Difference between revisions of "Blu-ray"

From ArchWiki
Jump to: navigation, search
m (Revoked Host key/certificate)
(AACS decryption process)
Line 15: Line 15:
  
 
===== AACS decryption process =====
 
===== AACS decryption process =====
The AACS decryption process for a protected disc by an "approved" player can be said to have roughly four stages:
+
The AACS decryption process for a protected disc by a licensed player goes through four stages:
 
# The software/embedded player's Device Keys, together with a disc's Media Key Block (MKB) data are used to retrieve a "Processing Key", and with that (plus another datum from the MKB) to compute the Media Key.
 
# The software/embedded player's Device Keys, together with a disc's Media Key Block (MKB) data are used to retrieve a "Processing Key", and with that (plus another datum from the MKB) to compute the Media Key.
 
# That Media Key, together with the disc's Volume ID (VID) -- obtained by the player presenting a valid Host Certificate to the drive (unless it's got patched firmware), which then reads the VID from a special "BD-ROM Mark" -- is used to compute the Volume Unique Key (VUK).
 
# That Media Key, together with the disc's Volume ID (VID) -- obtained by the player presenting a valid Host Certificate to the drive (unless it's got patched firmware), which then reads the VID from a special "BD-ROM Mark" -- is used to compute the Volume Unique Key (VUK).
Line 21: Line 21:
 
# Finally those Title Keys unscramble the disc's protected media content.
 
# Finally those Title Keys unscramble the disc's protected media content.
  
Depending on the content of the KEYDB.cfg file, it is possible to skip some of these stages and reach the last step, which allows the media player to play the disc. This is either by providing in the KEYDB.cfg file either (or both):
+
Depending on the content of the KEYDB.cfg file, libaacs can skip some of these stages to reach the last step, which allows the media player to play the disc. This is either by providing in the KEYDB.cfg file either (or both):
* a valid list of Processing keys and a valid Host key/certificate
+
* a valid (corresponding to the MKB version of the disc) Processing key and a valid (i.e. non revoked by the drive) Host key/certificate
 
* a valid VUK for each specific disc.
 
* a valid VUK for each specific disc.
  
If libaacs finds valid processing keys as well as a valid Host key and certificates, it skips the process to step 2. However, the Host key/certificates are regularly revoked through the propagation of new BluRay discs. Once revoked, a drive is not able to read both new and older discs. This is usually irreversible and can only be fixed by provided a more recent Host key/certificate. However, there is another way to decrypt a disc: by providing a valid VUK in the KEYDB.cfg file. This allows libaacs to skip directly to step 3. Contrary to the Processing keys, VUKs are disc specific. Therefore this is less efficient as the user will have to get the VUK from a third party. But the great advantage is that VUKs cannot be revoked. Note that if libaacs is able to perform step 2 (with a valid Host key/certificate), then it stores the VUK calculated in step 3 in ~/.cache/aacs/vuk. At subsequent viewings of the same disc, libaacs can reuse the stored VUK. Thus it may be a good idea to backup these VUKs.
+
If libaacs finds a valid processing key for the disc MKB version as well as a valid Host key and certificates, it skips the process to step 2. However, the Host key/certificates are regularly revoked through the propagation of new BluRay discs. Once revoked, a drive is not able to read both new and older discs. This is usually irreversible and can only be fixed by provided a more recent Host key/certificate. However, there is another way to decrypt a disc: by providing a valid VUK in the KEYDB.cfg file. This allows libaacs to skip directly to step 3. Contrary to the Processing keys, VUKs are disc specific. Therefore this is less efficient as the user will have to get the VUK from a third party. But the great advantage is that VUKs cannot be revoked. Note that if libaacs is able to perform step 2 (with a valid Host key/certificate), then it stores the VUK calculated in step 3 in ~/.cache/aacs/vuk. At subsequent viewings of the same disc, libaacs can reuse the stored VUK. Thus it may be a good idea to backup these VUKs.
  
 
==== BD+ ====
 
==== BD+ ====

Revision as of 07:54, 19 April 2012

This template has only maintenance purposes. For linking to local translations please use interlanguage links, see Help:i18n#Interlanguage links.


Local languages: Català – Dansk – English – Español – Esperanto – Hrvatski – Indonesia – Italiano – Lietuviškai – Magyar – Nederlands – Norsk Bokmål – Polski – Português – Slovenský – Česky – Ελληνικά – Български – Русский – Српски – Українська – עברית – العربية – ไทย – 日本語 – 正體中文 – 简体中文 – 한국어


External languages (all articles in these languages should be moved to the external wiki): Deutsch – Français – Română – Suomi – Svenska – Tiếng Việt – Türkçe – فارسی

How it works

Forenote

This article is designed to help Linux users to play the BluRay discs they have legally purchased on their computers. Since no official BluRay player software exists, Linux users have to use open-source libraries capable of handling the DRM schemes that protect these disc contents. This is legal in most countries where interoperability allows this.

