Default package

Get desktop application:
View/edit binary Protocol Buffers messages

from x86 (partial), most of it from the ARM version:

Used in: LicenseRequest, LicenseRequestRaw

• required ClientIdentification.TokenType Type = 1

• optional SignedDeviceCertificate Token = 2

  optional bytes Token = 2; // by default the client treats this as blob, but it's usually a DeviceCertificate, so for usefulness sake, I'm replacing it with this one:

  use this when parsing, "bytes" when building a client id blob

• repeated ClientIdentification.NameValue ClientInfo = 3

• optional bytes ProviderClientToken = 4

• optional uint32 LicenseCounter = 5

• optional ClientIdentification.ClientCapabilities _ClientCapabilities = 6

  how should we deal with duped names? will have to look at proto docs later

• optional FileHashes _FileHashes = 7

  vmp blob goes here

Used in: ClientIdentification

• optional uint32 ClientToken = 1

• optional uint32 SessionToken = 2

• optional uint32 VideoResolutionConstraints = 3

• optional ClientCapabilities.HdcpVersion MaxHdcpVersion = 4

• optional uint32 OemCryptoApiVersion = 5

• optional uint32 AntiRollbackUsageTable = 6

• optional uint32 SrmVersion = 7

• optional bool CanUpdateSrm = 8

• repeated ClientCapabilities.CertificateKeyType SupportedCertificateKeyType = 9

Used in: ClientCapabilities

• RSA_2048 = 0

• RSA_3072 = 1

Used in: ClientCapabilities, License.KeyContainer.OutputProtection

• HDCP_NONE = 0

• HDCP_V1 = 1

• HDCP_V2 = 2

• HDCP_V2_1 = 3

• HDCP_V2_2 = 4

Used in: ClientIdentification

• required string Name = 1

• required string Value = 2

Used in: ClientIdentification

• KEYBOX = 0

• DEVICE_CERTIFICATE = 1

• REMOTE_ATTESTATION_CERTIFICATE = 2

Used in: ProvisioningRequest

• required ClientIdentificationRaw.TokenType Type = 1

• optional bytes Token = 2

  by default the client treats this as blob, but it's usually a DeviceCertificate, so for usefulness sake, I'm replacing it with this one:

• repeated ClientIdentificationRaw.NameValue ClientInfo = 3

  optional SignedDeviceCertificate Token = 2; // use this when parsing, "bytes" when building a client id blob

• optional bytes ProviderClientToken = 4

• optional uint32 LicenseCounter = 5

• optional ClientIdentificationRaw.ClientCapabilities _ClientCapabilities = 6

  how should we deal with duped names? will have to look at proto docs later

• optional FileHashes _FileHashes = 7

  vmp blob goes here

Used in: ClientIdentificationRaw

• optional uint32 ClientToken = 1

• optional uint32 SessionToken = 2

• optional uint32 VideoResolutionConstraints = 3

• optional ClientCapabilities.HdcpVersion MaxHdcpVersion = 4

• optional uint32 OemCryptoApiVersion = 5

• optional uint32 AntiRollbackUsageTable = 6

• optional uint32 SrmVersion = 7

• optional bool CanUpdateSrm = 8

• repeated ClientCapabilities.CertificateKeyType SupportedCertificateKeyType = 9

Used in: ClientCapabilities

• RSA_2048 = 0

• RSA_3072 = 1

Used in: ClientCapabilities

• HDCP_NONE = 0

• HDCP_V1 = 1

• HDCP_V2 = 2

• HDCP_V2_1 = 3

• HDCP_V2_2 = 4

Used in: ClientIdentificationRaw

• required string Name = 1

• required string Value = 2

Used in: ClientIdentificationRaw

• KEYBOX = 0

• DEVICE_CERTIFICATE = 1

• REMOTE_ATTESTATION_CERTIFICATE = 2

Used in: SignedDeviceCertificate

• required DeviceCertificate.CertificateType Type = 1

  the compiled code reused this as ProvisionedDeviceInfo.WvSecurityLevel, however that is incorrect (compiler aliased it as they're both identical as a structure)

• optional bytes SerialNumber = 2

• optional uint32 CreationTimeSeconds = 3

• optional bytes PublicKey = 4

• optional uint32 SystemId = 5

• optional uint32 TestDeviceDeprecated = 6

  is it bool or int?

