Author Topic: Altium CircuitMaker reverse engineering  (Read 8124 times)

Offline CarloMaraTopic starter

  • Newbie
  • Posts: 1
  • Country: 00
Altium CircuitMaker reverse engineering
« on: June 25, 2015, 10:17:09 pm »
Hello guys,
It’s my first post here and I really hope it will be useful for the community.
After playing a little bit with CircuitMaker, I wondered if I could make a dummy server to use the software also when I am in offline mode.
After less than one day I can tell you the good news:
It is possible. I reverse engineered the protocol and it’s super simple. It takes only 16 steps to submit the changed file to Altium. Here (http://tinyurl.com/nn6bemr) you will find a short diagram of the protocol. If you want more detail, I can give you everything.
As with everything, this protocol has some downsides; the major one is that it doesn’t use any kind of encryption to send the data, nor does it use an SSL connection to the server. I think that it could be possible to send malicious files to any computer that is using CM. Also, everything is sent as plain text, so lots of data can be extrapolated, like my computer account and what system I’m using.
I will send more detailed information, with all the details and the data that I dumped with wireshark.

Stay tuned!
CarloMara, with a big help from Ddavidebor!
 

Offline DerekG

  • Frequent Contributor
  • **
  • Posts: 882
  • Country: nf
Re: Altium CircuitMaker reverse engineering
« Reply #1 on: June 28, 2015, 12:51:56 pm »
After playing a little bit with CircuitMaker, I wondered if I could make a dummy server to use the software also when I am in offline mode.

Great news. Keep the investigative results coming.
I also sat between Elvis & Bigfoot on the UFO.
 

Offline EEVblog

  • Administrator
  • *****
  • Posts: 37740
  • Country: au
    • EEVblog
Re: Altium CircuitMaker reverse engineering
« Reply #2 on: June 28, 2015, 02:36:31 pm »
As with everything, this protocol has some downsides; the major one is that it doesn’t use any kind of encryption to send the data, nor does it use an SSL connection to the server. I think that it could be possible to send malicious files to any computer that is using CM.

That sounds nasty.
 

Offline c4757p

  • Super Contributor
  • ***
  • Posts: 7799
  • Country: us
  • adieu
Re: Altium CircuitMaker reverse engineering
« Reply #3 on: June 28, 2015, 02:50:46 pm »
General rule of thumb: if the protocol is hidden so people can't tell without actual inspection if it's secure..... it's not. Nobody can be arsed with security unless they know they'll be in trouble otherwise. :(
No longer active here - try the IRC channel if you just can't be without me :)
 

Offline con-f-use

  • Supporter
  • ****
  • Posts: 807
  • Country: at
Re: Altium CircuitMaker reverse engineering
« Reply #4 on: June 28, 2015, 07:31:12 pm »
As with everything, this protocol has some downsides; the major one is that it doesn’t use any kind of encryption to send the data, nor does it use an SSL connection to the server. I think that it could be possible to send malicious files to any computer that is using CM.
If that's true, someone's head should roll! :rant:
 

Offline SeanB

  • Super Contributor
  • ***
  • Posts: 16284
  • Country: za
Re: Altium CircuitMaker reverse engineering
« Reply #5 on: June 28, 2015, 07:44:24 pm »
At the least they should have used an SSH secure tunnel or even a simple VPN to transmit the data, keying to the user ID at a minimum. This would be something over bugger all, and I wonder how this would cope with an ISP doing DPI and injecting an ad or other into the datastream.

Then again, it points to them doing the development on an internal network, and simply exposing it to the Internet at large. Wonder if they also exposed all the file shares and other internal facing protocols there as well. At the very least they should have put a decent edge appliance on to do multiple VPN connections; that is easy enough and the client side software is common and easy to use as well.
 

Offline codeboy2k

  • Super Contributor
  • ***
  • Posts: 1836
  • Country: ca
Re: Altium CircuitMaker reverse engineering
« Reply #6 on: June 29, 2015, 06:55:47 am »
More than likely they outsourced the web and Internet parts to a third party that they integrated with. I've had to work with so many outsourcing firms that develop web apps that I know for a fact that these guys just copy and paste what they used in the past or find online, they use a mish-mash of libraries and glue code, copy and paste the code multiple times in multiple places in the source trees, and don't even think about security ever.

They get hired to write something that I have to look at and decipher later... it's always incomplete, insecure, and unmaintainable garbage.

I suspect that happened here too.


 

Online ataradov

  • Super Contributor
  • ***
  • Posts: 11260
  • Country: us
    • Personal site
Re: Altium CircuitMaker reverse engineering
« Reply #7 on: June 29, 2015, 06:25:57 pm »
Why not just pirate the full version? Legally the end result is the same, but you also get standard shortcuts.

