Introduction
While exploring Widevine DRM and its L3 implementation, I experimented with extracting my own Content Decryption Module (CDM) keys using Android Studio and Frida.
This post documents my environment, the exact steps I followed, and a few notes that might save time for anyone attempting the same process.
Environment
- Machine: Mac Mini (M2 Chip)
- OS: macOS 15.2
- Emulator: Pixel 4 XL, API 29 (without Google Play)
Step 1 β Android Studio Setup
Create and launch an emulator.
For my setup, I used a Pixel 4 XL image running API 29 without Google Play services.
Step 2 β Download Frida Server
Obtain the matching Frida server binary for the emulatorβs architecture:
1 | frida-server-16.0.2-android-arm64 |
Step 3 β Push Frida to the Emulator
1 | adb devices |
Leave this shell running β Frida must stay active in the background.
Step 4 β Dumper Setup
Clone and configure wvdumper.
My Python environment looked like this:
1 | Package Version |
Then simply run:
1 | python dump_keys.py |
Step 5 β Identifying Functions in libwvhidl.so
Pull the library from the emulator:
1 | adb pull /vendor/lib64/libwvhidl.so |
The output includes multiple function names, such as:
1 | 000000000026eb00 T vehbyocv |
Add all suspicious-looking 8-character function names to dumper/Helpers/script.js. For example:
1 | const KNOWN_DYNAMIC_FUNC = ["vehbyocv", "ygjiljer", "yhwxewib", "ywbqglwf", "zlhgtlbc", "znyuaxnv", "zqajgkxr"]; |
Step 6 β Running the Demo
At this point, you should have two terminal windows:
- one with the Frida server running,
- one executing dump_keys.py.
Now launch the emulator and visit https://bitmovin.com/demos/drm
If everything is configured correctly, the magic happens: the dumper intercepts and reveals the keys.
Closing Thoughts
This walkthrough is less of a polished tool release and more of a record of my own exploration. Still, it shows how approachable Widevine L3 research can be with the right setup.
By combining Android Studio, Frida, and a bit of reverse-engineering curiosity, you can peek into how DRM operates at a lower level β and thatβs an exciting learning experience for any developer.
Ref
https://forum.videohelp.com/threads/408031-Dumping-Your-own-L3-CDM-with-Android-Studio
https://github.com/wvdumper/dumper/issues/31#issuecomment-1745622411