• optional bytes ServiceId = 7

  service URL for service certificates

Used in: DeviceCertificate

• ROOT = 0

• INTERMEDIATE = 1

• USER_DEVICE = 2

• SERVICE = 3

missing some references,

Used in: DeviceCertificateStatusList

• optional bytes SerialNumber = 1

• optional DeviceCertificateStatus.CertificateStatus Status = 2

• optional ProvisionedDeviceInfo DeviceInfo = 4

  where is 3? is it deprecated?

Used in: DeviceCertificateStatus

• VALID = 0

• REVOKED = 1

• optional uint32 CreationTimeSeconds = 1

• repeated DeviceCertificateStatus CertificateStatus = 2

Used in: LicenseRequest, LicenseRequestRaw, ProvisioningRequest, RemoteAttestation

• required string ServiceId = 1

• optional bytes ServiceCertificateSerialNumber = 2

• required bytes EncryptedClientId = 3

• required bytes EncryptedClientIdIv = 4

• required bytes EncryptedPrivacyKey = 5

vmp support

Used in: ClientIdentification, ClientIdentificationRaw

• optional bytes signer = 1

• repeated FileHashes.Signature signatures = 2

Used in: FileHashes

• optional string filename = 1

• optional bool test_signing = 2

  0 - release, 1 - testing

• optional bytes SHA512Hash = 3

• optional bool main_exe = 4

  0 for dlls, 1 for exe, this is field 3 in file

• optional bytes signature = 5

Used in: SignedLicense

• optional LicenseIdentification Id = 1

• optional License.Policy _Policy = 2

  duped names, etc

• repeated License.KeyContainer Key = 3

• optional uint32 LicenseStartTime = 4

• optional uint32 RemoteAttestationVerified = 5

  bool?

• optional bytes ProviderClientToken = 6

• optional uint32 ProtectionScheme = 7

  there might be more, check with newer versions (I see field 7-8 in a lic) this appeared in latest x86:

  type unconfirmed fully, but it's likely as WidevineCencHeader describesit (fourcc)

Used in: License

• optional bytes Id = 1

• optional bytes Iv = 2

• optional bytes Key = 3

• optional KeyContainer.KeyType Type = 4

• optional KeyContainer.SecurityLevel Level = 5

• optional KeyContainer.OutputProtection RequiredProtection = 6

• optional KeyContainer.OutputProtection RequestedProtection = 7

• optional KeyContainer.KeyControl _KeyControl = 8

  duped names, etc

• optional KeyContainer.OperatorSessionKeyPermissions _OperatorSessionKeyPermissions = 9

  duped names, etc

• repeated KeyContainer.VideoResolutionConstraint VideoResolutionConstraints = 10

Used in: KeyContainer

• required bytes KeyControlBlock = 1

  what is this?

• required bytes Iv = 2

Used in: KeyContainer

• SIGNING = 1

• CONTENT = 2

• KEY_CONTROL = 3

• OPERATOR_SESSION = 4

Used in: KeyContainer

• optional uint32 AllowEncrypt = 1

• optional uint32 AllowDecrypt = 2

• optional uint32 AllowSign = 3

• optional uint32 AllowSignatureVerify = 4

Used in: KeyContainer, VideoResolutionConstraint

• optional ClientIdentification.ClientCapabilities.HdcpVersion Hdcp = 1

  it's most likely a copy of Hdcp version available here, but compiler optimized it away

• optional OutputProtection.CGMS CgmsFlags = 2

Used in: OutputProtection

• COPY_FREE = 0

• COPY_ONCE = 2

• COPY_NEVER = 3

• CGMS_NONE = 42

  PC default!

Used in: KeyContainer

• SW_SECURE_CRYPTO = 1

• SW_SECURE_DECODE = 2

• HW_SECURE_CRYPTO = 3

• HW_SECURE_DECODE = 4

• HW_SECURE_ALL = 5

Used in: KeyContainer

• optional uint32 MinResolutionPixels = 1

• optional uint32 MaxResolutionPixels = 2

• optional OutputProtection RequiredProtection = 3

Used in: License

• optional bool CanPlay = 1

  changed from uint32 to bool

• optional bool CanPersist = 2

• optional bool CanRenew = 3

• optional uint32 RentalDurationSeconds = 4

• optional uint32 PlaybackDurationSeconds = 5

• optional uint32 LicenseDurationSeconds = 6

• optional uint32 RenewalRecoveryDurationSeconds = 7

• optional string RenewalServerUrl = 8

• optional uint32 RenewalDelaySeconds = 9

• optional uint32 RenewalRetryIntervalSeconds = 10

• optional bool RenewWithUsage = 11

  was uint32

• optional LicenseError.Error ErrorCode = 1

  LicenseRequest.RequestType ErrorCode; // clang mismatch

Used in: LicenseError

• INVALID_DEVICE_CERTIFICATE = 1

• REVOKED_DEVICE_CERTIFICATE = 2

• SERVICE_UNAVAILABLE = 3

Used in: License, LicenseRequest.ContentIdentification.ExistingLicense, LicenseRequestRaw.ContentIdentification.ExistingLicense

