Day 2 · 18 min read

Troubleshooting the SDK

Common error codes, log locations, isolation strategy.

A diagnostic ladder

When DRM playback fails, work top-down. Most issues fall out at the first or second rung:

Network: did the licence request reach the server?
Server: did the server build a licence?
CDM: did the CDM accept the licence?
Codec: is the codec actually decrypting?
Output: is HDCP / surface correct?

Rung 1 — network

Browser → check chrome://media-internals and the network tab.
Android → check Logcat for ExoPlayer + MediaDrm tags; check the licence service's access logs.
Confirm the request body is non-empty bytes (not an empty POST).
Confirm any auth headers / tokens are attached.

Rung 2 — server

If the server doesn't see the request: it's rung 1, not rung 2.

If it sees the request but errors:

Token validation? Is the auth header what the verifier expects?
Entitlement DB available?
Are the KIDs the request asks for present in your key store?
Did the SDK reject the request (signature error, unknown device cert)?

Log everything non-secret about the request: KIDs, device-cert hash, security level reported, policy chosen. Don't log raw request bytes or content keys.

Rung 3 — CDM

If the licence comes back but update() fails:

The licence may be malformed (rare unless the SDK was mis-called).
The CDM may not trust the signing chain (very rare with a real SDK).
The session may already be in a bad state (closed, invalidated).

On Android, look for these exceptions:

Exception	Likely root cause
`NotProvisionedException`	Device or per-origin cert not provisioned
`DeniedByServerException`	Server rejected (entitlement, policy)
`MediaDrmStateException`	Operation on a closed/invalid session
`UnsupportedSchemeException`	Widevine UUID not supported on this device
`ResourceBusyException`	No more session slots; check for leaks

Rung 4 — codec

Symptoms:

Green / corrupted frames → codec received encrypted samples without working crypto.
Slow decode / stutter → HW decoder couldn't be acquired; software fallback.
"No supported codec" → format/profile not supported on this SoC.

Mitigations:

Confirm cbcs vs cenc matches what the codec accepts on this device.
Confirm a secure surface is being used for L1 playback.
Check OEMCrypto version — older versions may not support newer schemes.

Rung 5 — output

HDCP version doesn't match policy → block.
Mirroring / casting → effective level may downgrade.
Analogue blocked by policy → silence on VGA / composite.

The CDM re-evaluates output protection every time it decrypts. A user yanking an HDMI cable mid-playback is a legitimate scenario the CDM handles by halting decryption.

Quick-reference error codes

A handful of error messages appear repeatedly in the wild:

EME error: NotSupportedError → robustness or codec not available; relax the request.
NotAllowedError → secure context missing (HTTPS).
MediaError code 4 → src not playable (manifest / codec / DRM).
Widevine: 1xx server-side errors → check licence service logs.

Exam tip

Memorise NotProvisionedException + the provisioning recovery flow. It's high-yield because the corrective action is unique to that exception.

No questions yet for troubleshooting. Add some in content/questions/troubleshooting.json.