Only a few days after Corel issued a WinDVD update to close the hole opened by AACS hackers, the folks at the Doom9 forums sent word that they have found yet another way around the copy protection for high definition discs. This time, the method uses the Xbox 360's HD DVD add-on drive to capture the "Volume Unique Keys" as the drive itself reads them. Rather than just point out the crack, we're going to take a closer look at how it was accomplished, because one of the hackers involved says that it is more or less unstoppable.
The latest attack vector bypasses the encryption performed by the Device Keys—the same keys that were revoked by the WinDVD update—and the so-called "Host Private Key," which as yet has not been found. This was accomplished by de-soldering the HD DVD drive's firmware chip, reading its contents, and then patching it. Once that was done, the firmware was soldered back onto the drive.
Despite the technical difficulty of performing this hack, it does offer some advantages in the race to beat AACS copy protection. "They cannot revoke this hack," said forum member arnezami, who has been at the center of much of the AACS cracking recently. "No matter how many Private Host Keys they revoke we will still be able to get Volume IDs using patched xbox 360 HD DVD drives."
Simplified high-def decryption diagram, courtesy of arnezami.
"Kvu" is the volume license key.
In addition to being irrevocable, the hack has the potential to make future decryption even easier. "This hack/technique enables us to figure out how the Volume ID is stored on the disc," arnezami explained. "It's very possible we would figure out […] how the KCD is stored on the disc. Knowing that and being able to teach a PC drive how to read a KCD will open the door for what I called third-generation decryption."
While this type of decryption (reading keys directly off a PC drive by sidestepping part of the encryption process) is still not a reality, it may not be too far off. The main obstacle is the cost to hackers of purchasing standalone high-def players, but as prices for these come down, this problem will slowly go away.
Although AACS has proven much more difficult to fully crack than the copy protection on regular DVDs, it is unlikely to remain only partially cracked for very long. The real problem with trying to create an "uncrackable" copy protection is that the keys needed to decrypt the content must be present somewhere on the playback device or on the media itself. Hiding these keys in different places—security by obscurity—merely delays the inevitable. Of course, for the content providers, any delay is still better than no delay at all, so expect the battles between copy protection and hackers to continue.