Protection technologys

DVD-video is a standard for making DVDs holding MPEG 2 video and an associated audio stream at a high bitrate so a DVD player will play it. Obviously the paranoid studios dont want anyone to copy them so they have added a lot of protection. See CSS, CGMS, macrovision, RPC-II.

DVD protection is enforced by a licence agreement. This agreement must be signed by all manufacturers of DVD rom drives and both hard and soft players before they are given the encryption keys needed to play DVDs. The licence forces a few restrictions. To be precise it requires the many protection systems, bans unprotected digital outputs, requires regioning, has some anti-tamper and obstrusfication requirements to make reverse enginering harder, and a few minor details.

Of course most of the excessive protection on DVDs has now been broken. All of it, really, as all depended on CSS.

DVD-video includes a few unwanted features required by the license, such as regioning. It also disables chapter skip and menu buttons during the video before the menu, so the viewer is forced to watch it. Normally that space is used for an anti-piracy warning and a few logos, but Disney sometimes puts long trailers in as well. In one extreme example they added over five minutes of trailers to the start of their Hercules film, forceing viewers to sit through the trailers before they could see the film. This is a real "home cinema experience".

DVD copy protection is part of the Content Protection System Arcitecture (CPSA, see below). Because DVD was completed before CPSA the protection is only partially implimented. The CPSAs renewability system isn't implimented, a key revocation system is used instead. While CPSA allows DTCP or HDCP protected digital outputs the DVD-CSS license doesn't allow digital output at all, simply because DTCP wasn't available when the license was written. HDCP still isn't. The CPSA watermark detector isn't yet complete, so no DVDs have it. DVD does use an improvised replacement for the watermark though. If it sees CSS encrypted content on a non-pressed DVD it assumes its a pirate copy and wont play. It seems odd really. Consumer DVD writeing equipment cannot record CSS information, at least not without a firmware hack, and the commercial pirates all press discs anyway. Some people have suggested its because the DVDCCA doesn't want anyone to use its protection without paying huge license fees. Its more likely its just another example of the paranoia which is often seen when studios meet consumer digital technology.

The early dvd-rom drives (pre-2000) used RPC I. In this system, a drive could be in one of two states: Unauthorised, or authorised. While unauthorised, a drive would be incapable of accessing the CSS key blocks. In order to authorise a drive to read these blocks, needed for playing an encrypted DVD, a program must undergo a series of cryptographic authentication steps requiring a secret key. In this way, only authorised DVD players would be able to even access the CSS blocks - a measure intended to prevent attacks such as image-drives. The player, after authenticating, would check the region code of the disc before playing.

The regioning component of this had a few weaknesses. It was subject to cracked players. When CSS was broken it became trivial to authorise a drive and read the CSS blocks, defeating the region-code system.

The DVDCCA and studios realised software region protection was weak and, using the CSS licence, ordered everyone to stop making RPC I drives by 31 december 1999. All drives manufacturer from that point require RPC-II firmware (no physical change is made to the drive). In RPC II, the drive will check the region code of the disc against that in its own firmware prior to authenticating - thus, no technique can read a CSS block from an invalid-region disc. At least, that is the intention. The drive is preset with the right region, and will only play discs from that region. The region can be changed five times by the user, after which it locks in that region. The manufacturer can reset it four times then it stays set permantly.

There are two ways to defeat this annoying piece of protection: Alter the firmware or brute-force the CSS blocks. The former is more convenient. http://www.digital-digest.com/dvd/downloads/firmware.html is a list of RPC-II drives with the nessicary hacked firmware to remove the region codeing.

Failing that, many open-source DVD players will fall back to an emergency brute-force if the authentification fails. This is slow: The disc may require some time to load.

RPC2 has been quite an annoyance for people inexperienced in DVD. These people buy DVDs from another region as well as local DVDs, and frequently switch regions while unaware of the five-change limit. After five changes these people are surprised when their DVD player program starts demanding a manufacturer reset. These people are often seen on alt.media.dvd asking whats happened.

The region code of a DVD is held in the file VIDEO_TS.IFO. The information is only one byte and is stored at offset 0x23. When copying or ripping a DVD, setting the byte to 0xC0 or 0x00 will make the disc region free, apparently. Its bitmapped to the eight regions: 0 plays, 1 doesn't. The program "dvddecryptor" in the toolkit section is able to patch a riped DVD.

