Dump L3 CDM from any Android device
This repository has been archived on 2024-04-03. You can view files and clone it, but cannot push or open issues/pull-requests.
Go to file
Diazole 16df7440d6 Add support for Android 13 2023-07-28 18:56:47 +01:00
Helpers Add support for Android 13 2023-07-28 18:56:47 +01:00
.gitignore Update .gitignore 2021-12-03 12:29:36 +01:00
README.md Add support for Android 13 2023-07-28 18:56:47 +01:00
dump_keys.py Add support for Android 13 2023-07-28 18:56:47 +01:00
requirements.txt Update script to support Android 10, 11, 12 2022-10-04 23:23:53 +01:00



Dumper is a Frida script to dump L3 CDMs from any Android device.


The function parameters can differ between CDM versions. The default is [4] but you may have to change this for your specific version in the script.js.



Use pip to install the dependencies:

pip3 install -r requirements.txt


The script will hook every function in your widevine 'libwvhidl.so'/'libwvaidl.so' modules by default, effectively brute forcing the private key function name.

python3 dump_keys.py

You can pass the function name to hook using the --function-name argument. You can use this post to retrive it by yourself.

python3 dump_keys.py --function-name 'polorucp'

The script defaults to args[4] if no --cdm-version is provided. This will only have an effect if your version is 16.1.0 or 17.0.0.

python3 dump_keys.py --cdm-version '16.1.0'

You can pass the .so -module name using the --module-name argument. By default it looks in the libwvhidl.so and libwvaidl.so files. It can have multiple values. Its name can change depending on the version and SoC including but not limited to: libwvaidl.so, libwvhidl.so, libwvdrmengine.so, libwvm.so, libdrmwvmplugin.so source. You can find your module name in the /vendor/lib64/ or /vendor/lib/ directories using an ADB shell.

python3 dump_keys.py --module-name 'libwvhidl.so' --module-name 'libwvaidl.so'


    -h, --help                      Print this help text and exit.
    --cdm-version                   The CDM version of the device e.g. '16.1.0'.
    --function-name                 The name of the function to hook to retrieve the private key.
    --module-name                   The name of the widevine `.so` modules.


  1. You've got the function name
  2. You've got the private key
  3. Client ID extracted
  4. Script closed

The following files will be created after a successful dump:

  • client_id.bin - Device identification
  • private_key.pem - RSA private key

Known Working Versions:

  • Android 9
    • CDM 14.0.0
  • Android 10
    • CDM 15.0.0
  • Android 11
    • CDM 16.0.0
  • Android 12
    • CDM 16.1.0
  • Android 13
    • CDM 17.0.0

Temporary disabling L1 to use L3 instead

A few phone brands let us use the L1 keybox even after unlocking the bootloader (like Xiaomi). In this case, installation of a Magisk module called liboemcrypto-disabler is necessary.


Thanks to the original author of the code.