Picking the Widevine Locks: Acquiring and Using an L3 CDM (ismailzai.com)
66 points by zlingasdg on Jan 9, 2024 | 71 comments



Even Widevine L1 is effectively broken. The actual protection offered by it is negligible. Will it stop the average Netflix user from "Right Click -> Save File" on any episode? Sure. But it does nothing to prevent pirated content from being released on the internet and other people downloading said content.

I oppose piracy, but I really wish rightsholders would give up on requiring DRM at this point. It only makes things more annoying for people who legitimately bought the content. At least the music industry went back to offering DRM-free downloads. I hope the video industry gets there as well.


I'm not particularly fond of piracy either, but I get people doing it. If I were to consume more media content, I'd probably do the same, the whole shenanigans around which show/movie is with what provider today ruined the experience of modern streaming platforms. Early Netflix (streaming) was perfect, but the movie studios/distributors ruined it, they deserve to suffer.


Yup. There are people who will pirate no matter what and combating them is a lost cause. As for the 95%, it's purely a matter of availability and convenience. Early Netflix defeated piracy because it was extremely convenient, but in regions where not all content is available piracy is thriving.


Yes and no, whilst centralization is convenient I don't like the implications of everything being served on say Netflix with no alternatives.


It's not a case for centralization, it's a case against exclusives: there's no reason why a TV show should only be available on one streaming platform. Ideally you could get everything from any number of streaming or pay-to-download sources. The issue is the incentives in the current system are not set up for this, and they are somewhat self-reinforcing (basically, a streaming service will get more value from licensing a show exclusively, even if they are paying much more for the sake of it. Show producers are therefore also incentivised to license exclusively as opposed to more generally, doubly so if they own their own streaming platform, at which point they will cease to license to third parties at all)


The answer is compulsory licensing. People have been doing that for decades. It's a solved problem. Look at e.g. radio. There's a compulsory licensing scheme for radio stations. They pay into a pool that is divvied up to rights holders based on some kind of keys and metrics. Radio stations can play whatever music they want, no additional licensing required.

We should have that for streaming music and video. Any streaming platform could offer any content they'd want to host, and they pay into a pool for rights holders. Streaming platforms would have to compete on quality, features, price, availability, etc. But not on holding content hostage.


The streaming era would be greatly improved by the modern version of https://en.wikipedia.org/wiki/United_States_v._Paramount_Pic.... : companies should be either making content or distributing it, and distribution should be on an equal competitive basis.


And with Netflix opening up physical location we seem to have come full circle.


Early Netflix was also not centralized, as they served pre-existing content. Streaming-service exclusives is what ruined this - but as it's an effective revenue generator (it is the only reason anyone would have 5 different streaming subscriptions), that part is unlikely to go away...

But right now, I'd say distributors and national license agreements are the biggest issue. Having to VPN around to find content is a pain, and because each country has its own version of content, which subtitles are available also differ - for example, Danish Netflix generally only has Nordic languages for subtitles, and does not have English subtitles. And then all you get is some low streaming quality.

This is the kind of thing that powers the whole "piracy has better UX" argument - having to VPN around, not have the right languages, and getting a poor quality vs. the effort to download a version with whatever subtitles you want.

Disney+ is so far the only service I've seen where this is largely a non-issue - but I also want to see stuff not owned by Disney.


It's arguable to me whether it's better to centralize vs having seasons 1-3 at one streaming service and 4-7 at another.

But I'm not a fan of any of them right now. The market incentive for e.g. Netflix to continue a series ends when they reach a statistical benchmark of assumed new / restarted subscriptions. There's not enough incentive to run a series unless it's like GOT, which brought HBO large numbers of new subscribers every season. Too few people are willing to make a stand and quit Netflix in protest.


I think the solution resides somewhere in the middle: make video streaming platforms more like music streaming platforms.

Nowadays, YouTube Music, Spotify, Apple Music, Tidal, ..., all have roughly the same base music collection, competing on gimmicks like live lyrics or, for example, YouTube Music with normal video playback, or Spotify with its podcast library and sharing abilities.

This way, there is no centralization around a specific entity, but you also get to have the entire library of things worth considering to the average consumer.


My understanding is that technically DRM doesn’t really need to work perfectly to achieve its objective. DRM works in conjunction with anti-circumvention laws.

Making a private copy of a copyrighted material is legal in many jurisdictions, it is however illegal to circumvent DRM. So effectively by protecting content with any reasonable DRM, the content owner gets more control on the user than copyright law gives them. Without DRM you could subscribe to a streaming service and legally record all the content without infringing any copyright. With DRM you are forbidden to do so and anybody helping you do it is in hot water: end result no equivalent of a VCR for the internet era.


> Making a private copy of a copyrighted material is legal in many jurisdictions, it is however illegal to circumvent DRM.

