refactor(netflix): support multiple video ranges and improve profile handling

- Add support for processing multiple video ranges in parallel
- Handle HYBRID range by fetching HDR10 and DV profiles separately
- Introduce get_profiles_for_range method to retrieve profiles for given range
- Refactor profile fetching logic with detailed logging and error handling
- Validate all requested video ranges are supported by the current codec
- Allow H.264 codec only with SDR range and enforce checks for multiple ranges
- Improve track hydration logic to avoid duplicates across ranges and profiles
- Add logging for multi-range processing and profile fetching details

.gitignore

@@ -1,5 +1,4 @@
 # unshackle
-unshackle.yaml
 unshackle.yml
 update_check.json
 *.mkv
@@ -25,7 +24,6 @@ unshackle/certs/
 unshackle/WVDs/
 unshackle/PRDs/
 temp/
-services/
 
 # Byte-compiled / optimized / DLL files
 __pycache__/
@@ -235,3 +233,4 @@ cython_debug/
 marimo/_static/
 marimo/_lsp/
 __marimo__/
+Cache

CHANGELOG.md

@@ -5,6 +5,43 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [1.4.4] - 2025-09-02
+
+### Added
+
+- **Enhanced DecryptLabs CDM Support**: Comprehensive remote CDM functionality
+  - Full support for Widevine, PlayReady, and ChromeCDM through DecryptLabsRemoteCDM
+  - Enhanced session management and caching support for remote WV/PR operations
+  - Support for cached keys and improved license handling
+  - New CDM configurations for Chrome and PlayReady devices with updated User-Agent and service certificate
+- **Advanced Configuration Options**: New device and language preferences
+  - Added configuration options for device certificate status list
+  - Enhanced language preference settings
+
+### Changed
+
+- **DRM Decryption Enhancements**: Streamlined decryption process
+  - Simplified decrypt method by removing unused parameter and streamlined logic
+  - Improved DecryptLabs CDM configurations with better device support
+
+### Fixed
+
+- **Matroska Tag Compliance**: Enhanced media container compatibility  
+  - Fixed Matroska tag compliance with official specification
+- **Application Branding**: Cleaned up version display
+  - Removed old devine version reference from banner to avoid developer confusion
+  - Updated branding while maintaining original GNU license compliance
+- **IP Information Handling**: Improved geolocation services
+  - Enhanced get_ip_info functionality with better failover handling
+  - Added support for 429 error handling and multiple API provider fallback
+  - Implemented cached IP info retrieval with fallback tester to avoid rate limiting
+- **Dependencies**: Streamlined package requirements
+  - Removed unnecessary data extra requirement from langcodes
+
+### Removed
+
+- Deprecated version references in application banner for clarity
+
 ## [1.4.3] - 2025-08-20
 
 ### Added

unshackle/commands/dl.py

@@ -66,6 +66,18 @@ from unshackle.core.vaults import Vaults
 
 
 class dl:
+    @staticmethod
+    def _truncate_pssh_for_display(pssh_string: str, drm_type: str) -> str:
+        """Truncate PSSH string for display when not in debug mode."""
+        if logging.root.level == logging.DEBUG or not pssh_string:
+            return pssh_string
+
+        max_width = console.width - len(drm_type) - 12
+        if len(pssh_string) <= max_width:
+            return pssh_string
+
+        return pssh_string[: max_width - 3] + "..."
+
     @click.command(
         short_help="Download, Decrypt, and Mux tracks for titles from a Service.",
         cls=Services,
@@ -643,9 +655,12 @@ class dl:
                                 self.log.warning(f"Skipping {color_range.name} video tracks as none are available.")
 
                     if vbitrate:
-                        title.tracks.select_video(lambda x: x.bitrate and x.bitrate // 1000 == vbitrate)
+                         # Tolerance: +100 kbps (upper), -800 kbps (lower)
+                        min_bitrate = max(0, vbitrate - 800)  # Don't go below 0
+                        max_bitrate = vbitrate + 200
+                        title.tracks.select_video(lambda x: x.bitrate and min_bitrate <= x.bitrate // 1000 <= max_bitrate)
                         if not title.tracks.videos:
-                            self.log.error(f"There's no {vbitrate}kbps Video Track...")
+                            self.log.error(f"There's no Video Track with bitrate between {min_bitrate}-{max_bitrate}kbps (requested {vbitrate}kbps)...")
                             sys.exit(1)
 
                     video_languages = [lang for lang in (v_lang or lang) if lang != "best"]
@@ -1167,7 +1182,13 @@ class dl:
                     final_filename = title.get_filename(media_info, show_service=not no_source)
 
                     if not no_folder and isinstance(title, (Episode, Song)):
-                        final_dir /= title.get_filename(media_info, show_service=not no_source, folder=True)
+                        if isinstance(title, Episode):
+                            # Create nested structure: {title}/Season {season:02}/{filename}
+                            final_dir /= title.get_filename(media_info, show_service=not no_source, folder=True)
+                            final_dir /= title.get_season_folder()
+                        else:
+                            # For Song, use existing logic
+                            final_dir /= title.get_filename(media_info, show_service=not no_source, folder=True)
 
                     final_dir.mkdir(parents=True, exist_ok=True)
                     final_path = final_dir / f"{final_filename}{muxed_path.suffix}"
@@ -1228,7 +1249,8 @@ class dl:
 
         if isinstance(drm, Widevine):
             with self.DRM_TABLE_LOCK:
-                cek_tree = Tree(Text.assemble(("Widevine", "cyan"), (f"({drm.pssh.dumps()})", "text"), overflow="fold"))
+                pssh_display = self._truncate_pssh_for_display(drm.pssh.dumps(), "Widevine")
+                cek_tree = Tree(Text.assemble(("Widevine", "cyan"), (f"({pssh_display})", "text"), overflow="fold"))
                 pre_existing_tree = next(
                     (x for x in table.columns[0].cells if isinstance(x, Tree) and x.label == cek_tree.label), None
                 )
@@ -1320,10 +1342,11 @@ class dl:
 
         elif isinstance(drm, PlayReady):
             with self.DRM_TABLE_LOCK:
+                pssh_display = self._truncate_pssh_for_display(drm.pssh_b64 or "", "PlayReady")
                 cek_tree = Tree(
                     Text.assemble(
                         ("PlayReady", "cyan"),
-                        (f"({drm.pssh_b64 or ''})", "text"),
+                        (f"({pssh_display})", "text"),
                         overflow="fold",
                     )
                 )

unshackle/commands/kv.py

@@ -12,84 +12,113 @@ from unshackle.core.vault import Vault
 from unshackle.core.vaults import Vaults
 
 
+def _load_vaults(vault_names: list[str]) -> Vaults:
+    """Load and validate vaults by name."""
+    vaults = Vaults()
+    for vault_name in vault_names:
+        vault_config = next((x for x in config.key_vaults if x["name"] == vault_name), None)
+        if not vault_config:
+            raise click.ClickException(f"Vault ({vault_name}) is not defined in the config.")
+
+        vault_type = vault_config["type"]
+        vault_args = vault_config.copy()
+        del vault_args["type"]
+
+        if not vaults.load(vault_type, **vault_args):
+            raise click.ClickException(f"Failed to load vault ({vault_name}).")
+
+    return vaults
+
+
+def _process_service_keys(from_vault: Vault, service: str, log: logging.Logger) -> dict[str, str]:
+    """Get and validate keys from a vault for a specific service."""
+    content_keys = list(from_vault.get_keys(service))
+
+    bad_keys = {kid: key for kid, key in content_keys if not key or key.count("0") == len(key)}
+    for kid, key in bad_keys.items():
+        log.warning(f"Skipping NULL key: {kid}:{key}")
+
+    return {kid: key for kid, key in content_keys if kid not in bad_keys}
+
+
+def _copy_service_data(to_vault: Vault, from_vault: Vault, service: str, log: logging.Logger) -> int:
+    """Copy data for a single service between vaults."""
+    content_keys = _process_service_keys(from_vault, service, log)
+    total_count = len(content_keys)
+
+    if total_count == 0:
+        log.info(f"{service}: No keys found in {from_vault}")
+        return 0
+
+    try:
+        added = to_vault.add_keys(service, content_keys)
+    except PermissionError:
+        log.warning(f"{service}: No permission to create table in {to_vault}, skipped")
+        return 0
+
+    existed = total_count - added
+
+    if added > 0 and existed > 0:
+        log.info(f"{service}: {added} added, {existed} skipped ({total_count} total)")
+    elif added > 0:
+        log.info(f"{service}: {added} added ({total_count} total)")
+    else:
+        log.info(f"{service}: {existed} skipped (all existed)")
+
+    return added
+
+
 @click.group(short_help="Manage and configure Key Vaults.", context_settings=context_settings)
 def kv() -> None:
     """Manage and configure Key Vaults."""
 
 
 @kv.command()
-@click.argument("to_vault", type=str)
-@click.argument("from_vaults", nargs=-1, type=click.UNPROCESSED)
+@click.argument("to_vault_name", type=str)
+@click.argument("from_vault_names", nargs=-1, type=click.UNPROCESSED)
 @click.option("-s", "--service", type=str, default=None, help="Only copy data to and from a specific service.")
-def copy(to_vault: str, from_vaults: list[str], service: Optional[str] = None) -> None:
+def copy(to_vault_name: str, from_vault_names: list[str], service: Optional[str] = None) -> None:
     """
     Copy data from multiple Key Vaults into a single Key Vault.
     Rows with matching KIDs are skipped unless there's no KEY set.
     Existing data is not deleted or altered.
 
-    The `to_vault` argument is the key vault you wish to copy data to.
+    The `to_vault_name` argument is the key vault you wish to copy data to.
     It should be the name of a Key Vault defined in the config.
 
