Soooo, after a few evenings of work, I've 100% broken Widevine L3 DRM. Their Whitebox AES-128 implementation is vulnerable to the well-studied DFA attack, which can be used to recover the original key. Then you can decrypt the MPEG-CENC streams with plain old ffmpeg...— Dаvіd Вucһаnаn (@David3141593) January 2, 2019
[Netflix vs. Poco F1] The curious case of Xiaomi / Poco and Widevine certification
New updates are being added at the bottom of this story…….
Original story (published on February 25, 2019) follows:
Xiaomi continues to amaze smartphone enthusiasts by providing excellent hardware configurations under budget. In recent years, the Chinese OEM started to release two distinct flavours of yearly flagships: the regular Mi series and the experimental design oriented Mi MIX series.
Xiaomi has also come up with the sub-brand called Poco (or Pocophone), which is targeted specifically for budget conscious youth gamers as well as modding communities.
At Mobile World Congress 2019, Xiaomi has unveiled Mi 9 as their primary flagship. A 5G refresh of last year’s Mi MIX 3 has also been released. The Chinese OEM considerably fortified their software development team, as the kernel source codes for Mi 9 was released on the launch day.
Amidst these positive vibes, one thing is still missing – it’s nothing but the Widevine L1 certification.
FYI, Widevine is a modular DRM (Digital Rights Management) mechanism. The term became a household name after the rise of streaming services. Services like Netflix or Amazon Prime Video get assurance from the client devices about the tamper resistance capabilities using Widevine.
The most desirable status of Widevine is Level 1 AKA L1, which ensures proper hardware backed DRM measures so that high definition (HD/FHD/UHD/4K) streams can be decrypted and viewed on the target device.
Without the existence of appropriate secret keys in the hardware trustzone falls back Widevine to Level 3. L3 mode is only suitable for validating standard definition video streams up to 540p, even if the device comes with a FHD display and rocks a flagship SoC.
PSA: Widevine L3 DRM is no longer secure.
Widevine operates under Google, and the company does not charge any licensing fees for the certification process.
Widevine supports the use of standards-based royalty-free solutions for encryption, adaptive streaming, transport and player software without licensing fees or required participation in the CWIP training program.
It really does not make any sense not to include Widevine L1 certification on Xiaomi phones. For example, Poco F1 users have got numerous deadlines and excuses from the company officials but they are still on L3.
Alvin Tse, head of Pocophone Global, has now claimed that some video providers do not want to certify a device which is already in the market.
Still trying to close the case with hopefully at least one of the video partners but looks like not every partner is willing to support widevine certification after the device has gone public— Alvin Tse #MiFan (@atytse) February 16, 2019
Technically OTA is possible but some partners just not willing to certify phones that are already on the market. They need to certify before you release into the market. That is their policy unfortunately but we are still trying with one partner— Alvin Tse #MiFan (@atytse) February 16, 2019
Reader may recall that there was a similar incident with OnePlus 5 and 5T. OnePlus asked users to send their phones as “… the security processes involved with updating the devices, we can only deliver the update via a physical connection from an authenticated PC”.
According to Alvin, OnePlus pre-certified their phones, and so the move was possible.
They pre certified before release of the phone— Alvin Tse #MiFan (@atytse) February 16, 2019
Because their BSP is pre validated but just forgot to give users the provision so updating via physical stores worked for them— Alvin Tse #MiFan (@atytse) February 16, 2019
Xiaomi is hopeful that at least one of the (video streaming) partner will certify them in near future.
We are hopeful that one partner would allow us to support Widevine. Some others would not certify us because the device is already out in the market. I would say chance is decent that one video partner will support and we can release to market— Alvin Tse #MiFan (@atytse) February 23, 2019
Yea we've updated on multiple occasions. Just waiting for partners to certify us but many of them don't agree to certifying devices that are out in market. We're hopeful that one would and once they do we can release— Alvin Tse #MiFan (@atytse) February 23, 2019
Because Widevine was extra cost and we wanted to offer Snapdragon 845 as cheaply as affordable— Alvin Tse #MiFan (@atytse) February 23, 2019
The “extra cost” is hard to justify. Yes, it does involve man hours to apply for certification but the rest requires no cost!
The excuses sound more and more groundless, as users are now reporting that the recently launched Mi 9 in China comes with Widevine L3.
Xiaomi’s last year flagships: Mi 8 and Mi MIX 3 (LTE) also lack Widevine L1 certification.
Users can install this app and check existing DRM support (including Widevine) on their phones and tablets.
Xiaomi has expanded their target market to many European regions. A major entry in USA is a longtime cherished plan, but their current stance with Widevine certification will surely take a toll on it.
Update 1 (26 February, 2019)
According to user reports, Xiaomi delivered Widevine L1 certification via a new beta build for Poco F1, carrying the version number 9.2.25.
C Manmohan, general manager of Poco India, has confirmed the event:
Guys! You asked for it, we got it. #POCOF1 is now Widevine L1 certified. We have started rolling out an OTA update (version - 9.2.25) for beta users . Once the beta test is complete, we shall roll it in the upcoming stable updates. We really appreciate your patience.@IndiaPOCO— C Manmohan (@cmanmohan) February 26, 2019
XDA Developers has posted a detailed article, explaining all behind the stage nitty-gritties.
However, Netflix is reportedly falling back to SD mode even after this update, as they have not whitelisted the model yet.
Update 2 (28 February, 2019)
It looks like the European (global) version of Mi 9 does come with Widevine L1 certification, as reported by multiple users (here, here, here).
Update 3 (10 June, 2019)
Alvin confirmed that Netflix would not change their policy for Xiaomi. As a result, Poco F1 users can not watch Netflix in HD even after having Widevine L1 certification.
PiunikaWeb is a unique initiative that mainly focuses on investigative journalism. This means we do a lot of hard work to come up with news stories that are either ‘exclusive,’ ‘breaking,’ or ‘curated’ in nature. Perhaps that’s the reason our work has been picked by the likes of Forbes, Foxnews, Gizmodo, TechCrunch, Engadget, The Verge, Macrumors, and more. Do take a tour of our website to get a feel of our work. And if you like what we do, stay connected with us on Twitter (@PiunikaWeb) and other social media channels to receive timely updates on stories we publish.