Protect your HDMI… with pliers and duct tape

Imagine that you invite a guest to give a presentation inside the company and offer to connect the video projector so that they can show their slides. For an attacker, this is a great opportunity to compromise the video projector. We share a protection method to mark the start of the "White hacker" course.


Purpose

HDMI is used for audio and video transmission, but it also offers a number of additional features (HPD, CEC, HEAC, MHL). This increases the attack surface, and since the implementation of these features in embedded devices is less than ideal, an attacker can inject malicious code, and your unsuspecting video equipment will then threaten the security of the network. A compromised monitor can attack any device connected to it.

Imagine that you invite an external guest to give a presentation inside the company and offer to connect the video projector so that they can show their slides. This is a great opportunity to compromise the video projector. The next time someone connects to this projector, their laptop is compromised. And, voila, an innocent-looking guest has managed to penetrate the company's network and gain access to confidential information.

The HDMI firewall blocks all additional interfaces and only allows audio and video data through. It is based on a study by Pierre-Michel Ricordel and José López Estevez of ANSSI/SDE/ST/LSF presented at the IT security conference STIC 2021. Some of the security and vulnerability studies of CEC and EDID are summarised on slide 4.

Application

The firewall comes with a generic HD profile, but it may not match the monitor's capabilities, and the resulting image may be distorted or missing altogether. Therefore, you must first copy the monitor's Extended Display Identification Data (EDID). This data describes the supported resolutions and timings. It can be read over the I²C-based Display Data Channel (DDC) interface. Copy this EDID data to the HDMI firewall's EEPROM, then break off the tab with pliers to enable write protection, which prevents a malicious payload from being written to the EEPROM later. You need to do this once for each monitor. You can copy the EDID with the HDMI firewall programmer or by following the instructions in the Installation section.

Connect the firewall to the monitor you want to protect, then connect the cable coming from the untrusted device to the HDMI firewall. This protects the equipment.

If you later want to protect another monitor and need to overwrite the firewall's EEPROM, you can disable the write protection again by placing a drop of solder across the two pads marked WP.

By default, the 5V supplied by the device is forwarded to the monitor. To reduce the attack surface, you can disable this forwarding by cutting the trace between the two pads marked 5V. There is a risk, however: some monitors rely on this signal to detect that a device is connected.

Restrictions

High-bandwidth Digital Content Protection (HDCP) is not supported because the DDC interface is limited to EDID information.

Availability

Several HDMI firewalls are available on Tindie.

The schematic in PDF format and the Gerber files for the board are available in the release.

The firewall programmer should be integrated in the next version, possibly together with fixes reported by other users. I have only tested my simple case on 6 monitors.

Working mode

To protect the monitor, the HDMI firewall only forwards the audio/video (A/V) data signal lines (D0, D1, D2, CK). All other signal lines are left unconnected (CEC, SDA, SCL, utility/HEAC+, HPD). This blocks every interface except audio/video (DDC, HPD, CEC, HEAC, MHL). On the device side, the SDA/SCL lines of the DDC interface, which provide EDID information to the device, are connected to an EEPROM on the firewall into which you copy the monitor's information. This restricts the DDC interface to EDID information.

Installation

A copy of the monitor's EDID data is required for the HDMI firewall to work correctly.

These instructions are for Linux. For Windows, see the instructions in the research slides (not verified).

Install I²C device read/write tools:

sudo apt install i2c-tools

Load the i2c-dev module so that the I²C buses are exposed as /dev/i2c-* devices:

sudo modprobe i2c-dev

Now we need to figure out which I²C bus corresponds to the HDMI port. List the available buses:

sudo i2cdetect -l

You will see something like this:

i2c-0	smbus     	SMBus PIIX4 adapter port 0 at 0b00	SMBus adapter
i2c-1	smbus     	SMBus PIIX4 adapter port 2 at 0b00	SMBus adapter
i2c-2	smbus     	SMBus PIIX4 adapter port 1 at 0b20	SMBus adapter
i2c-3	i2c       	AMDGPU DM i2c hw bus 0          	I2C adapter
i2c-4	i2c       	AMDGPU DM i2c hw bus 1          	I2C adapter
i2c-5	i2c       	AMDGPU DM i2c hw bus 2          	I2C adapter
i2c-6	i2c       	AMDGPU DM i2c hw bus 3          	I2C adapter
i2c-7	i2c       	AMDGPU DM aux hw bus 0          	I2C adapter
i2c-8	i2c       	AMDGPU DM aux hw bus 2          	I2C adapter
i2c-9	i2c       	AMDGPU DM aux hw bus 3          	I2C adapter
i2c-10	i2c       	DPMST                           	I2C adapter
i2c-11	i2c       	DPMST                           	I2C adapter

The candidate buses are 3 to 9, the ones used by the GPU (the bus number is the number after i2c- in the first column).

Disconnect everything from the HDMI port and search for devices on each I²C bus (replace BUS with the bus number):

sudo i2cdetect -y BUS

With nothing connected, no device should be detected, and the output should look like this:

     0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f
00:                         -- -- -- -- -- -- -- --
10: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
20: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
30: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
40: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
50: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
60: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
70: -- -- -- -- -- -- -- --

Connect the firewall's device-side port to the HDMI port and search for devices again. If you see the following result (the firewall's EEPROM answering at addresses 0x50 to 0x57), you have found the I²C bus of the HDMI port. Otherwise, continue with the next bus.

     0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f
00:                         -- -- -- -- -- -- -- --
10: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
20: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
30: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
40: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
50: 50 51 52 53 54 55 56 57 -- -- -- -- -- -- -- --
60: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
70: -- -- -- -- -- -- -- --

Connect the monitor you want to copy the EDID from directly to the HDMI port.

To dump the EDID, load the eeprom kernel module:

sudo modprobe eeprom

Display the EDID overview and make sure the model name matches your monitor (here a DELL 2408WFP on bus number 4):

ddcmon 4

Checksum:               OK
EDID Version:           1.3
Manufacturer ID:        DEL
Model Number:           0xA02C
Model Name:             DELL 2408WFP
Serial Number:          G286H9642GLS
Manufacture Time:       2009-W23
Display Input:          Digital
Monitor Size (cm):      52x32
Gamma Factor:           2.20
DPMS Modes:             Active Off, Suspend, Standby
Color Mode:             RGB Multicolor
Vertical Sync (Hz):     56-76
Horizontal Sync (kHz):  30-83
Max Pixel Clock (MHz):  170
Timing:                 640x480 @ 60 Hz
Timing:                 640x480 @ 75 Hz
Timing:                 720x400 @ 70 Hz
Timing:                 800x600 @ 60 Hz
Timing:                 800x600 @ 72 Hz
Timing:                 800x600 @ 75 Hz
Timing:                 1024x768 @ 87 Hz (interlaced)
Timing:                 1024x768 @ 75 Hz
Timing:                 1152x864 @ 75 Hz
Timing:                 1280x1024 @ 60 Hz
Timing:                 1600x1200 @ 60 Hz
Timing:                 1920x1200 @ 60 Hz

Save the full EDID dump (replace BUS with the appropriate bus number):

cat /sys/bus/i2c/devices/BUS-0050/eeprom > edid.bin

Connect the HDMI firewall's device port to the HDMI output. Make sure the write protection is disabled (tab still intact, or, if it has already been broken off, solder bridged across the WP pads).

Writing data to the wrong I²C bus can permanently damage your computer or other devices.

Unload the eeprom module so that the EEPROM on the I²C bus is no longer claimed by the kernel driver:

sudo modprobe -r eeprom

Write the extracted EDID data byte by byte to the HDMI firewall's EEPROM at address 0x50 (replace BUS with the appropriate bus number):

for addr in `seq 0 255`; do echo $addr; sudo i2cset -y BUS 0x50 $addr 0x`xxd -p -l 1 -s $addr edid.bin`; done

Compare the original dump with the data now stored in the EEPROM:

# display original dumped data
xxd -g 1 edid.bin
# display data written on EEPROM
sudo i2cdump -y BUS 0x50
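As an added example (not from the article or the HDMI firewall project), a small Python script that checks a dumped edid.bin the way ddcmon does (header, checksum, manufacturer, model number, model name) and lists the offsets where the EEPROM read-back differs from the dump, so a bad write is caught before the write-protect tab is broken off. The field layout follows the EDID 1.3 base block; the sample EDID inside is constructed to resemble the article's DELL 2408WFP and is not a real dump.

```python
import struct

EDID_HEADER = b"\x00\xff\xff\xff\xff\xff\xff\x00"

def decode_manufacturer(word):
    # Bytes 8-9 hold three 5-bit letters (A=1) packed big-endian, e.g. 0x10AC -> "DEL".
    return "".join(chr(64 + ((word >> shift) & 0x1F)) for shift in (10, 5, 0))

def parse_edid(blob):
    """Check header and checksum of the base EDID block and return its key fields."""
    block = bytes(blob[:128])
    if len(block) != 128 or block[:8] != EDID_HEADER:
        raise ValueError("not a valid EDID base block")
    if sum(block) % 256 != 0:            # all 128 bytes must sum to 0 mod 256
        raise ValueError("EDID checksum mismatch")
    vendor = struct.unpack_from(">H", block, 8)[0]
    product, serial = struct.unpack_from("<HI", block, 10)
    name = ""
    for off in (54, 72, 90, 108):        # four 18-byte descriptors; tag 0xFC = monitor name
        if block[off:off + 3] == b"\x00\x00\x00" and block[off + 3] == 0xFC:
            name = block[off + 5:off + 18].decode("ascii", "replace").split("\n")[0].strip()
    return {
        "manufacturer": decode_manufacturer(vendor),
        "model_number": product,
        "serial": serial,
        "manufacture_time": "%d-W%02d" % (1990 + block[17], block[16]),
        "version": "%d.%d" % (block[18], block[19]),
        "model_name": name,
        "extensions": block[126],
    }

def diff_eeprom(expected, actual):
    """Offsets where the EEPROM read-back differs from the dump (empty list = good write)."""
    return [(i, e, a) for i, (e, a) in enumerate(zip(expected, actual)) if e != a]

def build_sample_edid():
    """Constructed 128-byte EDID resembling the article's DELL 2408WFP (not a real dump)."""
    b = bytearray(128)
    b[0:8] = EDID_HEADER
    struct.pack_into(">H", b, 8, 0x10AC)                 # manufacturer "DEL"
    struct.pack_into("<HI", b, 10, 0xA02C, 0x01020304)   # model number, constructed serial
    b[16], b[17], b[18], b[19] = 23, 2009 - 1990, 1, 3   # week, year, EDID version 1.3
    b[54:72] = b"\x00\x00\x00\xfc\x00" + b"DELL 2408WFP\n"  # monitor name descriptor
    b[127] = (-sum(b[:127])) & 0xFF                      # checksum byte
    return bytes(b)

if __name__ == "__main__":
    edid = build_sample_edid()
    print(parse_edid(edid))
    print(diff_eeprom(edid, edid))
```

On a real dump, call parse_edid on the bytes of edid.bin and diff_eeprom against the bytes read back from the firewall (for example with edid-rw, as shown in the Tips section).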

After the EDID has been written to the firewall's memory and verified, break off the tab with pliers to write-protect the memory. This prevents a malicious payload from being stored there. The HDMI firewall can now be used (with this monitor only).

Feel free to wrap heat-shrink tubing or duct tape around the firewall. This prevents a short circuit if it touches nearby metal objects.

Troubleshooting

If the monitor does not detect the device or does not display anything (when it should), try re-enabling the direct 5V forwarding (the default) by bridging the 5V pads with solder. The HDMI cable carries a 5V line powered by the device. In our case, we use it to power the HDMI firewall's memory. Forwarding to the monitor can be disabled by cutting the trace between the 5V pads.

If the device does not detect the monitor or the HDMI firewall, or writing the EDID to the HDMI firewall fails, try connecting the firewall with a different, better-quality HDMI cable.

Tips

xrandr

xrandr can dump EDID information:

xrandr --properties

sysfs

sysfs also exposes the raw EDID (adjust the path to your GPU and connector):

edid-decode /sys/devices/pci0000:00/0000:00:08.1/0000:05:00.0/drm/card0/card0-HDMI-A-1/edid

I²C without root

To access I²C buses without root:

# add UDEV rule
cat << EOF | sudo tee /etc/udev/rules.d/20-i2c.rules
KERNEL=="i2c-[0-9]*", GROUP="i2c"
EOF
# give the user access to the devices (you have to log in again for the change to take effect)
sudo groupadd i2c
sudo gpasswd -a $USER i2c
# reload rules
sudo udevadm control --reload-rules
sudo udevadm trigger

Erasing

If you want to clear the firewall's memory for use with another monitor, write 0xff to every byte of each of the eight EEPROM pages (addresses 0x50 to 0x57; replace BUS with the appropriate bus number):

for page in `seq 50 57`; do echo 0x$page; for addr in `seq 0 255`; do echo $addr; sudo i2cset -y BUS 0x$page $addr 0xff; done; done

edid-decode

To parse and display the complete EDID information, you can use edid-decode. Install it on Debian/Ubuntu or from the AUR on Arch:

sudo apt-get install edid-decode
pikaur -S edid-decode-git

To view an EDID dump:

edid-decode edid.bin

edid-rw

edid-rw makes reading and writing the EDID a bit easier.

Install its dependency (Debian/Ubuntu, or from the AUR on Arch):

sudo apt-get install python3-smbus
pikaur -S python-smbus-git

Get edid-rw:

git clone https://github.com/bulletmark/edid-rw
cd edid-rw/

To read the EDID from a monitor connected on bus 4, run:

sudo ./edid-rw 4 > edid.bin

To write an EDID dump to the HDMI firewall's memory on bus 4:

sudo ./edid-rw -w 4 < edid.bin

To make sure the data was written correctly, read it back and decode it:

sudo ./edid-rw 4 | edid-decode
