2024-03-31 13:27:10 +00:00
|
|
|
import json
|
2024-03-30 19:03:15 +00:00
|
|
|
import logging
|
|
|
|
import re
|
|
|
|
import subprocess
|
|
|
|
from pathlib import Path
|
|
|
|
|
2024-03-31 13:27:10 +00:00
|
|
|
import xmltodict
|
2024-04-01 13:53:18 +00:00
|
|
|
import frida
|
2024-03-30 19:03:15 +00:00
|
|
|
from _frida import Process
|
2024-04-01 11:17:28 +00:00
|
|
|
from frida.core import Device, Session, Script
|
2024-03-30 19:03:15 +00:00
|
|
|
from Cryptodome.PublicKey import RSA
|
|
|
|
|
|
|
|
from extractor.license_protocol_pb2 import SignedMessage, LicenseRequest, ClientIdentification, DrmCertificate, SignedDrmCertificate
|
|
|
|
from extractor.vendor import Vendor
|
|
|
|
|
|
|
|
SCRIPT_PATH = Path(__file__).parent / 'script.js'
|
|
|
|
|
|
|
|
|
|
|
|
class Cdm:
|
|
|
|
"""
|
|
|
|
Manages the capture and processing of DRM keys from a specified device using Frida to inject custom hooks.
|
|
|
|
"""
|
2024-04-01 13:53:18 +00:00
|
|
|
OEM_CRYPTO_API = {
|
2024-03-31 13:27:10 +00:00
|
|
|
# Mapping of function names across different API levels (obfuscated names may vary).
|
|
|
|
'rnmsglvj', 'polorucp', 'kqzqahjq', 'pldrclfq', 'kgaitijd',
|
|
|
|
'cwkfcplc', 'crhqcdet', 'ulns', 'dnvffnze', 'ygjiljer',
|
2024-04-01 19:02:45 +00:00
|
|
|
'qbjxtubz', 'qkfrcjtw', 'rbhjspoh', 'zgtjmxko'
|
2024-03-31 13:27:10 +00:00
|
|
|
# Add more as needed for different versions.
|
2024-04-01 13:53:18 +00:00
|
|
|
}
|
2024-03-31 13:27:10 +00:00
|
|
|
|
2024-04-01 13:53:18 +00:00
|
|
|
def __init__(self, device: str = None, functions: Path = None):
|
2024-03-30 19:03:15 +00:00
|
|
|
self.logger = logging.getLogger('Cdm')
|
|
|
|
self.running = True
|
|
|
|
self.keys = {}
|
|
|
|
self.device: Device = frida.get_device(id=device, timeout=5) if device else frida.get_usb_device(timeout=5)
|
|
|
|
self.logger.info('Device: %s (%s)', self.device.name, self.device.id)
|
|
|
|
|
|
|
|
# Fetch and log device properties
|
|
|
|
self.properties = self._fetch_device_properties()
|
|
|
|
self.sdk_api = self.properties['ro.build.version.sdk']
|
|
|
|
self.logger.info('SDK API: %s', self.sdk_api)
|
|
|
|
self.logger.info('ABI CPU: %s', self.properties['ro.product.cpu.abi'])
|
|
|
|
|
|
|
|
# Determine vendor based on SDK API
|
2024-04-01 13:53:18 +00:00
|
|
|
self.script = self._prepare_hook_script(functions)
|
2024-04-01 16:04:51 +00:00
|
|
|
self.logger.info('Successfully loaded script')
|
2024-03-31 08:23:19 +00:00
|
|
|
self.vendor = self._prepare_vendor()
|
2024-03-30 19:03:15 +00:00
|
|
|
|
|
|
|
def _fetch_device_properties(self) -> dict:
|
|
|
|
"""
|
|
|
|
Retrieves system properties from the connected device using ADB shell commands.
|
|
|
|
"""
|
|
|
|
# https://source.android.com/docs/core/architecture/configuration/add-system-properties?#shell-commands
|
|
|
|
properties = {}
|
|
|
|
for line in subprocess.getoutput(f'adb -s "{self.device.id}" shell getprop').splitlines():
|
|
|
|
match = re.match(r'\[(.*?)\]: \[(.*?)\]', line)
|
|
|
|
if match:
|
|
|
|
key, value = match.groups()
|
|
|
|
# Attempt to cast numeric and boolean values to appropriate types
|
|
|
|
try:
|
|
|
|
value = int(value)
|
|
|
|
except ValueError:
|
|
|
|
if value.lower() in ('true', 'false'):
|
|
|
|
value = value.lower() == 'true'
|
|
|
|
properties[key] = value
|
|
|
|
return properties
|
|
|
|
|
2024-03-31 13:27:10 +00:00
|
|
|
def _prepare_hook_script(self, path: Path) -> str:
|
|
|
|
"""
|
|
|
|
Prepares and returns the hook script by replacing placeholders with actual values, including
|
2024-04-01 13:53:18 +00:00
|
|
|
SDK API version and selected functions from a given XML file.