BluRay DRM

Contrary to the DVD CSS, which was definitely compromised once the unique encryption key had been discovered, BluRay uses stronger DRM mechanisms, which makes it a lot more difficult to manage. Firstly, the AACS standard uses a lot more complicated cryptographic process to protect the disc content, but also allows the industry to revoke compromised keys and distribute new keys through new BR discs. Secondly, BluRay may also use another layer of protection: BD+. Although most of commercial discs use AACS, a few of them additionally use BD+. In 2007, the AACS system was compromised and decryption keys were published on the Internet. Many decryption programs were made available, but the interest to Linux users was the capability of playing their discs - legally purchased - on their computers. Although the industry was able to revoke the first leaked decryption keys, new keys are regularly published in a cat and mouse play.

AACS

libaacsAUR is a research project from the VideoLAN developer team to implement the Advanced Access Content System specification, and distributed as an open-source library. This project does not offer any key or certificate that could be used to decode encrypted copyrighted material. However, combined with a key database file, it is possible to use it to play BluRay discs that use the AACS standard. This file is called KEYDB.cfg and is accessed by libaacs in ~/.config/aacs. The format of this file is available at [1].

AACS decryption process

The AACS decryption process for a protected disc by a licensed player goes through four stages:

  1. The software/embedded player's Device Keys, together with a disc's Media Key Block (MKB) data are used to retrieve a "Processing Key", and with that (plus another datum from the MKB) to compute the Media Key.
  2. That Media Key, together with the disc's Volume ID (VID) -- obtained by the player presenting a valid Host Certificate to the drive (unless it's got patched firmware), which then reads the VID from a special "BD-ROM Mark" -- is used to compute the Volume Unique Key (VUK).
  3. That VUK is used to unscramble the disc's scrambled Title Keys.
  4. Finally those Title Keys unscramble the disc's protected media content.

Depending on the content of the KEYDB.cfg file, libaacs can skip some of these stages to reach the last step, which allows the media player to play the disc. This is either by providing in the KEYDB.cfg file either (or both):

  • a valid (corresponding to the MKB version of the disc) Processing key and a valid (i.e. non revoked by the drive) Host key/certificate
  • a valid VUK for each specific disc.

If libaacs finds a valid processing key for the disc MKB version as well as a valid Host key and certificates, it skips the process to step 2. However, the Host key/certificates are regularly revoked through the propagation of new BluRay discs. Once revoked, a drive is not able to read both new and older discs. This is usually irreversible and can only be fixed by provided a more recent Host key/certificate. However, there is another way to decrypt a disc: by providing a valid VUK in the KEYDB.cfg file. This allows libaacs to skip directly to step 3. Contrary to the Processing keys, VUKs are disc specific. Therefore this is less efficient as the user will have to get the VUK from a third party. But the great advantage is that VUKs cannot be revoked. Note that if libaacs is able to perform step 2 (with a valid Host key/certificate), then it stores the VUK calculated in step 3 in ~/.cache/aacs/vuk. At subsequent viewings of the same disc, libaacs can reuse the stored VUK. Thus it may be a good idea to backup these VUKs.

BD+

There is currently no way to handle BD+. The VideoLAN development is working on a libbdplus library too, but the source code is not made public until legal clarification.

Playback

Preparation

Firstly install libbluray from the official repositories and libaacs-gitAUR from the AUR.

Fast & Simple

Put http://vlc-bluray.whoknowsmy.name/files/KEYDB.cfg (no pregenerated keys, contains a real hcert) in ~/.config/aacs/. This method will only work if your drive has not revoked the host key/certificate (usually when inserting a newer disc) that is in the KEYDB.cfg file.

cd ~/.config/aacs/ && wget http://vlc-bluray.whoknowsmy.name/files/KEYDB.cfg
Next, mount the bluray to a directory. eg:
# mount /dev/sr0 /media/blurays

When you play the disc (using mplayer or vlc), libaacs will store the VUK in ~/.cache/aacs/vuk. The filename is the disc ID and its content is the VUK itself. VLC will reuse this VUK even if it does not find a valid KEYDB.cfg file, so it could be a good idea to backup this directory for the future. Mplayer always depends on a valid KEYDB.cfg file though.

