April 24, 2014


Hidden Feature in Sony DRM Uses Open Source Code to Add Apple DRM

For weeks, the blogosphere has been abuzz with tales of intrigue about Sony’s XCP copy protection system. Among the strangest revelations was that XCP itself infringes on the copyrights to several open source software projects. In one case, Sam Hocevar found conclusive evidence that part of XCP’s code was copied from a program called DRMS, which he co-authored with DVD Jon and released under the terms of the GPL open source license. What made this finding particularly curious is that the purpose of DRMS is to break the copy protection on songs sold in Apple’s iTunes Music Store. Why would XCP rip off code intended to defeat another vendor’s DRM?

The answer is that XCP utilizes the DRMS code not to remove Apple DRM but to add it. I’ve discovered that XCP uses code from DRMS as part of a hidden XCP feature that provides iTunes and iPod compatibility. This functionality has shipped on nearly every XCP CD, but it has never been enabled or made visible in the XCP user interface. Despite being inactive, the code appears to be fully functional and was compatible with the current version of iTunes when the first XCP CDs were released. This strongly suggests that the infringing DRMS code was deliberately copied by XCP’s creator, First4Internet, rather than accidentally included as part of a more general purpose media library used for other functions in the copy protection system.

This isn’t the first time another vendor has tried to make its DRM compatible with Apple’s. Apple’s DRM, a system called FairPlay, places restrictions on songs purchased through the iTunes Music Store. FairPlay is the only DRM compatible with the immensely popular iPod, and Apple has declined to license it to rival music distributors, effectively locking rivals out from the iPod platform (at least as long as the rivals insist on using DRM). In 2004, RealNetworks attempted to work around Apple and reverse engineered FairPlay so that Real Player could create FairPlay files for use with the iPod. Apple responded by making vague legal threats and updating iTunes to break this compatibility. It looks like the people at First4Internet wanted to create their own iPod compatibility system, but rather than take the time to reverse engineer FairPlay themselves, they copied critical pieces of code from DRMS in violation of the GPL license.

Intriguingly, the FairPlay compatibility code in XCP is not limited to converting files from XCP CDs. The code appears to support conversion into FairPlay of files in a wide variety of input formats – MP3s, WAV files, raw audio files, and standard unprotected audio CDs – in addition to XCP-protected discs. It’s also strange that the FairPlay compatibility code is shipped but not made available for use by applications, not even XCP’s own player software. (Technically, the code is not exported from the shared library where it is stored.) This might indicate that First4Internet decided to remove the feature at the very last minute, shortly before XCP CDs started to ship.

In any case, the code is present and still works. It’s possible to execute it by jumping to the right memory location after performing some basic setup. I’ve used this method to test various aspects of the software. Here is a screenshot of iTunes playing a protected file that I made from a regular MP3 file using the hidden XCP functionality:

It seems these findings raise more questions than they answer. Where did the code come from? Since it supports audio sources other than XCP CDs, did First4Internet license it from another vendor? Why did Sony disable the code but continue to ship it? How does iTunes compatibility fit in with Sony’s overall copy protection strategy? Which is the greater evil – incompatible DRM platforms or GPL violations? Tune in again tomorrow when Ed will weigh in on these and other conundrums.

* * *

[The rest of this post contains technical information about how XCP uses the DRMS code. Feel free to stop reading now if you aren't interested in the details.]

Understanding how XCP uses code from DRMS requires some basic knowledge about FairPlay. When you buy a song from the iTunes Music Store, you receive a FairPlay encrypted audio file that can only be played with knowledge of a secret key assigned to you by Apple. iTunes retrieves this key from an Apple server, which prompts you to log in with your Apple ID and password. Your user key is stored on your hard drive in an encrypted key database (a file called SC Info.sidb). When you play the song again, or if you try to copy it to an iPod, iTunes reads your key from the database instead of reconnecting to the server.

FairPlay’s security depends on the encrypted key database being difficult for anyone but Apple to decipher, so it is protected using a proprietary encryption method and a system-dependent secret key. (As security experts predicted, this protection was quickly broken; today DRMS is able to defeat FairPlay because DVD Jon painstakingly reverse engineered the database decryption code in iTunes.) iTunes encrypts the key database using a two step process. First, it XORs the plaintext database with the output from a proprietary pseudorandom number generator (PRNG) using a system-dependent seed; then it applies AES encryption with a system-dependent key. As a consequence of this design, the code for the PRNG is exactly the same whether the file is being encrypted or decrypted. To decrypt, iTunes applies AES decryption, then XORs the same PRNG output again. This explains why parts of the DRMS code – in particular, a function called DoShuffle, which computes the PRNG’s output – are useful for encryption as well as their original purpose, decryption.

The complex, proprietary PRNG must have been especially difficult to reverse engineer. Rather than expend this effort themselves, XCP’s authors appear to have lifted the DoShuffle code verbatim from DRMS. XCP uses this code to manipulate the iTunes key database in the process of adding FairPlay protection. Starting with an unencrypted audio file, such as a track from a protected CD, XCP compresses the audio in memory, then encrypts it using the same algorithm as FairPlay. Instead of using an Apple-assigned user key, XCP creates a new random user key and, with the help of the DRMS code, adds it to the iTunes key database. This ensures that the song file can only be used on the computer where it was created.
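The two-layer key-database scheme described above, as an added model that is not code from iTunes, DRMS or XCP: the generator is a constructed xorshift stand-in for DoShuffle, and AES-CBC with a zero IV and PKCS#7 padding are assumptions, since the post does not name the mode. It shows why the same shuffle routine serves both directions, and why anyone holding the system-dependent seed and key can rewrite the database, which is what lets XCP insert its own user key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
)

// shuffle XORs data with a xorshift64 stream seeded with the system-dependent
// value. The generator is a constructed stand-in for DoShuffle, not iTunes'
// PRNG. XOR is its own inverse, so this one routine serves both directions.
func shuffle(seed uint64, data []byte) []byte {
	out := make([]byte, len(data))
	x := seed | 1 // xorshift must not start from the all-zero state
	for i := range data {
		if i%8 == 0 { // draw a fresh 64-bit word every eight bytes
			x ^= x << 13
			x ^= x >> 7
			x ^= x << 17
		}
		out[i] = data[i] ^ byte(x>>(8*uint(i%8)))
	}
	return out
}

// EncryptDB models the write path: shuffle, PKCS#7 pad, then AES with the
// system-dependent key. CBC mode with a zero IV is an assumption of this model.
func EncryptDB(key []byte, seed uint64, db []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	n := aes.BlockSize - len(db)%aes.BlockSize
	pt := append(shuffle(seed, db), bytes.Repeat([]byte{byte(n)}, n)...)
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, make([]byte, aes.BlockSize)).CryptBlocks(ct, pt)
	return ct, nil
}

// DecryptDB models the read path: AES decrypt, strip the padding, then apply
// exactly the same shuffle again. Input is validated before touching it.
func DecryptDB(key []byte, seed uint64, ct []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext is not a whole number of blocks")
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, make([]byte, aes.BlockSize)).CryptBlocks(pt, ct)
	n := int(pt[len(pt)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return shuffle(seed, pt[:len(pt)-n]), nil
}
```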

The XCP FairPlay compatibility code is contained in a file named ECDPlayerControl.ocx that is installed the first time an XCP CD is played. Here is how the DRMS code ties in with the rest of the library. (I’ve provided a debugger offset for each function as an aid to other investigators.) The DRMS DoShuffle subroutine (0x10089E00) is called from only two places, a function that encrypts the iTunes key database (0x1008A0C0) and a function that decrypts it (0x1008A300). Both these functions are called from only one other routine, which serves to read the key database, decrypt it, and, if necessary, to add the XCP user key to the database and write it out again in encrypted form (0x1008A470). This routine is called by a higher level function that converts an audio file into a FairPlay-protected AAC file (0x10027D20). You can test these functions by jumping into an earlier routine (0x10010380, apparently the start of a thread for transferring music to iTunes) after some simple initialization. I’ll happily provide serious investigators with rough sample code and instructions.

My tests indicate that XCP’s FairPlay-compatibility code works with iTunes up to iTunes version 4.8. iTunes 4.9, released June 28, 2005, included changes unrelated to FairPlay that cause the XCP code to fail. XCP CDs released after this date do not appear to contain an updated version of the code.

Comments

  1. sm says:

    Nice detective work. This is a very interesting development.

    Somehow I doubt DVD Jon will file suit against Sony/F4i for stealing his code, but Apple might weigh in on the matter, as it could be argued Sony is “trafficking” in a circumvention device per the DMCA. ‘Course, it’s not usable out of the box, so that seems unlikely.

  2. pete says:

    There seems to be good evidence that several OSS projects have had their copyrights violated by XCP. Are you aware of any of the authors suing for infringement?

  3. The PC Doctor says:

    More Open Source code buried into Sony XCP

    Freedom to Tinker continues to discover more interesting information about the Sony XCP rootkit DRM junkware. This latest post outlines more code “borrowed” from other applications.

    For weeks, the blogosphere has been abuzz …

  4. Anon says:

    In response to pete:

    Here is an open letter from the developers of LAME, the open source mp3 encoder whose code was apparently included with XCP:

    http://lame.sourceforge.net/open_letter_sony_bmg.html

    Many so-called “Sony apologists” will state that the responsibility for the illegal inclusion of copyrighted, open source code in XCP falls directly on First 4 Internet. The fact that it is currently unclear if Sony ordered F4I to include the copyrighted code, or if Sony was even aware that XCP included copyrighted code, does not reduce Sony’s liability in the matter under U.S. law. Merely releasing copyrighted code, even if they were unaware of it, makes Sony as legally liable as F4I.

    In other words, whether or not any of the open source developers whose license agreements/copyrights were violated choose to sue Sony is irrelevant as to whether or not Sony BMG broke the law. They clearly did.

  5. AnonX2 says:

    In response to sm:

    Judging from the Hot Coffee incident, the presence of inaccessible code in a public release of software is a sticky situation. Whether or not they can be held liable in court is another matter, but in theory with a “mod” I’m sure you could provide an interface to the XCP code.

  6. Joshua Tauberer says:

    With the talk about whether one of the OSS projects will sue, maybe this is a criminal offense (http://www.copyright.gov/title17/92chap5.html#506) and the DOJ should step in…..

  7. Dale says:

    I wonder how DVD Jon feels now. Not so smug and self-righteous I bet. Here he was thinking he was SuperBit, helping mankind break DRM, and one of the first people to use his code do so to enhance DRM!

  8. abb3w says:

    First, the Hot Coffee incident is a bad parallel. Hot Coffee was activating stub assembly code (present, but not normally used), by end users. Based on the above report, it seems that Sony used a portion of the copyrighted DRMS code (that is: the code was both present AND in active use), and redistributed the derived executable without associated source. The latter part is a violation of the (L?)GPL license terms. Unfortunately for any copyright case against Sony, any competent Sony lawyer will be arguing that by withdrawing the product from the market once learning the GPL code was included, they are no longer distributing the code. This leaves any case against trying to argue that withdrawal of the offending product is not a sufficient equitable remedy. This would be an uphill battle… unless, of course, you can prove that Sony understood they were using copyrighted code.

    Getting an order for discovery of materials related to whether or not Sony knowingly infringed would doubtless release a large variety of interesting correspondence between First4Internet and Sony about the XPC software. IANAL, but I’d guess the discovery order (nearly routine in litigation) would be much easier than the anti-equity argument… especially since First4Internet doesn’t have any protection from the GPL’s big nasty teeth whatsoever, and discovery would help Sony prove they weren’t corporate co-conspirators. The doctrine of unclean hands might have DIRE consequences for the copyright status of any XPC protected music, which might make any future contract negotiations with artists even harder than the current bad press already has.

    Sony is up an excremental tributary without propulsion, and those aren’t WATERfalls they’re hearing ahead.

  9. mamling says:

    > Are you aware of any of the authors suing for infringement?

    Within minutes of the first such suit, the FUD mongers will be claiming that developers should stay away from Open Source software for fear of being sued.

  10. James Katt says:

    What is interesting about Fairplay is that Apple can come out with new versions of iTunes with each version having an updated encryption algorithm and automatically updating the encrypted key database to conform with the algorithm.

    Thus, even if the DRM algorithm is broken through reverse engineering, Apple can always update it at any time with a new version of iTunes – thus keeping ahead of the hackers.

    Apple has an updatable DRM. This is, in the end, what allows Apple to keep ahead of reverse engineering, while allowing the user to be not connected to the iTunes Music Store server to play their music.

  11. anonymous says:

    Customer 1: Have you got anything without DRM?
    Music Exec: Well, there’s DRM egg sausage and DRM, that’s not got much DRM in it.
    Customer 1: I don’t want ANY DRM!
    Customer 2: Why can’t she have egg bacon DRM and sausage?
    Music Exec: THAT’S got DRM in it!
    Customer 2: Hasn’t got as much DRM in it as DRM egg sausage and DRM, has it?
    Vikings: DRM DRM DRM DRM… (Crescendo through next few lines…)

    etc, etc.

  12. Anonymous says:

    If this report on SunnComm is true, and it seems so, it would explain the complete lack of morality of all the players involved in the recent fiasco, Sony-BMG, SunnComm and First4Internet.

    http://p2pnet.net/story/7201

  13. Tulse says:

    I don’t mean this as flamebait, but as a genuine question: How can one get upset about violations of the GPL for software that violates Apple’s Terms of Service? Aren’t the two licenses covered by the same basic principle, in that you can use them if you agree to the terms, and not use them if you don’t? How can one get legalistic about open source license violations while applauding violations of commercial licenses without courting hypocrisy, or at the very least undermining the legal principles that allow open source licenses in the first place?

  14. Anonymous says:

    Tulse:
    Copyright does underlie both, and the GPL would not work w/o copyrights to license, but the difference is profound.

    Terms of service are contracts of adhesion; you can’t negotiate them. The GPL is NOT a contract at all and makes no effort to limit what you do with or to a product for your own use.

    DRM also erodes fair use, an important element of copyright since it balances the social cost of exclusive use with public goods like educational exceptions.

  15. Tulse says:

    I will grant that both the GPL and Apple’s ToS are vastly different in intent, and in their implications for fair use and the like. But the issue raised here seems to be primarily a legal one, namely, did Sony violate the GPL in a legal sense. And it seems to me the only way one can defend the legal foundation of the GPL is by also defending the legal foundation (if not the philosophical principles or societal implications) of commercial ToS. I just find it odd that folks get legalistic about GPL violations, but happily support violations of other licenses, since as I understand it, it’s the same legal mechanisms that protect both.

    I am not a lawyer, however, and I’d be happy to have this issue clarified.

  16. Andy Green says:

    Are you sure this is a GPL violation by the nice folks at First4Internet? If they linked in pure GPL code then perhaps the intention – and effect – was to GPL their DLL at least. Maybe they just forgot to send out a LICENSE file and somebody should just ask for the sources.

    Of course, because the GPL operates through the act of distribution, perhaps owners of this novel GPL’d DRM binary might equally ask Sony(-BMG) for the sources they are entitled to, since Sony distributed it.

  17. Paul says:

    The difference is subtle, and to some perhaps meaningless, but this is it. Sony/F4I broke the terms of the license (GPL) in what they did. DRMS is offered as a tool that does not fall within the terms of Apple’s ToS; however, it is not illegal for DVD Jon to release it. It is true he is enabling people to break the Apple ToS, but in releasing the software he doesn’t break their ToS, whereas Sony actively broke the terms of the GPL.

    I do agree though that many people who I would term “open-source zealots” look at protections for public IP vs private IP in a very different light, and try and bend their interpretations of the law to fit their views. However, it is far more hypocritical to steal someone else’s IP to protect your own. And we haven’t even started talking about the ramifications of hijacking someone’s computer with a rootkit without their knowledge.

  18. HJ says:

    I can’t locate the link at the moment, but wasn’t one of the DRM peddlers recently responding to complaints about (non-)interoperability with iTunes by telling its customers to please contact Apple and urge them to open up FairPlay?

  19. John Nilsson says:

    Someone said that DRM erodes fair use. I just want to mention the fact that the threat against fair use is negligible in comparison with how DRM erodes _unregulated_ use.

    In respect to the GPL discussion: Remember that even though the GPL relies on copyright to be effective, its purpose is to reverse it.

  20. J. P. Milne says:

    John Nilsson:
    The question is, should my right to fair use be eroded so that unregulated use may be diminished?

    Answers:
    Recording industry: Yes. DRM actively applied.
    Customers: No. Active struggle to remove DRM restrictions.
    Me: I have not been consulted by either party about my rights.

  21. conspiracy theorist says:

    What are the odds that First4Internet and/or Sony deliberately introduced the code with the intention of essentially shaking down Apple? “Look…we have a proof of concept…we can make our players compatible…it’s no development cost to you…why don’t you just license us the rights to co-market? If you don’t work with us, it’s obviously just a matter of time until DVD-Jon does the same thing, so you might as well go with the flow…give us a good deal, and we’ll all come out ahead.”

  22. Poster says:

    I don’t think DRM is a kiss from the mouth of God, but I find Apple’s Fairplay reasonable. It’s something I can live with, which is much more than I can say about the other guys.

  23. James says:

    What have they been smoking over at sony?

    First this reprehensible rootkit fiasco, then it appears that they themselves have not only ‘taken’ code, but have incorporated it into a system designed to prevent users from owning songs they buy. Sony, can you say hypocrisy?

  24. Dennis D. McDonald says:

    I think Conspiracy Theorist may be on to something.

  25. Boing Boing: Sony rootkit ripped off anti-DRM code to break says:

    [...] So when Sony’s arms-dealer was making its munitions, it added an attractive new feature for Sony and others: the ability to break DRM to sneak music into iTunes. The answer is that XCP utilizes the DRMS code not to remove Apple DRM but to add it. I’ve discovered that XCP uses code from DRMS as part of a hidden XCP feature that provides iTunes and iPod compatibility. This functionality has shipped on nearly every XCP CD, but it has never been enabled or made visible in the XCP user interface. Despite being inactive, the code appears to be fully functional and was compatible with the current version of iTunes when the first XCP CDs were released. This strongly suggests that the infringing DRMS code was deliberately copied by XCP’s creator, First4Internet, rather than accidentally included as part of a more general purpose media library used for other functions in the copy protection system. Link [...]

  26. Adam says:

    I have a copy protected CD, can somebody please give me step by step instructions on how to get the actual songs off of it so they’re playable in iTunes? Thanks!