeys.new>


If I go ahead and edit ProcessingDeviceKeysSimple.txt to just contain a single line:
09F911029D74E35BD84156C5635688C0
(Processing key that works with older version of aacskeys and this disk), I still get the same error message.

Hope this helps.

System in question is Windows XP, Pan European release (?), English locale. Xbox 360 HD-DVD drive connected over USB.

Are there any other tests I can run?
Ok. Thanks. What happens if you remove the file: ProcessingDeviceKeysSimple.txt altogether? Do you get a different error message? Or does it crash?

Do others have the same problem here? Please test it.

(btw it works fine on my system and I don't see (yet) why it would not work with yours)

arnezami

BTW, I have a couple of suggestions for aacskeys....

There are many revisions of it out there by now, so maybe implementing some sort of versioning as maybe the first line of the output would make sense. In the above post I refer to "older" aacskeys, but I have no idea which particular build it is. This would make your life easier with bug reports, etc.

If you add a way of adding comments to ProcessingDeviceKeysSimple.txt (ie lines that will not be processed by the aacskeys, say lines that start with # or ; ), it would probably be useful for key management, etc.

BTW, I have a couple of suggestions for aacskeys....

There are many revisions of it out there by now, so maybe implementing some sort of versioning as maybe the first line of the output would make sense. In the above post I refer to "older" aacskeys, but I have no idea which particular build it is. This would make your life easier with bug reports, etc.

If you add a way of adding comments to ProcessingDeviceKeysSimple.txt (ie lines that will not be processed by the aacskeys, say lines that start with # or ; ), it would probably be useful for key management, etc.

You're right about the versions. Here is the same new version again (now called v0.2). No changes but the output of the version nr:

http://www.sendspace.com/file/vdnfzt

Please read my previous post. You may have missed it.

arnezami

PS. Regarding the extension of the text file: this is the "Simple" version and is for people thinking they might have found a new key. So they can just throw in possible keys...

I have made some changes so it gives more info. Hopefully this will clarify where the problem lies:

aacskeys v0.2.2 (http://www.sendspace.com/file/envig6)

Please to others too: try this on different discs. Thanks :).

I have made some changes so it gives more info. Hopefully this will clarify where the problem lies:
aacskeys v0.2.2 (http://www.sendspace.com/file/envig6)
Please to others too: try this on different discs. Thanks :).


Does this version support BDAV disc?

Error message as follow,

C:\aacskeys_v0.2.2>aacskeys.exe m v
aacskeys v0.2.2

Error opening Media Key File m:\AACS\MKBROM.AACS

Ok. I now got the automatic Device Key detection working thanks to someone "lending me a hand" ;). Thanks. You know who you are :).

I'm still going to (more methodically) check whether its really accurate but it looks very good now.

Screenshot of usage for new aacskeys version:

http://img338.imageshack.us/img338/2418/aacskeysv024ym7.jpg

Anyway. Version 0.2.4 now supports volume id input too. This is going to be very handy when (well technically: if) we find the new Processing Key(s) without having a working HPK yet.

aacskeys v0.2.4 (http://www.sendspace.com/file/je0k22)

For the other problem (that awhitehead posted): anyone please test this new version (just run it) and post your results :thanks:

Regards,

arnezami

@PepsiLee2001: no this version doesn't support BDAV yet. Please read my last posts about this.

[edit] Small update: turned on something that wasn't supposed to stay turned off.

PS. If/when the new Processing/Device Key is found and released you can use fetchvid (http://forum.doom9.org/showthread.php?p=992791#post992791) to retrieve the Volume ID of a new disc and then use it as input for aacskeys. :)

For the other problem (that awhitehead posted): anyone please test this new version (just run it) and post your results :thanks:


Both 0.2.2 and 0.2.4 work for me now, both without the .txt file, and with it, if it contains a valid device or processing key. 0.2 didn't like the presence of .txt file, but works without it.

Tested with US release of "Syriana"

Both 0.2.2 and 0.2.4 work for me now, both without the .txt file, and with it, if it contains a valid device or processing key. 0.2 didn't like the presence of .txt file, but works without it.

