[cryptography] Non-governmental exploitation of crypto flaws?

Peter Gutmann pgut001 at cs.auckland.ac.nz
Sun Nov 27 22:52:24 EST 2011


Landon Hurley <ljrhurley at gmail.com> writes:

>So would the recent $200 hardware break of hdmi encryption.

HDCP was a social, political, and economic fail, not necessarily a crypto
fail. I certainly don't want to denigrate the work that the guys at the Ruhr
Uni did, but you've been able to buy commercial HDCP strippers for years for a
few tens of dollars.  Here's an article on this that I wrote a few years ago
but never posted because I wasn't sure whether shining too much light on their
existence would be a good thing.

-- Snip --

Digital Macrovision scrubbers

Some years ago you could buy video signal stabilisers (still sold today) which
were useful for cleaning up video signals that had, for example, a noisy
black-level signal that screws up your receiver's AGC and a poor sync signal
that causes sync loss in your receiver.  Well, that was the official story in
any case, in practice they had one and only one purpose and that was to remove
Macrovision when feeding the signal to a VCR or some equivalent device (most
TV sets weren't affected by the above so there was no need to "stabilise" the
signal).

The digital equivalent of the video signal stabiliser is the HDMI splitter.
These take an input HDMI signal (with HDCP if present) and output an HDMI or
DVI signal, not necessarily with HDCP present.  HDCP strippers have been
around for a while, initially they were explicitly advertised and sold as such
(which made their manufacturers obvious targets for reprisals) but now as HDMI
becomes commoditised we're seeing the predictable flood of cheap Chinese-made
HDMI splitters and repeaters that, um, forget to turn on HDCP on the output.

I recently got a chance to play with a fairly new model that a friend of mine
had bought for some work that his company is doing.  He's a professional video
producer and had been having problems with being prevented from editing his
own content by HDCP (cue my recent shortcomings-of-DRM analysis :-).  For an
unrelated reason he'd needed to feed an HDMI signal to two different editing
devices and so bought (in his words) "the cheapest, nastiest no-name HDMI
splitter I could find".

When he hooked it up to his video-editing gear he was surprised to see that
although he was feeding it input with HDCP, the output was clear of HDCP (one
of the advantages of having access to multi-thousand dollar video editing
equipment is that you get a lot more info than just a blank or noise-filled
screen).  He's since performed a series of tests on it with a range of gear
(including, for example, sending BluRay output to a non-HDCP DVI monitor that
normally results in no content being displayed) and it works just fine.

So what's inside this thing?  The entire content is just a basic board with a
bunch of HDMI splitter chips and an all-in-one 8051 to control them, probably
a $10 BOM for the lot.  The splitters are 1->2 devices and you can cascade
them, so to get 1->4 you use 1->2 and then 2->4 with a tree of three chips.
8-way just adds one more stage.

Looking at the datasheets for them, everything in these chips is software-
controlled.  In this case they just cleared the HDCP_ENC_OUT bit in a control
register and there was no more HDCP on the output.  In fact the cascade nature
of operation of these devices practically requires this, in order to avoid
running an HDCP setup for each link in the cascade (which according to Silicon
Image's FAQ can take up to five or six seconds per link, so for a three-level
cascade you're looking at up to 15s delay between changing the HDMI "channel"
and actually seeing any output from the box) so of necessity you need to turn
off HDCP for the links inside the box, with the result that you've got plain
HDMI running between the individual devices even if the output did still have
HDCP enabled.

Even if the firmware in the controller didn't already disable HDCP it'd be a
fairly simple patch to flip the required single bit in the control register
write in order to disable it.  In addition the keys are stored in external
EEPROMs (since putting EEPROM cells onto VLSI chips is a royal pain to do) so
you can grab the HDCP keys off those (they're supposedly encrypted, but lots
of vendors have made claims like this in the past, whether they really are is
still being investigated).  Heck, if you were really lazy and didn't want to
patch the software you could insert an ATtiny into the I2C control line (which
is used for controlling the HDMI chips from the 8051) and rewrite any accesses
to the HDCP registers so that it's disabled, the entire control code in the
ATtiny would be:

  while 1
    read I2C command from input;
    if( bit pattern == "store data Y to register X" )
      flip bit in data Y;
    write I2C command to output;

(hmm, modchips for HDMI... I claim dibs on hacking next year's Defcon badge to
do this!).  Anyway, back to this specific device, it really is "the cheapest,
nastiest no-name HDMI splitter", the circuit board looks like it's been
assembled by Stevie Wonder, I've found it online for about USD 35 but again
as it's commoditised I'd expect competition to cause the price to drop.

The reason why manufacturers are doing this is obvious, all that DRM does is
make your product cost more and be less interoperable, leading to dissatisfied
consumers and product returns due to DRM-induced "faulty" products.  Anyone
who omits the DRM therefore gains an advantage over their competitors.  In the
US and Europe this makes you an instant target for lawyers, but for a fly-by-
night manufacturer in Shenzhen who'll have a new identity the day after the
current batch clears manufacturing this is of little concern.  The
economically rational thing to do therefore is to pretend to do DRM but
actually disable it, and that's exactly what these no-name HDMI devices are
doing.

-- Snip --

So HDCP was dead as soon as it was launched, no matter how strong the crypto
was, because it required that product manufacturers comprehensively shoot
themselves in the foot as part of deploying it.

Peter.
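
As an added illustration (not part of the original post), the inline rewriting of control-register writes described in the message can be observed in a lab by capturing the I2C control bus on both sides of the suspect point and diffing the register writes. The trace format, device address, register numbers and data values below are constructed assumptions, not taken from any datasheet.

```python
# Added example: compare I2C register writes captured on both sides of a
# suspected interposer. Device address, register numbers and data bytes are
# constructed placeholders, not values from any datasheet.

def parse_trace(text):
    """Parse lines of 'W <dev> <reg> <data>' (hex) into (dev, reg, data) tuples."""
    writes = []
    for line in text.strip().splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[0] != "W":
            continue  # ignore reads, comments and malformed lines
        dev, reg, data = (int(f, 16) for f in fields[1:])
        writes.append((dev, reg, data))
    return writes

def find_rewrites(controller_side, chip_side):
    """Return findings for writes altered between the two capture points."""
    findings = []
    if len(controller_side) != len(chip_side):
        findings.append(("length-mismatch", len(controller_side), len(chip_side)))
    for index, (sent, seen) in enumerate(zip(controller_side, chip_side)):
        if sent[:2] != seen[:2]:
            findings.append(("redirected", index, sent, seen))
        elif sent[2] != seen[2]:
            mask = sent[2] ^ seen[2]  # bits that changed in transit
            kind = "single-bit-flip" if bin(mask).count("1") == 1 else "data-changed"
            findings.append((kind, index, sent[1], mask))
    return findings

# Constructed captures: what the controller sent vs. what reached the chip.
CONTROLLER = """
W 72 08 35
W 72 0f 01
W 72 1a 00
"""
CHIP = """
W 72 08 35
W 72 0f 00
W 72 1a 00
"""

def demo():
    return find_rewrites(parse_trace(CONTROLLER), parse_trace(CHIP))

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```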
