Extracting content from an LCP "protected" ePub
52 comments
March 16, 2025
grayhatter
> KOReader never contacted us: I don't think they know how low the certification fee would be
It's between 350USD (per platform) and 1,700USD per year. So the possible range is between 1700USD, and 3k USD... Yeah, that's totally reasonable for a FOSS project where the lower yearly cost is 110% of the amount they make in donations every year.
captn3m0
Readium was also responsible for the takedown on the noDRM repo, a few years ago: https://news.ycombinator.com/item?id=29870151
The repo came back, but without the readium DRM code: https://github.com/noDRM/DeDRM_tools/blob/master/DeDRM_plugi...
damnitbuilds
To further Streisand this, I think the restored repo is here:
https://repo.or.cz/DeDRM_tools-LCP.git
joecool1029
It works. Though I've found it only works for LCP epubs, not PDFs.
MyOutfitIsVague
It doesn't work for the newest encryption scheme for epubs. Current epubs downloaded from NetGalley won't decrypt with it, unfortunately.
dvngnt_
Do book DRMs even make sense? I can understand games, but how do you encrypt words that are meant to be read? People used to record music on the radio. It seems easier to OCR a book and generate text that way.
snailmailman
A big place where this gets used is to make Kindle ebooks only able to be read on a Kindle.
Any time they update and change the DRM there’s a brief period where newly-released Amazon Kindle books essentially cannot be read anywhere except Kindle hardware and official Kindle apps. People have pretty consistently found ways around the DRM (for now). But Amazon is always trying to crack down on this.
myaccountonhn
It's also employed by digital libraries to enable lending of books.
Zak
DRM on media almost never makes sense from an anti-piracy perspective. Any reasonably popular book, movie, or TV show is on The Pirate Bay within a single-digit number of hours of its release.
It makes a lot of sense from a lock-in perspective, though I'm not certain why that leads to publishers insisting on it.
lxgr
You can always do OCR on the paper book, so if the easiest way to circumvent some ebook DRM were OCR, the vendor would probably consider that a resounding success.
notpushkin
Yeah, I wouldn’t share this so openly. Instead – like they said – build a one-click downloader, then go fill the shadow libraries with a bunch of trusted accomplices. (This is slightly less legal, though.)
lxgr
Very curious (and nervous, as I can imagine more bad outcomes than good ones) as somebody that frequently lends ebooks from libraries supporting LCP. (The only thing worse than "controlled" digital lending would be no digital lending at all.)
LCP is as close to the platonic ideal of DRM as it gets: Essentially no obfuscation; cryptography largely something to point at when filing DMCA takedown requests. For better or worse, I suspect we're about to get some new case law for what constitutes an effective technical measure.
easterncalculus
.mobi as a TLD for a book blog on the removal of DRM is especially appropriate.
baruchel
A more straightforward way to do it, IMHO, is to use Thorium in conjunction with a Python script called lcpdedrm. If I remember well, that script isn't available directly any longer, but it is easy to look around and find copies of it. Then use Thorium for locally saving the file and use the Python script for removing the DRM.
miki123211
Why do you even need Thorium for this?
If the files are just AES-encrypted and the links are there, as the linked article suggests, it seems that it would be easy to create a standalone script to download and decrypt these.
edent
(OP here) I discussed how the DRM works in an earlier blog post - https://shkspr.mobi/blog/2025/03/some-thoughts-on-lcp-ebook-...
Essentially, the key for decrypting the files is made up of the book owner's passphrase and the super-secret key embedded in the closed-source binary.
I wasn't able to reverse engineer the binary or extract that key.
ShrimpHawk
The key is b3a07c4d42880e69398e05392405050efeea0664c0b638b7c986556fa9b58d77b31a40eb6a4fdba1e4537229d9f779daad1cc41ee968153cb71f27dc9696d40f
edent
The lcpdedrm script is, if I remember correctly, only suitable for Profile 1.0, which has since been replaced with the newer 2.0 version.
ferbivore
> You can, for sure, publish information relative to your discoveries to the extent UK laws allow. After study, we'll do our best to make the technology more robust. If your discourse represents a circumvention of this technical protection measure, we'll command a take-down as a standard procedure.
