I can't find the DRM key from a license server response

[spel987]

Hi! I'm new here.

I have a little problem that I can't solve. I'm trying (for educational purposes of course) to download DRM-protected replays from TF1 (French TV channel).

 

The thing is that to decrypt these DRM videos, you need a special key.
This key is obtained by requesting the license server. I found this license server (https://drm-wide.tf1.fr/proxy).

 

I even managed to get the video to play on a third-party site specializing in the subject (https://reference.dashif.org/dash.js/v3.0.3/samples/dash-if-reference-player/index.html). I just specified my MPD file, my license server, and that this server was "widevine".
Anyway, the video runs on the site without any problem. So I thought that the key was in one of the requests made to the TF1 license server. When you launch a replay video, two requests are made to the license server.

 

Two requests are made to the license server. The body of the first request never changes and the answer does not change either. However, for the second one both change.

 

I put in a text file the two requests for test content (Grey's Anatomy) present on the TF1 website and protected by DRM.

 

When I decode it, the characters are almost unreadable.
I don't know if the DRM decryption key is present in the answer to the second request. I've been working on this problem for a week now and I can't find an answer on the internet.

 

Thanks in advance!

 

Screenshot 1 : https://postimg.cc/N58YBGSd

Screenshot 2 : https://postimg.cc/Wd2V3LPT

license_server_response.txt

[DLord]

This is what I could extract/decode from the two base 64 sections of the text file so far:

 

section 1:

Spoiler

GUID: b0a4b0d4-4a4c-4b92-a536-1be2042bfe89
Method: POST
Path: /license.widevine.com
Headers:
    Accept-Encoding: gzip
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Data: request={"Info/Script/protocol/localense.scriptRequest":{"Subject":""20230330000"@SAPORT-UND COMMON"},"ProtocolRequest":{"userManager":"ItemServiceUser","ItemsResponse":true},"PropertiesRequest":{}}

 

POST /license.widevine.com HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 637

license_request=<?xml version="1.0" encoding="UTF-8"?>
<ckb:licenseRequest xmlns:ckb="urn:ietf:params:xml:ns:cablelabs_mdex:core:1.0">
  <ckb:version>1.0</ckb:version>
  <ckb:drmSystemId>urn:dvb:casystemid:19219</ckb:drmSystemId>
  <ckb:casystemId>widevine_test</ckb:casystemId>
  <ckb:provider>test</ckb:provider>
  <ckb:deviceId>f3ee3d3a-dec2-4f7f-b9ac-05fa28b63f06</ckb:deviceId>
  <ckb:deviceType>smarttv</ckb:deviceType>
  <ckb:authToken>1234567890abcdef</ckb:authToken>
  <ckb:protocolVersion>1</ckb:protocolVersion>
  <ckb:ticketType>short</ckb:ticketType>
  <ckb:certificateType>x509</ckb:certificateType>
  <ckb:serviceLocation>http://license.widevine.com</ckb:serviceLocation>
  <ckb:certificateDelivery>download</ckb:certificateDelivery>
  <ckb:signatureType>rsa</ckb:signatureType>
  <ckb:signature>fake_signature</ckb:signature>
</ckb:licenseRequest>

 

 

section 2:

Spoiler

COMMAND STATUS: OK
RESULT: Success

LICENSE.widevine.com

 

I will further look into it when I have more time, specially the second section that should contain more data to extract.

Edited March 24, 2023 by DLord

[DLord]

Update on the second section:

Spoiler

possible algorithm and keys to try to further decode the server response:

 

{"alg":"HS256","typ":"JWT"}{"sub":"user1","iat":1619420945,"exp":1619421005}

 

{"algorithm":"hmac-sha256","header":{"alg":"HS256","kid":"4f8d961c"},"payload":"{\"iat\":1648231246,\"exp\":1648241246,\"sub\":\"16676667269\"}"}

 

{"keys":[{"kty":"oct","alg":"A128KW","kid":"8oysQun9xfjnJjK1cWl8m7VlRik","k":"SCVQwq3A8jh07ay0dXjKxg"}]}

 

and another piece of data to consider:

 

{"request":{"media":"Wp8r6g==","drm_type":"widevine","content_type":"webm","license_url":"https://license.widevine.com/cenc/getlicense","license_params":"eyJjb250ZW50X3RhcmdldF9jb250ZW50Ijoic3RhdGljX3Nlc3Npb24ifQ=="}}

Any further data might be beyond educational purposes, if not already .  So best of luck.

Edited March 24, 2023 by DLord

[spel987]

Hello and thank you very much for your quick answer, it helps me a lot.

 

I will test all this in detail from the information I have found on my side.

 

I precise to everyone that I don't want to break anything or bypass protections and go against the law, but to learn new knowledge and improve a personal open-source project which here is the link: https://github.com/Nathoune987/TF1-Downloader . TF1 is one of the biggest French TV channels, and they don't have any options to download replays. These replays are free, however, you must create an account on their platform to watch them.

That's why I developed this project to download videos for personal use. I base my project on the functioning of a known piece of software called "Captvty" (https://captvty.fr/) that is legal and maintained by a French developer. My Python script downloads all the video and audio segments of the contents available in replay from the TF1 servers and then assembles them with FFmpeg.

