February 25th, 2007

Another nail in the AACS coffin

Posted by Adrian Kingsley-Hughes @ 4:54 pm

Categories: Blu-ray, DRM, HD-DVD

Tags:

A hacker has put another nail in the coffin of the HD encryption scheme AACS - the device key for WinDVD 8 has been found.

 Loading ...

A hacker going under the pseudonym of ATARI Vampire has discovered the device key for WinDVD 8 and posted their findings on the Doom9 forum. 

About 35,000 bytes into the file I extracted a 16 byte value that was able, using the constant as the d value, to create the processing key. If my interpretation of the AACS specification is correct, I have found a device key. Here is the device key, along with the memory offset where it can be re-discovered assuming that you dump memory in WinDVD 8 early enough in the runtime process. By the way, psuspened helps tremendously with slowing processes down so that pmdump can accurately dump memory!

[WinDVD 8]

Device Key: AA856A1BA814AB99FFDEBA6AEFBE1C04
Found at memory location: 0×000089EC

Device Key: AA856A1BA814AB99FFDEBA6AEFBE1C04
Found at memory location: 0×00008A20

Another prominent AACS hacker on Doom9 called Arnezami explains the significance of this finding:

We need a Private Host Key (to get volume ids) for fully independent decryption of all existing discs. I'm working 24/7 on this (and hopefully others do too) but haven't had any luck yet . My ecdsa crypto setup is working now though (eg. can verify stuff using pub keys from drive and/or host) and its quite speedy now. Using openssl.

The above sub device key has the same value as the Processing Key atm. But its nice to have a (sub) Device Key . More Device Keys (although nice) won't help decrypt existing discs (since we already have the Processing Key and on every disc this same Processing Key is used).

Given how fast these hackers are breaking down AACS, I don't think it's going to be long until they have a private host key.