Having the firmware image just be a boring old tarball + hash sounds super nice. I wish more devices were this open, and I hope Rode won't see this and decide to lock the firmware upgrades down.
Its still crazy to me that everyone has a pocket AI-hacker ready to inspect firmware and modify their devices now. You just put the agent on it and it gives you access in minutes. You would have to be a Hotz tier hacker if you wanted to do anything close to this only last year, or at the very least extremely patient for long hours.
I really want to know how he solved this problem, which I also face:
>last year i bought a Rodecaster Duo to solve some audio woes to allow myself and my girlfriend to have microphones to our respective computers when gaming together and talking on discord in the same room without any echo
I think "my audio interface is a 64-bit Linux computer" would've sounded far more interesting to me as a title. Perhaps a decade or two ago, the functionality of that device would've likely been implemented on a small 16-bit or 32-bit SoC running an RTOS like VxWorks.
Given how many physical controls it has, turning it into a game console seems like a logical next step.
It's a Sydney company. But parts are now manifactured in China. So who added this backdoor to listen to its customers? The CIA has similar companies doing it over popular loudspeakers. Could also be the Chinese.
Yeah, this is pretty common once a device has any real DSP in it. There's usually some stripped-down Linux on an ARM SoC underneath, and the vendor BSP just happens to ship with sshd on.
Not necessarily malice, more like nobody on the audio side really owns the rootfs.
The big question is whether it's only listening on the USB-side network, or on the actual LAN. First one is annoying. Second one would actually bother me.
Linux defaults are unfortunately not great for production of devices of this nature. By comparison, android ships with 3 default image types, eng, userdebug, and user. By creating this system of preconfigured defaults, it makes it easy to avoid this sort of mistake.
The thing I always come back to with this stuff is that "signed firmware" and "open firmware" aren't actually opposites, they just get treated that way. Ship it with verification on by default, fine, but let the owner enroll their own key (or flip a jumper, or hold a button on boot, whatever). Basically nobody does this outside of a couple of Chromebooks and some networking gear, so every conversation about firmware security ends up being a fight between "lock it down" and "leave it wide open" instead of "let the person who paid for the hardware decide."
Rode shipping a tarball + hash is great. Just hoping that if they ever do tighten it up, they tighten it in a way that still lets me put whatever I want on a thing I own.
19 comments
[ 3.3 ms ] story [ 53.7 ms ] threadBut... please do not forget that the CRA will put a heavy blanket on that fire.
>last year i bought a Rodecaster Duo to solve some audio woes to allow myself and my girlfriend to have microphones to our respective computers when gaming together and talking on discord in the same room without any echo
Given how many physical controls it has, turning it into a game console seems like a logical next step.
Hard to beat the cost and compatibility of linux too.
Not necessarily malice, more like nobody on the audio side really owns the rootfs.
The big question is whether it's only listening on the USB-side network, or on the actual LAN. First one is annoying. Second one would actually bother me.
Rode shipping a tarball + hash is great. Just hoping that if they ever do tighten it up, they tighten it in a way that still lets me put whatever I want on a thing I own.