Hackers at doom9.org have found a way to decrypt, extract and retrieve the HD-DVD disc's encrypted volume unique key, which can be used to decode the title keys for the high-definition video content, and also the title keys themselves. Each video title has one, and it is used to decode the matching encrypted HD video file, the EVOB (Enhanced Video Object), stored on the disc. The volume unique key (VUK) and title keys (TK, normally same for all) are the important missing elements that enable BackupHDDVD to work properly, and fill in the final piece needed to decrypt a copy-protected commercial HD DVD disc and copy or back it up to other storage media.

Apparently, to extract the decrypted volume key and title keys you have to use InterVideo WinDVD 8, not CyberLink PowerDVD as previously believed. PowerDVD was the player used by the original author, Muslix64, in his video demo of ripping and copying AACS DRM-protected HD video content from an HD-DVD disc, due to the fact that WinDVD cannot play .EVO files. By dumping WinDVD’s memory and tracing WinDVD’s code, you can find the title keys for each video title or track on the HD-DVD, together with the unique volume key for the particular batch of discs. The keys can then be entered into BackupHDDVD's KEYDB.cfg (previously known as TKDB.cfg) to rip the HD movie EVO to hard disk.

Currently only the Japanese version of InterVideo WinDVD 8 can play HD-DVD high-definition video or movie content. If you own an English version of InterVideo WinDVD 8 Gold or Platinum, you need to purchase an upgrade that costs $26 for HD DVD and Blu-ray playback support. However, it is unclear whether, with this HD upgrade pack, the vulnerability that allows users to read the keys from memory has been patched or remains open.

To crack the volume key and title keys yourself, you will also need WinHex. With WinHex, dump the memory of WinDVD while it is playing the HD-DVD, search for VPLST000.XPL in WinDVD’s memory (4th occurrence), and from that offset:

+0x0181 is the Decrypted Title Keys table
+0x1571 is the Volume Unique Key

or

+0x13C0 is the Volume Unique keys after the location of the 2nd Title Key

The offsets may vary from system to system and disc to disc, or even video to video. In case you’re having trouble finding the keys, search for the second occurrence of the following text:

file:///required/

Then scroll down until you see a lot of paired 00 digits, which represent the TK (Title Keys) block. Further down will be the VK (Volume Key).

Or search for “00 20 00 00 00 3F 00 00 00 80 00 00 00” with the key after it.

Once you manage to get the VK or TK, enter the value into the KEYDB.cfg (previously TKDB.cfg) file. To recap, KEYDB.cfg has the following format:

0000000000000000000000000000000000000000=My movie 2 |T|00/00/00|
14-00000000000000000000000000000000| 2-00000000000000000000000000000000

Note: This is supposed to be on one line; it is wrapped here for readability.

Field 1 is the SHA1 hash value of the VTKF000.AACS file on your HD-DVD disc. To get the hash value or checksum of the VTKF0000.AACS file, use any of the hash calculators listed in this calculate hash tutorial.

After field 1, the string is followed by a “=” sign. Then followed by field 2, which is the Movie Title.

After field 2, the line is tabbed to the right, and followed by a pipe “|” delimiter. Then it’s field 3 which specifies the key type where V is for Volume Unique Key and T is for Title Key. Another pipe “|” delimiter after this. The VK or VUK feature is only available from BackupHDDVD v1.00 onwards.

Field 4 is the file creation date. This field is informational only, and is ignored by the program. It should be the creation date of the media file on the disc. It is separated from the last field, again, by a pipe.

Field 5 is where you enter the volume key or the title keys recovered from the memory dump. You can enter a variable number of Title Keys, each separated by a pipe “|” delimiter, or just a single volume key. Since version 1.00, you can use either title or volume keys, depending on the value you defined in field 3 of the KEYDB.cfg file.

If you’re using title keys, the syntax of field 5 is as shown above: a key number followed by a dash and the key value, such as below:

12-08A3DC61910280F2…

If you’re using a volume key or VLU, there is no key number and no dash (-) in front. BackupHDDVD comes with a sample KEYDB.cfg that contains some entries for your reference. Key values are 128 bits long, so each is 16 bytes, or 32 hexadecimal characters long.
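The five-field layout described above can be checked mechanically before a line is trusted. The following is an added example, not BackupHDDVD's own code: the parsing rules are inferred from this page's description of the format, the function name `parse_keydb_line` is hypothetical, and the sample lines are constructed from the all-zero placeholder entry shown earlier.

```python
import re

SHA1_HEX = re.compile(r"[0-9A-Fa-f]{40}")            # field 1: 160-bit hash
KEY_HEX = re.compile(r"[0-9A-Fa-f]{32}")             # 128-bit key = 32 hex chars
TITLE_KEY = re.compile(r"(\d+)-([0-9A-Fa-f]{32})")   # "<key number>-<key value>"

def parse_keydb_line(line):
    """Parse one logical (unwrapped) KEYDB.cfg line; ValueError if malformed."""
    digest, eq, rest = line.partition("=")
    if not eq or not SHA1_HEX.fullmatch(digest.strip()):
        raise ValueError("field 1 must be 40 hex digits followed by '='")
    fields = [f.strip() for f in rest.split("|")]
    if len(fields) < 4:
        raise ValueError("expected title|type|date|key...")
    title, key_type, date, raw_keys = fields[0], fields[1], fields[2], fields[3:]
    if key_type == "V":
        # Volume key: exactly one bare value, no key number and no dash.
        if len(raw_keys) != 1 or not KEY_HEX.fullmatch(raw_keys[0]):
            raise ValueError("type V needs a single 32-hex-digit key")
        keys = raw_keys[0].upper()
    elif key_type == "T":
        keys = {}
        for item in raw_keys:
            m = TITLE_KEY.fullmatch(item)
            if m is None:
                raise ValueError("bad title key entry: %r" % item)
            keys[int(m.group(1))] = m.group(2).upper()
    else:
        raise ValueError("field 3 must be V or T")
    # Field 4 (date) is informational only, so it is carried through unchecked.
    return {"hash": digest.strip().upper(), "title": title,
            "type": key_type, "date": date, "keys": keys}

# Constructed samples: the page's own all-zero placeholder entry joined onto
# one line, and a volume-key variant of it. No real hash or key values.
SAMPLE_T = "0" * 40 + "=My movie 2\t|T|00/00/00|14-" + "0" * 32 + "| 2-" + "0" * 32
SAMPLE_V = "0" * 40 + "=My movie 2\t|V|00/00/00|" + "0" * 32

if __name__ == "__main__":
    for sample in (SAMPLE_T, SAMPLE_V):
        print(parse_keydb_line(sample))
```
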

If you are too lazy to decrypt and hack the HD-DVD title keys or volume license key yourself, or still have no idea how to do it, some Samaritans have done the dirty job. Here are some of the Volume Unique Keys of the HD-DVD movies released in the USA (removed due to a DMCA complaint):

12 Monkeys, 16 Blocks, Aeon Flux, Apollo 13, Apollo 13 (EUR), Batman Begins, Casablanca, Casino, Charlie And The Chocolate Factory, Chronicles of Riddick, Constantine, CSI NY (GER), Dune, Enter the Dragon, Equilibrium (Jap), Excalibur, Fear & Loathing Las Vegas, Friday Night Lights, Full Metal Jacket, GoodFellas, GrandPrix, Happy Gilmore, Harry Potter GOF (UK), Hulk, Jarhead, Jarhead (EUR), Jet Li’s Fearless, King Kong, King Kong (EUR), Kiss Kiss Bang Bang, Kiss Kiss Bang Bang (EUR), Lady in the Water, Last Samurai, Lethal Weapon, Lucky Number Slevin, Miami Vice, Mission: Impossible, Mission: Impossible (EUR), Mission: Impossible 2, Mission: Impossible 2 (EUR), Mission: Impossible 3 (Disc 1), Mission: Impossible 3 (Disc 1) (EUR), Mission: Impossible 3 (Disc 2), Mission: Impossible 3 (Disc 2) (EUR), Nacho Libre, Phantom of the Opera, Pitch Black, Poseidon, Ray, Red Dragon, Sahara, Scorpion King, Serenity, Serenity (EUR), Sky Captain and the World of Tomorrow, Sleepy Hollow, Slither, Spy Game, Superman: The Movie, Superman II: Donner Cut, SuperMan Returns, Swordfish, Syriana, Syriana (EUR), Terminator 3, The Adventures of Robin Hood, The Deer Hunter, The Fugitive, The Interpreter, The Italian Job, The Lake House, The Matador, The Mummy, The Mummy Returns, The Perfect Storm, The Pianist (uk), The Polar Express (EUR), The Thing, Total Recall (fr), TrainingDay, Troy, U-571, Unforgiven, Unleashed (USA), V for Vendetta, V For Vendetta (EUR), Van Helsing, WaterWorld, We Were Soldiers, World Trade Center

The list of decrypted and decoded volume keys is growing every day; visit the Doom9.org thread for the latest updates and the volume keys of new titles. You can simply copy and paste the VUK or VK of all the movie titles into KEYDB.cfg, and you can then use BackupHDDVD to rip or back up your HD movie to your hard disk. One word of caution: the backup EVOB generated will take up tens of GBs of your hard disk space.

The only concern now is that the AACS LA may initiate content revocation, although it can only revoke physical optical drives, software player hosts on the PC and HD-DVD content, and is unable to revoke volume or title keys. Revocation info (the Host Revocation List, HRL, and the Drive Revocation List, DRL) comes from the Media Key Block (MKB) stored on the disc, stamped with a version number. Before any HD EVO file is played back, the revocation lists stored in the HD-DVD drive's flash ROM or NVRAM and on your PC are checked and updated with the information from the HD-DVD disc if it has a later version. If it’s content revocation, then it’s listed in the CONTENT_REVOCATION_LIST.AACS file on the disc.

This means that if you insert an AACS DRM copy-protected HD-DVD or even Blu-Ray disc (likely to be a new or future release) with updated revocation information that revokes your drive or your player, it will not play certified content (HD-DVDs) anymore. The only workaround to play HD-DVDs again is to upgrade the product to a higher and more secure version, which is re-certified by AACS with a new Host Certificate and Host ID. However, in this case, you may not be able to get title and volume decryption keys anymore.

Note: Links to download BackupHDDVD here.

As BackupHDDVD is based on Java, you may face the following problem:

An unexpected error has been detected by HotSpot Virtual Machine:
# Internal Error (4E41544956452C4F4F4B55500E43505000D5), pid=3704, tid=3304
# Java VM: Java HotSpot(TM) Server VM (1.5.0_10-b03 mixed mode)

In this case, try uninstalling all Java editions and versions from your computer, then download the Java Runtime Environment version 5 from http://www.java.com/en/. If you download JDK 6.0 from http://java.sun.com/javase/downloads/index.jsp, you need to rename the folder after installing the Java JDK.

Original path and folder name:

C:\Program Files\Java\jdk1.6.0\jre\bin\server

Rename or copy to the following path and folder name:

C:\Program Files\Java\jre1.6.0\bin\server
