AACS errors on Fedora FC 19 X64

The place to discuss linux version of MakeMKV
heretic
Posts: 2
Joined: Tue Dec 31, 2013 12:28 am

Re: AACS errors on Fedora FC 19 X64

Post by heretic »

Having the exact same problems here as well. The CFLAGS option isn't causing a segfault for me but it's not working around the problem either. I'd be interested in exactly how it was spear installed the F19 version of openssl and then configured makemkv to use those libs instead. Using --prefix either isn't the right way to do it or that workaround isn't working for me either.

Code: Select all

MakeMKV v1.8.7 linux(x64-release) started
Using direct disc access mode
Error 'Scsi error - ILLEGAL REQUEST:COPY PROTECTION KEY EXCHANGE FAILURE - KEY NOT ESTABLISHED' occurred while issuing SCSI command AD010..080002400 to device 'SG:dev_11:0'
Error 'Scsi error - ILLEGAL REQUEST:COPY PROTECTION KEY EXCHANGE FAILURE - KEY NOT ESTABLISHED' occurred while issuing SCSI command AD010..080002400 to device 'SG:dev_11:0'
Error 'Scsi error - ILLEGAL REQUEST:COPY PROTECTION KEY EXCHANGE FAILURE - KEY NOT ESTABLISHED' occurred while issuing SCSI command AD010..080002400 to device 'SG:dev_11:0'
Error 'Scsi error - ILLEGAL REQUEST:COPY PROTECTION KEY EXCHANGE FAILURE - KEY NOT ESTABLISHED' occurred while issuing SCSI command AD010..080002400 to device 'SG:dev_11:0'
Error 'Scsi error - ILLEGAL REQUEST:COPY PROTECTION KEY EXCHANGE FAILURE - KEY NOT ESTABLISHED' occurred while issuing SCSI command AD010..080002400 to device 'SG:dev_11:0'
Error 'Scsi error - ILLEGAL REQUEST:COPY PROTECTION KEY EXCHANGE FAILURE - KEY NOT ESTABLISHED' occurred while issuing SCSI command AD010..080002400 to device 'SG:dev_11:0'
Error 'Scsi error - ILLEGAL REQUEST:COPY PROTECTION KEY EXCHANGE FAILURE - KEY NOT ESTABLISHED' occurred while issuing SCSI command AD010..080002400 to device 'SG:dev_11:0'
Error 'Scsi error - ILLEGAL REQUEST:COPY PROTECTION KEY EXCHANGE FAILURE - KEY NOT ESTABLISHED' occurred while issuing SCSI command AD010..080002400 to device 'SG:dev_11:0'
Error 'Scsi error - ILLEGAL REQUEST:COPY PROTECTION KEY EXCHANGE FAILURE - KEY NOT ESTABLISHED' occurred while issuing SCSI command AD010..080002400 to device 'SG:dev_11:0'
Error 'Scsi error - ILLEGAL REQUEST:COPY PROTECTION KEY EXCHANGE FAILURE - KEY NOT ESTABLISHED' occurred while issuing SCSI command AD010..080002400 to device 'SG:dev_11:0'
Error 'Scsi error - ILLEGAL REQUEST:COPY PROTECTION KEY EXCHANGE FAILURE - KEY NOT ESTABLISHED' occurred while issuing SCSI command AD010..080002400 to device 'SG:dev_11:0'
Error 'Scsi error - ILLEGAL REQUEST:COPY PROTECTION KEY EXCHANGE FAILURE - KEY NOT ESTABLISHED' occurred while issuing SCSI command AD010..080002400 to device 'SG:dev_11:0'
Error 'Scsi error - ILLEGAL REQUEST:COPY PROTECTION KEY EXCHANGE FAILURE - KEY NOT ESTABLISHED' occurred while issuing SCSI command AD010..080002400 to device 'SG:dev_11:0'
Error 'Scsi error - ILLEGAL REQUEST:COPY PROTECTION KEY EXCHANGE FAILURE - KEY NOT ESTABLISHED' occurred while issuing SCSI command AD010..080002400 to device 'SG:dev_11:0'
Error 'Scsi error - ILLEGAL REQUEST:COPY PROTECTION KEY EXCHANGE FAILURE - KEY NOT ESTABLISHED' occurred while issuing SCSI command AD010..080002400 to device 'SG:dev_11:0'
Can't read AACS VID from disc - most likely current AACS host certificate is revoked by your drive
Highest AACS version is v1 , MKB saved as /home/<munge>/.MakeMKV/MKB_v1_LOGICAL_VOLUME_ID.tgz
The volume key is unknown for this disc - video can't be decrypted
Failed to open disc
This was while trying to rip The Corpse Bride.