-    The `from_vaults` argument is the key vault(s) you wish to take
+    The `from_vault_names` argument is the key vault(s) you wish to take
     data from. You may supply multiple key vaults.
     """
-    if not from_vaults:
+    if not from_vault_names:
         raise click.ClickException("No Vaults were specified to copy data from.")
 
     log = logging.getLogger("kv")
 
-    vaults = Vaults()
-    for vault_name in [to_vault] + list(from_vaults):
-        vault = next((x for x in config.key_vaults if x["name"] == vault_name), None)
-        if not vault:
-            raise click.ClickException(f"Vault ({vault_name}) is not defined in the config.")
-        vault_type = vault["type"]
-        vault_args = vault.copy()
-        del vault_args["type"]
-        if not vaults.load(vault_type, **vault_args):
-            raise click.ClickException(f"Failed to load vault ({vault_name}).")
+    all_vault_names = [to_vault_name] + list(from_vault_names)
+    vaults = _load_vaults(all_vault_names)
 
-    to_vault: Vault = vaults.vaults[0]
-    from_vaults: list[Vault] = vaults.vaults[1:]
+    to_vault = vaults.vaults[0]
+    from_vaults = vaults.vaults[1:]
+
+    vault_names = ", ".join([v.name for v in from_vaults])
+    log.info(f"Copying data from {vault_names} → {to_vault.name}")
 
-    log.info(f"Copying data from {', '.join([x.name for x in from_vaults])}, into {to_vault.name}")
     if service:
         service = Services.get_tag(service)
-        log.info(f"Only copying data for service {service}")
+        log.info(f"Filtering by service: {service}")
 
     total_added = 0
     for from_vault in from_vaults:
-        if service:
-            services = [service]
-        else:
-            services = from_vault.get_services()
-
-        for service_ in services:
-            log.info(f"Getting data from {from_vault} for {service_}")
-            content_keys = list(from_vault.get_keys(service_))  # important as it's a generator we iterate twice
-
-            bad_keys = {kid: key for kid, key in content_keys if not key or key.count("0") == len(key)}
-
-            for kid, key in bad_keys.items():
-                log.warning(f"Cannot add a NULL Content Key to a Vault, skipping: {kid}:{key}")
-
-            content_keys = {kid: key for kid, key in content_keys if kid not in bad_keys}
-
-            total_count = len(content_keys)
-            log.info(f"Adding {total_count} Content Keys to {to_vault} for {service_}")
-
-            try:
-                added = to_vault.add_keys(service_, content_keys)
-            except PermissionError:
-                log.warning(f" - No permission to create table ({service_}) in {to_vault}, skipping...")
-                continue
+        services_to_copy = [service] if service else from_vault.get_services()
 
+        for service_tag in services_to_copy:
+            added = _copy_service_data(to_vault, from_vault, service_tag, log)
             total_added += added
-            existed = total_count - added
 
-            log.info(f"{to_vault} ({service_}): {added} newly added, {existed} already existed (skipped)")
-
-    log.info(f"{to_vault}: {total_added} total newly added")
+    if total_added > 0:
+        log.info(f"Successfully added {total_added} new keys to {to_vault}")
+    else:
+        log.info("Copy completed - no new keys to add")
 
 
 @kv.command()
@@ -106,9 +135,9 @@ def sync(ctx: click.Context, vaults: list[str], service: Optional[str] = None) -
     if not len(vaults) > 1:
         raise click.ClickException("You must provide more than one Vault to sync.")
 
-    ctx.invoke(copy, to_vault=vaults[0], from_vaults=vaults[1:], service=service)
+    ctx.invoke(copy, to_vault_name=vaults[0], from_vault_names=vaults[1:], service=service)
     for i in range(1, len(vaults)):
-        ctx.invoke(copy, to_vault=vaults[i], from_vaults=[vaults[i - 1]], service=service)
+        ctx.invoke(copy, to_vault_name=vaults[i], from_vault_names=[vaults[i - 1]], service=service)
 
 
 @kv.command()
@@ -135,15 +164,7 @@ def add(file: Path, service: str, vaults: list[str]) -> None:
     log = logging.getLogger("kv")
     service = Services.get_tag(service)
 
-    vaults_ = Vaults()
-    for vault_name in vaults:
-        vault = next((x for x in config.key_vaults if x["name"] == vault_name), None)
-        if not vault:
-            raise click.ClickException(f"Vault ({vault_name}) is not defined in the config.")
-        vault_type = vault["type"]
-        vault_args = vault.copy()
-        del vault_args["type"]
-        vaults_.load(vault_type, **vault_args)
+    vaults_ = _load_vaults(list(vaults))
 
     data = file.read_text(encoding="utf8")
     kid_keys: dict[str, str] = {}
@@ -173,15 +194,7 @@ def prepare(vaults: list[str]) -> None:
     """Create Service Tables on Vaults if not yet created."""
     log = logging.getLogger("kv")
 
-    vaults_ = Vaults()
-    for vault_name in vaults:
-        vault = next((x for x in config.key_vaults if x["name"] == vault_name), None)
-        if not vault:
-            raise click.ClickException(f"Vault ({vault_name}) is not defined in the config.")
-        vault_type = vault["type"]
-        vault_args = vault.copy()
-        del vault_args["type"]
-        vaults_.load(vault_type, **vault_args)
+    vaults_ = _load_vaults(vaults)
 
     for vault in vaults_:
         if hasattr(vault, "has_table") and hasattr(vault, "create_table"):

unshackle/core/cdm/decrypt_labs_remote_cdm.py

@@ -6,6 +6,7 @@ from typing import Any, Dict, List, Optional, Union
 from uuid import UUID
 
 import requests
+from pywidevine.cdm import Cdm as WidevineCdm
 from pywidevine.device import DeviceTypes
 from requests import Session
 
@@ -70,10 +71,26 @@ class DecryptLabsRemoteCDMExceptions:
 
 class DecryptLabsRemoteCDM:
     """
-    Decrypt Labs Remote CDM implementation compatible with pywidevine's CDM interface.
+    Decrypt Labs Remote CDM implementation with intelligent caching system.
 
     This class provides a drop-in replacement for pywidevine's local CDM using
-    Decrypt Labs' KeyXtractor API service.
+    Decrypt Labs' KeyXtractor API service, enhanced with smart caching logic
+    that minimizes unnecessary license requests.
+
+    Key Features:
+    - Compatible with both Widevine and PlayReady DRM schemes
+    - Intelligent caching that compares required vs. available keys
+    - Optimized caching for L1/L2 devices (leverages API auto-optimization)
+    - Automatic key combination for mixed cache/license scenarios
+    - Seamless fallback to license requests when keys are missing
+
+    Intelligent Caching System:
+    1. DRM classes (PlayReady/Widevine) provide required KIDs via set_required_kids()
+    2. get_license_challenge() first checks for cached keys
+    3. For L1/L2 devices, always attempts cached keys first (API optimized)
+    4. If cached keys satisfy requirements, returns empty challenge (no license needed)
+    5. If keys are missing, makes targeted license request for remaining keys
+    6. parse_license() combines cached and license keys intelligently
     """
 
     service_certificate_challenge = b"\x08\x04"
@@ -110,6 +127,7 @@ class DecryptLabsRemoteCDM:
         self.device_name = device_name
         self.service_name = service_name or ""
         self.vaults = vaults
+        self.uch = self.host != "https://keyxtractor.decryptlabs.com"
 
         self._device_type_str = device_type
         if device_type:
@@ -126,6 +144,7 @@ class DecryptLabsRemoteCDM:
 
         self._sessions: Dict[bytes, Dict[str, Any]] = {}
         self._pssh_b64 = None
+        self._required_kids: Optional[List[str]] = None
         self._http_session = Session()
         self._http_session.headers.update(
             {
@@ -159,6 +178,29 @@ class DecryptLabsRemoteCDM:
         """Store base64-encoded PSSH data for PlayReady compatibility."""
         self._pssh_b64 = pssh_b64
 
+    def set_required_kids(self, kids: List[Union[str, UUID]]) -> None:
+        """
+        Set the required Key IDs for intelligent caching decisions.
+
+        This method enables the CDM to make smart decisions about when to request
+        additional keys via license challenges. When cached keys are available,
+        the CDM will compare them against the required KIDs to determine if a
+        license request is still needed for missing keys.
+
+        Args:
+            kids: List of required Key IDs as UUIDs or hex strings
+
+        Note:
+            Should be called by DRM classes (PlayReady/Widevine) before making
+            license challenge requests to enable optimal caching behavior.
+        """
+        self._required_kids = []
+        for kid in kids:
+            if isinstance(kid, UUID):
+                self._required_kids.append(str(kid).replace("-", "").lower())
+            else:
+                self._required_kids.append(str(kid).replace("-", "").lower())
+
     def _generate_session_id(self) -> bytes:
         """Generate a unique session ID."""
         return secrets.token_bytes(16)
@@ -211,12 +253,14 @@ class DecryptLabsRemoteCDM:
             "pssh": None,
             "challenge": None,
             "decrypt_labs_session_id": None,
+            "tried_cache": False,
+            "cached_keys": None,
         }
         return session_id
 
     def close(self, session_id: bytes) -> None:
         """
-        Close a CDM session.
+        Close a CDM session and perform comprehensive cleanup.
 
         Args:
             session_id: Session identifier
@@ -227,6 +271,8 @@ class DecryptLabsRemoteCDM:
         if session_id not in self._sessions:
             raise DecryptLabsRemoteCDMExceptions.InvalidSession(f"Invalid session ID: {session_id.hex()}")
 
+        session = self._sessions[session_id]
+        session.clear()
         del self._sessions[session_id]
 
     def get_service_certificate(self, session_id: bytes) -> Optional[bytes]:
@@ -265,8 +311,13 @@ class DecryptLabsRemoteCDM:
             raise DecryptLabsRemoteCDMExceptions.InvalidSession(f"Invalid session ID: {session_id.hex()}")
 
         if certificate is None:
-            self._sessions[session_id]["service_certificate"] = None
-            return "Removed"
+            if not self._is_playready and self.device_name == "L1":
+                certificate = WidevineCdm.common_privacy_cert
+                self._sessions[session_id]["service_certificate"] = base64.b64decode(certificate)
+                return "Using default Widevine common privacy certificate for L1"
+            else:
+                self._sessions[session_id]["service_certificate"] = None
+                return "No certificate set (not required for this device type)"
 
         if isinstance(certificate, str):
             certificate = base64.b64decode(certificate)
@@ -291,57 +342,27 @@ class DecryptLabsRemoteCDM:
             raise DecryptLabsRemoteCDMExceptions.InvalidSession(f"Invalid session ID: {session_id.hex()}")
 
         session = self._sessions[session_id]
-        pssh = session.get("pssh")
-
-        if not pssh:
-            return False
-
-        if self.vaults:
-            key_ids = []
-            if hasattr(pssh, "key_ids"):
-                key_ids = pssh.key_ids
-            elif hasattr(pssh, "kids"):
-                key_ids = pssh.kids
-
-            for kid in key_ids:
-                key, _ = self.vaults.get_key(kid)
-                if key and key.count("0") != len(key):
-                    return True
-
-        if self.service_name:
-            try:
-                key_ids = []
-                if hasattr(pssh, "key_ids"):
-                    key_ids = [kid.hex for kid in pssh.key_ids]
-                elif hasattr(pssh, "kids"):
-                    key_ids = [kid.hex for kid in pssh.kids]
-
-                if key_ids:
-                    response = self._http_session.post(
-                        f"{self.host}/get-cached-keys",
-                        json={"service": self.service_name, "kid": key_ids},
-                        timeout=30,
-                    )
-
-                if response.status_code == 200:
-                    data = response.json()
-                    return (
-                        data.get("message") == "success"
-                        and "cached_keys" in data
-                        and isinstance(data["cached_keys"], list)
-                        and len(data["cached_keys"]) > 0
-                    )
-
-            except Exception:
-                pass
-
-        return False
+        session_keys = session.get("keys", [])
+        return len(session_keys) > 0
 
     def get_license_challenge(
         self, session_id: bytes, pssh_or_wrm: Any, license_type: str = "STREAMING", privacy_mode: bool = True
     ) -> bytes:
         """
-        Generate a license challenge using Decrypt Labs API.
+        Generate a license challenge using Decrypt Labs API with intelligent caching.
+
+        This method implements smart caching logic that:
+        1. First attempts to retrieve cached keys from the API
+        2. If required KIDs are set, compares cached keys against requirements
+        3. Only makes a license request if keys are missing
+        4. Returns empty challenge if all required keys are cached
+
+        The intelligent caching works as follows:
+        - For L1/L2 devices: Always prioritizes cached keys (API automatically optimizes)
+        - For other devices: Uses cache retry logic based on session state
+        - With required KIDs set: Only requests license for missing keys
+        - Without required KIDs: Returns any available cached keys
+        - For PlayReady: Combines cached keys with license keys seamlessly
 
