The Cracking of Napster WMA DRM

Update, 10/07/2006: Those following this story might be interested in the release of FairUse4WM, a Janus DRM evasion tool.

Cody Brocious was kind enough to respond to my post below, and then chat with me on AIM about the crack.  Here’s the scoop:

Cody and co. are apparently very near an implementation of a utility
that will allow people to turn songs acquired through Napster Light
(the a la carte service) and Premium (the non-portable subscription
service) into unencrypted files. You have to have paid for the songs
first to do this circumvention, because the keys have to be retrieved
from Napster.  This tool will actually circumvent and remove the
DRM, rather than recording from the sound card or employing other
similar workarounds to create unencrypted files.

The tool will not circumvent Napster To Go songs using Janus DRM, which
is WMA DRM v10 and different from the DRM applied to Light and Premium
songs.  Their utility is indeed based on the Beale Screamer code document
and only works with the WMA DRM code pre-v10.  After the Beale Screamer
code’s release, a tool called Freeme was released that decrypted WMA
files, but MS updated WMA to account for this problem and secure the
keys held client-side. Since the utility “requests the license from the
Napster license server just like the official client does,” that update
does not affect it.
Technically, this is distinct from the PyMusique crack for iTMS.

Cody suggests that Napster Light and Premium songs do not use the Janus
DRM because of backwards compatibility issues.  If Napster Light
were to sell songs using Janus, the pre-Janus portable players (that
is, most players on the market) would not be able to play the content.
This issue does not apply to the non-portable Napster Premium; however,
since Napster To Go only works with WinXP, I imagine that all Win2k
users may have problems if Premium were to use Janus DRM. 

So Napster could respond to this crack simply by updating all DRM to
Janus, but it would come at great cost.  Cody acknowledged other
ways they could change the way they encrypt the content, but he
believes these changes would be trivial to circumvent, assuming they do
successfully implement the utility they are currently working on. He
also expects that Janus will be cracked, but stated that he is not
attempting to do so.

The tool will only work with Napster, but Cody expects that this scheme can be applied to other music stores in the future.

Cody sees his actions as “ethical,” irrespective of legality, and he is
willing to “fight the DMCA.”  He wants to be able to play his
lawfully acquired Napster music on Linux.

Further technical details will be available shortly.

Update, noon 12/15: Alex Goodwin, one of Cody’s fellow coders, offers additional details in this comment.

11 Responses to “The Cracking of Napster WMA DRM”

  1. Alex Goodwin
    April 15th, 2005 | 12:46 pm

    We are currently not certain if the napster-to-go service will work with our current code.

    It is my belief (based on Napster's compatible players list) that the Napster To Go service will not function properly with our current code.

    But there is at least some evidence to suggest there are non documented backwards compatibility measures in their store. So we will just have to wait and see.

    Any code we release to allow the wma files to play on linux will NOT be applicable to existing files not purchased through musik since it is not a ‘crack’ of the drm, it is simply an implementation of the drm decryption.

    Our goal is to support all the major music stores in a single framework in python, so that a single app can be used in linux to access them all.

  2. Seth Finkelstein
    April 15th, 2005 | 4:58 pm

    “… and he is willing to “fight the DMCA.” …”

    Well, good luck – and many lawyers – to him. He’ll need both of those.

  3. Carl
    April 15th, 2005 | 6:15 pm

    “He’ll need both of those.”

    If he succeeds, that is. The code that has been released so far doesn’t include any DRM code.

  4. John
    April 15th, 2005 | 6:27 pm

    The fact is: he may never succeed. From this message:
    http://blogs.law.harvard.edu/cmusings/comments?u=cmusings&p=1074&link=http%3A%2F%2Fblogs.law.harvard.edu%2Fcmusings%2F2005%2F04%2F14%23a1074
    It’s obvious that they claimed that Napster’s DRM was cracked without really knowing “how to generate the license _requests_”. So basically they haven’t cracked DRM yet, however they proclaimed that they did! What a childish and stupid act. Now, they may be held liable for misinformation and possible losses from it in addition to possible DMCA and etc. This is plain stupid and for the stupid purpose to be in the center of the spotlight.

  5. Alex Goodwin
    April 16th, 2005 | 11:15 am

    As far as I know, nobody on the project has said “we’ve hacked the drm”; all we said is that we are currently in the process of making an app that should provide linux/mac support for napster (and iTunes). We do think we are quite close to completion, but it is the media/blogs who have come out wrongfully saying that the napster drm has been hacked already (and in my opinion ‘jumping the gun’ on the story a bit). There have also been quite a few other astounding inaccuracies, one story even said something along the lines of ‘while a command line version is currently available for windows, the linux version should be available soon’ which is definitely not the case, and at the time was completely backwards.

  6. John
    April 16th, 2005 | 5:54 pm

    If you don’t really know “how to generate the license _requests_” it’s too premature to declare that you “are quite close to completion”, isn’t it? Or you guys think that you and only you are saving everybody? And therefore you should be in the center of attention! As far as I know that “_request_” is encoded and unless you find all of the following 3: structure of the challenge, algorithm to encode and public key used during encoding: you can not claim/think/or state that you “are quite close to completion”. Time will tell if you will be able to find at least 1 answer to above 3, not to say that you will be able to find all 3, as you may spend all your life finding just public key which I assume is 20 bytes long.
    So, Alex: you may be right stating that media is “’jumping the gun’ on the story a bit”, but looks like you too by that statement.

  7. Carl
    April 18th, 2005 | 12:15 pm

    If you’re quite close to completion, why not actually complete the work before going public? Perhaps the request for donations has something to do with it.

    As for the media jumping the gun, what was Neowin’s response when you requested that they correct the article?

  8. John
    April 23rd, 2005 | 12:40 am

    Looks like it’s not that easy to generate “_requests_”. Grow up!

  9. bryan
    April 27th, 2005 | 11:00 am

    John! You need to grow up if all you do is hang around blogs criticizing others’ creativity. Get a life man.

  10. Senator Manx
    February 16th, 2006 | 8:32 am

    John, you’re jealous. Admit it. You sound just like my ex-girlfriend. Trying to grab a little of the attention for yourself? Huh? Feeling neglected? Been working on this for months, and you can’t get it right? Frustrated? I feel ya, B. We’re with you as you try to work through this difficult time.

  11. Anonymous
    May 14th, 2006 | 12:15 am

    John — “Held liable for misinformation and possible losses from it”???

    Yes, we’re going to sue you for saying you accomplished something when you may have not actually accomplished it — at least according to my own personal interpretation of “accomplish”. That’s against the law.

    Also, we lost a lot of money because you said you accomplished it, and it may not be true, so we’re suing for that too.

    What the hell are you talking about???