01-09-2010, 04:34 PM
I was gonna write this up on my website, but, well, I've gotten a lot of my info from here for the past while, so I figured I'd share here first. Not to mention, posting links here is all verboten. 
Let me preface this with: This is all stuff I'm guessing AEBN doesn't mind being known. The best security method is one that's so secure that everyone can still know about it and not do anything to you. And so, here we are...
I finally got my hands on a real touch, and... Well, AEBN guys, if you're reading this, I owe your engineering team a round of drinks (after I slap them for abusing HID yet /again/. Seriously. Why do hardware engineers do that? We have WinUSB now! Stop making HID the whipping boy of your "I don't want to install a driver" needs!).
It's been a bit of a holy grail around here to subvert AEBN's security and make the real touch work without streaming videos. Well, kids, not gonna happen, at least, not in a pure software way.
You see, whenever you connect the real touch and start a movie, there's a network based challenge/response system that has to be executed to get the controls box to accept commands. It looks a little like this:
1. Send over a packet to control box, requesting a seed packet from the control box.
2. Receive seed packet. The seed packet seems to contain a constantly incrementing 16-bit value, two other 16-bit values that seem kinda random, and your 32-bit device serial number.
3. Repeat above steps again. Maybe to pull another random-ish seed value?
4. Send 2 clock values and your serial ID OVER THE NETWORK to AEBN. Seriously. Try starting a movie, pausing it, unplugging your network cable, and hitting lube burst. No go. You MUST be on the network for the device to function.
5. AEBN sends back a 128-bit value
6. Send 128-bit value to box
7. Receive success status
8. Start RealTouchin'.
9. Once done RealTouchin' (closing WMP or when you hit pause), send over an "off" packet that stops the box from processing new commands until auth steps happen again
Whenever you stop/start a movie, or pause then hit the Lube Burst button, and it pauses a little bit, that's because steps 1-6 are happening. It's phoning home and reactivating itself. Now, you could have it phone home, activate, then crash out of whatever you used to activate it so it doesn't deauthenticate itself (I haven't actually tested this method yet), but you're still relying on AEBN to start the thing for you in the first place, so it's a bit of a moot point anyways.
This is smart for multiple reasons, and stupid for a few others. It's smart because the authentication algorithm is hosted in two hard to attack places.
- Remotely, the algorithm is an AEBN web service, so you can't sit there and just exhaust the 32-bit sample space created by the 2 clock values locally, assuming that's even the correct way to do it. 'course, even if you did exhaust the space, most people wouldn't want to ship around a 64GB lookup table just to get sucked off by their computer for free anyways, but it's more the principle of the matter for me.
- Locally, the algorithm is in the chip firmware, since you have to send it the value from the network to compare. Not only is the chip epoxied on the board, so much so that it's even hard to tap the chip lines, making popping the top damn near impossible, but even if you did, you'd need a badass microscope and a /lot/ of time. Really, do you care THAT much?
So, sure, steal all the movies you want. Unless the device phones home and activates itself, they ain't gonna do you shit for good. Not only that, AEBN finds out you've been stealing movies, they ban your serial number from the authentication service, and your RealTouch is dead as a doornail.
As for the stupid part... As with all DRM, the thing that worries me is that if AEBN goes under, or their server dies, the Real Touch goes with it unless they release their authentication method. Not only that, this means no truly standalone movies or control, ever. You'll always need network access, because the second anyone gets their hands on local software with the algorithm, a few minutes with a disassembler and it's all over (technically, at least. Legally, that's a minefield that would kill every boner on the board forever were I to explain it. Thank you very much DMCA.).
Now, this doesn't stop people from building their own hardware boxes, which is fairly trivial, as RealAgent has proven. But, there's no such thing as a pure software solution here. You want your own control, you have to build your own hardware. However, controlling the RealTouch is Arduino simple, and mimicking their control algorithm isn't too hard beyond that.
So yeah, I'm torn between having some respect for AEBN developing a pretty tight little scheme to control their business model, and angry 'cause I'm gonna have to throw together my own control board to do silly shit with the toy.
But don't waste your time on software. Not going to happen. Scott ain't been talkin' out his ass to the press, that's for sure.
- qDot, whose parents are probably so proud of what he uses his CS degree for.
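A toy model of the activation flow the post describes (steps 1-7, the "off" packet, and the serial-number ban), added here as an illustration and not code from the post or from AEBN. The real server-side function is unknown; an HMAC over the two 16-bit clock values and the serial with a server-only key is an assumed stand-in, as are the `<HHHI` packet layout and every name below. The last function checks the post's "64GB lookup table" figure.

```python
import hashlib, hmac, os, struct

# ASSUMED: the web service's secret never leaves the server; the firmware
# holds the matching derivation, so neither side alone yields the algorithm.
SERVER_KEY = b"assumed-server-secret"
BANNED_SERIALS = set()      # serials the service refuses to activate

def expected_value(key, clock, serial):
    """128-bit activation value for (two 16-bit clocks, 32-bit serial)."""
    msg = struct.pack("<HHI", clock[0], clock[1], serial)
    return hmac.new(key, msg, hashlib.sha256).digest()[:16]

def parse_seed(pkt):
    """Seed packet as the post describes it: counter, two clocks, serial."""
    counter, r1, r2, serial = struct.unpack("<HHHI", pkt)
    return {"counter": counter, "clock": (r1, r2), "serial": serial}

class ControlBox:
    """Device side: issues seed packets, arms itself only on a valid value."""
    def __init__(self, serial, key=SERVER_KEY):
        self.serial, self._key = serial, key
        self.counter, self.active, self._last_clock = 0, False, None
    def seed_packet(self):
        self.counter = (self.counter + 1) & 0xFFFF       # 16-bit, wraps
        r1, r2 = struct.unpack("<HH", os.urandom(4))     # random-looking clocks
        self._last_clock = (r1, r2)
        return struct.pack("<HHHI", self.counter, r1, r2, self.serial)
    def activate(self, value128):
        want = expected_value(self._key, self._last_clock, self.serial)
        self.active = hmac.compare_digest(value128, want)  # step 7 status
        return self.active
    def off(self):
        self.active = False      # step 9: stop accepting commands

def aebn_service(clock, serial):
    """Steps 4-5: the remote side; a banned serial gets nothing back."""
    if serial in BANNED_SERIALS:
        return None
    return expected_value(SERVER_KEY, clock, serial)

def run_session(box):
    """Steps 1-7: two seed requests, one network round trip, one compare."""
    box.seed_packet()                          # step 3 repeats steps 1-2
    seed = parse_seed(box.seed_packet())
    value = aebn_service(seed["clock"], seed["serial"])
    return value is not None and box.activate(value)

def lookup_table_bytes():
    """Every 32-bit clock pair mapped to its 16-byte value: 64 GiB."""
    return (1 << 32) * 16
```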