Alice Averlong🏳️⚧️oooh, the redbox uses full AES encryption!
and they always use the same key which is embedded in the executable right next to the encrypt() and decrypt() functions. well done, guys
correction: they hardcode two separate keys in the two separate places (that I've found so far) which use AES.
this code is enterprise as hell
you need the url for the base client? well you use Redbox.Rental.Services.KioskClientService.KioskClientServiceBaseUrl which is a property that'll ask the ServiceLocator to find an instance of IConfiguration to get the KioskClientServiceBaseUrl object out of it
they wrote their code as a fuckton of C# services that are always HTTP POSTing at each other
HTTP is, as always, the poor man's IPC
they logged the first six digits and last 4 digits of every credit card transaction.
HAVE YOU EVEN HEARD OF PCI?
Edit: this is technically allowed by PCI.
1234 56## #### 7890
can I buy a vowel?
I'm trying to tar up a redbox install and upload it, but each time the tar gets past 50% we find another file with PII in it
Dan LieblingOH HEY BAD NEWS:
when someone opens up the hard drive of a redbox unit, they can pull a file which has a complete list of titles ever rented, and the email addresses of the people who rented them, and where and when
the unit I've got an image for has records going back to at least 2015.
I was able to easily match one of them to a real name
I have 2471 transactions here.
Somebody I'll call Dave Fakename rented The Giver and The Maze Runner in Morganton, NC on 2015-05-23 at 6:43pm
found a THIRD set of encryption code.
this one is 3des instead of AES, and YEP they still hardcode the passkeys
this one is 3des instead of AES, and YEP they still hardcode the passkeys
Redbox.HAL.Configuration
.ConfigurationFileService implements IConfigurationFileService
STOP MAKING SERVICES AND FACTORIES AND INTERFACES AND JUST READ THE FUCKING JSON FILE YOU ENTERPRISE FUCKERS
AND HEY YOU DON'T NEED A SEPARATE C# CLASS FOR EACH XML FILE YOU LOAD
YOU CAN JUST HAVE AN XMLLOADER CLASS AND A GENERIC CONFIG FILE. PLEASE
this is the kind of code you get when you hire 20 new grads who technically know C# but none of them has written any software before
so these people wrote a mostly C# program, with some lua for glue scripting.
and then they implemented their own language. it's some bastardized version of BASIC
it's a compiled (to bytecode? I think?) cooperative-multitasking BASIC.
and god I wish it was the only one of those I'd ever seen
okay by "compiling" they mean "parsing". The output of the compiler is a list of tokens, the input is a text file
example code:
POP START-DECK
POP START-SLOT
POP END-DECK
POP END-SLOT
IF END-SLOT > MAX-SLOT-PER-DECK
SET END-SLOT MAX-SLOT-PER-DECK
ENDIF
Foone's official list of things they never expected to implement their own multitasking programming language, yet found one anyway:
* Redbox vending machine motors
* Wheel of Fortune (2011, Wii)
Redbox.HAL.IPC.Framework.ClientSessionFactory
PLEASE, NO MORE FACTORIES
MY CHILDREN ARE STARVING
oh good they implemented both an internal C# dynamic plugin loading system, as well as the ability to craft arbitrary Invoke()s over TCP/HTTP.
So you can call any C# function from anywhere on the machine, I think?
So, quick summary:
Redbox went bankrupt and the machines are getting in the hands of individuals. The disk image has been dumped. The software is being reverse engineered: they're not currently very useful, since they need to talk to a server that's gone.
But progress is being made
the devices themselves are windows 7 machines talking to the disc library. It's a small group of services talking to each other, mainly over HTTP
it's primarily written in enterprise-as-fuck C#, with some lua scripting, and the "HS" scripting language which seems to be proprietary to redbox machines.
I'm currently trying to acquire one so I can do more hands-on reverse engineering, but for now I'm focusing on the software and how it all interacts
and I'm told Doom has already been run on them. It's windows 7, it can run many doom sourceports.
With a little extra work you could probably play native MS-DOS Doom on them
MORE FUN FACTS:
it turns out the device has a database on it which lists the location of every single other redbox machine. full addresses.
rk: it’s hyphen-minus actuallyOhhh I do love me an embedded scripting language. Do you know if there’s any info on the HS language, or if you have time would you mind posting a sample or two?
@rk there's no info, but there are some samples. I don't have access to the full ones right now, but here's a snippet from the discord:
GRIPPER STATUS
POP GRIPPER-STATUS
IF "FULL" == GRIPPER-STATUS
LOG "The gripper is full - please fix."
APPLOG "The gripper is obstructed - exiting."
RESULT CODE="ItemStuckInGripper" MESSAGE="There is a disc stuck in the picker."