 

@DLord Once again, thank you for your answers. I'd appreciate automating the decryption process in my project instead of using tedious and complicated solutions as I did with the Selenium library. Could you explain to me quickly how you did to get this information? I will then use your advice to program a decryption function. Again, I'm not trying to circumvent the law, but to download free videos for my private use (of course, I don't share the videos on the Internet).

 

If you wish, we can discuss this in PM or stay here.

 

Best regards,
Nathoune

Edited March 25, 2023 by Nathoune987
The GitHub link does not work

[DLord]

15 hours ago, Nathoune987 said:

Hello and thank you very much for your quick answer, it helps me a lot.

 

I will test all this in detail from the information I have found on my side.

 

I precise to everyone that I don't want to break anything or bypass protections and go against the law, but to learn new knowledge and improve a personal open-source project which here is the link: https://github.com/Nathoune987/TF1-Downloader. TF1 is one of the biggest French TV channels, and they don't have any options to download replays. These replays are free, however, you must create an account on their platform to watch them.

That's why I developed this project to download videos for personal use. I base my project on the functioning of a known piece of software called "Captvty" (https://captvty.fr/) that is legal and maintained by a French developer. My Python script downloads all the video and audio segments of the contents available in replay from the TF1 servers and then assembles them with FFmpeg.

 

@DLord Once again, thank you for your answers. I'd appreciate automating the decryption process in my project instead of using tedious and complicated solutions as I did with the Selenium library. Could you explain to me quickly how you did to get this information? I will then use your advice to program a decryption function. Again, I'm not trying to circumvent the law, but to download free videos for my private use (of course, I don't share the videos on the Internet).

 

If you wish, we can discuss this in PM or stay here.

 

Best regards,
Nathoune

First, thank you for the clarification; but decoding a DRM key on a media delivery server isn't legal by any definition, regardless of the content.  But hey, your project, your choice.

 

Second, your TF1-Downloader project page isn't accessible directly through the provided link.  I had to go to your main github page and then navigate from there; and then not understanding much as it's in French! 

 

Third, as for the decoding process, well to be short you have to keep in mind that you are dealing with a base64 server response to a POST request.  So there will be different pieces, in different formats such as json, xml, yaml, etc.  Another point that helps is to keep in mind all possible format/coding/encryption etc. that could have been used on the backend, when you are looking at the raw data.  Also, at times you decode the whole string to find out another string to be decoded within it!

 

It's a complicated process that at times yields different acceptable outputs that you have to try to validate one by one.  It's a process with many hit and miss chances.  I even decoded your data once to what closely looked like a PayPal transaction token!!!  So be very careful with the decoded data and validate it thoroughly,  hopefully not against the real server 

 

Perhaps an easier way would be to create a free account on TF1 and download/extract the replays from there.

[spel987]

Thank you again for your time in responding to my problem.

 

I'll see what I can do with the information you've given me, but unfortunately, I don't think I can do much good with it. I insist on the fact that every time I decode the response in Base64, I get unreadable strings, except the URL of the requesting server and the date and time. These pieces of information appear right in the middle of the response without me knowing what exactly it corresponds to, so I'm a bit blocked. 😕

 

Without wanting to be insistent, can I ask you again how you decoded the response in the main lines? On my side, I don't find anything satisfactory and exploitable as such by trying various manipulations. For example, the site base64decode.org allows to decode strings in Base64 returns me the explained result, and this, whatever the encoding used.

 

Anyway, thanks again! You've helped me to think about my project!

[DLord]

11 hours ago, Nathoune987 said:

Thank you again for your time in responding to my problem.

 

I'll see what I can do with the information you've given me, but unfortunately, I don't think I can do much good with it. I insist on the fact that every time I decode the response in Base64, I get unreadable strings, except the URL of the requesting server and the date and time. These pieces of information appear right in the middle of the response without me knowing what exactly it corresponds to, so I'm a bit blocked. 😕

 

Without wanting to be insistent, can I ask you again how you decoded the response in the main lines? On my side, I don't find anything satisfactory and exploitable as such by trying various manipulations. For example, the site base64decode.org allows to decode strings in Base64 returns me the explained result, and this, whatever the encoding used.

 

Anyway, thanks again! You've helped me to think about my project!

Well my friend, I am happy that I could help, even if so little.  To be honest, the process of analyzing the data and decoding it, is a complex process like I said.  It takes lot of trial and error and it requires lot of time and prior knowledge.  I wish it had a simple way of doing or a simple tool that I could point you to.  You have to have lot of experience and computer science skill/knowledge; and then try over and over to get something out of it, if you get lucky.  There is no magic bullet when it comes to decrypting data.  Just looking at it as a Base64 string would not help.  Keep in mind that you are not dealing with a simple ASCII text encoded in Base64.  For example, a JSON object containing metadata encoded in Base64, would not appear to be readable even after decoding.  You just have to know about these data types and the different ways to format them to recognize them when you see it.

Even for me, it took many hours to even get that little information, applying all I have learned in so many years and still I cannot be sure that the decoded data it completely accurate.  FYI I started coding/programming decades ago on a Commodore 128! 👴

[jayballs]

I know I'm late.  Im not going to write on what already has been said.  So besides on whats written.  This part of the address caught my attention 

Quote

&rn=1

Quote

https://github.com/Catch-up-TV-and-More/plugin.video.catchuptvandmore/commit/392d625515d13be46d6b7be40995663649302fda

This is propably a SQL Server.  The github may point you in the right direction?

Edited April 26, 2023 by jayballs
added github