Tested with US release of "Syriana"

I can't work without txt file! :) Which means it somehow gets the txt file from a different directory. But 0.2 working when you remove the file... huh? I guess its possible your 0.2 gets his txt file from somewhere else when the file is not in its current dir (otherwise it read the one from its current dir and there is something wrong with it). Something like that.

I guess there is a problem with accessing the current dir or something (maybe your PATH settings). Bah. I hate this directory stuff.

Can you put the exe file in a different directory and see what happens? If you have a working setup can you remove/rename all occurences of the txt file on your entire HDD (one by one) and see which one is accessed?

Thanks.

arnezami

Can you put the exe file in a different directory and see what happens? If you have a working setup can you remove/rename all occurences of the txt file on your entire HDD (one by one) and see which one is accessed?


*sigh* You are right. Fixed my PATH, moved the programs to a new directory, re-run.

0.2.0 just dies with "Can't open file..."

0.2.2 and 0.2.4 print First u mask nr and First uv and then die.

With correct entry in the ProcessingDeviceKeysSimple.txt 0.2.4 and 0.2.2 still work, though, and with file present, but without the correct keys, complain about lack of keys.

*sigh* You are right. Fixed my PATH, moved the programs to a new directory, re-run.

0.2.0 just dies with "Can't open file..."

0.2.2 and 0.2.4 print First u mask nr and First uv and then die.

With correct entry in the ProcessingDeviceKeysSimple.txt 0.2.4 and 0.2.2 still work, though, and with file present, but without the correct keys, complain about lack of keys.

Ok. So apart from crashing when no file is present it all works right?

Also try this: aacskeys v0.2.5 (http://www.sendspace.com/file/3e8bzt)

It should give (what it thinks is) the current path and it now uses that path. This prevents it from using the PATH stuff and removes the ambiguity.

arnezami

[edit] Have you also tried the new volumeid input feature?

Ok. I'm quite busy extending/improving aacskeys. :)

I'm also working on BDAV support. But I have a problem. Maybe somebody else can help me here ;).

I need to extract the Binding Nonce. There is a command for that (which should work after AACS-Auth). The problem is in this command an address needs to be filled: LBA Extend. But I have no idea what to put there... Sure it has to be the same address the Binding Nonce was written to but how do I get this information??

Can anybody help?

Thanks.

arnezami

I found the LBA Extend Value of the BD-RE. The LBA of the file "\AACS\AACS_av\Unit_Key_RW.inf" is the one.

This is the ScreenShot of IsoBuster 2.1. In this picture, "16800=0x000041A0" is the address.
7324

I found the LBA Extend Value of the BD-RE. The LBA of the file "\AACS\AACS_av\Unit_Key_RW.inf" is the one.

This is the ScreenShot of IsoBuster 2.1. In this picture, "16800=0x000041A0" is the address.
http://soarern.hp.infoseek.co.jp/image/LBA_ext.png

Thanks :).

Is it possible for you to see if the LBA is the exactly same for every disc and any content?

arnezami


PS. As an aside: I've put the 0.2.5 version in my first post of this thread since it seems to be working quite well :).

Is it possible for you to see if the LBA is the exactly same for every disc and any content?


I have another BDAV disc that own the same file size & LBA value with Neo2011 post one.

Is it possible for you to see if the LBA is the exactly same for every disc and any content?

My another BD-RE Disc's LBA is another one.:(
Ex. 16832 , 16768. etc.

My another BD-RE Disc's LBA is another one.:(
Ex. 16832 , 16768. etc.

*sigh*

Seems like the real solution is to write a (limited) UDF 2.5 filesystem parser, that would be able to read the disk, parse the volume descriptors, traverse the chain to root dir file entry of the file we want, and figure out at what LBA needed files start.

Recently I was tracking down a problem while trying to figure out why a particular HD-DVD drive is capable of reading a Fox Pathe HD-DVD disc, while a different one could not, and if it was a filesystem or mastering problem on the disc or a problem with the drive. To do that, I started writing a small set of scripts that call plscsi, send the commands, and then parse the output, but this is nowhere near userfriendly. In addition I'm lazy, so instead of reading UDF 2.5 spec, I started by just randomly reading blocks, and trying to see if I can parse them.

