Scope DRM spoofing to real Widevine property requests and add focused DRM coverage

[Copilot]

The DRM path was old, lightly guarded, and effectively untested. The main problem was that it could spoof responses based only on reply contents, which made the behavior too broad and unreliable.

• Tighten DRM interception behavior

  • Read the requested DRM property from the binder request Parcel.
  • Only spoof the two properties this feature is meant to own:
    • securityLevel
    • deviceUniqueId
  • Stop overriding unrelated DRM replies that merely happen to contain L2/L3 or a byte array.

• Extract DRM decision logic

  • Move the property-scoping and fallback behavior into a small dedicated helper.
  • Normalize configured security level values before applying them.
  • Keep the fallback explicit and aligned with the existing default DRM config behavior.

• Reduce fragility in the interceptor

  • Reuse a single SecureRandom instance for DRM ID generation.
  • Resolve the config root through Config instead of relying on a hardcoded path shape.

• Add focused coverage

  • Add direct unit tests for DRM override decisions:
    • tracked property detection
    • security level spoofing rules
    • invalid config fallback
    • deviceUniqueId gating on random_drm_on_boot
  • Extend source-level DRM safety tests to verify the interceptor now inspects the request Parcel and targets specific DRM properties.

Example of the behavioral change:

val propertyName = readTrackedPropertyName(data)

if (propertyName == DrmOverrideLogic.SECURITY_LEVEL_PROPERTY) {
    // Only spoof Widevine securityLevel
}

if (DrmOverrideLogic.shouldSpoofDeviceUniqueId(propertyName, isRandomDrmOnBootEnabled())) {
    // Only spoof deviceUniqueId when random DRM is enabled
}

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• android.googlesource.com
  • Triggering command: /home/REDACTED/work/_temp/ghcca-node/node/bin/node /home/REDACTED/work/_temp/ghcca-node/node/bin/node --enable-source-maps /home/REDACTED/work/_temp/copilot-developer-action-main/dist/index.js (dns block)
• dl.google.com
  • Triggering command: /usr/lib/jvm/temurin-17-jdk-amd64/bin/java /usr/lib/jvm/temurin-17-jdk-amd64/bin/java --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.lang.invoke=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.prefs/java.util.prefs=ALL-UNNAMED --add-exports=jdk.compiler/com.sun.tools.javac.api=ALL-UNNAMED --add-exports=jdk.compiler/com.sun.tools.javac.util=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.prefs/java.util.prefs=ALL-UNNAMED --add-opens=java.base/java.nio.charset=ALL-UNNAMED --add-opens=java.base/java.net=ALL-UNNAMED --add-opens=java.base/java.util.concurrent=ALL-UNNAMED --add-opens=java.base/java.util.concurrent.atomic=ALL-UNNAMED --add-opens=java.xml/javax.xml.namespace=ALL-UNNAMED --add-opens=java.base/java.time=ALL-UNNAMED -Xmx2048m -Dfile.encoding=UTF-8 -Duser.country -Duser.language=en -Duser.variant (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

---

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

[appwrite]

Yiğit

Project ID: 67b294d30004942511a5

Functions (1)

Function	ID	Status	Logs
Bootloader Hook	67b296050015d6532253	Queued	View Logs

Tip

JWT tokens let functions act on behalf of users while preserving their permissions