449 points bertman | 35 comments
1. garblegarble No.29703013
The repo readme is pretty telling - this is being leaked to force this particular key to be blacklisted, I guess one group annoyed with others and wanting to cut off their access (and presumably the leaking group already has other L1 keys so doesn't fear this key being burned...)
replies(3): >>29703084 >>29703220 >>29704610
2. charcircuit No.29703084
or they had the skills to just dump it again

Edit: nvm I understood which key you were talking about. I would have replied, but I'm rate limited.

replies(1): >>29703102
3. garblegarble No.29703102
Ah, I thought L1 keys were burned into hardware, so blacklisting this key was effectively blacklisting a bunch of Lenovo tablets from accessing 4K HDR streaming?

Edit: looks like I'm wrong about this, and the Widevine L1 keys can be changed with a firmware update. There's an interesting breakdown of how it works on Qualcomm chips here: http://bits-please.blogspot.com/2016/04/exploring-qualcomms-...

replies(2): >>29703560 >>29704941
4. betterunix2 No.29703220
There is something amusing about weaponizing the key revocation process like this...
replies(1): >>29703609
5. londons_explore No.29703560{3}
Does this mean if I have a Lenovo tablet that currently streams 4K, that it will lose 4K video support? Could I ask Lenovo for a refund?
replies(3): >>29703624 >>29703675 >>29703683
6. hatware No.29703609
Everything about it is fascinating. These people all have day jobs yet they provide a better experience than the multi-trillion dollar corporations that are releasing the product in the first place.
replies(1): >>29703771
7. nikanj No.29703624{4}
Yes and yes. Lenovo probably doesn't give a shit, though. But you can ask!
replies(1): >>29703681
8. garblegarble No.29703675{4}
I would think so (the repo suggests this is a Lenovo TB-X505X key, I'd imagine they're at least per-product). I could certainly be wrong about L1 keys being burned-in, that was just my understanding of it (vendor docs say things like "Hardware DRM", but maybe I'm jumping to conclusions from marketing speak).

The Widevine spec doesn't say either, it just says that all processing is within the Trusted Execution Environment, so I suppose the keys could be loaded/updated in firmware. I'm looking for more docs now...

Edit: looks like I was wrong and they can be changed with firmware updates: http://bits-please.blogspot.com/2016/04/exploring-qualcomms-...

replies(1): >>29703804
9. Scoundreller No.29703681{5}
Depends on the country. Some do have some liability on manufacturers and/or vendors for defects. Unsure if an asterisk in their click through contract about key revocation would even matter.
10. jeroenhd No.29703683{4}
You should be able to ask Lenovo for a refund if you've bought the device with this feature in mind and if Lenovo advertised the ability to watch 4K on your preferred streaming service.

If the device just happens to support 4K, you may be out of luck. You could try suing the parties that are supposed to deliver the 4K content and have revoked the key, but I doubt you'll get much out of them.

If you rely on DRM, the media industry has all the keys. You're left to their whims when it comes to content consumption, and there's very little you can do.

11. londons_explore No.29703771{3}
These people probably all have day school... I think most people who get past school age tend to retire out of this crowd of people...
replies(2): >>29703821 >>29704076
12. alias_neo No.29703804{5}
TEE is an environment with hardware-backed attestation, you run a piece of software in the "black box" to do things like key generation etc.

My educated guess, having used TEE/TrustZone for keys, is that they could update the payload (the "Trusted Executable") with a new one to resolve the issue.

13. Wiseacre No.29703821{4}
I would just like to point out that this is a forum called Hacker News.
replies(1): >>29729518
14. hatware No.29704076{4}
Are you implying that young adults are more responsible for the state of piracy today than adults? I don't see that at all.
replies(2): >>29704507 >>29706197
15. dijit No.29704507{5}
I feel like I have to defend the parent here. My experience in the nulling/warez/pirating community is that it tends to be young adults doing the majority of the work and mostly they do it for kudos and not monetary benefit.

Adults might be giving them the kudos, but the hard work (again, in my experience) is young adults, of school age.

replies(3): >>29704704 >>29705052 >>29705357
16. tyingq No.29704610
I also noticed it provides part of the functionality with a .pyc file, without including the normal Python source. This one, for example: https://github.com/widevinedump/WV-AMZN-4K-RIPPER/blob/main/...

I'd be a little leery of running that outside of a sandbox.

replies(2): >>29721739 >>29721821
17. hatware No.29704704{6}
Young adults aren't breaking into streaming devices to extract the CDM keys. They also aren't running trackers like Orpheus and Redacted. Those are small examples, but I'm not sure I understand how young adults would ever have the mobility and network to do these things.
replies(3): >>29705215 >>29705550 >>29707535
18. NavinF No.29704941{3}
Would they release a firmware update with new keys though? If they can’t fix the vulnerability, the new keys would get dumped just like the old ones.
19. rolph No.29705052{6}
These young adults haven't learned the utility and necessity of anonymity.
20. floatingatoll No.29705215{7}
Er, you may not have been a young adult with l33t hardware hacking skills, but others were.
replies(1): >>29708336
21. monocasa No.29705357{6}
A lot of them started as young adults, but the scene has been going on for over 20 years. Some people quit over time, and some others joined as they got old enough to contribute, but I wouldn't paint with as wide of a brush as you're doing.
22. betterunix2 No.29705550{7}
George Hotz (geohot) was a teenager when he cracked the iPhone and was 20 when he cracked the PS3. So... yes, young adults certainly can extract keys if they have the time and motivation, and being young adults they often have plenty of time on their hands.
replies(1): >>29708320
23. Commodore63 No.29706197{5}
It was definitely the case for me! I aged out of warez when I got a full time job.
replies(1): >>29707391
24. jorvi No.29707391{6}
I think the warez 'golden age' was 1995-2015.

Before that most of the protections were just not that severe (and thus interesting), and after 2015 Steam, Netflix and Spotify severely stemmed the influx of people being exposed to piracy and thus potentially going deeper into the culture.

Tangentially related, but I think that's also why, in a strange way, the advent of the smartphone and other 'curated technological experiences' has lowered computer literacy for the average person born after ~1995.

replies(1): >>29710867
25. selfhoster11 No.29707535{7}
They are. Plenty of them are more than talented enough for it.
replies(1): >>29708325
26. hatware No.29708320{8}
Using George Hotz as an example is pretty disingenuous. He is clearly not your average young adult, even for the average of HN.
replies(1): >>29709991
27. hatware No.29708325{8}
Can you provide a counter-example or is this all anecdotes?
28. hatware No.29708336{8}
Odd comparison, I wasn't basing this off of my experience as a young adult.
29. Sunspark No.29709991{9}
That was some funny stuff. Watching this guy make Sony freak out and chase after him down the street with lawyers. Halt varlet, for I shalt sue!
30. arsome No.29710867{7}
Yeah, I think software piracy was a huge part of technological learning for me from an early age: figuring out the name of what I was even looking for (cracks, warez), using astalavista, early torrent clients, forwarding ports, finding good torrents, using a firewall to block applications, applying cracks, learning about loaders, key generators, patches, protectors, and later reverse engineering and cracking software myself... Staring at assembly in IDA for a few days straight so you can do something no one else online has done is a pretty interesting experience and probably one of the most formative ones to my enjoyment of computing.
31. masterofpupp3ts No.29721739
Forgive me for my ignorance, but would you mind explaining why providing functionality with a .pyc is potentially a red flag? I'm interested in learning more about Python codebases.
replies(1): >>29721775
32. tomc1985 No.29721775{3}
.pyc files are the compiled bytecode for their corresponding .py files. It's scrambled; you would need a decompiler to inspect the source code, and it would be very hard to read (compared to the original source).

People typically ship .pyc files when they want to hide what they are doing, for a wide variety of reasons.

replies(1): >>29722078
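An added example, not code from the thread or from the repo under discussion, illustrating both tyingq's concern (post 16) about a shipped .pyc and tomc1985's explanation (post 32) of what a .pyc is. A .pyc is a small header followed by a marshalled code object, so a defender can triage it with only the standard library before deciding whether to run it in a sandbox: check the magic number against the local interpreter, read the PEP 552 header, unmarshal the code object without executing it, and list what it imports, which names it touches and which string constants it carries. The sample module compiled here is constructed for the example; the helper names (build_sample_pyc, parse_pyc, triage, demo) are this example's own.

```python
# Added example: static triage of a .pyc file with the standard library only.
import dis
import importlib.util
import marshal
import os
import py_compile
import struct
import tempfile
import types

# Constructed sample source, standing in for a shipped .pyc whose .py is missing.
SAMPLE_SOURCE = '''
import os
import subprocess

def run(cmd):
    return subprocess.check_output(cmd, shell=True)

def home():
    return os.environ.get("HOME", "/nonexistent")
'''


def build_sample_pyc(workdir):
    """Write SAMPLE_SOURCE to disk and compile it to a timestamp-based .pyc."""
    src = os.path.join(workdir, "sample.py")
    with open(src, "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_SOURCE)
    pyc = os.path.join(workdir, "sample.pyc")
    py_compile.compile(
        src, cfile=pyc, doraise=True,
        invalidation_mode=py_compile.PycInvalidationMode.TIMESTAMP,
    )
    return pyc


def parse_pyc(path):
    """Read the 16-byte PEP 552 header and unmarshal the code object.

    marshal.loads only rebuilds the code object; nothing in it is executed.
    """
    with open(path, "rb") as fh:
        data = fh.read()
    if data[:4] != importlib.util.MAGIC_NUMBER:
        raise ValueError("magic number does not match this interpreter; "
                         "inspect with the Python version that produced the file")
    (flags,) = struct.unpack("<I", data[4:8])
    if flags & 1:  # hash-based pyc: bytes 8..16 hold the source hash
        mtime, size, source_hash = None, None, data[8:16]
    else:          # timestamp-based pyc: source mtime and size
        mtime, size = struct.unpack("<II", data[8:16])
        source_hash = None
    code = marshal.loads(data[16:])
    return {"flags": flags, "mtime": mtime, "source_size": size,
            "source_hash": source_hash, "code": code}


def walk_code(code):
    """Yield the module code object and every nested function/class body."""
    yield code
    for const in code.co_consts:
        if isinstance(const, types.CodeType):
            yield from walk_code(const)


def triage(code):
    """Summarise imports, referenced names, string constants and function names."""
    imports, names, strings, functions = set(), set(), set(), set()
    for co in walk_code(code):
        names.update(co.co_names)
        strings.update(c for c in co.co_consts if isinstance(c, str))
        if co.co_name != "<module>":
            functions.add(co.co_name)
        for ins in dis.get_instructions(co):
            if ins.opname == "IMPORT_NAME":
                imports.add(ins.argval)
    return {"imports": sorted(imports), "names": sorted(names),
            "strings": sorted(strings), "functions": sorted(functions)}


def demo():
    """Build the sample .pyc in a temp dir and return header fields plus triage."""
    with tempfile.TemporaryDirectory() as workdir:
        info = parse_pyc(build_sample_pyc(workdir))
    summary = triage(info["code"])
    summary["flags"] = info["flags"]
    summary["source_size"] = info["source_size"]
    return summary


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The import list and the string constants are the quick wins: a module that pulls in subprocess and carries a shell command string deserves a closer look (dis.dis on the code object gives the full listing) before it is allowed anywhere near a real environment. The magic-number check matters because a .pyc only unmarshals correctly under the interpreter version that produced it.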
33. rolandog No.29721821
Do you think it could probably be decompiled? [0].

[0]: https://stackoverflow.com/a/14808336/297570

34. masterofpupp3ts No.29722078{4}
Oh! That makes complete sense. I didn't know .pyc was the bytecode of a Python file. Thank you!
35. nurettin No.29729518{5}
People come to HN to discuss whether the hacking blog's title was too big for their tastes or if the content is readable by every disabled person under the sun. The comment section is literally pain incarnate for actual hackers.