Rooting The Amazon Fire TV Cube With An Arduino

Amazon might not be happy about it, but at least part of the success of their Fire TV Stick was due to the large hacking and modification scene that cropped up around the Android-powered device. A quick search on YouTube for “Fire Stick Hack” will bring up a seemingly endless array of videos, some with millions of views, which will show viewers how to install unofficial software on the little media dongle. Now it looks like their latest media device, the Fire TV Cube, is starting to attract the same kind of attention.

The team at [Exploitee.rs] has recently taken the wraps off their research which shows the new Fire TV Cube can be rooted with nothing more than an Arduino and an HDMI cable you’re willing to cut apart. Of course, it’s a bit more complicated than just that, but between the video they’ve provided and their wiki, it looks like all the information is out there for anyone who wants to crack open their own Cube. Just don’t be surprised if it puts you on the Amazon Naughty List.

The process starts by putting the device’s Amlogic S905Z into Device Firmware Upgrade (DFU) mode, which is done by sending the string “boot@USB” to the board over the HDMI port’s I2C interface. That’s where the HDMI cable comes in: you can cut into one and wire it right up to your Arduino and run the sketch [Exploitee.rs] has provided to send the appropriate command. Of course, if you want to get fancy, you could use an HDMI breakout board instead.

With the board in DFU mode you gain read and write access to the device’s eMMC flash, but that doesn’t exactly get you in because there’s still secure boot to contend with. But as these things tend to go, the team was able to identify a second exploit which could be used in conjunction with DFU mode to trick the device into disabling signature verification. Now with the ability to run unsigned code on the Fire TV Cube, [Exploitee.rs] implemented fastboot to make it easier to flash their custom rooted firmware images to the hardware.

As with the Fire TV Stick before it, make sure you understand the risks involved when you switch off a device’s security features. They’re often there to protect the end user as much as the manufacturer.


DMCA Review: Big Win For Right To Repair, Zero For Right To Tinker

This year’s Digital Millennium Copyright Act (DMCA) triennial review (PDF, legalese) contained some great news. Particularly, breaking encryption in a product in order to repair it has been deemed legal, and a previous exemption for reverse engineering 3D printer firmware to use the filament of your choice has been broadened. The infosec community got some clarification on penetration testing, and video game librarians and archivists came away with a big win on server software for online games.

Moreover, the process to renew a previous exemption has been streamlined — one used to be required to reapply from scratch every three years and now an exemption will stand unless circumstances have changed significantly. These changes, along with recent rulings by the Supreme Court are signs that some of the worst excesses of the DMCA’s anti-circumvention clause are being walked back, twenty years after being enacted. We have to applaud these developments.

However, the new right to repair clause seems to be restricted to restoring the device in question to its original specifications; if you’d like to hack a new feature into something that you own, you’re still out of luck. And while this review was generally favorable toward opening up technology to enable fair use, they didn’t approve Bunnie Huang’s petition to allow decryption of the encryption method used over HDMI cables, so building your own HDMI devices that display encrypted streams is still out. And the changes to the 3D printer filament exemption are a reminder of the patchwork nature of this whole affair: it still only applies to 3D printer filament and not other devices that attempt to enforce the use of proprietary feedstock. Wait, what?

Finally, the Library of Congress only has authority to decide which acts of reverse engineering constitute defeating anti-circumvention measures. This review does not address the tools and information necessary to do so. “Manufacture and provision of — or trafficking in — products and services designed for the purposes of circumvention…” are covered elsewhere in the code. So while you are now allowed to decrypt your John Deere software to fix your tractor, it’s not yet clear that designing and selling an ECU-unlocking tool, or even e-mailing someone the decryption key, is legal.

Could we hope for more? Sure! But making laws in a country as large as the US is a balancing act among many different interests, and the Library of Congress’s ruling is laudably clear about how they reached their decisions. The ruling itself is worth a read if you want to dive in, but be prepared to be overwhelmed in apparent minutiae. Or save yourself a little time and read on — we’ve got the highlights from a hacker’s perspective.


Doing Logic Analysis To Get Around The CatGenie’s DRM

The CatGenie is an amazing device to watch in action, basically a self-cleaning litter box for cats that even does away with the need to replace the litter. It’s comparable to what the indoor flush toilet is for humans compared to maintaining a composting toilet. However, there is a problem. It uses costly soap cartridges which have to be replaced because an RFID reader and a usage counter prevent you from simply refilling them yourself.

CatGenie and Arduino

[David Hamp-Gonsalves] reverse engineered the electronics so that he didn’t have to pay for the cartridges anymore. This has been done before and one of those who did it created a product called the CartridgeGenius, but it’s made and sold as a part-time project and there were none in stock. The cartridges have an RFID tag and another solution which we’ve covered before is to replace the RFID reader board with an Arduino. That’s the solution [David] adopted. So why write this post if this isn’t new?

The RFID reader board communicates with the rest of the CatGenie using I2C and he needed to know what was being transmitted. To do that he learned how to use a cheap logic analyzer to read the signals on the I2C wires, which makes this an interesting story. You can see the logic analyzer output on his blog and GitHub repository along with mention of a timing issue he ran into. From what he learned, he wrote up Arduino code which sends the same signals. He and his cat are now sitting pretty.

What he didn’t do is make a video. But the CatGenie really is amazing to watch in action as it goes through its rather complex 30-35 minute process so we found a video of it doing its thing, shown at 3.5x speed, and included that below. If you’re into that sort of thing.


Rolling Old School With Copy Protection From The 1980s

Oh, for the old days when sailing the seas of piracy was as simple as hooking a couple of VCRs together with a dubbing cable. Sure, the video quality degraded with each generation, but it was so bad to start out with that not paying $25 for a copy of “Ghostbusters” was a value proposition. But then came The Man with all his “rules” and “laws” about not stealing, and suddenly tapes weren’t so easy to copy.