• optional bytes RequestId = 1

• optional bytes SessionId = 2

• optional bytes PurchaseId = 3

• optional LicenseType Type = 4

• optional uint32 Version = 5

• optional bytes ProviderSessionToken = 6

Used in: SignedLicenseRequest

• optional ClientIdentification ClientId = 1

• optional LicenseRequest.ContentIdentification ContentId = 2

• optional LicenseRequest.RequestType Type = 3

• optional uint32 RequestTime = 4

• optional bytes KeyControlNonceDeprecated = 5

• optional ProtocolVersion ProtocolVersion = 6

  lacking symbols for this

• optional uint32 KeyControlNonce = 7

• optional EncryptedClientIdentification EncryptedClientId = 8

Used in: LicenseRequest

• optional ContentIdentification.CENC CencId = 1

• optional ContentIdentification.WebM WebmId = 2

• optional ContentIdentification.ExistingLicense License = 3

Used in: ContentIdentification

• optional WidevineCencHeader Pssh = 1

  optional bytes Pssh = 1; // the client's definition is opaque, it doesn't care about the contents, but the PSSH has a clear definition that is understood and requested by the server, thus I'll replace it with:

• optional LicenseType LicenseType = 2

  unfortunately the LicenseType symbols are not present, acceptable value seems to only be 1 (is this persist/don't persist? look into it!)

• optional bytes RequestId = 3

Used in: ContentIdentification

• optional LicenseIdentification LicenseId = 1

• optional uint32 SecondsSinceStarted = 2

• optional uint32 SecondsSinceLastPlayed = 3

• optional bytes SessionUsageTableEntry = 4

  interesting! try to figure out the connection between the usage table blob and KCB!

Used in: ContentIdentification

• optional bytes Header = 1

  identical to CENC, aside from PSSH and the parent field number used

• optional LicenseType LicenseType = 2

• optional bytes RequestId = 3

Used in: LicenseRequest

• NEW = 1

• RENEWAL = 2

• RELEASE = 3

raw pssh hack

Used in: SignedLicenseRequestRaw

• optional ClientIdentification ClientId = 1

• optional LicenseRequestRaw.ContentIdentification ContentId = 2

• optional LicenseRequestRaw.RequestType Type = 3

• optional uint32 RequestTime = 4

• optional bytes KeyControlNonceDeprecated = 5

• optional ProtocolVersion ProtocolVersion = 6

  lacking symbols for this

• optional uint32 KeyControlNonce = 7

• optional EncryptedClientIdentification EncryptedClientId = 8

Used in: LicenseRequestRaw

• optional ContentIdentification.CENC CencId = 1

• optional ContentIdentification.WebM WebmId = 2

• optional ContentIdentification.ExistingLicense License = 3

Used in: ContentIdentification

• optional bytes Pssh = 1

  the client's definition is opaque, it doesn't care about the contents, but the PSSH has a clear definition that is understood and requested by the server, thus I'll replace it with:

• optional LicenseType LicenseType = 2

  optional WidevineCencHeader Pssh = 1;

  unfortunately the LicenseType symbols are not present, acceptable value seems to only be 1 (is this persist/don't persist? look into it!)

• optional bytes RequestId = 3

Used in: ContentIdentification

• optional LicenseIdentification LicenseId = 1

• optional uint32 SecondsSinceStarted = 2

• optional uint32 SecondsSinceLastPlayed = 3

• optional bytes SessionUsageTableEntry = 4

  interesting! try to figure out the connection between the usage table blob and KCB!

Used in: ContentIdentification

• optional bytes Header = 1

  identical to CENC, aside from PSSH and the parent field number used

• optional LicenseType LicenseType = 2

• optional bytes RequestId = 3

Used in: LicenseRequestRaw

• NEW = 1

• RENEWAL = 2

• RELEASE = 3

todo: fill (for this top-level type, it might be impossible/difficult)

Used in: LicenseIdentification, LicenseRequest.ContentIdentification.CENC, LicenseRequest.ContentIdentification.WebM, LicenseRequestRaw.ContentIdentification.CENC, LicenseRequestRaw.ContentIdentification.WebM

• ZERO = 0

• DEFAULT = 1

  1 is STREAMING/temporary license; on recent versions may go up to 3 (latest x86); it might be persist/don't persist type, unconfirmed

• OFFLINE = 2

todo: fill (for this top-level type, it might be impossible/difficult) this is just a guess because these globals got lost, but really, do we need more?

