Dump L3 CDM from any Android device
Go to file
Diazole 2899fc93a2 Allow the CDM version and fn to be passed via args 2022-10-30 02:23:28 +00:00
Helpers Allow the CDM version and fn to be passed via args 2022-10-30 02:23:28 +00:00
.gitignore Update .gitignore 2021-12-03 12:29:36 +01:00
README.md Allow the CDM version and fn to be passed via args 2022-10-30 02:23:28 +00:00
dump_keys.py Allow the CDM version and fn to be passed via args 2022-10-30 02:23:28 +00:00
requirements.txt Update script to support Android 10, 11, 12 2022-10-04 23:23:53 +01:00

README.md

Dumper

Dumper is a Frida script to dump L3 CDMs from any Android device.

** IMPORTANT **

The function parameters can differ between CDM versions. The default is [4] but you may have to change this for your specific version.

  • CDM_VERSION can be retrieved using a DRM Info app.

Requirements:

Use pip to install the dependencies:

pip3 install -r requirements.txt

Usage:

  • Enable USB debugging
  • Start frida-server on the device
  • Execute dump_keys.py
  • Start streaming some DRM-protected content

The script will hook every function in your 'libwvhidl.so' module by default, effectively brute forcing the private key function name.

python3 .\dump_keys.py [OPTIONS]

You can pass the function name to hook using the --function-name argument.

python3 .\dump_keys.py --function-name 'polorucp'

The script defaults to args[4] if no --cdm-version is provided. This will only have an effect if your version is 16.1.0.

python3 .\dump_keys.py --cdm-version '16.1.0'

Options:

    -h, --help                      Print this help text and exit.
    --cdm-version                   The CDM version of the device e.g. '16.1.0'.
    --function-name                 The name of the function to hook to retrieve the private key.

Known Working Versions:

  • Android 9
    • CDM 14.0.0
  • Android 10
    • CDM 15.0.0
  • Android 11
    • CDM 16.0.0
  • Android 12
    • CDM 16.1.0

Temporary disabling L1 to use L3 instead

A few phone brands let us use the L1 keybox even after unlocking the bootloader (like Xiaomi). In this case, installation of a Magisk module called liboemcrypto-disabler is necessary.

Credits

Thanks to the original author of the code.