         Args:
             session_id: Session identifier
@@ -350,11 +371,15 @@ class DecryptLabsRemoteCDM:
             privacy_mode: Whether to use privacy mode - for compatibility only
 
         Returns:
-            License challenge as bytes
+            License challenge as bytes, or empty bytes if cached keys satisfy requirements
 
         Raises:
             InvalidSession: If session ID is invalid
             requests.RequestException: If API request fails
+
+        Note:
+            Call set_required_kids() before this method for optimal caching behavior.
+            L1/L2 devices automatically use cached keys when available per API design.
         """
         _ = license_type, privacy_mode
 
@@ -365,12 +390,18 @@ class DecryptLabsRemoteCDM:
 
         session["pssh"] = pssh_or_wrm
         init_data = self._get_init_data_from_pssh(pssh_or_wrm)
+        already_tried_cache = session.get("tried_cache", False)
 
-        if self.has_cached_keys(session_id):
-            self._load_cached_keys(session_id)
-            return b""
+        if self.device_name in ["L1", "L2"]:
+            get_cached_keys = True
+        else:
+            get_cached_keys = not already_tried_cache
 
-        request_data = {"scheme": self.device_name, "init_data": init_data}
+        request_data = {
+            "scheme": self.device_name,
+            "init_data": init_data,
+            "get_cached_keys_if_exists": get_cached_keys,
+        }
 
         if self.device_name in ["L1", "L2", "SL2", "SL3"] and self.service_name:
             request_data["service"] = self.service_name
@@ -391,22 +422,108 @@ class DecryptLabsRemoteCDM:
                 error_msg += f" - Details: {data['details']}"
             if "error" in data:
                 error_msg += f" - Error: {data['error']}"
+
+            if "service_certificate is required" in str(data) and not session["service_certificate"]:
+                error_msg += " (No service certificate was provided to the CDM session)"
+
             raise requests.RequestException(f"API error: {error_msg}")
 
-        if data.get("message_type") == "cached-keys" or "cached_keys" in data:
+        message_type = data.get("message_type")
+
+        if message_type == "cached-keys" or "cached_keys" in data:
+            """
+            Handle cached keys response from API.
+
+            When the API returns cached keys, we need to determine if they satisfy
+            our requirements or if we need to make an additional license request
+            for missing keys.
+            """
             cached_keys = data.get("cached_keys", [])
-            session["keys"] = self._parse_cached_keys(cached_keys)
+            parsed_keys = self._parse_cached_keys(cached_keys)
+            session["keys"] = parsed_keys
+            session["tried_cache"] = True
+
+            if self._required_kids:
+                cached_kids = set()
+                for key in parsed_keys:
+                    if isinstance(key, dict) and "kid" in key:
+                        cached_kids.add(key["kid"].replace("-", "").lower())
+
+                required_kids = set(self._required_kids)
+                missing_kids = required_kids - cached_kids
+
+                if missing_kids:
+                    session["cached_keys"] = parsed_keys
+
+                    if self.device_name in ["L1", "L2"]:
+                        license_request_data = {
+                            "scheme": self.device_name,
+                            "init_data": init_data,
+                            "get_cached_keys_if_exists": False,
+                        }
+                        if self.service_name:
+                            license_request_data["service"] = self.service_name
+                        if session["service_certificate"]:
+                            license_request_data["service_certificate"] = base64.b64encode(
+                                session["service_certificate"]
+                            ).decode("utf-8")
+                    else:
+                        license_request_data = request_data.copy()
+                        license_request_data["get_cached_keys_if_exists"] = False
+
+                    session["decrypt_labs_session_id"] = None
+                    session["challenge"] = None
+                    session["tried_cache"] = False
+
+                    response = self._http_session.post(
+                        f"{self.host}/get-request", json=license_request_data, timeout=30
+                    )
+                    if response.status_code == 200:
+                        data = response.json()
+                        if data.get("message") == "success" and "challenge" in data:
+                            challenge = base64.b64decode(data["challenge"])
+                            session["challenge"] = challenge
+                            session["decrypt_labs_session_id"] = data["session_id"]
+                            return challenge
+
+                    return b""
+                else:
+                    return b""
+            else:
+                return b""
+
+        if message_type == "license-request" or "challenge" in data:
+            challenge = base64.b64decode(data["challenge"])
+            session["challenge"] = challenge
+            session["decrypt_labs_session_id"] = data["session_id"]
+            return challenge
+
+        error_msg = f"Unexpected API response format. message_type={message_type}, available_fields={list(data.keys())}"
+        if data.get("message"):
+            error_msg = f"API response: {data['message']} - {error_msg}"
+        if "details" in data:
+            error_msg += f" - Details: {data['details']}"
+        if "error" in data:
+            error_msg += f" - Error: {data['error']}"
+
+        if already_tried_cache and data.get("message") == "success":
             return b""
 
-        challenge = base64.b64decode(data["challenge"])
-        session["challenge"] = challenge
-        session["decrypt_labs_session_id"] = data["session_id"]
-
-        return challenge
+        raise requests.RequestException(error_msg)
 
     def parse_license(self, session_id: bytes, license_message: Union[bytes, str]) -> None:
         """
-        Parse license response using Decrypt Labs API.
+        Parse license response using Decrypt Labs API with intelligent key combination.
+
+        For PlayReady content with partial cached keys, this method intelligently
+        combines the cached keys with newly obtained license keys, avoiding
+        duplicates while ensuring all required keys are available.
+
+        The key combination process:
+        1. Extracts keys from the license response
+        2. If cached keys exist (PlayReady), combines them with license keys
+        3. Removes duplicate keys by comparing normalized KIDs
+        4. Updates the session with the complete key set
 
         Args:
             session_id: Session identifier
@@ -421,7 +538,7 @@ class DecryptLabsRemoteCDM:
 
         session = self._sessions[session_id]
 
-        if session["keys"]:
+        if session["keys"] and not (self.is_playready and "cached_keys" in session):
             return
 
         if not session.get("challenge") or not session.get("decrypt_labs_session_id"):
@@ -465,7 +582,49 @@ class DecryptLabsRemoteCDM:
                 error_msg += f" - Details: {data['details']}"
             raise requests.RequestException(f"License decrypt error: {error_msg}")
 
-        session["keys"] = self._parse_keys_response(data)
+        license_keys = self._parse_keys_response(data)
+
+        if self.is_playready and "cached_keys" in session:
+            """
+            Combine cached keys with license keys for PlayReady content.
+
+            This ensures we have both the cached keys (obtained earlier) and
+            any additional keys from the license response, without duplicates.
+            """
+            cached_keys = session.get("cached_keys", [])
+            all_keys = list(cached_keys)
+
+            for license_key in license_keys:
+                already_exists = False
+                license_kid = None
+                if isinstance(license_key, dict) and "kid" in license_key:
+                    license_kid = license_key["kid"].replace("-", "").lower()
+                elif hasattr(license_key, "kid"):
+                    license_kid = str(license_key.kid).replace("-", "").lower()
+                elif hasattr(license_key, "key_id"):
+                    license_kid = str(license_key.key_id).replace("-", "").lower()
+
+                if license_kid:
+                    for cached_key in cached_keys:
+                        cached_kid = None
+                        if isinstance(cached_key, dict) and "kid" in cached_key:
+                            cached_kid = cached_key["kid"].replace("-", "").lower()
+                        elif hasattr(cached_key, "kid"):
+                            cached_kid = str(cached_key.kid).replace("-", "").lower()
+                        elif hasattr(cached_key, "key_id"):
+                            cached_kid = str(cached_key.key_id).replace("-", "").lower()
+
+                        if cached_kid == license_kid:
+                            already_exists = True
+                            break
+
+                if not already_exists:
+                    all_keys.append(license_key)
+
+            session["keys"] = all_keys
+            session["cached_keys"] = None
+        else:
+            session["keys"] = license_keys
 
         if self.vaults and session["keys"]:
             key_dict = {UUID(hex=key["kid"]): key["key"] for key in session["keys"] if key["type"] == "CONTENT"}
@@ -496,49 +655,6 @@ class DecryptLabsRemoteCDM:
 
         return keys
 
-    def _load_cached_keys(self, session_id: bytes) -> None:
-        """Load cached keys from vaults and Decrypt Labs API."""
-        session = self._sessions[session_id]
-        pssh = session["pssh"]
-        keys = []
-
-        if self.vaults:
-            key_ids = []
-            if hasattr(pssh, "key_ids"):
-                key_ids = pssh.key_ids
-            elif hasattr(pssh, "kids"):
-                key_ids = pssh.kids
-
-            for kid in key_ids:
-                key, _ = self.vaults.get_key(kid)
-                if key and key.count("0") != len(key):
-                    keys.append({"kid": kid.hex, "key": key, "type": "CONTENT"})
-
-        if not keys and self.service_name:
-            try:
-                key_ids = []
-                if hasattr(pssh, "key_ids"):
-                    key_ids = [kid.hex for kid in pssh.key_ids]
-                elif hasattr(pssh, "kids"):
-                    key_ids = [kid.hex for kid in pssh.kids]
-
-                if key_ids:
-                    response = self._http_session.post(
-                        f"{self.host}/get-cached-keys",
-                        json={"service": self.service_name, "kid": key_ids},
-                        timeout=30,
-                    )
-
-                    if response.status_code == 200:
-                        data = response.json()
-                        if data.get("message") == "success" and "cached_keys" in data:
-                            keys = self._parse_cached_keys(data["cached_keys"])
-
-            except Exception:
-                pass
-
-        session["keys"] = keys
-
     def _parse_cached_keys(self, cached_keys_data: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
         """Parse cached keys from API response.
 

unshackle/core/downloaders/aria2c.py

@@ -137,7 +137,6 @@ def download(
     if len(urls) > 1:
         split = 1
         file_allocation = "none"
-
     arguments = [
         # [Basic Options]
         "--input-file",
@@ -189,19 +188,36 @@ def download(
         p.stdin.close()
 
         while p.poll() is None:
+            # Get global statistics via RPC
             global_stats: dict[str, Any] = (
                 rpc(caller=partial(rpc_session.post, url=rpc_uri), secret=rpc_secret, method="aria2.getGlobalStat")
                 or {}
             )
 
             number_stopped = int(global_stats.get("numStoppedTotal", 0))
-            download_speed = int(global_stats.get("downloadSpeed", -1))
+            global_download_speed = int(global_stats.get("downloadSpeed", 0))
 
