HDCP falls to FPGA-based man-in-the-middle attack


It’s been a little while since we talked about HDCP around here, but recent developments in the area of digital content protection are proving very interesting.

You might remember that the Master Key for HDCP encryption was leaked last year, just a short while after Intel said that the protection had been cracked. While Intel admitted that HDCP had been broken, they shrugged off any suggestion that the information could be used to intercept HDCP data streams, claiming that a purpose-built processor would be required to do so. By arguing that creating such a component would be extremely cost-prohibitive, Intel hoped to quash interest in the subject, but things didn’t work out quite how they planned.

It seems that researchers in Germany have devised a way to build such a processor on an extremely reasonable budget. To achieve HDCP decryption on the fly, the researchers used a standard, off-the-shelf Digilent Atlys Spartan-6 FPGA development board, which comes complete with HDMI input/output ports for easy access to the video stream in question. While not as cheap as this HDCP workaround we covered a few years ago, their solution should prove to be far more flexible than hard-wiring an HDMI cable to your television’s mainboard.

The team claims that while their man-in-the-middle attack is effective and undetectable, it will be of little practical use to pirates. While we are aware that HDMI data streams generate a ton of data, this sort of talking in absolutes makes us laugh, as it often seems to backfire in the long run.

[via Tom’s Hardware]

48 thoughts on “HDCP falls to FPGA-based man-in-the-middle attack”

  1. It won’t be useful for pirates because BD-ROMs can easily be decrypted.

    But for me? Infinitely useful. I have an older Dell 2405FPW which has much life left in it but no HDMI. It does have DVI-D and a HDMI->DVI adapter works great with my XBox 360.

    Despite the above, no HDCP support. If this can decrypt everything in real time I’ll definitely be putting my future in EE to good use.

      1. $200 will not buy a new monitor that’s than the 2405, sorry. I just recently bought a 2407 used for $200, that was quite a good deal. Maybe if you got lucky and found a great deal on a 2408, but it’s unlikely to happen.

  2. I wonder if this would violate the DMCA if I used it so I didn’t need 4 extra cables to hook up my surround sound system. Guys, I don’t want to record your stuff! I HAVE a DVR.

    I just want to be able to use HDMI all over with my receiver instead of the extra TOSLINK/Digital COAX cable!

    1. This particular board only has 3 full-speed HDMI ports, and are hard-wired for particular directions. I think you can get another 2 in/2 out with an add-on, but check Digilent’s site first.

    2. I’m no expert, but as I understand it, any circumvention of DRM, even to exercise your rights under fair use, is illegal under the DMCA.
      I really doubt you’re going to get sued over it though.

      1. It’s actually better than that if you’re in California, or anywhere else the 9th Circuit Court of Appeals has jurisdiction – it ruled that circumvention for fair-use purposes like education and private viewing was legal.

    3. Just by discussing this, we are all violating the DMCA. The DMCA goes so far as to make it illegal to search for security holes with the intention of patching them when found.

      If they release the code, I will probably buy one of these boards…the whole HDCP/cablecard BS is a big part of the reason I turned off my TV subscription. If I could use my PC as a DVR without the massive quality loss designed into the DVR from the TV company, without a $350 ATI cablecard adapter, and without the $15 monthly fee to rent a cablecard, the subscription would almost be worth the money.

    4. Be careful. Even *thinking* about breaking copy protection is a violation of the DMCA. In fact, the DMCA outlaws thinking of any kind (as well as most vital biological processes).

  3. The thing with the internet is, it only takes one crafty pirate with such a device and a high-performance disk array to rip something available only on an hdcp line for everyone on the internet to get it.

    I’ve heard talk of using this to record stuff like pay-per views off of cable boxes that require HDCP. Things where the only access to the content comes through a locked-down box from a service provider.

  4. I would assume that once you have the video stream decrypted, it’s trivial to use HDMI as a connection to a camera, or a PC with recording software, in addition to the monitor. Especially since the board used has 2 HDMI in, 2 HDMI out, but one of those is an unbuffered, HDMI Mini port, iirc. Plus, depending on how expensive the decryption is, you might be able to do some extra video processing before outputting the signal.

    1. You assume wrong. HDMI capture devices (even for unencrypted streams) are not common, or trivial, and doing high quality h264-encoding in real time is even less trivial.

      1. Huh? Just get a Blackmagic or AJA hdmi capture card. They capture extremely high quality, are pretty cheap, and don’t even require that great of a hard drive setup to capture to.

  5. ugh. the $350 number is STUPID. all you need is a decent sized FPGA chip with HDMI IOs. and why oh why do they say this will be “of no great practical use for pirates”??? even if pirates go with a stock board that’s $350, it’s not a ton of money.

