#EXT-X or m3u8 or TS or AES-128? You got HLS.. Howto Beat it in 2017

#EXT-X or m3u8 or TS or AES-128? You got HLS.. Howto Beat it in 2017

 

It's called HTTP Live Streaming and it's a standard..

There is usually a master m3u8 with, for example different resolutions or audio only. Then each version of the content has it's own m3u8 that has the ts files you download and copy(copy *.ts example.mp4 on Windows for example). Then run it through ffmpeg to clean it up.

If it uses encryption then each .ts has it's own crypto key url("#EXT-X-KEY:METHOD=AES-128,URI=") and iv(example:"IV=0x00000000000000000000000000000007" ) that is used to decrypt it. The key is the body of the response of that http GET to the key url. Each key is for each TS there is no inheritor or weird padding or mixing going on..

How big networks make it more secure: The spec allows for a global key also in the ts-m3u8 that is used to decrypt each ts key, and the hosts usually timeout sessions on these and only server over https/tls. FFMPEG can still beat this security if you pass it a fresh enough URL. Sometime you have to manually dump using a cookie but not often. Grab the page with python and use the cookie header to grab ts files and either decrypt with a python encryption library(no native library) or use openssl CLI. Some might start using HTML5 storage too. With spec security just use the following.

How to easily get the m3u8:
How to rip even the secure ones(since HTML5 player has strict rules on key exchange). NOTE: if FFMPEG stops for any reason use the -ss option in front of input to resume ripping to a new file and just concat later; this happens with me with 1080 stream ripping.
Best transcode
P.S. I only got in to streaming a couple days ago but have seen this before on paid podcast networks except not encrypted.. It's easy.. If you use it I suggest tighter rulers on the global key. THE future: Using TPM hardware for decryption with binding to HTML5 video internals.

Re: #EXT-X or m3u8 or TS or AES-128? You got HLS.. Howto Beat it in 2017

 

this isn't gonna work for encrypted streams .. like hbogo, showtime anytime etc...

Re: #EXT-X or m3u8 or TS or AES-128? You got HLS.. Howto Beat it in 2017

 

If it works on Uplynk HLS streams it'll work on all of them. Uplynk uses master+segment keys in AES-128.. I feed them directly to FFMPEG and get clean 1080p rips..

Unless they use a custom player with FlashPlayer they have to comply with the HLS standard to get it to work with HTML5 <video>.. Most browsers shut off FlashPlayer based on domain policy or MAC so HTML5 is pretty much their only option.. Third party players like JWPlayer are even defaulting to HLS standard now.. All of their developers have to be force fed knowledge like most textbook CS grad software people so don't expect them to tighten security around the key URIs anytime soon..

Re: #EXT-X or m3u8 or TS or AES-128? You got HLS.. Howto Beat it in 2017

 

This is the kind of stream I am having difficulty with. When I try your code...

ffmpeg -protocol_whitelist file,udp,rtp,crypto,tcp,https,rtsp,tls -i "TS-M3U8 URL HERE" -c:a copy -c:v copy "OUTPUT FILE HERE.ts"

using my own filenames I get an error about "unable to open key file". I am not sure how to get that key file from the m3u8 file. I have read that it could be found in a cookie but also that it could be found in them m3u8 file itself.

Re: #EXT-X or m3u8 or TS or AES-128? You got HLS.. Howto Beat it in 2017

 

second red text is from first red text. They likely use cookies or referrer or timeout or all of the above to protect individual and/or master key URI. With these you need to use a python script the uses cookie header and sets referrer header. This isn't an uplynk thing it's a client thing.

Re: #EXT-X or m3u8 or TS or AES-128? You got HLS.. Howto Beat it in 2017

 

Roger that, thank you steamcrank!

Re: #EXT-X or m3u8 or TS or AES-128? You got HLS.. Howto Beat it in 2017

 

I still don't buy it

I will share my personal hbogo account with you .. if you get streams working I'll even donate you some money

but I just don't see it working

contact me if interested

Re: #EXT-X or m3u8 or TS or AES-128? You got HLS.. Howto Beat it in 2017

 

I'll do it if the donation is bitcoin. I have to go through a proxy or VPN that isn't blacklisted by HBO because I'm outside the US right now.

