Eavesdropping on a VGA Monitor’s Conversations

Did you ever wonder what your monitor and your computer are talking about behind your back? As it turns out, there’s quite a conversation going on while the monitor and the computer decide how to get along, and sniffing out VGA communications can reveal some pretty fascinating stuff about the I²C protocol.

To reverse engineer the configuration information exchanged between a VGA monitor and a video card, [Ken Shirriff] began by lopping a VGA cable in two. The inside of such cables is surprisingly complex, with separate shielding wires for each color and sync channel and a host of control wires, all bundled in multiple layers of shielding foil and braid to reduce EMI. [Ken] identified the clock and data lines used for the I²C interface and broke those out into a PocketBeagle for analysis using the tiny Linux machine’s I²C tools.

With a Python script to help decode the monitor’s Extended Display Identification Data (EDID) data, [Ken] was able to see everything the monitor knows about itself — manufacturer, serial number, all the supported resolution modes, and even deprecated timing and signal information left over from the days when CRTs ruled the desktop. Particularly interesting are the surprisingly limited capabilities of a VGA display in terms of color reproduction, as well as [Ken]’s detailed discussion on the I²C bus in general and how it works.

We always enjoy these looks under the hood that [Ken] is so good at, and we look forward to his reverse engineering write-ups. His recent efforts include a look at core memory from a 50-year old mainframe and reverse engineering at the silicon level.

28 thoughts on “Eavesdropping on a VGA Monitor’s Conversations

  1. Why? Most GFX drivers give access to the I²C bus and one can read EDID without ripping cables apart (most X11 drivers do that). It is even possible to the I²C line of a VGA socket to talk to arbitrary devices.

        1. thanks. If I wanted to try to access this from Visual Studio, would I be limited to using C++? I always have the impression that C# for instance, is severely limited from accessing the underlying system.

  2. This EDID conversation can be as simple as a dumb i2c ROM soldered to the board with only VCC being fed from the monitor… or in some cases from the PC via the pin 9 (the monitor can be completely unplugged except the VGA cable… and the PC still “sees” the display)
    Source: https://en.wikipedia.org/wiki/VGA_connector

    I’ve seen some displays where this is connected to a control IC and some software to control the display.

    P.S. also the following have an EDID i2c connection:
    VGA (repeat inclusion for list purpose)
    LVDS (Panel-link)

    I’m not sure how DisplayPort does it, but so far I gather it uses a bi-directional lane for init+EDID. Corrections welcome, bashful and hateful replies will be reported.

    1. Could you tell more about the dumb i2c ROM? Do you have any IC numbers/names? Do you mean you can solder one of those I2C ROMs to a VGA connector, connect that assembly to the VGA monitor, and the monitor will program the I2C ROM with its data?

      1. I’ve done that kinf of thing on a laptop, it wouldn’t go past hardware self-check without a panel attached, and an external monitor connected to the HDMI port was not enough (plus I wanted no display at all, just the motherboard running). I unsoldered a chip from a broken videoprojector and wired it to the corresponding pins on the LVDS connector of the laptop logic board, and it booted. I was also able to dump the content in case I needed to save it using a simple arduino sketch, haven’t tried writing to it. The chip in question is a Microchip 24LC22A, there must be dozens of other references.

      2. Look at Microchip 24LC22A “2K VESA EDID Serial EEPROM”. I imagine chips like that are how how most cheap displays handle sending EDID.

        I went looking once because I wanted to build a cheap EDID emulator for an old AV system that lacked that capability.

  3. Okay, I’m never gonna get around to this, so I’ll mention it here in case someone takes it and runs with it: How robust are the i2c libraries that talk to the video hardware? Could a malicious monitor (say, one with an embedded computer emulating the EDID chip) send malformed responses and do nasty things to the computer?

    That threat model seems a little obscure and contrived, but now imagine a malicious projector at a venue frequented by VIPs…

  4. Dan Maloney – This is one of the techniques our guberment’ (USA) uses to “look up your skirt” (so to speak). It’s called TEMPEST – https://en.wikipedia.org/wiki/Tempest_(codename)#Public_research – A guy named Wim van Eck in 1985 proved a civilian could do what you’ve just described for about $15 USD and a analog TV set. Suffice it to say no such agency was not pleased with that public revelation. They knew about it back in WW2 but hoped we wouldn’t EVER.

    Brain wrote a HaD article about it: hackaday . com/2017/06/25/tempest-in-a-software-defined-radio

  5. >”Particularly interesting are the surprisingly limited capabilities of a VGA display in terms of color reproduction”

    There’s nothing surprising about it. The GPU hardware is limited to 8 bits per channel, and using a wider gamut would result in visible banding between color values, so standards like sRGB or AdobeRGB are fairly narrow in terms of the colors they can produce.

    In any case, the display color gamut is far wider than what nearly all consumer/prosumer printers can produce, and even the common publishing printers can, so it’s perfectly sufficient.

    You basically don’t need a wider gamut, because there’s nothing you can do with it. A monitor could be built that can display it, but no source material to display because all the cameras and scanners standardize to sRGB or AdobeRGB anyways. Editing can be done in different color spaces that bypass these limits, but again, you can’t see the difference because no device can display it.

  6. Some computers won’t enable their VGA port at boot unless a monitor is present, because it tries to read the EDID data. You can trick it with an emulator ( http://hallresearch.com/page/Products/EM-EDID-HD15 ), which can be reprogrammed without risking damage to the monitor. <–These guys also make emulators for HDMI as well, but they aren't cheap.

    Another great tool for reading EDID information is a free utility written by Deltacast: https://www.deltacast.tv/products/free-software/e-edid-editor .

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s