-            if number_stopped:
-                yield dict(completed=number_stopped)
-            if download_speed != -1:
-                yield dict(downloaded=f"{filesize.decimal(download_speed)}/s")
+            # Get active downloads via RPC for detailed progress tracking
+            active_downloads: list[dict[str, Any]] = (
+                rpc(
+                    caller=partial(rpc_session.post, url=rpc_uri),
+                    secret=rpc_secret,
+                    method="aria2.tellActive",
+                )
+                or []
+            )
 
+            # Calculate totals from active downloads
+            total_downloaded_size = 0
+            total_content_size = 0
+            active_download_speed = 0
+            
+            for download in active_downloads:
+                total_downloaded_size += int(download.get("completedLength", 0))
+                total_content_size += int(download.get("totalLength", 0))
+                active_download_speed += int(download.get("downloadSpeed", 0))
+
+            # Get stopped downloads via RPC to check for errors and completion
             stopped_downloads: list[dict[str, Any]] = (
                 rpc(
                     caller=partial(rpc_session.post, url=rpc_uri),
@@ -212,22 +228,46 @@ def download(
                 or []
             )
 
-            for dl in stopped_downloads:
-                if dl["status"] == "error":
+            # Add completed downloads to totals and handle errors
+            for download in stopped_downloads:
+                if download["status"] == "complete":
+                    completed_length = int(download.get("completedLength", 0))
+                    total_downloaded_size += completed_length
+                    total_content_size += completed_length
+                elif download["status"] == "error":
                     used_uri = next(
                         uri["uri"]
-                        for file in dl["files"]
+                        for file in download["files"]
                         if file["selected"] == "true"
                         for uri in file["uris"]
                         if uri["status"] == "used"
                     )
-                    error = f"Download Error (#{dl['gid']}): {dl['errorMessage']} ({dl['errorCode']}), {used_uri}"
+                    error = f"Download Error (#{download['gid']}): {download['errorMessage']} ({download['errorCode']}), {used_uri}"
                     error_pretty = "\n          ".join(
                         textwrap.wrap(error, width=console.width - 20, initial_indent="")
                     )
                     console.log(Text.from_ansi("\n[Aria2c]: " + error_pretty))
                     raise ValueError(error)
 
+            # Yield progress information
+            if total_content_size > 0:
+                downloaded = f"{filesize.decimal(total_downloaded_size)}/{filesize.decimal(total_content_size)} {filesize.decimal(active_download_speed)}/s"
+                yield dict(
+                    downloaded=downloaded,
+                    total=total_content_size,
+                    completed=total_downloaded_size
+                )
+            elif global_download_speed > 0:
+                yield dict(
+                    downloaded=f"{filesize.decimal(global_download_speed)}/s",
+                    speed_bytes_per_sec=global_download_speed
+                )
+
+            # Yield completion count
+            if number_stopped:
+                yield dict(completed=number_stopped)
+
+            # Exit when all downloads are complete
             if number_stopped == len(urls):
                 rpc(caller=partial(rpc_session.post, url=rpc_uri), secret=rpc_secret, method="aria2.shutdown")
                 break
@@ -274,11 +314,14 @@ def aria2c(
 
     Yields the following download status updates while chunks are downloading:
 
-    - {total: 100} (100% download total)
-    - {completed: 1} (1% download progress out of 100%)
-    - {downloaded: "10.1 MB/s"} (currently downloading at a rate of 10.1 MB/s)
+    - {total: 100} (total number of URLs to download)
+    - {completed: 1} (number of completed downloads)
+    - {downloaded: "50.2 MB/128.5 MB 10.1 MB/s", total: 134742016, completed: 52428800} (progress data)
+    - {downloaded: "10.1 MB/s", speed_bytes_per_sec: 10485760} (speed fallback data)
 
     The data is in the same format accepted by rich's progress.update() function.
+    However, The `downloaded` and `speed_bytes_per_sec` keys are custom and not natively 
+    accepted by all rich progress bars.
 
     Parameters:
         urls: Web URL(s) to file(s) to download. You can use a dictionary with the key
@@ -318,6 +361,7 @@ def aria2c(
             stdout=subprocess.DEVNULL,
             stderr=subprocess.DEVNULL,
         )
+        time.sleep(1)
 
         try:
             yield from download(urls, output_dir, filename, headers, cookies, local_proxy, max_workers)

unshackle/core/drm/playready.py

@@ -256,44 +256,38 @@ class PlayReady:
         return keys
 
     def get_content_keys(self, cdm: PlayReadyCdm, certificate: Callable, licence: Callable) -> None:
-        for kid in self.kids:
-            if kid in self.content_keys:
-                continue
+        session_id = cdm.open()
+        try:
+            if hasattr(cdm, "set_pssh_b64") and self.pssh_b64:
+                cdm.set_pssh_b64(self.pssh_b64)
 
-            session_id = cdm.open()
-            try:
-                if hasattr(cdm, "set_pssh_b64") and self.pssh_b64:
-                    cdm.set_pssh_b64(self.pssh_b64)
+            if hasattr(cdm, "set_required_kids"):
+                cdm.set_required_kids(self.kids)
 
-                challenge = cdm.get_license_challenge(session_id, self.pssh.wrm_headers[0])
+            challenge = cdm.get_license_challenge(session_id, self.pssh.wrm_headers[0])
 
+            if challenge:
                 try:
                     license_res = licence(challenge=challenge)
-                except Exception:
-                    if hasattr(cdm, "use_cached_keys_as_fallback"):
-                        if cdm.use_cached_keys_as_fallback(session_id):
-                            keys = self._extract_keys_from_cdm(cdm, session_id)
-                            self.content_keys.update(keys)
-                            continue
+                    if isinstance(license_res, bytes):
+                        license_str = license_res.decode(errors="ignore")
+                    else:
+                        license_str = str(license_res)
 
+                    if "<License>" not in license_str:
+                        try:
+                            license_str = base64.b64decode(license_str + "===").decode()
+                        except Exception:
+                            pass
+
+                    cdm.parse_license(session_id, license_str)
+                except Exception:
                     raise
 
-                if isinstance(license_res, bytes):
-                    license_str = license_res.decode(errors="ignore")
-                else:
-                    license_str = str(license_res)
-
-                if "<License>" not in license_str:
-                    try:
-                        license_str = base64.b64decode(license_str + "===").decode()
-                    except Exception:
-                        pass
-
-                cdm.parse_license(session_id, license_str)
-                keys = self._extract_keys_from_cdm(cdm, session_id)
-                self.content_keys.update(keys)
-            finally:
-                cdm.close(session_id)
+            keys = self._extract_keys_from_cdm(cdm, session_id)
+            self.content_keys.update(keys)
+        finally:
+            cdm.close(session_id)
 
         if not self.content_keys:
             raise PlayReady.Exceptions.EmptyLicense("No Content Keys were within the License")

unshackle/core/drm/widevine.py

@@ -185,6 +185,9 @@ class Widevine:
                 if cert and hasattr(cdm, "set_service_certificate"):
                     cdm.set_service_certificate(session_id, cert)
 
+                if hasattr(cdm, "set_required_kids"):
+                    cdm.set_required_kids(self.kids)
+
                 challenge = cdm.get_license_challenge(session_id, self.pssh)
 
                 if hasattr(cdm, "has_cached_keys") and cdm.has_cached_keys(session_id):
@@ -218,6 +221,9 @@ class Widevine:
                 if cert and hasattr(cdm, "set_service_certificate"):
                     cdm.set_service_certificate(session_id, cert)
 
+                if hasattr(cdm, "set_required_kids"):
+                    cdm.set_required_kids(self.kids)
+
                 challenge = cdm.get_license_challenge(session_id, self.pssh)
 
                 if hasattr(cdm, "has_cached_keys") and cdm.has_cached_keys(session_id):

unshackle/core/titles/episode.py

@@ -92,14 +92,14 @@ class Episode(Title):
         primary_audio_track = next(iter(media_info.audio_tracks), None)
         unique_audio_languages = len({x.language.split("-")[0] for x in media_info.audio_tracks if x.language})
 
-        # Title [Year] SXXEXX Name (or Title [Year] SXX if folder)
+        # Title [Year] SXXEXX Name (or just Title for main folder)
         if folder:
             name = f"{self.title}"
             if self.year and config.series_year:
-                name += f" {self.year}"
-            name += f" S{self.season:02}"
+                name += f" ({self.year})"
+            return name
         else:
-            name = "{title}{year} S{season:02}E{number:02} {name}".format(
+            name = "{title}{year} S{season:02}E{number:02} - {name} -".format(
                 title=self.title.replace("$", "S"),  # e.g., Arli$$
                 year=f" {self.year}" if self.year and config.series_year else "",
                 season=self.season,
@@ -128,19 +128,19 @@ class Episode(Title):
                 name += f" {resolution}p"
 
             # Service
-            if show_service:
-                name += f" {self.service.__name__}"
+            # if show_service:
+            #     name += f" {self.service.__name__}"
 
-            # 'WEB-DL'
-            name += " WEB-DL"
+            # # 'WEB-DL'
+            # name += " WEB-DL"
 
-            # DUAL
-            if unique_audio_languages == 2:
-                name += " DUAL"
+            # # DUAL
+            # if unique_audio_languages == 2:
+            #     name += " DUAL"
 
-            # MULTi
-            if unique_audio_languages > 2:
-                name += " MULTi"
+            # # MULTi
+            # if unique_audio_languages > 2:
+            #     name += " MULTi"
 
             # Audio Codec + Channels (+ feature)
             if primary_audio_track:
@@ -181,14 +181,20 @@ class Episode(Title):
                     name += " HFR"
                 name += f" {VIDEO_CODEC_MAP.get(codec, codec)}"
 
-            if config.tag:
-                name += f"-{config.tag}"
+            # if config.tag:
+            #     name += f"-{config.tag}"
 
             return sanitize_filename(name)
         else:
             # Simple naming style without technical details - use spaces instead of dots
             return sanitize_filename(name, " ")
 
+    def get_season_folder(self) -> str:
+        """
+        Get the season folder name in the format 'Season XX'.
+        """
+        return f"Season {self.season:02d}"
+
 
 class Series(SortedKeyList, ABC):
     def __init__(self, iterable: Optional[Iterable] = None):

unshackle/core/titles/movie.py

@@ -56,7 +56,7 @@ class Movie(Title):
         unique_audio_languages = len({x.language.split("-")[0] for x in media_info.audio_tracks if x.language})
 
         # Name (Year)
-        name = str(self).replace("$", "S")  # e.g., Arli$$
+        name = str(self).replace("$", "S") + " -"  # e.g., Arli$$
 
         if config.scene_naming:
             # Resolution
@@ -78,20 +78,20 @@ class Movie(Title):
                     resolution = int(primary_video_track.width * (9 / 16))
                 name += f" {resolution}p"
 
-            # Service
-            if show_service:
-                name += f" {self.service.__name__}"
+            # # Service
+            # if show_service:
+            #     name += f" {self.service.__name__}"
 
