HDMI breakout lets you sniff HDCP crypto keys

[Image: hdmi-breakout-cable]

There are two really useful parts to this hack, which involves sniffing the HDMI protocol’s HDCP security keys. The first is just getting at the signals without disrupting communications between two HDCP-capable devices. To do so [Adam Laurie] started by building an HDMI breakout cable that also serves as a pass-through. The board seen above is known as an HDMI screw terminal board. The image shows one cable connecting to itself during the fabrication process. What he did was cut one end off of an HDMI cable, then use a continuity tester to figure out which screw terminal connects to which bare wire. After all the wires are accounted for, the end with the plug goes to his TV, with a second cable connecting the board’s socket to his DVD player.

The rest of his post is dedicated to sniffing the security keys. His weapon of choice on this adventure turns out to be a Bus Pirate, but it runs a little slow to capture all of the data. He switches to a tool of his own design, which runs on a 60MHz PIC32 demo board. With it he’s able to get the keys which make decrypting the protected data possible.
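The keys in question travel over HDMI’s DDC channel, which is plain I2C, so what the sniffer has to get right is I2C framing rather than anything exotic. The example below is added here and is not Adam Laurie’s code or the Bus Pirate firmware: it decodes a constructed I2C event capture into transactions, including the repeated-START (RESTART) case where the bus direction flips from write to read without a STOP in between, and shows what a decoder that ignores RESTART makes of the same capture. The sink address 0x74/0x75 and the Bksv register at offset 0x00 come from the HDCP 1.x specification; the byte values in the capture are made up, as is the 20-ones-out-of-40-bits check, which is the spec’s own well-formedness rule for a KSV.

```python
"""Decode a captured I2C/DDC event stream into transactions, handling RESTART.

Added example, not code from the original post. HDCP 1.x authentication runs
over the HDMI DDC channel (I2C); the sink answers at 8-bit address 0x74 (write)
and 0x75 (read). A repeated START (RESTART) begins a new address phase without
a STOP, so the direction can change mid-capture. A decoder that does not model
RESTART mislabels the read data as more write data.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

HDCP_SINK_WRITE = 0x74  # 8-bit address byte, R/W bit = 0
HDCP_SINK_READ = 0x75   # same 7-bit address (0x3A), R/W bit = 1


@dataclass
class Transaction:
    address: int              # 7-bit device address
    direction: str            # "write" or "read", taken from the address byte
    data: List[int] = field(default_factory=list)
    restarted: bool = False   # True if this phase was opened by a RESTART


Event = Tuple  # ("START",), ("RESTART",), ("STOP",), ("BYTE", value, acked)


def decode(events) -> List[Transaction]:
    """Group raw bus events into Transactions, one per address phase."""
    txns: List[Transaction] = []
    cur = None
    expect_addr = False
    pending_restart = False
    for ev in events:
        kind = ev[0]
        if kind in ("START", "RESTART"):
            # Whatever follows is an address byte; remember how we got here.
            expect_addr = True
            pending_restart = kind == "RESTART"
        elif kind == "STOP":
            cur = None
        elif kind == "BYTE":
            value = ev[1]
            if expect_addr:
                # Bit 0 of the address byte carries the direction.
                cur = Transaction(address=value >> 1,
                                  direction="read" if value & 1 else "write",
                                  restarted=pending_restart)
                txns.append(cur)
                expect_addr = False
            else:
                if cur is None:
                    raise ValueError("data byte outside a transaction")
                cur.data.append(value)
        else:
            raise ValueError(f"unknown event {kind!r}")
    return txns


def decode_ignoring_restart(events) -> List[Transaction]:
    """Naive decoder: drops RESTART, so the following address byte is swallowed
    as data and the direction never flips. This mimics the failure mode that the
    comments describe, not the Bus Pirate's actual implementation."""
    return decode([ev for ev in events if ev[0] != "RESTART"])


def ksv_is_wellformed(ksv: List[int]) -> bool:
    """HDCP 1.x requires a KSV to be 40 bits with exactly 20 bits set."""
    return len(ksv) == 5 and sum(bin(b).count("1") for b in ksv) == 20


# Constructed capture: the source reads the sink's 5-byte Bksv register
# (offset 0x00 in HDCP 1.x). The KSV bytes are made up.
SAMPLE_CAPTURE = [
    ("START",),
    ("BYTE", HDCP_SINK_WRITE, True),  # address 0x3A, write
    ("BYTE", 0x00, True),             # register offset: Bksv
    ("RESTART",),
    ("BYTE", HDCP_SINK_READ, True),   # same address, now read
    ("BYTE", 0x0F, True), ("BYTE", 0x1E, True), ("BYTE", 0x2D, True),
    ("BYTE", 0x3C, True), ("BYTE", 0x4B, False),  # master NACKs the last byte
    ("STOP",),
]


def summarize(txns: List[Transaction]):
    """Compact view of a decoded capture for comparison."""
    return [(t.direction, t.data, t.restarted) for t in txns]


if __name__ == "__main__":
    good = decode(SAMPLE_CAPTURE)
    print("RESTART-aware:", summarize(good))
    print("Bksv well-formed:", ksv_is_wellformed(good[1].data))
    print("RESTART-unaware:", summarize(decode_ignoring_restart(SAMPLE_CAPTURE)))
```

With the RESTART-aware decoder the capture splits into a one-byte write (the register offset) and a five-byte read whose payload passes the KSV check; the naive decoder reports a single write containing the address byte 0x75 and the five KSV bytes as if the source had sent them, which is exactly the kind of output that makes a sniffer look too slow when it is really mis-framing.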

Comments

  1. Nate True says:

    He actually switches back to using the Bus Pirate after upgrading the firmware. The issue wasn’t the speed of the Bus Pirate, it was that it didn’t detect the directional change of the I2C data.

  2. Matt says:

    “I suspected, therefore, that the problem with the Bus Pirate was not speed at all, but mis-handling of a RESTART” << from the blog post.
    Don't you guys even read these things before posting them?

    Very interesting post, btw, and I'm only halfway through it.

    • Dave says:

      According to the buspirate documentation, “The I2C sniffer is implemented in software and seems to work up to 100kHz”. It’s quite likely that the bus he’s sniffing is running at a higher speed.

      The page does mention in the next paragraph that the restart issue went away with a firmware update of the buspirate.

  3. Earlz says:

    Yet again proving that DRM is just inconvenient for legitimate users and will never stop illegitimate users

    • geekmaster says:

      In that way, DRM laws are much like gun control laws, which make criminals feel safer while they do armed home invasions. No worries about a homeowner shooting back… :P

      • geekmaster says:

        In the above analogy, just think: DRM provider = armed criminal, legitimate user = home owner.

      • Volfram says:

        I wasn’t going to say it first, but yeah, gun control reminds me a lot of DRM. It doesn’t work, punishes all and only the wrong people, and actually increases rates of both gun crime and illegal gun sales.

        Given how popular Chicago is for the people promoting gun control, I can’t help but wonder if that’s their objective.

        • 911ducktail says:

          Lifelong Chicagoan, flaming liberal on 99.5% of things, but lover of all firearms with a massive collection that spans all shapes and sizes.

          The vast majority of firearms used in Chicago are purchased right over the border in Indiana and Mississippi, neither of which have many restrictions on any type of purchase, at all. Gary, Indiana, has historically been the murder capital of the world, and has no restrictions on purchasing.

          I’m not sure why Chicago is held up as some paragon of example for gun rights advocates but they all tend to leave out the bit of *where* the guns come from that are used in Chicago.

          • myvoiceis says:

            “where” is Gary Indiana today as a matter of convenience, not necessity.

            Anyone who believes you can un-invent 300-year-old technology which is indistinguishable from hydraulic power transmission has already lost all touch with reality. Anyone with perspective can clearly see that there are much greater threats to our way of life than the sensational & exaggerated issue of gun violence.

            The minute you accept that you will not be able to remove firearms from the face of the earth you are now in the contentious territory of how much burden of inconvenience should be put on legitimate users & otherwise law abiding citizens in order to achieve minor successes in inconveniencing criminals.

            These trade-offs are too often evaluated based on preconceived notions about the appropriate level of burden and what amount of inconvenience exists to criminals. Very rarely are these opinions backed by case studies where impartial quantitative analysis reviews the issue with an unbiased eye.

            As a value proposition, someone who has no desire to own or carry firearms can easily weight the consideration of burdens on legitimate users too lightly. For someone who has little or no exposure to criminals they could easily dismiss the value of inconveniencing criminals.

            The point I’m getting at is I think the “where” of today is irrelevant. If you shore up the dyke in any given spot, the water will continue to flow with barely any change (if at all) in rate from the next weakest path of least resistance. This will continue until you’ve expended all your resources fighting the wrong battles.

            This sort of “fool’s errand” can easily be observed by using the TSA as a case study. Just like the TSA, the slope is never slippery enough because the “good guys” are always defending from a reactionary stance. Too often, the people who are fighting the “bad guys” have little to no stake in civil liberties and will continue using our freedoms as collateral damage in unwinnable wars.

            The idea that you can pre-empt crime by outlawing its symptoms is absurd.

            The more criminals you create in the process: the more you impoverish the citizenry with the rapidly diminishing returns of the pursuit.
            The more people you impoverish: the more criminals you create.

            It’s the type of predictable cycle which accomplishes nothing but “bread and circuses” for manufacturing a distinction between a “turd sandwich” & a “giant douche-bag”.

            If anyone thinks the best way to reduce crime in Chicago is to deprive children of their father & their families of a breadwinner, I have a bridge to sell you.

            Crime isn’t the answer & neither are prisons.

            Educated voters have higher expectations of their congressmen & aren’t as easily satiated by “bread & circuses” wedge-issue shadow-boxing. So education takes a back seat to prisons in the federal budget, and the people worried about who will pay social security taxes when they retire deserve every bit of sand they are told to go pound.

      • qwerty says:

        > In that way, DRM laws are much like gun control laws

        I see your analogy, but quite disagree. Gun control laws could prevent someone from being able to defend his family from armed thugs, but also his little child from playing with the gun and killing someone or himself by mistake.
        Clearly a complex matter that cannot be resolved in a few lines in a technical blog.

        • Rob says:

          Gun control laws don’t stop little children from playing with improperly stored firearms. That’s an issue with the gun owner, not the gun or the laws. Personal responsibility.

        • steveg says:

          I’m sorry, that’s a rather stupid argument. As a responsible gun owner and a father of a 9 year old boy, I can tell you that not only does my son understand how dangerous a gun is and that it’s not a toy, but that all firearms are kept under lock and key. Any parent who would leave a loaded gun around for a kid to find obviously has bigger problems and could be doing many other things that could be endangering the life of said child. Bottom line, it’s the parents’ responsibility to protect their child, not the federal government’s. I have never seen a house containing both guns and children where the parents hadn’t taken the obvious safety measure of making sure the guns were locked up.

      • boing says:

        Outside of the US many countries have much stricter gun laws and, as a consequence, much fewer innocent adults and children killed from gun shot wounds.

  4. jeff says:

    I’m amazed that the 1gbps tmds signals survive passing through that!

    • Sven says:

      Consumer product data links have to be rather robust to survive cheap cables, barely followed specifications etc. As long as you don’t leave long unterminated loose wires dangling off the side there should be no problem.

  5. Karl Koscher says:

    Could the Bus Pirate theoretically support I2C clock stretching? If so, that might be an option…

  6. SteveC says:

    Only the public keys are passed, so this does not really help crack the DRM.

    Bunnie’s FPGA work shows exactly how the DRM is structured and with very minor changes can be used to decrypt the source video rather than encrypt the overlay video.

  7. johnmeacham says:

    To answer the question of why things still have HDCP: you are given a one cent discount off of the HDMI licence cost per port if you implement it.
