Sorry for the long title. Some context to this: Readium LCP is a DRM-solution created and delivered by the non-profit foundation EDRLab (I guess we’ve learned by now that non-profit doesn’t equal good), based in France.

EDRLab is an international, non-profit development laboratory working on the deployment of an open, interoperable and accessible digital publishing ecosystem worldwide.

In recent years they’ve gained a large market share in the EU first and foremost, providing both regular e-book shops in many EU countries and libraries with this DRM (if you’re interested in some more technical information regarding this DRM solution, I’d recommend reading Terence’s previous blog post). What’s particular to this solution is that they’ve historically been very litigious about any attempts to DeDRM it. The most famous plugin for DeDRMing books in Calibre (mainly Adobe DRM) has been the NoDRM plugin, and they did release a DeDRM solution to LCP v1.0 but they were threatened with legal action with a DMCA takedown request (read more on Github).

In recent days, Terence Eden posted a fully legal solution on his blog on how to bypass their DRM. This was also posted to the /r/Calibre subreddit, see the following image: Reddit image I also made a thread on Lemmy here.

Nonetheless, after around a day the thread was removed on the Calibre subreddit. The only rule I could find that maybe could be applied to this (if it was illegal, and if Terence did this with any other material that wasn’t his own) is the rule against piracy. But it feels weird. Calibre subreddit post about rules Calibre subreddit rules

This subreddit has previously allowed, and still allow, discussions around the NoDRM plugin and how to DeDRM the Adobe DRM. What makes this fully legal solution of bypassing LCP any different? It can probably be deduced that the EDRLab foundation contacted the subreddits moderators, or reddit admins, and “threatened” them in order to have it taken down. Or guilt tripped them as they also did towards Terence. Aside from their previous DMCA takedown request to the NoDRM people, just look at their arrogant correspondence towards Terence (more in his blog post). Threatening him on no legal basis as well as somehow blaming their failure on developing accessibility tools to him posting about this solution:

“We were planning to now focus on new accessibility features on our open-source Thorium Reader, better access to annotations for blind users and an advanced reading mode for dyslexic people. Too bad; disturbances around LCP will force us to focus on a new round of security measures, ensuring the technology stays useful for ebook lending (stop reading after some time) and as a protection against oversharing.”

These are some of the reasons why I think a federated web will be necessary moving forth. I really dislike DRM, but also these methods that DRM organizations use in order to control the conversation. Thanks for reading and engaging with my small fixation on DRM and especially LCP :)

  • MonkderVierte@lemmy.ml
    9·
    2 days ago

    Putting it all together

    If you’ve unzipped the original ePub, you’ll see the internal directory structure. It should look something like this:

    ├── META-INF
│   └── container.xml
├── mimetype
└── OEBPS
    ├── content.opf
    ├── images
    │   ├── cover.jpg
    │   ├── image1.jpg
    │   └── image2.png
    ├── styles
    │   └── styles.css
    ├── content
    │   ├── 001-cover.xhtml
    │   ├── 002-about.xhtml
    │   ├── 003-title.xhtml
    │   ├── 004-chapter_01.xhtml
    │   ├── 005-chapter_02.xhtml
    │   └── 006-chapter_03.xhtml
    └── toc.ncx

    Add the extracted files into that exact structure. Then zip them. Rename the .zip to .epub. That’s it. You now have a DRM-free copy of the book that you purchased.

    BONUS! PDF Extraction

    LCP 2.0 PDFs are also extractable. Again, you’ll need to open your purchased PDF in Thorium with debug mode active. In the debugger, you should be able to find the URl for the decrypted PDF.

    It can be fetched with:

     JavaScriptfetch("thoriumhttps://0.0.0.0/pub/..../publication.pdf") .then(response => response.arrayBuffer())
  .then(buffer => {
    let base64 = btoa(
      new Uint8Array(buffer).reduce((data, byte) => data + String.fromCharCode(byte), '')
    );
    console.log(`${base64}`);
  });

    Copy the output and Base64 decode it. You’ll have an unencumbered PDF.

