It warms our hearts when the community gets together. [esar] needed to get a decrypted HDMI stream for his home theater system. A tip-off in the comments and a ton of good old-fashioned hacking resulted in a HDMI splitter converted into a full-featured HDMI decrypter. Here’s the story.
His amazing custom Ambilight clone got profiled here, and someone asked him in the comments if it worked when High-bandwidth Digital Content Protection (HDCP) is on. [esar] lamented that it didn’t. Hackaday readers to the rescue. [Alan Hightower] and [RoyTheReaper] pointed [esar] to the fact that HDMI splitters need to decrypt and re-encrypt the signal to pass it on, and pointed him to a trick to knock out the on-board microcontroller. [esar] took off from there.
Unfortunately, taking the micro out of the picture messed with a lot of other HDMI functionality. So [esar] started digging in the datasheets for the HDMI splitter chip, looking for registers relevant to the re-encryption. If he could get in between the microcontroller and the splitter chip on the I2C bus and disable the re-encryption, he’d be set.
If you’re at all interested in I2C hacking or abusing HDMI splitters, you need to read his post because he details all of the tribulations and triumphs. He first tries just brute-forcing the I2C by overwriting a 1 bit with a 0. This (correctly) signals the micro that there’s been a conflict on the bus, so it re-sends the command again. Dead end.
He then found another signal that the receiver could use say that it wasn’t decrypting. He tried sending this continuously to the splitter so that it would stop encrypting. That worked, but only for one channel, some of the time. It turns out that his code was taking too long in his bit-banged I2C code. He fixes this up and all is well? Well, 90% of the way there.
To hammer down the last 10% of the functionality, [esar] buys a couple more splitters, experiments around with another splitter chipset that works with 3D, and solders some more wires to enable the Audio Return Channel. And after a ton of well-documented hard work, he wins in the end.
This is *fantastic* – HDCP needs to die a slow, agonizing death. I *must* build a few of these.
Same. I’ve got a Chromecast that I currently can’t use due to HDCP, but finding out that was the issue was difficult – Google refuses to allow their customer support (what they have of it) to tell users about it, instead invariably sending them on a wild goose chase of factory resets and generic suggestions to update the software on the TV.
But hey, it’s not like Google ever swore to be a force for good in the world or anything…
Awesome work.
I’m sure reading, writing or even thinking about stripping HDCP is a serious DMCA violation, doubt it’ll last long
Only if the intent is to redistribute the protected content, or at least that’s the way I read it back when I looked at the text of the DCMA. I am not a lawyer, though, so I don’t know what loopholes in the law the RIAA and MPAA would call upon if they did want to get hacks like this pulled.
It wont matter to the MPAA.. They’ll still scream bloody murder and pretend to be a victim until federal agents kick down the hacker’s door..
Doubt it? Just like torrent tracker sites are not against the law because they are technically not sharing anything… Yep.. Laws really matter don’t they?
DMCA only applies in the USA. Sorry you cannot participate in the technical discussion.
Tell that to Swedish website owners who are on the run for their lives..
Who are not on the run for the DMCA. They were tried in Sweden for breaking Swedish laws.
Crap DMCA style laws, but Swedish laws none the less.
A law that didn’t exsist untill the MPAA started throwing a fit and having the United States put international pressure on Sweden until they forced Sweden to adopt the DMCA..
This is being fixed:
Welcome to the Epoch of Law Laundering.
DRM is just a waste of electricity – read this https://plus.google.com/+IanHickson/posts/iPmatxBYuj2
I’m deeply saddened the DMCA hasn’t been seriously challenged in a criminal case in high courts. I suspect it will not stand. The law defines little to no level of standard when it comes to a minimum sophistication for an access control mechanism. One could cipher content and supply the complete instructions on how to reverse the cipher along side the content with an electronic notice saying ‘only authorized agents are allowed to decipher this content’ and that would suffice for DMCA litigation. It doesn’t force IP holders to do any due diligence to protect their investment before unleashing the Juris Doctors. It’s like leaving the keys in and all the doors open to your car in a bad neighborhood for hours and complaining it was stripped to the bone on your return. HDCP was already compromised before the standard was ratified by the consortium; yet there is active litigation pending for using the pre-ratification knowledge. /boggle
Anti-paraphernalia laws that ban facilitation agents of a crime but do not address the crime itself – regardless if there even is a crime – are not only bad but are in most cases unconstitutional; and worse blanket criminalize fair use. I wouldn’t be surprised if the RIAA/MPAA/et al. are actively working to keep the DMCA around. It provides more value to them as a tool for take down notices, threats of litigation, and criminal prosecution than it would if seriously challenged and likely over-turned.
