This isn't true at all. Yes, LLMs have made it dramatically easier to analyse, debug and circumvent. Both for people who didn't have the skill to do this, and for people who know how to but just cannot be bothered because it's often a grind. This specific device turned out to be barely protected against anything. No encrypted firmware, no signature checking, and built-in SSH access. This would be extremely doable for any medium skilled person without an LLM with good motivation and effort.

You're referring to George Hotz, which is known for releasing the first PS3 hypervisor exploit. The PS3 was / is fully secured against attackers, of which the mere existence of a hypervisor layer is proof of. Producing an exploit required voltage glitching on physical hardware using an FPGA [1]. Perhaps an LLM can assist with mounting such an attack, but as there's no complete feedback loop, it still would require a lot of human effort.

[1] https://rdist.root.org/2010/01/27/how-the-ps3-hypervisor-was...

I suppose this could save a bit of time if you don't already have Wireshark installed, with a minor risk of hallucinations.

Other than this, he used Docker for some reason* to edit ~root/.ssh/authorized_keys and /etc/shadow in the firmware tarball, then wrote a quick Python script to send the relevant HID messages and copy the modified tarball to a volume mounted from a USB drive exposed by the device in response to one of the HID messages.

Maybe he used Claude to do some of this other stuff. Who knows? But the only thing in the post or the linked scripts that wasn't immediately obvious to me is why he installed the whois package in his Ubuntu container, but it turns out that, in Debian, the mkpasswd utility is installed by the whois package for historical reasons[1].

So basically, you have to be an insane hacker, or else have a basic working knowledge of Linux system administration (or at least know how to use the man(1) command; then again Google would probably suffice as an alternative) and how to write trivial programs in any language with bindings to a USB HID library.

* Presumably because he was on a Mac and didn't have a Linux box handy to generate the hashed password (which requires using glibc crypt(3) in a way that isn't compatible with macOS libc crypt(3), so nontrivial on a Mac).

Not sure why he needed password authentication in the first place, but, at the author's request, I won't shoot him.

I will, however, point out that, unless the sshd_config file on the device already set PermitRootLogin to something other than the default "prohibit-password", password authentication wouldn't have worked to log in as root, even with PasswordAuthentication set to "yes".

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=116260

Not for long. Picture this: a robot receives instructions on what to physically solder in order to complete the desired modification task.

However, before it can send an image back to the vision-aware LLM guiding it, the PCB lights on fire along with the robot because said LLM confidently gave the wrong instructions.

Then, the robotic fire brigade shows up and mostly walks into walls unable to navigate anywhere useful.

The future is bright.

These were the same people that then went on to explain how they reverse-engineered the encryption keys of the PS3 to enable "fakesigned" code to be installed

LLMs have had no problem modifying software on an attached android phone. It's only a matter of time.

I’m very used to doing this stuff manually for various devices and software, but am also interested in tracking llm progress, and it seemed simple enough to get a rundown of what was happening while I did other work.

It was the first time I have messed around with hid devices though, so that was aided by claude

and yeah i’ve been bit by having to google how to get mkpasswd dozens of times over the years and used to have to do a lot of rootfs editing on a mac, so I got used to doing it in a container.

no real reason for wanting pw auth, I ended up turning it off afterwards but it’s been a bit since I wrote this

thanks for the comment!

Not to say it's not super useful, as we can see in the article

https://en.wikipedia.org/wiki/Virtual_machine_escape

the guy found this through looking at the firmware but nmap -p 22 would have also found this

So like the first thing you would do to attack the device

I found an issue exactly like this on an ISP-provided router. I am nowhere near geohot but also didn’t even do as much as the guy in the article lmao

A bit of time is an understatement.

I used Wireshark to analyze various things (mostly smart home) over the years, but now CC does in minutes what it would take me a few hours before - and provides dedicated, custom made panels for whatever I want.

As an example - debugging KNX magistrale in my home, previously it was either wireshark and a ton of regexes, handwritten scripts (or official software that was terrible), now you just tell CC what you want to extract, and you get beautiful real-time views of the activity.

One thing is previewing the traffic, but then CC can easily fetch docs for any device it finds on the network, if it has an API (official or not), utilize it and do whatever you want.

It would solve the issue in a similar way. One pc runs the mixer. The mixer has an input channel for local mic.

Other PC broadcasts their mic to the mixer, which comes in as 'channel 2'.

You can even have music playing on your local PC, either the mixer or broadcaster creates a local sink.

It's all then mixed in the mixer, there's 3 outputs. You could say use the main out to send to discord.

And the monitor line would be used to output Discord audio, which can then be relayed to the other PC for realtime listening.

It’s a printer that I think was released in ~2009 (I am not able to check right now), and in order to upgrade the RAM to 256MB I needed to do a firmware update.

I dreaded this, but then I found out that all you do to update the firmware was FTP a tarball to the printer over the network. I dropped it in with FileZilla, it spent a few minutes whirring, and my firmware was updated.

Then I got mad that firmware updates are ever more complicated than that. Let me FTP or SCP or SFTP a blob there, do a checksum or something for security reasons, and then do nothing else.