I believe that European developers are the most prolific in matters related to multimedia, including DRM. And well, the European Union does protect the research against DRM. It's "only" for interoperability reasons, but since DRMs are never universal, that should be fine.


I'd say the music industry went to Spotify and other streaming services. Wouldn't be surprised if music download sales are now less than physical CD or vinyl sales.

And music streaming services do use DRMs like Widevine too, unfortunately.


> Wouldn't be surprised if music download sales are now less than physical CD or vinyl sales.

The music industry did that to themselves though. They went for digital because they thought they could re-sell the same content at 400% mark-up to their previous customers, but in turn they let the genie out of the bag in terms of reproducibility without loss. That's the main reason you see all these 'remastered' releases: to be able to squeeze the lemon a bit more.

If they had just stuck to vinyl and cassettes they could have milked that cow for decades to come (but not at the quality level of what the music industry puts out at the moment).


I'm not following. None of the crucial elements for this evolution was actually developed by the music industry

If the music industry would have stuck to vinyl and cassettes, the digital era would have still happened.

- At some point people would have recorded their vinyls/cassettes to WAV and stored them offline.

- Lossy compression comes along,

- People start sharing content online

- Music industry is disrupted


Digitizing a phonograph is a lot harder than ripping a CD.


Which is irrelevant. In a world where the CD didn't exist, someone would have built a phonograph with Line-Out, which later would have been connected to the Line-In of a PC.

Assuming that MP3 wouldn't have disrupted the music industry if they'd have stuck to Vinyl and Cassette is ridiculous. Even today, Vinyl rips of music exist.

The core of this disruption was not in the process of creating the MP3, it was the ease of music distribution without any involvement of a music label.


> Which is irrelevant. In a world where the CD didn't exist, someone would have built a phonograph with Line-Out, which later would have been connected to the Line-In of a PC.

The quality of which would have been lower than that of a CD. Incidentally: many phonograph/amplifier combinations had the option (or even a built in) cassette recorder so that part was readily available from the 70's onward.

> Assuming that MP3 wouldn't have disrupted the music industry if they'd have stuck to Vinyl and Cassette is ridiculous.

You're welcome to your opinions as well.

> Even today, Vinyl rips of music exist.

Yes, they do. But they're not close to the quality that you get when you use FLAC on a CD image, or a high quality MP3 encoding (lossy, but not quite that lossy).

In order to rip vinyl you will have to do your own A->D, you've already gone through a whole pile of analogue stuff, you will have picked up some hum, lost some high and lost a lot of low. CD audio put master tape quality in the hands of millions and then when MP3 happened suddenly all of that was instantly available. If the required steps had been reliant on someone doing all of that work it would have been a lot less quick in terms of adoption. Building the hardware to do this properly so that you'd get something equivalent to a HiFi set on subsequent output isn't all that easy, especially not if you care about modulation depth.

> The core of this disruption was not in the process of creating the MP3, it was the ease of music distribution without any involvement of a music label.

That was another required step, but the widespread availability of master tape grade digital content was an enabler as well and I really don't see why you would deny that.

FWIW I'm the guy that encoded the dutch broadcast archive for TROS so that they could easily call up tracks without running to the physical archive. Trucks with CDs would arrive and harddrives would go the other way. We did many thousands of them. Without the CDs ripping at 40 speed or so that would have absolutely never happened. Ripping a vinyl record at any level of quality will take you more than an hour, there are all kinds of environmental factors, you'll wear out needles like there is no tomorrow and you're going to be busy fiddling with tone arm pressure and all kinds of finicky bits if you want to get even close to something that's good enough for broadcasters.


Let's agree to disagree then.

FWIW, people selling copies of Vinyls and cassettes on blank cassettes were no real threat to the distribution business of a music label. Even people copying CDs didn't harm them that much, because their reach and scale was always limited.

They only got engaged when the scale increased (mass-copying of content).

But when MP3 hit, every single upload was threatening their global distribution business, because suddenly someone was distributing for free.

> The widespread availability of master tape grade digital content was an enabler as well

The Quality of content didn't matter for the disruption of the business, a huge amount of popular music on Napster/LimeWire/AudioGalaxy/... was actually recorded from Radio.

If cassettes were the peak media and pirated digital content would have been limited to recordings from cassettes, yet still distributed globally by every kid from everywhere on the planet who gets hold of ONE tape, the wheels would have been set in motion just the same.


> Let's agree to disagree then.

That's ok.

> FWIW, people selling copies of Vinyls and cassettes on blank cassettes were no real threat to the distribution business of a music label.

Precisely: crap quality and a medium that didn't last for very long even if you were careful with the cassettes. You usually got a year or two out of them before the tape got eaten, especially if you used them in cars. None of the tapes I had from that era survives. All of the MP3s I made in the '00s survive today.