  6. To paraphrase John Gilmore, ‘The internet interprets any and all impediments to free information exchange as damage and routes around them. Also, kittens’

    1. ‘The internet interprets any and all impediments to free information exchange as damage and routes around them. Also, kittens’

      “Kittens!?” Well that explains Lolcats.

    1. If all you want to do is pull out the audio then check out the HDFury.

      For folks with older HD ready analog TVs it is also great.

      Or… for people who simply want to easily and cheaply distribute video around the house/business etc…

  7. Finally, a way of doing an Ambilight clone *without* a PC driving the image.
    No need to store any of the information, just track the edge pixels on the HDMI feed, pull the colour and route it to an RGB LED. Simples.

    (okay, okay, I know, it’s still not that simple as that’s a lot of data to parse & track)

    1. @Sheldon –

      Only reason you’d need the FPGA setup is “if none of your equipment had a composite-out” (which may be your situation, fine, but that’s far from saying this is finally a way to make a PC-free Ambilight clone).

      There’s tons of composite video processing chips which could drive a PC-free Ambilight clone. You don’t need to actually watch the composite feed.. just watch the HDMI feed and route the composite feed to the ambilight. I’ve never seen a video device that shuts down the composite out port when HDMI out is also in use.

      1. Actually, I have. I have the “new” Cisco HD Explorer (forget the model number, used to be Scientific Atlanta) that disables video through composite when HDMI is connected.

        I found this out because my last receiver (that didn’t have problems) died. My connection is like this

        Cable Box -> HDMI -> Acer 23″ LCD in office
        Cable Box -> Component -> 32″ CRT in bedroom

        When the ACER has power, composite just sits ‘grey’ without anything on it. You can hear audio but that’s it. When the ACER is unplugged, the component outputs fine. I’ve also tried composite/svideo with the same results. :(

        This is in Orlando, FL w/BrightHouse

      2. You wouldn’t be able to use such a composite image grabber with multiple sources without some additional switching. So your ambilight would only be useful with one source at a time. I want something that can intercept the HDMI out from my receiver (which has inputs for all my sources) and pass it to the TV while simultaneously getting the color information for the ambilight.

  8. It is interesting, that it took this long for the first FPGA based stripper to be available to most of us.

    I know that it does not make sense for piracy (you would also need a HDMI capture card for your computer, or any other means of recoding HDMI video streams). However, there are so many useful things that could be built with this. Just think of 3D splitters (to route 3D movies to 2 separate projectors), Ambilight clones (as Sheldon noted), separating sound and video signals, video overlays, and so on…

    1. it took so long because it wasn’t needed, you can just buy HDMI receiver chips preprogrammed with HDCP key that will output unencrypted video

      1. Not without a $5M+ indemnity policy and an NDA agreement with HDCP LLC you can’t. Check the license agreement for HDCP and you will see this.
        Now, you CAN find things from China like the HDFury, but they are violating the HDCP license agreement.

  9. If you are opting for an FPGA solution you might as well add some real time video compression functionality to the system and dump it straight to wherever.

  10. HDCP stripper cables cost $40 nowadays
    just google “Inteligentny kabel iHDMI plus CEC”
    they are available as hdmi-hdmi and hdmi-dvi. HDCP comes on one end … and vanishes in the middle :)

    1. I usually don’t have to buy cables like that, I just let the mice chew on a cable, and the signal will vanish in the middle :-)

    2. Bet their cable just uses one of the available codes to handshake and handle the HDCP stream, rather than stripping the protection like the FPGA does.

      1. this FPGA also uses one of the codes they calculated using master key
        supply key to HDMI receiver
        get video with receiver chip into FPGA
        pump video with another HDMI transmitter without HDCP

  11. [SHRUG] Interesting information in the article, and comments, to be aware of. I hadn’t turn on my TV after the morning of the big switch, and the lone station I expected to receive wasn’t to be received. Probably 10 years since I had the good stereo receiver on, the portable does fine for now. Hopefully I remember what tech what’s worth remembering, when I get a life again, and connect to the mainstream entertainment world.

  12. I’m really just not seeing the point. though, I would like to point out that if they bought the PCI-E FPGA board, after stripping the video signal, you could probably whip up an encoder and signal splitter (audio and video), which will then let you mux them on a computer using the built in FPGA.

    you can do all that, OR you could just rip a bluray directly. I mean, they have an article on how to do it on gizmodo. GIZMODO people. though I do see the purpose for video games, I don’t know if the 360 supports anything higher than HDMI spec 1.2, because I know it doesn’t support the CEC extensions. but they have a box out that can record the output now that works on the PS3 and 360 and transcodes it automatically.

  13. This would be great for those of us in production who need to get the HDMI out of a Blu-ray player and into a format like HD-SDI so it can be switched. I have worked with several film festivals that this would have been great for. Yes I know that it is possible to playback a file from a laptop but this is the real world and we get all sorts of file formats and mediums.
