Good old local Aussie guys write this. If you had something you wanted to report I'd just give them a call. We almost speak English down here.
It's still crazy to me that everyone has a pocket AI-hacker ready to inspect firmware and modify their devices now. You just put the agent on it and it gives you access in minutes. You would have to be a Hotz tier hacker if you wanted to do anything close to this only last year, or at the very least extremely patient for long hours.
This 1000% - I've used AI to enable SSH in one Phase One digital back I own, and to reverse engineer and patch the firmware on another to make the back think it's a different back - Credo 50 to IQ250! The internals are literally the same.
I'm sorry, are you trusting an LLM to touch a camera that costs like a new car?
Only a little bit of touching for the really expensive one. The Credo 50 was less than 1K though.
Also Phase One Support/Repair is absolutely phenomenal and unless you toast the sensor, repairs are "fairly" economical.
It's really nice to not have to spend hours looking through packet captures and stuff. I enjoy digging, but as I'm getting older I have less time to spend 16 hour days looking at random firmware blobs.
Damn, maybe I can throw an agent at trying to unlock IMEI spoofing on my Unifi LTE modem. That one guy on twitter who does all the LTE modem unlocking never replied to my tweet :(
> You would have to be a Hotz tier hacker if you wanted to do anything close to this only last year
This isn't true at all. Yes, LLMs have made it dramatically easier to analyse, debug and circumvent. Both for people who didn't have the skill to do this, and for people who know how to but just cannot be bothered because it's often a grind. This specific device turned out to be barely protected against anything. No encrypted firmware, no signature checking, and built-in SSH access. This would be extremely doable for any medium skilled person without an LLM with good motivation and effort.
You're referring to George Hotz, who is known for releasing the first PS3 hypervisor exploit. The PS3 was / is fully secured against attackers, of which the mere existence of a hypervisor layer is proof. Producing an exploit required voltage glitching on physical hardware using an FPGA [1]. Perhaps an LLM can assist with mounting such an attack, but as there's no complete feedback loop, it still would require a lot of human effort.
[1] https://rdist.root.org/2010/01/27/how-the-ps3-hypervisor-was...
> fully secured against attackers, of which the mere existence of a hypervisor layer is proof of
https://en.wikipedia.org/wiki/Virtual_machine_escape
The last one was 8 years ago. It's not a terribly common vuln anymore - not that it ever was.
> The last one was 8 years ago
Not true. There's way more than that list. I could immediately think of 2 more from last year: CVE-2025-22224 and CVE-2025-22225
Didn't the PS3 have a hardcoded nonce for their ECDSA impl that allowed full key recovery? I would agree that I doubt LLMs let people mount side-channel attacks easily on consumer electronics though.
Yes indeed, that chain of exploits was all software and not hardware. Developed after the Hotz exploit and Sony subsequently shuttering OtherOS.
It didn't directly give access to anything however. IIRC they heavily relied on other complex exploits they developed themselves, as well as relying on earlier exploits they could access by rolling back the firmware by indeed abusing the ECDSA implementation. At least, that turned out to be the path of least resistance. Without earlier exploits, there would be less known about the system to work with.
Their presentation [1] [2] is still a very interesting watch.
[1] https://www.youtube.com/watch?v=5E0DkoQjCmI
[2] https://fahrplan.events.ccc.de/congress/2010/Fahrplan/attach...
The hacking aspect has been hit and miss for me. Just today I was trying to verify a fix for a CVE and even giving the agent the CVE description + details on how to exploit it and the code that fixed it, it couldn't write the exploit code correctly.
Not to say it's not super useful, as we can see in the article.
> Perhaps an LLM can assist with mounting such an attack, but as there's no complete feedback loop, it still would require a lot of human effort.
LLMs have had no problem modifying software on an attached android phone. It's only a matter of time.
LLM are not capable of doing that for most things. Having an open ssh device does not require any special "skill".
If it’s embedded Linux with no HAB it’s not hard to make “adjustments.” Just use file and binwalk to figure out what it is and break it open.
Having the firmware image just be a boring old tarball + hash sounds super nice. I wish more devices were this open, and I hope Rode won't see this and decide to lock the firmware upgrades down.
In the off chance anybody from Rode sees this: This makes me want to purchase your gear. Don't change it.
It's funny this comes up now. Tomorrow I'm dragging my Zoom R20 recorder on-site to use as an overly-featured USB audio interface for a single-mic live stream. If I'd known this about Rode a week ago I'd have purchased one of these and could have left my R20 hooked up in the home studio!
I’m guilty of using my Zoom R16 in a similar fashion; as USB audio interface most of the time for a couple of inputs.
The only thing that is a little sad about it is that for example the faders do nothing when the R16 is in USB audio interface mode.
It does however like to randomly turn on reverb and one other effect after power cycling. Which I sometimes forget and then wonder for half a second why the audio is sounding weird :P So there is some extra functionality that is available even in USB audio interface mode, although in this case not desirable for me to have enabled within it. If I want to add reverb or other effects when using the R16 as USB audio interface, I prefer to do so in the DAW. I would have liked to be able to use the faders though.
Interesting.
I'm running my R20 in USB interface / stereo mix mode and the faders do work. I didn't think about trying to apply any effects. I'll play with that, for fun, but I'd definitely add them in the DAW as well. (I really only use my R20 for multitrack recording and do all my effects in the DAW. I like it, and it can do a ton standalone, but my workflow really just needed a multitrack recorder and I could have probably spent a lot less. It just looked like fun...)
I had to upgrade the firmware in my HP printer a couple years ago.
It’s a printer that I think was released in ~2009 (I am not able to check right now), and in order to upgrade the RAM to 256MB I needed to do a firmware update.
I dreaded this, but then I found out that all you do to update the firmware was FTP a tarball to the printer over the network. I dropped it in with FileZilla, it spent a few minutes whirring, and my firmware was updated.
Then I got mad that firmware updates are ever more complicated than that. Let me FTP or SCP or SFTP a blob there, do a checksum or something for security reasons, and then do nothing else.
I think my favorite is wifi access points that support tftp to load a firmware image (with some kind of hardware switch to enable this state). These can be made effectively unbrickable and it's really nice for experimenting.
> Let me FTP or SCP or SFTP a blob there, do a checksum or something for security reasons
Whose security are we talking about here? Mine, or the manufacturer's?
I think it should be locked down to require some kind of physical button input to enable the commands, putting it in some kind of "DFU" mode. Otherwise anything with USB access could brick your device by flashing a bad firmware.
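The update gate sketched in the comments above, worked through as an added example (not Rode's code, not from the thread): a constructed "tarball + hash" bundle, a check that is bound to a vendor key rather than to a hash shipped alongside the blob, and a physical DFU button that must be held before anything is flashed. The vendor key is a placeholder and the HMAC stands in for a real public-key signature so the block runs on the standard library alone.

```python
"""Firmware update gate: hash-only check vs. key-bound check, plus physical presence.

Added example, not the device's real updater. The HMAC below is a stand-in for a
public-key signature (a shipping device would hold only the vendor's public key).
"""
import hashlib
import hmac
import io
import tarfile

VENDOR_KEY = b"placeholder-vendor-key"  # assumption: stands in for the vendor signing key


def build_bundle(files: dict[str, bytes]) -> bytes:
    """Pack files into a tar.gz, like the 'boring old tarball' firmware image."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def digest(blob: bytes) -> str:
    """Plain SHA-256: detects corruption, but anyone can recompute it for a new blob."""
    return hashlib.sha256(blob).hexdigest()


def seal(blob: bytes) -> str:
    """Key-bound tag: only the key holder can produce it for a given blob."""
    return hmac.new(VENDOR_KEY, blob, "sha256").hexdigest()


def hash_only_check(blob: bytes, expected_hash: str) -> bool:
    return hmac.compare_digest(digest(blob), expected_hash)


def key_bound_check(blob: bytes, tag: str) -> bool:
    return hmac.compare_digest(seal(blob), tag)


class Device:
    """Toy updater: requires the DFU button, then a valid tag, before unpacking."""

    def __init__(self) -> None:
        self.dfu_button_held = False   # physical presence gate
        self.installed: list[str] | None = None

    def apply_update(self, blob: bytes, tag: str) -> str:
        if not self.dfu_button_held:
            return "rejected: not in DFU mode"
        if not key_bound_check(blob, tag):
            return "rejected: bad signature"
        # Only parse the archive once its origin is established.
        with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
            self.installed = tar.getnames()
        return "installed"
```

A hash shipped next to the blob answers "did this arrive intact?"; only the key-bound tag answers "did the vendor produce this?", and the button decides whether anything with USB access may flash at all.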
I think "my audio interface is a 64-bit Linux computer" would've sounded far more interesting to me as a title. Perhaps a decade or two ago, the functionality of that device would've likely been implemented on a small 16-bit or 32-bit SoC running an RTOS like VxWorks.
Given how many physical controls it has, turning it into a game console seems like a logical next step.
Nice writeup and great domain. I don't know Zola and don't know if this is a common template or a custom jobbie but it's lovely.
Looks like the https://www.getzola.org/themes/radion/ theme
I really want to know how he solved this problem, which I also face:
> last year i bought a Rodecaster Duo to solve some audio woes to allow myself and my girlfriend to have microphones to our respective computers when gaming together and talking on discord in the same room without any echo
The Rodecaster can connect to two computers, and we are both generally in the same Discord call. So we have both microphones routed into one input for a computer, and the other person joins with their mic muted and the audio just comes from one client. Since the mixing is local there's no echo. Email me if you have more questions :)
Why connect it to both computers?
Not in the same league or form factor, but I have an old Jabra 65 headset, and the noise canceling is amazing. I can be playing my cello while unmuted on a call, and nobody can hear it.
I know headsets aren't everyone's cup of tea, but a mic close to the source (your mouth) with good noise canceling is a solid solution.
I get it! Thank you that is genius.
So both mics will pick up both people (at least somewhat, in the same room) - but because there is no, I assume 20-100ms latency going through the system, to discord, and back - it avoids a slight difference in timing of the two mics picking up the same sound slightly differently. Is that right?
Very cool!
Doesn't a headset with directional boom microphone do the trick? I may be misinterpreting the problem statement though :-).
why was disclosure the objective? wouldn't you want to keep this interface open?
not really an objective, I hope RODE continues to keep it open
https://github.com/ThomasStolt/Copy-Recordings-Off-Rodecaste...
It used to be completely open lol
That's sad.
I understand the hacker rationale to have fun owning the device, and I would like it to stay that way.
But... please do not forget that the CRA will put a heavy blanket on that fire.
TLA syndrome strikes again, I have no idea what CRA refers to here.
Cyber Resilience Act [1], which is well-intentioned, and doesn't outright forbid user access to firmware, but most vendors will take the easy road and outright block user-modifiable software (if they didn't already), so that their completely closed source, obfuscated and vulnerable version is the only version allowed on their devices.
[1] https://en.wikipedia.org/wiki/Cyber_Resilience_Act
Ah, EU-only. That explains why I've never heard of it, among other things.
Well... if you look behind anything that plugs into a wall socket you will see that it has (among many other things) a CE mark. Even things in the USofA have a CE mark.
If your new product cannot have its CE mark for whatever reason, you will not have the approbations to sell in the USA either.
What the CRA will do is, if you do not have a CRA-compliant product, you will not have the CE mark. Which means you will not (with very high probability) have the other marks needed to sell outside Europe.
Maybe then you can just sell to your close family members who like you, but good luck if you get caught and it can be proven that your shitty device caused a fire ...