HDMI Splitter is also a Decrypter

It warms our hearts when the community gets together. [esar] needed to get a decrypted HDMI stream for his home theater system. A tip-off in the comments and a ton of good old-fashioned hacking resulted in an HDMI splitter converted into a full-featured HDMI decrypter. Here’s the story.

His amazing custom Ambilight clone got profiled here, and someone asked him in the comments if it worked when High-bandwidth Digital Content Protection (HDCP) is on. [esar] lamented that it didn’t. Hackaday readers to the rescue. [Alan Hightower] and [RoyTheReaper] pointed [esar] to the fact that HDMI splitters need to decrypt and re-encrypt the signal to pass it on, and pointed him to a trick to knock out the on-board microcontroller. [esar] took off from there.

Unfortunately, taking the micro out of the picture messed with a lot of other HDMI functionality. So [esar] started digging in the datasheets for the HDMI splitter chip, looking for registers relevant to the re-encryption. If he could get in between the microcontroller and the splitter chip on the I2C bus and disable the re-encryption, he’d be set.

If you’re at all interested in I2C hacking or abusing HDMI splitters, you need to read his post because he details all of the tribulations and triumphs. He first tries just brute-forcing the I2C bus by overwriting a 1 bit with a 0. This (correctly) signals the micro that there’s been a conflict on the bus, so it re-sends the command. Dead end.
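Why that first attempt is a dead end, as an added model that is not code from [esar]'s post: I2C data lines are open-drain, so a master that releases SDA for a 1 and reads back a 0 knows another device drove the bus, drops the transfer and sends it again. The `interposer` struct, the function names, the abort-on-first-mismatch behaviour and the byte `0x81` are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>

/* Open-drain SDA: the line is high only while no device pulls it low. */
static bool sda_level(bool master_releases, bool other_pulls_low) {
    return master_releases && !other_pulls_low;
}

/* Hypothetical second device on the bus: pulls SDA low during bit
 * `force_bit` (7 = MSB) of the first `attempts_active` transfers. */
struct interposer { int force_bit; int attempts_active; };

/* Send one byte MSB first. After releasing SDA for a 1 the master reads
 * the line back; reading low means someone else is driving the bus. */
static bool master_send_byte(uint8_t byte, const struct interposer *ip,
                             int attempt, uint8_t *seen_on_bus) {
    *seen_on_bus = 0;
    for (int bit = 7; bit >= 0; bit--) {
        bool want_high = (byte >> bit) & 1;
        bool pull = ip->force_bit == bit && attempt < ip->attempts_active;
        bool level = sda_level(want_high, pull);
        if (level) *seen_on_bus |= (uint8_t)(1u << bit);
        if (want_high && !level) return false; /* conflict: abort transfer */
    }
    return true;
}

/* Assumed master policy: re-send until the byte goes out unmodified.
 * Returns the number of attempts used, or -1 if every attempt collided. */
static int master_write_with_retry(uint8_t byte, const struct interposer *ip,
                                   int max_tries, uint8_t *delivered) {
    for (int attempt = 0; attempt < max_tries; attempt++) {
        if (master_send_byte(byte, ip, attempt, delivered))
            return attempt + 1;
    }
    return -1;
}

int main(void) {
    struct interposer ip = {0, 2};   /* corrupt bit 0 on two transfers */
    uint8_t seen;
    /* The third, untouched transfer is the one that finally completes. */
    return master_write_with_retry(0x81, &ip, 5, &seen) == 3 ? 0 : 1;
}
```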

He then found another signal that the receiver could use to say that it wasn’t decrypting. He tried sending this continuously to the splitter so that it would stop encrypting. That worked, but only for one channel, some of the time. It turns out that his bit-banged I2C code was taking too long. He fixes this up and all is well? Well, 90% of the way there.

To hammer down the last 10% of the functionality, [esar] buys a couple more splitters, experiments around with another splitter chipset that works with 3D, and solders some more wires to enable the Audio Return Channel. And after a ton of well-documented hard work, he wins in the end.

45 thoughts on “HDMI Splitter is also a Decrypter”

    1. Only if the intent is to redistribute the protected content, or at least that’s the way I read it back when I looked at the text of the DMCA. I am not a lawyer, though, so I don’t know what loopholes in the law the RIAA and MPAA would call upon if they did want to get hacks like this pulled.

      1. It won’t matter to the MPAA.. They’ll still scream bloody murder and pretend to be a victim until federal agents kick down the hacker’s door..

        Doubt it? Just like torrent tracker sites are not against the law because they are technically not sharing anything… Yep.. Laws really matter don’t they?

          1. A law that didn’t exist until the MPAA started throwing a fit and having the United States put international pressure on Sweden until they forced Sweden to adopt the DMCA..

    2. I’m deeply saddened the DMCA hasn’t been seriously challenged in a criminal case in high courts. I suspect it will not stand. The law defines little to no level of standard when it comes to a minimum sophistication for an access control mechanism. One could cipher content and supply the complete instructions on how to reverse the cipher alongside the content with an electronic notice saying ‘only authorized agents are allowed to decipher this content’ and that would suffice for DMCA litigation. It doesn’t force IP holders to do any due diligence to protect their investment before unleashing the Juris Doctors. It’s like leaving the keys in and all the doors open to your car in a bad neighborhood for hours and complaining it was stripped to the bone on your return. HDCP was already compromised before the standard was ratified by the consortium; yet there is active litigation pending for using the pre-ratification knowledge. /boggle

      Anti-paraphernalia laws that ban facilitation agents of a crime but do not address the crime itself – regardless if there even is a crime – are not only bad but are in most cases unconstitutional; and worse blanket criminalize fair use. I wouldn’t be surprised if the RIAA/MPAA/et al. are actively working to keep the DMCA around. It provides more value to them as a tool for take down notices, threats of litigation, and criminal prosecution than it would if seriously challenged and likely over-turned.

  1. If you look hard enough, you can find splitters and other hardware whose designers were too lazy to implement the re-encryption side of things; some Etekcity splitters (I have a couple 1×2’s and a couple 1×4’s), Monoprice’s infamous DVI->HDMI active conversion box, and a lot of no-name HDMI “Audio Extractor” boxes, along with no-name splitters and switches, with built-in HDCP stripping, no mod required. It’s really inconsistent, is the issue — fairly certain Monoprice’s box (which was the go-to recommendation for a few years, in game streaming circles) has been revised to fix the implementation issue, and I’ve heard word that most of the Etekcity boxes have been revised as well. It’s awesome to know that, if some of my hardware breaks, I can go the mod route instead of hunting ebay for weird Chinese hardware that might do the trick.

    1. Back in ye olde days when PCB rework was really common, it wasn’t uncommon to see smd bypass caps superglued to the top of chips and soldered to the pins with magnet wire.

  2. NOW, DAT’S A HACK!! Incredible work on both the hardware (my aging eyesight cringes at the thought of tack soldering to an SMD board!) and the software – and f**k DMCA and the horse it rode in on!

  3. I bought the cheapest HDMI splitter I could find on aliexpress and it takes HDCP on the input, and there is none on any of the outputs. No mods needed at all. Even nicely sorts out my junk TVs that go into DVI mode when plugged into a computer and won’t take audio.

        1. Yeah, that’s the one (although mine had a different logo on it.. I guess it’s some sort of chinese OEM or something). Generally, the cheaper splitters (10-20 bucks) don’t do HDCP stripping, while the more expensive ones (20-25 bucks) do. I asked the sellers every time and the first one who answered “yes we do strip HDCP according to our customer’s reviews” was the one I bought.
          Don’t buy it if they don’t answer, or say something like “yes we do support HDCP” (support != stripping ;-)

  4. Somehow I expected my 15 minutes to be different… Yes, I also picked up a few ‘Porta’ splitters and have HDMI going down to an FPGA board helping a friend do a similar Ambilight clone. Most encryption schemes, HDCP being no exception, are designed to prevent 3rd party listening. So they have to be point to point in nature.

  5. all this encryption crap is probably why hdmi is such a piss poor standard. i think i had to blow $50 in repeaters, splitters and cables just to hook my big screen tv up to my computer. i was pulling my hair out long before i output any video.

    im glad someone broke it so i can stick it to the man.

    1. HDCP is a software level cipher only, It does not affect the hardware layer. While it’s possible the nonsensical values resulting from an HDCP transform could cause more actual bit transitions over TMDS encoding, it is extremely small resulting in no more than a couple percent rise in effective data rate. It’s likely your problems were a result of other causes inherent to the HDMI transmission medium and not attributable towards the encryption element – HDCP.

      1. “HDCP is a software level cipher only, It does not affect the hardware layer.”

        Nowhere in Lord Nothing’s post did he claim it affected the hardware, but it’s entirely reasonable to assume that the HDCP hardware features prevented the content from displaying on his chosen display. This is a CONSTANT problem for people.

        “While it’s possible the nonsensical values resulting from an HDCP transform could cause more actual bit transitions over TMDS encoding, it is extremely small resulting in no more than a couple percent rise in effective data rate.”

        You’re completely off the rails here. Where did any of this come from? It’s completely irrelevant to the discussion of HDCP constantly preventing legitimate content from being played on a consumer’s choice of display hardware.

        >It’s likely your problems were a result of other causes inherent to the HDMI transmission medium and not attributable towards the encryption element – HDCP.

        Wow. Stay off the pot. HDCP causes these sorts of problems EVERY DAY.

  6. Great hack! I’ve an Akasa HDMI 4×1 switch, so i immediately opened it and discovered an EP9431 and another 20 pin little chip labelled 0C002 H1C1 (probably a Renesas MCU, maybe R8C family), so the global design is the same.
    According to Explore website (http://www.epmi.com.tw/products_s.php), EP9431 is a 4×1 HDMI switcher where the EP9132/34/42 are 1×2 or 4 splitters.
    Maybe this chip is close enough to allow the same hack? But i haven’t been able to find any EP9431 datasheet to check if it uses the same registers.

      1. You’re probably right. Only splitter and matrix chips mention HDCP, like the EP9432 4×2 matrix chip. So the key thing to locate a potentially hackable device is that you should have at least 2 outputs.

    1. I have no “in depth” knowledge about HDMI, but to me it seems unlikely that the switcher even touches the content.
      It can simply physically connect the data-signals of the active source to the sink.

  7. There are quite a number of HDMI matrix switches. It’s possible to get a 4×2 (4 input / 2 output) for around 50$.
    In this case it’s possible to display the same source to both outputs. I imagine the signal needs to be decrypted in this case.

    As others have mentioned, cheap Chinese HDMI splitters that just happen to “strip” HDCP are not new.

  8. This is awesome.
    All DRM needs to die, and it’s the duty of all citizens to own ‘circumvention devices’ and use them for perfectly ethical purposes.

    Remember the old saying, “you don’t own it if you can’t open it”, and all that.

    Thank you for this hack.

  9. A couple of years ago I designed a fast (sub second) HDMI switching solution for use in a monitor we were selling. Normally the chip chosen reads in the two content protected streams, switches the decrypted out to the LCD panel. However for the development board we feed the output to an HDMI driver. We were able to do this only for sample chips. For volume production the driver board design had to be submitted to ensure it didn’t open such a loophole, which it did not. I have kept that dev board ‘just in case’. The production was actually done by a company in Shenzhen, and I doubt they were audited to ensure the chips were actually used on the approved boards and I guess with other companies that is exactly what happens.
