7th February 2007, 14:38 | #61
Registered User
Join Date: Sep 2006
Posts: 390
Quote:
There are essentially two ways of getting the VUK:
1) Use jokin's key finder while WinDVD is playing the movie (this may not work in the future)
2) Get the Volume ID and use a (still to be found) general Processing/Device key to get the VUK. (As long as a general key will be found for each MKB version this will pretty much always work.)
So in this thread we are talking about an alternative way of getting VUKs. But for now just use the keyfinder.
arnezami
Last edited by arnezami; 7th February 2007 at 14:41.
7th February 2007, 16:34 | #62
Registered User
Join Date: Apr 2004
Posts: 55
Quote:
Thanks for your time,
7th February 2007, 18:43 | #65
Registered User
Join Date: Sep 2006
Posts: 390
Quote:
Quote:
It does indeed seem that the sniffer has some bugs in it. Those (at some point) have to be removed (and it has to be stripped of not required stuff) or we could use a different one (or a software IDE sniffer?).
Last edited by arnezami; 7th February 2007 at 18:50.
7th February 2007, 19:42 | #67
Registered User
Join Date: Sep 2006
Posts: 390
Thanks to jokin.
Apollo 13:
Code:
Hex:   40 00 04 06 32 04 20 11 57 47 48 44 56 4D 00 00
Dec:         04 06 50 04 32 17
Ascii:                         W  G  H  D  V  M
Code:
Hex:   40 00 40 06 26 08 10 15 57 47 48 44 56 4D 00 00
Dec:         64 06 38 08 16 21
Ascii:                         W  G  H  D  V  M
Last edited by arnezami; 7th February 2007 at 20:17.
7th February 2007, 20:05 | #68
Registered User
Join Date: Jan 2007
Posts: 28
@arnezami
This is really minor, but I thought I should point out that there is an error in your Apollo 13 hex2dec conversion. 06 should be 06, not 05. Interesting to note that this one value is the same on both WGHDVM titles (aside from the WGHDVM values themselves).
7th February 2007, 20:18 | #69
Registered User
Join Date: Sep 2006
Posts: 390
Thanks melakai.
Some things I've noticed (when looking at these six numbers):
- The second number is very low (<= 6) and is the same for both
- The fourth number is also very low (<= 8)
- The sixth number is odd, all others are even
- The third number is somewhat higher than the last 5 numbers
- The first number has only 4's in it
I think we could use more of these to figure it out a little better.
Last edited by arnezami; 7th February 2007 at 20:27.
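The two records from post #67 and the observations in post #69 are easy to check mechanically. Below is an added Python example written for this page (not code from the thread, from jokin's key finder or from any other tool mentioned here). It assumes the record layout read off the posts: bytes 2..7 are the six "Dec" values, bytes 8..13 are the printable WGHDVM tag. It decodes both posted records, verifies that a hand-written Dec/Ascii row agrees with the hex (the kind of slip melakai caught in post #68), and evaluates the three observations that have an unambiguous arithmetic meaning; the two vaguer ones ("somewhat higher", "only 4's") are not encoded.

```python
# Added example (not from the thread): decode the 16-byte records arnezami
# posted and check the posted Dec/Ascii rows and the observed properties.

# The two records exactly as posted in post #67 (real data from the page).
APOLLO_13 = "40 00 04 06 32 04 20 11 57 47 48 44 56 4D 00 00"
SECOND_DISC = "40 00 40 06 26 08 10 15 57 47 48 44 56 4D 00 00"


def decode_record(hex_line):
    """Return (six_numbers, tag) for one 16-byte record.

    Layout is an assumption read off the posts: bytes 2..7 are the six values
    arnezami lists as 'Dec', bytes 8..13 are the printable tag ('WGHDVM');
    the remaining bytes (40 00 ... 00 00) are not interpreted here.
    """
    data = bytes.fromhex(hex_line)  # whitespace between byte pairs is ignored
    if len(data) != 16:
        raise ValueError(f"expected 16 bytes, got {len(data)}")
    numbers = list(data[2:8])       # bytes -> ints 0..255
    tag = data[8:14].decode("ascii")
    return numbers, tag


def verify_posted_rows(hex_line, dec_row, ascii_row):
    """True if a hand-written Dec row and Ascii row agree with the hex bytes.

    This is the check that catches a hex2dec slip like the one in post #68.
    """
    numbers, tag = decode_record(hex_line)
    posted_numbers = [int(tok, 10) for tok in dec_row.split()]
    posted_tag = "".join(ascii_row.split())
    return numbers == posted_numbers and tag == posted_tag


def check_observations(hex_lines):
    """Evaluate the unambiguous observations from post #69 over all records."""
    rows = [decode_record(h)[0] for h in hex_lines]
    return {
        # second number <= 6 and identical across records
        "second_at_most_6_and_shared": all(r[1] <= 6 for r in rows)
                                       and len({r[1] for r in rows}) == 1,
        # fourth number <= 8
        "fourth_at_most_8": all(r[3] <= 8 for r in rows),
        # sixth number odd, the other five even
        "sixth_odd_others_even": all(
            r[5] % 2 == 1 and all(v % 2 == 0 for v in r[:5]) for r in rows),
    }


if __name__ == "__main__":
    for name, rec in (("Apollo 13", APOLLO_13), ("second disc", SECOND_DISC)):
        numbers, tag = decode_record(rec)
        print(f"{name}: numbers={numbers} tag={tag}")
    print(check_observations([APOLLO_13, SECOND_DISC]))
```

Adding a third record is a matter of appending its hex string to the list passed to `check_observations`; any observation that stops holding shows up as `False`, which is the "more examples" test arnezami asks for.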
7th February 2007, 20:28 | #70
Registered User
Join Date: Dec 2002
Posts: 86
I think it's just an acronym that they use on their discs, it doesn't even have to mean anything.
As long as you can still sniff them out anyway, why not try and break something else more important instead. Try and get the device keys (or is it host keys?) from the software players to start with and then go on from there. If all xbox players have the same device keys and you can manage to extract it, that would be a big step forward.
edit: btw, how many iterations would it take to bruteforce the discs with the WGHDVM? Can't be that many, like (2^3)^6 possible values, that's no work at all.
Last edited by SBeaver; 7th February 2007 at 20:34.
7th February 2007, 20:32 | #71
Registered User
Join Date: Sep 2006
Posts: 390
Quote:
7th February 2007, 20:53 | #72
Registered User
Join Date: Dec 2002
Posts: 86
If someone has a volume id decrypted and encrypted, and just says how to check if it's correct (that's done through hashing if I understand correctly), I could try to fiddle around with it in some mathematics software and benchmark and try to refine the way to get the number with as few iterations as possible while keeping it functional.
I'm doing a lot of this stuff at university right now and this would be a lot more interesting to try. If the different manufacturers all use different naming schemes, it's likely they also have some other thing on their discs that is unique to only them which could make for a good detection system, unless the manufacturer differences are only between the different movie companies, in which case you can just select the manufacturer in a list and the app selects the best way to bruteforce the key. Since this key still isn't very useful maybe it doesn't matter but it's a fun exercise still.
edit: btw I made an edit in the above post
7th February 2007, 23:03 | #73
Registered User
Join Date: Dec 2006
Posts: 202
Before people spend any more time on this ... as can be read from the documents and follows from the fact that you can 'sniff' the data from the USB, the Volume ID is exchanged unencrypted between the drive and the player. Hence getting hold of the Volume ID is not an issue ... please focus on the means to get from the Volume ID to the VUK ... just my 2 cents ...
8th February 2007, 03:11 | #74
Registered User
Join Date: Jan 2007
Posts: 7
I'm a little confused if this line of attack will be a massive gain.
Essentially it seems that by finding the device key you will be able to get the volume key directly without the need to do a memory dump while the player is playing it. However, if AACS take action against the compromised player they should start issuing new discs with an MKB file that does not contain the Media Key encrypted with the compromised player's device key. Therefore the player could try and play the media but it would not be able to decrypt it. Likewise any decryption utility using that device key would fail.
It got me thinking about what is in a Media Key Block file. Presumably AACS have generated all the device keys for all future players and when a new player is developed the AACS will release a key to that player. Also all discs (and all discs that have been made in the past) must have their media keys encrypted with the total set of device keys. However the moment that a player is "revoked" then that device key is not used to encrypt future media keys.
In saying that, it may take a long time for a key to get revoked. And the creation of a utility that can get the Volume Key without using a player would be nice as you don't need a VUK finder program. Don't want to discourage, just want to check if my reasoning is right.
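The revocation argument in the post above can be made concrete with a small model. The Python below is an added example written for this page, not code from the thread or from any AACS implementation. It is deliberately simplified: the real MKB distributes the Media Key through a subset-difference tree over device keys and uses AES, whereas this model keeps a flat table with one encrypted copy of the Media Key per player and a toy XOR cipher keyed by SHA-256. The verification constant, player names and keys are all constructed here. What it demonstrates is exactly the point made above: a disc pressed before a revocation still plays on the revoked player, a disc pressed afterwards simply carries no record that player's key can open, and a player holding the wrong key recovers garbage that fails the verification step.

```python
# Added example (not from the thread): a simplified model of Media Key Block
# processing and of what revoking one player's device key changes.
# Real AACS: subset-difference tree + AES. Here: flat per-player table + toy XOR.
import hashlib


def toy_encrypt(key, data):
    """Toy XOR 'cipher' keyed by SHA-256(key). Demo only; stands in for AES."""
    stream = hashlib.sha256(key).digest()
    if len(data) > len(stream):
        raise ValueError("toy cipher handles at most 32 bytes")
    return bytes(a ^ b for a, b in zip(data, stream))


toy_decrypt = toy_encrypt  # XOR is its own inverse

# Constant encrypted under the media key so a player can confirm it recovered
# the right key (constructed stand-in for the MKB's verification record).
VERIFY_CONSTANT = b"MKVERIFY"


def build_mkb(media_key, device_keys, revoked):
    """Author an MKB: one encrypted copy of the media key per non-revoked player."""
    records = {dev_id: toy_encrypt(dk, media_key)
               for dev_id, dk in device_keys.items() if dev_id not in revoked}
    return {"records": records,
            "verify": toy_encrypt(media_key, VERIFY_CONSTANT)}


def process_mkb(mkb, dev_id, device_key):
    """Player side: recover the media key, or None if revoked or the key is wrong."""
    record = mkb["records"].get(dev_id)
    if record is None:
        return None  # no record for us: disc authored after our revocation
    candidate = toy_decrypt(device_key, record)
    if toy_decrypt(candidate, mkb["verify"]) != VERIFY_CONSTANT:
        return None  # decrypted garbage: wrong device key
    return candidate


def demo():
    """Constructed keys, derived deterministically so the run is reproducible."""
    device_keys = {
        f"player-{i}": hashlib.sha256(f"toy-device-key-{i}".encode()).digest()[:16]
        for i in range(4)
    }
    disc_a_key = hashlib.sha256(b"toy-media-key-disc-A").digest()[:16]
    disc_b_key = hashlib.sha256(b"toy-media-key-disc-B").digest()[:16]
    mkb_a = build_mkb(disc_a_key, device_keys, revoked=set())         # pressed before any revocation
    mkb_b = build_mkb(disc_b_key, device_keys, revoked={"player-2"})  # pressed after player-2 is revoked
    return {
        # old disc keeps playing everywhere, including on the later-revoked player
        "disc_a_plays_everywhere": all(
            process_mkb(mkb_a, d, k) == disc_a_key for d, k in device_keys.items()),
        # new disc: the revoked player finds no usable record
        "disc_b_on_player_2": process_mkb(mkb_b, "player-2", device_keys["player-2"]),
        # new disc: every other player still recovers the media key
        "disc_b_on_others": all(
            process_mkb(mkb_b, d, k) == disc_b_key
            for d, k in device_keys.items() if d != "player-2"),
        # a player using another player's key fails the verification check
        "wrong_key_rejected": process_mkb(mkb_a, "player-1", device_keys["player-0"]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The model also shows why revocation is a slow lever: it only bites for discs authored after the MKB was updated, and every disc already pressed keeps working on the revoked player, which is the "all discs that have been made in the past" point raised above.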
8th February 2007, 08:08 | #75
Registered User
Join Date: Sep 2006
Posts: 390
Quote:
Of course there are also problems with this technique:
An even more ambitious approach would be to retrieve both the Processing Key and the Host private key (of a software player). That way we wouldn't even have to sniff Volume IDs anymore. But keep in mind that hosts are subject to revocation as well and this is even harder for the hacker.
Hope I cleared it up a bit.
Regards,
arnezami
Last edited by arnezami; 8th February 2007 at 23:14.
8th February 2007, 08:22 | #76
Resident DRM Hater
Join Date: Oct 2006
Location: International waters
Posts: 242
Quote:
jokin, you blanked out some of the hex in your screenshot, but not the ASCII that goes with it. It wouldn't be difficult to figure out what the hex was from the ASCII, since this editor doesn't appear to ignore characters 00-1F and 7F-FF.
Because Moogles pwn.
8th February 2007, 09:01 | #77
Dwight Schrute's homeboy
Join Date: Jan 2007
Location: The Office
Posts: 136
Quote:
8th February 2007, 11:32 | #78
Registered User
Join Date: Dec 2002
Posts: 86
OK, I counted without the 06, but I still typed the wrong number.
Anyway, that, combined with patterns of the code, like all numbers are under 70 or something. I googled to check and found this: "Swiss-based Ph.D. Student Solves 48-bit Key in RSA Data Security's Secret-Key Challenge; Search rate by 3,500 computers reaches 1.5 trillion keys per hour". Note that this was from 1997.
8th February 2007, 11:44 | #79
Registered User
Join Date: Sep 2006
Posts: 390
Quote:
But we need more examples for that!
8th February 2007, 22:34 | #80
Registered User
Join Date: Jan 2007
Posts: 7
Thanks arnezami, that's a good answer and covers a lot of the things I didn't think of, like the idea of finding the host private key. Maybe it will be easier to find as it's a bit bigger and may be stored very close in memory to the host public key (which should be viewable in the USB sniff).