-            # 'WEB-DL'
-            name += " WEB-DL"
+            # # 'WEB-DL'
+            # name += " WEB-DL"
 
-            # DUAL
-            if unique_audio_languages == 2:
-                name += " DUAL"
+            # # DUAL
+            # if unique_audio_languages == 2:
+            #     name += " DUAL"
 
-            # MULTi
-            if unique_audio_languages > 2:
-                name += " MULTi"
+            # # MULTi
+            # if unique_audio_languages > 2:
+            #     name += " MULTi"
 
             # Audio Codec + Channels (+ feature)
             if primary_audio_track:
@@ -132,8 +132,8 @@ class Movie(Title):
                     name += " HFR"
                 name += f" {VIDEO_CODEC_MAP.get(codec, codec)}"
 
-            if config.tag:
-                name += f"-{config.tag}"
+            # if config.tag:
+            #     name += f"-{config.tag}"
 
             return sanitize_filename(name)
         else:

unshackle/core/utilities.py

@@ -20,6 +20,7 @@ import requests
 from construct import ValidationError
 from langcodes import Language, closest_match
 from pymp4.parser import Box
+from requests.adapters import HTTPAdapter
 from unidecode import unidecode
 
 from unshackle.core.cacher import Cacher
@@ -99,9 +100,9 @@ def sanitize_filename(filename: str, spacer: str = ".") -> str:
     # remove or replace further characters as needed
     filename = "".join(c for c in filename if unicodedata.category(c) != "Mn")  # hidden characters
     filename = filename.replace("/", " & ").replace(";", " & ")  # e.g. multi-episode filenames
-    filename = re.sub(r"[:; ]", spacer, filename)  # structural chars to (spacer)
-    filename = re.sub(r"[\\*!?¿,'\"" "()<>|$#~]", "", filename)  # not filename safe chars
-    filename = re.sub(rf"[{spacer}]{{2,}}", spacer, filename)  # remove extra neighbouring (spacer)s
+    filename = re.sub(r"[;]", spacer, filename)  # structural chars to (spacer)
+    filename = re.sub(r"[\\:*!?¿,'\"""<>|$#~]", "", filename)  # not filename safe chars
+    # filename = re.sub(rf"[{spacer}]{{2,}}", spacer, filename)  # remove extra neighbouring (spacer)s
 
     return filename
 
@@ -241,7 +242,10 @@ def get_ip_info(session: Optional[requests.Session] = None) -> dict:
     If you provide a Requests Session with a Proxy, that proxies IP information
     is what will be returned.
     """
-    return (session or requests.Session()).get("https://ipinfo.io/json").json()
+    request = session or requests.Session()
+    request.adapters["http://"] = HTTPAdapter(max_retries=3)
+    request.adapters["https://"] = HTTPAdapter(max_retries=3)
+    return request.get("https://ipinfo.io/json", timeout=3).json()
 
 
 def get_cached_ip_info(session: Optional[requests.Session] = None) -> Optional[dict]:

unshackle/core/utils/tags.py

@@ -8,10 +8,10 @@ import tempfile
 from difflib import SequenceMatcher
 from pathlib import Path
 from typing import Optional, Tuple
+from xml.sax.saxutils import escape
 
 import requests
 from requests.adapters import HTTPAdapter, Retry
-from xml.sax.saxutils import escape
 
 from unshackle.core import binaries
 from unshackle.core.config import config
@@ -350,13 +350,25 @@ def tag_file(path: Path, title: Title, tmdb_id: Optional[int] | None = None) ->
                 if simkl_tmdb_id:
                     tmdb_id = simkl_tmdb_id
 
-                show_ids = simkl_data.get("show", {}).get("ids", {})
-                if show_ids.get("imdb"):
-                    standard_tags["IMDB"] = show_ids["imdb"]
-                if show_ids.get("tvdb"):
-                    standard_tags["TVDB"] = str(show_ids["tvdb"])
-                if show_ids.get("tmdbtv"):
-                    standard_tags["TMDB"] = f"tv/{show_ids['tmdbtv']}"
+                # Handle TV show data from Simkl
+                if simkl_data.get("type") == "episode" and "show" in simkl_data:
+                    show_ids = simkl_data.get("show", {}).get("ids", {})
+                    if show_ids.get("imdb"):
+                        standard_tags["IMDB"] = show_ids["imdb"]
+                    if show_ids.get("tvdb"):
+                        standard_tags["TVDB2"] = f"series/{show_ids['tvdb']}"
+                    if show_ids.get("tmdbtv"):
+                        standard_tags["TMDB"] = f"tv/{show_ids['tmdbtv']}"
+
+                # Handle movie data from Simkl
+                elif simkl_data.get("type") == "movie" and "movie" in simkl_data:
+                    movie_ids = simkl_data.get("movie", {}).get("ids", {})
+                    if movie_ids.get("imdb"):
+                        standard_tags["IMDB"] = movie_ids["imdb"]
+                    if movie_ids.get("tvdb"):
+                        standard_tags["TVDB2"] = f"movies/{movie_ids['tvdb']}"
+                    if movie_ids.get("tmdb"):
+                        standard_tags["TMDB"] = f"movie/{movie_ids['tmdb']}"
 
         # Use TMDB API for additional metadata (either from provided ID or Simkl lookup)
         api_key = _api_key()
@@ -389,7 +401,10 @@ def tag_file(path: Path, title: Title, tmdb_id: Optional[int] | None = None) ->
             standard_tags["IMDB"] = imdb_id
         tvdb_id = ids.get("tvdb_id")
         if tvdb_id:
-            standard_tags["TVDB"] = str(tvdb_id)
+            if kind == "movie":
+                standard_tags["TVDB2"] = f"movies/{tvdb_id}"
+            else:
+                standard_tags["TVDB2"] = f"series/{tvdb_id}"
 
     merged_tags = {
         **custom_tags,

unshackle/services/EXAMPLE/__init__.py

@@ -282,6 +282,10 @@ class EXAMPLE(Service):
 
         return chapters
 
+    def get_widevine_service_certificate(self, **_: any) -> str:
+        """Return the Widevine service certificate from config, if available."""
+        return self.config.get("certificate")
+
     def get_playready_license(self, *, challenge: bytes, title: Title_T, track: AnyTrack) -> Optional[bytes]:
         """Retrieve a PlayReady license for a given track."""
 

unshackle/services/Netflix/MSL/MSLKeys.py

@@ -0,0 +1,10 @@
+from .MSLObject import MSLObject
+
+
+class MSLKeys(MSLObject):
+    def __init__(self, encryption=None, sign=None, rsa=None, mastertoken=None, cdm_session=None):
+        self.encryption = encryption
+        self.sign = sign
+        self.rsa = rsa
+        self.mastertoken = mastertoken
+        self.cdm_session = cdm_session

unshackle/services/Netflix/MSL/MSLObject.py

@@ -0,0 +1,6 @@
+import jsonpickle
+
+
+class MSLObject:
+    def __repr__(self):
+        return "<{} {}>".format(self.__class__.__name__, jsonpickle.encode(self, unpicklable=False))

