hyugogirubato/KeyDive

Pixel 6a running Android 34 fails after hooks completed.

Closed this issue · 5 comments

Screenshot from 2024-05-31 10-59-15

agt:~/Programming/gits/KeyDive$ py keydive.py -a -d 2729xxxxx42 --functions /home/agt/android.hardware.drm-service.widevine2.xml
2024-05-31 11:20:19 [I] KeyDive: Version: 1.0.8
2024-05-31 11:20:19 [I] Cdm: Device: Pixel 6a (272xxxxx142)
2024-05-31 11:20:19 [I] Cdm: SDK API: 34
2024-05-31 11:20:19 [I] Cdm: ABI CPU: arm64-v8a
2024-05-31 11:20:19 [I] Cdm: Script loaded successfully
2024-05-31 11:20:19 [D] Cdm: Analysing... (android.hardware.drm-service.widevine)
2024-05-31 11:20:19 [D] Cdm: Analysing... (android.hardware.drm-service.widevine)
2024-05-31 11:20:20 [D] Cdm: Analysing... (mediaserver)
2024-05-31 11:20:20 [I] Vendor: CDM version: 18.0.0
2024-05-31 11:20:20 [I] Vendor: OEM Crypto API: 18
2024-05-31 11:20:20 [I] KeyDive: Process: 965 (android.hardware.drm-service.widevine)
2024-05-31 11:20:20 [I] Cdm: Library: android.hardware.drm-service.widevine (/apex/com.google.android.widevine/bin/hw/android.hardware.drm-service.widevine)
2024-05-31 11:20:20 [D] Script: Hooked (0x565c2aa6e8): wvcdm::Properties::UsePrivacyMode
2024-05-31 11:20:20 [D] Script: Hooked (0x565c2e3a84): wvcdm::CdmLicense::PrepareKeyRequest
2024-05-31 11:20:20 [D] Script: Hooked (0x565c36fa00): ocnywnen
2024-05-31 11:20:20 [I] KeyDive: Successfully hooked. To test, play a DRM-protected video: https://bitmovin.com/demos/drm
2024-05-31 11:20:20 [I] KeyDive: Starting DRM player launch process...
2024-05-31 11:20:22 [C] Script: No data for device info, invalid argument position
2024-05-31 11:20:22 [I] KeyDive: Exiting

KeyDive repeatedly gets stuck here. Chrome launches with Bitmovin and exits. The error message is "No data for device info, invalid argument position".
functions.zip

After analysis, your function file appears correctly structured. To try to correct the argument positioning problem, try changing the value at this location in the JS script with one of the following proposals:

<REGISTER_VAR NAME="param_1" REGISTER="x0" DATATYPE="InitializationData *" DATATYPE_NAMESPACE="/Demangler/wvcdm" />
<REGISTER_VAR NAME="param_2" REGISTER="x1" DATATYPE="basic_string *" DATATYPE_NAMESPACE="/Demangler/std/__1" />
<REGISTER_VAR NAME="param_3" REGISTER="w2" DATATYPE="CdmLicenseType" DATATYPE_NAMESPACE="/Demangler/wvcdm" />
<REGISTER_VAR NAME="param_4" REGISTER="x3" DATATYPE="map *" DATATYPE_NAMESPACE="/Demangler/std/__1" />
<REGISTER_VAR NAME="param_5" REGISTER="x4" DATATYPE="basic_string *" DATATYPE_NAMESPACE="/Demangler/std/__1" />
<REGISTER_VAR NAME="param_6" REGISTER="x5" DATATYPE="basic_string *" DATATYPE_NAMESPACE="/Demangler/std/__1" />

However, this does not seem to be the only problem, since even if you get this error, you should first recover the private key of the device. Make sure to use the Magisk module referenced here in order to force the use of L3.

Thanks for an informative reply. Installed liboemcrypto-disabler and cycled through 1 to 6 on line 134 of keydive.js.

Results (2 looks promising?):

1. No data for device info, invalid argument position
2. Crashes:
Traceback (most recent call last):
  File "/home/angela/.local/lib/python3.12/site-packages/frida/core.py", line 549, in _on_message
    callback(message, data)
  File "/home/angela/Programming/gits/KeyDive/extractor/cdm.py", line 212, in _process_message
    self._extract_device_info(data)
  File "/home/angela/Programming/gits/KeyDive/extractor/cdm.py", line 238, in _extract_device_info
    license_request.ParseFromString(signed_message.msg)
google.protobuf.message.DecodeError: Error parsing message
3. Hangs at 'Starting DRM player launch process...'
4. Hangs at 'Starting DRM player launch process...'
5. Hangs complaining 'Failed to intercept the private key'
6. No data for device info, invalid argument position

The correct value of the argument is therefore 5. To try to make a generic hook (removing the pre-selection of the private key function), remove the string value (ocnywnen) from the list of known functions and try again (using arg position 5):

https://github.com/hyugogirubato/KeyDive/blob/main/extractor/cdm.py#L26

Nothing was working, so this morning I went back to Ghidra and re-analyzed the Widevine lib afresh, but this time ticked every option in the analysis pop-up.

Running KeyDive again the script produced a private RSA key and dumped keys immediately on running, but it did need option 5, as above.

This time it found very many more function names:
Screenshot from 2024-06-02 09-21-16

Thank you very much for your help, Kind Sir, and for producing such a wonderful piece of software.

Yes, the analysis done with Ghidra must be a complete analysis because the binary is stripped; the function names are not visible by default.

I have just made a new update bringing in the latest changes, notably the addition of your private function to the known names as well as the change to the default index for vendor 34.

Thank you for the additional information provided and for the debugging on your part!