I bought a Rodecaster Duo to solve some audio woes, and found that it has ssh enabled by default. I captured the firmware update process and created custom firmware to enable password authentication for ssh.

Hacker News is a community-driven platform for sharing and discussing technology news, startups, and programming-related topics. Through user submissions and comments, Hacker News offers insights into emerging technology trends, industry developments, and entrepreneurial ventures. Readers can participate in discussions, share their insights, and stay informed about the latest advancements in technology and innovation.

Hacker News

A developer bought a Rodecaster Duo audio interface and discovered it has SSH enabled by default with hardcoded public keys. By capturing the firmware update process via Wireshark and USBPcap, they reverse-engineered the HID-based update protocol (two ASCII commands: 'M' to enter update mode and 'U' to trigger flashing). The firmware is distributed as a plain gzipped tarball with no signature verification. Using this knowledge, they created custom firmware to enable password-based SSH authentication and add their own public key. The author reported the default SSH keys to RODE but received no response.

My audio interface has ssh enabled by default