If you’ve ever wondered how copy protection worked in pre-digital media, wonder no more. [Technology Connections] has done a nice primer on one of the main copy protection schemes from the VHS days. It was dubbed “Analog Protection System” or “Analog Copy Protection” by Macrovision, the company that developed it. Ironically, Macrovision the company later morphed into the TiVo Corporation.

The idea for Macrovision copy protection was to leverage the difference between what a TV would accept as a valid analog signal and what the VCR could handle. It used the vertical blanking interval (VBI) in the analog signal, the time during which the electron beam returns to the top of the frame. Normally the VBI has signals that the VCR uses to set its recording levels, but Macrovision figured out that sending extra signals in the VBI fooled the VCR’s automatic gain controls into varying the brightness of the recorded scenes. They also messed with the vertical synchronization, and the effect was to make dubbed tapes unwatchable, even by 1985 standards.

Copy protection was pretty effective, and pretty clever given the constraints. With Digital Rights Management, it’s easier to put limits on almost anything — coffee makers, arcade games, and even kitty litter all sport copy protection these days. It almost makes us nostalgic for the 80s.


Copyright Exception May Overrule Ability To Jailbreak 3D Printers

At the end of October, the US Patent and Trademark Office renewed a rule allowing anyone to ‘jailbreak’ a 3D printer to use unapproved filament. For those of you following along from countries that haven’t sent a man to the moon, a printer that requires proprietary filament is DRM, and exceptions to the legal enforceability of DRM exist, provided these exceptions do not violate US copyright law. This rule allowing for the jailbreaking of 3D printers contains an exception so broad it may overturn the rule.

A few months ago, the US Copyright Office renewed a rule stating that using unapproved filament in a 3D printer does not violate US Copyright law. The language of this rule includes the wording:

“The exemption shall not extend to any computer program on a 3D printer that produces goods or materials for use in commerce the physical production of which is subject to legal or regulatory oversight…”

This exception is extraordinarily broad; any 3D printer can produce aircraft parts (subject to FAA approval) and medical devices (subject to FDA approval). In effect, if a 3D printer has the ability to produce objects subject to regulatory oversight, the exception allowing the use of filament not approved by the manufacturer does not apply. Additionally, it should be noted that any object produced on a 3D printer that is subject to regulatory oversight is already regulated — there’s no reason to drag the Copyright Office into the world of 3D printed ventilation masks or turbine blades.

[Michael Weinberg], ‘legal guy’ for Shapeways and President of the Open Source Hardware Association has filed a petition with the US Copyright Office, asking the Office to eliminate this exception to the existing rule surrounding DRM and 3D printers. You are encouraged to submit a comment in support of this petition by March 14th.

A Bit Of Mainstream Coverage For The Right To Repair

Here at Hackaday, we write for a community of readers who are inquisitive about the technology surrounding them. You wouldn’t be here if you had never taken a screwdriver to a piece of equipment to see what makes it work. We know that repairing is just as core to the hardware hacker mindset as delving inside and modifying devices. If something we own breaks, we try to work out why it broke, and what we can do to fix it.

Unfortunately, we live in an age in which fixing the things we own is becoming ever harder. Manufacturers either want to sell us new hardware rather than see us repair what breaks, or wish to exercise total control over the maintenance of their products. They make them physically impossible to repair, for example by gluing together a cellphone, or they lock down easy-to-repair items with restrictive software, for example tractors upon which every replacement part must be logged on a central computer.

This has been a huge issue in our community for a long time now, but to the Man In The Street it barely matters. To the people who matter, those who could change or influence the situation, it’s not even on the radar. Which makes a piece in the British high-end weekly newspaper The Economist particularly interesting. Entitled “A ‘right to repair’ movement tools up”, it lays out the issues and introduces the Repair Association, a political lobby group that campaigns for “Right to repair” laws in the individual states of the USA.

You might now be asking why this is important, why are we telling you something you already know? The answer lies in the publication in which it appears. The Economist is aimed at politicians and influencers worldwide. In other words, when we here at Hackaday talk about the right to repair, we’re preaching to the choir. When they do it at the Economist, they’re preaching to the crowd who can make a difference. And that’s important.

You may recognise the tractors mentioned earlier as the iconic green-and-yellow John Deere. We’ve written about their DRM before.

Neon sign, All Electronics Service, Portland, Visitor7 [CC BY-SA 3.0].

Impression Products V. Lexmark International: A Victory For Common Sense

A few months ago we reported on a case coming before the United States Supreme Court that concerned recycled printer cartridges. Battling it out were Impression Products, a printer cartridge recycling company, and Lexmark, the printer manufacturer. At issue was a shrinkwrap licence on inkjet cartridges — a legal agreement deemed to have been activated by the customer opening the cartridge packaging — that tied a discounted price to a restriction on the cartridge’s reuse.

It was of concern to us because of the consequences it could have had for the rest of the hardware world, setting a potential precedent such that any piece of hardware could have conditions still attached to it when it has passed through more than one owner, without the original purchaser being aware of agreeing to any legal agreement. This would inevitably have a significant effect on the work of most Hackaday readers, and probably prohibit many of the projects we feature.

We are therefore very pleased to see that a few days ago the Supremes made their decision, and as the EFF reports, it went in favor of Impression Products, and us, the consumer. In their words, when a patent owner:

…chooses to sell an item, that product is no longer within the limits of the monopoly and instead becomes the private individual property of the purchaser, with the rights and benefits that come along with ownership.

In other words, when you buy a printer cartridge or any other piece of hardware, it is yours to do with as you wish.