Update to the app.asar file in Rekordbox v6.6.5 breaks database unlocking

[dylanljones]

Pioneer changed the app.asar file contents in Rekordbox version 6.6.5.
The encryption password of the database key is no longer stored in plain text, which breaks the database unlocking.

Previously, the app.asar file contained JS files in plain text.
Since update 6.6.5 the JS files are now stored in a compiled format (.jsc).
The password should still be somewhere in the content of the file (jsc/controllers/auth_manager.jsc), but it can no longer be extracted easily.

Please feel free to join the discussion if you have any ideas!

Environment

• Rekordbox version: >=6.6.5

[morenoh149]

can a copy of the .jsc be shared in this thread?

[dylanljones]

I am not sure if it is a good idea to share parts of the source code of Pioneer here, but i can send you an Email if you want to have a look at the auth_manager.jsc file.
If you have Rekordbox 6.6.5 installed, it is also really easy to extract the file from the asar archive yourself. I made a little tool to print out or extract single files form an archive, if you are interested, it is here. The app.asar file is located in RBv6 program data directory in .../rekordbox 6.6.5/rekordboxAgent-win32-x64/resources

[cheung31]

@dylanljones would asarlib allow one to inspect the auth_manager.jsc for the password?

[dylanljones]

The asarlib package only extracts the contents of the archive, so it is not possible to read the password. The auth_manager.jsc is not stored in plain text, but the password should still be stored in the file somewhere, although scrambled.

[niderhoff]

Hey guys, just want to chime in and ask if I understand the problem correctly.

I am using pyrekordbox master installed from git, Rekordbox v 6.6.5 and I was trying to run the rekordbox 6 example code from the readme (https://github.com/dylanljones/pyrekordbox#rekordbox-6-database). I am directly using the example code, which I copied directly from the readme:

from pyrekordbox import Rekordbox6Database

db = Rekordbox6Database()

for content in db.content():
	print(content.Title, content.Artist.Name)

However, it would always give me the following error, which was a bit confusing to me at first glance: "WARNING:root:No Rekordbox 5 folder found in /Applications". Then it would crash.

Then I turned on the debugger and found that the problem must be inside the _get_rb6_config function which is invoked from config.py during import. It in turn invokes the _get_rb_config function, which I assume is for rekordbox 5, hence the confusing warning.

Apart from that, the function _get_rb6_config correctly identifies my master.db location.

The following procedures of said function include

# Read password from app.asar, see
# https://www.reddit.com/r/Rekordbox/comments/qou6nm/key_to_open_masterdb_file/

asar_data = read_rekordbox6_asar(conf["install_dir"])
match = re.search('pass: ".(.*?)"', asar_data).group(0)

It looks like something is read from the asar file but the regex does not match 'pass:' anywhere in the asar file. This results in a KeyError, because group(0) tries to index in an empty list and the error is not handled.

Question 1: Am I right in assuming that this line (i.e. the regex matching part) needs to be swapped out for some clever parsing of the asar_data which can read the obfuscated password?

You mention that

The asarlib package only extracts the contents of the archive, so it is not possible to read the password. The auth_manager.jsc is not stored in plain text, but the password should still be stored in the file somewhere, although scrambled.

After some googling I found that .jsc is most likely the nodejs equivalent of something like bytecode. So it would need to be de-compiled to be read properly, and according to my research that is quite a dead end, since there have been no public attempts to de-compile .jsc files generated with node > 8.4 in the past 2 years or so.

Question 2: You think this might be true or is it some other kind of obfuscation in place here? In general I am not very experienced in reverse engineering... any ideas how we could go about it?

I tried to extract the contents of the asar using asarlib but it failed because of some KeyError on (self.header["files"]) at some point in the extraction loop, so I could not verify or further analyze the structure or contents of the asar file.

[11ib]

Does anyone have the path to the auth_manager.jsc file? I couldn't find it on a fresh install of Rekordbox (6.6.8) on Windows.

[dylanljones]

Hey everybody, sorry for the late response!

@niderhoff, regarding question 1, you are totally right. Before we could just do a regex search, but ever since update 6.6.5 all the relevant files in the app.asar archive are scrambled. I also looked for a clever way to hack the .jsc file, but with no result.
So I think it really is a "compiled" version of a JavaScript file, but I have no clue how one could de-compile it. This should also answer your second question... But I still have some hope left that it can be reverse engineered somehow, however I am also not too experienced in that field.
The warning due to the missing Rekordbox v5 installation was a bad design decision on my part. Didn't notice it since I still have v5 installed, but I will fix that. Thanks for letting me know:) Also sorry to hear that asarlib failed, to be honest I only tested it with the app.asar from my Rekordbox installation.

@11ib, the auth_manager.jsc is stored in the app.asar file, which is a kind of archive that contains files and directories. There are tools out there to extract the contents (like the one I wrote, which is pretty buggy). The path for the archive on Windows is something like

C:\Program Files\Pioneer\rekordbox 6.5.3\rekordboxAgent-win32-x64\resources\app.asar

Hope that answers a few question, I wish I knew more. And thank you for your interest!

[niderhoff]

Apparently .jsc is compiled v8 bytecode. We can disassemble v8 bytecode, but it will not bring back javascript, but instead human readable v8 instructions: https://github.com/noelex/v8dasm. Maybe then we can look through it look for something that might look like the password.

Another route would be if you knew the format of the password (assuming it has not changed since rekordbox 6.4, you could search in the hex dump for a string which has roughly the same length and type of characters.)

