High Definition Fuzzing; Exploring HDMI Vulnerabilities
TRANSCRIPT
![Page 1: High Definition Fuzzing; Exploring HDMI vulnerabilities](https://reader031.vdocuments.net/reader031/viewer/2022021815/58730c931a28ab99088b6f27/html5/thumbnails/1.jpg)
HIGH-DEF FUZZING
EXPLORING VULNERABILITIES IN HDMI-CEC
name = "Joshua Smith"
job = "Senior Security Researcher"
job += "HP Zero Day Initiative"
irc = "kernelsmith"
twit = "@kernelsmith"
![Page 2: High Definition Fuzzing; Exploring HDMI vulnerabilities](https://reader031.vdocuments.net/reader031/viewer/2022021815/58730c931a28ab99088b6f27/html5/thumbnails/2.jpg)
Which of the following is false?
1. Have had 10 knee surgeries... and 5 others
2. Worked at JHUAPL... did mostly weapon sys assessments
3. Was voted "most athletic" in high school... don't judge a book by its cover ;)
4. Previously ran assessments at the 92d Info. Warfare Aggressor Sq. (USAF)... now 92d Info. Ops. Sq - vuln assessments/pentests/red teams
5. Have a B.S. in Computer Engineering from RPI... Aeronautical. Also, an MIS & some CS from JHU
6. Am an external Metasploit dev... since Feb 2013
7. Had C2 of 50 nuclear ICBMs on 9/11... interesting story
![Page 3: High Definition Fuzzing; Exploring HDMI vulnerabilities](https://reader031.vdocuments.net/reader031/viewer/2022021815/58730c931a28ab99088b6f27/html5/thumbnails/3.jpg)
Overview
- What is CEC
- Specs & Implementations
- Design Details
- Protocol
- Attack Vectors & Surface
- Fuzzing CEC
- Some Results
- Future Work
![Page 4: High Definition Fuzzing; Exploring HDMI vulnerabilities](https://reader031.vdocuments.net/reader031/viewer/2022021815/58730c931a28ab99088b6f27/html5/thumbnails/4.jpg)
Why?
- Wanted to research an area that was relatively untouched
- For me: assembly > C/C++ and RISC > CISC
- Another attack vector for mobile devices via:
  - Mobile High-Definition Link (MHL)
  - Slimport
- Many car stereos as well
- My son is completely obsessed with cords/wires, esp HDMI
![Page 5: High Definition Fuzzing; Exploring HDMI vulnerabilities](https://reader031.vdocuments.net/reader031/viewer/2022021815/58730c931a28ab99088b6f27/html5/thumbnails/5.jpg)
Previous Research
- HDMI – Hacking Displays Made Interesting
  - Andy Davis
  - BlackHat EU 2012
  - GUI Python CEC fuzzer
    - Somewhat simplistic
    - No exception monitoring
    - No crash data gathering
![Page 6: High Definition Fuzzing; Exploring HDMI vulnerabilities](https://reader031.vdocuments.net/reader031/viewer/2022021815/58730c931a28ab99088b6f27/html5/thumbnails/6.jpg)
What is HDMI?
- High Def Multimedia Interface
  - HDMI is an interface specification
  - Implemented as cables & connectors
  - Successor to DVI
![Page 7: High Definition Fuzzing; Exploring HDMI vulnerabilities](https://reader031.vdocuments.net/reader031/viewer/2022021815/58730c931a28ab99088b6f27/html5/thumbnails/7.jpg)
What is CEC?
- Consumer Electronics Control
- Feature defined in the HDMI spec
- Allows user to command & control up to 15 devices
- Can relay commands from remotes
- It's what automatically changes your TV input
- Vendor-extendable
- Adopted by some other technologies
![Page 8: High Definition Fuzzing; Exploring HDMI vulnerabilities](https://reader031.vdocuments.net/reader031/viewer/2022021815/58730c931a28ab99088b6f27/html5/thumbnails/8.jpg)
That Don't Look Like HDMI!
Still has CEC however
- Slimport
  - Think ~ Amazon, Google, Blackberry, LG G+
- Mobile High-Definition Link (MHL)
  - Think ~ HTC, LG Optimus+, Samsung (not G6)
  - Remote Control Protocol
![Page 9: High Definition Fuzzing; Exploring HDMI vulnerabilities](https://reader031.vdocuments.net/reader031/viewer/2022021815/58730c931a28ab99088b6f27/html5/thumbnails/9.jpg)
Specs & Features
History

