3ef69deb29
There's no need for it. The image isn't even done particularly well. It's too specific to a browser scenario with some information not properly reflected/explained in the legend. I have no reason to try make my own or look for an alternative. If someone is particularly interested they can look online for more or less broad explanations as they see fit. |
||
|---|---|---|
| .github | ||
| docs/images | ||
| pywidevine | ||
| .deepsource.toml | ||
| .gitignore | ||
| CHANGELOG.md | ||
| LICENSE | ||
| README.md | ||
| poetry.lock | ||
| pyproject.toml | ||
| serve.example.yml | ||
README.md
pywidevine
Python Widevine CDM implementation.
Features
- 🛡️ Security-first approach; All user input has Signatures verified
- 👥 Remotely accessible Server/Client CDM code
- 📦 Supports parsing and serialization of WVD (v2) provisions
- 🛠️ Class for creation, parsing, and conversion of PSSH data
- 🧩 Plug-and-play installation via PIP/PyPI
- 🗃️ YAML configuration files
- ❤️ Forever FOSS!
Installation
Note: Requires Python 3.7.0 or newer with PIP installed.
$ pip install pywidevine
You now have the pywidevine package installed and a pywidevine executable is now available.
Check it out with pywidevine --help - Voilà 🎉!
From Source Code
The following steps are instructions on download, preparing, and running the code under a Poetry environment.
You can skip steps 3-5 with a simple pip install . call instead, but you miss out on a wide array of benefits.
git clone https://github.com/rlaphoenix/pywidevinecd pywidevine- (optional)
poetry config virtualenvs.in-project true poetry installpoetry run pywidevine --help
As seen in Step 5, running the pywidevine executable is somewhat different to a normal PIP installation.
See Poetry's Docs on various ways of making calls under the virtual-environment.
Troubleshooting
Executable pywidevine was not found
Make sure the Python installation's Scripts directory is added to your Path Environment Variable.
If this happened under a Poetry environment, make sure you use the appropriate Poetry-specific way of calling the executable. You may make this executable available globally by adding the .venv's Scripts folder to your Path Environment Variable.
Disclaimer
- This project requires a valid Google-provisioned Private Key and Client Identification blob which are not provided by this project.
- Public test provisions are available and provided by Google to use for testing projects such as this one.
- License Servers have the ability to block requests from any provision, and are likely already blocking test provisions on production endpoints.
- This project does not condone piracy or any action against the terms of the DRM systems.
- All efforts in this project have been the result of Reverse-Engineering, Publicly available research, and Trial & Error.
Key and Output Security
Licenses, Content Keys, and Decrypted Data is not secure in this CDM implementation.
The Content Decryption Module is meant to do all downloading, decrypting, and decoding of content, not just license acquisition. This Python implementation only does License Acquisition within the CDM.
The section of which a 'Decrypt Frame' call is made would be more of a 'Decrypt File' in this implementation. Just returning the original file in plain text defeats the point of the DRM. Even if 'Decrypt File' was somehow secure, the Content Keys used to decrypt the files are already exposed to the caller anyway, allowing them to manually decrypt.
An attack on a 'Decrypt Frame' system would be analogous to doing an HDMI capture or similar attack. This is because it would require re-encoding the video by splicing each individual frame with the right frame-rate, syncing to audio, and more.
While a 'Decrypt Video' system would be analogous to downloading a Video and passing it through a script. Not much of an attack if at all. The only protection against a system like this would be monitoring the provision and acquisitions of licenses and prevent them. This can be done by revoking the device provision, or the user or their authorization to the service.
There isn't any immediate way to secure either Key or Decrypted information within a Python environment that is not Hardware backed. Even if obfuscation or some other form of Security by Obscurity was used, this is a Software-based Content Protection Module (in Python no less) with no hardware backed security. It would be incredibly trivial to break any sort of protection against retrieving the original video data.
Though, it's not impossible. Google's Chrome Browser CDM is a simple library extension file programmed in C++ that has been improving its security using math and obscurity for years. It's getting harder and harder to break with its latest versions only being beaten by Brute-force style methods. However, they have a huge team of very skilled workers, and making a CDM in C++ has immediate security benefits and a lot of methods to obscure and obfuscate the code.
Credit
- Widevine Icon © Google.
- The awesome community for their shared research and insight into the Widevine Protocol and Key Derivation.