DEF CON: HDMI CEC Fuzzing

HDMI is implemented on just about every piece of sufficiently advanced consumer electronics. You can find it in low-end cellphones, and a single board Linux computer without HDMI is considered crippled. There’s some interesting stuff lurking around in the HDMI spec, and at DEF CON, [Joshua Smith] laid the Consumer Electronics Control (CEC) part of HDMI out on the line, and exposed a few vulnerabilities in this protocol that’s in everything with an HDMI port.

CEC is designed to control multiple devices over an HDMI connection: it lets your set top box control your TV, your TV control your DVD player, and devices pass text to one another for an On Screen Display. It’s a 1-wire bidirectional bus with 500 bits/second of bandwidth. There are a few open source implementations like libCEC, Android HDMI-CEC, and even an Arduino implementation. The circuit to interface a microcontroller with the single CEC pin is very simple – just a handful of jellybean parts.

[Joshua]’s work builds on a talk by [Andy Davis] from Black Hat 2012 (PDF), but greatly expands on it. After looking at a ton of devices, [Joshua] was able to find some very cool vulnerabilities in a specific Panasonic TV and a Samsung Blu-ray player.

A certain CEC command directed at the Panasonic TV triggered an upload of new firmware from an SD card. This is somewhat odd, as you would think firmware would be automagically downloaded from an SD card, just like on thousands of other consumer electronics devices. For the Samsung Blu-ray player, a few memcpy() calls were found to be reachable through CEC commands, but they’re not easily exploitable yet.

As far as vulnerabilities go, [Joshua] has a few ideas. Game consoles and Blu-ray players are ubiquitous, and the holy grail – setting up a network connection over HDMI Ethernet Channel (HEC) – is the key to the castle in a device no one would ever think of taking a close look at.

Future work includes a refactor of the current code, and digging into more devices. There are millions of CEC-capable devices out on the market right now, and the CEC commands themselves are not standardized. The only way for HDMI CEC to be a reliable tool is to figure out commands for these devices. It’s a lot of work, but makes for a great call to action to get more people investigating this very interesting and versatile protocol.

Adventures in Consumer Electronics Control (CEC)

[Valkyrie-MT] was frustrated by the inability to control TrueHD audio volume from his computer. That’s because digital audio passes through the cable to the receiver, where the volume adjustment is done. This meant that his RF computer remote was no good, because the receiver uses an IR remote. He set out to find a way around this and ended up working with the Consumer Electronics Control (CEC) protocol.

The CEC protocol is a 1-wire serial bus built into the HDMI standard. The solution he settled on required one solder connection on the motherboard as well as the internal USB translator module seen above. That translator box, called the RainShadow, is a PIC18F87J50-controlled board that translates incoming commands from the USB connection and sends them out as CEC hex codes. A bit of code writing and [Valkyrie-MT] is in business. You can see in the video after the break that it’s not just controlling audio; he can now control the entire entertainment center, including turning on the TV and setting it to the appropriate input.