This effort is good for exposing holes in their security, but does nothing for the community, really.
Alex
 

Offline con-f-use

  • Supporter
  • ****
  • Posts: 807
  • Country: at
Re: Altium CircuitMaker reverse engineering
« Reply #8 on: June 29, 2015, 08:13:22 pm »
...nothing but improving the user's security...

Also legally the damage to Altium is a lot smaller than pirating the full version. I'd say that is a significant difference.
 

Offline c4757p

  • Super Contributor
  • ***
  • Posts: 7799
  • Country: us
  • adieu
Re: Altium CircuitMaker reverse engineering
« Reply #9 on: June 29, 2015, 08:20:02 pm »
Pirating the full version is arguably theft - Altium never gave me anything. (Let's not have that argument, please? O0) Forcing CM to work differently is, IMO, a whole different category of things: "doing what I damn well please with the thing you gave me". The fact that the end result for Altium's bank accounts is similar - well, sucks for Altium, but that's their fault for putting something that cannibalizes their main product's sales on my computer for free...
No longer active here - try the IRC channel if you just can't be without me :)
 

Online ataradov

  • Super Contributor
  • ***
  • Posts: 11260
  • Country: us
    • Personal site
Re: Altium CircuitMaker reverse engineering
« Reply #10 on: June 29, 2015, 08:56:04 pm »
Well, there is a difference for their bank account - they were collecting usage information. And now that goes away.

I don't know how Altium is distributed, but isn't it the usual - download for free and then enter the key? In which case I don't see how this thing is different from running a crack and using a stolen key.

PS: Just to be clear, I'm mostly playing devil's advocate. I really don't care about Altium full or limited.
Alex
 

Offline free_electron

  • Super Contributor
  • ***
  • Posts: 8517
  • Country: us
    • SiliconValleyGarage
Re: Altium CircuitMaker reverse engineering
« Reply #11 on: June 29, 2015, 09:20:30 pm »
But what is the point of working offline? Even if you can spoof the server: you lose access to the parts library!
You may be able to do some routing in off-line mode, but schematic work is impossible as you cannot place new parts.
You could only shuffle wires, netnames or traces. Any parts modification / adding requires a live connection.
Professional Electron Wrangler.
Any comments, or points of view expressed, are my own and not endorsed , induced or compensated by my employer(s).
 

Offline funkathustra

  • Regular Contributor
  • *
  • Posts: 150
  • Country: us
Re: Altium CircuitMaker reverse engineering
« Reply #12 on: June 30, 2015, 06:11:23 am »
I have to applaud Altium for not going too DRM-crazy with respect to CircuitMaker.

You don't have to actually spoof the server to work offline (as long as you authenticated when you fired up CircuitMaker). Once you're connected, you can easily work on arbitrary projects (cloud-based or not) by dragging them into the software to open. By default, they live in your AppData folder, but can be copied/moved elsewhere if you'd like.

I'm not going to go into the details, because I think it's disingenuous to use CircuitMaker for proprietary designs, but there are project-specific settings you can change to allow you to work on projects locally without ever having to commit -- even to generate outputs.

I have no idea if Altium is going to tighten things up for a later release to more strongly enforce their community sharing requirements, but as of right now, it's implemented in a way to give power users quite a bit of flexibility.
 

Online T3sl4co1l

  • Super Contributor
  • ***
  • Posts: 21686
  • Country: us
  • Expert, Analog Electronics, PCB Layout, EMC
    • Seven Transistor Labs
Re: Altium CircuitMaker reverse engineering
« Reply #13 on: June 30, 2015, 10:25:07 pm »
But what is the point of working offline? Even if you can spoof the server: you lose access to the parts library!
You may be able to do some routing in off-line mode, but schematic work is impossible as you cannot place new parts.
You could only shuffle wires, netnames or traces. Any parts modification / adding requires a live connection.

Scraping their servers to make offline copies might be a useful approach.

Tim
Seven Transistor Labs, LLC
Electronic design, from concept to prototype.
Bringing a project to life?  Send me a message!
 

Offline free_electron

  • Super Contributor
  • ***
  • Posts: 8517
  • Country: us
    • SiliconValleyGarage
Re: Altium CircuitMaker reverse engineering
« Reply #14 on: July 01, 2015, 05:49:42 am »
But what is the point of working offline? Even if you can spoof the server: you lose access to the parts library!
You may be able to do some routing in off-line mode, but schematic work is impossible as you cannot place new parts.
You could only shuffle wires, netnames or traces. Any parts modification / adding requires a live connection.

Scraping their servers to make offline copies might be a useful approach.

Tim

That doesn't work. You would need to install your own vault server. As far as I know, CM is actually pulling data from a gigantic Altium vault.
Professional Electron Wrangler.
Any comments, or points of view expressed, are my own and not endorsed , induced or compensated by my employer(s).
 