Code: Select all

[root@localhost .MakeMKV]# uname -a
Linux localhost.localdomain 3.12.5-302.fc20.x86_64 #1 SMP Tue Dec 17 20:42:32 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
[root@localhost .MakeMKV]# rpm -q openssl-devel
openssl-devel-1.0.1e-30.fc20.x86_64
spear
Posts: 4
Joined: Sun Aug 19, 2012 12:29 am

Re: AACS errors on Fedora FC 19 X64

Post by spear »

This is quick-and-dirty, but it worked for me. I pointed to the older version of openssl-libs but I don't think it was needed, just the older include files:

Code: Select all

# extract older openssl files
mkdir -p /path/to/private/openssl
cd /path/to/private/openssl
rpm2cpio /path/to/openssl-devel-1.0.1e-4.fc19.x86_64.rpm | cpio -dumiv
rpm2cpio /path/to/openssl-libs-1.0.1e-4.fc19.x86_64.rpm | cpio -dumiv

# unpack makemkv-oss-1.8.7
cd /path/to
tar xzf /path/to/makemkv-oss-1.8.7.tar.gz
cd /path/to/makemkv-oss-1.8.7
./configure   # I prefer to add --prefix=/usr/local

# edit Makefile
vi Makefile
# append this to CFLAGS:
# -L/path/to/private/openssl/usr/lib64 -I/path/to/private/openssl/usr/include
#
# I also prefer to change LIBDIR to lib64:
# LIBDIR=$(PREFIX)/lib64

make
make install
nevergonnahappen4me
Posts: 7
Joined: Sun Dec 22, 2013 10:35 am

Re: AACS errors on Fedora FC 19 X64

Post by nevergonnahappen4me »

I upgraded to F20 just to test this, and can confirm, my earlier suggestion does result in a segmentation fault in F20 (it worked just fine in F19, I promise).

In F20, you can run './configure' as usual, then edit the Makefile, adding ' -DOPENSSL_NO_EC' to the line that starts with 'CFLAGS='. Build and install normally after that.
tctc1
Posts: 4
Joined: Sat Dec 21, 2013 12:36 am

Re: AACS errors on Fedora FC 19 X64

Post by tctc1 »

Yahoo! That hack works for me with F20 x86_64 and MakeMKV 1.8.7. Thanks!
miracoolix
Posts: 10
Joined: Sat Dec 14, 2013 7:39 am

Re: AACS errors on Fedora FC 19 X64

Post by miracoolix »

Yes, can also confirm it's working on fc20.

Thanks!
MartinKG
Posts: 15
Joined: Wed May 26, 2010 4:58 pm

Re: AACS errors on Fedora FC 19 X64

Post by MartinKG »

now I was also able to create a rpm package that successfully works.

part in the rpm spec file:

Code: Select all

CFLAGS="$RPM_OPT_FLAGS -DOPENSSL_NO_EC"
%configure CPPFLAGS="%{optflags} -I%{_includedir}/ffmpeg"
hakayova
Posts: 6
Joined: Tue Dec 31, 2013 8:39 pm

Re: AACS errors on Fedora FC 19 X64

Post by hakayova »

mike admin wrote:...
UPDATE2: Kudos to nevergonnahappen4me for figuring out the bug and workaround. The workaround works for both F19 and F20.
nevergonnahappen4me wrote:In F20, you can run './configure' as usual, then edit the Makefile, adding ' -DOPENSSL_NO_EC' to the line that starts with 'CFLAGS='. Build and install normally after that.
Thank you for this awesome solution. It did work for me.
heretic
Posts: 2
Joined: Tue Dec 31, 2013 12:28 am

Re: AACS errors on Fedora FC 19 X64

Post by heretic »

Confirmed for me as well. The makefile work-around did the trick for me too. Thanks to spear also for sharing the FC19 work-around.