Finally, note that should windows find either an RPC1 or cracked-firmware drive, its own (purely software-based) region system will start. This is a trivial region-lock mechanism to disable:

However, load REGEDT32 and go to [HKEY_LOCAL_MACHINE\Software\Microsoft]. You should see a strange looking random letter key (for example "`dv:=/") as the first entry... Delete the entire key. Reboot the machine and... the first disc you'll use will be set as the new region, with 1 change left.

One of the most annoying video formats is realvideo, produced by realmedia and playable only on realplayer. Very predictable branding.

Realplayer itsself is free adware, well known as bloatware and with some spyware. It also associates an annoying selection of files when installed: RA, RV, RM, RAM, ROM, AVI, MP3, WAV and some others. These files have a tendency to inexplicable reassociate with realplayer for no reason. Its possibly more bloated than WMP, and occasionally an advert appears when realplayers not running.

Realvideo format quality is pathetic, and the format is corepondingly unpopular. Even at high bitrate and low resolution it shows the familiar block artifacts, and something that looks a lot like dithering gone wrong. It is still used often by sites that want to offer unrecordable streams but dont want to pay the large license costs associated with windows media technology.

The DRM componants are similar to Microsofts streaming system. The streams are difficult to download, and difficult to convert to other formats. Fortunatly I managed to do both and have packaged up all the tools you need. There are three programs. "Streambox Vcr" is a program for downloading realmedia files. Although it was intended as commercial software, Real set the lawyers on it and the realmedia downloading ability was severly crippled. You can download an uncripled version in the toolkit section. "Streambox ripper" is another program Real didn't like. It needs realplayer installed, but will convert realaudio files to wave, MP3 or WMA. I have been told it works with DRMed files too, ignoreing the DRM CCI, but havn't got any programs to test it with. Toolkit section again. Finally, TINRA (this is not real anymore) is a processor-intensive and complicated program for converting realvideo to AVI.

But there are some things the manufaturer doesn't mention when you buy it. Lyra does not actually play MP3. When you write a file to a compactflash you need the lyra software, which reads the serial number from the compactflash and then encrypts the file into a propritary .MPX file. The lyra plays that. Because the file is encrypted with the key from the compactflash its usless if taken off it. Just why it does that for mp3 is a bit of a mystery. The software also accepts WMA and realaudio format though plugins in mediaplayer and realjukebox respectivly. The encrypted MPX file is probably to stop people transcodeing those into an open standard. The WMA license at least explicitly says software must not save any WMA data in another format, and realvideo might have something similar.

The software is an inconvienience. You cannot just drag files to the card. As well as that there is no known way to use a lyra under linux. I know it works under windows, havn't checked macos, certinly doesn't work under anything else. Perhaps wine would do it, but I havn't checked. I dont have a lyra, so email me if you have tried it.

The DRM-MPX system doesn't protect any files against transcodeing, because both WMA and RA files have already been cracked. It is simply an inconvienience for users, and a big problem for linux users. I expect some level of anti-transcode capability is required by the WMP and realplayer plugin SDK or format licenses.

Sky digital TV is encrypted using their highly propritary "videoguard" technology. As well as the obvious use as a CDA, sky has found Videoguard perfect for a little bit of sneaky business. Most digital satellite TV systems use reasonably open technology. You can buy any decoder and any service, and once you slot in the card it works. Not sky. Sky requires its own form of modified decoder. You can recognise them because they are labeled "digibox". Digiboxes are very cheap, sky will even give them away for free if you sign up for a year minimum contract, but because sky controls who can make them it can manage them very closely. For example, with other satellite TV systems its possible to buy a PC reciever card. Its expensive, but its useful. Sky wont let you. There is only one DVR which can record the sky stream directly, the one sold as part of the sky+ deal, and because Sky controls it they can make sure it only saves the stream undecrypted. You still need the card in to play back. I will research videoguard itsself at some point, but as far as I know its not been broken - so no pirate sky TV yet.

The sky+ recorder supports two unpopular flags, a "do not record" flag and a "do not skip" flag, intended for PPV and adverts respectivly. Neither has been used, but a study of the firmware showed they are supported. Ordinary Sky digiboxes support Macrovision protection on the outputs, used for some movies, sports and PPV programs. This is not the same flag used for sky+ do not copy.