In any event, in order to do that you need to send the following CDBs to the drive:
Get Capacity
25 00 00:00:00:00 00 00:00 00

Example (on a DVD, since this is what I have on hand):

darkstar:~/plscsi$ plscsi -v -x "25 00 00:00:00:00 00 00:00 00" -i 8
x 00000000 25 00 00:00:00:00 00 00:00 00 .. .. .. .. .. .. "%@@@@@@@@@"
x 00000000 00:18:94:FF 00:00:08:00 .. .. .. .. .. .. .. .. "@XT?@@H@"
// 0 = plscsi.main exit int
darkstar:~/plscsi$ df -h /mnt/cdrom
Filesystem Size Used Avail Capacity Mounted on
/dev/disk1 3.1G 3.1G 0B 100% /mnt/cdrom
darkstar:~/plscsi$


Bytes 2-5 (we count from zero) are the total number of blocks - 1 on a disk. Blocks 7-8 are the sector byte size (which should be 2048 bytes for the optical discs)

So for example
800h = 2048 bytes/sector
1894FFh = 1611007

1611008 sectors * 2048 bytes = 3299244384 bytes ~= 3.1 G which is what df confirms.

Then you READ(10) the blocks on the disk:

darkstar:~/plscsi$ plscsi -v -x "28 00 00:00:00:10 00 00:01 00" -i x800
x 00000000 28 00 00:00:00:10 00 00:01 00 .. .. .. .. .. .. "(@@@@P@@A@"
x 00000000 01:43:44:30 30:31:01:00 20:20:20:20 20:20:20:20 "ACD001A@ "
x 00000010 20:20:20:20 20:20:20:20 20:20:20:20 20:20:20:20 " "
x 00000020 20:20:20:20 20:20:20:20 4B:55:4D:49 54:41:43:48 " KUMITACH"
x 00000030 49:20:20:20 20:20:20:20 20:20:20:20 20:20:20:20 "I "
x 00000040 20:20:20:20 20:20:20:20 00:00:00:00 00:00:00:00 " @@@@@@@@"
x 00000050 00:95:18:00 00:18:95:00 00:00:00:00 00:00:00:00 "@UX@@XU@@@@@@@@@"
x 00000060 00:00:00:00 00:00:00:00 00:00:00:00 00:00:00:00 "@@@@@@@@@@@@@@@@"
x 00000070 00:00:00:00 00:00:00:00 01:00:00:01 01:00:00:01 "@@@@@@@@A@@AA@@A"
x 00000080 00:08:08:00 2A:00:00:00 00:00:00:2A 01:01:00:00 "@HH@*@@@@@@*AA@@"
x 00000090 00:00:00:00 00:00:01:02 00:00:00:00 22:00:03:01 "@@@@@@AB@@@@"@CA"
x 000000A0 00:00:00:00 01:03:00:08 00:00:00:00 08:00:6A:07 "@@@@AC@H@@@@H@jG"
x 000000B0 01:0C:17:30 00:02:00:00 01:00:00:01 01:00:4B:55 "ALW0@B@@A@@AA@KU"
x 000000C0 4D:49:54:41 43:48:49:20 20:20:20:20 20:20:20:20 "MITACHI "
x 000000D0 20:20:20:20 20:20:20:20 20:20:20:20 20:20:20:20 " "
...
x 00000220 20:20:20:20 20:20:20:20 20:20:20:20 20:20:20:20 " "
x 00000230 20:20:20:20 20:20:20:20 20:20:20:20 20:20:44:56 " DV"
x 00000240 44:20:53:74 75:64:69:6F 20:50:72:6F 3A:34:2E:30 "D Studio Pro:4.0"
x 00000250 2E:33:2C:20 44:53:50:49 6E:74:65:72 66:61:63:65 ".3, DSPInterface"
x 00000260 3A:33:38:32 2C:20:44:56 44:41:75:74 68:6F:72:69 ":382, DVDAuthori"
x 00000270 6E:67:3A:33 37:32:2C:20 44:56:44:42 61:73:65:3A "ng:372, DVDBase:"
x 00000280 33:39:36:28 45:6E:63:6F 64:65:72:3A 20:34:38:33 "396(Encoder: 483"
x 00000290 29:2C:20:4F 78:79:67:65 6E:65:3A:34 30:39:20:20 "), Oxygene:409 "
x 000002A0 20:20:20:20 20:20:20:20 20:20:20:20 20:20:20:20 " "
...
x 00000310 20:20:20:20 20:20:20:20 20:20:20:20 20:20:20:20 " "
x 00000320 20:20:20:20 20:20:20:20 20:20:20:20 20:32:30:30 " 200"
x 00000330 36:30:37:30 31:31:32:32 33:34:38:30 30:00:30:30 "6070112234800@00"
x 00000340 30:30:30:30 30:30:30:30 30:30:30:30 30:30:00:30 "00000000000000@0"
x 00000350 30:30:30:30 30:30:30:30 30:30:30:30 30:30:30:00 "000000000000000@"
x 00000360 30:30:30:30 30:30:30:30 30:30:30:30 30:30:30:30 "0000000000000000"
x 00000370 00:01:00:00 00:00:00:00 00:00:00:00 00:00:00:00 "@A@@@@@@@@@@@@@@"
x 00000380 00:00:00:00 00:00:00:00 00:00:00:00 00:00:00:00 "@@@@@@@@@@@@@@@@"
...
x 000007F0 00:00:00:00 00:00:00:00 00:00:00:00 00:00:00:00 "@@@@@@@@@@@@@@@@"
// 0 = plscsi.main exit int
darkstar:~/plscsi$


