19 comments

[ 3.3 ms ] story [ 53.7 ms ] thread
Having the firmware image just be a boring old tarball + hash sounds super nice. I wish more devices were this open, and I hope Rode won't see this and decide to lock the firmware upgrades down.
why was disclosure the objective? wouldn't you want to keep this interface open?
I understand the hacker rationale to have fun owning the device, and i would like it to stay that way.

But... please do not forget that the CRA will put a heavy blanket on that fire.

Its still crazy to me that everyone has a pocket AI-hacker ready to inspect firmware and modify their devices now. You just put the agent on it and it gives you access in minutes. You would have to be a Hotz tier hacker if you wanted to do anything close to this only last year, or at the very least extremely patient for long hours.
I really want to know how he solved this problem, which I also face:

>last year i bought a Rodecaster Duo to solve some audio woes to allow myself and my girlfriend to have microphones to our respective computers when gaming together and talking on discord in the same room without any echo

Nice writeup and great domain. I don't know Zola and don't know if this is a common template or a custom jobbie but it's lovely.
I think "my audio interface is a 64-bit Linux computer" would've sounded far more interesting to me as a title. Perhaps a decade or two ago, the functionality of that device would've likely been implemented on a small 16-bit or 32-bit SoC running an RTOS like VxWorks.

Given how many physical controls it has, turning it into a game console seems like a logical next step.

Current ram/storage squeeze aside, chips are cheap. Cheap as chips.

Hard to beat the cost and compatibility of linux too.

Good old local Aussie guys write this. If you had something you wanted to report I'd just give them a call. We almost speak English down here.
It's a Sydney company. But parts are now manifactured in China. So who added this backdoor to listen to its customers? The CIA has similar companies doing it over popular loudspeakers. Could also be the Chinese.
It runs jack audio. This thing is literally jack in the box!
Yeah, this is pretty common once a device has any real DSP in it. There's usually some stripped-down Linux on an ARM SoC underneath, and the vendor BSP just happens to ship with sshd on.

Not necessarily malice, more like nobody on the audio side really owns the rootfs.

The big question is whether it's only listening on the USB-side network, or on the actual LAN. First one is annoying. Second one would actually bother me.

Linux defaults are unfortunately not great for production of devices of this nature. By comparison, android ships with 3 default image types, eng, userdebug, and user. By creating this system of preconfigured defaults, it makes it easy to avoid this sort of mistake.
is he happy that rode has an ssh to his device? the guy is like too nice. where's the outrage?
I think many vendors think security is synonymous with "hard to clone". This us why they require signed images and so on.
The thing I always come back to with this stuff is that "signed firmware" and "open firmware" aren't actually opposites, they just get treated that way. Ship it with verification on by default, fine, but let the owner enroll their own key (or flip a jumper, or hold a button on boot, whatever). Basically nobody does this outside of a couple of Chromebooks and some networking gear, so every conversation about firmware security ends up being a fight between "lock it down" and "leave it wide open" instead of "let the person who paid for the hardware decide."

Rode shipping a tarball + hash is great. Just hoping that if they ever do tighten it up, they tighten it in a way that still lets me put whatever I want on a thing I own.