HD Radio Cracked on Receiver-Side

One of the largest controversies involving the U.S. digital radio standard, HD Radio, has been its proprietary nature. The technology’s owner, iBiquity DTS Tessera Xperi Corporation, has refused to make public all the necessary technical information within the standard, dubbed by the National Radio Systems Committee as NRSC-5; this ostensibly prevents anyone from developing or manufacturing any HD-related transmission or reception technologies without express licensure from Xperi.
The specific “black box” that has kept the technology proprietary has been the algorithm Xperi uses to encode and decode HD audio signals. If you look at the publicly-available NRSC-5 documentation, you find no meaningful detail about this aspect of HD technology beyond a description of how it works.
This was a site of controversy during HD’s tortured development: initially, the standard was to utilize an algorithm derived from publicly-accessible code – but once the FCC gave the standard its blessing, then-developer iBiquity swapped out the codec under which the technology had been tested with a new one that it had ginned up wholly in-house. But it performed so poorly that HD’s proprietors replaced it again with the variant onboard transmitters and receivers today.
It was popularly assumed that this latest HD codec was essentially a tweak of the High Effeciency Advanced Audio Coding (HE-AAC) algorithm, most commonly known as a component the MPEG-4 suite. This algorithm is widely used by streaming services, media players, and other digital radio standards such as DAB+ and Digital Radio Mondiale. But the “special sauce” that iBiquity DTS Tessera Xperi Corporation had added to the codec supposedly rendered it “different” and thus under its firm control – key to HD Radio’s entire business model.
That control has now been broken, at least on the receiver-side. In early June, an Austin-based cybersecurity shop named Theori tweeted, “We have been busy analyzing your car’s radio signals. We are releasing code to receive and decode digital FM radio.” In a companion blog post, Theori explains in detail how they took the available NRSC-5 digital radio standards documentation, along with FM-HD programming from Austin’s public radio station KUT, and were able to construct the necessary FM-HD receiver code.
When it came to the black-box audio algorithm at HD’s heart, circumventing that was a piece of cake: “We found that it is essentially HE-AAC with some modifications,” reported Theori. Those modifications were “sufficiently minor” enough that they were able to adapt an open source variant of this codec to function as a stand-in.
After compiling the code on a USB receiver-stick popular with experimentation in software-defined radio (SDR) reception, Theori was able to not only decode the main FM-HD program stream, but also the HD subchannels that KUT provides. No word on whether or not this homebrew receiver can also decode and display program-associated data.
The code’s been in the wild for nearly a month now, released on GitHub by Theori’s Andrew Wesie. Within a week it was noted by those who developed the initial SDR receiver package on which this code is built, which has attracted dozens of interested comments from tinkerers around the world, one of whom has created a Facebook group to “share tips, scripts, reception reports, and provide or get help” and already built a front-end for the code that automates much of the compilation-process and settings-tweaking that is currently required to run it successfully.
The lack of reaction from Xperi to the revelation that the algorithm that keeps HD Radio a closed system is replaceable is quite curious. As a corporation wholly devoted to acquiring and milking intellectual property for maximum revenue – and in HD Radio’s case, a revenue-stream that comes almost entirely on the receiver-side – its lawyers might first assume an existential threat. If so, you’d think a flurry of cease-and-desists would have hit the interwebs by now. But considering that the HD system is just one dim star in Xperi’s growing IP constellation, it’s doubtful they employ staff to police the ‘net for HD-related infringement-cases.
Furthermore, it’s no simple feat to build your own FM-HD receiver and thereby wholly circumvent Xperi’s licensing regime, at least at present: you need specialized hardware and software, including a working knowledge of Linux. Auto manufacturers won’t swap out a chipset and Xperi-native code in their touchscreen center-stacks for what is essentially a homebrew reception rig that requires command-line literacy. At the mass-production and consumer-engagement level, it’s a no-brainer to continue to pay Xperi the per-unit licensing fees and be guaranteed a fully-functional HD reception experience.
If I were Xperi, I would encourage such tinkering, because in all honesty it’s effectively resuscitating the non-automotive (standalone) HD Radio receiver market. The collective intelligence of an open-source software development community may actually devise innovations to the HD platform that could be useful to the larger user base.
The hardware on which this code runs can also receive AM signals, and it’s well within Theori’s established capabilities to add HD reception for that band as well. They also believe “that [constructing] a NRSC-5 transmitter for reseach [sic] should also be straightforward,” given how easy it was to excise and replace the “proprietary” codec on the receiver-side. What happens when both elements of the HD Radio chain – transmission and reception – are unchained from the clutches of Xperi and its approved developers?
It’s also clear that Theori may be thinking about the implications of HD Radio’s engagement with our networked world on a level that Xperi may not. Theori expressed primary interest in HD Radio for its cybersecurity implications: “NRSC-5 allows a variety of data formats to be transmitted, unencrypted and unsigned, over-the-air to a large number of vehicles. . . .Every data format supported by a NRSC-5 receiver is a potential attack surface.”
The contemporary automobile is a rolling series of networked computers, some of which receive data from external sources. Digital radio is just another stream of data taken in and processed by the car. Since HD Radio can serve up data other than audio, what is the potentiality that malicious code could be embedded in an HD datastream and executed in the center stack?
The Theori post notes that building an HD transmitter “to fuzz a NRSC-5 receiver could produce interesting results,” but until there’s further development and testing there’s no clear answer to this. HD Radio was developed in the pre-Internet of Things era, where cybersecurity was more of an afterthought, and without much thought to how it might interact with the infotainment systems in which it is embedded (which is more the purview of the auto manufacturers themselves).
It is good to know that there are folks who are thinking about and working with HD Radio outside of its proprietary paradigm. Doing so strongly suggests that its future also lies outside this paradigm. How long might it take Xperi, the broadcast industry, and those who manufacture HD technology to get a clue and appreciate the implications?