Table of Contents

This document is based on atracdownload from the FreeMD repository. Also compare http://bertrik.sikken.nl/netmd/download.html

Downloading an ATRAC track to a NetMD unit

All upload commands start with:

00 18 00  08 00 46  f0 03 01 03  $o  ff

This is a standard AV/C frame for a vendor defined opcode, where the company ID is 080046 = Sony (same as for MAC addresses, for example). The f0 03 01 03 is unknown. m(1) … m is a nonce from the host and !m is a nonce from the device. These two 8-byte-values are concatenated to form a 16-byte value. The Retail MAC without padding of that value, using the root key of the EKB transferred as key for the MAC will be the session key.

For "Retail MAC" aka "CBC-MAC-Y" aka "ISO/IEC 9797-1, algorithm 3" see google. It basically is standard DES CBC-MAC for all but the last blocks, while the last block is encrypted using 3DES-CBC. The initial IV is zero.

6. TRANSFER CONTENT ID AND ENCRYPTION KEY

 
=> 00 18 00 08 00 46 f0 03 01 03 22 ff 00 00
   $m(1) ... $m(32)
<= 00 18 00 08 00 46 f0 03 01 03 22 00 00 00

$m(1) ... $m(32) is DES encrypted using the session key negotiated in the previous step. The corresponding plain text is

01 01 01 01 $c(1) ... $c(20) $k(1) ... $k(8)

where $c(1) ... $c(20) is the Content ID of the track to transfer (a kind of UUID to recognize the copyrighted work) and $k(1) ... $k(8) is the Key Encryption Key.

7. TRANSFER TRACK DATA

=> 00 18 00 08 00 46 f0 03 01 03 28 ff 00 01
   00 10 01 ff ff 00 $p $q 00 00 $r $s $t $u $v $w
<= 0f 18 00 08 00 46 f0 03 01 03 28 ff 00 01
   00 10 01 ff ff 00 $p $q 00 00 $r $s $t $u $v $w

ffff is a placeholder for the track number (indicated by 10 01). $p$q is the format, 0006 for SP, 9402 for LP2 and a800 for LP4. $r$s for LP2 and LP4 is the number of frames (of 96 bytes for LP4 or 192 bytes for LP2); $t$u$v$w is the number of bytes transferred through the bulk pipe. The number includes the packing overhead.

The meaning or $r$s for SP is not yet known.

The player returns twice from this command. First it just echoes it with the first byte being 0f. This indicates the player is ready to accept the data. From there, you can get the record mode and end position with the playback status and position calls. Now you are expected to transfer the data on endpoint 2 of the interface in bulk mode. After you did this, the player will return again:

<= 09 18 00 08 00 46 f0 03 01 03 28 ff 00 01
   00 10 01 00 !t 00 $p $q 00 00 $r $s $t $u $v $w
   $m(0) ... $m(32)

The track number of the recorded track is returned in !t.

u $v $k(1) … $k(8) $i(1) … u$v is the block size (usually 3f00), $k(x) is the key for DES CBC encryption of the data in this block, and t $m(1) ... $m(8)

<= 09 18 00 08 00 46 f0 03 01 03 48 00 00
   10 01 00 $t

$t is the track number. $m(x) is a simple authorization value: It's 0000000000000000 DES encrypted by the session key.

10. FORGET SESSION KEY

=> 00 18 00 08 00 46 f0 03 01 03 21 ff 00 00 00
<= 09 18 00 08 00 46 f0 03 01 03 21 00 00 00 00

11. END AUTHENTICATED SESSION

=> 00 18 00 08 00 46 f0 03 01 03 81 ff
<= 09 18 00 08 00 46 f0 03 01 03 81 00

Deleting a track (or checking it into the computer)

1. START AUTHENTICATED SESSION

=> 00 18 00 08 00 46 f0 03 01 03 80 ff 00 00 00 00 00
<= 09 18 00 08 00 46 f0 03 01 03 80 00 00 00 00 00 00

NOTE: You hear head movement.

2. REQUEST FOR LEAF ID

=> 00 18 00 08 00 46 f0 03 01 03 11 ff 00 00 00 00 00
<= 09 18 00 08 00 46 f0 03 01 03 11 00 01 00 00 21 cf 06 00 00

3. TRANSFER KEY MATERIAL

=> 00 18 00 08 00 46 f0 03 01 03 12 ff 00 38 00 00
   00 38 00 00 00 01 00 00 00 09 00 01 00 01 00 00
   00 00 01 ca be 07 2c 4d a7 ae f3 6c 8d 73 fa 60
   2b d1 0f f4 7d 45 9c 72 da 81 85 16 9d 73 49 00
   ff 6c 6a b9 61 6b 03 04 f9 ce
<= 09 18 00 08 00 46 f0 03 01 03 12 00 00 38 00 00
   00 38 00 00

4. GET TRACK DRM INFO/CONTENT ID/???

=> 00 18 00 08 00 46 f0 03 01 03 23 ff 10 01 00 $t

m $n $o $p $q $r $s t

<= 00 18 00 08 00 46 f0 03 01 03 40 00 00
   10 01 00 $t $m(1) ... $m(8)

m(1) … $m(8)

7. FORGET SESSION KEY

=> 00 18 00 08 00 46 f0 03 01 03 21 ff 00 00 00
<= 09 18 00 08 00 46 f0 03 01 03 21 00 00 00 00

8. END AUTHENTICATED SESSION

=> 00 18 00 08 00 46 f0 03 01 03 21 ff 00 00 00
<= 09 18 00 08 00 46 f0 03 01 03 81 00 00 00 00