HD-DVD ramblings

From auby.no

Jump to: navigation, search

During the HD-DVD encryption research I wrote some posts about the progress and such. As some of them actually contains some useful information, I've kept them here.

Contents

DMCA vs Freedom of Speech

So what's the deal? Digg started censoring posts containing the Processing Key (known for weeks), and now suddenly everyone riots. Oh well, riots are fun. AACS-LA is using the DMCA to shut down blogs and so fort; don't they have anything better to do? There are no legal grounds here what so ever. And btw, the IPv6 of my coffee machine is:

09-f9-11-02-9d-74-e3-5b-d8-41-56-c5-63-56-88-c0

For the record, I'm in Norway. So please send me a localized version of the DMCA I can laugh at.

Xbox 360 HD-DVD rom and Volume Id

I guess you could say the inevitable have happened. Due to certain firmware features of the Xbox 360 HD-DVD rom you can now ask it for the Volume Id without beeing authenticated. This is exactly what I suggested might be possible in my previous post. Generally, this means that ANY HD-DVD can be decrypted purely with the Process Key and this method. Basically you patch the HD-DVD firmware to skip authentication check, and remove the patch after you've done, making it completely stealthy and non-permanent.

The Process Key can (and will) be changed sooner or later, but so far all HD-DVDs and BluRays use the same Process Key. When the Process Key is eventually changed all that's needed is to find the new one; a task quite feasible now that there's a lot known about the system itself.

This is pretty much the conclusion of AACSLA vs The World, part one. Guess who won. Coming to a screen near you soon: AACS actually get broken.

AACSLA responds, and Process Keys

As some might have noticed AACSLA posted a response to the Volume Key discoveries, as seen here: www.aacsla.com/home

Behind the PR bullshit they are basically telling the truth; nothing is broken in regards to AACS as it's an attack on the player itself.

In other news, some other crafty fellas at the doom9 forum discovered the Process Key used for all current HD-DVD and BluRay discs. This Process Key can be used (if you have the Volume Id) to generate the Volume Key. Volume Ids aren't random, and can be generated from date, movie title, or at worst guessed.

http://forum.doom9.org/showthread.php?t=121866

It's still not a perfect solution; new releases can get a new Process Key. The Player Key can be used to find the Process Key, but the Player Key can also be revoked.

The people at www.slysoft.com have found a solution, but hasn't said how, which they obviously won't share with potential competitors/free products. I'm guessing they're using a combination of several Player Keys (to survive a revocation), the Process Key, and Volume Id generation. Just a guess though, might be something entirely different.

The Volume Id is acquired by asking the drive, but to do this you have to be authenticated using the Player Key. If this could somehow be bypassed things would be a lot easier. (again, until they change the Process Key) From what I have gathered Volume Id is not encrypted on the disc itself; with a modified drive firmware you could allow it to be read unauthenticated. As everyone has a Xbox 360 HD-DVD drive this is a good solution as any. Might require hardware modding, unless it's flashable.

How to find HD-DVD Volume Keys using WinDVD

1. Start movie playback in WinDVD

2. Start WinHex, open WinDVD memory

3. Search for "VPLST000.XPL" until there are no more hits (press F3 repeatedly, when you see this string followed by a bunch of zeroes you're close.) If you're searching with full path like I do in the video, replace H: with your hd-dvd drive.

alternate: search for H:\AACS, and continue to point 4 as usual

alternate 2: search for HDNetwork.HLP

4. Scroll past alot of zeroes (sometimes several pages) , until you see a few bytes, + 16 continous bytes sitting all alone. These 16 bytes are the volume key.

5. To find another key close WinDVD and start over.

For a quick video, check:

http://www.auby.no/files/hddvd.wmv

WinHex: http://www.x-ways.net/winhex/

WinDVD: use the japanese bluray/hd-dvd version.

What are volume keys you might ask?

There is one volume key per disc, and different releases (e.g. territories, special editions etc) can have one key each. The volume key is used to decrypt the title keys, which in turn decrypts the movie contents. Some movies only have one title key for all files, others have one for each segment (movie, menu, extras etc).

The volume key is all you need to decrypt the contents of one particular disc. There is no such thing as Volume Key revocation, so any known volume key will work until they actually rerelease the disc. They can, however, revoke the player key, making the search for volume keys harder.

There is a silver lining though; now that we have known volume keys it's much easier to find volume keys in new players as they are released, even standalone players. (Most are just computers in a hifi case.)

What's next? IMO finding the player key, and figuring out how to decrypt the volume key directly from the disc. This could be implemented in VLC, mplayer and such, and allow hd-dvd playback on linux, non-HDCP devices and anything else currently beeing screwed. This would also require a demuxer/media splitter for the EVOB file format, but now that there are uencrypted evobs avaible I imagine such will be avaible sooner rather than later.

Disclaimer: This information is provided as is. I do not take any responsibility what so ever, use at own risk. Knowledge gathered from peers on #doom9 on efnet and the online forums, thanks to those that helped. You know who you are.

I don't think this information breaks any sort of law, but if it does, let me know. Decryption of content you have purchased has always been vague, and I am no legal expert.

Note to newswriters: AACS is not "cracked", "hacked" or any other hip word you like to put in your newspieces. The HD-DVD consortium expected this to happen, and it's exactly why they have a player key revocation system. The encryption algorithm is not reverse engineered, broken or anything like that. AACS is described in great detail on the AACS homepage, www.aacsla.com , and contains everything needed to decrypt movies when you have the keys.

Personal tools