BD+

From Wikipedia, the free encyclopedia

Jump to: navigation, search
 This article is in need of attention from an expert on the subject. Please help recruit one or improve this article yourself. See the talk page for details. Please consider using {{Expert-subject}} to associate this request with a WikiProject. (January 2009)

BD+ is a component of the Blu-ray Disc Digital Rights Management system. It was developed by Cryptography Research Inc. and is based on their Self-Protecting Digital Content concept.[1] Its intent was to prevent unauthorized copies of Blu-ray discs and the playback of Blu-ray media using unauthorized devices.

BD+ has proven effective at re-establishing security for new titles, and forcing adversaries to reinvest resources to break each new version of security code.[2] On 1 December 2008 Slysoft announced it would for the first time begin charging its new customers for updates to AnyDVD HD.[3]

BD+ played a pivotal role in the format war of Blu-ray and HD DVD. Several studios cited Blu-ray Disc's adoption of the BD+ anti-copying system as the reason they supported Blu-ray Disc over HD DVD. The copy protection scheme was to take "10 years" to crack, according to Richard Doherty, an analyst with Envisioneering Group.[4]

On 19 November 2007, Macrovision announced that it planned to acquire the SPDC technology (including patents and software code) from CRI for US$45 million in cash plus stock warrants.[5] As of 19 March 2008, SlySoft, makers of media software circumvented the first iteration of BD+. Blu-Ray titles starting with Jumper were introduced with slightly changed BD+ protection. However, in a short time it was also circumvented. A third iteration of BD+ was released in November 2008, and was announced to be cracked by Slysoft with the release of AnyDVD HD 6.5.0.2 on 29 December 2008[6]. A fourth version of BD+ security code was discovered with the movie Australia on 13 February 2009, thwarting the effectiveness of Slysoft's software.[7] On 19 March 2009, AnyDVD HD 6.5.3.1 was released, adding support for some titles with the new BD+ iteration of security code including titles such as Australia.[8] Some BD+ movies were not supported by Slysoft's update, e.g. movies Slumdog Millionaire, The Day the Earth Stood Still, Marley & Me, X-men Trilogy.[9]

Contents

[edit] Capabilities

 This section needs reorganization to meet Wikipedia's quality standards. There is good information here, but it is poorly organized; editors are encouraged to be bold and make changes to the overall structure to improve this article. (January 2009)

BD+ is effectively a virtual machine embedded in authorized players. It allows content providers to include executable programs on Blu-ray Discs. Such programs can:[10]

  • examine the host environment, to see if the player has been tampered with. Every licensed playback device manufacturer must provide the BD+ licensing authority with memory footprints that identify their devices.
  • verify that the player's keys have not been changed.
  • execute native code, possibly to patch an otherwise insecure system.
  • transform the audio and video output. Parts of the content will not be viewable without letting the BD+-program repair it.
  • limit playback of a Blu-Ray disc to the first device in which the disc is played

If a playback device manufacturer finds that its devices have been hacked, it can potentially release BD+-code that detects and circumvents the vulnerability. These programs can then be included in all new disc releases.

The specifications of the BD+ virtual machine are only officially available to licensed device manufacturers. A list of licensed adopters is available from the BD+ website.[11]. Both SlySoft and members of the Doom9 forum have reverse engineered the virtual machine specification, however.

According to the reverse-engineered specification, the virtual machine consists of a 32-bit big endian DLX like processor with 4MB of RAM. It has 32 32-bit registers available for use. A TRAP instruction is used to allow the virtual machine host to perform more complex actions as system calls.[12]

To prevent simple, static disassembly of the BD+ code, an instruction filter is available that can perform an XOR operation on an opcode before executing it. By varying the instruction filter at runtime, the compiler can force an adversary to trace through the code at runtime before they can fully disassemble it.[13]

[edit] Virtual machine

This program which can be found inside the BDSVM directory of a BD+ protected disc is called content code[14]. The content code is executed on a virtual big endian DLX-like processor interfacing 4MB of memory. The processor supports 59 different instructions and a register set consisting of 32 general purpose registers and three special purpose registers for the instruction filter, the clock cycle counter and the program counter. The BD+ Virtual Machine applies memory protection by masking memory access addresses to prevent them from falling outside of the designated memory areas. The execution of content code starts at address 0x1000 relative to the beginning of the payload of the first block of the file 00001.svm (located inside the BDSVM directory).