Unless your target site is using a flash player they're forced to stick to the standards supported by the target browser HTML5 <video> support. There is no if and or but.. Both HTML5 DRM and HLS use clear key exchanges only protected by weak session policies. FFMPEG does great with HLS encrypted as long as you have the bandwidth for HD and they don't check cookie and referrer headers on key URIs.

Re: #EXT-X or m3u8 or TS or AES-128? You got HLS.. Howto Beat it in 2017

 

I'm willing to donate as well. Keep us updated. Check your PM.

EDIT:

And btw. HBO and a few others don't use #EXT-X-KEY:METHOD=AES-128,URI=

Last time I checked it was #EXT-X-KEY:METHOD=SAMPLE-AES,URI="faxs://faxs.adobe.com",KEYFORMAT="com.apple.streamingkeyd elivery",KEYFORMATVERSIONS="1",IV=

Re: #EXT-X or m3u8 or TS or AES-128? You got HLS.. Howto Beat it in 2017

 

hbo works with vpn

and sure .. btc is fine

Re: #EXT-X or m3u8 or TS or AES-128? You got HLS.. Howto Beat it in 2017

 

Nothing streamcrank has said indicates that he is familiar with flash access.

Re: #EXT-X or m3u8 or TS or AES-128? You got HLS.. Howto Beat it in 2017

 

crap.. you are right.. it is SAMPLE-AES

I didn't check on this for a while... was pretty sure it's AES-128

but now I see they use fairplay encryption with xs key delivery
faxs:// url points the player to the Adobe Access (XS) system ... key is probably never even passed through the browser

this completely bypasses widevine .. so netflix approach is a no go

maybe somebody out there knows the trick... but with written above... I just don't see it

Re: #EXT-X or m3u8 or TS or AES-128? You got HLS.. Howto Beat it in 2017

 

I don't see it either. XS solution is probably closely held unless you've seen it on darkweb. I don't have hbo but is hls with XS the method they use on all device platforms?

Re: #EXT-X or m3u8 or TS or AES-128? You got HLS.. Howto Beat it in 2017

 

that's what I'm wondering too

web one is a no go as far as i know...
but then again... I could be wrong

Re: #EXT-X or m3u8 or TS or AES-128? You got HLS.. Howto Beat it in 2017

 

Re: #EXT-X or m3u8 or TS or AES-128? You got HLS.. Howto Beat it in 2017

 

dash is most commonly widevine but I have seen playready versions of it like on some content on nbcsports.

Re: #EXT-X or m3u8 or TS or AES-128? You got HLS.. Howto Beat it in 2017

 

even if you grab dash link ... u can't do much with it..

key request is gonna be https ... fiddler or charles cert on device will be required to decrypt it .. and "man in the middle" is another topic that will be hard to pull off for something like this

i don't see them encrypting request of video itself.. that's gonna be http .. which means it;s easy to grab .mpd


but key exchange is httpS... 1000000% ... regardless of which device we are talking about

in so many words, it can't be done

Re: #EXT-X or m3u8 or TS or AES-128? You got HLS.. Howto Beat it in 2017

 

Re: #EXT-X or m3u8 or TS or AES-128? You got HLS.. Howto Beat it in 2017

 

what are xfinity and att using?

if I'm not mistaking they have on demand content from hbo

Re: #EXT-X or m3u8 or TS or AES-128? You got HLS.. Howto Beat it in 2017

 

Re: #EXT-X or m3u8 or TS or AES-128? You got HLS.. Howto Beat it in 2017

 

What is "flash access".. It doesn't exist..

Flash can use custom same-domain protocols and encryption and has a a few codecs because it has ASC which you can code anything. You dump the ASC with a flash decompiler then reverse engineer it.. Again "flash access" does exist. JWPlayer is flash based and I've extracted TEA encryption keys from it before.

