Cracking Litter Box DRM

January 19, 2015 by Brian Benchoff 120 Comments

DRM on a specific brand of cat litter box has been cracked. In other news, DRM on cat litter boxes exists.

[Jorge] moved into a new apartment with a feline companion and wanted one of those fancy, auto-cleaning litter boxes. Apparently only one such device exists, the CatGenie. This ‘Rolls Royce of cat litter boxes’ uses little pieces of plastic granules as ‘functional medium’ that are scooped up, cleaned, and returned to use. These granules are washed with a cartridge full of fresh-smelling cleaning solution that comes in a container with an RFID tag. Yep, DRM’ed cat boxes. Welcome to the future.

After cruising around the Internet, [Jorge] found a CatGenie community that has released open source firmware for a litter box and something called a CartridgeGenius, a drop-in replacement for the cartridge tag reader in the litter box. It simulates both the RFID tag and its reader, allowing any robotic litter box owner to select between 120 cycle cartridges, 60 cycle cartridges, a maintenance cartridge, and set the fill level of those cartridges.

Previously, [Jorge] was spending about $350 a year on the solution to clean these plastic granules, so in a few months this CartridgeGenius has already paid for itself.

DRM Protection Removed For… Coffee?

December 16, 2014 by Bryan Cockfield 75 Comments

Keurig, the manufacturer of a single-serve coffee brewing system, has a very wide following amongst coffee drinkers. Their K-cup (pre-packaged coffee grounds with a coffee filter, all in a plastic container) is an interesting concept and makes brewing a single cup of coffee much more efficient over making a whole pot. Their newer line of coffee makers, the Keurig 2.0, has some interesting (and annoying) security features though, which [Kate Gray] has found an interesting and simple way around.

The DRM security in these coffee makers is intended to keep third-party “cups” from being used in the Keurig. It can recognize an authentic Keurig cup, and can stop the operation of the coffee pot if a knockoff is placed in the machine. We can only assume that this is because Keurig makes a heap of cash by selling its canisters of coffee. One simple solution was already covered a few days ago by taping an authentic lid to the machine. This one doesn’t require any authentic pods but just removes one wire from a wiring harness inside of the case.

There are other ways around the security on these devices, but when [Kate Gray] actually investigated, she found the security decidedly lacking. With something this simple, one can only speculate how much Keurig has really invested in making sure users don’t use third-party cups of coffee in their machines, but it also brings up the classic question of who really owns hardware if we can’t use it in the way we want, rather than the way the manufacturer wants.

You can read more about the project on its Reddit page. Thanks to [MyOwnDemon] for the tip!

Dead Simple Hack Allows For “Rebel” Keurig K-Cups

December 10, 2014 by Rick Osgood 141 Comments

If you haven’t actually used a Keurig coffee machine, then you’ve probably at least seen one. They are supposed to make brewing coffee simple. You just take one of the Keurig “k-cups” and place it into the machine. The machine will punch a hole in the foil top and run the water through the k-cup. Your flavored beverage of choice comes out the other side. It’s a simple idea, run by a more complex machine. A machine that is complicated enough to have a security vulnerability.

Unfortunately newer versions of these machines have a sort of DRM, or lockout chip. In order to prevent unofficial k-cups from being manufactured and sold, the Keurig machines have a way to detect which cups are legitimate and which are counterfeit. It appears as though the machine identifies the lid specifically as being genuine.

It turns out this “lockout” technology is very simple to defeat. All one needs to do is cut the lid off of a legitimate Keurig k-cup and place it on top of your counterfeit cup. The system will read the real lid and allow you to brew to your heart’s content. A more convenient solution involves cutting off just the small portion of the lid that contains the Keurig logo. This then gets taped directly to the Keurig machine itself. This way you can still easily replace the cups without having to fuss with the extra lid every time.

It’s a simple hack, but it’s interesting to see that even coffee machines are being sold with limiting technology these days. This is the kind of stuff we would have joked about five or ten years ago. Yet here we are, with a coffee machine security vulnerability. Check out the video demonstration below. Continue reading “Dead Simple Hack Allows For “Rebel” Keurig K-Cups” →

Unbricking A BluRay Drive

September 8, 2014 by Brian Benchoff 79 Comments

All BluRay player, devices, and drives contain a key that unlocks the encryption and DRM present on BluRay discs. Since 2007, the consortium responsible for this DRM scheme has been pushing updates and revocation lists on individual BluRay releases. Putting one of these discs in your drive will brick the device, and this is the situation [stephen] found himself in when he tried to watch Machete Kills. Not wanting to update his software, he searched for a better solution to unbrick his drive.

