For English speaking members
I needed to develop a utility that decrypts files protected by OMA DRM technology as part of a project to preserve a wide range of multimedia content once used in Motorola phones. Many users of EZX and MotoMAGX phones have encountered difficulties in transferring or saving unique standard ringtones, animations, images, videos, and Java applications to other devices because of DRM restrictions.
The drmhacker utility and its source code are available on GitHub:
https://github.com/EXL/drmhacker
The concept behind this utility isn't new: Borman92 first used it to remove copy protection from Java apps on EZX devices in the EZX DRM hacker, Removing copy protection from Java applications topic. But the DRM APIs Borman92 used are not available on MotoMAGX phones, so I had to take IDA Pro and Ghidra to the MotoMAGX system shared libraries (.so) and do some reverse engineering. In the end I found and tested new DRM APIs that bypass the protection, and managed to decrypt the files.
In the following sections of the article, I will outline two methods for bypassing DRM protection. The first method can be implemented without the need for a physical device, while the second method is designed to operate directly on the phone itself.
1. Bypassing DRM Through QEMU Emulation
The method of bypassing DRM protection without a physical device relies on partial emulation of the phone's firmware and environment in the multi-purpose QEMU emulator. DRM-protected files are tied to a specific phone firmware, but with QEMU you can emulate the relevant part of it (the firmware's own user space, entered with chroot on an emulated ARM Debian system, together with the DRM key material from its setup images) and obtain the decrypted files.
To use this method, you need:
- Operating System: Ubuntu 22.04 or newer. On Windows, use Windows 10 with the Windows Subsystem for Linux (WSL or WSL2) installed.
- Skills: the Linux command line and SSH (Secure Shell) for remote connections.
- Software: QEMU, OpenSSH.
- Accounts (in the emulated Debian image): root:root, user:user
- Firmware: later Motorola EZX models and all Motorola MotoMAGX models.
1. Install the necessary dependencies, then download the moto_drmhacker_kitchen.zip archive (mirrors are welcome!) and unpack it to any convenient location.
Code:
sudo apt install qemu-system-arm openssh-client
cd ~/Downloads/
unzip moto_drmhacker_kitchen.zip
cd ~/Downloads/moto_drmhacker_kitchen/
2. Unpack the SBF firmware file containing the encrypted content you wish to decrypt. Use either SBF-Recalc 1.2.9.1 or RSD Lite 3.8 for this purpose. Refer to the method outlined in our guide "7. A Trick for Correctly Unpacking SBF and SHX Firmware" to ensure proper extraction using RSD Lite.
3. The following code groups are required from the unpacked firmware files:
- CG43.smg (setup.img, contains the first part of the DRM keys).
- CG44.smg (securesetup.img, contains the second part of the DRM keys).
- CG52.smg (resource.img, contains all encrypted resources).
4. Start the emulation. Wait about two to three minutes for the system to boot; it is ready when the prompt "Debian GNU/Linux 7 debian-armhf tty1" appears in the QEMU window.
Code:
qemu-system-arm -M vexpress-a9 -kernel vmlinuz-3.2.0-4-vexpress -initrd initrd.img-3.2.0-4-vexpress -drive if=sd,file=debian_wheezy_armhf_standard.qcow2 -append "root=/dev/mmcblk0p2" -nic user,hostfwd=tcp::2222-:22
Note that hostfwd=tcp::2222-:22, with the host address left empty, makes QEMU listen on port 2222 on all host interfaces, so anyone on your network can log in to the guest with the root:root account. On a shared network write hostfwd=tcp:127.0.0.1:2222-:22 instead, so that the forwarded port is reachable only from the host itself.
5. In a second terminal tab, transfer the required code groups into the emulator with SCP or SFTP, whichever you prefer. The user and the password are both root; accept whatever SSH proposes, such as adding the host to the "known_hosts" file.
SCP:
Code:
scp -P 2222 CG43.smg CG44.smg CG52.smg root@localhost:
root@localhost's password: root
SFTP:
Code:
sftp -P 2222 root@localhost
root@localhost's password: root
Connected to localhost.
sftp> put CG43.smg
sftp> put CG44.smg
sftp> put CG52.smg
sftp> quit
6. In a third terminal tab, log in to the emulated system over SSH from Linux with the user root and its password, then check that all the required files are in place:
Code:
ssh -p 2222 root@localhost
root@localhost's password: root
ls
CG43.smg CG44.smg CG52.smg chroot.sh magx-root unsquash.sh utils
7. Using the specially prepared scripts, unpack the three SquashFS images, then enter the DRM-cracking chroot and decrypt all the encrypted files in the firmware:
Code:
./unsquash.sh
./chroot.sh
undrm.sh
uncrypt.sh
If needed, individual files in the firmware can be decrypted instead, for example like this (inside the chroot):
Code:
cd /usr/data_resource/picture/
drmhacker_magx drm_sp Amber.dcf Amber.jpg
drmhacker_magx drm_sp Golden.drm.jpg Golden.jpg
8. Once uncrypt.sh has finished, the resulting archive, uncrypted.tgz, appears at the root of the magx-root directory. Copy it to your host system:
SCP:
Code:
scp -P 2222 root@localhost:magx-root/uncrypted.tgz uncrypted.tgz
root@localhost's password: root
tar -xvzf uncrypted.tgz
SFTP:
Code:
sftp -P 2222 root@localhost
root@localhost's password: root
Connected to localhost.
sftp> get magx-root/uncrypted.tgz
sftp> quit
tar -xvzf uncrypted.tgz
The resulting archive contains the decrypted content files; it can be extracted either with the standard Ubuntu archiving tool or from the terminal as shown above.
9. Shut down QEMU from the SSH session: leave the chroot, power off the guest, then close the session:
Code:
exit
poweroff
exit
The QEMU window will close after a while.
10. Note that in the firmware of the latest generation of phones on the EZX platform everything is the same, except that the code groups are numbered differently:
- CG34.smg (resource.img, contains all encrypted resources).
- CG42.smg (setup.img, contains the first part of the DRM keys).
- CG37.smg (securesetup.img, contains the second part of the DRM keys).
Some code groups from EZX phones come out of the unpacker with a run of empty space (FF bytes) at the start, ahead of the actual image. Simply trim these bytes with a hex editor such as HxD, or with the dd command-line utility, before uploading the file to the emulator.
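The padding check above can be scripted instead of being done by hand in a hex editor. The following is an added example, not part of the original post or of the moto_drmhacker_kitchen scripts: it measures the run of leading 0xFF bytes in an unpacked code group, drops it, and confirms that the result starts with the little-endian SquashFS magic ("hsqs") that unsquash.sh expects. The sample file it works on is constructed inline. That every code group handled this way is a SquashFS image is an assumption of the example, so treat the magic check as a sanity check rather than a hard rule.

```shell
#!/bin/sh
# Added example (not part of the original post or the drmhacker kitchen):
# detect and strip a run of leading 0xFF bytes from an unpacked code group
# so that the image starts at offset 0 before it is uploaded to the
# emulator. Only POSIX tools are used (od, awk, tail, wc, head).
# Assumption: the code group is a little-endian SquashFS image ("hsqs").

# Print the number of leading 0xFF bytes in FILE: the offset of the first
# byte that is not 0xFF, or the file size if the whole file is padding.
ff_padding_offset() {
    od -An -v -tx1 "$1" | tr -s ' ' '\n' | grep -v '^$' |
        awk '$1 != "ff" { print NR - 1; found = 1; exit }
             END { if (!found) print NR }'
}

# Succeed if FILE starts with the little-endian SquashFS magic 0x73717368.
is_squashfs() {
    [ "$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')" = "68737173" ]
}

# Copy IN to OUT without its leading 0xFF padding and print how many bytes
# were dropped. Equivalent to "dd if=IN of=OUT bs=1 skip=N" from the post,
# but tail -c is far faster than bs=1 on multi-megabyte images.
strip_ff_padding() {
    in="$1"; out="$2"
    skip=$(ff_padding_offset "$in")
    size=$(wc -c < "$in" | tr -d ' ')
    if [ "$skip" -ge "$size" ]; then
        echo "strip_ff_padding: $in contains only 0xFF bytes" >&2
        return 1
    fi
    tail -c +$((skip + 1)) "$in" > "$out"
    echo "$skip"
}

# Stand-alone demo on a constructed sample: 8 bytes of 0xFF padding in
# front of a fake SquashFS header (constructed data, not a real code group).
demo_dir=$(mktemp -d)
printf '\377\377\377\377\377\377\377\377hsqs0123' > "$demo_dir/CG34.smg"
if is_squashfs "$demo_dir/CG34.smg"; then
    echo "CG34.smg already starts with the SquashFS magic"
else
    dropped=$(strip_ff_padding "$demo_dir/CG34.smg" "$demo_dir/CG34.fixed.smg")
    echo "dropped $dropped bytes of padding"
    is_squashfs "$demo_dir/CG34.fixed.smg" && echo "CG34.fixed.smg now starts with the SquashFS magic"
fi
rm -rf "$demo_dir"
```

Run it once on each EZX code group before the SCP step; a file that is reported as all 0xFF is an unpacking problem, not padding, and should be re-extracted.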
2. Bypassing DRM using a physical phone on the EZX or MotoMAGX platform
The process here is straightforward. First, the target device is flashed or modified so that it can run third-party native executable code (a custom firmware, special archives that exploit vulnerabilities, and so on). Next, the appropriate utility, drmhacker_e680, drmhacker_ezx or drmhacker_magx, is placed on the device. Finally, the required files are decrypted either over Telnet or directly from the console on the device itself:
Code:
./drmhacker_e680 /diska/preload/java/Application.drm.jar Application.jar
./drmhacker_ezx /usr/data_resource/pictures/Picture.drm.jpg Picture.jpg
./drmhacker_magx drm_sp /usr/data_resource/pictures/Picture.drm.jpg Picture.jpg
./drmhacker_magx drm_sp /usr/data_resource/pictures/Animation.dcf Animation.gif
Thanks to VINRARUS, special one-line scripts were written that partly automate decrypting the DCF and DRM files of the firmware directly on the phone itself. Note that the first one-liner names its output after the .dcf file with the extension removed, so the decrypted file has no extension and you have to identify its type yourself; .drm.* files keep their original extension.
Code:
find /usr/data_resource/picture -type f -name "*.dcf*" | while read FILE; do F="${FILE%.*}"; drmhacker_magx drm_sp "$FILE" "${F##*/}"; done
find /usr/data_resource/picture -type f -name "*.drm*" | while read FILE; do F1="${FILE%.drm*}"; F2="${FILE##*.drm}"; drmhacker_magx drm_sp "$FILE" "${F1##*/}$F2"; done
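The following is an added example, not part of the original post or of VINRARUS's scripts, written in POSIX sh so that it runs on the host and should also run under a reasonably complete BusyBox on the phone: it derives the output name for each protected file, reading the Content-Type from the OMA DRM v1 DCF header (version byte, Content-Type length, Content-URI length, then the Content-Type string) to choose the extension, and then calls drmhacker_magx with the same drm_sp argument order the post uses. That Motorola's .dcf files follow the standard DCF v1 header layout, and the DRMHACKER variable used to locate the binary, are assumptions of this example; the files in the demo are constructed, not real firmware content.

```shell
#!/bin/sh
# Added example (not part of the original post or VINRARUS's one-liners):
# derive a sensible output name for every protected file before calling
# drmhacker_magx. "X.drm.ext" becomes "X.ext" as in the one-liner above;
# for "X.dcf" the extension comes from the Content-Type field of the
# OMA DRM v1 DCF header. Assumption: Motorola .dcf files use that layout
# (1 byte version, 1 byte Content-Type length, 1 byte Content-URI length,
# then the Content-Type string).

# Print the Content-Type string stored in a DCF v1 container.
dcf_content_type() {
    # second byte = length of the Content-Type field
    len=$(head -c 2 "$1" | tail -c 1 | od -An -tu1 | tr -d ' ')
    [ "${len:-0}" -gt 0 ] || return 1
    head -c $((3 + len)) "$1" | tail -c "$len"
}

# Map a MIME type to a file extension; unknown types get ".bin".
ext_for_type() {
    case "$1" in
        image/jpeg|image/jpg)     echo jpg ;;
        image/gif)                echo gif ;;
        image/png)                echo png ;;
        image/bmp)                echo bmp ;;
        audio/midi|audio/mid)     echo mid ;;
        audio/mpeg)               echo mp3 ;;
        audio/amr)                echo amr ;;
        video/3gpp)               echo 3gp ;;
        application/java-archive) echo jar ;;
        *)                        echo bin ;;
    esac
}

# Print the output file name (basename only) for a protected file path.
output_name() {
    file="$1"
    base="${file##*/}"
    case "$base" in
        *.drm.*) echo "${base%.drm.*}.${base##*.drm.}" ;;
        *.dcf)   type=$(dcf_content_type "$file") || type=""
                 echo "${base%.dcf}.$(ext_for_type "$type")" ;;
        *)       echo "$base" ;;
    esac
}

# Decrypt every .dcf / .drm.* file under DIR into OUTDIR. DRMHACKER (an
# assumed variable of this example) names the tool, drmhacker_magx by default.
decrypt_tree() {
    dir="$1"; outdir="$2"
    mkdir -p "$outdir"
    find "$dir" -type f \( -name '*.dcf' -o -name '*.drm.*' \) | while read -r f; do
        "${DRMHACKER:-drmhacker_magx}" drm_sp "$f" "$outdir/$(output_name "$f")"
    done
}

# Stand-alone demo: a constructed DCF header (version 1, "image/gif",
# empty URI) and an empty .drm.jpg, printed as a dry run without decrypting.
demo=$(mktemp -d)
printf '\001\011\000image/gif' > "$demo/Animation.dcf"
: > "$demo/Golden.drm.jpg"
for f in "$demo"/*; do
    echo "$f -> $(output_name "$f")"
done
rm -rf "$demo"
```

On the phone, run decrypt_tree /usr/data_resource/picture /ezxlocal/out (or any writable directory); on the host it can be pointed at the unpacked magx-root tree from the QEMU method to plan the names first.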
3. Additional information and mirrors:
Directory where the archives with the decrypted files and the kitchen can be downloaded:
https://firmware.center/projects/EXL/Motorola/DRM
Release of drmhacker on GitHub:
https://github.com/EXL/drmhacker/releases/download/v1.0/drmhacker_linux_x86_64.zip
Debian images by aurel32:
https://people.debian.org/~aurel32/qemu/armhf/
https://people.debian.org/~aurel32/qemu/armel/
Thanks:
PUNK-398 -- for the motivation, testing and the idea.
mhous33 -- for testing and editing the English translation.
VINRARUS -- for the one-liner scripts.
4. List of decrypted content:
01. Motorola AURA R1 (MotoMAGX)
02. Motorola AURA R1 Celestial Edition (MotoMAGX)
03. Motorola AURA R1 Diamond Edition (MotoMAGX)
04. Motorola ROKR E8 (MotoMAGX)
05. Motorola ROKR EM30 (MotoMAGX)
06. Motorola VE66 (MotoMAGX)
07. Motorola ROKR EM35 (MotoMAGX)
08. Motorola ZINE ZN5 T-Mobile (MotoMAGX)
09. Motorola Z6w (MotoMAGX)
10. Motorola JEWEL U9 (MotoMAGX)
11. Motorola PEBL U9 (MotoMAGX)
12. Motorola Tundra VA76r (MotoMAGX)
13. Motorola RAZR² V8 (MotoMAGX)
14. Motorola RAZR² V8 Luxury Edition (MotoMAGX)
15. Motorola ROKR Z6 (MotoMAGX)
16. Motorola RIZR Z6 (MotoMAGX)
17. Motorola A910 (EZX)
18. Motorola A910i (EZX)
19. Motorola ROKR E2 (EZX)
20. Motorola E680 (EZX)
21. Motorola E680i (EZX)
22. Motorola PEBL U9 Gold Edition (MotoMAGX)