diff --git a/libwvdrmengine/cdm/core/test/generic_crypto_unittest.cpp b/libwvdrmengine/cdm/core/test/generic_crypto_unittest.cpp
index 254b3d40..809d3128 100644
--- a/libwvdrmengine/cdm/core/test/generic_crypto_unittest.cpp
+++ b/libwvdrmengine/cdm/core/test/generic_crypto_unittest.cpp
@@ -16,6 +16,7 @@
 #include "log.h"
 #include "oec_session_util.h"
 #include "../../oemcrypto/mock/src/oemcrypto_key_mock.h"
+#include "oemcrypto_session_tests_helper.h"
 #include "properties.h"
 #include "string_conversions.h"
 #include "url_request.h"
@@ -34,7 +35,8 @@ std::string g_provisioning_service_certificate;
 
 namespace wvcdm {
 
-class WvGenericOperationsTest : public testing::Test {
+class WvGenericOperationsTest : public testing::Test,
+                                public wvoec::SessionUtil {
  public:
   WvGenericOperationsTest() : crypto_session_(NULL) {}
 
@@ -49,10 +51,8 @@ class WvGenericOperationsTest : public testing::Test {
     g_license_service_certificate.assign(config.license_service_certificate());
     g_provisioning_server.assign(config.provisioning_server());
 
-    // TODO(fredgc or gmorgan): This should be updated for provisioning 3.0
-    // Load test keybox. This keybox will be used by any CryptoSession
-    // created by the CDM under test.
-    ASSERT_EQ(OEMCrypto_SUCCESS, OEMCrypto_LoadTestKeybox());
+    // Ensure that OEMCrypto has a test keybox if needed.
+    EnsureTestKeys();
 
     // Perform CdmEngine setup
     cdm_engine_.reset(new CdmEngine(&file_system_));
diff --git a/libwvdrmengine/oemcrypto/mock/src/oemcrypto_key_mock.cpp b/libwvdrmengine/oemcrypto/mock/src/oemcrypto_key_mock.cpp
index 18f0eeef..8f7832bd 100644
--- a/libwvdrmengine/oemcrypto/mock/src/oemcrypto_key_mock.cpp
+++ b/libwvdrmengine/oemcrypto/mock/src/oemcrypto_key_mock.cpp
@@ -18,8 +18,9 @@ bool KeyControlBlock::Validate() {
       memcmp(verification_, "kc09", 4) &&  // add in version 9 api
       memcmp(verification_, "kc10", 4) &&  // add in version 10 api
       memcmp(verification_, "kc11", 4) &&  // add in version 11 api
-      memcmp(verification_, "kc12", 4) &&  // add in version 11 api
-      memcmp(verification_, "kc13", 4)) {  // add in version 13 api
+      memcmp(verification_, "kc12", 4) &&  // add in version 12 api
+      memcmp(verification_, "kc13", 4) &&  // add in version 13 api
+      memcmp(verification_, "kc14", 4)) {  // add in version 14 api
     LOGE("KCB: BAD verification string: %4.4s", verification_);
     valid_ = false;
   } else {
diff --git a/libwvdrmengine/oemcrypto/mock/src/oemcrypto_mock.cpp b/libwvdrmengine/oemcrypto/mock/src/oemcrypto_mock.cpp
index 6c5ee661..9adf9670 100644
--- a/libwvdrmengine/oemcrypto/mock/src/oemcrypto_mock.cpp
+++ b/libwvdrmengine/oemcrypto/mock/src/oemcrypto_mock.cpp
@@ -1338,7 +1338,7 @@ extern "C" OEMCryptoResult OEMCrypto_DeriveKeysFromSessionKey(
   return OEMCrypto_SUCCESS;
 }
 
-extern "C" uint32_t OEMCrypto_APIVersion() { return 13; }
+extern "C" uint32_t OEMCrypto_APIVersion() { return 14; }
 
 extern "C" uint8_t OEMCrypto_Security_Patch_Level() {
   uint8_t security_patch_level = crypto_engine->config_security_patch_level();
@@ -1378,6 +1378,11 @@ extern "C" OEMCryptoResult OEMCrypto_GetHDCPCapability(
   return OEMCrypto_SUCCESS;
 }
 