| Ver | Published | Features |
| --- | --- | --- |
| 1.0 | Dec 2002 | Boring stuff |
| 1.1 | May 2004 | Boring stuff |
| 1.2 | Aug 2005 | Boring stuff |
| 1.2a* | Dec 2005 | Fully spec'd CEC |

\* This is the good stuff, for vulnerabilities anyway
![Page 10: High Definition Fuzzing; Exploring HDMI vulnerabilities](https://reader031.vdocuments.net/reader031/viewer/2022021815/58730c931a28ab99088b6f27/html5/thumbnails/10.jpg)
Specs & Features
History Continued

| Ver | Published | Features |
| --- | --- | --- |
| 1.3-3c | '06-'08 | Whizz-bang A/V & new conns |
| 1.4* | May 2009 | Features++: 4k, HEC, ARC, 3D, micro |
| 2.0 | Sep 2013 | 4k @60fps, Dual View, 3D++, CEC++ |

\* Most widely deployed & available, more in a sec
![Page 11: High Definition Fuzzing; Exploring HDMI vulnerabilities](https://reader031.vdocuments.net/reader031/viewer/2022021815/58730c931a28ab99088b6f27/html5/thumbnails/11.jpg)
Interesting 1.4 Features
- ARC (Audio Return Channel)
- HEC (HDMI Ethernet Connection)
  - 100 Mb/s
  - Enables traditional networking w/HDMI
![Page 12: High Definition Fuzzing; Exploring HDMI vulnerabilities](https://reader031.vdocuments.net/reader031/viewer/2022021815/58730c931a28ab99088b6f27/html5/thumbnails/12.jpg)
CEC Details
- 1-wire bidirectional serial bus
- Slow: 500 bit/s
- Uses AV.link protocol to perform remote control functions
- For HDMI:
  - CEC wiring is mandatory
  - CEC functionality (software support) is optional
![Page 13: High Definition Fuzzing; Exploring HDMI vulnerabilities](https://reader031.vdocuments.net/reader031/viewer/2022021815/58730c931a28ab99088b6f27/html5/thumbnails/13.jpg)
Notable Implementations
- Commercial industry uses various trade names
  - Anynet+ (Samsung), Aquos Link (Sharp), BRAVIA Link/Sync (Sony)
  - SimpLink (LG), VIERA Link (Panasonic), EasyLink (Philips), etc
- Open Source
  - libCEC (dual commercial license)
  - Android HDMI-CEC
![Page 14: High Definition Fuzzing; Exploring HDMI vulnerabilities](https://reader031.vdocuments.net/reader031/viewer/2022021815/58730c931a28ab99088b6f27/html5/thumbnails/14.jpg)
CEC Addressing
- PHYSICAL
  - N.N.N.N where 0x0<=N<=0xF
  - Root display (TV) is always 0.0.0.0
  - Required as CEC has a notion of switching
- LOGICAL
  - L where 0x0<=L<=0xF
  - Root display (TV) is always 0
  - Negotiated by product type
  - Example: first STB in system is always 3
![Page 15: High Definition Fuzzing; Exploring HDMI vulnerabilities](https://reader031.vdocuments.net/reader031/viewer/2022021815/58730c931a28ab99088b6f27/html5/thumbnails/15.jpg)
Logical Addresses