AES-SAMPLE works the same as AES-128 except they can change keys instead of just IV per segment. I don't care about these other networks because all the big networks use uplynk and zype and uplynk and zype only use variants of HLS that are all standards compliant..

https://bitmovin.com/tutorials/hls-encryption/

Re: #EXT-X or m3u8 or TS or AES-128? You got HLS.. Howto Beat it in 2017

 

I was using the legacy name. As kingstaytheking pointed out earlier, the more precise name is Adobe Access. No flash player need be involved.

https://helpx.adobe.com/adobe-media-...ction-hls.html

As described in the above link, the content can be protected using three modes:
Vanilla
PHLS
Adobe Access 4.0

Sure, but there is the small matter of actually getting the key in the first place. For HLS implementations of Adobe Access and PlayReady, this is an entirely different proposition than vanilla AES-128 where the key is in plaintext in the first instance.

I can't argue with you not caring. Some members here are interested in content that uses actual hls drm methods to protect the key, which is distinct from vanilla AES-128 hls which is not really drm at all.

Re: #EXT-X or m3u8 or TS or AES-128? You got HLS.. Howto Beat it in 2017

 

I've reverse engineered plenty of flash media players and have yet to see one using AdobeAccess. Currently I'm ripping HD streams from a lot of big sites and they all use HLS which is a Apple patent and doesn't include any Adobe spec because it wouldn't work with native <video> HTML5 support. If you see any of the tags I mention in this thread and there is no flash object embedded(so they can have their own custom ASC HLS handling) you can 100% guarantee there is nothing to do with any Adobe spec.. Since most browsers disable FlashPlayer by default they all use HTML5.. Worse Case Scenario: Session timeouts on key URIs with a referrer header check.. Anything else literally breaks playback..

The native HTML5 DRM engine also uses cleartext key exchange over TLS. I haven't seen it used yet but it's well documented.
I'm currently working on a generic tool but FFMPEG is still working when I feed it fresh m3u8. My tool will work the same except I spoof referrer and get a fresh session.

Re: #EXT-X or m3u8 or TS or AES-128? You got HLS.. Howto Beat it in 2017

 

What a relief. Thanks for clearing that up. I've either been malignantly confused or it has all been in my imagination. I'm forever in your debt.

Re: #EXT-X or m3u8 or TS or AES-128? You got HLS.. Howto Beat it in 2017

 

hmm tried it... video is decrypted with no problems.. trouble with audio

Re: #EXT-X or m3u8 or TS or AES-128? You got HLS.. Howto Beat it in 2017

 

jutru tired this with AES-128

error

Re: #EXT-X or m3u8 or TS or AES-128? You got HLS.. Howto Beat it in 2017

 

Anything with "#EXT-X-FAXS-CM" in it is a custom implementation for Adobe Media Server and not HTML5. It uses out of band JS to fetch keys that have tight session restrictions. You can defeat it with custom code the same as with hardened HLS key URI.

Re: #EXT-X or m3u8 or TS or AES-128? You got HLS.. Howto Beat it in 2017

 

if you really have a way.,.. add me to skype
and we can talk

Re: #EXT-X or m3u8 or TS or AES-128? You got HLS.. Howto Beat it in 2017

 

Setting aside that it doesn't exist, Adobe Primetime for hls can work in a HTML5 player in firefox via the Adobe Primetime Content Decryption Module (CDM).

Dash implementations are largely supplanting hls, but there are html5 players that support Adobe Primetime with hls.

Re: #EXT-X or m3u8 or TS or AES-128? You got HLS.. Howto Beat it in 2017

 

this guy is just talking out of his ass

only reason why any of these protected streams are crackable is widewine bug in chrome .. take that away.. and all premium streams are untouchable

and that's a fact

are you kidding me????

why do you even need -protocol_whitelist?


this shit will work for nbc, espn, amc ... and all those streams .. but youtube-dl makes it so easy that is pointless to do any of this

all that shit that you are doing for no reason, replace with
youtube-dl "M3U8 link here"



approach like this
http://stream-recorder.com/forum/sho...71&postcount=3

maybe ...

but name of the this topic.. and than "how to.." explanation is just laughable

I'm out

Re: #EXT-X or m3u8 or TS or AES-128? You got HLS.. Howto Beat it in 2017