9th February 2007, 11:30 | #81
arnezami
I think I've found the Volume ID of a Blu-Ray disc. Well, it's from a memdump of WinDVD playing Lord of War.

Anyway here it is:

Code:
Length Code: 00 22 00 00 
Volume ID:   9F A6 47 7B B0 10 30 A5 63 7F 36 E1 9D C4 ED 11 
MAC:         xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx
As you can see this is properly random and not at all guessable. I'm not sure if it's possible the Volume ID is encrypted here, because then the 00 22 00 00 would probably have been encrypted too (although the protocol might not allow that). Not sure. My gut says it's not encrypted. We can check this though if we have two dumps of the same disc (but the second dump after a restart of WinDVD) and compare the Volume IDs. They should be the same.

Because it has no 40 00 in it (like with HD DVDs) it's much harder to find in a memdump, but sniffing should be easier (searching for "00000000: 00 22 00 00"). But if you have a Blu-Ray burner and have a memdump of WinDVD you can try to hex search for 00 22 00 00. You will find many occurrences of that but only one with 32 random bytes behind it (= Volume ID + MAC). That's the way I found it anyway (I mainly looked at the ASCII part when pressing F3 so I could quickly see if it was followed by random bytes. I found it around offset 4ABxxx but it could vary: between 300000 and 500000 would be my guess).

Something different. Regarding Device Keys. Could some people count the number of 0xx.fcl files their PowerDVD version has? (where xx are sequenced numbers) I suspect the newer versions have more of them. This is still a "feeling" but it could be interesting (it's possible the new PowerDVD version got a different set of Device Keys already...)

Back to hunting

Regards,

arnezami

PS. I just found out my Xbox 360 HD DVD is not capable of Bus Encryption. If you do a text search in your sniff log on "00000000: 00 72" you'll find two occurrences. The one with 01 (not 02) at offset 0x18 (the byte shown as 01 in the dump below) is the Drive Certificate. The byte right next to it should be 00; if not then you're screwed, otherwise you will always be able to sniff Volume IDs. Here is mine:

Code:
00000000: 00 72 00 00 xx xx xx xx xx xx xx xx xx xx xx xx
00000010: xx xx xx xx xx xx xx xx 01 00 00 5c xx xx xx xx
Be careful with posting this stuff. If you are not, you could reveal your drive ID. Btw. if you have a PC drive and a memdump you may be able to find it using a hex search for 00720000 or 0100005C or 0101005C (but there are either lots or none of those so it's hard).

PPS. Apparently WinDVD isn't capable either. Seems they really haven't implemented Bus Encryption yet.

Last edited by arnezami; 15th March 2007 at 19:38.
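The two searches this post describes (a 00 22 00 00 length code followed by 32 random-looking bytes, read as Volume ID + MAC, and a 00 72 00 00 record whose byte at offset 0x18 is 01 for the Drive Certificate with the Bus Encryption byte right after it), as an added example in Go that is not part of the original post. It runs over a constructed stand-in for a memdump: the Volume ID bytes are the ones quoted above, while the MAC, the filler and both certificate records are made up. The randomness rule (no run of four equal bytes, at least 20 distinct values in the 32) is an assumption standing in for the by-eye check in the ASCII column.

```go
package main

import (
	"bytes"
	"encoding/hex"
	"fmt"
)

// The two 4-byte prefixes the post searches for in a WinDVD memdump or a
// USB sniff log: 00 22 00 00 in front of a Volume ID + MAC (16 + 16 bytes)
// and 00 72 00 00 in front of a certificate record.
var (
	volumeIDLenCode = []byte{0x00, 0x22, 0x00, 0x00}
	certLenCode     = []byte{0x00, 0x72, 0x00, 0x00}
)

// looksRandom turns the post's by-eye test into a rule: no run of 4 identical
// bytes and at least 20 distinct values. Both thresholds are assumptions.
func looksRandom(b []byte) bool {
	seen := map[byte]bool{}
	run := 1
	for i, c := range b {
		seen[c] = true
		if i > 0 && c == b[i-1] {
			run++
			if run >= 4 {
				return false
			}
		} else {
			run = 1
		}
	}
	return len(seen) >= 20
}

// VolumeIDCandidate is one 00 22 00 00 hit whose next 32 bytes pass
// looksRandom: the post reads them as Volume ID (16) followed by MAC (16).
type VolumeIDCandidate struct {
	Offset   int
	VolumeID []byte
	MAC      []byte
}

// findVolumeIDs visits every 00 22 00 00 occurrence and keeps only the ones
// followed by random-looking bytes, discarding the many zero-filled hits.
func findVolumeIDs(dump []byte) []VolumeIDCandidate {
	var out []VolumeIDCandidate
	pos := 0
	for {
		i := bytes.Index(dump[pos:], volumeIDLenCode)
		if i < 0 {
			return out
		}
		off := pos + i
		start := off + len(volumeIDLenCode)
		if start+32 <= len(dump) && looksRandom(dump[start:start+32]) {
			out = append(out, VolumeIDCandidate{off, dump[start : start+16], dump[start+16 : start+32]})
		}
		pos = off + 1
	}
}

// CertInfo is what the post reads off a 00 72 00 00 record: the byte at
// offset 0x18 (01 = Drive Certificate, 02 = the other certificate in the log)
// and the byte at offset 0x19, which the post says is 00 for a drive that
// does not do Bus Encryption.
type CertInfo struct {
	Offset        int
	CertType      byte
	BusEncryption bool
}

func findCerts(dump []byte) []CertInfo {
	var out []CertInfo
	pos := 0
	for {
		i := bytes.Index(dump[pos:], certLenCode)
		if i < 0 {
			return out
		}
		off := pos + i
		if off+0x1a <= len(dump) {
			if t := dump[off+0x18]; t == 0x01 || t == 0x02 {
				out = append(out, CertInfo{off, t, dump[off+0x19] != 0x00})
			}
		}
		pos = off + 1
	}
}

// sampleDump builds a constructed stand-in for a memdump: zero filler, a decoy
// 00 22 00 00 followed by zeros, the Volume ID from the post with a made-up
// MAC, and two made-up certificate records (type 01 without Bus Encryption,
// type 02 with the flag set).
func sampleDump() []byte {
	vid, _ := hex.DecodeString("9fa6477bb01030a5637f36e19dc4ed11") // from the post
	mac, _ := hex.DecodeString("0123456789abcdeffedcba9876543210") // constructed
	cert := func(filler, certType, busEnc byte) []byte {
		r := append([]byte{}, certLenCode...)
		r = append(r, bytes.Repeat([]byte{filler}, 20)...)
		r = append(r, certType, busEnc, 0x00, 0x5c) // the "01 00 00 5c" bytes of the post
		return append(r, bytes.Repeat([]byte{filler}, 8)...)
	}
	d := bytes.Repeat([]byte{0x00}, 64)
	d = append(d, volumeIDLenCode...)
	d = append(d, bytes.Repeat([]byte{0x00}, 32)...) // decoy hit
	d = append(d, volumeIDLenCode...)
	d = append(d, vid...)
	d = append(d, mac...)
	d = append(d, cert(0x5a, 0x01, 0x00)...)
	d = append(d, cert(0x3c, 0x02, 0x01)...)
	return append(d, bytes.Repeat([]byte{0x00}, 32)...)
}

func main() {
	dump := sampleDump()
	for _, c := range findVolumeIDs(dump) {
		fmt.Printf("Volume ID at 0x%06X: %X  MAC: %X\n", c.Offset, c.VolumeID, c.MAC)
	}
	for _, c := range findCerts(dump) {
		fmt.Printf("cert type %02X at 0x%06X, bus encryption: %v\n", c.CertType, c.Offset, c.BusEncryption)
	}
}
```

To use it on a real dump, replace sampleDump with the file contents; on the constructed input only the second 00 22 00 00 hit survives the randomness rule, which is the point of the post's "32 random bytes behind it" filter.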
9th February 2007, 21:00 | #82
jkenzie
Quote (originally posted by arnezami):
Something different. Regarding Device Keys. Could some people count the number of 0xx.fcl files their PowerDVD version has? (where xx are sequenced numbers) I suspect the newer versions have more of them. This is still a "feeling" but it could be interesting (it's possible the new PowerDVD version got a different set of Device Keys already...)

My version has two. .000 and .001. What new version are you speaking of?
10th February 2007, 06:51 | #83
arnezami
Quote (originally posted by jkenzie):
My version has two. .000 and .001. What new version are you speaking of?
Only two. Hmmm... So not 23 or 27. Interesting... What's their size: roughly 630 bytes each?

I ask because a full set of Device Keys would have 31 + 30 + 29 + ... + 1 =~ 500 Keys. So that would require 500 x 16 =~ 8000 bytes. Now they could do without certain Keys and only give 31 Keys (or even a little less), but that would mean that when two non-adjacent Players are revoked this PowerDVD version has to get new Keys by default, because it wouldn't have keys for sub-trees. Hard to explain quickly.

Of course this is only relevant if these fcl files indeed contain the Device Keys, that is.

Do you have Power DVD 6.5 or 7.1 or 7.2 installed?

Last edited by arnezami; 10th February 2007 at 07:47.
10th February 2007, 07:02 | #84
jkenzie
Some interesting things about the 001.fcl file.
I noticed the original file date was 9/21/2006 from an install I had on a separate partition, but it had recently been modified in my main install. It showed a date of 2/5/2007.
The files were in fact different, but not by much; it was actually smaller than the original.
Every time you put in a new movie it writes to the 001.fcl.
10th February 2007, 07:05 | #85
jkenzie
I have both 7.1 and 7.2 installed
000.fcl is 14KB
001.fcl is 19KB
both versions
10th February 2007, 07:36 | #86
arnezami
Quote (originally posted by jkenzie):
Some interesting things about the 001.fcl file.
I noticed the original file date was 9/21/2006 from an install I had on a separate partition, but it had recently been modified in my main install. It showed a date of 2/5/2007.
The files were in fact different, but not by much; it was actually smaller than the original.
Every time you put in a new movie it writes to the 001.fcl.
Hmm. Interesting. Thanks. A few questions:

- Are you sure it's every time you put in a new movie? Not every time PowerDVD gets new keys from the internet? Can you re-install and insert a new movie (for that new installation) and check whether the file(s) has/have changed? What movies do change it? Does it change only once or with every new movie?
- How many versions do you know of?
- Is 000.fcl still original?
- Is there any difference in behaviour between 7.1 and 7.2 in this matter?
- What do you mean by "not by much": how many bytes of difference are we talking about and where? Are you talking about a difference in the content or just the size? Are they different in content?

General question: does anybody have an (old) PowerDVD version that doesn't support HD/BD playback? Does it also have *.fcl files?

Thanks.

arnezami

PS. It's possible they have given a separate Key Set for BD. Which means two full sets would need roughly 16kb.
PPS. It might be possible Power DVD is removing Device Keys it knows it will never need (which it can see from the MKB on the first disc it sees) which might explain the "shrinking" here.

Last edited by arnezami; 10th February 2007 at 08:02.
10th February 2007, 08:20 | #87
arnezami
Making a perfect (but encrypted) backup

I've got a related idea.

It just may be possible to create a perfect (but still encrypted) backup which is still playable. It would require re-encrypting the title key file and MAC-ing it (with a new VUK). This new VUK would derive from the Volume ID of a re-writable (here lies the possible problem) and the unchanged Media Key (derived from the MKB).

To test if this even could work somebody with a HD DVD burner (and maybe a usb connected HD DVD drive) would have to try the following:

- Burn all (still encrypted) files to the new rewritable disc (do a bit-for-bit copy)
- Put it in a (preferably usb) HD DVD drive (and with usb turn on the sniffer) and start a software player (btw the movie won't play)
- See if the log contains a Volume ID (or if you don't have it USB connected and can't use the sniffer: if it's in Jap WinDVD's memdump, see page 1 of this thread for instructions but leave out the 40 00 part like with Blu-Ray). If so it just might be possible...

It's entirely possible the disc is first somehow checked to see if it's a pre-recorded one (e.g. the drive missing the HRL in the lead-in area: or does the bit-for-bit copy that too? or something in the so called "system lead-in") which ends the story right away. But it's worth a try I think.

arnezami

Last edited by arnezami; 10th February 2007 at 14:55.
10th February 2007, 09:07 | #88
jkenzie
It's hard to tell when it is actually changing the file. This is the original file header:
Code:
00000000   43 4C 46 43 4C 30 30 31  01 00 00 00 00 00 00 00  01 00 00 00 00 00 00 00  00 03 01 05   CLFCL001                    
0000001C   00 06 00 00 00 02 01 00  00 07 00 00 00 00 00 00  00 00 00 00 00 08 00 00  00 00 00 02                               
00000038   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  00 00 00 00                               
00000054   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  00 00 00 00 30 30                                          00
If I overwrite my 001.fcl file with the original, as I play the first disc, it changes to this. With no other changes to the file.

Code:
00000000   43 4C 46 43 4C 30 30 31  01 00 00 00 00 00 00 00  01 00 00 00 00 00 00 00  00 03 01 05   CLFCL001                    
0000001C   00 06 00 00 00 03 01 05  00 07 00 00 00 00 00 00  00 00 00 00 00 08 00 00  00 00 00 02                               
00000038   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  00 00 00 00                               
00000054   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  00 00 00 00 30 30                                          00
My current version looks like this but is also 1576 bytes smaller
Code:
00000000   43 4C 46 43 4C 30 30 30  01 00 00 00 00 00 00 00  01 00 00 00 00 00 00 00  00 07 00 06   CLFCL000                    
0000001C   00 06 00 00 00 02 00 05  00 07 00 00 00 00 00 00  00 00 00 00 00 08 00 00  00 00 00 02                               
00000038   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  00 00 00 00                               
00000054   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  00 00 00 00 20 20
10th February 2007, 09:59 | #89
arnezami
@jkenzie (or anybody else who has PowerDVD): could you try the following:

Open the 001.fcl file in WinHex (make a backup first) and see if there is any random stuff in it (I suspect the bulk is random, is it?). Now change one byte in that area and try whether PowerDVD will play a movie. And try changing the file at different places (but only change at most one byte compared to the backup) and see what happens.

This could pin-point the exact position of the Device Keys used. But it's possible there is some kind of checksum which disables this technique. If it works all the time then I suspect there are no Device Keys in it at all.
10th February 2007, 10:52 | #90
mrazzido
I have a BD burner; I made a complete image of an encrypted movie, burning the BD now on RW, 30 mins to go :-). I'll try WinDVD then and see what the memdump says.

Last edited by mrazzido; 10th February 2007 at 10:56.
10th February 2007, 11:13 | #91
arnezami
Quote (originally posted by mrazzido):
I have a BD burner; I made a complete image of an encrypted movie, burning the BD now on RW, 30 mins to go :-). I'll try WinDVD then and see what the memdump says.
If you can't find the Volume ID easily you may want to try to find the VUK using ape's hd-dvd volume key finder or use jokin's while WinDVD is running (there is also a possible timing issue: when WinDVD sees it's a corrupt disc it may remove all information from memory or even crash; if that happens then just before that the dump has to be made). And see if it finds the VUK (which almost certainly is different from the one retrieved from the original disc)...

[edit] Sorry you need the bluray key finder of course... (but it checks for title/CPS keys so i'm not sure if this is a good test. Well maybe..)

Last edited by arnezami; 10th February 2007 at 11:27.
10th February 2007, 12:01 | #92
mrazzido
I tried to start the decrypted movie with WinDVD; WinDVD crashed after pushing start. WinDVD tries to load the movie (the drive is working), then 2 sec later it crashed.
10th February 2007, 12:32 | #93
arnezami
Quote (originally posted by mrazzido):
I tried to start the decrypted movie with WinDVD; WinDVD crashed after pushing start. WinDVD tries to load the movie (the drive is working), then 2 sec later it crashed.
I think there are several possibilities here. One (relatively easy) way would be to install Visual C++ (just an example). After starting Visual C++ and then pushing the start button in WinDVD, it (= MSDEV.exe, which should be in memory) will intercept the crashing application and ask if you want to debug the application. At that moment (before clicking 'OK' on the pop-up) you can do a memdump of WinDVD.

There are probably many other ways (maybe somebody else can give suggestions) but this will most likely work fine.

It's interesting it actually crashes because that could mean we really fooled it (which is good news).

Last edited by arnezami; 10th February 2007 at 12:41.
10th February 2007, 14:10 | #94
mrazzido
PowerDVD says this movie is AACS encrypted, can't play the movie.
10th February 2007, 14:22 | #95
arnezami
Quote (originally posted by mrazzido):
PowerDVD says this movie is AACS encrypted, can't play the movie.
That sounds right. The movie is encrypted and the current volume ID (which is unknown for the moment) and Media Key won't produce a VUK that decrypts the Title Key file correctly.

In order to make this completely work we need to know (1) if the VUK is calculated at all (2) what that VUK is (3) encrypt the decrypted Title Key file with this new VUK (4) change the iso with the new Title Key file bytes (5) burn the new iso.

Keep in mind we are still at step 1 and 2.

But for the moment it appears the Software player notices that decrypting the Title keys (with the "strange" VUK) isn't working. Which is correct since we haven't changed the Title Key file yet.

In order to get any further we need to know if the Volume ID is extracted (which could be a sign that 1 is working) or extract the VUK directly (which solves 1 and 2). But we can only do that with either a sniff log or a memdump.

It might be possible to do a memdump (or use the key finder) during the 2 seconds you mentioned. It's tricky though... The best way is to let the crash be intercepted.
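The key dependency that post #87's idea and the explanation above both rest on (the copy's Volume ID with the unchanged Media Key yields a VUK that no longer decrypts the title keys, so the title key file has to be re-encrypted under the new VUK, steps 2 and 3 of the list above), as an added example in Go that is not from the thread. It uses the AACS definitions Kvu = AES-G(Km, Vid) and AES-G(k, x) = AES-128D(k, x) XOR x. The title key entry is simplified to one AES block encrypted under Kvu and the MAC step is left out; that is an assumption for the example, since the thread does not show the title key file layout. The Media Key and Volume ID are the values quoted in the thread (from different discs, used here only as sample bytes); the rewritable's Volume ID and the title key are made up. Whether a burned disc produces a usable Volume ID at all is the open question of the thread and is not answered by the code.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/hex"
	"fmt"
)

// aesG is the AACS one-way function AES-G(k, x) = AES-128D(k, x) XOR x.
// Key and block are both 16 bytes.
func aesG(key, x []byte) []byte {
	c, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, aes.BlockSize)
	c.Decrypt(out, x)
	for i := range out {
		out[i] ^= x[i]
	}
	return out
}

// volumeUniqueKey derives the VUK the thread talks about: Kvu = AES-G(Km, Vid).
// Same Media Key plus a different Volume ID gives a different Kvu.
func volumeUniqueKey(km, vid []byte) []byte {
	return aesG(km, vid)
}

// encryptTitleKey / decryptTitleKey model one title key file entry as a single
// AES-128 block under Kvu. Assumption for the example: the real layout (and
// the MAC the post mentions) is not shown in the thread.
func encryptTitleKey(kvu, kt []byte) []byte {
	c, err := aes.NewCipher(kvu)
	if err != nil {
		panic(err)
	}
	out := make([]byte, aes.BlockSize)
	c.Encrypt(out, kt)
	return out
}

func decryptTitleKey(kvu, encKt []byte) []byte {
	c, err := aes.NewCipher(kvu)
	if err != nil {
		panic(err)
	}
	out := make([]byte, aes.BlockSize)
	c.Decrypt(out, encKt)
	return out
}

// rekeyTitleKey is steps (2) and (3) of the post: recover Kt with the Kvu of
// the original disc, then encrypt it again with the Kvu that the unchanged Km
// yields for the rewritable disc's Volume ID.
func rekeyTitleKey(km, origVid, newVid, encKt []byte) []byte {
	kt := decryptTitleKey(volumeUniqueKey(km, origVid), encKt)
	return encryptTitleKey(volumeUniqueKey(km, newVid), kt)
}

func mustHex(s string) []byte {
	b, err := hex.DecodeString(s)
	if err != nil {
		panic(err)
	}
	return b
}

// Sample inputs: the Media Key and Volume ID quoted in the thread (different
// discs, only used as bytes here), a made-up Volume ID for the rewritable and
// a made-up title key.
var (
	km      = mustHex("074e1fc88fb9b780a225caa23bc3db56") // posted Media Key
	origVid = mustHex("9fa6477bb01030a5637f36e19dc4ed11") // posted Volume ID
	newVid  = mustHex("00112233445566778899aabbccddeeff") // constructed
	kt      = mustHex("cafebabedeadbeef0011223344556677") // constructed
)

func main() {
	encKt := encryptTitleKey(volumeUniqueKey(km, origVid), kt)
	newKvu := volumeUniqueKey(km, newVid)
	// What the player sees on a bit-for-bit copy: old ciphertext, new Kvu.
	fmt.Printf("copy, untouched title key file: %X (is Kt: %v)\n",
		decryptTitleKey(newKvu, encKt), bytes.Equal(decryptTitleKey(newKvu, encKt), kt))
	rekeyed := rekeyTitleKey(km, origVid, newVid, encKt)
	fmt.Printf("copy, re-keyed title key file:  %X (is Kt: %v)\n",
		decryptTitleKey(newKvu, rekeyed), bytes.Equal(decryptTitleKey(newKvu, rekeyed), kt))
}
```

The first line of output is the "won't produce a VUK that decrypts the Title Key file correctly" case; the second is what step 3 would have to produce before the bytes are patched into the iso and burned.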
10th February 2007, 14:27 | #96
mrazzido
Just an idea?? We need an "HD DVD or Blu-ray emu" so that PowerDVD or WinDVD think an original disc is inside. Then the program has a database with the keys, ripped from a WinDVD memdump.
10th February 2007, 14:45 | #97
arnezami
Quote (originally posted by mrazzido):
Just an idea?? We need an "HD DVD or Blu-ray emu" so that PowerDVD or WinDVD think an original disc is inside. Then the program has a database with the keys, ripped from a WinDVD memdump.
Then it's probably better to decrypt and play it (with an open source player). The gist of the above idea is that you might fool for example a PS3 or fool WinDVD/PowerDVD without the need of any software to be installed and without needing to decrypt the entire disc: a simple fix to the title key file in the iso would do the trick (if this works of course). In principle you could even let a burning program do it on-the-fly for you.

Anyway, maybe the posts (by mrazzido and me replying to him and my original idea-starter-post) about this subject (making an encrypted perfect copy) should be moved to a separate thread because it really is a related idea. But it has nothing much to do with trying to find Device/Processing/Media Keys and Volume IDs (sorry mods, didn't really anticipate this).

Last edited by arnezami; 10th February 2007 at 15:02.
10th February 2007, 16:54 | #98
jkenzie
Quote (originally posted by arnezami):
@jkenzie (or anybody else who has PowerDVD): could you try the following:

Open the 001.fcl file in WinHex (make a backup first) and see if there is any random stuff in it (I suspect the bulk is random, is it?). Now change one byte in that area and try whether PowerDVD will play a movie. And try changing the file at different places (but only change at most one byte compared to the backup) and see what happens.

This could pin-point the exact position of the Device Keys used. But it's possible there is some kind of checksum which disables this technique. If it works all the time then I suspect there are no Device Keys in it at all.
If I change one byte at any point in the file the player will not initialize. I get the 1103 error.
I've watched the changes several times with several different discs inserted as first play. I always end up with a different .fcl file.
I don't think the changes are from an internet update, because the computer I'm testing this on has no connection.
10th February 2007, 17:16 | #99
arnezami
Quote (originally posted by jkenzie):
If I change one byte at any point in the file the player will not initialize. I get the 1103 error.
I've watched the changes several times with several different discs inserted as first play. I always end up with a different .fcl file.
I don't think the changes are from an internet update, because the computer I'm testing this on has no connection.
Ok. Thanks.
11th February 2007, 06:23 | #100
arnezami
After some (sometimes frustrating) work I found the Media Key of King Kong:

Code:
07 4E 1F C8 8F B9 B7 80 A2 25 CA A2 3B C3 DB 56


With that we are one step closer to finding a Processing Key.

Last edited by arnezami; 11th February 2007 at 08:15.