All sky digiboxes also have interactive supports, a modem which automaticially dials home at night which you must keep pluged in at all times (its a contract thing) and will occasionally overlay adverts from sky on the picture.

Finally, it goes without saying that it is not possible to transfer a file from a sky+ box to a long-term storage medium. When your drive is full, you must delete something.

Sky+ can set some more advances rules, but they are rarely used. For example, when usng sky+ to record a movie from sky box office, the film will be set to auto-delete after seven days, or 24 hours after first viewing, whichever is sooner.

NetMD is a minidisc-to-computer interface. According to sony you can buy the netMD, connect to a PC and then make digital transfers to and from the minidisc. But the advertiseing misses a limitation. Although netMD has no problems getting audio to a minidisc, it refuses to get it back. The hardware is capable of getting it back, this is a deliberate restriction. Without this minidisc-to-pc transfers can only be made with an analog cable. Slowly and with degraded sound. (Only expensive minidisc players and recorders have digital outputs.). The reason seems simple enough. If people could copy music from a minidisc they might try taking their recorders into concerts, and sony could never allow people to do that. Or worse, what if people start tradeing music on minidisc? So the netMD is one-way, because of a deliberate restriction from sony. A lot of people have brought netMDs for things like archiveing interviews, and found netMD wouldn't work in case their interviewers were concerts. The same restriction is built into sony laptops with internal minidisc-audio drives, such as the PCG-NV105. Yet another symptom of the Sony Divide, the conflict between sony-electronics and sony-entertainment.

Minidisc.org also has this intresting piece of information: "Protected Tracks Audio tracks downloaded to Minidisc by OpenMG Jukebox and BeatJam are marked as "protected" and cannot be deleted or divided by most Minidisc equipment; only a "check-in" with NetMD PC software will delete the track. (This feature ironically makes Minidisc portables with NetMD downloaded tracks as inflexibile as solid-state MP3 players). Tracks downloaded with Simple Burner do not have these restrictions however and behave like normally recorded MD tracks."

Pressplay is a legal pay-per-download music site, the industrys main attempt at online distribution. Music is available either streaming or downloadable. Both services use Windows Media Audio DRM technology. Because of the windows media requirements pressplay can be used on windows 98, me, 2000 or XP but not 95, NT or anything non-microsoft.

Intrestingly, pressplay downloaded files only work if the pressplay license server allows it. If you end your account all your music becomes unplayable. Pressplay has politely admitted that problem though, and has notices all over its site saying downloaded files will only play until you end your account. There is a monthly fee of course. Once you use pressplay you cant leave without loseing your music. Nice scam.

The only exception is what they call "portable" downloads. Just ordinary protected downloads with a different set of permissions. Portable downloads will remain playable if you leave pressplay, and can also be moved to WMA or SDMI compliant portable players or burnt to a CD. Ordinary downloads cannot. However, portable downloads will be lost if the license is lost. Because licenses are not backed up by normal backup procedures, reformatting the computer without a DRM expert to go through the complicated procesure will destroy all pressplay portable downloads.

Pressplay music downloads are individual songs, but you cannot pay for individual songs. The smallest possible order is five downloads. They dont have to be used together. Its both a solution to the micropayment problem and a way to encourage you to buy music you wouldn't normally pay for.

This is intresting. The US version of terminator 2 has a copy of the film in windows media 9 format on disc 2, at very high definition. Much higher than the DVD version, 1080p to be precise. This file is DRMed of course, and in a fairly annoying way. Firstly, in order to view the file the user must install a few programs: Media Player 9, InterActual Player (which conflicts with some MPEG decoders, such as my TV capture device), and a DRM update for InterActual. Next, the user must connect to the internet and contact the license server, which will do a reverse IP lookup to determine the country of the viewer. If the viewer is outside the US or Canada, tough. You can use a US-based proxy server to get around that. If the server approves, it sends the time-limited license file. This makes the disc playable for five days, after which the server must be contacted again for a new license.

This is, of course, very annoying. It also means that all of these discs will be rendered completly usless when the server goes offline - and it will. Someone has to pay to run it, and they probably wont keep paying forever.