If Fast & Simple does not work
If bluray playback with the hcert mentioned above does not work, install aacskeysAUR and get a list of VUKs from http://forum.doom9.org/attachment.php?attachmentid=11170&d=1276615904 or (newer) http://forum.doom9.org/showthread.php?p=1525922#post1525922 and unzip it into ~/.config/aacs/KEYDB.cfg. Then run
sed -i 's/\([[:xdigit:]]\)\{5,\}/0x&/g' ~/.config/aacs/KEYDB.cfg"
Next, mount the bluray to a directory. eg:
# mount /dev/sr0 /media/blurays
Now the bluray has to be added to the key database so that libaacs can decrypt it. To do this, cd into /usr/share/aacskeys and run:
aacskeys </bluray/mount/dir>
eg:
cd /usr/share/aacskeys && aacskeys /media/blurays

Edit ~/.config/aacs/KEYDB.cfg and add the information outputted by aacskeys using this syntax:

0x<unit key file hash> = Film Title    | V | 0x<volume unique key>
If aacskeys is not able to generate the key

Try to generate the VolumeID with DumpVID using wine. The VolumeID can now be used to generate the bluray key with aacskeys with the VolumeID option

Usage: aacskeys [options] <mountpath> [volume id / binding nonce]

Media Players

These are media players capable of using libbluray and libaacs to play AACS-scrambled BluRay discs.

mplayer

To play blurays in mplayer the basic playback command is:

mplayer br:///</bluray/mount/dir>

or:

mplayer br://<title number> -bluray-device </bluray/mount/dir>

vlc

Since version 2.0.0, vlc has had experimental bluray playback support. Bluray menus are not yet working. For discs not protected by BD+ the above Fast & Simple method should work (unless your drive has revoked the host key/certificate, then only the other method will work).

Start playback with:
vlc bluray://</bluray/mount/dir>

Troubleshooting

Stuttering Video

It is likely that you will need to enable hardware acceleration and multi core CPU support for the bluray to play smoothly.

For nvidia cards, enable hardware acceleration by installing libvdpau and using the option '-vo vdpau' with mplayer. eg:

mplayer -vo vdpau br:///</bluray/mount/dir>

For multi core CPU support use the options '-lavdopts threads=N', where 'N' is the number of cores. eg:

mplayer -lavdopts threads=2 br:///</bluray/mount/dir>
Incorrect Audio Language

You can scroll through the playback languages using the '#' key.

Out of Sync Audio

From your first mplayer output, you must find the codec used for the bluray. It will be at the end of the line "Selected video codec".

For H.264 discs use the option '-vc ffh264vdpau'. eg:

mplayer -vc ffh264vdpau br:///</bluray/mount/dir>

For VC-1 discs use '-vc ffvc1vdpau'. eg:

mplayer -vc ffvc1vdpau br:///</bluray/mount/dir>

For MPEG discs use '-vc ffmpeg12vdpau'. eg:

mplayer -vc ffmpeg12vdpau br:///</bluray/mount/dir>
Revoked Host key/certificate

Unfortunately, what may happen when inserting a newer BluRay disc is the revocation of host key/certificates (which are keys of licensed software players) by your drive. When this happens, aacskeysAUR will return this message:

 The given Host Certficate / Private Key has been revoked by your drive.

This is part of the AACS protection scheme: editors are able to revoke old software player host keys that have leaked on the Internet and distribute the lists on newer commercial disc releases. This is irreversible and does cannot be fixed even after reflashing the drive. The only two ways to correct this would be:

  • to update the host key/certificate part in the KEYDB.cfg file to ones that have not been revoked (yet)
  • to add in KEYDB.cfg the VUK of each specific disc instead, as explained above. VUKs cannot be revoked by the industry.

When a disc (using mplayer or vlc) is succesfully decrypted, libaacs will store the VUK in ~/.cache/aacs/vuk. If the host key/certificate in KEYDB.cfg is subsequently revoked, VLC will still be able to use the stored VUK, so it could be a good idea to backup the ~/.cache/aacs directory for the future.

Note that even if a valid VUK is found in ~/.cache/aacs/vuk, a KEYDB.cfg file in ~/.config/aacs/ is required by libaacs to work (even if that file is empty).

Other Useful Software

For DVD, the libdvdcss package supplies the needed decryption libs. Below are some options for BluRay/HD-DVD decryption. Users can employ to backup a commercial BluRay movie under Fair Use guidelines:

  • anydvdhd - Commercial software requiring users to run it on an Microsoft OS in a VM.