Factually I can say that the dvd region locking mechanism appears to mostly function by hardware.
Years ago I looked at the dvd's generic css drm system, by writing some of my own computer code to understand how the official authentication mechanism functions. I've run my own dvd authentication code on many combinations of cases where there is a region mismatch, no default region set, drives from different manufacturers, etc.
The error messages (i.e. scsi sense data) returned in these cases will tell you exactly what the error is and sometimes why it happened.
(On a huge tangent).
(Some updates to my thinking on this).
On and off over the past month or so, I was reading some of the legal documents which were released from the decss lawsuits between 2600 magazine vs. the MPAA from the early 2000s. One in particular was interesting:
In particular, a section titled "The Original Hack of CSS was Through the Xing License" where they described how the MPAA technical folks determined that the original deCSS program was from hacking a software dvd player from 1998 or 1999 which was made by Xing. From a technical perspective, I was wondering how exactly they "zeroed" out the keys/data of interest to determine this, as described in the passage from the above legal document:
Third, I then "zeroed out" (i.e., nullified) the Xing "master key" in the DVD ROM buffer memory and, using the same DeCSS program, copied the digital data from the DVD disc and the other "master keys" onto the hard drive of that PC. When I attempted to use the copied digital data, a message appeared on the computer screen stating that the motion picture could not be played. Finally, I "zeroed out" all of the other "master keys" in the DVD ROM buffer memory, but activated the Xing "master key" only. Using the same DeCSS program, copied the digital data from the DVD disc and the Xing key onto the computer's hard drive. When I attempted to play the motion picture from the hard drive this time, it played properly. From this experiment, I concluded that the October 6, 1999 posting contained both the CSS technology and only the Xing "master key."
The only possible place I can think of where this ^ might possibly be easily done without de-soldering any chips from a circuit board inside a dvd-r (or bluray-r) drive, would be the cache of a dvd-r (or bluray-r) drive. Reading through more scsi commands documents, I tried several commands where one could read and write data directly into the actual dvd-r drive's cache memory. (It turns out these commands are manufacturer dependent and not documented very well).
Gradually the cache reading command could eventually read the entire cache memory from the dvdr drive's cache, which gives some insight into how the data read off a dvd disc is actually buffered before it is sent to the computer. It turns out I came across a small block which I immediately recognized: the entire block of diskhash/playerciphered keys without any further bus encryption. (For that matter, there was no further encryption applied to the cached buffer data read from a dvd disc).
With some further detective work, I was able to find the segment where the region coding is stored in the dvd-r drive's cache. (It turned out the actual region code part was just one single byte).
For a joke, I decided to see what happens if I use the cache writing command and write over the region code data in the dvd-r drive's cache. Oddly enough, it actually changed the region where the dvd-r drive thinks the current dvd disc has a different region or no region at all. So until the current dvd disc is ejected, the dvd-r drive thinks that particular disc has no region (or a different region). Somewhat strange, but it actually worked!
The dvd's css hardware region locking turns out to be a hardware scheme which can be undermined by a simple software hack.
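The post above mentions that SCSI sense data reports what failed during DVD authentication. As an added illustration (not the poster's code), this decoder pulls the sense key and ASC/ASCQ out of a sense buffer and names the copy-protection codes from the T10 additional-sense-code list; the function name and the sample buffers are constructed for this example.

```python
# Added example: decode SCSI sense data returned after a failed DVD command.
# ASC 0x6F is the copy-protection group in the T10 ASC/ASCQ assignments.
SENSE_KEYS = {0x0: "NO SENSE", 0x2: "NOT READY", 0x3: "MEDIUM ERROR",
              0x5: "ILLEGAL REQUEST", 0x6: "UNIT ATTENTION"}

COPY_PROTECTION = {
    (0x6F, 0x00): "COPY PROTECTION KEY EXCHANGE FAILURE - AUTHENTICATION FAILURE",
    (0x6F, 0x01): "COPY PROTECTION KEY EXCHANGE FAILURE - KEY NOT PRESENT",
    (0x6F, 0x02): "COPY PROTECTION KEY EXCHANGE FAILURE - KEY NOT ESTABLISHED",
    (0x6F, 0x03): "READ OF SCRAMBLED SECTOR WITHOUT AUTHENTICATION",
    (0x6F, 0x04): "MEDIA REGION CODE IS MISMATCHED TO LOGICAL UNIT REGION",
    (0x6F, 0x05): "DRIVE REGION MUST BE PERMANENT/REGION RESET COUNT ERROR",
}

def decode_sense(buf: bytes) -> dict:
    """Return sense key, ASC, ASCQ and a readable meaning for a sense buffer."""
    if not buf:
        raise ValueError("empty sense buffer")
    code = buf[0] & 0x7F                      # bit 7 is the VALID flag
    if code in (0x70, 0x71):                  # fixed format (current/deferred)
        if len(buf) < 14:
            raise ValueError("fixed-format sense truncated before ASC/ASCQ")
        key, asc, ascq = buf[2] & 0x0F, buf[12], buf[13]
    elif code in (0x72, 0x73):                # descriptor format
        if len(buf) < 4:
            raise ValueError("descriptor-format sense truncated")
        key, asc, ascq = buf[1] & 0x0F, buf[2], buf[3]
    else:
        raise ValueError(f"unknown sense response code 0x{code:02X}")
    return {
        "deferred": code in (0x71, 0x73),
        "sense_key": SENSE_KEYS.get(key, f"0x{key:X}"),
        "asc": asc, "ascq": ascq,
        "meaning": COPY_PROTECTION.get((asc, ascq), "not a copy-protection code"),
    }

# Constructed sample: fixed format, ILLEGAL REQUEST, ASC/ASCQ 6F/04.
REGION_MISMATCH = bytes([0x70, 0, 0x05, 0, 0, 0, 0, 0x0A,
                         0, 0, 0, 0, 0x6F, 0x04, 0, 0, 0, 0])
# Constructed sample: descriptor format, ILLEGAL REQUEST, ASC/ASCQ 6F/03.
NO_AUTH_READ = bytes([0x72, 0x05, 0x6F, 0x03, 0, 0, 0, 0])

if __name__ == "__main__":
    for sample in (REGION_MISMATCH, NO_AUTH_READ):
        print(decode_sense(sample))
```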