Every time [stephen] played or ripped a disc, the software he was using passed a key to the drive. This key was compared to the revocation list present on the drive. When a match was found, the drive bricked itself. Figuring the revocation list must be stored on a chip in the device, [stephen] broke out the screwdriver and started looking around inside the drive.

There aren’t many chips inside a modern BluRay drive, but [stephen] did manage to find a few Flash chips. These Flash chips can be dumped to a computer using a BusPirate, and comparing the dump to a publicly available ‘Host Revocation List Record’, [stephen] was able to find the location on the Flash chip that contained the revocation list.

The next task was to replace the revocation list currently on the drive with an earlier one that wouldn’t brick his drive. [stephen]’s MakeMKV install made this very easy, as it keeps a record of all the revocation lists it runs across. Updating the Flash in the drive with this old list unbricked the drive.

This is only a temporary fix, as [stephen] still can’t put a new disc in the drive. A permanent fix would involve write protecting the Flash and preventing the drive from ever updating the revocation list again. This would be a very complex firmware hack, and [stephen] doesn’t even know what architecture the controller uses. Still, the drive works, saved from terrible DRM.

Resetting DRM On 3D Printer Filament

April 10, 2014 by Brian Benchoff 94 Comments

The Da Vinci 3D printer is, without a doubt, the future of printing plastic objects at home. It’s small, looks good on a desk, is fairly cheap, and most importantly for printer manufacturers, uses chipped filament cartridges that can’t be refilled.

[Oliver] over at Voltivo was trying to test their new printer filament with a Da Vinci and ran head-on into this problem of chipped filament. Digging around inside the filament cartridge, he found a measly 300 grams of filament and a small PCB with a Microchip 11LC010 EEPROM. This one kilobyte EEPROM contains all the data about what’s in the filament cartridge, including the length of filament remaining.

After dumping the EEPROM with an Arduino and looking at the hex file, [Oliver] discovered the amount of filament remaining was held in a single two-byte value. Resetting this value to 0xFFFF restores the filament counter to its virgin state, allowing him to refill the filament. A good thing, too; the cartridge filament is about twice as expensive as what we would normally buy.

Stripping Kindle DRM With Lego

September 9, 2013 by Brian Benchoff 75 Comments

DRM

Consider a book sitting on a shelf. You can lend it out to a friend, you don’t need a special device to read it, and if you are so inclined, you can photocopy it. This isn’t true with Kindle eBooks that place severe restrictions on what you can do with a book via DRM. Although it is possible to strip eBook DRM with a few programs on your computer, [Peter] came up with a fool-proof way that’s an amateur engineering marvel. He’s turning Kindle eBooks into plain text using Lego.

[Peter] is using a few bits of a Lego NTX system to press the, ‘next page’ button on his Kindle, then smash the space bar on his Mac to take a picture. These pictures are then sent to a cloud-based text recognition service. After a few hours of listening to plastic gears grinding, [Peter] has a copy of his eBook in plain text format sitting in his computer.

As impractical as it looks, using a robot, camera, and OCR is actually a really, really good way to turn eBooks plagued with DRM into a text file. Even if Amazon updates their DRM to make the current software cracking methods break, [Peter] will always have his Lego robot ready to scan a few hundred pages of text at a time.

Continue reading “Stripping Kindle DRM With Lego” →

DRM Chair Only Works 8 Times

March 4, 2013 by Brian Benchoff 104 Comments

chair

Download a song from iTunes, and you can only add that song to the music library of five other computers. Grab a copy of the latest Microsoft Office, and you’d better hope you won’t be upgrading your computer any time soon. Obviously DRM is a great tool for companies to make sure we only use software and data as intended, but outside planned obsolescence, there isn’t much in the way of DRM for physical objects.

This is where a team from the University of Art and Design in Lausanne, Switzerland comes in. They designed a chair that can only be sat upon eight times. After that, the chair falls apart necessitating the purchase of a new chair. Somewhere in the flat-pack furniture industry, someone is kicking themselves for not thinking of this sooner while another is wondering how they made a chair last so long.

The design of the chair is fairly simple; all the joints of the chair are cast in wax with a piece of nichrome wire embedded in the wax. An Arduino with a small switch keeps track of how many times the chair has been used, while a solenoid taps out how many uses are left in the chair every time the user gets up. When the internal counter reaches zero, a relay sends power through the nichrome wire, melting the wax, and returning the chair to its native dowel rod and wooden board form.

Melting wax wasn’t the team’s first choice to rapidly disassemble a chair; their first experiments used gunpowder. This idea nearly worked, but it was soon realized no one on the team wanted to sit on a primed and loaded chair. You can see the videos of the wax model failing after the break.

Continue reading “DRM Chair Only Works 8 Times” →