|
2024-03-31 13:27:10 +00:00
|
|
|
"""
|
2024-04-01 13:53:18 +00:00
|
|
|
selected = {}
|
2024-03-31 13:27:10 +00:00
|
|
|
if path:
|
2024-04-01 10:24:00 +00:00
|
|
|
# Verify symbols file path
|
|
|
|
if not path.is_file():
|
|
|
|
raise FileNotFoundError('Symbols file not found')
|
|
|
|
|
2024-03-31 13:27:10 +00:00
|
|
|
try:
|
|
|
|
# Parse the XML file
|
|
|
|
program = xmltodict.parse(path.read_bytes())['PROGRAM']
|
2024-04-01 13:53:18 +00:00
|
|
|
addr_base = int(program['@IMAGE_BASE'], 16)
|
|
|
|
functions = program['FUNCTIONS']['FUNCTION']
|
2024-03-31 13:27:10 +00:00
|
|
|
|
|
|
|
# Find a target function from a predefined list
|
2024-04-01 16:04:51 +00:00
|
|
|
target = next((f['@NAME'] for f in functions if f['@NAME'] in self.OEM_CRYPTO_API), None)
|
2024-03-31 13:27:10 +00:00
|
|
|
|
2024-04-01 13:53:18 +00:00
|
|
|
# Extract relevant functions
|
2024-03-31 13:27:10 +00:00
|
|
|
for func in functions:
|
|
|
|
name = func['@NAME']
|
2024-04-01 16:04:51 +00:00
|
|
|
args = len(func.get('REGISTER_VAR', []))
|
2024-04-01 13:53:18 +00:00
|
|
|
|
|
|
|
# Add function if it matches specific criteria
|
2024-04-01 16:04:51 +00:00
|
|
|
if name not in selected and (
|
2024-04-01 13:53:18 +00:00
|
|
|
name == target
|
|
|
|
or any(keyword in name for keyword in ['UsePrivacyMode', 'PrepareKeyRequest'])
|
|
|
|
or (not target and re.match(r'^[a-z]+$', name) and args >= 6)
|
|
|
|
):
|
2024-04-01 16:04:51 +00:00
|
|
|
selected[name] = {'name': name, 'address': hex(int(func['@ENTRY_POINT'], 16) - addr_base)}
|
2024-03-31 13:27:10 +00:00
|
|
|
except Exception:
|
2024-04-01 13:53:18 +00:00
|
|
|
raise ValueError('Failed to extract functions from Ghidra')
|
2024-03-31 13:27:10 +00:00
|
|
|
|
|
|
|
# Read and prepare the hook script content
|
|
|
|
content = SCRIPT_PATH.read_text(encoding='utf-8')
|
|
|
|
# Replace placeholders with actual values
|
|
|
|
content = content.replace('${SDK_API}', str(self.sdk_api))
|
2024-04-01 13:55:46 +00:00
|
|
|
content = content.replace('${OEM_CRYPTO_API}', json.dumps(list(self.OEM_CRYPTO_API)))
|
2024-04-01 13:53:18 +00:00
|
|
|
content = content.replace('${SYMBOLS}', json.dumps(list(selected.values())))
|
2024-03-31 13:27:10 +00:00
|
|
|
|
|
|
|
return content
|
|
|
|
|
|
|
|
def _prepare_vendor(self) -> Vendor:
|
2024-03-30 19:03:15 +00:00
|
|
|
"""
|
2024-03-31 13:27:10 +00:00
|
|
|
Prepares and selects the most compatible vendor version based on the device's processes.
|
2024-03-30 19:03:15 +00:00
|
|
|
"""
|
2024-03-31 13:27:10 +00:00
|
|
|
details: [int] = []
|
|
|
|
for p in self.device.enumerate_processes():
|
|
|
|
for k, v in Vendor.SDK_VERSIONS.items():
|
|
|
|
if p.name == v[2]:
|
|
|
|
session: Session = self.device.attach(p.name)
|
|
|
|
script: Script = session.create_script(self.script)
|
|
|
|
script.load()
|
2024-04-01 11:00:44 +00:00
|
|
|
if script.exports_sync.getlibrary(v[3]):
|
2024-03-31 13:27:10 +00:00
|
|
|
details.append(k)
|
|
|
|
session.detach()
|
|
|
|
|
|
|
|
if not details:
|
|
|
|
return Vendor.from_sdk_api(self.sdk_api)
|
|
|
|
|
|
|
|
# Find the closest SDK version to the current one, preferring lower matches in case of a tie.
|
|
|
|
sdk_api = min(details, key=lambda x: abs(x - self.sdk_api))
|
|
|
|
if sdk_api == Vendor.SDK_MAX and self.sdk_api > Vendor.SDK_MAX:
|
|
|
|
sdk_api = self.sdk_api
|
|
|
|
elif sdk_api != self.sdk_api:
|
|
|
|
self.logger.warning('Non-default Widevine version for SDK %s', sdk_api)
|
|
|
|
|
|
|
|
return Vendor.from_sdk_api(sdk_api)
|
2024-03-30 19:03:15 +00:00
|
|
|
|
|
|
|
def _process_message(self, message: dict, data: bytes) -> None:
|
|
|
|
"""
|
|
|
|
Handles messages received from the Frida script.