> Even people copying CDs didn't harm them that much, because their reach and scale was always limited.

Copying CDs wasn't possible for the first two decades of the CD format because there were no writable CDs.

> They only got engaged when the scale increased (mass-copying of content).

Yes. Plextor was a factor in that, the MP3 format, the internet and a massive available catalog of high quality content without DRM.

> But when MP3 hit, every single upload was threatening their global distribution business, because suddenly someone was distributing for free.

That's because it was the last missing component. Fraunhofer didn't exactly make any friends in the music industry with that trick. But all of the other elements were just as much a requirement.

> The Quality of content didn't matter for the disruption of the business, a huge amount of popular music on Napster/LimeWire/AudioGalaxy/... was actually recorded from Radio.

You see the same today with movie piracy: the DVD rips are the ones that really drive it, the 'cam' captures are junk.

> If cassettes were the peak media and pirated digital content would have been limited to recordings from cassettes, yet still distributed globally by every kid from everywhere on the planet who gets hold of ONE tape, the wheels would have been set in motion just the same.

It wouldn't have happened due to the generational loss between copies. And that's exactly why the availability of CD grade content matters because it effectively plugs you into the ADC at the studio instead of 3 different mastering steps in between. That's why 'virgin pressings' (the first 100 or so of the records off a new master) were so sought after, especially by fans of music with a high dynamic range.


>The quality of which would have been lower than that of a CD.

Debatable (e.g. people still buy vinyls), but what's true is an mp3 _is_ lower quality than the CD it is ripped from. Didn't quite stop piracy.


A lot harder, but still as easy as playing it back while recording it, then splitting in tracks.

And doing it once is enough.


They went to digital releases because they wanted access to a large customer base. Buying physical music is a chore I certainly don't have time for, nor would I be able to listen to music from an LP or cassette in any of the scenarios I normally listen to music. Plus, LP and cassette audio quality is Very Bad, and LPs wear out.

Music was pirated before digital music was a thing, but it brought a way bigger market. The problem now is with how newer streaming services haven't figured out how to pay artists, or have been unwilling to do so. Although, perhaps the value of music has just changed with time.


I can tell you first hand that cassette audio could wear out too.


The music industry never went to digital downloads. They were entirely forced to by competition from Napster from digital CD rips.


They went to digital when they introduced the CD. That opened the door to people ripping those CDs, if they hadn't gone digital they could have avoided that entirely.


CD's were the first digital versions. That's what enabled the lossless reproduction that GP is talking about.

I don't agree with GP though that they did it to themselves. I think they would have been quickly forced to digitize anyway had they tried to resist the CD


Sony and Philips (the parents of the CD) were doing this while they were at the same time part of the music industry as such. They didn't resist the CD, they pretty much invented it. It's possible that otherwise another entity would have come up with a practical digital format but without the support of the music industry such a format would have surely failed, especially because initially there were no recordable optical media, which is what you need if you want to introduce a new format without having access to a very large catalogue of music.


ah, fair point, thanks!


Fortunately, the RIAA actually has an easy-to-read graph of where music industry revenue comes from: https://www.riaa.com/u-s-sales-database/.

In 2022, ~$500m came from music download sales, whereas ~$1700m came from physical sales. And ~$15000m came from streaming. From 2012 to 2017, music download sales were ahead of physical sales.


Widevine L1 certainly seems to be holding up well enough to prevent major Netflix shows being released in 4K via torrent sites for weeks or months after launch.


Is this just due to the fact that Netflix will only send 720p to a Linux PC running chrome?


I assume the parent was ironic since 4K/Dolby Vision versions of top Netflix shows are actually released by pirates on the very day they are available on the platform.


No, they're not. It's actually quite rare for that to happen.

Nobody uploaded Stranger Things S4 in UHD until after the season had finished for example.


That fact is directly due to the above, not the other way around.


And it's holding up content against real customers for years.


> Even Widevine L1 is effectively broken

Is there any evidence that Widevine L1 itself is actually broken, instead of let's say Netflix still offering legacy routes to provide HiRes content to some STB's and other devices (routes which are then used by pirates to download the content)?


CVE-2018-6242 allows dumping keys from affected Nvidia Tegra processors that are used, for example, in Nvidia Shields. That hardware flaw is unpatchable in existing units and revoking their keys would mean rendering a large swath of media center devices unable to do their job.


Which basically makes devices with this processor the mentioned "legacy route for HiRes content", until content-providers decide to flag those trust-chains as broken and fall back to Widevine L3 (SW-based).

This happened more often in the past than people may realize, especially on devices from Xiaomi, Oppo, OnePlus.

Netflix is actively monitoring this and are escalating to device-vendors as soon as they see suspicious load and are about to flag the devices.


... all to the detriment of paying customers who happen to use these devices.