If you look hard enough, you can find splitters and other hardware whose designers were too lazy to implement the re-encryption side of things; some Etekcity splitters (I have a couple 1×2’s and a couple 1×4’s), Monoprice’s infamous DVI->HDMI active conversion box, and a lot of no-name HDMI “Audio Extractor” boxes, along with no-name splitters and switches, with built-in HDCP stripping, no mod required. It’s really inconsistent, is the issue — fairly certain Monoprice’s box (which was the go-to recommendation for a few years, in game streaming circles) has been revised to fix the implementation issue, and I’ve heard word that most of the Etekcity boxes have been revised as well. It’s awesome to know that, if some of my hardware breaks, I can go the mod route instead of hunting ebay for weird Chinese hardware that might do the trick.
i dont know nothin about hdmi but the glueing of components to the top of chips is pure genius. thanks for the idea !
Back in ye olde days when PCB rework was really common, it wasn’t uncommon to see smd bypass caps superglued to the top of chips and soldered to the pins with magnet wire.
Yep, just make sure to solder the caps after you superglue them…
The smoke burns my eyes!
and my lungs! I taste blood!
Wow.
This article explains alot!
Thanks for all the work!
NOW, DAT’S A HACK!! Incredible work on both the hardware (my aging eyesight cringes at the thought of tack soldering to an SMD board!) and the software – and f**k DCMA and the horse it rode in on!
look up HDFury…. That strips HDCP without hacking.
look at the price.
Thats probably where the fury comes in.
I bought the cheapest HDMI splitter I could find on aliexpress and it takes HDCP on the input, and there is none on any of the outputs. no mods needed at all. Even nicely sorts out my junk TV’s that go into DVI mode when plugged into a computer and wont take audio.
Link or it doesnt exist!
This showed up on howtogeek a couple of weeks ago
http://www.howtogeek.com/208917/htg-explains-how-hdcp-breaks-your-hdtv-and-how-to-fix-it/
they even try out a few for ya :) Way easier.
http://www.amazon.com/dp/B004F9LVXC/?tag=hotoge-20
for the tldrs in the room
Yeah, that’s the one (although mine had a different logo on it.. I guess it’s some sort of chinese OEM or something). Generally, the cheaper splitters (10-20 bucks) don’t do HDCP stripping, while the more expensive ones (20-25 bucks) do. I asked the sellers every time and the first one who answered “yes we do strip HDCP according to our customer’s reviews” was the one I bought.
Don’t buy it if they don’t answer, or say something like “yes we do support HDCP” (support != stripping ;-)
Somehow I expected my 15 minutes to be different… Yes, I also picked up a few ‘Porta’ splitters and have HDMI going down to an FPGA board helping a friend do a similar Ambilight clone. Most encryption schemes, HDCP being no exception, are designed to prevent 3rd party listening. So they have to be point to point in nature.
all this encryption crap is probibly why hdmi is such a piss poor standard. i think i had to blow $50 in repeaters, splitters and cables just to hook my big screen tv up to my computer. i was pulling my hair out long before i output any video.
im glad somone broke it so i can stick it to the man.
HDCP is a software level cipher only, It does not affect the hardware layer. While it’s possible the nonsensical values resulting from an HDCP transform could cause more actual bit transitions over TMDS encoding, it is extremely small resulting in no more than a couple percent rise in effective data rate. It’s likely your problems were a result of other causes inherent to the HDMI transmission medium and not attributable towards the encryption element – HDCP.
“HDCP is a software level cipher only, It does not affect the hardware layer.”
Nowhere in Lord Nothing’s post did he claim it affected the hardware, but it’s entirely reasonable to assume that the HDCP hardware features prevented the content from displaying on his chosen display. This is a CONSTANT problem for people.
