Extract Widevine L3 keys from Android devices effortlessly, spanning multiple Android versions for DRM research and education.
KeyDive is a sophisticated Python script designed for the precise extraction of Widevine L3 DRM (Digital Rights Management) keys from Android devices. This tool leverages the capabilities of the Widevine CDM (Content Decryption Module) to facilitate the recovery of DRM keys, enabling a deeper understanding and analysis of the Widevine L3 DRM implementation across various Android SDK versions.
[!IMPORTANT]
Support for Android 14+ (SDK > 33) require the use of functions extracted from Ghidra.
client_id.bin
for device identification and the private_key.pem
for the RSA private key.Before you begin, ensure you have the following prerequisites in place:
frida-server
on your target Android device. This requires root access on the device. For installation instructions and downloads, visit the official Frida documentation.requirements.txt
file:
pip install -r requirements.txt
Follow these steps to set up KeyDive:
client_id.bin
- This file contains device identification information.private_key.pem
- This file contains the RSA private key.This sequence ensures that the DRM-protected content is active and ready for key extraction by the time the KeyDive script is initiated, optimizing the extraction process.
usage: keydive.py [-h] [-d DEVICE] [-f FUNCTIONS] [--force]
Extract Widevine L3 keys from an Android device.
options:
-h, --help show this help message and exit
-d DEVICE, --device DEVICE
Target Android device ID.
-f FUNCTIONS, --functions FUNCTIONS
Path to Ghidra XML functions file.
--force Force using the default vendor (skipping analysis).
For advanced users looking to use custom functions with KeyDive, a comprehensive guide on extracting functions from Widevine libraries using Ghidra is available. Please refer to our Functions Extraction Guide for detailed instructions.
Some manufacturers (e.g., Xiaomi) allow the use of L1 keyboxes even after unlocking the bootloader. In such cases, it's necessary to install a Magisk module called liboemcrypto-disabler to temporarily disable L1, thereby facilitating L3 key extraction.
Special thanks to the original developers and contributors who have made KeyDive possible. This tool is the culmination of collaborative efforts, research, and a deep understanding of DRM technologies.
KeyDive is intended for educational and research purposes only. The use of this tool in unauthorized testing of protected content is strictly prohibited. Please ensure you have permission before proceeding with DRM key extraction.
By using KeyDive, you acknowledge and agree to the terms of use and disclaimer stated above.