[edit] Traps

While the BD+ virtual machine is extremely simple, the interface between the virtual machine and the player is somewhat more complicated.[15] BD+ provides the content code with 25 system calls or "traps". An overview is given in the table below. Note that the bits 00-07 of the trap id uniquely identify each trap within a group. The group id itself is specified by the bits 08-16 of the trap id. The group ids seen so far are 00 (event handling), 01 (cryptography operations), 02 (arithmetic operations), 03 (memory operations), 04 (slot memory access), 05 (device access) and 80 (debugging).

Group ID Trap ID Name Parameters
00 000010 TRAP_Finished 0
000020 TRAP_FixUpTableSend 2
01 000110 TRAP_Aes 5
000120 TRAP_PrivateKey 5
000130 TRAP_Random 2
000140 TRAP_Sha1 4
02 000210 TRAP_AddWithCarry 3
000220 TRAP_MultiplyWithCarry 4
000230 TRAP_XorBlock 3
03 000310 TRAP_Memmove 3
000320 TRAP_MemSearch 5
000330 TRAP_Memset 3
04 000410 TRAP_SlotAttach 2
000420 TRAP_SlotRead 2
000430 TRAP_SlotWrite 1
05 000510 TRAP_ApplicationLayer 3
000520 TRAP_Discovery 4
000530 TRAP_DiscoveryRAM 3
000540 TRAP_LoadContentCode 5
000550 TRAP_MediaCheck 6
000560 TRAP_RunNative 4
000570 TRAP_??? 0
80 008010 TRAP_DebugLog 2
008020 TRAP_???  ?
008030 TRAP_???  ?

Each of these system calls can be invoked by the TRAP instruction (opcode 0x39). By convention register 29 is used as the stack pointer holding the memory address of the parameters. After parameter validation the system call is executed and a return code is written to register 1. During its execution the content code performs a series of tests to verify it is being executed in a trusted environment. One of these tests involves asking the player for its certificate with TRAP_Discovery. The RSA signature of this certificate is later verified by the content code using the public key of the license administration which is (optionally in obfuscated form) also stored in the content code. Later the player is asked to sign a random message with ECDSA by calling TRAP_PrivateKey. The generated signature is subsequently verified using the player's public key stored in the previously verified certificate.

[edit] Events

The BD+ virtual machine is event driven. Five callbacks (events) are defined by the interface which the player may invoke to notify the content code of a variety of events, including the playback of various parts of the movie, shutdown or media eject events or player security operations. The event data is exchanged using a dedicated memory area (0x00-0x3F). TRAP_Finished is invoked whenever the content code has finished processing an event. The first event invoked is EVENT_Startup which starts the execution of the content code.

Group ID Event ID Name Parameters
00 000000 EVENT_Startup 1
000010 EVENT_Shutdown 1
01 000110 EVENT_PlaybackFile 2
02 000210 EVENT_??? 2
000220 EVENT_PlaybackSegment 3

[edit] Conversion table

Before a BD+-capable disc is mastered, random sections of the .m2ts files are overwritten by random data, effectively corrupting parts of the content. The original data is stored encrypted and obfuscated within the BD+ content code.[16] After the content code has verified the security of the execution environment, it sends a table with repair instructions (the "conversion table" or "fix-up table") to the player using the system call TRAP_FixUpTableSend. The conversion table consists of one subtable for each .m2ts file on the disc. A subtable consists of multiple, possibly empty, segments which contain the repair descriptors. Each repair descriptor then provides the raw data and the offset needed to repair a small section of a .m2ts file, replacing the corrupted part of the file with the original data.

[edit] Reverse engineering and emulation of BD+ implementations

On November 8, 2007, SlySoft announced that BD+ discs can be copied with their AnyDVD HD software.[17] This was possible because first generation BD+ titles didn't check if AACS was present. This allowed a user to copy a BD to the harddrive and play it back from there using only a specific version of Cyberlink's PowerDVD (3319a), but not to transcode, otherwise manipulate the content or play it back from a burned BD-R or BD-RE. Updated versions of BD+ security code plugged this hole.

On January 9, 2008, engadgethd.com reported that Fox has stated that BD+ has yet to be compromised.[18] When asked how many hi-def 20th Century Fox titles had become available online, the rep reported that the titles were available as HD DVDs in Europe.

On March 3, 2008, SlySoft updated AnyDVD HD allowing the full decryption of BD+ [19], allowing for not only the viewing of the film itself but also playing and copying disks with third-party software.

On March 19, 2008, a new version of AnyDVD HD was released (6.4.0.0) that supports the full removing of the BD+ copy protection for all titles released to date.[20][21][22]

In May 2008 the Blu-Ray release of Jumper introduced a modified version of BD+ security code which prevented the Slysoft AnyDVD HD software from removing BD+. This modified version was again circumvented by Slysoft several months after Jumper hit the streets.