unshackle/services/Netflix/MSL/__init__.py

@@ -0,0 +1,416 @@
+import base64
+import gzip
+import json
+import logging
+import os
+import random
+import re
+import sys
+import time
+import zlib
+from datetime import datetime
+from io import BytesIO
+from typing import Optional, Any
+
+import jsonpickle
+import requests
+from Cryptodome.Cipher import AES, PKCS1_OAEP
+from Cryptodome.Hash import HMAC, SHA256
+from Cryptodome.PublicKey import RSA
+from Cryptodome.Random import get_random_bytes
+from Cryptodome.Util import Padding
+
+from unshackle.core.cacher import Cacher
+
+from .MSLKeys import MSLKeys
+from .schemes import EntityAuthenticationSchemes  # noqa: F401
+from .schemes import KeyExchangeSchemes
+from .schemes.EntityAuthentication import EntityAuthentication
+from .schemes.KeyExchangeRequest import KeyExchangeRequest
+from pywidevine import Cdm, PSSH, Key
+
+class MSL:
+    log = logging.getLogger("MSL")
+
+    def __init__(self, session, endpoint, sender, keys, message_id, user_auth=None):
+        self.session = session
+        self.endpoint = endpoint
+        self.sender = sender
+        self.keys = keys
+        self.user_auth = user_auth
+        self.message_id = message_id
+
+    @classmethod
+    def handshake(cls, scheme: KeyExchangeSchemes, session: requests.Session, endpoint: str, sender: str, cache: Cacher, cdm: Optional[Cdm] = None, config: Any = None):
+        cache = cache.get(sender)
+        message_id = random.randint(0, pow(2, 52))
+        msl_keys = MSL.load_cache_data(cache)
+
+        if msl_keys is not None:
+            cls.log.info("Using cached MSL data")
+        else:
+            msl_keys = MSLKeys()
+            if scheme != KeyExchangeSchemes.Widevine:
+                msl_keys.rsa = RSA.generate(2048)
+
+
+            if scheme == KeyExchangeSchemes.Widevine:
+                if not cdm:
+                    raise Exception('Key exchange scheme Widevine but CDM instance is None.')
+                
+                session_id = cdm.open()
+                msl_keys.cdm_session = session_id
+                cdm.set_service_certificate(session_id, config["certificate"])
+                challenge = cdm.get_license_challenge(
+                    session_id=session_id,
+                    pssh=PSSH("AAAANHBzc2gAAAAA7e+LqXnWSs6jyCfc1R0h7QAAABQIARIQAAAAAAPSZ0kAAAAAAAAAAA=="),
+                    license_type="OFFLINE",
+                    privacy_mode=True,
+
+                )
+                keyrequestdata = KeyExchangeRequest.Widevine(challenge)
+                entityauthdata = EntityAuthentication.Unauthenticated(sender)
+                # entityauthdata = EntityAuthentication.Widevine("TV", base64.b64encode(challenge).decode())
+            else:
+                entityauthdata = EntityAuthentication.Unauthenticated(sender)
+                keyrequestdata = KeyExchangeRequest.AsymmetricWrapped(
+                    keypairid="superKeyPair",
+                    mechanism="JWK_RSA",
+                    publickey=msl_keys.rsa.publickey().exportKey(format="DER")
+                )
+
+            data = jsonpickle.encode({
+                "entityauthdata": entityauthdata,
+                "headerdata": base64.b64encode(MSL.generate_msg_header(
+                    message_id=message_id,
+                    sender=sender,
+                    is_handshake=True,
+                    keyrequestdata=keyrequestdata
+                ).encode("utf-8")).decode("utf-8"),
+                "signature": ""
+            }, unpicklable=False)
+            data += json.dumps({
+                "payload": base64.b64encode(json.dumps({
+                    "messageid": message_id,
+                    "data": "",
+                    "sequencenumber": 1,
+                    "endofmsg": True
+                }).encode("utf-8")).decode("utf-8"),
+                "signature": ""
+            })
+
+            try:
+                r = session.post(
+                    url=endpoint,
+                    data=data
+                )
+            except requests.HTTPError as e:
+                raise Exception(f"- Key exchange failed, response data is unexpected: {e.response.text}")
+
+            key_exchange = r.json()  # expecting no payloads, so this is fine
+            if "errordata" in key_exchange:
+                raise Exception("- Key exchange failed: " + json.loads(base64.b64decode(
+                    key_exchange["errordata"]
+                ).decode())["errormsg"])
+
+            # parse the crypto keys
+            key_response_data = json.JSONDecoder().decode(base64.b64decode(
+                key_exchange["headerdata"]
+            ).decode("utf-8"))["keyresponsedata"]
+
+            if key_response_data["scheme"] != str(scheme):
+                raise Exception("- Key exchange scheme mismatch occurred")
+
+            key_data = key_response_data["keydata"]
+            if scheme == KeyExchangeSchemes.Widevine:
+                if not msl_keys.cdm_session:
+                    raise Exception("- No CDM session available")
+                if not cdm:
+                    raise Exception("- No CDM available")
+                cdm.parse_license(msl_keys.cdm_session, key_data["cdmkeyresponse"])
+                keys = cdm.get_keys(msl_keys.cdm_session)
+                cls.log.info(f"Keys: {keys}")
+                encryption_key = MSL.get_widevine_key(
+                    kid=base64.b64decode(key_data["encryptionkeyid"]),
+                    keys=keys,
+                    permissions=["allow_encrypt", "allow_decrypt"]
+                )
+                msl_keys.encryption = encryption_key
+                cls.log.info(f"Encryption key: {encryption_key}")
+                sign = MSL.get_widevine_key(
+                    kid=base64.b64decode(key_data["hmackeyid"]),
+                    keys=keys,
+                    permissions=["allow_sign", "allow_signature_verify"]
+                )
+                cls.log.info(f"Sign key: {sign}")
+                msl_keys.sign = sign
+            
+            elif scheme == KeyExchangeSchemes.AsymmetricWrapped:
+                cipher_rsa = PKCS1_OAEP.new(msl_keys.rsa)
+                msl_keys.encryption = MSL.base64key_decode(
+                    json.JSONDecoder().decode(cipher_rsa.decrypt(
+                        base64.b64decode(key_data["encryptionkey"])
+                    ).decode("utf-8"))["k"]
+                )
+                msl_keys.sign = MSL.base64key_decode(
+                    json.JSONDecoder().decode(cipher_rsa.decrypt(
+                        base64.b64decode(key_data["hmackey"])
+                    ).decode("utf-8"))["k"]
+                )
+            
+            msl_keys.mastertoken = key_response_data["mastertoken"]
+
+            MSL.cache_keys(msl_keys, cache)
+            cls.log.info("MSL handshake successful")
+        return cls(
+            session=session,
+            endpoint=endpoint,
+            sender=sender,
+            keys=msl_keys,
+            message_id=message_id
+        )
+
+    @staticmethod
+    def load_cache_data(cacher: Cacher):
+        if not cacher or cacher == {}:
+            return None
+        # with open(msl_keys_path, encoding="utf-8") as fd:
+        #     msl_keys = jsonpickle.decode(fd.read())
+        msl_keys = cacher.data
+        if msl_keys.rsa:
+            # noinspection PyTypeChecker
+            # expects RsaKey, but is a string, this is because jsonpickle can't pickle RsaKey object
+            # so as a workaround it exports to PEM, and then when reading, it imports that PEM back
+            # to an RsaKey :)
+            msl_keys.rsa = RSA.importKey(msl_keys.rsa)
+        # If it's expired or close to, return None as it's unusable
+        if msl_keys.mastertoken and ((datetime.utcfromtimestamp(int(json.JSONDecoder().decode(
+                base64.b64decode(msl_keys.mastertoken["tokendata"]).decode("utf-8")
+        )["expiration"])) - datetime.now()).total_seconds() / 60 / 60) < 10:
+            return None
+        return msl_keys
+
+    @staticmethod
+    def cache_keys(msl_keys, cache: Cacher):
+        # os.makedirs(os.path.dirname(cache), exist_ok=True)
+        if msl_keys.rsa:
+            # jsonpickle can't pickle RsaKey objects :(
+            msl_keys.rsa = msl_keys.rsa.export_key()
+        # with open(cache, "w", encoding="utf-8") as fd:
+        #     fd.write()
+        cache.set(msl_keys)
+        if msl_keys.rsa:
+            # re-import now
+            msl_keys.rsa = RSA.importKey(msl_keys.rsa)
+
+    @staticmethod
+    def generate_msg_header(message_id, sender, is_handshake, userauthdata=None, keyrequestdata=None,
+                            compression="GZIP"):
+        """
+        The MSL header carries all MSL data used for entity and user authentication, message encryption
+        and verification, and service tokens. Portions of the MSL header are encrypted.
+        https://github.com/Netflix/msl/wiki/Messages#header-data
+
+        :param message_id: number against which payload chunks are bound to protect against replay.
+        :param sender: ESN
+        :param is_handshake: This flag is set true if the message is a handshake message and will not include any
+        payload chunks. It will include keyrequestdata.
+        :param userauthdata: UserAuthData
+        :param keyrequestdata: KeyRequestData
+        :param compression: Supported compression algorithms.
+
+        :return: The base64 encoded JSON String of the header
+        """
+        header_data = {
+            "messageid": message_id,
+            "renewable": True,  # MUST be True if is_handshake
+            "handshake": is_handshake,
+            "capabilities": {
+                "compressionalgos": [compression] if compression else [],
+                "languages": ["en-US"],  # bcp-47
+                "encoderformats": ["JSON"]
+            },
+            "timestamp": int(time.time()),
+            # undocumented or unused:
+            "sender": sender,
+            "nonreplayable": False,
+            "recipient": "Netflix",
+        }
+        if userauthdata:
+            header_data["userauthdata"] = userauthdata
+        if keyrequestdata:
+            header_data["keyrequestdata"] = [keyrequestdata]
+        return jsonpickle.encode(header_data, unpicklable=False)
+
+    @classmethod
+    def get_widevine_key(cls, kid, keys: list[Key], permissions):
+        cls.log.info(f"KID: {Key.kid_to_uuid(kid)}")
+        for key in keys:
+            # cls.log.info(f"KEY: {key.kid_to_uuid}")
+            if key.kid != Key.kid_to_uuid(kid):
+                continue
+            if key.type != "OPERATOR_SESSION":
+                cls.log.warning(f"Widevine Key Exchange: Wrong key type (not operator session) key {key}")
+                continue
+            if not set(permissions) <= set(key.permissions):
+                cls.log.warning(f"Widevine Key Exchange: Incorrect permissions, key {key}, needed perms {permissions}")
+                continue
+            return key.key
+        return None
+
+    def send_message(self, endpoint, params, application_data, userauthdata=None):
+        message = self.create_message(application_data, userauthdata)
+        res = self.session.post(url=endpoint, data=message, params=params)
+        header, payload_data = self.parse_message(res.text)
+        if "errordata" in header:
+            raise Exception(
+                "- MSL response message contains an error: {}".format(
+                    json.loads(base64.b64decode(header["errordata"].encode("utf-8")).decode("utf-8"))
+                )
+            )
+        return header, payload_data
+
+    def create_message(self, application_data, userauthdata=None):
+        self.message_id += 1  # new message must ue a new message id
+        headerdata = self.encrypt(self.generate_msg_header(
+            message_id=self.message_id,
+            sender=self.sender,
+            is_handshake=False,
+            userauthdata=userauthdata
+        ))
+
+        header = json.dumps({
+            "headerdata": base64.b64encode(headerdata.encode("utf-8")).decode("utf-8"),
+            "signature": self.sign(headerdata).decode("utf-8"),
+            "mastertoken": self.keys.mastertoken
+        })
+
+        payload_chunks = [self.encrypt(json.dumps({
+            "messageid": self.message_id,
+            "data": self.gzip_compress(json.dumps(application_data).encode("utf-8")).decode("utf-8"),
+            "compressionalgo": "GZIP",
+            "sequencenumber": 1,  # todo ; use sequence_number from master token instead?
+            "endofmsg": True
+        }))]
+
+        message = header
+        for payload_chunk in payload_chunks:
+            message += json.dumps({
+                "payload": base64.b64encode(payload_chunk.encode("utf-8")).decode("utf-8"),
+                "signature": self.sign(payload_chunk).decode("utf-8")
+            })
+
+        return message
+
+    def decrypt_payload_chunks(self, payload_chunks):
+        """
+        Decrypt and extract data from payload chunks
+
+        :param payload_chunks: List of payload chunks
+        :return: json object
+        """
+        raw_data = ""
+
+        for payload_chunk in payload_chunks:
+            # todo ; verify signature of payload_chunk["signature"] against payload_chunk["payload"]
+            # expecting base64-encoded json string
+            payload_chunk = json.loads(base64.b64decode(payload_chunk["payload"]).decode("utf-8"))
+            # decrypt the payload
+            payload_decrypted = AES.new(
+                key=self.keys.encryption,
+                mode=AES.MODE_CBC,
+                iv=base64.b64decode(payload_chunk["iv"])
+            ).decrypt(base64.b64decode(payload_chunk["ciphertext"]))
+            payload_decrypted = Padding.unpad(payload_decrypted, 16)
+            payload_decrypted = json.loads(payload_decrypted.decode("utf-8"))
+            # decode and uncompress data if compressed
+            payload_data = base64.b64decode(payload_decrypted["data"])
+            if payload_decrypted.get("compressionalgo") == "GZIP":
+                payload_data = zlib.decompress(payload_data, 16 + zlib.MAX_WBITS)
+            raw_data += payload_data.decode("utf-8")
+
+        data = json.loads(raw_data)
+        if "error" in data:
+            error = data["error"]
+            error_display = error.get("display")
+            error_detail = re.sub(r" \(E3-[^)]+\)", "", error.get("detail", ""))
+
+            if error_display:
+               self.log.critical(f"- {error_display}")
+            if error_detail:
+               self.log.critical(f"- {error_detail}")
+
+            if not (error_display or error_detail):
+                self.log.critical(f"- {error}")
+
+            # sys.exit(1)
+
+        return data["result"]
+
+    def parse_message(self, message):
+        """
+        Parse an MSL message into a header and list of payload chunks
+
+        :param message: MSL message
+        :returns: a 2-item tuple containing message and list of payload chunks if available
+        """
+        parsed_message = json.loads("[{}]".format(message.replace("}{", "},{")))
+
+        header = parsed_message[0]
+        encrypted_payload_chunks = parsed_message[1:] if len(parsed_message) > 1 else []
+        if encrypted_payload_chunks:
+            payload_chunks = self.decrypt_payload_chunks(encrypted_payload_chunks)
+        else:
+            payload_chunks = {}
+
+        return header, payload_chunks
+
+    @staticmethod
+    def gzip_compress(data):
+        out = BytesIO()
+        with gzip.GzipFile(fileobj=out, mode="w") as fd:
+            fd.write(data)
+        return base64.b64encode(out.getvalue())
+
+    @staticmethod
+    def base64key_decode(payload):
+        length = len(payload) % 4
+        if length == 2:
+            payload += "=="
+        elif length == 3:
+            payload += "="
+        elif length != 0:
+            raise ValueError("Invalid base64 string")
+        return base64.urlsafe_b64decode(payload.encode("utf-8"))
+
+    def encrypt(self, plaintext):
+        """
+        Encrypt the given Plaintext with the encryption key
+        :param plaintext:
+        :return: Serialized JSON String of the encryption Envelope
+        """
+        iv = get_random_bytes(16)
+        return json.dumps({
+            "ciphertext": base64.b64encode(
+                AES.new(
+                    self.keys.encryption,
+                    AES.MODE_CBC,
+                    iv
+                ).encrypt(
+                    Padding.pad(plaintext.encode("utf-8"), 16)
+                )
+            ).decode("utf-8"),
+            "keyid": "{}_{}".format(self.sender, json.loads(
+                base64.b64decode(self.keys.mastertoken["tokendata"]).decode("utf-8")
+            )["sequencenumber"]),
+            "sha256": "AA==",
+            "iv": base64.b64encode(iv).decode("utf-8")
+        })
+
+    def sign(self, text):
+        """
+        Calculates the HMAC signature for the given text with the current sign key and SHA256
+        :param text:
+        :return: Base64 encoded signature
+        """
+        return base64.b64encode(HMAC.new(self.keys.sign, text.encode("utf-8"), SHA256).digest())