[DanielMS93]

Any progress on this guys? i'm hitting the same issue i believe

[dylanljones]

Hey, sorry for the inactivity, have a lot of other stuff going on right now.
Sadly no progress so far, but I am looking into a few things! The key is still the same as in earlier Rekordbox versions, but i would really like to avoid just hard-coding it for legal reasons (as discussed at the end of this blog of rekordcloud).

[niderhoff]

Hey Dylan I might have a idea, can I contact you somehow?

[dylanljones]

Sorry, just realized my Email wasn't showing up. It should be on my profile now. You can contact me there!

[DanielMS93]

Could we use blackbox for credentials?

…

On Wed, 26 Jul 2023 at 23:04, Dylan ***@***.***> wrote: Hey, sorry for the inactivity, have a lot of other stuff going on right now. Sadly no progress so far, but I am looking into a few things! The key is still the same as in earlier Rekordbox versions, but i would *really* like to avoid just hard-coding it for legal reasons (as discussed at the end of this <https://rekord.cloud/blog/technical-inspection-of-rekordbox-6-and-its-new-internals> blog of rekordcloud). — Reply to this email directly, view it on GitHub <#64 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AKXEGX3WRCOYZEHVZUUDUY3XSGH5XANCNFSM6AAAAAARRGJTAQ> . You are receiving this because you commented.Message ID: ***@***.***>

[puhitaku]

The disassembly of a simple hello world shows that the string "Hello World!" is stored in a "Constant pool" as-is, like other usual executables.

$ cat app.js
function foo() {
    console.log("Hello World!")
}

foo()

$ node --print-bytecode --print-bytecode-filter=foo app.js
[generated bytecode for function: foo (0x1f66e1498a39 <SharedFunctionInfo foo>)]
Bytecode length: 19
Parameter count 1
Register count 3
Frame size 24
OSR urgency: 0
Bytecode age: 0
   21 S> 0x1f66e1499ac0 @    0 : 21 00 00          LdaGlobal [0], [0]
         0x1f66e1499ac3 @    3 : c3                Star1
   29 E> 0x1f66e1499ac4 @    4 : 2d f9 01 02       GetNamedProperty r1, [1], [2]
         0x1f66e1499ac8 @    8 : c4                Star0
         0x1f66e1499ac9 @    9 : 13 02             LdaConstant [2]
         0x1f66e1499acb @   11 : c2                Star2
   29 E> 0x1f66e1499acc @   12 : 5e fa f9 f8 04    CallProperty1 r0, r1, r2, [4]
         0x1f66e1499ad1 @   17 : 0e                LdaUndefined
   49 S> 0x1f66e1499ad2 @   18 : a9                Return
Constant pool (size = 3)
0x1f66e1499a61: [FixedArray] in OldSpace
 - map: 0x12fa427812e1 <Map>
 - length: 3
           0: 0x12fa42784a01 <String[7]: #console>
           1: 0x32d47820c731 <String[3]: #log>
           2: 0x1f66e14999f9 <String[12]: #Hello World!>
Handler Table (size = 0)
Source Position Table (size = 10)
0x1f66e1499ad9 <ByteArray[10]>
Hello World!

I compiled the app.js into jsc and the constant is still intact in the binary.

$ npm install -g bytenode
$ bytenode -n -c app.js
$ grep "Hello World!" app.jsc
Binary file app.jsc matches

As @dylanljones pointed out, the key is the same as in the previous version, and the key may be stored in the jsc intact if it is not obfuscated in a way we don't expect.

Expecting that the key is a string literal, this gives us a way to "match" the key string that fulfills the known format with surrounding fingerprints of constants. Embedding the match condition (not the key itself) in this repository will not cause any legal concerns.

How about this idea?

[puhitaku]

I wish I could get Rekordbox older than 6.6.5 ...

[dylanljones]

Hi @puhitaku,

thanks for joining in on the discussion! Sadly, the key is not a string literal and is obfuscated in some way. I already tried to match the known key - without any success...
Do you know if there is an option for that when generating the .jsc? If so, there might be a way to reverse the obfuscation.

@DanielMS93, thank you for the hint! As far as i understand, blackbox just encrypts the 'shipped' keys, right? I did not spend a lot of time looking into it yet, but it seems we still would have to ship the (encrypted) key, right? But i will look a bit more into blackbox:)

[dylanljones]

Maybe we should use some workaround until we have figured out how to de-obfuscate the .jsc files (as some other projects do, see issue #77)

[niderhoff]

One could pass the key to the db handler. This is how it would look:

from pyrekordbox import Rekordbox6Database

db = Rekordbox6Database(key="<insert key here>")

for content in db.get_content():
    print(content.Title, content.Artist.Name)

playlist = db.get_playlist()[0]
for song in playlist.Songs:
    content = song.Content
    print(content.Title, content.Artist.Name)

if you had an old installation, rb.cache file, or the key noted down, you can just use it like thit.

If not one could go to #77 where someone linked to another repository where the developer(s) have embedded the key into the code.

[dylanljones]

The key of the Rekordbox v6 database can now be downloaded and cached from external sources (mainly the projects in #77) using the command line interface:

python -m pyrekordbox download-key

This is still just a workaround, it still would be nice to find a way to extract the key from the .jsc-files, especially if Pioneer decides to change the key (maybe in Rekordbox v7?). In the mean time this fix should get the project running for everyone:)

If anyone finds some more sources for the key, feel free to add them to the CLI or post the links here in case the other projects remove the key!