
449 points bertman | 9 comments
garblegarble ◴[] No.29703013[source]
The repo readme is pretty telling - this is being leaked to force this particular key to be blacklisted, I guess one group annoyed with others and wanting to cut off their access (and presumably the leaking group already has other L1 keys so doesn't fear this key being burned...)
replies(3): >>29703084 #>>29703220 #>>29704610 #
1. charcircuit ◴[] No.29703084[source]
or they had the skills to just dump it again

Edit: nvm I understood which key you were talking about. I would have replied, but I'm rate limited.

replies(1): >>29703102 #
2. garblegarble ◴[] No.29703102[source]
Ah, I thought L1 keys were burned into hardware, so blacklisting this key was effectively blacklisting a bunch of Lenovo tablets from accessing 4K HDR streaming?

Edit: looks like I'm wrong about this, and the Widevine L1 keys can be changed with a firmware update. There's an interesting breakdown of how it works on Qualcomm chips here: http://bits-please.blogspot.com/2016/04/exploring-qualcomms-...

replies(2): >>29703560 #>>29704941 #
3. londons_explore ◴[] No.29703560[source]
Does this mean if I have a Lenovo tablet that currently streams 4K, that it will lose 4K video support? Could I ask Lenovo for a refund?
replies(3): >>29703624 #>>29703675 #>>29703683 #
4. nikanj ◴[] No.29703624{3}[source]
Yes and yes. Lenovo probably doesn’t give a shit, though. But you can ask!
replies(1): >>29703681 #
5. garblegarble ◴[] No.29703675{3}[source]
I would think so (the repo suggests this is a Lenovo TB-X505X key, I'd imagine they're at least per-product). I could certainly be wrong about L1 keys being burned-in, that was just my understanding of it (vendor docs say things like "Hardware DRM", but maybe I'm jumping to conclusions from marketing speak)

The Widevine spec doesn't say either, it just says that all processing is within the Trusted Execution Environment, so I suppose the keys could be loaded/updated in firmware. I'm looking for more docs now...

Edit: looks like I was wrong and they can be changed with firmware updates: http://bits-please.blogspot.com/2016/04/exploring-qualcomms-...

replies(1): >>29703804 #
6. Scoundreller ◴[] No.29703681{4}[source]
Depends on the country. Some do have some liability on manufacturers and/or vendors for defects. Unsure if an asterisk in their click through contract about key revocation would even matter.
7. jeroenhd ◴[] No.29703683{3}[source]
You should be able to ask Lenovo for a refund if you've bought the device with this feature in mind and if Lenovo advertised the ability to watch 4K on your preferred streaming service.

If the device just happens to support 4k, you may be out of luck. You could try suing the parties that are supposed to deliver the 4k content and have revoked the key, but I doubt you'll get much out of them.

If you rely on DRM, the media industry has all the keys. You're left to their whims when it comes to content consumption, and there's very little you can do.

8. alias_neo ◴[] No.29703804{4}[source]
TEE is an environment with hardware-backed attestation, you run a piece of software in the "black box" to do things like key generation etc.

My educated guess, having used TEE/TrustZone for keys is that they could update the payload (the "Trusted Executable") with a new one to resolve the issue.

9. NavinF ◴[] No.29704941[source]
Would they release a firmware update with new keys though? If they can’t fix the vulnerability, the new keys would get dumped just like the old ones.