Soooo, after a few evenings of work, I've 100% broken Widevine L3 DRM. Their Whitebox AES-128 implementation is vulnerable to the well-studied DFA attack, which can be used to recover the original key. Then you can decrypt the MPEG-CENC streams with plain old ffmpeg...
Huge thanks to and the Side-Channel Marvels project for making this attack scarily trivial to pull off.
Very cool work.
Did they not respond to previous responsible disclosure notices?
DRM is flawed by design. I do not consider this a bug, and it cannot be fixed.
now break L1 by extracting the intermediate keys from any device with a vulnerable TZ implementation or boot ROM
(sorry for noob question) So if I understand correctly, you need access to clear output? Hence it won't work when SW_SECURE_DECODE is enabled in the license?