Unbricking a BluRay Drive

All BluRay player, devices, and drives contain a key that unlocks the encryption and DRM present on BluRay discs. Since 2007, the consortium responsible for this DRM scheme has been pushing updates and revocation lists on individual BluRay releases. Putting one of these discs in your drive will brick the device, and this is the situation [stephen] found himself in when he tried to watch Machete Kills. Not wanting to update his software, he searched for a better solution to unbrick his drive.

Every time [stephen] played or ripped a disc, the software he was using passed a key to the drive. This key was compared to the revocation list present on the drive. When a match was found, the drive bricked itself. Figuring the revocation list must be stored on a chip in the device, [stephen] broke out the screwdriver and started looking around inside the drive.

There aren’t many chips inside a modern BluRay drive, but [stephen] did manage to find a few Flash chips. These Flash chips can be dumped to a computer using a BusPirate, and comparing the dump to a publicly available ‘Host Revocation List Record’, [stephen] was able to find the location on the Flash chip that contained the revocation list.

The next task was to replace the revocation list currently on the drive with an earlier one that wouldn’t brick his drive. [stephen]’s MakeMKV install made this very easy, as it keeps a record of all the revocation lists it runs across. Updating the Flash in the drive with this old list unbricked the drive.

This is only a temporary fix, as [stephen] still can’t put a new disc in the drive. A permanent fix would involve write protecting the Flash and preventing the drive from ever updating the revocation list again. This would be a very complex firmware hack, and [stephen] doesn’t even know what architecture the controller uses. Still, the drive works, saved from terrible DRM.

Resetting DRM On 3D Printer Filament

The Da Vinci 3D printer is, without a doubt, the future of printing plastic objects at home. It’s small, looks good on a desk, is fairly cheap, and most importantly for printer manufacturers, uses chipped filament cartridges that can’t be refilled.

[Oliver] over at Voltivo was trying to test their new printer filament with a Da Vinci and ran head-on into this problem of chipped filament. Digging around inside the filament cartridge, he found a measly 300 grams of filament and a small PCB with a Microchip 11LC010 EEPROM. This one kilobyte EEPROM contains all the data about what’s in the filament cartridge, including the length of filament remaining.

After dumping the EEPROM with an Arduino and looking at the hex file, [Oliver] discovered the amount of filament remaining was held in a single two-byte value. Resetting this value to 0xFFFF restores the filament counter to its virgin state, allowing him to refill the filament. A good thing, too; the cartridge filament is about twice as expensive as what we would normally buy.

 

Stripping Kindle DRM with Lego

DRM

Consider a book sitting on a shelf. You can lend it out to a friend, you don’t need a special device to read it, and if you are so inclined, you can photocopy it. This isn’t true with Kindle eBooks that place severe restrictions on what you can do with a book via DRM. Although it is possible to strip eBook DRM with a few programs on your computer, [Peter] came up with a fool-proof way that’s an amateur engineering marvel. He’s turning Kindle eBooks into plain text using Lego.

[Peter] is using a few bits of a Lego NTX system to press the, ‘next page’ button on his Kindle, then smash the space bar on his Mac to take a picture. These pictures are then sent to a cloud-based text recognition service. After a few hours of listening to plastic gears grinding, [Peter] has a copy of his eBook in plain text format sitting in his computer.

As impractical as it looks, using a robot, camera, and OCR is actually a really, really good way to turn eBooks plagued with DRM into a text file. Even if Amazon updates their DRM to make the current software cracking methods break, [Peter] will always have his Lego robot ready to scan a few hundred pages of text at a time.

Continue reading “Stripping Kindle DRM with Lego”

DRM Chair only works 8 times

chair

Download a song from iTunes, and you can only add that song to the music library of five other computers. Grab a copy of the latest Microsoft Office, and you’d better hope you won’t be upgrading your computer any time soon. Obviously DRM is a great tool for companies to make sure we only use software and data as intended, but outside planned obsolescence, there isn’t much in the way of DRM for physical objects.

This is where a team from the University of Art and Design in Lausanne, Switzerland comes in. They designed a chair that can only be sat upon eight times. After that, the chair falls apart necessitating the purchase of a new chair. Somewhere in the flat-pack furniture industry, someone is kicking themselves for not thinking of this sooner while another is wondering how they made a chair last so long.

