Category Archives: DRM

iTunes 6

Some of you have been pinging me about iTunes 6. I’ve yet to start reverse engineering iTunes 6 as I don’t have much free time in my personal life these days. Spending hours on end in front of a debugger with pen and paper is not an attractive proposition in the great San Diego weather. Perhaps I’ll find the time in December.

What follows is a high-level description of FairPlay that I wrote for a Norwegian journalist:

The encryption algorithm used in FairPlay is AES. The keys used are 128-bit.

When you buy a song in the iTunes Music Store from a new PC for the first time, the Music Store servers generate a random user key. Once the song has finished downloading, iTunes uses this user key to apply DRM to the file. What happens when iTunes asks for a username and password to authorize the computer is that all the user keys belonging to your account are downloaded and stored on the PC.

Under Windows the user keys are stored in a file in the folder

C:\Documents and Settings\All Users\Application Data\Apple Computer\iTunes\SC Info

and under MacOS X in the folder

/Users/Shared/SC Info

This user key store is encrypted with a key that is computed from various pieces of information (under Windows these are the BIOS version, the name of the CPU, the Windows Product ID and the serial number of the C: hard drive).

If you have an iPod, iTunes will copy the user key store over during synchronization and encrypt it with a key that is computed from the serial number of the iPod.

The only thing you need in order to decrypt a FairPlay file is therefore the user key that was used to apply FairPlay to the file.

To obtain your user keys you can either extract them from the user key store on the PC or the iPod, or you can download them from Apple's servers (FairKeys) in the same way iTunes does when the machine is authorized.

Apple has never changed how FairPlay is applied to the files. What they have changed several times, however, is how the user key store is encrypted. They have also changed the protocol for communicating with the Music Store servers in an attempt to shut out programs other than iTunes from, for example, downloading the user keys.

The protocol for communicating with the Music Store servers is HTTP-based. See these two XML files for an overview of the commands:

It is the same protocol that is used in SharpMusique to buy files from the iTunes Music Store without DRM.
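The key store binding described above, modelled as an added example (not code from this blog, FairKeys or iTunes). The SHA-256 key derivation, the HMAC-based cipher standing in for AES, and every identifier value are assumptions made for illustration; the model shows what binding a key store to machine identifiers does and does not protect.

```python
import hashlib, hmac, os

def binding_key(identifiers):
    """Assumed KDF: SHA-256 over length-prefixed identifiers, cut to 128 bits."""
    h = hashlib.sha256()
    for data in (value.encode("utf-8") for value in identifiers):
        h.update(len(data).to_bytes(4, "big") + data)
    return h.digest()[:16]

def _prf(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    # HMAC-SHA256 in counter mode: a stdlib stand-in for the AES the page names.
    blocks = (_prf(key, nonce + i.to_bytes(4, "big")) for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, b"".join(blocks)))

def seal(key, plaintext):
    nonce = os.urandom(16)
    body = nonce + _xor_stream(_prf(key, b"enc"), nonce, plaintext)
    return body + _prf(_prf(key, b"mac"), body)      # encrypt-then-MAC

def unseal(key, blob):
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(_prf(key, b"mac"), body)):
        raise ValueError("wrong binding key or corrupted key store")
    return _xor_stream(_prf(key, b"enc"), body[:16], body[16:])

def opens(identifiers, blob):
    try:
        return unseal(binding_key(identifiers), blob)
    except ValueError:
        return None

# Constructed identifiers: BIOS version, CPU name, Product ID, C: serial; iPod serial.
PC_A = ["BIOS-A01", "Example CPU 2.0GHz", "00000-000-0000000-00000", "1A2B-3C4D"]
PC_B = ["BIOS-B07", "Example CPU 3.0GHz", "11111-111-1111111-11111", "5E6F-7A8B"]
IPOD = ["CONSTRUCTED-SERIAL-01"]

def demo():
    user_keys = os.urandom(16) + os.urandom(16)      # two random 128-bit user keys
    pc_store = seal(binding_key(PC_A), user_keys)
    # Sync: open the store on the PC, then re-seal it under the iPod-derived key.
    ipod_store = seal(binding_key(IPOD), opens(PC_A, pc_store))
    return {
        "copied_to_pc_b": opens(PC_B, pc_store),     # None: store does not open elsewhere
        "recomputed_on_pc_a": opens(list(PC_A), pc_store) == user_keys,
        "ipod_copy": opens(IPOD, ipod_store) == user_keys,
    }
```

A store copied to another machine does not open, but no secret enters the derivation, so the binding holds only as long as the derivation and the identifiers stay unknown to other software on the same machine.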

Real Music

Article: Real in online music price war

Media software firm RealNetworks has halved the price of its music downloads in an aggressive attempt to boost its share of the online music market.

The company is offering songs for $0.49 each, down from the usual $0.99, while albums are available for just $4.99.

Interview with Rob Glaser over at

Q: Has the Harmony project met your expectations?

A: No, it has blown them away. We took the decision at the beginning of the year to implement Harmony. It really went back to some things we were working on before, where we’ve had good experience with creating technology with interoperability in the past.

What a coincidence 🙂

Article: Real ‘frees’ Apple’s iPod player

It says its engineers used publicly-available information in order to work out how to make files compatible with Apple’s digital rights management (DRM) software, which is called FairPlay.

Article: The Apple of forbidden knowledge (via Luis Villa)

How exactly had Real “broken into” the iPod? It hadn’t broken into my iPod, which is after all my iPod. If I want to use Real’s service to download music to my own device, where’s the breaking and entering? … So leaving aside the legal claim for a moment, where is the ethical foul? Apple was saying (and apparently believed) that Real had broken into something different from my iPod or your iPod. They had broken into the idea of an iPod. (I imagine a small, Platonic white rectangle, presumably imbued with the spirit of Steve Jobs.)

Really Fair

Real ‘frees’ Apple’s iPod player

Software firm RealNetworks says it has found a way for tunes from its store to be played on devices like Apple iPods.
Previously, the only tracks with digital protection the iPod would play were those from the iTunes store.

It says its engineers used publicly-available information in order to work out how to make files compatible with Apple’s digital rights management (DRM) software, which is called FairPlay.

What took them so long? Probably the legal review 😉

Some details from Karl Lillevold (RealNetworks Sr. Codec Engineer):

As you know, the RealNetworks music store sells songs in 192 kbps AAC (as opposed to iTMS at 128 kbps). When transferring your purchased songs to the iPod, the AAC itself is not touched, but the Helix DRM is transmuxed to the DRM used by the iPod, i.e. fully protected and without trans-coding. If you then transfer the file back to your PC (for instance with Anapod), you get an M4P file, that is a protected MPEG-4 AAC file.


I’ve released FairKeys, a tool which lets you retrieve your FairPlay keys from Apple’s servers.

Instructions for MacOS X users:

1. Install MonoFramework-1.0.4.dmg
2. Start
3. curl -O ‘
4. tar -zxvf FairKeys-latest.tar.gz ; cd FairKeys-*
5. mcs -target:exe -out:"FairKeys.exe" -r:ICSharpCode.SharpZipLib.dll -r:System.Web.dll *.cs
6. mono FairKeys.exe <AppleID> <Password>