Wednesday, May 2, 2007

The Famous Hacked HD-DVD/Blu-Ray Processing Key

There appears to be a storm emerging on the internet regarding the famous HD-DVD/Blu-Ray processing key:


This key originated from one of the Wired blogs:

The New HD-DVD/Blu-Ray Hack: What It Might Mean For Us

That's the so-called "Processing Key" that unlocks the heart of every HD-DVD disk to date. Happy Valentine's day, AACS.

AACS, a DRM scheme used to encrypt data on HD-DVD and Blu-Ray disks, would appear to be cracked wide open by that short string of hexadecimal codes, as previously, only disk-specific Volume Keys were compromised. The new hack is the work of Arnezami, a hacker posting at the doom9 forums, fast becoming the front line in the war on DRM.

"The AACS is investigating the claims right regarding of the hack," said AACS spokesporson Jacqueline Price. "It is going to take a appropriate action if it can be verified."

Price said she could not disclose what their investigation might entail, or what "appropriate action" might be.

“We’ve just learned of this claim today and are checking into it,” said Andy Parsons, chair of the Blu-ray Disc Association and senior V.P. of product development at Pioneer Electronics, in an email.

The new crack follows that from earlier this year, when a hacker by the name of muslix64 broke the AACS system as it applied to each movie. While the earlier hack led to 100 HD-DVD titles and a small number of Blu-Ray movies being decrypted one-by-one, the so-called "processing keys" covers everything so far made.:

"Most of the time I spend studying the AACS papers," Arnezami said in his forum post revealing the successful assault on the next-gen DRM system. "... what I wanted to do is "record" all changes in this part of memory during startup of the movie. Hopefully I would catch something insteresting. ... I now had the feeling I had something. And I did. ... Nothing was hacked, cracked or even reverse engineered btw: I only had to watch the "show" in my own memory. No debugger was used, no binaries changed."

It's not yet clear what it means for the consumer's ability to copy movies, or, for that matter, that of mass-market piracy operations. The short form is that the user still needs a disk's volume ID to deploy the processing key and break the AACS encryption — but getting the ID is surprisingly easy.

Arnezami found that they are not even random, but often obvious to the point of foolishness: one movie's Volume ID turns out to be it's own name and the date it was released. There isn't yet an automatic system, however, that will copy any disk, in the manner of DeCSS-based DVD copying systems.

Even so, the new method completely compromises HD-DVD in principle, as it relies on AACS alone to encrypt data, even if there are other parts of the puzzle that are yet to fit together. Blu-Ray has two more levels of protection: ROM-MARK (a per factory watermark, which might revoke mass production rights from a factory but not, it seems individuals) and BD+, another encyption system, which hasn't actually been used yet on sold disks (but which soon will be), meaning that its own status seems less obviously compromised.

How might the companies respond? The processing key can now be changed for future disks. However, the flaws inherent in the system make it appear easy to discover the replacement: the method of attack itself will be hard to offset without causing knock-on effects. For example, revoking player keys (in advance of obfuscating the keys in memory in future revisions of the system) would render current players unable to view future movies. Revoking the volume and processing keys that have been hacked would mean that all movies to date would not run on new players.

Publishers could randomly generate Volume IDs in future releases (as they are still needed for the current hack to work), which would make them harder to brute-force. That said, it's claimed that the "specific structure" of the Volume ID in memory makes it feasible to brute-force randomized ones anyway.

Following are links to the current discussion at the doom9 forums, in which Arnezami and other provide regular updates on their progress. We don't offer any warantee that the software implementations so far produced won't blow up your computer or get you thrown in jail and whipped with wet towels by MPAA lawyers:

Proof of concept code for the process key hack is here:

Implementation for Windows:

Implementation for OSX:

Here is the sample code:

// Processing Key
static unsigned char processing_key[16] = {0x09,0xF9,0x11,0x02,0x9D,0x74,0xE3,0x5B,0xD8,

// Encrypted C Value
static unsigned char encrypted_c_value[16] = {0x6D,0x02,0xCA,0xC6,0x7B,0x1A,0x7E,0x95,0xC2,

//Decrypted C Value
static unsigned char decrypted_c_value[16];
static unsigned char uv[4] = {0x00,0x00,0x00,0x01};

// Media Key
static unsigned char media_key[16];

//Encrypted Verification Data (King Kong)
static unsigned char encrypted_verification_data[16] = {0x87,0xB8,0xA2,0xB7,0xC1,0x0B,0x9F,0xAD,0xF8,0xC4,0x36,

//Decrypted Verification Data Should Be
static unsigned char decrypted_verification_data_should_be[8] = {0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF};

//Decrypted Verification Data
static unsigned char decrypted_verification_data[16];

// Volume ID
static unsigned char volume_id[16] = {0x40,0x00,0x09,0x18,0x20,0x06,0x08,0x41,0x00,0x20,

//Decrypted Volume ID
static unsigned char decrypted_volumeid[16];

//Volume Unique Key
static unsigned char volume_unqiue_key[16];

// First decrypt the C-value with the processing key
oRijndael.MakeKey((char *)processing_key, CRijndael::sm_chain0, 16, 16);
oRijndael.DecryptBlock((char *)encrypted_c_value,
(char *)decrypted_c_value);

// Then XOR it with with the uv (of the corresponding C-value)
for (j = 0; j <>
if (j <>
media_key[j] = decrypted_c_value[j];
media_key[j] = decrypted_c_value[j]^uv[j-12];

// Then check if the resulting media key is correct using the verify media key
oRijndael.MakeKey((char *)media_key, CRijndael::sm_chain0, 16, 16);
oRijndael.DecryptBlock((char *)encrypted_verification_data,
(char *)decrypted_verification_data);

if (!memcmp(decrypted_verification_data_should_be, decrypted_verification_data, 8))
for (j = 0; j <>
printf("%02X ", decrypted_verification_data[j]);

// Then do a AES-G (basicly a decrypt and an XOR) on the media key + volumeID
oRijndael.MakeKey((char *)media_key, CRijndael::sm_chain0, 16, 16);
oRijndael.DecryptBlock((char *)volume_id, (char *)decrypted_volumeid);
for (j = 0; j <>
volume_unqiue_key[j] = volume_id[j]^decrypted_volumeid[j];

// This results in the Volume Unique Key
for (j = 0; j <>
printf("%02X ", volume_unqiue_key[j]);

Also, rumor has it that DVD copying software (such as Slysoft's AnyDVD) already has the ability to copy HD-DVD /Blu-Ray.