• taldo 12 hours ago |
    Ouch, open Cosmos DB with geolocation logs publicly accessible...
    • bux93 8 hours ago |
      It's only the locations of children.. Wait.. That doesn't sound good?
      • altairprime 5 hours ago |
        Hopefully someone who is in the EU buys one of these and files a formal complaint! I can't from across the ocean, sadly.
  • justinclift 11 hours ago |
    Ugh:

      ... the application tries not only uploading the ID3 Tags, but also geolocation data,
      which is most likely gathered from Wi-Fi triangulation from windows itself.
    
    That's likely breaking some EU GDPR rules, at the very least.

    Doesn't seem like that'd be an accidental thing?

    • polartx 10 hours ago |
      I would assume so since much of the code seems to have been stolen in the first place
      • consp 9 hours ago |
        Or made by a contractor or is COTS in another region?
  • zkirill 11 hours ago |
    Awesome article. Just wondering, how can a hardware company voluntarily submit their device for reverse engineering and dismantling as a show of good faith? Given the right circumstances this is basically a free security audit and marketing for the company.
    • wpietri 11 hours ago |
      If a company wants somebody to do a hardware audit for marketing purposes, they should pay money for that. Please fairly value people's labor, especially when you seek to profit from it.
      • cheschire 11 hours ago |
        Well, influencers are able to work out alternative means of compensation because the content is more valuable than the work performed. For example a blogger that is renowned for teardowns might do the work in exchange for access to early release models so that their content is highly relevant. That is worth more than the hourly cost to perform the teardown work. Compensation negotiation is part of the art of that deal.
        • wpietri 11 hours ago |
          If an influencer is indeed able to monetize the content sufficient to match market price for the labor, then sure, that is also fairly valuing people's labor. But that's definitely not what's happening here.
          • Jerrrrrrry 5 hours ago |

              right circumstances
      • bigallen 11 hours ago |
        If someone wants to do the hardware audit for free, or in exchange for some kind of promotional exchange, is that a bad thing? I'd break down a lot of devices if I could get a duplicate one intact, for free
        • wpietri 11 hours ago |
          This was a low-priced consumer good, so I don't think anything is stopping you from doing teardowns like this on your own.
    • dylan604 9 hours ago |
      They could just provide schematics, blueprints, parts explosion graphics, etc.

      I have been a fan of the Sony MDR-7502 headphones since Moses was in a basket. They provide an explosion of each of the parts and their numbers so that you can order replacements. Granted, these are "old skool" dumb wired headphones, so no software is needed, nor are chips necessary to look up and what not.

      • spookie 9 hours ago |
        Same for the MDR-7506!

        Speaking of wireless, their battery problems over time have already bitten me, will continue buying "dumb" ones in the future.

        • justinclift 4 hours ago |
          Wouldn't it have been amazing if they'd taken that attitude with the PlayStation series? :)
    • Retr0id 9 hours ago |
      Any company with sufficiently interesting hardware is welcome to send me a copy. Most hardware isn't very interesting though, so they'd likely have to pay me too.
    • throwup238 2 hours ago |
      iFixit offers their services to manufacturers: https://www.ifixit.com/solutions

      There are plenty of other consultants that do that too, but they don't have the same reach and brand recognition.

  • augunrik 10 hours ago |
    I love when people do this! Now we only need alternative software and the hardware is finally purchasable!

    Would be cooler if the hardware was more OS before but I take what I can get…

  • finaard 10 hours ago |
    This is pretty interesting to me for two reasons.

    First, I just came back from Germany where I've seen that thing in a shop. Didn't have much time to investigate due to the kids, but guessed that it's just NFC chips with data on the headphones.

    Second, I've been thinking about building a simple MP3-player for my kids for quite a while now, and (minus the obfuscation there) that's not far from what I've been thinking about doing.

    • taldo 10 hours ago |
      There's also yotoplay.com, although that one does seem to require wi-fi and cloud thingies.
    • dud3333 9 hours ago |
      Google tonuino. There are ready-made PCBs you can buy for it
    • nuitgaspard 9 hours ago |
      There have been multiple devices. I have been looking into the jooki box as well, which is quite hackable, tonibox is nice hardware (with already good firmware replacement), yoto is weird.
    • netsharc 8 hours ago |
      I was thinking of a steampunk music player using floppy disks: store a 32-bit (4 billion songs should be enough right?) ID onto a floppy, and have a player (it can be a Raspberry Pi with a USB floppy drive) read the ID, lookup the MP3 the ID corresponds to and play the MP3 from an attached storage device.

      Because floppies get bad sectors, the ID should be stored repeatedly on it, 4 bytes repeated to fill 1.38 MB should be redundant enough!

      I suppose without IDs, one can also store the artist name and song title, and do some text search to find the MP3. Or a YouTube video.

      • finaard 8 hours ago |
        I was thinking child friendly, so using NFC tags isn't such a bad idea - plus I have a few hundred spare ones in nice plastic casings. I'd also just store IDs on them, and either have the media files preloaded (as seems to be the case here), or have it download it from my media server on first use.

        The other thing I want (which they don't do) is the ability to resume playback at the same position, even when putting it into a different player - that's one reason I still have some audio cassettes for the kids. No other medium I'm aware of does that kind of easy state saving. My idea there is to have the tags locked in the player in a way that gives me enough time to write the position if the user tries to remove it.

        • afandian 4 hours ago |
          I did this for my child and it worked well. Arduino compatible RFID module, ESP32 with an SD card and I2S. I ended up renaming the MP3s to match the card serial numbers, rather than program each one.
  • Retr0id 9 hours ago |
    > We could brute force the 4 Bytes. Without any further assumption, this would be 255**4 possibilities, which is way to many.

    The author comes up with a much simpler attack in the end, but a 2^32 bruteforce would also have been perfectly doable, taking ~seconds with optimized code on modern hardware.

    • consp 9 hours ago |
      While I agree, isn't figuring out what kind of obfuscation they used part of the fun?
    • nuitgaspard 9 hours ago |
      Agreed :) the problem is though, that you have to decrypt the whole file every time and not just a few bytes, which makes this still a little bit longer. You get files, which identify as mp3, but are garbage, and have to check multiple frames.

      But agreed bruteforcing a 2^32 key is possible. The "way to many" was: "Way to many " for my taste.

      • Jerrrrrrry 7 hours ago |
        "ID3" should be the first few bytes.

        You could also put garbage data in nearly every frame and most modern codecs will fit it the best they can - for mp3 anyway.

        • nuitgaspard 5 hours ago |
          Jap...Checking for ID3 is not good enough in checking for correctly decrypted MP3. Brute Forcing with only small letters, you get approx 43k possibilities with "ID3" as the first 3 letters, that makes ~10% of all 26^4 possibilities. Jap, you only have to decrypt those 43k possibilities, but you have to look at the whole file.

          Even if you have garbage in the file, it is not the correct file, as the codec will ignore it, and the output is garbage.

          I haven't tried how many of these 43k actually work, or give you at least a partially good result.

          • Jerrrrrrry 10 minutes ago |
            On those 10%, look for another magic number, or entropy in general: correctly decrypted data must* have (usually) significantly lower entropy/randomness than encrypted data.

            A highly optimized (for this _exact_ context) hash/bloom function may yield comparable results, in general.

            Or you can compute an efficient delineation algorithm using the docs:

            https://www.loc.gov/preservation/digital/formats/fdd/fdd0001...

            If the so many bytes of the rolling context don't match any numbers, keep brut'in the key til you have magic numbers and non-random garbage.
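The subthread above turns on a validation question: the "ID3" magic alone is a weak test for a correctly decoded file, so a checker has to actually walk the format (ID3v2 header with its sync-safe size, then MPEG audio frames that chain onto each other) and can use byte entropy as a secondary signal. The block below is an added example, not code from the thread or from the article under discussion; it implements that validator for MPEG-1 Layer III only, and the sample input, the 4-byte XOR used to produce an opaque-looking file, and the thresholds are all constructed here for illustration.

```python
"""Validate a candidate MP3 more strictly than checking for the "ID3" magic:
parse the ID3v2 header, then walk consecutive MPEG-1 Layer III frames and
require each one to land exactly on the next frame sync."""
import math
import random
from collections import Counter

# MPEG-1 Layer III bitrate (kbit/s) by 4-bit header index; index 0 = free format, 15 = invalid
MPEG1_L3_BITRATES = [None, 32, 40, 48, 56, 64, 80, 96, 112, 128, 160, 192, 224, 256, 320, None]
MPEG1_SAMPLE_RATES = [44100, 48000, 32000, None]   # 2-bit index; 3 is reserved


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 is uniformly random; text-like regions such as ID3 tags sit far lower.
    Note that compressed audio frames are themselves close to 8.0, so entropy only helps on headers."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def id3v2_tag_length(data: bytes):
    """Total ID3v2 tag length (10-byte header + body), or None if the header is malformed."""
    if len(data) < 10 or data[:3] != b"ID3":
        return None
    if data[3] == 0xFF or data[4] == 0xFF:        # version bytes must not be 0xFF
        return None
    size_bytes = data[6:10]
    if any(b & 0x80 for b in size_bytes):         # sync-safe integer: high bit of each byte is clear
        return None
    size = (size_bytes[0] << 21) | (size_bytes[1] << 14) | (size_bytes[2] << 7) | size_bytes[3]
    return 10 + size


def mpeg1_layer3_frame_length(hdr: bytes):
    """Frame length in bytes for an MPEG-1 Layer III header, or None if these 4 bytes are not one."""
    if len(hdr) < 4:
        return None
    if hdr[0] != 0xFF or (hdr[1] & 0xE0) != 0xE0:                  # 11-bit frame sync
        return None
    if (hdr[1] >> 3) & 0x3 != 0x3 or (hdr[1] >> 1) & 0x3 != 0x1:    # MPEG-1, Layer III only
        return None
    bitrate = MPEG1_L3_BITRATES[hdr[2] >> 4]
    sample_rate = MPEG1_SAMPLE_RATES[(hdr[2] >> 2) & 0x3]
    padding = (hdr[2] >> 1) & 0x1
    if bitrate is None or sample_rate is None:
        return None
    return 144 * bitrate * 1000 // sample_rate + padding


def count_chained_frames(data: bytes, offset: int, limit: int = 8) -> int:
    """Walk frames from `offset`; stop at the first header that does not parse or does not fit."""
    count = 0
    while count < limit:
        length = mpeg1_layer3_frame_length(data[offset:offset + 4])
        if length is None or offset + length > len(data):
            break
        offset += length
        count += 1
    return count


def classify(data: bytes, min_frames: int = 3) -> str:
    """'plausible-mp3': sane ID3v2 header followed by min_frames chained audio frames;
    'magic-only': the "ID3" bytes are there but nothing coherent follows; 'opaque': neither."""
    if data[:3] != b"ID3":
        return "opaque"
    tag_len = id3v2_tag_length(data)
    if tag_len is not None and count_chained_frames(data, tag_len) >= min_frames:
        return "plausible-mp3"
    return "magic-only"


def build_sample_mp3(frames: int = 4, seed: int = 1) -> bytes:
    """Constructed stand-in for a real file: ID3v2.3 header, one TIT2 text frame, then MPEG-1 Layer III
    frame headers at 128 kbit/s / 44.1 kHz (417 bytes per frame) with pseudo-random bytes as 'audio'."""
    body = b"TIT2" + b"\x00\x00\x00\x0a" + b"\x00\x00" + b"\x00Test Song"   # 20-byte tag body
    header = b"ID3\x03\x00\x00" + bytes([0, 0, 0, len(body)])              # sync-safe size = 20
    rng = random.Random(seed)
    out = bytearray(header + body)
    for _ in range(frames):
        out += b"\xff\xfb\x90\x00"                                  # sync, MPEG-1, Layer III, 128k, 44.1k
        out += bytes(rng.getrandbits(8) for _ in range(417 - 4))
    return bytes(out)


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Constructed repeating-XOR obfuscation, only used here to produce an opaque-looking input."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def demo() -> dict:
    plain = build_sample_mp3()
    obfuscated = xor_with_key(plain, b"abcd")
    # Valid-looking ID3 header, then bytes that can never contain a frame sync (all < 0x80)
    magic_only = plain[:30] + bytes(random.Random(2).getrandbits(7) for _ in range(600))
    return {
        "plain": classify(plain),
        "obfuscated": classify(obfuscated),
        "magic_only": classify(magic_only),
        "entropy_tag_region": round(shannon_entropy(plain[:30]), 2),
        "entropy_audio_region": round(shannon_entropy(plain[30:]), 2),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The design point is that the frame walk is the strong check: a wrong key that happens to yield "ID3" at offset 0 still has to produce a sync-safe size that lands on a valid frame header, whose computed length lands on another one, and so on; the entropy figure is only useful on the tag region, since genuine compressed audio is nearly as random as ciphertext.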

  • throwaway48476 23 minutes ago |
    Excellent work, an interesting read.