Disgusting behaviour, as expected from the publishing industry I suppose. This "EDRLab" outfit appears to be little more than a non-profit front for Hachette.
nocoiner
The author’s response was just perfect though in both tone and substance.
“As you have raised the possibility of legal action, I think it is best that we terminate this conversation.”
Once someone shoots off about getting the lawyers involved, there’s really nothing more that can productively be said (unless, of course, you are prepared to get your own lawyers involved).
kristo
They make a software to help libraries lend ebooks for free. Without their DRM you either wouldn’t be able to borrow ebooks because publishers would never agree to it, or would be limited to kindle/libby to read them. They’re not perfect but how is it bad behavior to say you’ll issue a takedown notice if your copyright material is republished? I don’t really understand why they’re being treated as the enemy here?
MyOutfitIsVague
The effect, very often, is to force anybody with specific reading habits to buy Amazon or be unable to read their books. This is especially bad if you don't just buy books, but read through the library or especially if you get ARCs (advance reader copies, for pre-release reviews). Advance readers who don't have Kindle are jerked around constantly by DRM and especially changes in DRM schemes. It's really hard to not see this as collusion, as it suspiciously always works for the benefit of Amazon and the detriment of every single other person and company involved.
> how is it bad behavior to say you’ll issue a takedown notice if your copyright material is republished
It's not. That's not what happened here, though.
It is bad behavior when you threaten legal action against somebody working within their rights to legally allow people to read things that they paid for on devices that they've paid for. The DMCA has specific carve-outs for interoperability. Threatening legal action there is bully behavior. I'd argue that the ethics are pretty clear-cut here too. A ton of copyright law is incredibly badly balanced against the consumer and even against small artists in favor of the biggest players. If this was illegal, it would be the law that is unethical.
ziddoap
>I don’t really understand why they’re being treated as the enemy here?
The gross manipulation attempt is what did it for me.
"We were planning to now focus on new accessibility features on our open-source Thorium Reader, better access to annotations for blind users and an advanced reading mode for dyslexic people. Too bad"
The legal threat at the end wasn't very cool, either.
grayhatter
> They’re not perfect but how is it bad behavior to say you’ll issue a takedown notice if your copyright material is republished?
That's not what they said. This is how you should have read their reply:
> If your discourse represents a circumvention of this technical protection measure, we'll command a take-down as a standard procedure.
If you say something we don't like, if we think we can make the argument that the information about methodology and implementation you share for free is circumvention of our DRM, we'll follow our existing strategy to abuse the legal system to silence you and prevent you from sharing information.
> I don’t really understand why they’re being treated as the enemy here?
Because they are the bad guy, they're actively working to make the world worse. They're pretending like if it wasn't for their kindness, access to these ebooks would be impossible. But in reality they only care about controlling other people by force. The legal threats, insane arguments about how it's better if how their DRM works is a secret, the intent of the software they're defending, and the messages they sent are just ways or attempts to exert control over what other people are allowed to do, or are allowed to know.
I'd also like to discourage this argument generally:
> Without their DRM you either wouldn’t be able to borrow ebooks because publishers would never agree to it, or would be limited to kindle/libby to read them
The (unfair) translation of this is: If it wasn't me abusing you, it would be so much worse! You should be saying thank you that it's me abusing you! Not complaining about how you don't like how you're being treated!
Everything can always be worse, the point is to make it better, not accept something harmful.
lxgr
> how is it bad behavior to say you’ll issue a takedown notice if your copyright material is republished?
Which copyrighted material is TFA republishing?
And where's the takedown notice? So far, there only seems to be an attempt of emotional blackmail ("take this down or we'll have to deprioritize our accessibility efforts").
> They make a software to help libraries lend ebooks for free.
Free to the library (?), but not free to the reader. (Readers indirectly pay for it via certification fees paid by the ereader vendor.)
It might well be the lesser evil compared to Kindle (closed ecosystem) and Adobe Digital Editions (words cannot describe the pain), but it's still a DRM scheme and as such restricts reading hardware/software choice, so I can see how its mere existence upsets people.
