widevine-l3-decryptor/README.md

# Widevine L3 Decryptor
[Widevine](https://www.widevine.com/solutions/widevine-drm) is a Google-owned DRM system that's in use by many popular streaming services (Netflix, Spotify, &c) to prevent media content from being downloaded.

But Widevine's least secure security level, L3, as used in most browsers and PCs, is implemented 100% in software (i.e no hardware TEEs), thereby making it reversible and bypassable.

This Chrome extension demonstates how it's possible to bypass Widevine DRM by hijacking calls to the browser's [Encrypted Media Extensions (EME)](https://www.html5rocks.com/en/tutorials/eme/basics) and decrypting all Widevine content keys transferred - effectively turning it into a clearkey DRM.

## Usage
To see this concept in action, just load the extension in Developer Mode and browse to any website that plays Widevine-protected content, such as https://bitmovin.com/demos/drm.

Keys will be logged in plaintext to the javascript console.

e.g:

```
WidevineDecryptor: Found key: 100b6c20940f779a4589152b57d2dacb (KID=eb676abbcb345e96bbcf616630f1a3da)
```

Decrypting the media itself is then just a matter of using a tool that can decrypt MPEG-CENC streams, like `ffmpeg`. 

e.g:

```
ffmpeg -decryption_key 100b6c20940f779a4589152b57d2dacb -i encrypted_media.mp4 -codec copy decrypted_media.mp4
```

## How
In the context of browsers the actual decryption of the media is usually done inside a proprietary binary (`widevinecdm.dll`, known as the Content Decryption Module or CDM) only after receiving the license from a license server with an encrypted key in it.

This binary is usually heavily obfuscated and makes use of third-party solutions that claim to offer software "protection" such as [Arxan](https://digital.ai/application-protection) or [Whitecryption](https://www.intertrust.com/products/application-shielding).

Some reversing job on that binary can then be done to extract the secret keys and mimic the key decryption algorithm from the license response.

## Why
This PoC was done to further show that code obfuscation, anti-debugging tricks, whitebox cryptography algorithms and other methods of security-by-obscurity will eventually by defeated anyway, and are, in a way, pointless.

## Legal Desclaimer
This is for educational purposes only. Downloading copyrighted materials from streaming services may violate their Terms of Service. **Use at your own risk.**
Initial commit 2020-10-17 21:25:57 +02:00			`# Widevine L3 Decryptor`
Proofreading and copy edits 2020-10-20 19:10:17 +02:00			`[Widevine](https://www.widevine.com/solutions/widevine-drm) is a Google-owned DRM system that's in use by many popular streaming services (Netflix, Spotify, &c) to prevent media content from being downloaded.`
Initial commit 2020-10-17 21:25:57 +02:00
			`But Widevine's least secure security level, L3, as used in most browsers and PCs, is implemented 100% in software (i.e no hardware TEEs), thereby making it reversible and bypassable.`

Proofreading and copy edits 2020-10-20 19:10:17 +02:00			`This Chrome extension demonstates how it's possible to bypass Widevine DRM by hijacking calls to the browser's [Encrypted Media Extensions (EME)](https://www.html5rocks.com/en/tutorials/eme/basics) and decrypting all Widevine content keys transferred - effectively turning it into a clearkey DRM.`
Initial commit 2020-10-17 21:25:57 +02:00
			`## Usage`
Proofreading and copy edits 2020-10-20 19:10:17 +02:00			`To see this concept in action, just load the extension in Developer Mode and browse to any website that plays Widevine-protected content, such as https://bitmovin.com/demos/drm.`
Initial commit 2020-10-17 21:25:57 +02:00
Proofreading and copy edits 2020-10-20 19:10:17 +02:00			`Keys will be logged in plaintext to the javascript console.`
Initial commit 2020-10-17 21:25:57 +02:00
Proofreading and copy edits 2020-10-20 19:10:17 +02:00			`e.g:`

			```
			`WidevineDecryptor: Found key: 100b6c20940f779a4589152b57d2dacb (KID=eb676abbcb345e96bbcf616630f1a3da)`
			```
Initial commit 2020-10-17 21:25:57 +02:00
Update README.md 2020-10-18 19:43:50 +02:00			Decrypting the media itself is then just a matter of using a tool that can decrypt MPEG-CENC streams, like `ffmpeg`.

			`e.g:`
Initial commit 2020-10-17 21:25:57 +02:00
Proofreading and copy edits 2020-10-20 19:10:17 +02:00			```
			`ffmpeg -decryption_key 100b6c20940f779a4589152b57d2dacb -i encrypted_media.mp4 -codec copy decrypted_media.mp4`
			```
Initial commit 2020-10-17 21:25:57 +02:00
			`## How`
			In the context of browsers the actual decryption of the media is usually done inside a proprietary binary (`widevinecdm.dll`, known as the Content Decryption Module or CDM) only after receiving the license from a license server with an encrypted key in it.

Proofreading and copy edits 2020-10-20 19:10:17 +02:00			`This binary is usually heavily obfuscated and makes use of third-party solutions that claim to offer software "protection" such as [Arxan](https://digital.ai/application-protection) or [Whitecryption](https://www.intertrust.com/products/application-shielding).`
Initial commit 2020-10-17 21:25:57 +02:00
			`Some reversing job on that binary can then be done to extract the secret keys and mimic the key decryption algorithm from the license response.`

			`## Why`
			`This PoC was done to further show that code obfuscation, anti-debugging tricks, whitebox cryptography algorithms and other methods of security-by-obscurity will eventually by defeated anyway, and are, in a way, pointless.`

			`## Legal Desclaimer`
Proofreading and copy edits 2020-10-20 19:10:17 +02:00			`This is for educational purposes only. Downloading copyrighted materials from streaming services may violate their Terms of Service. Use at your own risk.`