HDMI Breakout Lets You Sniff HDCP Crypto Keys

There’s two really useful parts to this hack which involves sniffing the HDMI protocol’s HDCP security keys. The first is just getting at the signals without disrupting communications between two HDCP capable devices. To do so [Adam Laurie] started by building an HDMI breakout cable that also serves as a pass-through. The board seen above is known as an HDMI screw terminal board. The image shows one cable connecting to itself during the fabrication process. What he did was cut one end off of an HDMI cable, then used a continuity tester to figure out which screw terminal connects with which bare wire. After all the wires are accounted for the end with the plug goes to his TV, with a second cable connecting between the board’s socket and his DVD player.

The rest of his post is dedicated to sniffing the security keys. His weapon of choice on this adventure turns out to be a Bus Pirate but it runs a little slow to capture all of the data. He switches to a tool of his own design, which runs on a 60MHz PIC32 demo board. With it he’s able to get the keys which make decrypting the protected data possible.

31 thoughts on “HDMI Breakout Lets You Sniff HDCP Crypto Keys

  1. “I suspected, therefore, that the problem with the Bus Pirate was not speed at all, but mis-handling of a RESTART” << from the blog post.
    Don't you guys even read these things before posting them?

    Very interesting post, btw, and I'm only halfway through it.

    1. According to the buspirate documentation, “The I2C sniffer is implemented in software and seems to work up to 100kHz”. It’s quite likely that the bus he’s sniffing is running at a higher speed.

      The page does mention in the next paragraph that the restart issue went away with a firmware update of the buspirate.

      1. I wasn’t going to say it first, but yeah, gun control reminds me a lot of DRM. It doesn’t work, punishes all and only the wrong people, and actually increases rates of both gun crime and illegal gun sales.

        Given how popular Chicago is for the people promoting gun control, I can’t help but wonder if that’s their objective.

        1. Life long Chicagoan, flaming liberal on 99.5% of things but, lover of all firearms with a massive collection that spans all shapes and sizes.

          The vast majority of firearms used in Chicago are purchased right over the border in indiana and Mississippi, neither of which have many restrictions on any type of purchase, at all. Gary Indiana, has historically been the murder capital of the world, and has no restrictions on purchasing

          I’m not sure why Chicago is held up as some paragon of example for gun rights advocates but they all tend to leave out the bit of *where* the guns come from that are used in Chicago.

          1. “where” is Gary Indiana today as a matter of convenience, not necessity.

            Anyone who believes you can un-invent 300 year technology which is indistinguishable from hydraulic power transmission has already lost all touch with reality. Anyone with perspective can clearly see that there are much greater threats to our way of life than the sensational & exaggerated issue of gun violence.

            The minute you accept that you will not be able to remove firearms from the face of the earth you are now in the contentious territory of how much burden of inconvenience should be put on legitimate users & otherwise law abiding citizens in order to achieve minor successes in inconveniencing criminals.

            These trade-offs are too often evaluated based on preconceived notions about the appropriate level of burden and what amount of inconvenience exists to criminals. Very rarely are these opinions backed by case studies where impartial quantitative analysis reviews the issue with an unbiased eye.

            As a value proposition, someone who has no desire to own or carry firearms can easily weight the consideration of burdens on legitimate users too lightly. For someone who has little or no exposure to criminals they could easily dismiss the value of inconveniencing criminals.

            The point I’m getting at is I think the “where” of today is irrelevant. If you shore up the dyke in any given spot: the water will continue to flow with barely any change(if at all) in rate from the next weakest path of least resistance. This will continue until you’ve expended all your resources fighting the wrong battles.

            This sort of “fool’s errand” can easily be observed by using the TSA as a case study. Just like the TSA, the slope is never slippery enough because the “good guys” are always defending from a reactionary stance. Too often, the people who are fighting the “bad guys” have little to no stake in civil liberties and will continue using our freedoms as collateral damage in unwinnable wars.

            The idea that you can pre-empt crime by outlawing it’s symptoms is absurd.

            The more criminals you create in the process: the more you impoverish the citizenry with the rapidly diminishing returns of the pursuit.
            The more people you impoverish: the more criminals you create.

            It’s the type of predictable cycle which accomplishes nothing but “bread and circuses” for manufacturing a distinction between a “turd sandwich” & a “giant douche-bag”.

            If anyone thinks the best way to reduce crime in Chicago is to deprive children of their father & their families of a breadwinner I have a bridge you sell you.

            Crime isn’t the answer & neither are prisons.

            Educated voters have higher expectations of their congressmen & aren’t as easily satiated by “bread & circuses” wedge-issue shadow-boxing. So education takes a back seat to prisons in the federal budget, and the people worried about who will pay social security taxes when they retire deserve every bit of sand they are told to go pound.

      2. > In that way, DRM laws are much like gun control laws

        I see your analogy, but quite disagree. Gun control laws could prevent someone to be able to defend his family from armed thugs, but also his little child from playing with the gun and killing someone or himself by mistake.
        Clearly a complex matter that cannot be resolved in a few lines in a technical blog.

        1. I’m sorry that’s a rather stupid argument, as a responsible gun owner and a father of a 9 year old boy i can tell you that not only does my son understand how dangerous a gun is and that it’s not a toy, but that all firearms are kept under lock and key. Any parent who would leave a loaded gun around for a kid to find obviously has bigger problems and could be doing many other things that could be endangering the life of said child. Bottom line it’s the parents responsibility to protect their child not the fedral governments. I have never seen a house containing both guns and children where the parents hadn’t taken the obvious safety measure of making sure the guns were locked up.

          1. Yep! I can defend my house from this criminal! Just give me 5 minutes to get my keys, unlock the cabinet, load the gun… What do you mean he’s already taken the TV and left?

          1. Carry any bladed instrument with a blade over 3″ long, or that can lock in position in the UK and find out (For reference, the law bringing this ban came in about 10 years *ahead* of the handgun ban).

            Banning of gravity blades/balisong/switchblade/flick knives – that was about 30 years earlier again.

      3. You’re a great troll, by the way. One simple analogy that will get the militant support of 50% of Americans and a few other people worldwide.

        Instant irrelevant argument on comment section. You deserve an award!

    1. Consumer product data links have to be rather robust to survive cheap cables, barely followed specifications etc. As long as you don’t leave long unterminated loose wires dangling off the side there should be no problem.

  2. Only the public keys are passed, so this does not really help crack the DRM.

    Bunnies FPGA work shows exactly how the DRM is structured and with very minor changes can be used to decrypt the source video rather than encrypt the overlay video.

    1. That must be why Chinese compaines are making so many HDMI splitters that don’t honor HDCP — the devices are not sold in the US and are not subject to it (and someone can purchase the devices online and they would not be blocked from import).

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.