|
|
|
|
"""
|
|
|
|
logger = logging.getLogger('Script')
|
|
|
|
level = message.get('payload')
|
|
|
|
|
|
|
|
if isinstance(level, int):
|
|
|
|
# Process logging messages from Frida script
|
|
|
|
logger.log(level=level, msg=data.decode('utf-8'))
|
|
|
|
if level in (logging.FATAL, logging.CRITICAL):
|
|
|
|
self.running = False
|
|
|
|
elif level == 'device_info':
|
|
|
|
if data:
|
|
|
|
self._extract_device_info(data)
|
|
|
|
else:
|
|
|
|
logger.critical('No data for device info, invalid argument position')
|
|
|
|
self.running = False
|
|
|
|
elif level == 'private_key':
|
|
|
|
self._extract_private_key(data)
|
|
|
|
|
|
|
|
def _extract_private_key(self, data: bytes) -> None:
|
|
|
|
"""
|
|
|
|
Extracts and stores the private key from the provided data.
|
|
|
|
"""
|
|
|
|
key = RSA.import_key(data)
|
|
|
|
key_id = key.n
|
|
|
|
if key_id not in self.keys:
|
|
|
|
self.keys[key_id] = key
|
|
|
|
self.logger.debug('Retrieved key: \n\n%s\n', key.exportKey('PEM').decode('utf-8'))
|
|
|
|
|
|
|
|
def _extract_device_info(self, data: bytes) -> None:
|
|
|
|
"""
|
|
|
|
Extracts device information and associated private keys, storing them to disk.
|
|
|
|
"""
|
|
|
|
# https://github.com/devine-dl/pywidevine
|
|
|
|
signed_message = SignedMessage()
|
|
|
|
signed_message.ParseFromString(data)
|
|
|
|
|
|
|
|
license_request = LicenseRequest()
|
|
|
|
license_request.ParseFromString(signed_message.msg)
|
|
|
|
|
|
|
|
client_id: ClientIdentification = license_request.client_id
|
|
|
|
|
|
|
|
signed_drm_certificate = SignedDrmCertificate()
|
|
|
|
drm_certificate = DrmCertificate()
|
|
|
|
|
|
|
|
signed_drm_certificate.ParseFromString(client_id.token)
|
|
|
|
drm_certificate.ParseFromString(signed_drm_certificate.drm_certificate)
|
|
|
|
|
|
|
|
public_key = drm_certificate.public_key
|
|
|
|
key = RSA.importKey(public_key)
|
|
|
|
key_id = key.n
|
|
|
|
|
|
|
|
private_key = self.keys.get(key_id)
|
|
|
|
if private_key:
|
|
|
|
path = Path() / 'device' / self.device.name / 'private_keys' / str(drm_certificate.system_id) / str(key_id)[:10]
|
|
|
|
path.mkdir(parents=True, exist_ok=True)
|
|
|
|
path_client_id = path / 'client_id.bin'
|
|
|
|
path_private_key = path / 'private_key.pem'
|
|
|
|
|
|
|
|
path_client_id.write_bytes(data=client_id.SerializeToString())
|
|
|
|
path_private_key.write_bytes(data=private_key.exportKey('PEM'))
|
|
|
|
|
|
|
|
self.logger.info('Dumped client ID: %s', path_client_id)
|
|
|
|
self.logger.info('Dumped private key: %s', path_private_key)
|
|
|
|
self.running = False
|
|
|
|
else:
|
|
|
|
self.logger.warning('Failed to intercept the private key')
|
|
|
|
|
|
|
|
def hook_process(self, process: Process) -> bool:
|
|
|
|
"""
|
|
|
|
Hooks into the specified process to intercept DRM keys.
|
|
|
|
"""
|
|
|
|
session: Session = self.device.attach(process.name)
|
|
|
|
script: Script = session.create_script(self.script)
|
|
|
|
script.on('message', self._process_message)
|
|
|
|
script.load()
|
|
|
|
|
2024-04-01 11:00:44 +00:00
|
|
|
library_info = script.exports_sync.getlibrary(self.vendor.library)
|
|
|
|
if library_info:
|
2024-03-30 19:03:15 +00:00
|
|
|
self.logger.info('Library: %s (%s)', library_info['name'], library_info['path'])
|
|
|
|
return script.exports_sync.hooklibrary(library_info['name'])
|
2024-04-01 11:00:44 +00:00
|
|
|
return False
|