There are two really useful parts to this hack, which involves sniffing the HDCP key exchange that rides on HDMI’s DDC (I2C) lines. The first is simply getting at the signals without disrupting communication between the two HDCP-capable devices. To do so [Adam Laurie] started by building an HDMI breakout cable that also serves as a pass-through. The board seen above is known as an HDMI screw terminal board; the image shows one cable connected to itself during fabrication. He cut one end off an HDMI cable, then used a continuity tester to work out which screw terminal connects to which bare wire. Once every wire was accounted for, the end with the plug went to his TV, with a second cable connecting the board’s socket to his DVD player.
The rest of his post is dedicated to sniffing the security keys. His weapon of choice on this adventure turns out to be a Bus Pirate, but it runs a little slow to capture all of the data. He switches to a tool of his own design, which runs on a 60 MHz PIC32 demo board. With it he’s able to get the keys that make decrypting the protected data possible.
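As an added example (not code from the original post, and not [Adam Laurie]’s sniffer), the Python below decodes the kind of DDC sniffer trace the pass-through board lets you capture. The trace notation is a constructed Bus-Pirate-like shorthand, and the HDCP 1.x register offsets (receiver port 0x74/0x75, Bksv at 0x00, Ri' at 0x08, Aksv at 0x10, An at 0x18, Bcaps at 0x40) and the 20-ones KSV rule come from the HDCP spec, not from this page. The point it demonstrates is the one that bites when sniffing I2C: a register read is a write of the offset, a repeated START, and then a read from the same device, so a sniffer that does not notice the repeated START files the read address and its data under the preceding write and the key exchange vanishes from the decode.

```python
"""Decode a DDC (I2C) sniffer trace of an HDCP 1.x authentication exchange.

Added example: not code from the original post or from Adam Laurie's sniffer.
Trace notation is a constructed Bus-Pirate-like shorthand:
  '['     START, or a repeated START when a transaction is already open
  ']'     STOP
  '0xNN+' byte on the bus, ACKed
  '0xNN-' byte on the bus, NACKed (normally the last byte of a read)
Register map and the KSV rule are taken from the HDCP 1.x spec (an assumption
as far as this page goes).
"""
import re

HDCP_ADDR = 0x3A  # 7-bit address of the HDCP receiver port (0x74 write / 0x75 read on the wire)

# HDCP 1.x receiver registers the authentication exchange touches (offset -> name, length)
HDCP_REGS = {
    0x00: ("Bksv", 5),   # sink's key selection vector
    0x08: ("Ri'", 2),    # sink's link verification response
    0x10: ("Aksv", 5),   # source's KSV, written to the sink
    0x18: ("An", 8),     # source's session nonce, written to the sink
    0x40: ("Bcaps", 1),  # sink capability bits
}

TOKEN = re.compile(r"\[|\]|0x([0-9A-Fa-f]{2})([+-])")


def tokenize(trace):
    """Yield '[' / ']' markers and (byte, acked) tuples from a trace string."""
    for m in TOKEN.finditer(trace):
        if m.group(1) is None:
            yield m.group(0)
        else:
            yield int(m.group(1), 16), m.group(2) == "+"


def decode(trace, honor_restart=True):
    """Split a trace into segments, one per address byte seen on the bus.

    With honor_restart=False a '[' inside an open transaction is ignored. That
    is the failure mode of a sniffer that misses a repeated START: the read
    address byte and everything after it get filed under the preceding write.
    """
    segments, cur = [], None
    for tok in tokenize(trace):
        if tok == "[":
            if cur is None or honor_restart:
                cur = {"addr": None, "write": None, "data": [], "acks": []}
                segments.append(cur)
        elif tok == "]":
            cur = None
        else:
            byte, acked = tok
            if cur is None:
                raise ValueError("data byte outside of a transaction")
            if cur["addr"] is None:            # first byte after START is address + R/W bit
                cur["addr"] = byte >> 1
                cur["write"] = (byte & 1) == 0
            else:
                cur["data"].append(byte)
            cur["acks"].append(acked)
    return segments


def reg_name(offset):
    return HDCP_REGS.get(offset, ("reg%02x" % offset, None))[0]


def hdcp_exchange(segments):
    """Turn raw segments into (kind, register, value) triples for the HDCP port.

    A one-byte write sets the register pointer; a read that follows it returns
    that register. A longer write is the source storing a value (An, Aksv).
    A genuine one-byte register write would be misread as a pointer set, but the
    registers used in authentication are all longer than one byte.
    """
    out, pointer = [], None
    for seg in segments:
        if seg["addr"] != HDCP_ADDR:
            continue
        if seg["write"] and len(seg["data"]) == 1:
            pointer = seg["data"][0]
        elif seg["write"] and seg["data"]:
            out.append(("write", reg_name(seg["data"][0]), bytes(seg["data"][1:])))
            pointer = None
        elif not seg["write"] and pointer is not None:
            out.append(("read", reg_name(pointer), bytes(seg["data"])))
            pointer = None
    return out


def ksv_valid(ksv):
    """HDCP 1.x KSVs are 40 bits with exactly 20 ones; a cheap sanity check on a decode."""
    return len(ksv) == 5 and bin(int.from_bytes(ksv, "big")).count("1") == 20


# Constructed trace (not a real capture): source reads Bksv, writes An and Aksv, then reads Ri'.
TRACE = (
    "[0x74+0x00+[0x75+0x14+0x3A+0x1B+0x92+0x7F-]"           # read Bksv via repeated START
    "[0x74+0x18+0x01+0x02+0x03+0x04+0x05+0x06+0x07+0x08+]"  # write An
    "[0x74+0x10+0xA6+0x93+0x2C+0x1E+0x3D+]"                  # write Aksv
    "[0x74+0x08+[0x75+0x34+0x12-]"                           # read Ri'
)

if __name__ == "__main__":
    for kind, reg, value in hdcp_exchange(decode(TRACE)):
        flag = ""
        if reg in ("Bksv", "Aksv"):
            flag = "  KSV ok" if ksv_valid(value) else "  KSV BAD"
        print(f"{kind:5} {reg:6} {value.hex()}{flag}")
    print("without RESTART handling:", hdcp_exchange(decode(TRACE, honor_restart=False)))
```

With repeated START handled, the decode shows a read of Bksv, writes of An and Aksv, and a read of Ri'. With it ignored, the same trace decodes as four host writes and no reads at all, with 0x75 sitting where Bksv’s first byte should be; that is the shape of output to look for when a sniffer is quietly dropping the direction change.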
He actually switches back to using the Bus Pirate after upgrading the firmware. The issue wasn’t the speed of the Bus Pirate; it was that it didn’t detect the directional change of the I2C data.
“I suspected, therefore, that the problem with the Bus Pirate was not speed at all, but mis-handling of a RESTART” << from the blog post.
Don't you guys even read these things before posting them?
Very interesting post, btw, and I'm only halfway through it.
According to the buspirate documentation, “The I2C sniffer is implemented in software and seems to work up to 100kHz”. It’s quite likely that the bus he’s sniffing is running at a higher speed.
The page does mention in the next paragraph that the restart issue went away with a firmware update of the buspirate.
Actually, it says he flashed the bus pirate with the latest firmware, “happy happy joy joy” and then shows output from the bus pirate.
Sorry, read too quickly.
Yes, the issue went away, and he seems to be using the bus pirate afterward.
I’m amazed that the 1 Gbps TMDS signals survive passing through that!
Consumer product data links have to be rather robust to survive cheap cables, barely followed specifications, etc. As long as you don’t leave long unterminated loose wires dangling off the side there should be no problem.
Could the Bus Pirate theoretically support I2C clock stretching? If so, that might be an option…
Only the public keys are passed, so this does not really help crack the DRM.
Bunnie’s FPGA work shows exactly how the DRM is structured and with very minor changes can be used to decrypt the source video rather than encrypt the overlay video.
Actually, if you can sniff enough negotiations (41), you can crack the master key. This has, in fact, already been done successfully. See “Implementing a Key Recovery Attack on the High-Bandwidth Digital Content Protection Protocol” ( )
To answer the question of why things still have HDCP, you are given a one cent discount off of the HDMI licence cost per port if you implement it.
That must be why Chinese companies are making so many HDMI splitters that don’t honor HDCP — the devices are not sold in the US and are not subject to it (and someone can purchase the devices online and they would not be blocked from import).
Not to mention that ability to bypass the re-encryption portion of the splitters…