EXIT "Gripper is obstructed."
ENDIF
Beautiful, thank you!
Comrade elronxenu
wb x64
Jim Spath@foone @rk "Win one for the Gripper."--Knute Rockne, tangentially https://archives.nd.edu/research/texts/rocknespeech.htm
Make 
🍁@foone Doom when? 😁
Stephan* :birders:@foone I understand 10% of what you are ranting about, but is was 100% fun to read 😆👍
Andrew@foone concept: fill it with Valve games and paint it orange
gudenau@foone It would be amazing if you could figure out a way to create a program that empties the machine and secure wipes the drives...
@gudenau yeah we've talked about that in the discord. We've compiled a list of places it stores PII
Asta [AMP]@foone probably not at all a security risk, no need to think twice about that one
the vessel of morganna
Kay Ohtie 🔜 FWA@foone I was gonna say it sounds like when someone's made their 5th website entirely by following the same Rails video tutorial they've used for the first 4, again, just massaging object names a little and praying they didn't break it.
Gaëtan Perrault@KayOhtie @foone a lot of this hardware days back to 2007 / 2008 when Redbox specifically contracted to make their own hardware for this. A lot of this stuff was probably made by a handful of contractors to start and then, eventually, a few handfuls of developers.
It basically peaked in 2013 at $2B in revenue, it only rolled out 300 new kiosks that year. And it peaked just above 43k kiosks. Their listing 24k kiosks to decommission, likely meaning each one has been in service since before 2013..
And it wasn't some well-funded startup with Tech talent from the Bay area. It was likely a bunch of people who hacked this together in the days when he would still use FTP to ship the new code to the server. I was doing that with .NET in 2010.
And by 2015 it was clear the ship was sinking. So nobody was going to spend money trying to bring this thing up to modern standards. Why bother?
Ziggy the Hamster ☎️ 4ZTH@foone I saw this with people that had been doing it for 20 years but clearly not very well.
They were smart enough to use PBKDF… but the output of this was always a constant because they seeded the RNG with the same value and used a random number as the password.
I tried to explain why that’s stupid and they argued that they have no way for the server to know the correct key if they did it differently. Yes, but … this is not a hard problem to solve?
Sabella@foone seven hells, Redbox is sounding like a checklist of how NOT to do infosec. 3DES?! in the year of our goddess 2024?!
dragonfrog@gothodile @foone the algorithm is completely irrelevant when the key is left in the lock. They could use the Caesar cipher without reducing security.
@dragonfrog @foone thanks for pointing that out! I would have NEVER known that in my four years as an infosec professional.
Bill Ricker@foone
that you have so _few_ transactions for nearly 10 years on that one drive may explain why redbox has ceased to be, has joined the parrot eternal.
(one rental per day is par for an AirBNB, but unless their costs were really really low that's very bad retail.)
Greg@greg @foone
Agreed, I have difficulty imagining cost of production being under $2k even with mass production.
Even if one presumes they dumped their own tapes essentially for free and only paid the IP holders a royalty upon rental so contents are free.
Did they pay grocers for square foot per month?
Investors need 10% or greater return on capital of the machine.
Amazing they lasted so long I guess.
Agreed, I have difficulty imagining cost of production being under $2k even with mass production.
Even if one presumes they dumped their own tapes essentially for free and only paid the IP holders a royalty upon rental so contents are free.
Did they pay grocers for square foot per month?
Investors need 10% or greater return on capital of the machine.
Amazing they lasted so long I guess.
The Lack ThereofRentals were $2.25 *per night*, automatically extended. There were various sales and bundles to start the loan ($1 first day on selected titles, $3.75 2-day rental, etc), but that was the core pricing.
You could also purchase the disc outright from the kiosk, too.
Another factor is you could return disks to any kiosk. Not all kiosks had the same selection, and some were bigger than others, I often went to a bigger kiosk inside Fred Meyer to rent a particular Blu-ray but then returned it to the sad little kiosk outside 7-11 closer to home. So it's possible some kiosks were primarily used as drop boxes while the actual revenue came from high traffic locations dispensing the rentals.
ocdtrekkie
Fries@foone damn what payment processor did they use?
Mg Avaris Clari
DJ Sundog@foone there's probably a german word for the combination of "big oof" and "as could be expected" but damned if I know what it is, but that, that's the vibe
Taylor
shaun
trusty falxter 🧠
vollkorn (DECT 5676/"korn")
GunChleoc
Enno Rehling
Tachibana Kanade@foone Rented from that unit or from any unit? Either way that doesn’t seem good
@h0m54r just from that unit.
~@foone huh. That feels like it should be illegal but somehow isn’t. The government *requesting* that data absolutely is…
Luuk@foone Well that’s lovely.