The design of the chair is fairly simple; all the joints of the chair are cast in wax with a piece of nichrome wire embedded in the wax. An Arduino with a small switch keeps track of how many times the chair has been used, while a solenoid taps out how many uses are left in the chair every time the user gets up. When the internal counter reaches zero, a relay sends power through the nichrome wire, melting the wax, and returning the chair to its native dowel rod and wooden board form.

Melting wax wasn’t the team’s first choice to rapidly disassemble a chair; their first experiments used gunpowder. This idea nearly worked, but it was soon realized no one on the team wanted to sit on a primed and loaded chair. You can see the videos of the wax model failing after the break.

Continue reading “DRM Chair only works 8 times”

Stripping DRM from OverDrive Media Console eBooks

stripping_drm_from_overdrive_media_center_ebooks

[Armin Tamzarian’s] local library recently started lending eBooks via the OverDrive Media Console system. He checked out a couple of books, which got him thinking about how the copy protection scheme was implemented. He wondered what recourse users had if they wanted to view a book they have already checked out on a different, or unsupported piece of hardware.

His research centers around Adobe’s ADEPT digital rights management scheme, which is used to protect the books offered on loan by OverDrive. The topic is broken down into three parts, starting with an introduction to the EPUB file structure, the OverDrive Media Console, as well as the aforementioned ADEPT DRM scheme.

The second part takes a close look at the OverDrive Media Console itself, where he uses the ineptkey and ineptepub utilities written by [I♥CABBAGES] to pull the RSA cipher keys from the EPUB data he uncovered. When he then tries to strip the ADEPT DRM layer from his books however, he discovers that OverDrive is using a non-compliant version of the ADEPT standard, which renders existing tools useless.

The final part of [Armin’s] discussion digs even deeper into the OverDrive Console’s inner workings, where he finds that the OverDrive Media Console stores quite a bit of information in an SQLite database. After a bit of digging, he finds all the data he needs to strip the DRM from his books. [Armin] also took the time to wrap all of his findings up into a neat little tool called OMCStrip, which as you may have guessed, strips the DRM from ADEPT-protected eBooks with ease.

DRM causes vulnerabilities

This image is from Microsoft's DRM page.

We often hear people touting the evilness of DRM, but usually they are talking about the idea of ownership. In this case, DRM is actually causing harm. It turns out that Microsoft’s msnetobj.dll, which is supposed to enforce DRM on your computer, stopping you from doing certain things like saving files you don’t “own” is open to 3 attacks.  Vulnerable to buffer overflow, integer overflow, and denial of service, this sucker is riddled with issues.

The vulnerabilities in this file aren’t groundbreaking. Buffer overflow is a common method to get to many systems. The problem here, according to some commenters at BoingBoing, is the fact that this DLL is called every time you open a media file.

[via BoingBoing]

The HDCP master key

Pastebin has the HDCP master key that we talked about in a post last week. This is the encryption protocol used for HDMI content protection on media such as Blu-Ray and High Definition cable television.

The master key array is a 40×40 set of 56-bit hex used to generate the key sets. You get one brief paragraph at the top of the document explaining what to do with this information. If you ask us we’re more interested in how this set was determined. So for some background information read the key selection vector (KSV) Wikipedia page. That points us to an interesting discussion proposing that if 40 unique device-specific KSVs can be captured, they could be used to reverse-engineer the master key. And finally, a bit of insight from a Reddit user (make your own decision on the dependability of this information) commenting on the value of having the master key.

In his comment, [iHelix150] covers the revocation system that HDCP uses to ban devices that are being used to circumvent copy protection. He says that having the master key makes it possible to push your own revocation lists onto devices. Each time a list is written to your device (TV, Blu-ray, etc.) the version number field for the list is updated. If you push an update with nothing on the revocation list, and set the version number to a binary value of all 1’s it will prevent any more rewrites of the list. This means that any previously banned hardware will be allowed back into the chain or trust.

So far this probably means nothing for you. But it’s fun to watch the cat-and-mouse involved in the DRM struggle, isn’t it?