A peek into the curious world of HDMI copy protection… with the Bus Pirate

Adam Laurie (a/k/a Major Malfunction) is a white hat hacker from London, UK, who has presented at a number of conferences worldwide. He’s also the Director at Aperture Labs, Ltd. Recently he explored the broken HDCP security mechanism used in HDMI. After building the HDMI breakout cable pictured above, he examined the cable’s data lines using a USBEE protocol analyzer and noted that the HDCP key exchange was sent using I2C. From here he turned to the Bus Pirate for filtering the I2C data. He explains:

“So now we’ve got access to the raw data, we need to be able to filter what we’re looking for and decode it fully. It is possible to write custom decoders for the USBEE, but to be fair, this device falls outside my ‘cheap’ criteria – I only wanted to use it as a quick check that the pins I’m looking at are the correct ones, and that we see the type of data we expect to see. The device I had in mind to do the actual decoding is an off-the-shelf tool that can read, write and sniff I2C: the Bus Pirate. It’s extremely cheap as well, so fits the bill perfectly…”

Thanks, Adam!

You can read the details of Adam’s exploration of HDCP with the Bus Pirate on his blog at Aperture Labs.
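To make the filtering step concrete, here is an added example (not Adam's code and not part of the Bus Pirate project) that picks HDCP port accesses out of an I2C sniffer log and names the registers involved. It assumes the sniffer writes `[` for START, `]` for STOP, `+` for ACK and `-` for NACK, and it takes the port address 0x74/0x75 and the register offsets from the HDCP 1.x specification; the capture is constructed.

```python
import re

# Assumption (HDCP 1.x spec, not stated on this page): the HDCP port sits on
# the DDC I2C bus at 0x74 (write) / 0x75 (read); offsets map to these registers.
HDCP_WRITE, HDCP_READ = 0x74, 0x75
REGISTERS = {0x00: "Bksv", 0x08: "Ri'", 0x10: "Aksv", 0x15: "Ainfo",
             0x18: "An", 0x40: "Bcaps", 0x41: "Bstatus"}

def decode(log):
    """Return (direction, register, data) for every HDCP port access in a
    sniffer log written as [ START, ] STOP, + ACK, - NACK."""
    out = []
    for txn in log.split("]"):
        offset = None
        for seg in txn.split("[")[1:]:      # one segment per (repeated) START
            data = [int(b, 16) for b in re.findall(r"0x([0-9A-Fa-f]{2})", seg)]
            if not data or data[0] not in (HDCP_WRITE, HDCP_READ):
                continue                    # EDID and other DDC traffic
            if data[0] == HDCP_WRITE:
                if len(data) < 2:
                    continue                # address byte only, nothing to decode
                offset, payload, direction = data[1], data[2:], "write"
            else:
                payload, direction = data[1:], "read"
                if offset is None:
                    offset = 0x08           # short read defaults to Ri'
            if payload:                     # skip offset-only writes
                name = REGISTERS.get(offset, "0x%02X" % offset)
                out.append((direction, name, bytes(payload)))
    return out

def ksv_is_valid(ksv):
    """A key selection vector is 40 bits with exactly 20 ones and 20 zeros."""
    return len(ksv) == 5 and bin(int.from_bytes(ksv, "little")).count("1") == 20

# Constructed capture for illustration; no value here comes from a real device.
SAMPLE = (
    "[0xA0+0x00+[0xA1+0x00+0xFF-]"                          # EDID read, ignored
    "[0x74+0x00+[0x75+0x0F+0x0F+0x0F+0x0F+0x0F-]"           # read Bksv
    "[0x74+0x18+0x01+0x02+0x03+0x04+0x05+0x06+0x07+0x08+]"  # write An
    "[0x74+0x10+0xFF+0xFF+0x0F+0x00+0x00+]"                 # write Aksv
    "[0x75+0x12+0x34-]"                                     # short read of Ri'
)

if __name__ == "__main__":
    for direction, name, data in decode(SAMPLE):
        note = ""
        if name in ("Aksv", "Bksv"):
            note = " valid" if ksv_is_valid(data) else " INVALID KSV"
        print(f"{direction:5} {name:6} {data.hex()}{note}")
```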

Get an assembled Bus Pirate for $30, including world-wide shipping. Also available from our friendly distributors.

Via the contact form.


Comments

  1. Alan Hightower says:

    The standard was broken before it was ever ratified. Pretty common knowledge for everyone in the industry. But that’s not the point. The fact the referenced blog post here is being made 12 years after it was broken is the point. And no one really cares about HDCP when AACS has also been broken for years. It’s about slowing people down. They can never be stopped.

    Even if you have the keys, you still need a history of the entire transmission as it’s an adaptive symmetric session algorithm and you have to decipher a very high bit rate TMDS stream to get the base-band content.

  2. John says:

    Adam mentioned he had problems with the Bus Pirate 3 and made his own hardware called GPHHT or something? It was to do with the speed of the sniffer/logic analyzer at 100KHz when HDMI comms were travelling at 400KHz.

    Would this issue be solved by the Bus Pirate version 4?

    Thanks

    • Oliver says:

      John, it was actually a software bug and a firmware update did solve his issue.

      Also from the menu, a 400k mode seems to be available, albeit not guaranteed to work?

      Does the BPv4 use a much faster crystal?

      • Ian says:

        The I2C is software (we should enable the hardware version now…long story) so the 400khz is best bet for output. The sniffer is dependent on the speed setting though.

        BPv4 is same speed, but has faster native USB interface.

  3. BruceS says:

    There’s a pretty good discussion of HDMI and HDCP here

    Implementation of MITM Attack on HDCP-Secured Links – Bunny Huang.