In August 2008, members of the Doom9 forum began work on an independent project to create an open-source implementation of BD+.[23]

In late October 2008, the same Doom9 members made the first working repaired BD+ movie with the previously developed open source tools,[24] and as of November 1, 2008, have created code to debug content produced for BD+'s virtual machine.[25]

On November 2, 2008, Doom9 forums announced that early (pre-May 2008) BD+ discs can be played back using open source software only.[26]

In early November 2008 multiple versions of BD+ security code were released which, according to Slysoft, may take a few months to circumvent.[27]

On December 29, 2008 Slysoft announced that AnyDVD HD 6.5.0.2 decrypts copy protection on all current Blu-ray movies.[6]

On February 13, 2009 a 4th version of BD+ security code was discovered on the movie Australia [28], rendering Slysoft's existing AnyDVD HD software ineffective.

On March 19, 2009 Slysoft announced that AnyDVD HD 6.5.3.1 adds support for some new BD+ protections, e.g. movies Australia, US, The Robe, US, South Pacific, US.[29] Some BD+ movies were not supported by Slysoft's update, e.g. movies Slumdog Millionaire, The Day the Earth Stood Still, Marley & Me, X-men Trilogy.[30]

[edit] See also

[edit] References

  1. ^ "About SPDC". Cryptography Research, Inc.. http://www.cryptography.com/technology/spdc/index.html. Retrieved on 2009-04-12. 
  2. ^ BD+ re-secured, Slysoft beaten
  3. ^ Press release: SlySoft announces new update policy
  4. ^ Ryan Singel (February 26, 2008). "How Crypto Won the DVD War". Wired. http://blog.wired.com/27bstroke6/2008/02/how-crypto-won.html. Retrieved on 2008-02-27. 
  5. ^ "Macrovision to Acquire Blu-ray Disc Security Technology from Cryptography Research, Inc.". http://www.macrovision.com/company/newscenter/pressreleases/1434_7711.htm. 
  6. ^ a b SlySoft defeats Blu-ray's BD+ DRM scheme again
  7. ^ BD+ discs that may not work properly with Anydvd HD
  8. ^ "AnyDVD change log". http://www.slysoft.com/. March 19, 2008. http://www.slysoft.com/download/changes_anydvd.txt. 
  9. ^ More BD+ discs that may not work properly with Anydvd HD
  10. ^ "Blu-ray Disc Next-Generation Optical Storage: Protecting Content on the BD-ROM" (PDF). DELL. http://www.dell.com/downloads/global/vectors/brcp.pdf. Retrieved on 2007-05-03. 
  11. ^ BD+ Technologies LLC
  12. ^ Doom9 thread on reverse engineering
  13. ^ Doom9 thread on instruction filter
  14. ^ Doom9 thread on reverse engineering
  15. ^ Doom9 thread on reverse engineering
  16. ^ Doom9 thread on reverse engineering
  17. ^ AnyDVD 6.1.9.6 beta - SlySoft Forum
  18. ^ BD+ has not been compromised, yet, Engadget HD.
  19. ^ Press Release: AnyDVD HD now with BD+ support - SlySoft Forum
  20. ^ AnyDVD 6.4.0.0 - SlySoft Forum
  21. ^ ZDNet Blogs
  22. ^ Press Release: AnyDVD HD now with BD+ support - SlySoft Forum
  23. ^ Finally handling BD+ - Doom9 Forum
  24. ^ [1] Finally handling BD+ - Doom9 Forum
  25. ^ Dawson, K (2008-11-01). "Doom9 Researchers Break BD+". Slashdot. http://it.slashdot.org/it/08/11/01/1728222.shtml. Retrieved on 2008-11-02. 
  26. ^ Doom9 forums announced that BD+ disc can be copied
  27. ^ BD+ movies that Anydvd HD 6.4.8.4 beta may not handle properly
  28. ^ BD+ discs that may not work properly with Anydvd HD
  29. ^ AnyDVD (HD) 6.5.3.1 released
  30. ^ More BD+ discs that may not work properly with Anydvd HD
v  d  e
High definition media
Media formats
Promoter
Interactivity
Recordable formats
Comparison
Copy protection
AACS (both)  · HDCP (both)  · BD+ (BD)  · ROM-Mark (BD)
Blu-ray Disc players
HD DVD players
Retrieved from "http://en.wikipedia.org/wiki/BD%2B"
Personal tools