Used in: LicenseRequest, LicenseRequestRaw, SignedProvisioningMessage

• VERSION_2_0 = 20

• VERSION_2_1 = 21

Used in: DeviceCertificateStatus

• optional uint32 SystemId = 1

• optional string Soc = 2

• optional string Manufacturer = 3

• optional string Model = 4

• optional string DeviceType = 5

• optional uint32 ModelYear = 6

• optional ProvisionedDeviceInfo.WvSecurityLevel SecurityLevel = 7

• optional uint32 TestDevice = 8

  bool?

Used in: ProvisionedDeviceInfo

• LEVEL_UNSPECIFIED = 0

• LEVEL_1 = 1

• LEVEL_2 = 2

• LEVEL_3 = 3

Used in: ProvisioningRequest

• optional ProvisioningOptions.CertificateType certificate_type = 1

• optional string certificate_authority = 2

Used in: ProvisioningOptions

• WIDEVINE_DRM = 0

• X509 = 1

• optional ClientIdentificationRaw client_id = 1

• optional EncryptedClientIdentification encrypted_client_id = 5

• optional bytes nonce = 2

• optional ProvisioningOptions options = 3

• optional bytes stable_id = 4

• optional bytes provider_id = 6

• optional bytes spoid = 7

todo: fill

• optional bytes device_rsa_key = 1

• optional bytes device_rsa_key_iv = 2

• optional bytes device_certificate = 3

• optional bytes nonce = 4

• optional bytes wrapping_key = 5

Used in: SignedLicense, SignedLicenseRequest, SignedLicenseRequestRaw, SignedMessage, SignedServiceCertificate

• optional EncryptedClientIdentification Certificate = 1

• optional string Salt = 2

• optional string Signature = 3

todo: fill

(message has no fields)

todo: fill

(message has no fields)

todo: fill

(message has no fields)

Used in: ClientIdentification, SignedServiceCertificate

• optional DeviceCertificate _DeviceCertificate = 1

  optional bytes DeviceCertificate = 1; // again, they use a buffer where it's supposed to be a message, so we'll replace it with what it really is:

  how should we deal with duped names? will have to look at proto docs later

• optional bytes Signature = 2

• optional SignedDeviceCertificate Signer = 3

• optional SignedLicense.MessageType Type = 1

  has in incorrect overlap with License_KeyContainer_SecurityLevel

• optional License Msg = 2

  this has to be casted dynamically, to LicenseRequest, License or LicenseError (? unconfirmed), for Request, no other fields but Type need to be present

• optional bytes Signature = 3

  for SERVICE_CERTIFICATE, only Type and Msg are present, and it's just a DeviceCertificate with CertificateType set to SERVICE

  might be different type of signatures (ex. RSA vs AES CMAC(??), unconfirmed for now)

• optional bytes SessionKey = 4

  often RSA wrapped for licenses

• optional RemoteAttestation RemoteAttestation = 5

Used in: SignedLicense

• LICENSE_REQUEST = 1

• LICENSE = 2

• ERROR_RESPONSE = 3

• SERVICE_CERTIFICATE_REQUEST = 4

• SERVICE_CERTIFICATE = 5

remove these when using it outside of protoc: from here on, it's just for testing, these messages don't exist in the binaries, I'm adding them to avoid detecting type programmatically

• optional SignedLicenseRequest.MessageType Type = 1

  has in incorrect overlap with License_KeyContainer_SecurityLevel

• optional LicenseRequest Msg = 2

  this has to be casted dynamically, to LicenseRequest, License or LicenseError (? unconfirmed), for Request, no other fields but Type need to be present

• optional bytes Signature = 3

  for SERVICE_CERTIFICATE, only Type and Msg are present, and it's just a DeviceCertificate with CertificateType set to SERVICE

  might be different type of signatures (ex. RSA vs AES CMAC(??), unconfirmed for now)