Those keys were downgraded to L3.


Oh! I was not aware that happened. Right now I can't find anything on that matter (not that it would be highly advertised). I'm not doubting this, but do you have a reference for that?


What? That should be illegal. They changed the rules after you already purchased the device


Got to keep consumers on their toes.

You're supposed to buy new devices, consume.



That's L3, not L1.


Quote from the Article

> That said, there is also a free L1 Content Decryption Module posted in the ‘LenovoTB-X505X-L1-KEY’ repository. A trusted source confirmed to TorrentFreak that this CDM is indeed working. However, as Widevinedump also notes, it may not be active for much longer.


That key was revoked the day the article was published.


A noble sacrifice. Some paying customers will be affected, but it's for the greater good.

The streams will continue to get dumped, with different keys.


Yup, my Netflix on a recent Android box frequently throws some error code I can't be bothered to check.

STB man, plug and play, if I wanted to debug issues I'd use Linux.


I got -1 don't know why but be advised I do use Linux. But the amount of time I am willing to waste troubleshooting depends on the OS and its advantages to me.


There was a talk at 37c3 recently about UHD BluRay encryption[1] as well which is just more of the same "security" through obscurity

[1] https://media.ccc.de/v/37c3-12296-full_aacsess_exposing_and_...


I refuse to buy DRM'd content. I refused to watch DRM'd streams. I periodically write to media organisations and highlight my opposition to my legal rights under copyright law, and point out that I have not bought their product because of it. I haven't bought a Sony product since their rootkit fiasco, for example, and occasionally remind them of it.

I often get a response – usually media companies (like Channel 4 in the UK) reply saying something like "We know this is a bit shit, and we're sorry for it, but it's a contractual obligation we are under". I've never quite understood that argument. Both the BBC and Danish Radio (Denmark's equivalent of the BBC) have no DRM whatsoever on their websites, both buy in lots of programmes, and both send them quite happily over teh interwebz to me when I happen to be in whichever country at the same time.

Meanwhile, I buy CDs or DRM-free audio files (hyperion-records.co.uk comes recommended, as does obviously itch.io and gog.com) and continue to rage against the Widevine machine. Occasionally browser adverts will ask to use the widevine CDM on my phone, which yields a large popup saying "never visit this site again" before I hit the 'deny' button...


The BBC certainly apply Widevine or Fairplay to iPlayer downloads.

The BBC buys in very little, all told, and I suspect they will move to Widevine at some point.


They don't apply it to the html5 stream. I periodically write in and complain about DRM to them. I really suggest others do too, to highlight the issue. I also don't like the fact that the Sounds app contains a ton of trackers as well as DRM, and I've highlighted that to them as well. I usually get a sympathetic, if ultimately futile, response.


The website doesn't seem to load for me. (Android Firefox/Chrome)



This procedure is almost identical to that in https://forum.videohelp.com/threads/408031-Dumping-Your-own-...

I appreciate there's more technical detail in this blog post than the forum post, but it is generally polite to cite your sources even if there is no legal or cultural requirement.


Since the link is Cloudflare'd (can't see the site) here's a mirror in case you encountered it: https://web.archive.org/web/20240109062934/https://www.ismai...


I contacted Widevine multiple times. They never even responded to me. How this guy got a license is a mystery.


What do you mean he got a license? It doesn't sound like he dealt directly with Widevine to me. It sounds like he reverse engineered some existing application.


He used a legitimate endpoint to dump the license


Isn't L3 content limited to 720p for most content providers? Practically useless.

edit: Just to clarify. This is a good article, sorry about that. My perspective was from the content provider -- aka -- do they care if the lowest quality content is accessible via emulator generated keys.


720p is perfectly fine when watched from a beamer and optionally a laptop screen.


It's fine on most screens for most content on an average TV screen even. Sure, not good enough if you are sitting down in a home cinema for the latest blockbuster, but totally OK for Chicken Run, Dawn of the Nugget or just tuning out with some tolerable series.


It is totally subjective.

1. It only matters to people who are used to 4K or are equipped with a 4K TV. If you don't own such screen, which a lot of people still do, it doesn't matter. You don't miss what you have never experienced.

2. When using a beamer, outright resolution is less important because the image is smoothed out. Relative to the size of my wall I don't feel like I lose detail or enjoyment on my own beamer at home than when I watch same movie in a real cinema theater. What I do miss is usually more the experience: going out, meeting friends in a neutral place and anticipate with them the screening, smelling the popcorn from the theater entrance, going out for lunch after the screening, etc. The outright resolution? couldn't care less.


640K is enough for anyone


Well I have difficulty going back to VHS but still enjoy watching childhood family videos on video 8 so there is that.


A little writeup on Widevine DRM and generating CDMs with Android Studio.


Thanks, ChatGPT.