    Next Steps

    That’s probably about as far as I am competent to take this.

    But, for now, a solution exists. If I ever buy an ePub with LCP Profile 2.0 encryption, I’ll be able to manually extract what I need from it - without reverse engineering the encryption scheme.

    Ethics

    Before I published this blog post, I publicised my findings on Mastodon. Shortly afterwards, I received a LinkedIn message from someone senior in the Readium consortium - the body which has created the LCP DRM.

    They said:

    ​ Hi Terence, You’ve found a way to hack LCP using Thorium. Bravo! We certainly didn’t sufficiently protect the system, we are already working on that. From your Mastodon messages, you want to post your solution on your blog. This is what triggers my message. From a manual solution, others will create a one-click solution. As you say, LCP is a “reasonably inoffensive” protection. We managed to convince publishers (even big US publishers) to adopt a solution that is flexible for readers and appreciated by public libraries and booksellers. Our gains are re-injected in open-source software and open standards (work on EPUB and Web Publications). If the DRM does not succeed, harder DRMs (for users) will be tested. I let you think about that aspect

    I did indeed think about that aspect. A day later I replied, saying:

    ​ Thank you for your message. Because Readium doesn’t freely licence its DRM, it has an adverse effect on me and other readers like me.

    • My eReader hardware is out of support from the manufacturer - it will never receive an update for LCP support.
    • My reading software (KOReader) have publicly stated that they cannot afford the fees you charge and will not be certified by you.
    • Kobo hardware cannot read LCP protected books.
    • There is no guarantee that LCP compatible software will be released for future platforms.

    In short, I want to read my books on

    my

    choice of hardware and software; not yours. I believe that everyone deserves the right to read on their platform of choice without having to seek permission from a 3rd party. The technique I have discovered is basic. It is an unsophisticated use of your app’s built-in debugging functionality. I have not reverse engineered your code, nor have I decrypted your secret keys. I will not be publishing any of your intellectual property. In the spirit of openness, I intend to publish my research this week, alongside our correspondence.

    Their reply, shortly before publication, contained what I consider to be a crude attempt at emotional manipulation.

    ​ Obviously, we are on different sides of the channel on the subject of DRMs. I agree there should be many more LCP-compliant apps and devices; one hundred is insufficient. KOReader never contacted us: I don’t think they know how low the certification fee would be (pricing is visible on the EDRLab website). FBReader, another open-source reading app, supports LCP on its downloadable version. Kobo support is coming. Also, too few people know that certification is free for specialised devices (e.g. braille and audio devices from Hims or Humanware). We were planning to now focus on new accessibility features on our open-source Thorium Reader, better access to annotations for blind users and an advanced reading mode for dyslexic people. Too bad; disturbances around LCP will force us to focus on a new round of security measures, ensuring the technology stays useful for ebook lending (stop reading after some time) and as a protection against oversharing. You can, for sure, publish information relative to your discoveries to the extent UK laws allow. After study, we’ll do our best to make the technology more robust. If your discourse represents a circumvention of this technical protection measure, we’ll command a take-down as a standard procedure.

    A bit of a self-own to admit that they failed to properly prioritise accessibility!

    Rather than rebut all their points, I decided to keep my reply succinct.

    As you have raised the possibility of legal action, I think it is best that we terminate this conversation.

    I sincerely believe that this post is a legitimate attempt to educate people about the deficiencies in Readium’s DRM scheme. Both readers and publishers need to be aware that their Thorium app easily allows access to unprotected content.

    I will, of course, publish any further correspondence related to this issue.

    • Yingwu@lemmy.dbzer0.comOPEnglish
      5·
      2 days ago

      Thanks for this! This should maybe be posted in a separate thread in a relevant community? !piracy@lemmy.dbzer0.com could be an alternative, but at the same time, DeDRMing does not always equal piracy (and is a legal thing to do in many countries in cases of personal backups etc).