• optional bytes SessionKey = 4

  often RSA wrapped for licenses

• optional RemoteAttestation RemoteAttestation = 5

Used in: SignedLicenseRequest

• LICENSE_REQUEST = 1

• LICENSE = 2

• ERROR_RESPONSE = 3

• SERVICE_CERTIFICATE_REQUEST = 4

• SERVICE_CERTIFICATE = 5

hack

• optional SignedLicenseRequestRaw.MessageType Type = 1

  has in incorrect overlap with License_KeyContainer_SecurityLevel

• optional LicenseRequestRaw Msg = 2

  this has to be casted dynamically, to LicenseRequest, License or LicenseError (? unconfirmed), for Request, no other fields but Type need to be present

• optional bytes Signature = 3

  for SERVICE_CERTIFICATE, only Type and Msg are present, and it's just a DeviceCertificate with CertificateType set to SERVICE

  might be different type of signatures (ex. RSA vs AES CMAC(??), unconfirmed for now)

• optional bytes SessionKey = 4

  often RSA wrapped for licenses

• optional RemoteAttestation RemoteAttestation = 5

Used in: SignedLicenseRequestRaw

• LICENSE_REQUEST = 1

• LICENSE = 2

• ERROR_RESPONSE = 3

• SERVICE_CERTIFICATE_REQUEST = 4

• SERVICE_CERTIFICATE = 5

the root of all messages, from either server or client

• optional SignedMessage.MessageType Type = 1

  has in incorrect overlap with License_KeyContainer_SecurityLevel

• optional bytes Msg = 2

  this has to be casted dynamically, to LicenseRequest, License or LicenseError (? unconfirmed), for Request, no other fields but Type need to be present

• optional bytes Signature = 3

  for SERVICE_CERTIFICATE, only Type and Msg are present, and it's just a DeviceCertificate with CertificateType set to SERVICE

  might be different type of signatures (ex. RSA vs AES CMAC(??), unconfirmed for now)

• optional bytes SessionKey = 4

  often RSA wrapped for licenses

• optional RemoteAttestation RemoteAttestation = 5

Used in: SignedMessage

• LICENSE_REQUEST = 1

• LICENSE = 2

• ERROR_RESPONSE = 3

• SERVICE_CERTIFICATE_REQUEST = 4

• SERVICE_CERTIFICATE = 5

todo: may be outdated

• optional bytes message = 1

• optional bytes signature = 2

• optional ProtocolVersion protocol_version = 3

• optional SignedServiceCertificate.MessageType Type = 1

  has in incorrect overlap with License_KeyContainer_SecurityLevel

• optional SignedDeviceCertificate Msg = 2

  this has to be casted dynamically, to LicenseRequest, License or LicenseError (? unconfirmed), for Request, no other fields but Type need to be present

• optional bytes Signature = 3

  for SERVICE_CERTIFICATE, only Type and Msg are present, and it's just a DeviceCertificate with CertificateType set to SERVICE

  might be different type of signatures (ex. RSA vs AES CMAC(??), unconfirmed for now)

• optional bytes SessionKey = 4

  often RSA wrapped for licenses

• optional RemoteAttestation RemoteAttestation = 5

Used in: SignedServiceCertificate

• LICENSE_REQUEST = 1

• LICENSE = 2

• ERROR_RESPONSE = 3

• SERVICE_CERTIFICATE_REQUEST = 4

• SERVICE_CERTIFICATE = 5

This message is copied from google's docs, not reversed:

Used in: LicenseRequest.ContentIdentification.CENC

• optional WidevineCencHeader.Algorithm algorithm = 1

• repeated bytes key_id = 2

• optional string provider = 3

  Content provider name.

• optional bytes content_id = 4

  A content identifier, specified by content provider.

• optional string track_type_deprecated = 5

  Track type. Acceptable values are SD, HD and AUDIO. Used to differentiate content keys used by an asset.

• optional string policy = 6

  The name of a registered policy to be used for this asset.

• optional uint32 crypto_period_index = 7

  Crypto period index, for media using key rotation.

• optional bytes grouped_license = 8

  Optional protected context for group content. The grouped_license is a serialized SignedMessage.

• optional uint32 protection_scheme = 9

  Protection scheme identifying the encryption algorithm. Represented as one of the following 4CC values: 'cenc' (AESCTR), 'cbc1' (AESCBC), 'cens' (AESCTR subsample), 'cbcs' (AESCBC subsample).

• optional uint32 crypto_period_seconds = 10

  Optional. For media using key rotation, this represents the duration of each crypto period in seconds.

Used in: WidevineCencHeader

• UNENCRYPTED = 0

• AESCTR = 1