JadeNB
> Disgusting behaviour, as expected from the publishing industry I suppose. This "EDRLab" outfit appears to be little more than a non-profit front for Hachette.
The quoted block is indeed disgusting, but it gets even weirder in the context of the full discussion, where the correspondent seems to be trying some sort of intellectual blackmail on the author of this article, saying that, as long as nobody talks about its deficiencies, DRM can be kept weak and inefficient—and so trying to blame increasingly cumbersome DRM on the people who want to access their material, rather than on the publishers. For example, with a nice and patronizing start:
> You've found a way to hack LCP using Thorium. Bravo! We certainly didn't sufficiently protect the system, we are already working on that. … If the DRM does not succeed, harder DRMs (for users) will be tested. I let you think about that aspect
Akronymus
> we are already working on that
So they worked on making harder-to-crack DRM before being informed of the weak DRM...
spudlyo
Granted, Readium LCP[0] may be one of the less odious DRM solutions out there for eBook contents, however it's still DRM. Handcuffs are still handcuffs regardless of how comfortably they fit.
DRM, in my view, is too often used as a cudgel to mandate hardware and software level restrictions that take away the control of our own computing devices and environments. I personally hold that intellectual property isn't property, and is increasingly becoming a net negative to humanity as a whole. In the case of this article, there is an ominous threat of legal action against the disclosure of the author's work, potentially stifling the speech of a fellow hacker.
While I'm not unsympathetic to the plight of creatives, and their need to eat, I feel like the pendulum has swung so far to the interests of the copyright holders and away from the needs of the public that the bargain is no longer one I support.
Because of this stance, I find myself uncomfortably on the side of AI bros like Sam Altman who argue for the expansion of the fair use doctrine. I see AI as an accelerant in the erosion of IP's relevance and enforceability. With AI being able to crank out derivative works at scale, it blurs the lines between infringement and transformation. My hope is that the flood of such content makes enforcement impractical, and that it will further demonstrate that the IP emperor is naked.
ferbivore
Altman isn't on your side, or any side except his own. OpenAI insists both that they should be allowed to train models on any text they can gain access to, regardless of copyright or licensing (https://openai.com/index/openai-and-journalism/) and that you should not be allowed to train models on any text produced by their models (https://archive.is/20250130132153/https://www.nytimes.com/20...).
spudlyo
His ability to speak out of both sides of his mouth is why no one trusts him, and why I find it so uncomfortable to agree with anything he says.
npodbielski
Exactly. OpenAI and Altman would be very happy to say that intellectual property does not apply to them but then enforce that law when they talk about their own intellectual property being used without their consent.
lxgr
> I find myself uncomfortably on the side of AI bros like Sam Altman who argue for the expansion of the fair use doctrine
Why? Are you training LLMs?
I highly doubt they'll fight a pro-consumer fight completely incidental to their objectives (if not detracting: don't need to buy the source textbook if you can ask ChatGPT about its contents as soon as it's released).
spudlyo
The enemy of my enemy is my friend. Anything done to strengthen fair use is in my opinion a positive outcome. Happy to see copyright holders go toe-to-toe against a bully their own size. If both OpenAI and entrenched IP interests get bloodied in this fight, it's a win-win.
lxgr
Contrary to this popular saying, real world friendship/enmity is not an anti-transitive relation.
I would expect most AI companies to be more than happy to throw consumers under the bus if it affords them a carve-out serving their own narrow interests.
damnitbuilds
In a courthouse in the near future:
"So, yeronner, I think you will agree that I was well within my rights to share a torrent of the new Batman movie, not for people to watch but so they could train their LLMs on it."
lxgr
Technically, you've got a point: https://xkcd.com/2173/ ("We trained a neural network to enjoy the latest Hollywood movies...")
> We were planning to now focus on new accessibility features on our open-source Thorium Reader, better access to annotations for blind users and an advanced reading mode for dyslexic people. Too bad; disturbances around LCP will force us to focus on a new round of security measures
This is so funny to me. "We might have gotten around to making our software accessible, if it weren't for you meddling kids!"