It's funny this comes up now. Tomorrow I'm dragging my Zoom R20 recorder on-site to use as an overly-featured USB audio interface for a single-mic live stream. If I'd know this about Rode a week ago I'd have purchased one of these and could have left my R20 hooked-up in the home studio!

They're all firmware restricted to justify buying more expensive models, in one way or another way.

DNG support would be pretty awesome too.

It didn't directly give access to anything however. IIRC they heavily relied on other complex exploits they developed themselves, as well as relying on earlier exploits they could access by rolling back the firmware by indeed abusing the ECDSA implementation. At least, that turned out to be the path of least resistance. Without earlier exploits, there would be less known about the system to work with.

Their presentation [1] [2] is still a very interesting watch.

[1] https://www.youtube.com/watch?v=5E0DkoQjCmI

[2] https://fahrplan.events.ccc.de/congress/2010/Fahrplan/attach...

Also Phase One Support/Repair is absolutely phenomenal and unless you toast the sensor; repairs are “fairly” economical.

Fortunately the first stage bootloader (which may have been in ROM) was intact, and had debugging commands that allowed reading and writing bytes of memory one at a time, and to jump to a specific memory address.

After using IDA to find the compressed firmware in the update blob and figure out how the update process worked, I was then able to use an expect script to use bootloader commands to slowly poke the firmware and the code that decompressed and copied the updated firmware to flash (extracted from the firmware itself after decompressing it with zlib) into RAM a byte at a time, then to jump to the uploaded code to finish the installation.

Worked like a charm, and enabled me to continue using the device for several years until I no longer had a use for it.

I know headsets aren't everyone's cup of tea, but a mic close to the source (your mouth) with good noise canceling is a solid solution.

Whose security are we talking about here? Mine, or the manufacturer's?

The only thing that is a little sad about it is that for example the faders do nothing when the R16 is in USB audio interface mode.

It does however like to randomly turn on reverb and one other effect after power cycling. Which I sometimes forget and then wonder for half a second why the audio is sounding weird :P So there is some extra functionality that is available even in USB audio interface mode, although in this case not desirable for me to have enabled within it. If I want to add reverb or other effects when using the R16 as USB audio interface, I prefer to do so in the DAW. I would have liked to be able to use the faders though.

Very cool!

[1] https://en.wikipedia.org/wiki/Cyber_Resilience_Act

It used to be completely open lol

Not true. There's way more than that list. I could immediately think of 2 more from last year: CVE-2025-22224 and CVE-2025-22225

I'm running my R20 in USB interface / stereo mix mode and the faders do work. I didn't think about trying to apply any effects. I'll play with that, for fun, but I'd definitely add them in the DAW as well. (I really only use my R20 for multitrack recording and do all my effects in the DAW. I like it, and it can do a ton standalone, but my workflow really just needed a multitrack recorder and I could have probably spent a lot less. It just looked like fun...)

Or maybe there's two people in the room, each on different channels altogether. In this case the other person is just uncorrelated background noise instead of a persistent echo.

Or, in-context: There's two people in the same room, both talking on the same Discord channel.

Anyway, audio routing is useful. Being able to route audio with two different PCs is a pretty neat feature of the rodecaster.

also the audio output of each computer is routed thru the box as well, so i can mix my girlfriend’s computer into her headphones as well as my microphone, so she can hear me with noise canceling headphones, or turn off my microphone if i’m working so she can do stuff without my mic in her ears.

Or if she’s watching a movie or something I can also add her computer audio to my headphones. There’s even a separate audio output for host 1 where you can put ‘chat’ on, like discord on a dedicated interface, so that your application audio is clear and isolated. It’s hella expensive but it really is a great device

Checksums are great for helping to validate data integrity. And data integrity can be related to security.

But over the last 25 years or so, I've grown to become pretty averse to phrasing that parse like "for security purposes".

If your new product cannot have its CE mark for whatever reason, you will not have the approbations to sell in the USA either.

What the CRA will do, is if you do not have a "CRA" compliant product, you will not have the CE mark. Which means you will not (with very high probability) have the other marks needed to sell outside Europe.

Maybe then you can just sell to your close family members who like you, but good luck if you get caught and it can be proven that your shitty device caused a fire ...

I worked for a US manufacturer that only sold directly in the US, and we never bothered getting CE certification on anything, just FCC. Lots of Europeans imported our products, but we left EU compliance up to them.

The size of the EU market didn't justify the costs of regulatory compliance.

A lot of consumer electronics need to be FCC compliant, which involves a process of proving that the device doesn't emit too much of the wrong EMI/RFI in the wrong places.

And safety-wise, we use tend to use ETL, UL, and CSA for testing. These are third-party Nationally Recognized Testing Labs, and their own marks are used on devices they approve. But they're only really concerned about the safety of a product. In very broad strokes: If the device is proven to be unlikely-enough to burn a house down or cause electrical shock to humans, then it gets approved.

CE is a whole different thing. No government body in the USA requires or respects a CE mark on consumer goods; that mark doesn't hold any legal weight here.

Whether good or bad, CE is just not how we roll on this side of the pond.

(Of course, none of that means that laws in the EU don't affect product availability and features here. Globalization be that way sometimes.)

Yeah, compliance is almost voluntary unless you're absolutely huge.

I understand your point though. Of course a US company that is only ever going to sell in the US does not need to bother with international marks.