View Full Version : Got VolumeID without AACS authentication :)


FoxDisc
11th April 2007, 14:11
What we need to do is find another processing key... and not release it until about one month from now ;-)

Yes, another processing key will almost certainly be needed. Right now, one processing key (plus the Volume ID) is all that's needed to decrypt all of the movie on all discs. Note the two "all"s in that sentence. What may not be apparent is that 1) if they begin using the SKB system, the new processing key will only decrypt portions of the movie (most, but not all). At up to 32 points in the movie you will need other keys (derived from the six SKBs on the disc and secret Sequence Keys stored in the player). 2) The second limitation is that they are not required to use the same processing key for all discs (or for HD/BR as you noted).

It should be interesting to see what's on the next AACS discs that are released.

FoxDisc
11th April 2007, 14:21
hardware revocation is irrelevant.

I'm inclined to agree - but there is an opportunity for the AACS LA to make a huge PR blunder by turning off legitimate drives. People who buy discs may understand that DRM prevents them from copying the discs, but people who buy hardware usually don't understand that the AACS DRM can permanently turn off their hardware so it can't play new discs and it won't even play the same discs it would play last week.

Galileo2000
11th April 2007, 14:28
I'm inclined to agree - but there is an opportunity for the AACS LA to make a huge PR blunder by turning off legitimate drives. People who buy discs may understand that DRM prevents them from copying the discs, but people who buy hardware usually don't understand that the AACS DRM can permanently turn off their hardware so it can't play new discs and it won't even play the same discs it would play last week.

We are dangerously close to the legal waters now, but let me say that such action would be a kiss of death to any organization or company which does such things.

I put YOUR DISC into MY DRIVE and YOUR DISC killed MY DRIVE and you are telling me just that?

bourke
11th April 2007, 14:31
Yes, another processing key will almost certainly be needed. Right now, one processing key (plus the Volume ID) is all that's needed to decrypt all of the movie on all discs. Note the two "all"s in that sentence. What may not be apparent is that 1) if they begin using the SKB system, the new processing key will only decrypt portions of the movie (most, but not all). At up to 32 points in the movie you will need other keys (derived from the six SKBs on the disc and secret Sequence Keys stored in the player). 2) The second limitation is that they are not required to use the same processing key for all discs (or for HD/BR as you noted).


Yes, arnezami explained this early on in his 'Understand AACS (Subset-Difference)' thread ;-)

I hope they do use different keys for Blu-Ray and HD-DVD - and that we crack the Blu-Ray one(s) first (and much earlier) - that way some studios may shift camps!

Just think - hackers may actually be able to influence the outcome of the format war :-)

After all - I only want to be able to convert region-coded Blu-Ray movies into non-region-coded HD-DVDs - something entirely legal here in Australia :-)


It should be interesting to see what's on the next AACS discs that are released.

We're all looking forward to the fun and games ahead :-)

FoxDisc
11th April 2007, 14:40
I see =) what is KCD that people are talking about?

Key Conversion Data. It's not used by software players and is optional for hardware players. It's part of the confidential spec, but it's stored on an AACS disc in a known location, so it's interesting to see 1) if it's currently in use (since it's optional) and 2) if the drives used by software players can even see it (since software players aren't supposed to be able to get it).

SuperGoof
11th April 2007, 14:56
I'm not sure we know where the DRL revocation would be stored. Is it in the drive, the software?

To my understanding, according to the specs drives take care of HRLs, while hosts take care of DRLs. In this case, it is up to PowerDVD/WinDVD where they decide to store DRLs. Based on my experience with blu-ray regions, I think they will probably store DRLs in Windows Registry. :)

FoxDisc
11th April 2007, 15:07
To my understanding, according to the specs drives take care of HRLs, while hosts take care of DRLs. In this case, it is up to PowerDVD/WinDVD where they decide to store DRLs. Based on my experience with blu-ray regions, I think they will probably store DRLs in Windows Registry. :)

That makes sense, but it's easier to get around such a revocation (reinstall Windows, then player) than it would be to get around a DRL that's also stored on the drive itself. I really doubt we'll see DRLs on the next discs anyway.

Boing99
11th April 2007, 15:37
A few comments and answers:

Current AACS disks (at least those I have looked at) do have a KCD, and (at least some) standalone players have device key sets that require a KCD. That also means that the drives in those players have a modified firmware which allows reading the KCD, using undocumented CDBs. Incidentally, on at least some of the standalone players the drive firmware is modified even more heavily, e.g. to allow the player to read the volume ID and KCD without exchanging host/drive keys first :). The AACS specs already hinted at that, and it has been confirmed in real life.

FoxDisc: I agree with the fight not being over yet, but behind the scenes player software, drives and standalones have been penetrated by several people a LOT deeper than has been announced so far. No use in tipping AACS-LA off about the targets and methods quite yet, as long as disk backups can already be made with what has been published so far. Don't be surprised though if the stream of VUKs continues after the first AACS key revocation almost like before. We might even see the new processing key (assuming they still only use a single one for all disks) quite quickly.

The problem for AACS-LA and movie studios is that some hardware and software manufacturers have been sloppy in their protection systems while rushing products to market, so we are seeing drives and standalones that can be updated without public key code signing (X-Box add-on and others), software players that do not handle CRLs, software players with insufficient code armor, software players that keep keys lying around in memory etc. etc. Some of these mistakes are probably irrecoverable except possibly to some degree by using BD+ and SKB. Reverse-engineering is alive and well...

About SKB: I doubt we will see this before the end of the year, and even after that it will probably only be used in certain high-profile titles, because it would be a PITA for movie companies to use. Mastering movies without SKB is relatively simple, as most of the burden of MKB, revocation etc. lies with replicators, but with SKB the movie companies probably will have to do a lot more of the work. The question is: will movie companies continue to invest a lot more money, time, training etc. into a system which so far AACS-LA has not been able to demonstrate to be more effective in preventing copying than CSS, despite the huge effort put into it?

Also, if software players will continue to be penetrated as easily as they have been in the past then there is no point in SKB (except for the one-time effort required by authors of ripping tools to support it in their software), because all sold copies of the same version of a player share the same keys. The use of SKB would just shift the race to a slightly different playing field: can hackers extract device keys and sequence keys out of players more quickly than AACS-LA can revoke and renew them? My guess (assuming the HD formats continue to penetrate the market): most likely, yes. That would make the SKB system completely useless for AACS-LA, since all it would tell them shortly after each round of revocation is "Win/PowerDVD has been penetrated again." Doh :)

About drive revocation: I believe individual units can be revoked. It all depends on whether drive ids are assigned per unit or per model. The usual way to test is: if the drive id looks small and simple (like the host id in PowerDVD or WinDVD) then it was probably assigned per model. If it looks complex and irregular, like a serial number, then it is probably unique per drive. Mine looks like a serial number. You can find it in the drive certificate returned by the drive during an AACS key exchange. Just look at a packet trace. Of course, regardless, drive revocation does not affect ripping tools at all, only commercial players. And (at least some) standalones do not use drive keys at all, so their drives can never be revoked.

The PS3 drive does work under Linux (using either a UDF kernel patch or using ripping software that has UDF support built-in). However only file reading works, not the AACS key exchange, because that appears to be blocked by the Hypervisor. This means you will have to get the Volume ID with different hardware.

Galileo2000
11th April 2007, 16:14
Wow Boing99 such an excellent post overall.

A few comments and answers:

Current AACS disks (at least those I have looked at) do have a KCD, and (at least some) standalone players have device key sets that require a KCD. That also means that the drives in those players have a modified firmware which allows reading the KCD, using undocumented CDBs. Incidentally, on at least some of the standalone players the drive firmware is modified even more heavily, e.g. to allow the player to read the volume ID and KCD without exchanging host/drive keys first :). The AACS specs already hinted at that, and it has been confirmed in real life.

FoxDisc: I agree with the fight not being over yet, but behind the scenes player software, drives and standalones have been penetrated by several people a LOT deeper than has been announced so far. No use in tipping AACS-LA off about the targets and methods quite yet, as long as disk backups can already be made with what has been published so far. Don't be surprised though if the stream of VUKs continues after the first AACS key revocation almost like before. We might even see the new processing key (assuming they still only use a single one for all disks) quite quickly.

And we have seen it by now :D

The problem for AACS-LA and movie studios is that some hardware and software manufacturers have been sloppy in their protection systems while rushing products to market, so we are seeing drives and standalones that can be updated without public key code signing (X-Box add-on and others), software players that do not handle CRLs, software players with insufficient code armor, software players that keep keys lying around in memory etc. etc. Some of these mistakes are probably irrecoverable except possibly to some degree by using BD+ and SKB. Reverse-engineering is alive and well...

Good.

About SKB: I doubt we will see this before the end of the year, and even after that it will probably only be used in certain high-profile titles, because it would be a PITA for movie companies to use. Mastering movies without SKB is relatively simple, as most of the burden of MKB, revocation etc. lies with replicators, but with SKB the movie companies probably will have to do a lot more of the work. The question is: will movie companies continue to invest a lot more money, time, training etc. into a system which so far AACS-LA has not been able to demonstrate to be more effective in preventing copying than CSS, despite the huge effort put into it?

I bet they will. They still believe they are invincible. They are also slow and if they stop now, quite a few heads will be rolling. And those heads don't want to be rolling. Until someone who is smart and practical will step in, analyze the situation, losses in manufacturing, losses in sales and tell them STFU.

Also, if software players will continue to be penetrated as easily as they have been in the past then there is no point in SKB (except for the one-time effort required by authors of ripping tools to support it in their software), because all sold copies of the same version of a player share the same keys. The use of SKB would just shift the race to a slightly different playing field: can hackers extract device keys and sequence keys out of players more quickly than AACS-LA can revoke and renew them? My guess (assuming the HD formats continue to penetrate the market): most likely, yes. That would make the SKB system completely useless for AACS-LA, since all it would tell them shortly after each round of revocation is "Win/PowerDVD has been penetrated again." Doh :)

About drive revocation: I believe individual units can be revoked. It all depends on whether drive ids are assigned per unit or per model. The usual way to test is: if the drive id looks small and simple (like the host id in PowerDVD or WinDVD) then it was probably assigned per model. If it looks complex and irregular, like a serial number, then it is probably unique per drive. Mine looks like a serial number. You can find it in the drive certificate returned by the drive during an AACS key exchange. Just look at a packet trace. Of course, regardless, drive revocation does not affect ripping tools at all, only commercial players. And (at least some) standalones do not use drive keys at all, so their drives can never be revoked.

The PS3 drive does work under Linux (using either a UDF kernel patch or using ripping software that has UDF support built-in). However only file reading works, not the AACS key exchange, because that appears to be blocked by the Hypervisor. This means you will have to get the Volume ID with different hardware.

FoxDisc
11th April 2007, 16:15
A few comments and answers:
All very interesting, and lots of good points. Thanks!

with SKB the movie companies probably will have to do a lot more of the work.

If the movie company needs to come up with eight variations of the movie at each of 32 points, this would be a lot more effort, but I was guessing that this was really just an automated process - the movie company provides the movie and an automated tool picks 32 segments and forms 8 watermarked variants for each.

if software players will continue to be penetrated as easily as they have been in the past then there is no point in SKB (except for the one-time effort required by authors of ripping tools to support it in their software),

The LA might consider it to be worthwhile to force hackers through the one-time effort. It makes it harder because there are lots more keys involved. Plus, they may just want to keep an eye on whether the keys are all coming from the software players and not the hardware. Finally, they may need to confirm which software players are being broken so they can point the finger at a specific software company without them all saying "It wasn't me - it was the other guy who wrote sloppy code!"

Nonetheless, I won't be surprised if they don't add SKBs immediately. They may just want to see how well hardening the software works before giving clues on how the SKB system functions. They might even be concerned that poorly written hardware and software players could malfunction as they try to play new discs with a new complex SKB system.

stewwy
11th April 2007, 16:41
Revoke the 360 HD-DVD? I bought it legitimately with a copy of KK. They would be in court so fast for criminal damage their feet wouldn't touch the floor. I suspect they know this, so hardware revocation is more a threat to the manufacturers than anything else.

Momotte
11th April 2007, 18:59
But what I'm wondering is why you are not using aacskeys because that will give you the VUK...

Clearly you have an Xbox 360 HD DVD drive and an original disc. So aacskeys should work fine.

Or did you just want to know how to use a Volume ID instead of a VUK?

Yes, that was just a curiosity question... I have an Xbox drive + PC and aacskeys works fine, but you never know, two methods are better than only one ;)

Gradius
11th April 2007, 21:39
It isn't hard at all to build a little circuit to make this drive 100% stealth-proof. Just desolder the original flash, then build the circuit, put two sockets with two flash memories there, and a switch. One flash IC will contain the hacked firmware and the other the original one. You can even put an LED on it: ON (hacked) / OFF (original). :devil:

Gradius

Pelican9
11th April 2007, 22:30
It isn't hard at all to build a little circuit to make this drive 100% stealth-proof. Just desolder the original flash, then build the circuit, put two sockets with two flash memories there, and a switch. One flash IC will contain the hacked firmware and the other the original one. You can even put an LED on it: ON (hacked) / OFF (original). :devil:

Gradius

It's easier with a double-capacity flash, with the first half containing the original fw and the second half containing the patched fw; then you just switch the uppermost address pin.

greath
11th April 2007, 23:51
Nonetheless, I won't be surprised if they don't add SKBs immediately. They may just want to see how well hardening the software works before giving clues on how the SKB system functions. They might even be concerned that poorly written hardware and software players could malfunction as they try to play new discs with a new complex SKB system.

I agree. For all we know the certification process may be sloppy and some drives may not even support SKB. Who knows what sort of approval process each drive is subjected to. It could be better for AACS to use SKB now and find out that some drives don't work with it when only a few thousand have been sold rather than wait for a few million to be out in the field and to infuriate several million people.

mlansell
12th April 2007, 00:11
Revoke the 360 HD-DVD? I bought it legitimately with a copy of KK. They would be in court so fast for criminal damage their feet wouldn't touch the floor. I suspect they know this, so hardware revocation is more a threat to the manufacturers than anything else.

They don't need to do anything to your drive to revoke it, so no damage will have taken place. Your drive will continue to play old disks.

Your only legal recourse would be a claim against the drive manufacturer on the grounds that it's not fit for purpose (i.e it won't play any new disks).

I guess this is OT, so if you want to discuss further, this should move to a new thread.

Mal

Boing99
12th April 2007, 02:34
They don't need to do anything to your drive to revoke it, so no damage will have taken place. Your drive will continue to play old disks.


Actually that is not true.

There are two different kinds of revocation in AACS that people tend to confuse: one is the "forced" revocation of device keys. There is no workaround for that in software, but it only affects new disks. The other one is the completely separate "cooperative" revocation of players and drives based on their host/drive certificates, implemented by Certificate Revocation Lists. Drive revocation requires the cooperation of the player, and player revocation requires the cooperation of the drive. This type of revocation is supposed to be persistent (stored in NV-RAM or an encrypted file required by the player) and affects ALL disks, not just new disks.

On a related topic, I am still a little puzzled why Corel states that updates have to be downloaded from the drive manufacturer's web site (instead of updating only WinDVD from their website). That comment suggests drive firmware updates are required, too. I can only come up with two explanations for that:

One is that they may be planning a mass revocation of drive keys for at least some drive models. Not sure why, but the only obvious explanation I have for that is that some drives might not support player revocation correctly in their current firmware, and that AACS-LA may want to force new firmware onto those drives to ensure revocation of the compromised host private keys.

The other possible explanation is that they may be rolling out and enforcing Bus Encryption to plug the various volume id retrieval holes. That would be an interesting new challenge :)

bourke
12th April 2007, 03:25
I agree. For all we know the certification process may be sloppy and some drives may not even support SKB.

I thought SKB compatibility is dependent solely on the player, not the drive?!

Fahzuu
12th April 2007, 08:17
On a related topic, I am still a little puzzled why Corel states that updates have to be downloaded from the drive manufacturer's web site (instead of updating only WinDVD from their website). That comment suggests drive firmware updates are required, too. I can only come up with two explanations for that:


First, about drive revocation: each Xbox 360 drive seems to have a different Drive ID (at least the two I've had a look at). So revocation of the complete "class" of Xbox 360 drives seems to be completely out of the question.

Second: I think I can add a third explanation to your two, but that one is a lot less startling.
The exact phrase was:

"[...]security update from your PC or Drive manufacturer's websites[...]".

The point is that WinDVD8/HD is usually only available as an OEM version that comes with certain notebooks (apart from that infamous japanese standalone version).
So I suppose the above terminology simply refers to the fact, that the notebook manufacturers will be providing the update for download, being the OEM vendors.
Not sure though, what "or Drive" means exactly, but I'm quite certain, WinDVD/HD was bundled with a number of drives as well, so this would be the same then...

Simple and maybe disappointing :) explanation.

greath
12th April 2007, 11:22
I thought SKB compatibility is dependent solely on the player, not the drive?!

Sorry, I meant player as in the complete system.

FoxDisc
12th April 2007, 12:48
There are two different kinds of revocation in AACS that people tend to confuse: one is the "forced" revocation of device keys.
I tend to think of this type of revocation as "implicit" revocation. The revoked device searches for the keys it can decrypt in the MKB, but never finds them.

The other one is the completely separate "cooperative" revocation of players and drives based on their host/drive certificates, implemented by CRLs.
I think of this as "explicit" revocation because there are explicit "Revocation Lists" on the disc. There are three such lists and I don't think you should call them CRLs. "CRL" is defined in the specs as one of the three - the "Content Revocation List," while you are talking about the other two - the Drive Revocation List and the Host Revocation List.
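The "implicit" revocation FoxDisc describes can be seen in miniature with a toy broadcast-encryption scheme. This is an added example for this thread, not code from the thread or from the AACS specification: real AACS uses the NNL subset-difference method with AES, while this stand-in uses the simpler complete-subtree method and HMAC-SHA256 so the mechanism fits in a few lines. The 8-leaf binary tree, the per-node keys, the 16-byte Media Key and the choice of device 3 as the revoked one are all constructed for the demo. It also shows Boing99's point that this kind of revocation only bites on new discs: the revoked device still processes the old MKB fine.

```python
"""Toy model of "implicit" revocation through the MKB: a revoked device
processes the new MKB, finds no entry its device keys can open, and never
obtains the Media Key. An MKB issued before the revocation still works for it.

Added example, not code from the thread or from AACS. AACS uses the NNL
subset-difference scheme with AES; this stand-in uses the complete-subtree
method and HMAC-SHA256. Assumed: 8 devices as leaves of a binary tree
(heap numbering, root = 1, leaves = 8..15), one secret key per tree node,
and a 16-byte Media Key.
"""
import hashlib
import hmac

LEAVES = 8
NODES = 2 * LEAVES - 1


def _prf(key: bytes, label: bytes) -> bytes:
    # HMAC-SHA256 truncated to 16 bytes stands in for AES here (assumption).
    return hmac.new(key, label, hashlib.sha256).digest()[:16]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def node_keys(master: bytes) -> dict:
    """Licensor side: derive a secret key for every node of the tree."""
    return {n: _prf(master, b"node:%d" % n) for n in range(1, NODES + 1)}


def device_key_set(tree: dict, device: int) -> dict:
    """Device i is issued the keys of every node on its leaf-to-root path."""
    n, keys = LEAVES + device, {}
    while n >= 1:
        keys[n] = tree[n]
        n //= 2
    return keys


def _leaves_under(n: int) -> set:
    if n >= LEAVES:
        return {n - LEAVES}
    return _leaves_under(2 * n) | _leaves_under(2 * n + 1)


def cover(revoked: set) -> list:
    """Complete-subtree cover: the maximal subtrees containing no revoked leaf."""
    out = []

    def walk(n):
        if not (_leaves_under(n) & revoked):
            out.append(n)
        elif n < LEAVES:
            walk(2 * n)
            walk(2 * n + 1)

    walk(1)
    return out


def build_mkb(tree: dict, media_key: bytes, revoked: set) -> list:
    """Licensor side: encrypt the Media Key under every key in the cover.
    A revoked leaf's ancestors are never in the cover, so none of its keys fit."""
    return [(n, _xor(media_key, _prf(tree[n], b"mkb"))) for n in cover(revoked)]


def process_mkb(mkb: list, my_keys: dict):
    """Device side: try each entry; a revoked device matches none and gets None."""
    for n, ciphertext in mkb:
        if n in my_keys:
            return _xor(ciphertext, _prf(my_keys[n], b"mkb"))
    return None


if __name__ == "__main__":
    tree = node_keys(b"toy licensor master secret")   # constructed
    media_key = bytes(range(16))                        # constructed
    old_mkb = build_mkb(tree, media_key, set())         # nothing revoked yet
    new_mkb = build_mkb(tree, media_key, {3})           # device 3 revoked
    for dev in (3, 5):
        print("device", dev,
              "old MKB:", process_mkb(old_mkb, device_key_set(tree, dev)) == media_key,
              "new MKB:", process_mkb(new_mkb, device_key_set(tree, dev)) == media_key)
```

Revoking one leaf out of eight turns the single root entry into three entries (nodes 4, 10 and 3), which is the price of implicit revocation: the MKB grows with the number of revoked devices, while the revoked device sees nothing but a list it cannot open.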

Boing99
12th April 2007, 12:53
First, about drive revocation: each Xbox 360 drive seems to have a different Drive ID (at least the two I've had a look at). So revocation of the complete "class" of Xbox 360 drives seems to be completely out of the question.

Not necessarily. The CRLs use ID ranges, and up to 65536 consecutive IDs can be revoked in a single entry, taking up only 8 bytes of space.

The point is that WinDVD8/HD is usually only available as an OEM version that comes with certain notebooks (apart from that infamous japanese standalone version).
So I suppose the above terminology simply refers to the fact, that the notebook manufacturers will be providing the update for download, being the OEM vendors.
Not sure though, what "or Drive" means exactly, but I'm quite certain, WinDVD/HD was bundled with a number of drives as well, so this would be the same then...

Simple and maybe disappointing :) explanation.

But somewhat comforting :). Makes sense, thanks.
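Boing99's two points above, that the Drive ID comes out of the drive certificate and that one 8-byte revocation-list entry can cover up to 65536 consecutive IDs, can be put together in a small range check. This is an added example for this thread, not code from the thread or from the AACS specification. The record layout used here (a 2-byte big-endian Range followed by a 6-byte drive ID, the entry revoking drive_id through drive_id + Range inclusive) is an assumption chosen to match the "8 bytes, up to 65536 IDs" description, and the list contents and drive IDs are constructed for the demo.

```python
"""Range-based Drive Revocation List check: one 8-byte entry revokes up to
65536 consecutive drive IDs, so per-unit IDs do not keep a whole drive model
out of the licensor's reach as long as its IDs were allocated as a block.

Added example, not code from the thread or the AACS spec. Assumed record
layout: 2-byte big-endian Range + 6-byte big-endian drive ID, revoking
drive_id .. drive_id + Range inclusive. All IDs below are constructed.
"""
import struct

RECORD = struct.Struct(">H6s")   # Range (uint16) + 6-byte ID = 8 bytes
ID_BITS = 48


def revoke_block(first_id: int, count: int) -> bytes:
    """Encode one entry covering `count` consecutive IDs starting at first_id."""
    if not 1 <= count <= 0x10000:
        raise ValueError("one entry covers 1..65536 IDs")
    if first_id + count - 1 >= 1 << ID_BITS:
        raise ValueError("range runs past the 48-bit ID space")
    return RECORD.pack(count - 1, first_id.to_bytes(6, "big"))


def parse_drl(blob: bytes) -> list:
    """Decode a list into (lo, hi) inclusive ranges; reject truncated input."""
    if len(blob) % RECORD.size:
        raise ValueError("truncated revocation list")
    ranges = []
    for rng, ident in RECORD.iter_unpack(blob):
        lo = int.from_bytes(ident, "big")
        ranges.append((lo, lo + rng))
    return ranges


def is_revoked(ranges: list, drive_id: int) -> bool:
    """What a cooperating host does with the ID taken from the drive certificate."""
    return any(lo <= drive_id <= hi for lo, hi in ranges)


def sample_drl() -> bytes:
    """Constructed list: one whole 65536-ID block (a hypothetical per-model
    allocation) plus a single per-unit ID, 16 bytes in total."""
    return revoke_block(0x123400000000, 0x10000) + revoke_block(0xA1B2C3D4E5, 1)


if __name__ == "__main__":
    ranges = parse_drl(sample_drl())
    print("entries:", len(ranges), "bytes:", len(sample_drl()))
    for did in (0x123400000000, 0x12340000FFFF, 0x123400010000, 0xA1B2C3D4E5):
        print(hex(did), is_revoked(ranges, did))
```

The check is only as good as the host that runs it, which is Boing99's other point: a ripping tool that never consults the list is unaffected, and a player that forgets the list on reinstall has no persistent revocation at all.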

Boing99
12th April 2007, 13:07
I think of this as "explicit" revocation because there are explicit "Revocation Lists" on the disc. There are three such lists and I don't think you should call them CRLs. "CRL" is defined in the specs as one of the three - the "Content Revocation List," while you are talking about the other two - the Drive Revocation List and the Host Revocation List.

Mmmh, ok... In the wider security community "CRL" usually means "Certificate Revocation List", which is what the Host and Drive revocation lists are and what I meant, but you are right, it looks like AACS-LA redefined that acronym to mean "Content Revocation List". Too bad, redefining acronyms only creates confusion...

lightshadow
12th April 2007, 13:51
Too bad, redefining acronyms only creates confusion...
It is part of the AACS DRM specs. =)

legoman666
12th April 2007, 20:44
http://it.slashdot.org/it/07/04/12/164228.shtml

heh.

arnezami
12th April 2007, 21:34
A few comments and answers:

Current AACS disks (at least those I have looked at) do have a KCD, and (at least some) standalone players have device key sets that require a KCD. That also means that the drives in those players have a modified firmware which allows reading the KCD, using undocumented CDBs. Incidentally, on at least some of the standalone players the drive firmware is modified even more heavily, e.g. to allow the player to read the volume ID and KCD without exchanging host/drive keys first :). The AACS specs already hinted at that, and it has been confirmed in real life.

FoxDisc: I agree with the fight not being over yet, but behind the scenes player software, drives and standalones have been penetrated by several people a LOT deeper than has been announced so far. No use in tipping AACS-LA off about the targets and methods quite yet, as long as disk backups can already be made with what has been published so far. Don't be surprised though if the stream of VUKs continues after the first AACS key revocation almost like before. We might even see the new processing key (assuming they still only use a single one for all disks) quite quickly.

The problem for AACS-LA and movie studios is that some hardware and software manufacturers have been sloppy in their protection systems while rushing products to market, so we are seeing drives and standalones that can be updated without public key code signing (X-Box add-on and others), software players that do not handle CRLs, software players with insufficient code armor, software players that keep keys lying around in memory etc. etc. Some of these mistakes are probably irrecoverable except possibly to some degree by using BD+ and SKB. Reverse-engineering is alive and well...

About SKB: I doubt we will see this before the end of the year, and even after that it will probably only be used in certain high-profile titles, because it would be a PITA for movie companies to use. Mastering movies without SKB is relatively simple, as most of the burden of MKB, revocation etc. lies with replicators, but with SKB the movie companies probably will have to do a lot more of the work. The question is: will movie companies continue to invest a lot more money, time, training etc. into a system which so far AACS-LA has not been able to demonstrate to be more effective in preventing copying than CSS, despite the huge effort put into it?

Also, if software players will continue to be penetrated as easily as they have been in the past then there is no point in SKB (except for the one-time effort required by authors of ripping tools to support it in their software), because all sold copies of the same version of a player share the same keys. The use of SKB would just shift the race to a slightly different playing field: can hackers extract device keys and sequence keys out of players more quickly than AACS-LA can revoke and renew them? My guess (assuming the HD formats continue to penetrate the market): most likely, yes. That would make the SKB system completely useless for AACS-LA, since all it would tell them shortly after each round of revocation is "Win/PowerDVD has been penetrated again." Doh :)

About drive revocation: I believe individual units can be revoked. It all depends on whether drive ids are assigned per unit or per model. The usual way to test is: if the drive id looks small and simple (like the host id in PowerDVD or WinDVD) then it was probably assigned per model. If it looks complex and irregular, like a serial number, then it is probably unique per drive. Mine looks like a serial number. You can find it in the drive certificate returned by the drive during an AACS key exchange. Just look at a packet trace. Of course, regardless, drive revocation does not affect ripping tools at all, only commercial players. And (at least some) standalones do not use drive keys at all, so their drives can never be revoked.

The PS3 drive does work under Linux (using either a UDF kernel patch or using ripping software that has UDF support built-in). However only file reading works, not the AACS key exchange, because that appears to be blocked by the Hypervisor. This means you will have to get the Volume ID with different hardware.

Very interesting and encouraging. :)

Btw: you are incredibly well informed when it comes to the workings of AACS. I love your precision and deep understanding of how things work. And your thoroughness makes you very trustworthy...

When the time is ready I would like to hear more about the efforts being made :).

Regards,

arnezami

PS. Personally I'm most "worried" about the time it would take to figure out both BD+ and Sequence Keys. I'm not impressed by BD+ itself (I think breaking it amounts to figuring out the "100 lines of code" for the VM and the BD+ keys hidden in a software player) but it will take time to iron things out (the first time they introduce it). I wonder btw if they would introduce both BD+ and Sequence Keys, since they both have an effect on small parts of the content and therefore are highly sensitive to implementation problems. It would be more advantageous to us if they would introduce them one by one. And it would (have) be(en) a joke if they just changed the MKB and HRL.

FoxDisc
12th April 2007, 21:53
When the time is ready I would like to hear more about the efforts being made :).

You are not the only one who would like to hear more when the time is right, but there is no hurry.

It comes as no surprise to hear that there is lots going on behind the scenes. One would have expected reverse engineering tools (Olly, Ida, Softice and friends) to have been heavily used against the software players, yet very little has leaked out about attacks from this direction that must be going on. It's all been USB sniffing, memory dumps and crypto known-text attacks.

xt5
14th April 2007, 06:40
Hi, sorry for being late to this party, but doom9's posting policy seems a little crap, because you can't post for the first 5 days after you get your account.

I'm very proud of the work of the people on this forum, intended to defeat DRM stuff, especially the latest advances of arnezami and Geremia :)

If you have a MATSHITA UJ-820B, UJ-822B, UJ-825, SW-9583, SW-9573, time, and you're an "advanced user", PM.

does anybody know what is the chipset of the PS3 ODD??

arnezami
14th April 2007, 07:34
Hi, sorry for being late to this party, but doom9's posting policy seems a little crap, because you can't post for the first 5 days after you get your account.

I'm very proud of the work of the people on this forum, intended to defeat DRM stuff, especially the latest advances of arnezami and Geremia :)

If you have a MATSHITA UJ-820B, UJ-822B, UJ-825, SW-9583, SW-9573, time, and you're an "advanced user", PM.

does anybody know what is the chipset of the PS3 ODD??

Welcome xt5 :).

And thanks again for your help.

If you have any issues/questions regarding AACS encryption stuff I'm your man ;).

Concerning the PS3 drive: I would be very interested to see if we can find a way to retrieve the fw for a PS3 drive. In my eyes there is a lot to be gained from that. The BD drive inside the PS3 is by far the most sold BD drive and running linux the Volume ID is currently not even accessible (blocked by the hypervisor). So there is a lot of "mystery" in this area.

I also understand from avs forums (http://www.avsforum.com/avs-vb/showthread.php?p=10290836&&#post10290836) (also here (http://www.avsforum.com/avs-vb/showthread.php?p=10291069&&#post10291069)) that MS may start talking to Toshiba about whether it's possible to do a patch on the HD DVD drive using the Xbox 360. If they were to do this it would be nice if we could prevent it: by looking at how it would normally detect the fw version and then changing the fw to make it look like it has already been patched (it may be more complicated than that of course, but it's probably good to take a look at).

Just so you know: in my opinion the ultimate goal when it comes to analyzing fw's is figuring out the way the KCD is stored on the disc (which may be very similar to the way the Volume ID is stored on the disc). If we were to figure this out we could teach our PC drives to act like a standalone KCD-enabled system. This would enable us to use the Device Keys from standalones to decrypt discs on our PCs. Btw: the KCD is simply a (16-byte) value to be retrieved from the disc, but only (certain) standalones can do this. This is not a short-term goal though, because it's probably a very time-consuming project.

Anyway keep up the good work :).

Regards,

arnezami

blutach
14th April 2007, 09:18
Hi, sorry for being late to this party, but doom9's posting policy seems a little crap, because you can't post for the first 5 days after you get your account.
Welcome to the forum. Sorry you feel that way, but those are our rules and they apply to everybody. I trust the world didn't stop turning while you waited and got to know us a bit better by lurking.

Again, welcome.

Regards

Geremia
14th April 2007, 12:22
Just so you know: in my opinion the ultimate goal when it comes to analyzing fw's is figuring out the way the KCD is stored on the disc (which may be very similar to the way the Volume ID is stored on the disc). If we were to figure this out we could teach our PC drives to act like a standalone KCD-enabled system. This would enable us to use the Device Keys from standalones to decrypt discs on our PCs. Btw: the KCD is simply a (16-byte) value to be retrieved from the disc, but only (certain) standalones can do this. This is not a short-term goal though, because it's probably a very time-consuming project.

arnezami

I'm just working on this, but have more trouble than expected, and I've still got a lot of code to trace, but at first look I'm thinking that they secured the system lead-in (not the data lead-in, I can read that) somehow, maybe with wrong ECC, maybe a different track pitch... something similar.

arnezami
14th April 2007, 12:34
I'm just working on this, but have more trouble than expected, and I've still got a lot of code to trace, but at first look I'm thinking that they secured the system lead-in (not the data lead-in, I can read that) somehow, maybe with wrong ECC, maybe a different track pitch... something similar.

This post/thread might also be interesting for your purpose.

http://forum.doom9.org/showthread.php?p=956065#post956065

Geremia
14th April 2007, 13:21
Oh yes, but my problem is about reading PSNs prior to about PSN 026B00 (I've not checked exactly, but ±100 this is the last PSN I can read backward); before that I get errors about mechanism/laser pointing.
Actually I'm looking at the READ CD command to see if I can raw-read something, but maybe the 01Fxxx PSNs don't have the same track/sector structure as PSN > 026B00... maybe I must go back to tracing the AD format 15 CDB (read CDS) and see if I can extend the area by simply poking RAM.

http://img95.imageshack.us/img95/8577/leadinij3.png

BTW, the data lead-in contains some data, some "MKB" text.

arnezami
14th April 2007, 13:28
Oh yes, but my problem is about reading PSNs prior to about PSN 026B00 (I've not checked exactly, but ±100 this is the last PSN I can read backward); before that I get errors about mechanism/laser pointing.
Actually I'm looking at the READ CD command to see if I can raw-read something, but maybe the 01Fxxx PSNs don't have the same track/sector structure as PSN > 026B00... maybe I must go back to tracing the AD format 15 CDB (read CDS) and see if I can extend the area by simply poking RAM.

http://img95.imageshack.us/img95/8577/leadinij3.png

BTW, the data lead-in contains some data, some "MKB" text.


This may be of interest and might explain this behaviour :):

On the other hand, HD-DVD offers a single capacity (15 GB) with a fixed pit length. This is actually not truly the case, because the pit length changes on a given HD-DVD disc: indeed, if the data area uses a minimum pit length of 204 µm, the so-called System Lead In and System Lead Out areas use a minimum pit length of 408 µm. The purpose of these half-density regions is all the more puzzling as these pits are even larger than the ones on a DVD-ROM, which is pretty strange for a blue laser disc. Toshiba hinted that this large pit size had been chosen to guarantee that this region will be readable even when pits are badly defined on the disc.

taken from here:

http://www.cdfreaks.com/reviews/Blu-ray-vs_-HD-DVD/Differences.html

arnezami

Geremia
14th April 2007, 13:32
wow :)
ehehehe
This clears all my suspicions, many thanks arnezami :)

So now I've only to see where this info is stored in RAM, and mainly what the value for double the pitch is... maybe simply double that value.

But damn, I've to go to work in half an hour :(

arnezami
14th April 2007, 13:38
wow :)
ehehehe
This clears all my suspicions, many thanks arnezami :)

So now I've only to see where this info is stored in RAM, and mainly what the value for double the pitch is... maybe simply double that value.

But damn, I've to go to work in half an hour :(

If I'm not mistaken the Volume ID is (somehow) stored in the system lead-in area. So tracing the Volume ID retrieval command should lead to something that can read this area. I guess... :)

Geremia
14th April 2007, 14:12
Yes, but actually I'm near the solution for reading all sectors, I just need to spot the right RAM address to patch for playing with track/pit density, but I can't do it before late tonight :(

arnezami
14th April 2007, 14:14
Yes, but actually I'm near the solution for reading all sectors, I just need to spot the right RAM address to patch for playing with track/pit density, but I can't do it before late tonight :(

ah. ok.

Jeremy Duncan
14th April 2007, 20:15
Link (http://news.digitaltrends.com/news_printerfriendly12663.html)

A lot of people have bought Xbox 360 HD DVD drives for their HTPC.
And now, because you have cracked it, they are going to break the compatibility the drive has with new movies.

They want you to post that you have done this crack successfully, then they will break the drive's compatibility.

How do you think they will make money if people stop buying their equipment to buy their movies?
People will stop buying Xbox drives to play movies on their HTPC, so will they buy external drives that have bloated prices?
No they won't.
So you've just cut out a major portion of the enthusiast market with the genius crack you've made.

Pelican9
14th April 2007, 20:21
Link (http://news.digitaltrends.com/news_printerfriendly12663.html)

A lot of people have bought Xbox 360 HD DVD drives for their HTPC.
And now, because you have cracked it, they are going to break the compatibility the drive has with new movies.

They want you to post that you have done this crack successfully, then they will break the drive's compatibility.

How do you think they will make money if people stop buying their equipment to buy their movies?
People will stop buying Xbox drives to play movies on their HTPC, so will they buy external drives that have bloated prices?
No they won't.
So you've just cut out a major portion of the enthusiast market with the genius crack you've made.
You are wrong. Read more about this thing.
Anyway, lots of people bought the Xbox HD DVD drive because it can play their legally bought movies without any restriction, thanks to these people here who are working on breaking AACS LA.

Jeremy Duncan
14th April 2007, 20:27
You are wrong. Read more about this thing.
Anyway, lots of people bought the Xbox HD DVD drive because it can play their legally bought movies without any restriction, thanks to these people here who are working on breaking AACS LA.

I'm not fully understanding your point ?
They will make the HD DVD drive for the Xbox 360 unable to play new movies on an HTPC.
You understand that point ?
Where is the freedom in that ?

Galileo2000
14th April 2007, 20:39
I'm not fully understanding your point ?
They will make the HD DVD drive for the Xbox 360 unable to play new movies on an HTPC.
You understand that point ?
Where is the freedom in that ?

You don't understand the point.

As long as the drive can be used to decrypt the HD DVD, old or new, their revocations are irrelevant and only will aggravate people.

If they start playing this game, first they will revoke 360 drive.

Then they will have to revoke Toshiba A1.

Then they will have to revoke Toshiba A2.

Then they will become irrelevant.

I really hope AACS is smarter than that. Stupid article suggesting future actions does not mean anything, but even if they go this path, like I said it is irrelevant.

It is not about 360 drive whatsoever. 360 drive just happened to be a handy tool. Any hardware player can be taken apart and reverse-engineered in terms of firmware / software.

HyperHacker
14th April 2007, 20:42
And we'll crack that too. :) We know all about the ability to revoke a drive. There are two ways to do it; hacked firmware makes one useless, and retrieving keys from other players makes the other useless.

Hey, good timing Galileo2000. :P

awhitehead
14th April 2007, 20:45
A lot of people have bought Xbox 360 HD DVD drives for their HTPC.
And now because you have cracked it, they are going to break the compatibility the drive has with new movies.


It seems like there might be a misinterpretation.
An optical disk drive is a mechanism that reads the contents of the optical disk and provides the bits recorded on the disk to the software to deal with: decrypt, decode, display, etc.

There exists a host revocation list on the drive, designed to tell the drive not to read the disk and not to provide the disk's contents to the host if the host runs software that is not approved or has been revoked.

With the discovery of undocumented debug commands in the Toshiba ODD firmware, we found that no matter what software is used to read the contents of the optical disk, regardless of whether it is revoked or not, we can always convince the drive to read the contents of the optical disk back to the host.

So the drive you bought will always read the disks you bought, regardless of whether anyone might decide to change that.

This is a consumer win, not a consumer loss.


They want you to post that you have done this crack successfully then they will break the drives compatibility.


The only way to "break compatibility" of a drive is to update the software on the host system so that it refuses to read the disk contents when the disk is inserted into the drive. Note that the drive will happily read the disk, but the software on the host will refuse to talk to the drive.

Don't you think that this is a problem with the software manufacturers (the InterVideos, CyberLinks and Neros of the world) and not with the drive? The drive works; they refuse to use it. Complain to them, please.


How do you think they will make money if people stop buying their equipment to buy their movies.
People will stop buying Xbox drives to play movies on their htpc, so will they buy external drives that have bloated prices ?


I realize your concern. You likely invested hundreds of dollars into your HD-DVD collection. I, too, bit the "Red Pill" and spent over a thousand dollars on the Xbox drive, a stand-alone Toshiba player, close to 20 HD disks, etc.

But there really is no cause for concern. How can you tell right now that HD-DVD will win, and Blu-Ray will not? Or that something will not supplant both HD-DVD and Blu-Ray in the future?

Recall, that video making is a business. The film makers film and studios sell us a dream. We, as consumers, choose to pay for it or not.

So if the studios and equipment makers make it too hard or too expensive for us to watch movies, we will obtain entertainment elsewhere (by going to a concert, game, restaurant or wenching) instead of giving them money.

Thus ultimately, if the studios want our money, they will provide us with the means and incentive to give the money to them.

So taking some control from the manufacturers of HD-DVD disks, and being able to read every byte on the disk you legitimately bought (recall that there are still no consumer HD-DVD-R drives), will not scare the studios away. They want our money. If we do not use their product, they do not make money. This is Capitalism 101.


No they won't.
So you've just cut out a major portion of the enthusiast market with the genius crack you've made.

As an enthusiast and an early adopter, you yourself expected, and are expected by the manufacturers, to overpay, as opposed to the late adopter. If I had wanted to buy a DVD player back when DVDs were just starting out, I'd have expected to spend a thousand dollars. Now I can get a DVD player with tons of features for as low as $25 (9.99 UK pounds). Being an early adopter does not guarantee that you will be able to play the format of your choice forever (actually you can right now, until your player gets revoked), nor does it guarantee that there will be new content generated in your format of choice (think about when you last saw a video out on Beta).

As for the enthusiast market.... I've lurked on AVSforum for 3 months. I am honestly convinced that most of the "enthusiast market" is a bunch of people who just want their movies to look good and have very low technical knowledge. Thus "enthusiasts" easily give in to fear, uncertainty and doubt, and repeat the marketing spin of people with a clue without understanding what is going on. That's why AmirM is spending hours on AVSforum telling people that Xbox is good, that no, there will be no problems with the Xbox HD-DVD drive, and no, there is no cause for concern. That's why there are paidgeeks and TalkStr8ts that tell you that no, HD-DVD is bad, the "breach" of the HD-DVD drive is the nail in the coffin of HD-DVD, and you should have bought Blu-Ray anyway. The problem is that marketing spin by people with a clue is paid for. They have an agenda. So always follow the money when you read things like this.

An example of the FUD spreading working is you: you came here making wild allegations about the end of the world for HD-DVD in general and the Xbox 360 HD-DVD drive in particular.

But you have no idea how the revocation works ("low technical knowledge amongst the enthusiasts"). You don't understand the political and economical realities of the situation. There really is no cause for alarm.

Specifically, to address your concern: if there is a new firmware update by Microsoft for Xbox-connected HD-DVD drives (as part of the May 7th update?), it would be a simple matter of flashing it into PC-connected HD-DVD drives, and life will go on as a result. You would be able to choose to flash the "stock" firmware, or the "modified" firmware that gives you, as a consumer, more rights.

Yes, it might be inconvenient for you as an end user. But nobody told the early adopters that the ride would not be rocky (and if someone did, they wanted your money and they lied).

So please don't spread even more fear, uncertainty and doubt. Don't do what the paid people want you to do. Otherwise we'll think that you are part of Project Hydra, and a Blu-Ray shill.

P.S. Personally, I think that what Geremia, xt5 and arnezami managed to do with the Xbox HD-DVD drive is amazing. What Muslix64 started is incredible. Our hats should be off to them, since what they do favors and empowers the consumer. Attacking them is both shameless and ungrateful, and in the end undermines your own consumer rights.

arnezami
14th April 2007, 21:23
Just some clarifications: the Volume ID retrieval protection system has been broken from the start. As early as February (http://forum.doom9.org/showthread.php?t=121866) I already made clear that it was ridiculously easy to retrieve a Volume ID. Basically it's a joke. Since then several other ways have been discovered to retrieve it.

The hack discussed in this thread only concerns a slightly easier way for owners of a 360 add-on drive to retrieve the Volume ID. That's it.

The fact that the press is making a huge fuss about it doesn't mean it's really that important (from an AACS perspective): people should actually read the first post of this thread and read what Geremia thought of the importance of this hack...

Sure. It was (from a technical perspective) quite a feat. And it opens some other doors. But it should not be blown out of proportion just because of some media journalists. If they do, they usually have an agenda or are simply ignorant. Believe me, I have seen so many incorrect reports about this (and earlier) hacks that I gave up hope on (most of) them.

arnezami

@awhitehead: you have said things very well. :)

Regarding muslix64: what he did was indeed incredible: he joined knowledge of audio/video formats (as in "patterns" in the audio/video format) with knowledge about encryption schemes (title keys and VUKs). I would like to meet another person who can bridge the gap which usually exists between those who know all about containers/demuxing etc. and those who know the intricate details of encryption schemes. But this is exactly what muslix64 did, by using patterns in decrypted audio/video output as a crib for possible title encryption keys :). Deep respect here... in fact he inspired me ;).
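
The crib technique described in the post above (try candidate keys pulled from a memory image, decrypt a little content with each, keep the key whose output has the structure real audio/video must have) can be shown in a small Go program. This is an added example for this page, not muslix64's or anyone else's actual tool. It assumes the public AACS content layout (each 2048-byte aligned unit keeps its first 16 bytes in the clear and encrypts the rest with AES-128-CBC under the title key and the constant AACS IV), and it assumes, for the constructed sample only, that the encrypted part of the captured sector begins with an MPEG-2 PES header. The title key, the sector and the "memory dump" are all constructed inline; nothing here comes from a real disc or player.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Constant IV used by AACS for content encryption (public, from the AACS spec).
var aacsIV = []byte{0x0b, 0xa0, 0xf8, 0xdd, 0xfe, 0xa6, 0x1f, 0xb3,
	0xd8, 0xdf, 0x9f, 0x56, 0x6a, 0x05, 0x0f, 0x78}

const (
	sectorSize  = 2048 // one AACS aligned unit
	clearPrefix = 16   // the first 16 bytes of each unit are left in the clear
)

// encryptSector models the AACS content layout: 16 clear bytes, then
// AES-128-CBC under the title key with the constant IV (no padding needed,
// 2032 is a multiple of the block size).
func encryptSector(key, plain []byte) ([]byte, error) {
	if len(plain) != sectorSize {
		return nil, fmt.Errorf("sector must be %d bytes, got %d", sectorSize, len(plain))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, sectorSize)
	copy(out, plain[:clearPrefix])
	cipher.NewCBCEncrypter(block, aacsIV).CryptBlocks(out[clearPrefix:], plain[clearPrefix:])
	return out, nil
}

// decryptHead decrypts only the first n bytes after the clear prefix; one AES
// block is enough to test a candidate key, which keeps the scan cheap.
func decryptHead(key, sector []byte, n int) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil
	}
	out := make([]byte, n)
	cipher.NewCBCDecrypter(block, aacsIV).CryptBlocks(out, sector[clearPrefix:clearPrefix+n])
	return out
}

// looksLikeMpeg2PES is the crib: MPEG-2 start code prefix 00 00 01 followed by
// a video (0xE0-0xEF) or private stream 1 (0xBD) stream id. Assumption of this
// example: the encrypted part of the sampled sector starts with such a header.
func looksLikeMpeg2PES(p []byte) bool {
	if len(p) < 4 || p[0] != 0x00 || p[1] != 0x00 || p[2] != 0x01 {
		return false
	}
	return p[3] == 0xBD || (p[3] >= 0xE0 && p[3] <= 0xEF)
}

// findTitleKey slides a 16-byte window over a memory image with the given
// stride, treats each window as a candidate AES-128 title key, decrypts one
// block of the captured sector and returns the first key whose plaintext
// matches the crib. A wrong key passes the crib with probability about
// 17/2^32 per window; checking a second sector would remove even that.
func findTitleKey(image, sector []byte, stride int) (key []byte, offset int, ok bool) {
	for off := 0; off+aes.BlockSize <= len(image); off += stride {
		cand := image[off : off+aes.BlockSize]
		if looksLikeMpeg2PES(decryptHead(cand, sector, aes.BlockSize)) {
			return append([]byte(nil), cand...), off, true
		}
	}
	return nil, -1, false
}

// buildScenario constructs the sample input (not captured from a real disc or
// player): a random title key, one sector whose encrypted part begins with a
// PES header for video stream 0, and a 64 KiB pseudo "memory dump" of random
// bytes with the key planted at keyOffset.
func buildScenario(keyOffset int) (key, sector, image []byte) {
	key = make([]byte, aes.BlockSize)
	rand.Read(key)
	plain := make([]byte, sectorSize)
	copy(plain, []byte{0x00, 0x00, 0x01, 0xBA}) // pack header sits in the clear prefix
	pes := []byte{0x00, 0x00, 0x01, 0xE0, 0x07, 0xEC, 0x81, 0xC0, 0x0A}
	copy(plain[clearPrefix:], pes)
	rand.Read(plain[clearPrefix+len(pes):]) // compressed video is close to random
	sector, _ = encryptSector(key, plain)
	image = make([]byte, 64*1024)
	rand.Read(image)
	copy(image[keyOffset:], key)
	return key, sector, image
}

func main() {
	key, sector, image := buildScenario(0x3A10)
	found, off, ok := findTitleKey(image, sector, 4)
	fmt.Printf("key found: %v at offset 0x%X, matches planted key: %v\n",
		ok, off, bytes.Equal(found, key))
}
```

The stride matters in practice: a real player keeps a key schedule or the raw key at some alignment, and a stride of 4 or 16 cuts the number of candidates by that factor compared with trying every byte offset. The same scan works for the VUK if the crib is applied one step further up the key ladder (decrypt the encrypted title key, then test the result against the content), which is the part of muslix64's work the post above refers to.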

blutach
15th April 2007, 00:28
@awhitehead - you need not have mentioned "hookers" to get your point across. Please consider rule 4.

Regards

Galileo2000
15th April 2007, 04:52
@awhitehead - you need not have mentioned "hookers" to get your point across. Please consider rule 4.

Regards

Hmm, too bad I missed this part.

lightshadow
15th April 2007, 16:52
@awhitehead - you need not have mentioned "hookers" to get your point across. Please consider rule 4.

I don't get it. If anyone should be corrected, it should be Jeremy Duncan. He violated rules 1, 1a, 2, 3 and 4, and showed a lack of respect for other people's work.

In regards to the word hooker, it is just one word taken out of a reply of 50 lines or so. In its context I find it appropriate and not offending. In fact anyone who gives such a good 50-line reply to an offending post like Jeremy Duncan's deserves the best.

awhitehead has contributed to making this DRM hack and its variants possible. Anyone who enjoys free rights and uses these hacks to defeat DRM now and in the future should either contribute to the project or help in other ways, e.g. by keeping the tone towards these people positive and motivational.

I think it is wrong to point fingers at awhitehead and not Jeremy Duncan.

I will not reply to any posts regarding this topic in this thread, as I think we should concentrate on hacking in this thread. But I thought it was important to stand up for what I think is right. PM me, and I will answer.

Geremia
15th April 2007, 18:30
I've bought a piece of hardware and some HD-DVD titles like you all.
You like watching high-def movies (at a lame 24fps with prehistoric 2:3 pulldown), I like to use what I own in a different manner.
You like to be passive about technology, I like to be active, that's all.


Got enough of finding the density in RAM; I've quick-patched the CDB AD format 15 to point to a different PSN, and this way I've read the ControlDS and the CopyrightDS. Well, the CopyrightDS is all 00 in both places (01E600 and 01FA00); it would be interesting to see the headers of these sectors too.

The ControlDS are equal in the first 3 sectors (PFI, DMI and CPI), while the second ControlDS has unreadable sectors in the "reserved" sectors (sectors 4 to 31).

blutach
15th April 2007, 23:04
@lightshadow - I'd be grateful if you left modding to the mod team please.

Regards