When Apple launched its music store, it needed DRM. So it produced Fairplay, and iTunes DRM system. The iTunes music download site is less restrictive than its competitors, allowing anything short of putting music on a p2p system. You can playback on up to three computers (you can deauthorise these to change which three computers), sync with an unlimited number of ipods and burn a song to CD as much as you want (this would seem to be an effective way to break it too: CDs can be riped). Strangely, you can only burn any single custom playlist to 10 CDs though. You can easily reset this count just by makeing any change to the playlist, such as putting a song on and takeing it off again.

iTunes/Fairplay runs on both Mac and Windows systems. Computers are identified by a unique number for DRM. Windows systems produce this number based on the series number of c: drive, the bios version, the CPU name and the windows product ID. Its been cracked now under windows. The first utility to do so was the awkwardly-named "QuickTime for Windows AAC Memory Dumper", written by Jon Johansen of DeCSS fame. I dont have the program, but it should be easy to find it. This system was later intigrated into the VideoLan open-source cross-platform media player, though the system ID must still be produced under windows.

There are a few ways to break this. The burn-and-rerip trick works of course, with some loss of quality. Currently, the best method is to use a flaw in iMovie. This program can imported an iTuned DRMed file, and if the file is saved using the "share" option will not apply DRM or encryption to the new file. That feature was overlooked. I would expect Apple to release a patch for that soon through.

There is also an unrelated, obsolete DRM system also called FairPlay.

Not-very-OpenCable is a new standard for digital cable systems in the US. Authentication is handled by a POD, a smart card, so subscribeing to an opencable service in theory is just a matter of running the coax, pluging into your OpenCable-compatable TV and putting the POD in its slot. OpenCable though, dispite its name, is far from open. Its license conditions are paranoid. OpenCable equipment must protect the bitstream from unauthorised access, such as people trying to record digital TV, with a combination of encryption and tamper-detection. The POD authentication systems very sophisticated, and used an elaborate renewability system. The POD itsself used a symetric encryption system on its IO to prevent anyone intercepting the MPEG stream on its ports, in the unlikely event a user could afford a logic analyser able to handle that bitrate. The objective of this is to ensure digital streams never leave protected, authenticated, and license-regulated hardware. OpenCable is very similar, and designed to work with, the CPSA system. OC equipment is only permistted to output digital streams using DTCP-encrypted firewire or HDCP-encrypted DVI. Analog outputs must be protected by the Macrovision system (look it up under analog). Finally, although Digital Video Recorders with OpenCable support are allowed, they must obey more restrictive usage rules than ordinary decoders, must save to encrypted discs only and must authenticate their own hard drives, to stop people tradeing programs on disk I imagine. Of course, explicitly forbidding the capability to make removeable or archival backups of programs is going to make series collecting much harder. PC cable tuner cards are not allowed. Well, I suppose they might be if they degrade the output to poor analog 480i TV quality.

Not surprisingly, an open-source implimentation is out of the question. Although most technical information is public, the all-important keys can only be obtained by those with secure, tamper-proof hardware and pockets deep enough to pay for the license. (I expect this is a way to get rid of competition from smaller manufacturers).

From what ive seen of OpenCables specs, its a very hard system to defeat. The authentication and encryption are suitably paranoid, and the tamper-proofing is rediculous. The weak point is its CPSA integration. It outputs on CPSA protected ports, which in turn go into CPSA protected recorders, which put the program on CPSA protected discs. That means if CPSA is fully compromised, so is OpenCable.

This is just an ordinary WMA file with WMA DRM, but connected to an unusual payment server designed to allow p2p-based superdistribution. That is, users are encouraged to share these files on p2p.

Weed allows downloaders to play any given song three times before they must pay up or lose the ability to play that track. Payment is made via PayPal.

Weed files can be shared, and anyone who grabs a shared-but-paid-for song then coughs up the 50c to $1 charged for the song ensures 20 per cent of the proceeds go to the person who paid before. Previous sharers get ten per cent and five per cent, going down the chain. Artists get 50 per cent of the sale price and Weed developer Shared Media Licensing gets the remaining 15 per cent.

There are some small flaws. As the files shared are modified with each purchase for tracability, and thus payment to users, the files tend to be a bit awkward on p2p. The hashes dont match, so multi-source downloading doesn't work, and if a source goes offline no alternates can be found.

Weed-like superdistribution has another common name: Pyramid-scheme.