My audio interface has SSH enabled by default (hhh.hn)
rikafurude21 7 hours ago [-]
It's still crazy to me that everyone has a pocket AI hacker ready to inspect firmware and modify their devices now. You just put the agent on it and it gives you access in minutes. You would have to be a Hotz-tier hacker if you wanted to do anything close to this only last year, or at the very least extremely patient for long hours.
throwaway89201 5 hours ago [-]
> You would have to be a Hotz tier hacker if you wanted to do anything close to this only last year

This isn't true at all. Yes, LLMs have made it dramatically easier to analyse, debug and circumvent. Both for people who didn't have the skill to do this, and for people who know how to but just cannot be bothered because it's often a grind. This specific device turned out to be barely protected against anything. No encrypted firmware, no signature checking, and built-in SSH access. This would be extremely doable for any medium skilled person without an LLM with good motivation and effort.

You're referring to George Hotz, who is known for releasing the first PS3 hypervisor exploit. The PS3 was / is fully secured against attackers, of which the mere existence of a hypervisor layer is proof. Producing an exploit required voltage glitching on physical hardware using an FPGA [1]. Perhaps an LLM can assist with mounting such an attack, but as there's no complete feedback loop, it still would require a lot of human effort.

[1] https://rdist.root.org/2010/01/27/how-the-ps3-hypervisor-was...

BiraIgnacio 3 hours ago [-]
The hacking aspect has been hit-and-miss for me. Just today I was trying to verify a fix for a CVE, and even giving the agent the CVE description + details on how to exploit it and the code that fixed it, it couldn't write the exploit code correctly.

Not to say it's not super useful, as we can see in the article

dpark 4 hours ago [-]
> fully secured against attackers, of which the mere existence of a hypervisor layer is proof of

https://en.wikipedia.org/wiki/Virtual_machine_escape

JCattheATM 4 hours ago [-]
The last one was 8 years ago. It's not a terribly common vuln anymore - not that it ever was.
KomoD 2 hours ago [-]
> The last one was 8 years ago

Not true. There's way more than that list. I could immediately think of 2 more from last year: CVE-2025-22224 and CVE-2025-22225

mswphd 4 hours ago [-]
Didn't the PS3 have a hardcoded nonce for their ECDSA impl that allowed full key recovery? I would agree that I doubt LLMs let people mount side-channel attacks easily on consumer electronics though.
throwaway89201 4 hours ago [-]
Yes indeed, that chain of exploits was all software and not hardware. Developed after the Hotz exploit and Sony subsequently shuttering OtherOS.

It didn't directly give access to anything however. IIRC they heavily relied on other complex exploits they developed themselves, as well as relying on earlier exploits they could access by rolling back the firmware by indeed abusing the ECDSA implementation. At least, that turned out to be the path of least resistance. Without earlier exploits, there would be less known about the system to work with.

Their presentation [1] [2] is still a very interesting watch.

[1] https://www.youtube.com/watch?v=5E0DkoQjCmI

[2] https://fahrplan.events.ccc.de/congress/2010/Fahrplan/attach...

hrimfaxi 3 hours ago [-]
> Perhaps an LLM can assist with mounting such an attack, but as there's no complete feedback loop, it still would require a lot of human effort.

LLMs have had no problem modifying software on an attached Android phone. It's only a matter of time.

buildbot 6 hours ago [-]
This 1000% - I've used AI to enable SSH in one Phase One digital back I own, and to reverse engineer and patch the firmware on another to make the back think it's a different back - Credo 50 to IQ250! The internals are literally the same.
Almondsetat 6 hours ago [-]
I'm sorry, are you trusting an LLM to touch a camera that costs like a new car?
buildbot 4 hours ago [-]
Only a little bit of touching for the really expensive one. The Credo 50 was less than 1K though.

Also, Phase One Support/Repair is absolutely phenomenal, and unless you toast the sensor, repairs are "fairly" economical.

magenta4 4 hours ago [-]
[dead]
hhh 6 hours ago [-]
It's really nice to not have to spend hours looking through packet captures and stuff. I enjoy digging, but as I'm getting older I have less time to spend 16-hour days looking at random firmware blobs.
throwaway173738 2 hours ago [-]
If it’s embedded Linux with no HAB it’s not hard to make “adjustments.” Just use file and binwalk to figure out what it is and break it open.
Thaxll 4 hours ago [-]
LLMs are not capable of doing that for most things. Having an open SSH device does not require any special "skill".
strbean 6 hours ago [-]
Damn, maybe I can throw an agent at trying to unlock IMEI spoofing on my Unifi LTE modem. That one guy on Twitter who does all the LTE modem unlocking never replied to my tweet :(
akdev1l 42 minutes ago [-]
There's barely any hacking here.

The guy found this through looking at the firmware, but nmap -p 22 would have also found this.

So, like, the first thing you would do to attack the device.

I found an issue exactly like this on an ISP-provided router. I am nowhere near geohot but also didn't even do as much as the guy in the article lmao

yonatan8070 8 hours ago [-]
Having the firmware image just be a boring old tarball + hash sounds super nice. I wish more devices were this open, and I hope Rode won't see this and decide to lock the firmware upgrades down.
EvanAnderson 6 hours ago [-]
In the off chance anybody from Rode sees this: This makes me want to purchase your gear. Don't change it.

It's funny this comes up now. Tomorrow I'm dragging my Zoom R20 recorder on-site to use as an overly-featured USB audio interface for a single-mic live stream. If I'd known this about Rode a week ago I'd have purchased one of these and could have left my R20 hooked up in the home studio!

QuantumNomad_ 4 hours ago [-]
I’m guilty of using my Zoom R16 in a similar fashion; as USB audio interface most of the time for a couple of inputs.

The only thing that is a little sad about it is that for example the faders do nothing when the R16 is in USB audio interface mode.

It does however like to randomly turn on reverb and one other effect after power cycling. Which I sometimes forget and then wonder for half a second why the audio is sounding weird :P So there is some extra functionality that is available even in USB audio interface mode, although in this case not desirable for me to have enabled within it. If I want to add reverb or other effects when using the R16 as USB audio interface, I prefer to do so in the DAW. I would have liked to be able to use the faders though.

EvanAnderson 3 hours ago [-]
Interesting.

I'm running my R20 in USB interface / stereo mix mode and the faders do work. I didn't think about trying to apply any effects. I'll play with that, for fun, but I'd definitely add them in the DAW as well. (I really only use my R20 for multitrack recording and do all my effects in the DAW. I like it, and it can do a ton standalone, but my workflow really just needed a multitrack recorder and I could have probably spent a lot less. It just looked like fun...)

gamerslexus 11 minutes ago [-]
I don't want my audio interface to run SSH (and have some random authorized key added), personally.
tombert 5 hours ago [-]
I had to upgrade the firmware in my HP printer a couple years ago.

It’s a printer that I think was released in ~2009 (I am not able to check right now), and in order to upgrade the RAM to 256MB I needed to do a firmware update.

I dreaded this, but then I found out that all you do to update the firmware was FTP a tarball to the printer over the network. I dropped it in with FileZilla, it spent a few minutes whirring, and my firmware was updated.

Then I got mad that firmware updates are ever more complicated than that. Let me FTP or SCP or SFTP a blob there, do a checksum or something for security reasons, and then do nothing else.

thwarted 3 hours ago [-]
I think my favorite is Wi-Fi access points that support TFTP to load a firmware image (with some kind of hardware switch to enable this state). These can be made effectively unbrickable, and it's really nice for experimenting.
ssl-3 1 hour ago [-]
> Let me FTP or SCP or SFTP a blob there, do a checksum or something for security reasons

Whose security are we talking about here? Mine, or the manufacturer's?
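The two comments above disagree about what the "checksum for security reasons" actually buys. The script below, an added example that is not Rode's update tooling and not code from the post, makes the distinction concrete for a package shaped like the one in the article (a plain tarball plus a hash): a hash shipped alongside the blob catches a corrupted download, but anyone who can swap the tarball can swap the hash file too, so only a hash pinned by the verifier (or a signature, which this stdlib-only example does not implement) tells you the package came from whom you expect. The package layout, the member name rootfs.bin and all sample contents are constructed assumptions.

```python
"""Verify a firmware package shipped as a tarball plus a checksum and show
what the checksum does and does not protect against.

Added example: not the vendor's update tool and not code from the post.
The package layout (one gzip tarball holding rootfs.bin, plus the hex
SHA-256 of the tarball) and every file name here are assumptions."""
import hashlib
import hmac
import io
import tarfile


def build_package(payload: bytes) -> tuple[bytes, str]:
    """Constructed sample package: a tarball containing one file named
    rootfs.bin, plus the SHA-256 of the whole tarball, the way a vendor
    might ship a .sha256 file next to the blob."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo("rootfs.bin")
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    blob = buf.getvalue()
    return blob, hashlib.sha256(blob).hexdigest()


def list_members(blob: bytes) -> list[str]:
    """A plain tarball needs no special tooling to inspect."""
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        return tar.getnames()


def checksum_matches(blob: bytes, expected_hex: str) -> bool:
    """Compare the package hash with an expected value in constant time."""
    return hmac.compare_digest(hashlib.sha256(blob).hexdigest(), expected_hex)


def verify_with_bundled_hash(blob: bytes, bundled_hex: str) -> bool:
    """The expected hash travels with the package (hash file next to the
    tarball). This catches a corrupted or truncated transfer, but whoever
    replaces the tarball can replace the hash file in the same step."""
    return checksum_matches(blob, bundled_hex)


def verify_with_pinned_hash(blob: bytes, pinned_hex: str) -> bool:
    """The expected hash comes from somewhere the package supplier cannot
    rewrite (pinned in the updater, or obtained over an authenticated
    channel). A substituted package now fails even though it is internally
    consistent with its own hash file."""
    return checksum_matches(blob, pinned_hex)


def flip_byte(blob: bytes, index: int) -> bytes:
    """Simulate a transfer error by corrupting a single byte."""
    b = bytearray(blob)
    b[index] ^= 0x01
    return bytes(b)


def demo() -> dict[str, bool]:
    """Run the scenarios and return each outcome by name (all should be True)."""
    genuine, genuine_hash = build_package(b"genuine rootfs image (constructed)")
    corrupted = flip_byte(genuine, len(genuine) // 2)
    substituted, substituted_hash = build_package(b"modified rootfs image (constructed)")
    return {
        "genuine_passes_bundled": verify_with_bundled_hash(genuine, genuine_hash),
        "corrupted_fails_bundled": not verify_with_bundled_hash(corrupted, genuine_hash),
        # the weak spot: a package that carries its own matching hash passes
        "substituted_passes_bundled": verify_with_bundled_hash(substituted, substituted_hash),
        # the fix: compare against a hash the updater already trusts
        "substituted_fails_pinned": not verify_with_pinned_hash(substituted, genuine_hash),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The third scenario is the one that answers "whose security": a hash file shipped next to the blob protects the user against a bad download, not against a bad package. To get the latter the device has to hold something the package cannot bring along with itself, a pinned hash as here or, in practice, a public key used to check a signature over the tarball.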

Gigachad 2 hours ago [-]
I think it should be locked down to require some kind of physical button input to enable the commands, putting it in some kind of "DFU" mode. Otherwise anything with USB access could brick your device by flashing a bad firmware.
userbinator 2 hours ago [-]
I think "my audio interface is a 64-bit Linux computer" would've sounded far more interesting to me as a title. Perhaps a decade or two ago, the functionality of that device would've likely been implemented on a small 16-bit or 32-bit SoC running an RTOS like VxWorks.

Given how many physical controls it has, turning it into a game console seems like a logical next step.

ssl-3 9 minutes ago [-]
My audio interface is a Linux computer with FPGAs inside (that actually get field-programmed), with two gigabit Ethernet jacks that each talk to different parts of the machine.

But I don't think anyone here would care about that. It's not such an unusual arrangement. In pro audio world it's actually kind of mundane.

Maybe I'll write about it more after I get the gumption to gain a root shell on it (or brick it, whichever comes first). I think you guys might find that part more interesting.

mianos 1 hour ago [-]
Good old local Aussie guys write this. If you had something you wanted to report I'd just give them a call. We almost speak English down here.
coldcity_again 6 hours ago [-]
Nice writeup and great domain. I don't know Zola and don't know if this is a common template or a custom jobbie but it's lovely.
bewuethr 4 hours ago [-]
montecarl 6 hours ago [-]
I really want to know how he solved this problem, which I also face:

>last year i bought a Rodecaster Duo to solve some audio woes to allow myself and my girlfriend to have microphones to our respective computers when gaming together and talking on discord in the same room without any echo

hhh 6 hours ago [-]
The Rodecaster can connect to two computers, and we are both generally in the same Discord call. So we have both microphones routed into one input for a computer, and the other person joins with their mic muted and the audio just comes from one client. Since the mixing is local there's no echo. Email me if you have more questions :)
nazcan 1 hours ago [-]
So both mics will pick up both people (at least somewhat, in the same room) - but because there is no, I assume 20-100ms latency going through the system, to discord, and back - it avoids a slight difference in timing of the two mics picking up the same sound slightly differently. Is that right?

Very cool!

donatj 4 hours ago [-]
Why connect it to both computers?
ssl-3 55 minutes ago [-]
It saves on rewiring stuff. Maybe there's only one person talking today. Maybe they're using PC A, or perhaps they're using PC B instead.

Or maybe there's two people in the room, each on different channels altogether. In this case the other person is just uncorrelated background noise instead of a persistent echo.

Or, in-context: There's two people in the same room, both talking on the same Discord channel.

Anyway, audio routing is useful. Being able to route audio with two different PCs is a pretty neat feature of the rodecaster.

montecarl 3 hours ago [-]
I get it! Thank you that is genius.
kQq9oHeAz6wLLS 4 hours ago [-]
Not in the same league or form factor, but I have an old Jabra 65 headset, and the noise canceling is amazing. I can be playing my cello while unmuted on a call, and nobody can hear it.

I know headsets aren't everyone's cup of tea, but a mic close to the source (your mouth) with good noise canceling is a solid solution.

NikolaNovak 6 hours ago [-]
Doesn't a headset with directional boom microphone do the trick? I may be misinterpreting the problem statement though :-).
realo 7 hours ago [-]
I understand the hacker rationale to have fun owning the device, and I would like it to stay that way.

But... please do not forget that the CRA will put a heavy blanket on that fire.

cwillu 5 hours ago [-]
TLA syndrome strikes again, I have no idea what CRA refers to here.
throwaway89201 5 hours ago [-]
Cyber Resilience Act [1], which is well-intentioned, and doesn't outright forbid user access to firmware, but most vendors will take the easy road and outright block user-modifiable software (if they didn't already), so that their completely closed source, obfuscated and vulnerable version is the only version allowed on their devices.

[1] https://en.wikipedia.org/wiki/Cyber_Resilience_Act

kQq9oHeAz6wLLS 4 hours ago [-]
Ah, EU-only. That explains why I've never heard of it, among other things.
realo 2 hours ago [-]
Well... if you look behind anything that plugs into a wall socket you will see that it has ( among many other things) a CE mark. Even things in the USofA have a CE mark.

If your new product cannot have its CE mark for whatever reason, you will not have the approbations to sell in the USA either.

What the CRA will do, is if you do not have a "CRA" compliant product, you will not have the CE mark. Which means you will not (with very high probability) have the other marks needed to sell outside Europe.

Maybe then you can just sell to your close family members who like you, but good luck if you get caught and it can be proven that your shitty device caused a fire ...

ssl-3 34 minutes ago [-]
We don't place any value on the CE mark in the States.

A lot of consumer electronics need to be FCC compliant, which involves a process of proving that the device doesn't emit too much of the wrong EMI/RFI in the wrong places.

And safety-wise, we tend to use ETL, UL, and CSA for testing. These are third-party Nationally Recognized Testing Labs, and their own marks are used on devices they approve. But they're only really concerned about the safety of a product. In very broad strokes: if the device is proven to be unlikely enough to burn a house down or cause electrical shock to humans, then it gets approved.

CE is a whole different thing. No government body in the USA requires or respects a CE mark on consumer goods; that mark doesn't hold any legal weight here.

Whether good or bad, CE is just not how we roll on this side of the pond.

(Of course, none of that means that laws in the EU don't affect product availability and features here. Globalization be that way sometimes.)

9p 8 hours ago [-]
Why was disclosure the objective? Wouldn't you want to keep this interface open?
hhh 7 hours ago [-]
Not really an objective; I hope RODE continues to keep it open.
vablings 7 hours ago [-]
EvanAnderson 6 hours ago [-]
That's sad.
serious_angel 8 hours ago [-]
[flagged]
hhh 7 hours ago [-]
Because it's fun to tear stuff apart and poke at it, and I am writing to share with people and for fun, not as a business.
serious_angel 7 hours ago [-]
[flagged]
JadeNB 7 hours ago [-]
You expressed your opinion once. I think that there's no need to shit on the post again.
serious_angel 6 hours ago [-]
[flagged]