It warms our hearts when the community gets together. [esar] needed to get a decrypted HDMI stream for his home theater system. A tip-off in the comments and a ton of good old-fashioned hacking resulted in an HDMI splitter converted into a full-featured HDMI decrypter. Here’s the story.
His amazing custom Ambilight clone got profiled here, and someone asked him in the comments if it worked when High-bandwidth Digital Content Protection (HDCP) is on. [esar] lamented that it didn’t. Hackaday readers to the rescue. [Alan Hightower] and [RoyTheReaper] pointed [esar] to the fact that HDMI splitters need to decrypt and re-encrypt the signal to pass it on, and pointed him to a trick to knock out the on-board microcontroller. [esar] took off from there.
Unfortunately, taking the micro out of the picture messed with a lot of other HDMI functionality. So [esar] started digging in the datasheets for the HDMI splitter chip, looking for registers relevant to the re-encryption. If he could get in between the microcontroller and the splitter chip on the I2C bus and disable the re-encryption, he’d be set.
If you’re at all interested in I2C hacking or abusing HDMI splitters, you need to read his post because he details all of the tribulations and triumphs. He first tries just brute-forcing the I2C by overwriting a 1 bit with a 0. This (correctly) signals the micro that there’s been a conflict on the bus, so it re-sends the command. Dead end.
He then found another signal that the receiver could use to say that it wasn’t decrypting. He tried sending this continuously to the splitter so that it would stop encrypting. That worked, but only for one channel, some of the time. It turns out that his bit-banged I2C code was taking too long. He fixes this up and all is well? Well, 90% of the way there.
To hammer down the last 10% of the functionality, [esar] buys a couple more splitters, experiments around with another splitter chipset that works with 3D, and solders some more wires to enable the Audio Return Channel. And after a ton of well-documented hard work, he wins in the end.
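The bus conflict that stopped [esar]’s first attempt follows from I2C’s open-drain wiring: a master that releases the line for a 1 but reads back a 0 knows another device is driving it. The Python model below is an added illustration, not code from his post; it leaves out clocking, start/stop and ACK bits, and the register/value pair is a constructed placeholder.

```python
class OpenDrainBus:
    """SDA is wired-AND: it reads high only if every device releases it."""
    def __init__(self):
        self.devices = []  # callables: bit_index -> True when driving SDA low

    def sda(self, bit_index, master_bit):
        forced_low = any(dev(bit_index) for dev in self.devices)
        return 0 if (master_bit == 0 or forced_low) else 1

def send_byte(bus, byte, offset=0):
    """Shift out one byte MSB first, reading SDA back after every bit.
    Returns (ok, levels_seen); ok is False when arbitration is lost."""
    seen = []
    for i in range(8):
        bit = (byte >> (7 - i)) & 1
        level = bus.sda(offset + i, bit)
        seen.append(level)
        if bit == 1 and level == 0:  # released the line, yet it reads low
            return False, seen       # someone else is driving: back off
    return True, seen

def write_with_retry(bus, frame, max_tries=3):
    """Resend the whole frame after each conflict; return the attempt
    number that got through, or None if every attempt was disturbed."""
    for attempt in range(1, max_tries + 1):
        if all(send_byte(bus, b, 8 * n)[0] for n, b in enumerate(frame)):
            return attempt
    return None

def glitch_once(bit_index):
    """Device that pulls SDA low on one bit, the first time only."""
    fired = []
    def dev(i):
        hit = (i == bit_index and not fired)
        if hit:
            fired.append(i)
        return hit
    return dev

def demo():
    frame = [0x10, 0x01]  # constructed placeholder: register, value
    clean, once, always = OpenDrainBus(), OpenDrainBus(), OpenDrainBus()
    once.devices.append(glitch_once(15))        # disturb last bit, one time
    always.devices.append(lambda i: i == 15)    # disturb it on every attempt
    return tuple(write_with_retry(b, frame) for b in (clean, once, always))

if __name__ == "__main__":
    print(demo())
```

A single disturbance costs the master one retry, and a disturbance on every attempt means the write never completes, which is the dead end described above.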
There are two really useful parts to this hack, which involves sniffing the HDMI protocol’s HDCP security keys. The first is just getting at the signals without disrupting communications between two HDCP capable devices. To do so [Adam Laurie] started by building an HDMI breakout cable that also serves as a pass-through. The board seen above is known as an HDMI screw terminal board. The image shows one cable connecting to itself during the fabrication process. What he did was cut one end off of an HDMI cable, then used a continuity tester to figure out which screw terminal connects with which bare wire. After all the wires are accounted for the end with the plug goes to his TV, with a second cable connecting between the board’s socket and his DVD player.
The rest of his post is dedicated to sniffing the security keys. His weapon of choice on this adventure turns out to be a Bus Pirate but it runs a little slow to capture all of the data. He switches to a tool of his own design, which runs on a 60MHz PIC32 demo board. With it he’s able to get the keys which make decrypting the protected data possible.
[bunnie] is up to his old tricks again. He successfully implemented a man-in-the-middle attack on HDCP-secured connections to overlay video in any HDMI video stream. There’s a bonus, too: his hack doesn’t use the HDCP master-key. It doesn’t violate the DMCA at all.
HDCP is the awful encryption scheme that goes into HDMI-compatible devices. Before HDCP, injecting video overlays or even chroma keying was a valid interpretation of fair use. [bunnie] thinks that HDMI devices should have the same restrictions analog devices have, so he decided to funnel his own video into his TV.
The build uses the NeTV, a handy and cheap FPGA board with an HDMI input and output. [bunnie] got the FPGA to snoop the HDMI bus and decide if a pixel needs to be changed or not. This isn’t much different from what researchers in Germany did a few months ago, but unlike the academic security researchers, [bunnie] gives you a shopping list of what to buy.
As an example of his work, [bunnie] implemented something like a ‘tweet ticker’ on HDCP-encrypted video. There’s very little the NeTV setup can’t do, from chroma keying to filters to simply dumping the HDMI stream to a hard disk. Check out the slides from [bunnie]’s talk to get a better idea of what he did.
[PAPPP] found a video of the talk in question. Check that out after the break.
It’s been a little while since we talked about HDCP around here, but recent developments in the area of digital content protection are proving very interesting.
You might remember that the Master Key for HDCP encryption was leaked last year, just a short while after Intel said that the protection had been cracked. While Intel admitted that HDCP had been broken, they shrugged off any suggestions that the information could be used to intercept HDCP data streams since they claimed a purpose-built processor would be required to do so. Citing that the process of creating such a component would be extremely cost-prohibitive, Intel hoped to quash interest in the subject, but things didn’t work out quite how they planned.
It seems that researchers in Germany have devised a way to build such a processor on an extremely reasonable budget. To achieve HDCP decryption on the fly, the researchers used a standard off the shelf Digilent Atlys Spartan-6 FPGA development board, which comes complete with HDMI input/output ports for easy access to the video stream in question. While not as cheap as this HDCP workaround we covered a few years ago, their solution should prove to be far more flexible than hard wiring an HDMI cable to your television’s mainboard.
The team claims that while their man-in-the-middle attack is effective and undetectable, it will be of little practical use to pirates. While we are aware that HDMI data streams generate a ton of data, this sort of talking in absolutes makes us laugh, as it often seems to backfire in the long run.
[via Tom’s Hardware]
Pastebin has the HDCP master key that we talked about in a post last week. This is the encryption protocol used for HDMI content protection on media such as Blu-Ray and High Definition cable television.
The master key array is a 40×40 set of 56-bit hex values used to generate the key sets. You get one brief paragraph at the top of the document explaining what to do with this information. If you ask us, we’re more interested in how this set was determined. So for some background information read the key selection vector (KSV) Wikipedia page. That points us to an interesting discussion proposing that if 40 unique device-specific KSVs can be captured, they could be used to reverse-engineer the master key. And finally, a bit of insight from a Reddit user (make your own decision on the dependability of this information) commenting on the value of having the master key.
In his comment, [iHelix150] covers the revocation system that HDCP uses to ban devices that are being used to circumvent copy protection. He says that having the master key makes it possible to push your own revocation lists onto devices. Each time a list is written to your device (TV, Blu-ray, etc.) the version number field for the list is updated. If you push an update with nothing on the revocation list, and set the version number to a binary value of all 1’s, it will prevent any more rewrites of the list. This means that any previously banned hardware will be allowed back into the chain of trust.
So far this probably means nothing for you. But it’s fun to watch the cat-and-mouse involved in the DRM struggle, isn’t it?
Intel says that HDCP has been cracked, but they also say that it’s unlikely this information will be used to unlock the copying of anything. Their reasoning for the second statement is that for someone to make this work they would need to produce a computer chip, not something that is worth the effort.
We question that logic. Not so much for Blu-Ray, which is the commonly associated media format that uses HDCP, but for HD digital cable programming. There are folks out there who would like to have the option of recording their HD television shows without renting a DVR from the cable company. CableCard tuners have been mostly absent from the market, making this type of recording difficult or impossible. Now that there’s a proven way to get the encryption key for HDCP, how hard would it really be to create a man-in-the-middle device that uses that key to authenticate, decrypt, and funnel the audio and video to another encoder card? We know next-to-nothing about the protocol, but why couldn’t any powerful processor, like an ARM, or even an FPGA (both rather inexpensive and readily available) be programmed for this task?
Leave a comment to let us know what you think about HDCP, and what the availability of the master-key really means.
Reader [GRitchie] wrote in with an interesting find in his new TV set: with just some minor soldering it was possible to tap into an unencrypted hi-def video stream.
HDCP (High-bandwidth Digital Content Protection), used by Blu-Ray players and cable or satellite receivers, normally ensures a DRM-protected link between the device and a compatible display. Any properly-licensed device that forwards HDCP content (such as an HDMI switch box) is expected to provide encrypted output; those that don’t may get blacklisted by the system and become expensive paperweights. It’s something of an annoyance for users who feel this oversteps fair use applications such as time-shifting.
[GRitchie] found that his new TV with “InstaPort” Fast HDMI Switching didn’t perform this re-encryption step between the set’s internal switcher and the next stage in decoding. Soldering just eight wires directly from the switching chip’s output to an HDMI cable provided an unencrypted output that could then be received by a PC for later replay.
What’s not clear at this point is whether the capability is peculiar to just this one make and model, or applies to anything with the new Fast HDMI Switching. If the latter, it will be interesting to see how this plays out…nearly all of the major HDTV manufacturers are evaluating InstaPort for new sets, which would make any attempt at HDCP blacklisting awkward, to say the least.