i'll share what i know with caveat that i don't have a working tool for this. problem with tracking this down is exposing an exploit results in it getting patched, so there's incentive to be secretive about such things. hopefully someone here has experience doing this, it has been changing rapidly.
it can be done, depends on your background (real CS knowledge helps immensely) and amount of time you have. but there's a steady stream of easily available content from tons of groups that don't require the extra time, work and risk. it needs multiple people doing different roles to divide the labor and liability. it can become costly. even if you have the chops to get L1 keys, it's a lot of work for one person. all reasons i've chosen to stay out of doing that myself. it'd be nice to have that ability within i2p so trying to give a realistic view here not discourage.
I've noticed a resurgence in 4k webrip content and even some 1080p content, it seems to avoid needing to sacrifice a device for a new single episode.
L1 ups the difficulty by a huge margin from what i can tell and i have ZERO real experience with L1, but it seems for better than 720p you need to break this. hopefully someone here does have experience with this.
Hard part #1: Keys
the way widevine works generally:
Streaming Service Verification Tokens ---> (a) Client Issues Widevine Challenge ---> Server Issues Widevine License ---> Client Extracts Key and Stores in White-Box ---> Decryption of Content ---> Decrypted Content Held Within Memory Buffers ---> (b) Video Sent Securely via HDCP
there are different levels of widevine decryption:
L1: highest level, hardware based protection. both cryptography and media processing operations occur in a trusted execution environment (TEE). services like netflix will use this for 4k/1080p content
L2: Only cryptography operations are executed in a TEE, not media processing.
L3: software based DRM only (keys can be accessed without dealing with TEE but are obfuscated, also are not tied to device)
with L1, compatible devices have a hardware based secure storage area (the TEE). to my understanding rooting a device will cause it to drop use of L1 and go to L3, so you'll be stuck with non 1080p+. a successful exploit will get the public/private key pair from the device's keybox.
on safety side, information is embedded in the stream. this is a reason not everything is L1 encrypted, it's more intensive since the server can be modifying the stream to include identifiable information. so when the media is shared, the device keys (core part of the CDM/content delivery module) will get blacklisted and the CDM is burned.
so a single CDM is expensive in both the device (nvidia shields for ex) and time/skills to crack and get the keys. if you don't have unlimited time and money you want this CDM to go as far as possible, which can include rate limiting downloads and releasing things in batch that use that CDM since it will be lost when shared.
To get keys out of the TEE there needs to be an exploit specific to the hardware that will give you read/write access, without signaling that the keybox has been compromised. seems that android based devices have the most available exploits. the whole point of having hardware dedicated TEE is to shield information there from the broader CPU using a private key set by the factory. the private key is never supposed to physically leave the TEE. From there need to be able to extract the contents from the TEE.
so the real trouble is getting a working CDM, there may be someone out there that can provide this, but if you want to do consistent releases you need to have a supply of CDMs. With L1, it seems to me like the only way to do this is to have a steady stream of devices to get keys from, so your best bet is to learn how to do this aspect or find someone that can. If you're capable of doing this then OPSEC should be a breeze at least. whoever is doing this needs to understand how to do it, not just run a script that will inevitably break one day, because things will get patched and a new method (likely requiring a different device load out) will be needed.
I'll have to look but there are some tools that might be usable, but you still need a working CDM for them to work.
Some groups may have figured out how to erase identifiable embedded info from the stream, which would save their CDMs from getting burned. from what i've gleaned i couldn't imagine how this would be done and looks much more difficult than comparing 2 streams obtained with different CDMs to find the changed bits, but if you had the time and skills anything is possible. if i had to guess i don't think this is done and groups need to constantly acquire keys.
webrips are way simpler to do but can be a pain, only need to bypass HDCP which is easily done with an off market hdmi splitter. to be safe you'd still want to be concerned about visual watermarking and have good opsec. with settings tuned right and a decent re-encode the quality can be ok, and for some things it CAN make sense to do this. Some groups have opted to webrip certain 4k content of popular tv series to avoid needing to sacrifice an expensive CDM for a single episode and some less popular content is still being webripped at 1080p.
Some useful background:
https://i.blackhat.com/asia-21/Thursday ... n-QTEE.pdf
https://github.com/enovella/TEE-reversing
https://github.com/tomer8007/widevine-l ... ion-Module
https://github.com/Satsuoni/widevine-l3-guesser
https://tamirzb.com/attacking-android-k ... -trustzone
https://forum.videohelp.com/forums/48-V ... ownloading
https://github.com/CloudRealm/widevine- ... /README.md
Hard part #2: OPSEC/INFOSEC
you need burner accounts as well as a stream of crackable devices. accounts will get banned for suspicious activity, so you need to be careful or could lose a valuable CDM and the burner account. burner accounts and devices need to be purchased safely like with prepaid cards, cash, "alternatively obtained" cc's/accounts, crypto (not bitcoin) etc.
i wouldn't trust a vpn for obfuscation, would probably want something like 2+ vps's from different providers (obviously purchased anonymously) to multihop through wireguard. I would assume that the stream is going to embed identifiable info should it be shared, so you should be careful with this setup and test it. it's been a while since i've looked at specifics of what is embedded but i think it's safest to just assume the worst in this scenario.
have a separate system just for webdl, do hardening, connect only wired, remove all wireless hardware physically, put it on a separate subnet by itself with no non-associated devices (especially iot), make a deadman switch, full disk encryption and/or whatever else. i might have been over the top and encryption is probably good enough. it's a good time to re-examine your own "normal" network. wire everything you can, use wireguard, examine every device and view it as a potential source of compromise, throw a physical firewall in there. keep your attack surface small and simple.
some people may consider some of this unnecessary and over the top. be paranoid, do an appraisal of the state of your opsec/infosec, bolt it down best you can, test it, repeat. seems people tend to get tracked down more from following money and real life personal contacts. more in line with what i'd think of as basic police work. no reason to think more sophisticated tools aren't or won't be utilized though. So major weak links here as far as easily traceable activities go are acquiring devices. Other necessary tools like VPS's and burner streamer accounts should be able to be acquired more safely.
streams can also have imperceptible visual watermarks that can (potentially) include identifiable info and both visual and digital embeds are supposed to survive through re-encodes. so would also want to be reasonably careful with webrips. seems like most browsers/os's will only stream 720p, so with L1 being the norm capping needs to come through a device that supports it for max resolution, but it also doesn't seem like devices are being lost this way.
some basic security things:
https://madaidans-insecurities.github.i ... ening.html
Easiest part: dissemination and storage
not much different than regular torrenting, but you accept more risk as a source of new raw content. So you should be careful with your opsec, on i2p this is an added level of protection on one hand but on the other you still need to ensure you are not leaking information, so no reason not to do general hardening for anything used for this.
seed boxes are good for getting new content out especially on private trackers. storage can get expensive though, so they only make sense for seeding new content. the most cost effective way to keep the rest (if you intend to do that) is to self host. in my opinion it's safer to do this in a residence where you control the hardware, not necessarily your own residence though. or better yet (if you are doing the ripping) find someone willing to handle this end of things.
there's a lot of ways to do this but the main idea is the same, keep it separate and hidden in how you connect to it and where it is physically. there's lots of consumer nas's out there but this is a situation where it makes sense to make your own. get something with room to grow. stash or smash drives if you think you're compromised.