unshackle/services/Netflix/MSL/schemes/EntityAuthentication.py

@@ -0,0 +1,59 @@
+from .. import EntityAuthenticationSchemes
+from ..MSLObject import MSLObject
+
+
+# noinspection PyPep8Naming
+class EntityAuthentication(MSLObject):
+    def __init__(self, scheme, authdata):
+        """
+        Data used to identify and authenticate the entity associated with a message.
+        https://github.com/Netflix/msl/wiki/Entity-Authentication-%28Configuration%29
+
+        :param scheme: Entity Authentication Scheme identifier
+        :param authdata: Entity Authentication data
+        """
+        self.scheme = str(scheme)
+        self.authdata = authdata
+
+    @classmethod
+    def Unauthenticated(cls, identity):
+        """
+        The unauthenticated entity authentication scheme does not provide encryption or authentication and only
+        identifies the entity. Therefore entity identities can be harvested and spoofed. The benefit of this
+        authentication scheme is that the entity has control over its identity. This may be useful if the identity is
+        derived from or related to other data, or if retaining the identity is desired across state resets or in the
+        event of MSL errors requiring entity re-authentication.
+        """
+        return cls(
+            scheme=EntityAuthenticationSchemes.Unauthenticated,
+            authdata={"identity": identity}
+        )
+
+    @classmethod
+    def Widevine(cls, devtype, keyrequest):
+        """
+        The Widevine entity authentication scheme is used by devices with the Widevine CDM. It does not provide
+        encryption or authentication and only identifies the entity. Therefore entity identities can be harvested
+        and spoofed. The entity identity is composed from the provided device type and Widevine key request data. The
+        Widevine CDM properties can be extracted from the key request data.
+
+        When coupled with the Widevine key exchange scheme, the entity identity can be cryptographically validated by
+        comparing the entity authentication key request data against the key exchange key request data.
+
+        Note that the local entity will not know its entity identity when using this scheme.
+
+        > Devtype
+
+        An arbitrary value identifying the device type the local entity wishes to assume. The data inside the Widevine
+        key request may be optionally used to validate the claimed device type.
+
+        :param devtype: Local entity device type
+        :param keyrequest: Widevine key request
+        """
+        return cls(
+            scheme=EntityAuthenticationSchemes.Widevine,
+            authdata={
+                "devtype": devtype,
+                "keyrequest": keyrequest
+            }
+        )

unshackle/services/Netflix/MSL/schemes/KeyExchangeRequest.py

@@ -0,0 +1,80 @@
+import base64
+
+from .. import KeyExchangeSchemes
+from ..MSLObject import MSLObject
+
+
+# noinspection PyPep8Naming
+class KeyExchangeRequest(MSLObject):
+    def __init__(self, scheme, keydata):
+        """
+        Session key exchange data from a requesting entity.
+        https://github.com/Netflix/msl/wiki/Key-Exchange-%28Configuration%29
+
+        :param scheme: Key Exchange Scheme identifier
+        :param keydata: Key Request data
+        """
+        self.scheme = str(scheme)
+        self.keydata = keydata
+
+    @classmethod
+    def AsymmetricWrapped(cls, keypairid, mechanism, publickey):
+        """
+        Asymmetric wrapped key exchange uses a generated ephemeral asymmetric key pair for key exchange. It will
+        typically be used when there is no other data or keys from which to base secure key exchange.
+
+        This mechanism provides perfect forward secrecy but does not guarantee that session keys will only be available
+        to the requesting entity if the requesting MSL stack has been modified to perform the operation on behalf of a
+        third party.
+
+        > Key Pair ID
+
+        The key pair ID is included as a sanity check.
+
+        > Mechanism & Public Key
+
+        The following mechanisms are associated public key formats are currently supported.
+
+            Field 	    Public  Key Format 	Description
+            RSA 	    SPKI 	RSA-OAEP    encrypt/decrypt
+            ECC 	    SPKI 	ECIES       encrypt/decrypt
+            JWEJS_RSA 	SPKI 	RSA-OAEP    JSON Web Encryption JSON Serialization
+            JWE_RSA 	SPKI 	RSA-OAEP    JSON Web Encryption Compact Serialization
+            JWK_RSA 	SPKI 	RSA-OAEP    JSON Web Key
+            JWK_RSAES 	SPKI 	RSA PKCS#1  JSON Web Key
+
+        :param keypairid: key pair ID
+        :param mechanism: asymmetric key type
+        :param publickey: public key
+        """
+        return cls(
+            scheme=KeyExchangeSchemes.AsymmetricWrapped,
+            keydata={
+                "keypairid": keypairid,
+                "mechanism": mechanism,
+                "publickey": base64.b64encode(publickey).decode("utf-8")
+            }
+        )
+
+    @classmethod
+    def Widevine(cls, keyrequest):
+        """
+        Google Widevine provides a secure key exchange mechanism. When requested the Widevine component will issue a
+        one-time use key request. The Widevine server library can be used to authenticate the request and return
+        randomly generated symmetric keys in a protected key response bound to the request and Widevine client library.
+        The key response also specifies the key identities, types and their permitted usage.
+
+        The Widevine key request also contains a model identifier and a unique device identifier with an expectation of
+        long-term persistence. These values are available from the Widevine client library and can be retrieved from
+        the key request by the Widevine server library.
+
+        The Widevine client library will protect the returned keys from inspection or misuse.
+
+        :param keyrequest: Base64-encoded Widevine CDM license challenge (PSSH: b'\x0A\x7A\x00\x6C\x38\x2B')
+        """
+        if not isinstance(keyrequest, str):
+            keyrequest = base64.b64encode(keyrequest).decode()
+        return cls(
+            scheme=KeyExchangeSchemes.Widevine,
+            keydata={"keyrequest": keyrequest}
+        )

unshackle/services/Netflix/MSL/schemes/UserAuthentication.py

@@ -0,0 +1,59 @@
+from ..MSLObject import MSLObject
+from . import UserAuthenticationSchemes
+
+
+# noinspection PyPep8Naming
+class UserAuthentication(MSLObject):
+    def __init__(self, scheme, authdata):
+        """
+        Data used to identify and authenticate the user associated with a message.
+        https://github.com/Netflix/msl/wiki/User-Authentication-%28Configuration%29
+
+        :param scheme: User Authentication Scheme identifier
+        :param authdata: User Authentication data
+        """
+        self.scheme = str(scheme)
+        self.authdata = authdata
+
+    @classmethod
+    def EmailPassword(cls, email, password):
+        """
+        Email and password is a standard user authentication scheme in wide use.
+
+        :param email: user email address
+        :param password: user password
+        """
+        return cls(
+            scheme=UserAuthenticationSchemes.EmailPassword,
+            authdata={
+                "email": email,
+                "password": password
+            }
+        )
+
+    @classmethod
+    def NetflixIDCookies(cls, netflixid, securenetflixid):
+        """
+        Netflix ID HTTP cookies are used when the user has previously logged in to a web site. Possession of the
+        cookies serves as proof of user identity, in the same manner as they do when communicating with the web site.
+
+        The Netflix ID cookie and Secure Netflix ID cookie are HTTP cookies issued by the Netflix web site after
+        subscriber login. The Netflix ID cookie is encrypted and identifies the subscriber and analogous to a
+        subscriber’s username. The Secure Netflix ID cookie is tied to a Netflix ID cookie and only sent over HTTPS
+        and analogous to a subscriber’s password.
+
+        In some cases the Netflix ID and Secure Netflix ID cookies will be unavailable to the MSL stack or application.
+        If either or both of the Netflix ID or Secure Netflix ID cookies are absent in the above data structure the
+        HTTP cookie headers will be queried for it; this is only acceptable when HTTPS is used as the underlying
+        transport protocol.
+
+        :param netflixid: Netflix ID cookie
+        :param securenetflixid: Secure Netflix ID cookie
+        """
+        return cls(
+            scheme=UserAuthenticationSchemes.NetflixIDCookies,
+            authdata={
+                "netflixid": netflixid,
+                "securenetflixid": securenetflixid
+            }
+        )

unshackle/services/Netflix/MSL/schemes/__init__.py

@@ -0,0 +1,24 @@
+from enum import Enum
+
+
+class Scheme(Enum):
+    def __str__(self):
+        return str(self.value)
+
+
+class EntityAuthenticationSchemes(Scheme):
+    """https://github.com/Netflix/msl/wiki/Entity-Authentication-%28Configuration%29"""
+    Unauthenticated = "NONE"
+    Widevine = "WIDEVINE"
+
+
+class UserAuthenticationSchemes(Scheme):
+    """https://github.com/Netflix/msl/wiki/User-Authentication-%28Configuration%29"""
+    EmailPassword = "EMAIL_PASSWORD"
+    NetflixIDCookies = "NETFLIXID"
+
+
+class KeyExchangeSchemes(Scheme):
+    """https://github.com/Netflix/msl/wiki/Key-Exchange-%28Configuration%29"""
+    AsymmetricWrapped = "ASYMMETRIC_WRAPPED"
+    Widevine = "WIDEVINE"

unshackle/unshackle-example.yaml

@@ -117,7 +117,7 @@ remote_cdm:
     type: "decrypt_labs"
     device_name: "L1"  # Scheme identifier - must match exactly
     device_type: ANDROID
-    system_id: 4464 
+    system_id: 4464
     security_level: 1
     host: "https://keyxtractor.decryptlabs.com"
     secret: "your_decrypt_labs_api_key_here"