In the READ(10) CDB 28 00 xx:xx:xx:xx 00 yy:yy 00
bytes 2:3:4:5 (xx) are the start blocks to read from. 16 is generally the first block on optical media. Bytes 7:8 (yy) are number of blocks to read (yes, you can do bulk). I only want one block, and previous CDB told me how large are blocks on this media, so I expect back 800h = 2048 bytes.

Indeed in the drive is a DVD that was authored using Apple DVD Studio Pro and labeled "KUMITACHI". 2006-07-01 12:23:48 is the creation date and time.

In reality, if you are writing the real thing, you want to read in 3 different places on a disk to obtain the Anchor Volume Descriptor Pointer. It can be 256 blocks into the filesystem, at the last block of the filesystem, or at the (last block - 256) block of the filesystem. Last two cases are more common with rewritable media that was not finalized. Since HD-DVDs are pressed and generally reasonably well authored, currently I just ignore the other two cases.

So... 256 = 100h and we started 16 blocks into the disk, so, we want to start by reading 272 (110h) blocks in, and parse the AVDP to figure out where Main Volume Descriptor Sequence is. MVDP will give us either a Logical Volume Descriptor (likely) or Partition Descriptor (very unlikely to see in the field now a days, and comes up on disks that have say HFS+ filesystem and UDF filesystem on them, so I currently just ignore this.) location. Both of the above will point us at the File Set Descriptor, that in turn will give us Root Directory File Entry location (Recall that directories are just files, that have File ID Descriptors of their children files as their File Data).

And then you traverse the disk, parse the FSD, get the RDFE, parse RDFE, find the correct file corresponding to the correct subdirectory, read it's FD, and figure out which block corresponds to the file you want.

I do some of this using scripts, and a fair bit of the above by hand right now (decoding file descriptors, parsing RDFE, etc). I am not sure what my current time commitments are, and if I'll have an opportunity to code something, so if anyone wants to get a crack at this, and contribute a module for aacskeys - Go for it! BD fans - here is your opportunity to shine!

UDF specs are at http://www.osta.org/specs/

This may be a stupid question. :D

But has anyone tried to retrieve a VUK for a BDAV disc using bluray key finder (http://forum.doom9.org/showthread.php?p=941504#post941504)?

If we had a VUK it would be possible to see if we can properly decrypt/dump a bdav disc. If so then we know what VUK a certain disc has and we would have a validated crib to work with. Which would make it easier to figure out the LBA Extend/Binding Nonce/AES-H/Usage file/Kpa stuff.

If you haven't tried this yet please do :).

arnezami

This may be a stupid question. :D

But has anyone tried to retrieve a VUK for a BDAV disc using bluray key finder (http://forum.doom9.org/showthread.php?p=941504#post941504)?

If we had a VUK it would be possible to see if we can properly decrypt/dump a bdav disc. If so then we know what VUK a certain disc has and we would have a validated crib to work with. Which would make it easier to figure out the LBA Extend/Binding Nonce/AES-H/Usage file/Kpa stuff.
arnezami


I had tried it, but bluray key finder can't find it.