oooh, the redbox uses full AES encryption!

and they always use the same key which is embedded in the executable right next to the encrypt() and decrypt() functions. well done, guys

correction: they hardcode two separate keys in the two separate places (that I've found so far) which use AES.

this code is enterprise as hell

you need the url for the base client? well you use Redbox.Rental.Services.KioskClientService.KioskClientServiceBaseUrl which is a property that'll ask the ServiceLocator to find an instance of IConfiguration to get the KioskClientServiceBaseUrl object out of it

they wrote their code as a fuckton of C# services that are always HTTP POSTing at each other
HTTP is, as always, the poor man's IPC

they logged the first six digits and last 4 digits of every credit card transaction.

HAVE YOU EVEN HEARD OF PCI?

Edit: this is technically allowed by PCI.

1234 56## #### 7890

can I buy a vowel?

I'm trying to tar up a redbox install and upload it, but each time the tar gets past 50% we find another file with PII in it
You're telling me!

OH HEY BAD NEWS:

when someone opens up the hard drive of a redbox unit, they can pull a file which has a complete list of titles ever rented, and the email addresses of the people who rented them, and where and when

the unit I've got an image for has records going back to at least 2015.

I was able to easily match one of them to a real name

I have 2471 transactions here.
Somebody I'll call Dave Fakename rented The Giver and The Maze Runner in Morganton, NC on 2015-05-23 at 6:43pm

found a THIRD set of encryption code.
this one is 3des instead of AES, and YEP they still hardcode the passkeys

Redbox.HAL.Configuration.ConfigurationFileService implements IConfigurationFileService

STOP MAKING SERVICES AND FACTORIES AND INTERFACES AND JUST READ THE FUCKING JSON FILE YOU ENTERPRISE FUCKERS

AND HEY YOU DON'T NEED A SEPARATE C# CLASS FOR EACH XML FILE YOU LOAD

YOU CAN JUST HAVE AN XMLLOADER CLASS AND A GENERIC CONFIG FILE. PLEASE

this is the kind of code you get when you hire 20 new grads who technically know C# but none of them has written any software before

so these people wrote a mostly C# program, with some lua for glue scripting.

and then they implemented their own language. it's some bastardized version of BASIC

it's a compiled (to bytecode? I think?) cooperative-multitasking BASIC.

and god I wish it was the only one of those I'd ever seen

okay by "compiling" they mean "parsing". The output of the compiler is a list of tokens, the input is a text file

example code:

POP START-DECK
POP START-SLOT
POP END-DECK
POP END-SLOT

IF END-SLOT > MAX-SLOT-PER-DECK
SET END-SLOT MAX-SLOT-PER-DECK
ENDIF

Foone's official list of things they never expected to implement their own multitasking programming language, yet found one anyway:

* Redbox vending machine motors
* Wheel of Fortune (2011, Wii)

Redbox.HAL.IPC.Framework.ClientSessionFactory

PLEASE, NO MORE FACTORIES

MY CHILDREN ARE STARVING

oh good they implemented both an internal C# dynamic plugin loading system, as well as the ability to craft arbitrary Invoke()s over TCP/HTTP.

So you can call any C# function from anywhere on the machine, I think?

So, quick summary:
Redbox went bankrupt and the machines are getting in the hands of individuals. The disk image has been dumped. The software is being reverse engineered: they're not currently very useful, since they need to talk to a server that's gone.

But progress is being made

the devices themselves are windows 7 machines talking to the disc library. It's a small group of services talking to each other, mainly over HTTP
it's primarily written in enterprise-as-fuck C#, with some lua scripting, and the "HS" scripting language which seems to be proprietary to redbox machines.
I'm currently trying to acquire one so I can do more hands-on reverse engineering, but for now I'm focusing on the software and how it all interacts

and I'm told Doom has already been run on them. It's windows 7, it can run many doom sourceports.

With a little extra work you could probably play native MS-DOS Doom on them

MORE FUN FACTS:

it turns out the device has a database on it which lists the location of every single other redbox machine. full addresses.

If you got here from hackernews, you can pay me here:

https://ko-fi.com/fooneturing

I mean, it'd be nice if anyone else gave me money, I could really use it. But it's not required, unless you found this on hackernews.
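Going back to the card-number logging earlier in the thread (first six and last four digits kept, the middle replaced with `#`): the sketch below is an added example, not code from the thread or from Redbox. It scrubs log lines so that any full card number is reduced to that same first-six/last-four form. The log format, sample lines and function names are constructed for illustration.

```python
import re

# Candidate card numbers: 13-19 digits, optionally grouped with spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Constructed sample log lines (assumed format, not real kiosk logs).
SAMPLE_LOG = [
    "2015-05-23 18:43:02 AUTH card=4111 1111 1111 1111 amt=1.20",  # full test PAN
    "2015-05-23 18:43:05 AUTH card=1234 56## #### 7890 amt=1.20",  # already masked
    "2015-05-23 18:43:09 TXN id=1234567890123456 status=OK",       # 16 digits, fails Luhn
]


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to tell card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits, mask everything between."""
    return digits[:6] + "#" * (len(digits) - 10) + digits[-4:]


def scrub_log(lines):
    """Return (scrubbed_lines, number_of_full_card_numbers_found)."""
    found = 0

    def repl(match):
        nonlocal found
        digits = re.sub(r"[ -]", "", match.group(0))
        if not luhn_ok(digits):
            return match.group(0)      # not a card number, leave untouched
        found += 1
        return mask_pan(digits)

    return [PAN_RE.sub(repl, line) for line in lines], found


if __name__ == "__main__":
    scrubbed, count = scrub_log(SAMPLE_LOG)
    print(count, "full card number(s) masked")
    print("\n".join(scrubbed))
```
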

@foone An old random personal project of mine was recently at the top of the orange site, and my mentions were an even mix of "wow, what an honor!" and "I'm sorry for your loss."
@foone
Grats on making it to the front of HN
@foone this thread makes me feel a lot better about my code.
@benjistokman @foone I haven't written code since copying BASIC verbatim from an old magazine for fun, and this makes me feel a lot better about my code.
@foone so why did that error message ask you to dial a number then??
@foone There is a halfway decent chance I might be able to assist. AMA not directly about the hardware and I will see what I can dig up from memory. Be advised, I am intermittently on and might forget to check for days at a time.

@foone

Ohhh I do love me an embedded scripting language. Do you know if there’s any info on the HS language, or if you have time would you mind posting a sample or two?

@rk there's no info, but there are some samples. I don't have access to the full ones right now, but here's a snippet from the discord:

GRIPPER STATUS
POP GRIPPER-STATUS
IF "FULL" == GRIPPER-STATUS
LOG "The gripper is full - please fix."
APPLOG "The gripper is obstructed - exiting."
RESULT CODE="ItemStuckInGripper" MESSAGE="There is a disc stuck in the picker."
EXIT "Gripper is obstructed."
ENDIF

@foone @rk Why the fuck would you need a domain specific language for that boring code?
@elronxenu @rk I have no idea!
@foone @elronxenu @rk And why they needed a new one when they already had Lua in their stack.
@elronxenu @foone @rk Because otherwise you would "need" another 10,000 lines of FactoryFactories?
@tomw @foone @rk My factories factorise themselves. Thus, I need supply only an appropriate combination of prime factors.
@foone @rk I wonder if there's an item stuck in the gripper

@wilbr @foone

It does seem a bit insistent on the point.

@rk @foone I've got a disc stuck in my picker if you know what I mean
@foone I understand 10% of what you are ranting about, but it was 100% fun to read 😆👍
@foone concept: fill it with Valve games and paint it orange
@foone It would be amazing if you could figure out a way to create a program that empties the machine and secure wipes the drives...
@gudenau yeah we've talked about that in the discord. We've compiled a list of places it stores PII
@foone probably not at all a security risk, no need to think twice about that one
@foone I've worked for a company that did this. Their justification was they targeted hardware that was so slow they had to offload those calls to a remote server over EDGE, but the same code had to run fast on desktop computers. By the time the project was ready for production, people had iPhones in their pockets, and 3G was getting replaced by LTE.
@foone (THANK YOU. I hate the factory paradigm)
@foone they wouldn't be starving if you sent them to the factory:V

@foone But they need a factory to make the ClientSessionFactory. A ClientSessionFactoryFactory if you please.

Of course, we need somewhere to make the ClientSessionFactoryFactory...

@foone

THEY CAN WORK IN THE FACTORIES

"Why I Hate Frameworks", Benji Smith (The Joel on Software Discussion Group)

GitHub - EnterpriseQualityCoding/FizzBuzzEnterpriseEdition: FizzBuzz Enterprise Edition is a no-nonsense implementation of FizzBuzz made by serious businessmen for serious business purposes.

@growlph @foone I have seen that before, but it’s always worth a re-read.
@foone I now really want the forbidden knowledge of wheel of fortune’s bespoke multitasking programming language
@foone I was gonna say it sounds like when someone's made their 5th website entirely by following the same Rails video tutorial they've used for the first 4, again, just massaging object names a little and praying they didn't break it.

@KayOhtie @foone a lot of this hardware dates back to 2007 / 2008 when Redbox specifically contracted to make their own hardware for this. A lot of this stuff was probably made by a handful of contractors to start and then, eventually, a few handfuls of developers.

It basically peaked in 2013 at $2B in revenue, it only rolled out 300 new kiosks that year. And it peaked just above 43k kiosks. They're listing 24k kiosks to decommission, likely meaning each one has been in service since before 2013.

@KayOhtie @foone

And it wasn't some well-funded startup with Tech talent from the Bay area. It was likely a bunch of people who hacked this together in the days when he would still use FTP to ship the new code to the server. I was doing that with .NET in 2010.

And by 2015 it was clear the ship was sinking. So nobody was going to spend money trying to bring this thing up to modern standards. Why bother?

Redbox's Business Model Doomed as DVD Rental Demand Shrinks

Once-hot Redbox's business model is doomed to go the way of rival Blockbuster as demand for DVD rentals shrinks.

Variety

@foone I saw this with people that had been doing it for 20 years but clearly not very well.

They were smart enough to use PBKDF… but the output of this was always a constant because they seeded the RNG with the same value and used a random number as the password.

I tried to explain why that’s stupid and they argued that they have no way for the server to know the correct key if they did it differently. Yes, but … this is not a hard problem to solve?
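The failure described in this reply, beside one common fix, as an added Python example (not the code from the reply, and not Redbox's). The seed value, the fixed salt, the iteration count and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import random

ITERATIONS = 100_000          # assumed work factor for this sketch
FIXED_SALT = b"fixed-salt"    # assumption: the reply does not say how the salt was chosen


def flawed_key(seed: int = 1234) -> bytes:
    """A 'random' password drawn from an RNG that is always seeded the same way."""
    rng = random.Random(seed)                        # same seed, same stream, every run
    password = rng.getrandbits(128).to_bytes(16, "big")
    return hashlib.pbkdf2_hmac("sha256", password, FIXED_SALT, ITERATIONS)


def enroll(secret: bytes) -> dict:
    """Derive from a real secret with a fresh random salt.

    The salt and iteration count are not secret: they are stored next to the
    record, which is how the server can reproduce the derivation later.
    """
    salt = os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", secret, salt, ITERATIONS)
    return {"salt": salt, "iterations": ITERATIONS, "derived": derived}


def verify(secret: bytes, record: dict) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    derived = hashlib.pbkdf2_hmac(
        "sha256", secret, record["salt"], record["iterations"]
    )
    return hmac.compare_digest(derived, record["derived"])


if __name__ == "__main__":
    print("flawed output is constant:", flawed_key() == flawed_key())
    a, b = enroll(b"example secret"), enroll(b"example secret")
    print("same secret, different salts, different output:", a["derived"] != b["derived"])
    print("server can still verify:", verify(b"example secret", a))
```
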

@foone seven hells, Redbox is sounding like a checklist of how NOT to do infosec. 3DES?! in the year of our goddess 2024?!
@gothodile @foone the algorithm is completely irrelevant when the key is left in the lock. They could use the Caesar cipher without reducing security.
@dragonfrog @foone thanks for pointing that out! I would have NEVER known that in my four years as an infosec professional.