unshackle/unshackle.yaml

@@ -0,0 +1,253 @@
+# Group or Username to postfix to the end of all download filenames following a dash
+tag: Kenzuya
+
+# Enable/disable tagging with group name (default: true)
+tag_group_name: true
+
+# Enable/disable tagging with IMDB/TMDB/TVDB details (default: true)
+tag_imdb_tmdb: true
+
+# Set terminal background color (custom option not in CONFIG.md)
+set_terminal_bg: false
+
+# Set file naming convention
+#  true for style - Prime.Suspect.S07E01.The.Final.Act.Part.One.1080p.ITV.WEB-DL.AAC2.0.H.264
+#  false for style - Prime Suspect S07E01 The Final Act - Part One
+scene_naming: true
+
+# Whether to include the year in series names for episodes and folders (default: true)
+#  true for style - Show Name (2023) S01E01 Episode Name
+#  false for style - Show Name S01E01 Episode Name
+series_year: false
+
+# Check for updates from GitHub repository on startup (default: true)
+update_checks: true
+
+# How often to check for updates, in hours (default: 24)
+update_check_interval: 24
+
+# Title caching configuration
+# Cache title metadata to reduce redundant API calls
+title_cache_enabled: true # Enable/disable title caching globally (default: true)
+title_cache_time: 1800 # Cache duration in seconds (default: 1800 = 30 minutes)
+title_cache_max_retention: 86400 # Maximum cache retention for fallback when API fails (default: 86400 = 24 hours)
+
+# Muxing configuration
+muxing:
+  set_title: true
+
+# Login credentials for each Service
+credentials:
+  # Direct credentials (no profile support)
+  EXAMPLE: email@example.com:password
+
+  # Per-profile credentials with default fallback
+  SERVICE_NAME:
+    default: default@email.com:password # Used when no -p/--profile is specified
+    profile1: user1@email.com:password1
+    profile2: user2@email.com:password2
+
+  # Per-profile credentials without default (requires -p/--profile)
+  SERVICE_NAME2:
+    john: john@example.com:johnspassword
+    jane: jane@example.com:janespassword
+
+  # You can also use list format for passwords with special characters
+  SERVICE_NAME3:
+    default: ["user@email.com", ":PasswordWith:Colons"]
+  
+  Netflix:
+    default: ["sako.sako1109@gmail.com", "sako1109"]
+    # default: ["pbgarena0838@gmail.com", "Andhika1978"]
+# Override default directories used across unshackle
+directories:
+  cache: Cache
+  # cookies: Cookies
+  dcsl: DCSL # Device Certificate Status List
+  downloads: Downloads
+  logs: Logs
+  temp: Temp
+  # wvds: WVDs
+  prds: PRDs
+  # Additional directories that can be configured:
+  # commands: Commands
+  # services:
+  #   - /path/to/services
+  #   - /other/path/to/services
+  # vaults: Vaults
+  # fonts: Fonts
+
+# Pre-define which Widevine or PlayReady device to use for each Service
+cdm:
+  # Global default CDM device (fallback for all services/profiles)
+  default: chromecdm
+
+  # Direct service-specific CDM
+  DIFFERENT_EXAMPLE: PRD_1
+
+  # Per-profile CDM configuration
+  EXAMPLE:
+    john_sd: chromecdm_903_l3 # Profile 'john_sd' uses Chrome CDM L3
+    jane_uhd: nexus_5_l1 # Profile 'jane_uhd' uses Nexus 5 L1
+    default: generic_android_l3 # Default CDM for this service
+
+# Use pywidevine Serve-compliant Remote CDMs
+remote_cdm:
+  - name: "chromecdm"
+    device_name: widevine
+    device_type: CHROME
+    system_id: 36586
+    security_level: 3
+    type: "decrypt_labs"
+    host: https://keyxtractor.decryptlabs.com
+    secret: 7547150416_41da0a32d6237d83_KeyXtractor_api_ext
+  - name: "android"
+    device_name: andorid
+    device_type: ANDROID
+    system_id: 8131
+    security_level: 1
+    type: "decrypt_labs"
+    host: https://keyxtractor.decryptlabs.com
+    secret: decrypt_labs_special_ultimate
+
+# Key Vaults store your obtained Content Encryption Keys (CEKs)
+# Use 'no_push: true' to prevent a vault from receiving pushed keys
+# while still allowing it to provide keys when requested
+key_vaults:
+  - type: SQLite
+    name: Local
+    path: key_store.db
+  - type: HTTP
+    name: "DRMLab Vault"
+    host: "https://api.drmlab.io/vault/"
+    username: "unshackle"
+    password: "gEX75q7I5YVkvgF5SUkcNd41IbGrDtTT"
+    api_mode: "json"
+  # Additional vault types:
+  # - type: API
+  #   name: "Remote Vault"
+  #   uri: "https://key-vault.example.com"
+  #   token: "secret_token"
+  #   no_push: true  # This vault will only provide keys, not receive them
+  # - type: MySQL
+  #   name: "MySQL Vault"
+  #   host: "127.0.0.1"
+  #   port: 3306
+  #   database: vault
+  #   username: user
+  #   password: pass
+  #   no_push: false  # Default behavior - vault both provides and receives keys
+
+# Choose what software to use to download data
+downloader: aria2c
+# Options: requests | aria2c | curl_impersonate | n_m3u8dl_re
+# Can also be a mapping:
+# downloader:
+#   NF: requests
+#   AMZN: n_m3u8dl_re
+#   DSNP: n_m3u8dl_re
+#   default: requests
+
+# aria2c downloader configuration
+aria2c:
+  max_concurrent_downloads: 4
+  max_connection_per_server: 3
+  split: 5
+  file_allocation: falloc # none | prealloc | falloc | trunc
+
+# N_m3u8DL-RE downloader configuration
+n_m3u8dl_re:
+  thread_count: 16
+  ad_keyword: "advertisement"
+  use_proxy: true
+
+# curl_impersonate downloader configuration
+curl_impersonate:
+  browser: chrome120
+
+# Pre-define default options and switches of the dl command
+dl:
+  sub_format: srt
+  downloads: 4
+  workers: 16
+  lang:
+    - orig
+    - id
+  EXAMPLE:
+    bitrate: CBR
+
+# Chapter Name to use when exporting a Chapter without a Name
+chapter_fallback_name: "Chapter {j:02}"
+
+# Case-Insensitive dictionary of headers for all Services
+headers:
+  Accept-Language: "en-US,en;q=0.8"
+  User-Agent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.75 Safari/537.36"
+
+# Override default filenames used across unshackle
+filenames:
+  log: "unshackle_{name}_{time}.log"
+  config: "config.yaml"
+  root_config: "unshackle.yaml"
+  chapters: "Chapters_{title}_{random}.txt"
+  subtitle: "Subtitle_{id}_{language}.srt"
+
+# API key for The Movie Database (TMDB)
+tmdb_api_key: "8f5c14ef648a0abdd262cf809e11fcd4"
+
+# conversion_method:
+# - auto (default): Smart routing - subby for WebVTT/SAMI, standard for others
+# - subby: Always use subby with advanced processing
+# - pycaption: Use only pycaption library (no SubtitleEdit, no subby)
+# - subtitleedit: Prefer SubtitleEdit when available, fall back to pycaption
+subtitle:
+  conversion_method: auto
+  sdh_method: auto
+
+# Configuration for pywidevine's serve functionality
+serve:
+  users:
+    secret_key_for_user:
+      devices:
+        - generic_nexus_4464_l3
+      username: user
+  # devices:
+  #   - '/path/to/device.wvd'
+
+# Configuration data for each Service
+services:
+  # Service-specific configuration goes here
+  # Profile-specific configurations can be nested under service names
+
+  # Example: with profile-specific device configs
+  EXAMPLE:
+    # Global service config
+    api_key: "service_api_key"
+
+    # Profile-specific device configurations
+    profiles:
+      john_sd:
+        device:
+          app_name: "AIV"
+          device_model: "SHIELD Android TV"
+      jane_uhd:
+        device:
+          app_name: "AIV"
+          device_model: "Fire TV Stick 4K"
+
+  # Example: Service with different regions per profile
+  SERVICE_NAME:
+    profiles:
+      us_account:
+        region: "US"
+        api_endpoint: "https://api.us.service.com"
+      uk_account:
+        region: "GB"
+        api_endpoint: "https://api.uk.service.com"
+
+# External proxy provider services
+proxy_providers:
+
+  surfsharkvpn:
+    username: GyDrhk88nC53gA72EKkHBZBP  # Service credentials from https://my.surfshark.com/vpn/manual-setup/main/openvpn
+    password: 2DDwZWTfeH6XbjVxQtKJdump  # Service credentials (not your login password)

unshackle/vaults/MySQL.py

@@ -131,16 +131,27 @@ class MySQL(Vault):
         if any(isinstance(kid, UUID) for kid, key_ in kid_keys.items()):
             kid_keys = {kid.hex if isinstance(kid, UUID) else kid: key_ for kid, key_ in kid_keys.items()}
 
+        if not kid_keys:
+            return 0
+
         conn = self.conn_factory.get()
         cursor = conn.cursor()
 
         try:
+            placeholders = ",".join(["%s"] * len(kid_keys))
+            cursor.execute(f"SELECT kid FROM `{service}` WHERE kid IN ({placeholders})", list(kid_keys.keys()))
+            existing_kids = {row["kid"] for row in cursor.fetchall()}
+
+            new_keys = {kid: key for kid, key in kid_keys.items() if kid not in existing_kids}
+
+            if not new_keys:
+                return 0
+
             cursor.executemany(
-                # TODO: SQL injection risk
-                f"INSERT IGNORE INTO `{service}` (kid, key_) VALUES (%s, %s)",
-                kid_keys.items(),
+                f"INSERT INTO `{service}` (kid, key_) VALUES (%s, %s)",
+                new_keys.items(),
             )
-            return cursor.rowcount
+            return len(new_keys)
         finally:
             conn.commit()
             cursor.close()

unshackle/vaults/SQLite.py

@@ -102,16 +102,27 @@ class SQLite(Vault):
         if any(isinstance(kid, UUID) for kid, key_ in kid_keys.items()):
             kid_keys = {kid.hex if isinstance(kid, UUID) else kid: key_ for kid, key_ in kid_keys.items()}
 
+        if not kid_keys:
+            return 0
+
         conn = self.conn_factory.get()
         cursor = conn.cursor()
 
         try:
+            placeholders = ",".join(["?"] * len(kid_keys))
+            cursor.execute(f"SELECT kid FROM `{service}` WHERE kid IN ({placeholders})", list(kid_keys.keys()))
+            existing_kids = {row[0] for row in cursor.fetchall()}
+
+            new_keys = {kid: key for kid, key in kid_keys.items() if kid not in existing_kids}
+
+            if not new_keys:
+                return 0
+
             cursor.executemany(
-                # TODO: SQL injection risk
-                f"INSERT OR IGNORE INTO `{service}` (kid, key_) VALUES (?, ?)",
-                kid_keys.items(),
+                f"INSERT INTO `{service}` (kid, key_) VALUES (?, ?)",
+                new_keys.items(),
             )
-            return cursor.rowcount
+            return len(new_keys)
         finally:
             conn.commit()
             cursor.close()