Hello All,

We released codes for "Microsoft PlayReady toolkit", a tool that has been developed as part of our research from 2022:

https://security-explorations.com/microsoft-playready.html#details

The toolkit illustrates the following:
- fake client device identity generation,
- acquisition of license and content keys for encrypted content,
- downloading and decryption of content,
- content inspection (MPEG-4 file format),
- Manifest files inspection,
- combination of content fragments into single, ready to play or distribute, plaintext movie file,
- watermarking detection / checks,
- CDN auth bypass,
- license crawling,
- automatic content security check for Canal+ environment.

Please note that due to “not fixed” status (Microsoft didn't revoke group cert and Canal+ didn't implement auth checks for license server among others) the following has been removed from the public package:
- crypto secrets such as STB private keys, PlayReady private group key, Canal+ client SSL certificates, CDN / VOD secrets,
- STB PlayReady binary
- reverse engineering API traces
- functionality pertaining to VOD purchases / orders (online and SMS based, affecting users' billing)

As such, the toolkit is not "functional / ready to use" (the codes cannot be used for the piracy of Canal+ VOD content without the missing secrets).

Yet, we hope the released codes help both security researchers interested in PayTV / content security along with content providers gain a more in-depth understanding of Microsoft PlayReady technology operation and its limitations. We hope it helps others avoid some mistakes too.

Thank you.

Best Regards,
Adam Gowdiak

----------------------------------
Security Explorations -
AG Security Research Lab
https://security-explorations.com
----------------------------------

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/