“While it’s possible the nonsensical values resulting from an HDCP transform could cause more actual bit transitions over TMDS encoding, it is extremely small resulting in no more than a couple percent rise in effective data rate.”
You’re completely off the rails here. Where did any of this come from? It’s completely irrelevant to the discussion of HDCP constantly preventing legitimate content from being played an a consumer’s choice of display hardware.
>It’s likely your problems were a result of other causes inherent to the HDMI transmission medium and not attributable towards the encryption element – HDCP.
Wow. Stay off the pot. HDCP causes these sorts of problems EVERY DAY.
I bought an HDMI splitter which strips HDCP on eBay for about 20 bucks last year. Never been happier. Now I can record and stream my PS3 gaming in HD.
Link or it doesnt exist!
yeah we heard you the first time, oh non-user of search function. I gave you a whole other site in which to make dumbass comments.
Great hack! I’ve a Akasa HDMI 4×1 switch, so i immediatly opened it and discovered an EP9431 and another 20 pin little chip labelled 0C002 H1C1 (probably a Renesas MCU, maybe R8C family), so the global design is the same.
According to Explore website (http://www.epmi.com.tw/products_s.php), EP9431 is a 4×1 HDMI switcher where the EP9132/34/42 are 1×2 or 4 splitters.
Maybe this chip is close enough to allow the same hack? But i haven’t been able to find any EP9431 datasheet to check if it uses the same registers.
I’ve not looked at any switches, so this is a guess, but I think it won’t be necessary for a switch to decrypt/re-encrypt as there’s only ever one active source and one active sink. This block diagram also doesn’t mention HDCP:
http://www.epmi.com.tw/pro_d.php?pk=70
where the block diagram for the splitter does:
http://www.epmi.com.tw/pro_d.php?pk=65
You’re probably right. Only splitter and matrix chips does mention HDCP, like the EP9432 4×2 matrix chip. So the key thing to locate a potentially hackable device is that you shoud have at leat 2 outputs.
I have no “in depth” knowledge about HDMI, but to me it seems unlikely that the switcher even touches the content.
It can simply physically connect the data-signals of the active source to the sink.
There are quite a number HDMI matrix switch. It’s possible to get a 4×2 (4 input / 2 output) for arround 50$.
In this case it’s possible to display the same source to both output. I imagine the signal need to be decypted in this case.
As other have mentionned cheap chinese HDMI spitter that just happen to “strip” HDCP are not new.
This is awesome.
All DRM needs to die, and it’s the duty of all citizens to own ‘circumvention devices’ and use them for perfectly ethical purposes.
Remember the old saying, “you don’t own it if you can’t open it”, and all that.
Thank you for this hack.
remember if you’re interested in looking at this kind of stuff later to save the entire web page not just a bookmark. Pages like these have a habit of going missing over time.
A couple of years ago I designed a fast (sub second) HDMI switching solution for use in a monitor we were selling. Normally the chip chosen reads in the two content protected streams, switches the decrypted out to the LCD panel. However for the development board we feed the output to an HDMI driver. We were able to do this only for sample chips. For volume production the driver board design had to be submitted to ensure it didn’t open such a loophole, which it did not. I have keep that dev board ‘just in case’. The production was actually done by a company in Shenzhen, and I doubt they were audited to ensure the chips were actually used on the approved boards and I guess with other companies that is exactly what happens.
Wow, you took my “hack” and really ran with it. Great job!
I like how you did this. HDCP must die hard!
Is there an updated firmware for the HDFury Integral that is hacked to the hdcp check is still disabled?
Sadly, I don’t have enough electronics theory-and WAY less time-to ever build any kind of hardware based decrypter. Anyway, my only need for decrypting is to unlock out of Region blu-rays and also to regain fully functional zoom control
(like nearly all DVD players had) over them, but which BD Assn approved BD authoring software, like Oracle’s BD-J, disables by default. Note on the rear of your BD player how the BD Assn forces CE brands to make their players BD-J compliant. So far, the only solution (and not a bad one) I’ve found is JRiver player with RedFox AnyDVD HD, or your choice of compatible software decrypter, running in the background. That will allow JRiver to give you zoom control over any BD, though most of my Warners, Kino and Twilight Time BDs may have been authored with other software, as my Pioneer BD player’s zoom works on nearly all of them.