2008-01-07

Hardware hacking or how I learned to love the DRM

My friend, roommate and/or wife (pick two) has a Sony Network Walkman NW-E507. Quite a nice piece of hardware in and of itself—gotta love the shiny bright OLED (or whatever) display.

It has only one shortcoming, and a huge one at that. Designed from the ground up with DRM in mind, it seems that the only way to upload music is to use Sony SonicStage software: it converts files to ATRAC3 (supposedly the only format the device can play), encrypts them, and only after that preparation (plus adding entries to directory files in a proprietary binary format) can they be played back. Quite amazingly odd, if you ask me—especially given it's a USB Storage device.

What's worse, the software is only available for Windows and doesn't seem to work in Wine at all. (appdb.winehq says someone succeeded in running it, but I have no patience for trying different Wine versions and a crazy mix and match of config files and DLLs. Sorry.) This is quite a major headache, as I've recently convinced her to switch to Ubuntu (so we're now running a 100% Windows-free household), and now she's effectively unable to use the player (well, only as a really cool-looking portable radio).

After some googling, it seemed there was no way to drive it from Linux. But then again, it seems to semi-officially support playing MP3 files—but they have to be encrypted, too. Looking deeper, I found mlsony—an open-source plugin for Winamp that allows uploading and downloading MP3s to and from the Walkman. It is written in rather clean C++, so it wouldn't be hard to port.

Now, what's cool is that it seems they have succeeded in reverse-engineering the encryption format; alas, the plugin needs a key, and to get the device key, you have to run another proprietary Sony program.

As it wouldn't work in Wine either, I had a choice: either go through the hell of installing Windows (or downloading a VM, anyway) and running it just to get those fricking 16 bytes, or reverse engineer the app. Obviously the latter seemed more fun, so that's just what I did.

After some fun with freeIDA, assembly and WINAPI (thank you ReactOS for a clean reference and clean header files!) I finally found out that getting the key is a piece of cake. All that needs to be done is to send special SCSI commands to the device: first to authorize you, and then to read the key.

You can even do that from the command line. Just make sure you have sg3-utils and xxd installed and run:

echo 00 12 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | xxd -r -p | sg_raw -s 20 /dev/sg2 a3 00 00 00 00 00 00 bc 00 14 30 00
sg_raw -r 18 -o sonydid /dev/sg2 a4 00 00 00 00 00 00 bc 00 12 3f 00
cat sonydid | tail -c16 > key

There, you have your device key in the key file! Just be sure to substitute your Walkman's device node for /dev/sg2.

(Keep in mind that I have not tested the key yet; I have disassembled the validation procedure of the Sony software, and the string I've obtained seems all right. If you need to know, the magic value is 03 01 01 00 00 00.)
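
The commands above run one after another regardless of failures, so a rejected authorization or a short read still leaves something in the key file. As an added example (not code from the original post; the function names, temp file and script name are assumptions), the same two sg_raw calls with each step checked and the 18-byte response validated before its last 16 bytes are kept:

```shell
#!/bin/sh
# Added example: the post's two sg_raw calls, with error checks.
# Function names and the temp-file handling are illustrative assumptions.

RESP_LEN=18   # bytes requested by the read command (-r 18)
KEY_LEN=16    # the post keeps the last 16 bytes as the device key

# extract_key RESPONSE_FILE KEY_FILE
# Rejects a response of the wrong size instead of silently writing a bad key.
extract_key() {
    resp=$1 out=$2
    [ -f "$resp" ] || { echo "no response file: $resp" >&2; return 1; }
    size=$(wc -c < "$resp" | tr -d ' ')
    if [ "$size" -ne "$RESP_LEN" ]; then
        echo "expected $RESP_LEN bytes, got $size" >&2
        return 1
    fi
    rm -f "$out"
    # A newly created key file is readable by its owner only.
    ( umask 077; tail -c "$KEY_LEN" "$resp" > "$out" )
}

# key_hex KEY_FILE: print the key as 32 hex digits.
key_hex() {
    od -An -v -tx1 "$1" | tr -d ' \n'
}

# read_device_key SG_DEVICE KEY_FILE
# Authorization write, then the read; stops at the first failing step.
read_device_key() {
    dev=$1 out=$2
    tmp=$(mktemp) || return 1
    echo 00 12 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |
        xxd -r -p |
        sg_raw -s 20 "$dev" a3 00 00 00 00 00 00 bc 00 14 30 00 &&
    sg_raw -r "$RESP_LEN" -o "$tmp" "$dev" a4 00 00 00 00 00 00 bc 00 12 3f 00 &&
    extract_key "$tmp" "$out"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Touches a device only when given two arguments: sh getkey.sh /dev/sg2 key
if [ "$#" -eq 2 ]; then
    read_device_key "$1" "$2"
fi
```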