HTTP Live Streaming with fragmented MP4 (fMP4 HLS)

When streaming fMP4 over HLS, Apple specifies the ‘cbcs’ encryption scheme for encrypting content. This is the only encryption scheme of the 3rd edition of the Common Encryption (CENC) specification that Apple supports.

Because the ‘cbcs’ is part of CENC, adding it to Origin’s fMP4 HLS output requires you to signal the encryption information as being compatible with CENC in addition to signaling the information for HLS.

Signaling the CENC related information is done with the parameters that start with iss, while the information necessary for HLS is signaled using the parameters starting with hls. The result is that the CEK and KIV need to be signaled twice.

Adding ‘cbcs’ encryption to fMP4 HLS output

Below an example command-line for adding encryption according to CENC’s ‘cbcs’ scheme. Please read HTTP Live Streaming with fragmented MP4 (fMP4 HLS) for some necessary background information.

#!/bin/bash

CEK=3a2a1b68dd2bd9b2eeb25e84c4776668
KID=10000000100010001000100000000001
KIV=f9d9d5f5f3b5bc0372856df068f9f6a2

#Store binary representation of CEK in cek.key file
echo ${CEK} | xxd -p -r > cek.key

mp4split -o tos-fmp4-hls-cbcs.ism \
  --hls.fmp4 \
  --iss.key=${KID}:${CEK} \
  --iss.key_iv=${KIV} \
  --hls.key=:${CEK} \
  --hls.key_iv=${KIV} \
  --hls.license_server_url=cek.key \
  --hls.playout=sample_aes \
  tears-of-steel-aac-128k.cmfa \
  tears-of-steel-avc1-2200k.cmfv

Note

In case you are only concerned with adding encryption to your fMP4 HLS according to CENC’s ‘cbcs’ scheme, the KID that you input as the first part of the value for the --iss.key parameter can be blank, because Apple does not specify the use of a KID. The same is true for the value signaled for --iss.license_server_url, which is not relevant in such cases either.

Adding FairPlay DRM to fMP4 HLS output

Find below an example command-line for adding FairPlay DRM with encryption according to CENC’s ‘cbcs’ scheme. Please read HTTP Live Streaming with fragmented MP4 (fMP4 HLS) for some necessary background information. The ‘<license-server-url>’ that you pass on the command-line using --hls.license_server_url is dependent on your FairPlay implementation (i.e., you have to provide the exact information yourself).

#!/bin/bash

CEK=3a2a1b68dd2bd9b2eeb25e84c4776668
KID=10000000100010001000100000000001
KIV=f9d9d5f5f3b5bc0372856df068f9f6a2

mp4split -o tos-fmp4-hls-cbcs.ism \
  --hls.fmp4 \
  --iss.key=${KID}:${CEK} \
  --iss.key_iv=${KIV} \
  --hls.key=:${CEK} \
  --hls.key_iv=${KIV} \
  --hls.license_server_url=<license-server-url> \
  --hls.playout=sample_aes_streamingkeydelivery \
  tears-of-steel-aac-128k.cmfa \
  tears-of-steel-avc1-2200k.cmfv

Note

In case you do not require any multi-DRM functionality and are only concerned with adding FairPlay, the KID that you input as the first part of the value for the --iss.key parameter can be a dummy, because Apple does not specify the use of a KID. The same goes for the value signaled for --iss.license_server_url, which is not relevant in such cases either.

Adding PlayReady DRM to fMP4 HLS output

PlayReady requires the DRM related information to be signaled in a base64 encoded PlayReady Object, which you should provide yourself. This PlayReady Object will be a blob of data that you can pass on the command-line using the --iss.drm_specific_data. Unified Origin will extract the PlayReady Header (WRMHeader encoded as UTF16) from the PlayReady Object and signal it in the playlist.

#!/bin/bash

KID=10000000100010001000100000000001
CEK=5b7d5b7d5b7d5b7d5b7d5b7d5b7d5b7d
KIV=3B3A3B3A3B3A3B3A3B3A3B3A3B3A3B3A
PR_OBJECT=uAIAAAEAAQCuAjwAVwBSAE0ASABFAEEARABFAFIAIAB4AG0AbABuAHMAPQAiAGgAdAB0AHAAOgAvAC8AcwBjAGgAZQBtAGEAcwAuAG0AaQBjAHIAbwBzAG8AZgB0AC4AYwBvAG0ALwBEAFIATQAvADIAMAAwADcALwAwADMALwBQAGwAYQB5AFIAZQBhAGQAeQBIAGUAYQBkAGUAcgAiACAAdgBlAHIAcwBpAG8AbgA9ACIANAAuADMALgAwAC4AMAAiAD4APABEAEEAVABBAD4APABMAEEAXwBVAFIATAA+AGgAdAB0AHAAOgAvAC8AZQB4AHAAZQByAGkAbQBlAG4AdABhAGwAMQAuAGEAegB1AHIAZQB3AGUAYgBzAGkAdABlAHMALgBuAGUAdAAvAHIAaQBnAGgAdABzAG0AYQBuAGEAZwBlAHIALgBhAHMAbQB4AD8AYwBmAGcAPQAoAGMAawA6AFcAMwAxAGIAZgBWAHQAOQBXADMAMQBiAGYAVgB0ADkAVwAzADEAYgBmAFEAPQA9ACwAYwBrAHQAOgBBAEUAUwAxADIAOABCAGkAdABDAEIAQwApADwALwBMAEEAXwBVAFIATAA+ADwAUABSAE8AVABFAEMAVABJAE4ARgBPAD4APABLAEkARABTAD4APABLAEkARAAgAEEATABHAEkARAA9ACIAQQBFAFMAQwBCAEMAIgAgAFYAQQBMAFUARQA9ACIAQQBBAEEAQQBFAEEAQQBRAEEAQgBBAFEAQQBCAEEAQQBBAEEAQQBBAEEAUQA9AD0AIgA+ADwALwBLAEkARAA+ADwALwBLAEkARABTAD4APAAvAFAAUgBPAFQARQBDAFQASQBOAEYATwA+ADwALwBEAEEAVABBAD4APAAvAFcAUgBNAEgARQBBAEQARQBSAD4A

mp4split -o hls-fmp4-playready.ism \
  --hls.fmp4 \
  --iss.key=$KID:$CEK \
  --iss.key_iv=$KIV \
  --iss.drm_specific_data=$PR_OBJECT \
  --hls.playout=playready \
  --hls.minimum_fragment_length=6 \
  cmaf/tears-of-steel-aac-64k.cmfa \
  cmaf/tears-of-steel-aac-128k.cmfa \
  cmaf/tears-of-steel-avc1-400k.cmfv \
  cmaf/tears-of-steel-avc1-750k.cmfv \
  cmaf/tears-of-steel-avc1-1000k.cmfv \
  cmaf/tears-of-steel-avc1-1500k.cmfv \
  cmaf/tears-of-steel-avc1-2200k.cmfv

Note

Currently (March 2018), the playout support for PlayReady with ‘cbcs’ encryption is very limited. The only known client to support this combination is the XBox with the latest updates installed.