Now I can get back to ripping all these BDs I bought at the Blockbuster closure sales. :D
zeroepoch
Posts: 20
Joined: Sat Apr 14, 2012 6:45 pm

Re: AACS errors on Fedora FC 19 X64

Post by zeroepoch »

I'd suggest that the configure script detect if EC curves work with the selected openssl library and if not automatically append -DOPENSSL_NO_EC to CFLAGS. This is what the configure script is suppose to do anyways. It detects your system configuration and adjusts to it. If this change was made for future releases then no one would need any hacks.
belegdol
Posts: 26
Joined: Mon Mar 05, 2012 5:30 pm

Re: AACS errors on Fedora FC 19 X64

Post by belegdol »

I did some checks and found the following: the ec support was added to openssl-1.0.1e-27.fc20, but was then limited to only NIST Suite B in openssl-1.0.1e-28.fc20. -27 works with makemkv, -28 does not.
Which curves are needed by makemkv? With this information I could file a bug asking to have them re-enabled. Hopefully these are not the encumbered ones...
mike admin
Posts: 4075
Joined: Wed Nov 26, 2008 2:26 am
Contact:

Re: AACS errors on Fedora FC 19 X64

Post by mike admin »

belegdol wrote:I did some checks and found the following: the ec support was added to openssl-1.0.1e-27.fc20, but was then limited to only NIST Suite B in openssl-1.0.1e-28.fc20. -27 works with makemkv, -28 does not.
Which curves are needed by makemkv? With this information I could file a bug asking to have them re-enabled. Hopefully these are not the encumbered ones...
This is not because of NIST curves. The openssl in fedora has an unique fips patch. The library can be in two modes - fips and non-fips. Several "insecure" ciphers are always disabled in fips mode. On fedora default is non-fips, and even then application can switch to non-fips mode, in order to use "old" ciphers. Now, the bug - most places where fips check is made, it is made properly - inside #ifdef OPENSSL_FIPS and by calling "is fips enabled" function. However for EC, whoever was making a patch made an unconditional decision: all EC curves smaller than 256 bits are always disabled if OPENSSL_FIPS is #defined. AACS uses 192-bit curves. The patch is fedora-specific and there is no way to detect the condition during configure/compile time. The proper fix is to allow any curve order in non-fips mode. Starting with next version MakeMKV will automatically use its own EC code if compiled on fedora.
belegdol
Posts: 26
Joined: Mon Mar 05, 2012 5:30 pm

Re: AACS errors on Fedora FC 19 X64

Post by belegdol »

Thank you for the detailed explanation. I have posted this to redhat bugzilla, hopefully 192 bit curves can be enabled.

ETA: I got the answer, turns out it has nothing to do with FIPS - 192 bit curves cannot be enabled for legal reasons. Damn patents...
mike admin
Posts: 4075
Joined: Wed Nov 26, 2008 2:26 am
Contact:

Re: AACS errors on Fedora FC 19 X64

Post by mike admin »

Can you please post the link to a bug here - I'm curious.
belegdol
Posts: 26
Joined: Mon Mar 05, 2012 5:30 pm

Re: AACS errors on Fedora FC 19 X64

Post by belegdol »

https://bugzilla.redhat.com/show_bug.cgi?id=1042715

There is almost nothing specific there, as the legal stuff cannot be discussed in public
gchen98
Posts: 1
Joined: Fri Jan 10, 2014 4:31 pm

Re: AACS errors on Fedora FC 19 X64

Post by gchen98 »

Thanks for the following guys! This worked for me and I am actually running F18, just in case anyone with an older version of Fedora is coming across this problem too.
nevergonnahappen4me wrote:I upgraded to F20 just to test this, and can confirm, my earlier suggestion does result in a segmentation fault in F20 (it worked just fine in F19, I promise).

In F20, you can run './configure' as usual, then edit the Makefile, adding ' -DOPENSSL_NO_EC' to the line that starts with 'CFLAGS='. Build and install normally after that.
Post Reply