+extern "C" uint32_t OEMCrypto_GetAnalogOutputFlags() {
+// TODO(b/69867568, fredgc): parameterize this.
+  return 0;
+}
+
 extern "C" bool OEMCrypto_SupportsUsageTable() {
   bool supports_usage = crypto_engine->config_supports_usage_table();
   if (LogCategoryEnabled(kLoggingTraceOEMCryptoCalls)) {
diff --git a/libwvdrmengine/oemcrypto/test/oec_device_features.cpp b/libwvdrmengine/oemcrypto/test/oec_device_features.cpp
index 4d02b4d8..a30e01cd 100644
--- a/libwvdrmengine/oemcrypto/test/oec_device_features.cpp
+++ b/libwvdrmengine/oemcrypto/test/oec_device_features.cpp
@@ -138,6 +138,7 @@ std::string DeviceFeatures::RestrictFilter(const std::string& initial_filter) {
   if (api_version < 11)               FilterOut(&filter, "*API11*");
   if (api_version < 12)               FilterOut(&filter, "*API12*");
   if (api_version < 13)               FilterOut(&filter, "*API13*");
+  if (api_version < 14)               FilterOut(&filter, "*API14*");
   // Performance tests take a long time.  Filter them out if they are not
   // specifically requested.
   if (filter.find("Performance") == std::string::npos) {
diff --git a/libwvdrmengine/oemcrypto/test/oec_session_util.cpp b/libwvdrmengine/oemcrypto/test/oec_session_util.cpp
index 9dd26732..cde13158 100644
--- a/libwvdrmengine/oemcrypto/test/oec_session_util.cpp
+++ b/libwvdrmengine/oemcrypto/test/oec_session_util.cpp
@@ -528,7 +528,10 @@ void Session::FillRefreshMessage(size_t key_count, uint32_t control_bits,
     encrypted_license().keys[i].key_id_length = license_.keys[i].key_id_length;
     memcpy(encrypted_license().keys[i].key_id, license_.keys[i].key_id,
            encrypted_license().keys[i].key_id_length);
-    if (global_features.api_version == 13) {
+    if (global_features.api_version == 14) {
+      // For version 14, we require OEMCrypto to handle kc14 for all licenses.
+      memcpy(license_.keys[i].control.verification, "kc14", 4);
+    } else if (global_features.api_version == 13) {
       // For version 13, we require OEMCrypto to handle kc13 for all licenses.
       memcpy(encrypted_license().keys[i].control.verification, "kc13", 4);
     } else if (global_features.api_version == 12) {
diff --git a/libwvdrmengine/oemcrypto/test/oemcrypto_test.cpp b/libwvdrmengine/oemcrypto/test/oemcrypto_test.cpp
index 6e40c2ed..de2b516a 100644
--- a/libwvdrmengine/oemcrypto/test/oemcrypto_test.cpp
+++ b/libwvdrmengine/oemcrypto/test/oemcrypto_test.cpp
@@ -118,7 +118,7 @@ TEST_F(OEMCryptoClientTest, VersionNumber) {
     cout << "             OEMCrypto does not support usage tables." << endl;
   }
   ASSERT_GE(version, 8u);
-  ASSERT_LE(version, 13u);
+  ASSERT_LE(version, 14u);
 }
 
 TEST_F(OEMCryptoClientTest, ProvisioningDeclaredAPI12) {
@@ -1143,7 +1143,7 @@ TEST_P(SessionTestAlternateVerification, LoadKeys) {
 // the current API + 2.  We use +2 because we want to test at least 1
 // future API, and the ::testing::Range is not inclusive.
 INSTANTIATE_TEST_CASE_P(TestAll, SessionTestAlternateVerification,
-                        Range(8, 13 + 2));
+                        Range(8, 14 + 2));
 
 TEST_F(OEMCryptoSessionTests, LoadKeysBadSignature) {
   Session s;
diff --git a/libwvdrmengine/oemcrypto/test/oemcrypto_test_android.cpp b/libwvdrmengine/oemcrypto/test/oemcrypto_test_android.cpp
index f7e5a771..82f4ee2f 100644
--- a/libwvdrmengine/oemcrypto/test/oemcrypto_test_android.cpp
+++ b/libwvdrmengine/oemcrypto/test/oemcrypto_test_android.cpp
@@ -138,4 +138,12 @@ TEST_F(OEMCryptoAndroidOCTest, MinVersionNumber13) {
   ASSERT_GE(version, 13u);
 }
 
+// These tests are required for Pi Android devices.
+class OEMCryptoAndroidPiTest : public OEMCryptoAndroidOCTest {};
+
+TEST_F(OEMCryptoAndroidPiTest, MinVersionNumber14) {
+  uint32_t version = OEMCrypto_APIVersion();
+  ASSERT_GE(version, 14u);
+}
+
 }  // namespace wvoec