| Address | Device | Address | Device |
| --- | --- | --- | --- |
| 0 | TV | 8 | Playback Dev 2 |
| 1 | Rec. Device 1 | 9 | Rec Device 3 |
| 2 | Rec. Device 2 | 10 | Tuner 4 |
| 3 | Tuner 1 | 11 | Playback Dev 3 |
| 4 | Playback Dev 1 | 12 | Reserved |
| 5 | Audio System | 13 | Reserved |
| 6 | Tuner 2 | 14 | Free Use |
| 7 | Tuner 3 | 15 | Unreg/Broadcast |
![Page 16: High Definition Fuzzing; Exploring HDMI vulnerabilities](https://reader031.vdocuments.net/reader031/viewer/2022021815/58730c931a28ab99088b6f27/html5/thumbnails/16.jpg)
CEC Protocol
![Page 17: High Definition Fuzzing; Exploring HDMI vulnerabilities](https://reader031.vdocuments.net/reader031/viewer/2022021815/58730c931a28ab99088b6f27/html5/thumbnails/17.jpg)
Header Block

| Source | Dest | EoM | Ack |
| --- | --- | --- | --- |
| 3 2 1 0 | 3 2 1 0 | E | A |

- (4 bits) Logical address of source
- (4 bits) Logical address of dest
- (2 bits) Control bits (EoM & Ack)
- Example: 0100:0000:0:0 = Src 4, Dest 0
![Page 18: High Definition Fuzzing; Exploring HDMI vulnerabilities](https://reader031.vdocuments.net/reader031/viewer/2022021815/58730c931a28ab99088b6f27/html5/thumbnails/18.jpg)
Data Block

| Data | EoM | Ack |
| --- | --- | --- |
| 7 6 5 4 3 2 1 0 | E | A |

- (8 bits) Data (Big-endian/MSB first)
- (2 bits) Control bits (EoM & Ack)
- Example: 01000001:1:0 = "A"
![Page 19: High Definition Fuzzing; Exploring HDMI vulnerabilities](https://reader031.vdocuments.net/reader031/viewer/2022021815/58730c931a28ab99088b6f27/html5/thumbnails/19.jpg)
Opcode Block
Really just a data block

| Opcode | EoM | Ack |
| --- | --- | --- |
| 7 6 5 4 3 2 1 0 | E | A |

- (8 bits) Opcode (Big-endian/MSB first)
- (2 bits) Control bits (EoM & Ack)
- Example: 10000010:1:0 = 0x82 (Active Source)
![Page 20: High Definition Fuzzing; Exploring HDMI vulnerabilities](https://reader031.vdocuments.net/reader031/viewer/2022021815/58730c931a28ab99088b6f27/html5/thumbnails/20.jpg)
CEC Protocol
The long and short of it...
- 0F - Broadcast ping
- 1 F :82 :10:00
  - Source | Dest (Bcast) | Opcode (Active Src) | Param (PA of src)
- 1 0 :64 :44:65:66:43:6F:6E:20:32:33
  - Source | Dest (TV) | Opcode (Set OSD String) | Msg params
  - 44: Display control flags, rest is ASCII string
- S D :OP :41:41:41:41:41:41:41:41:41:41:41:41:41:41
  - Source | Dest | Opcode | Msg params
![Page 21: High Definition Fuzzing; Exploring HDMI vulnerabilities](https://reader031.vdocuments.net/reader031/viewer/2022021815/58730c931a28ab99088b6f27/html5/thumbnails/21.jpg)
CEC Protocol
Pinging and Polling
- The "Ping"
  - EOM bit in header is set to 1
  - Used to poll for devices etc (fuzz monitor?)
    - Source & dest addresses will be different
  - Also used for allocating Logical Addresses
    - Source & dest addresses are the same
![Page 22: High Definition Fuzzing; Exploring HDMI vulnerabilities](https://reader031.vdocuments.net/reader031/viewer/2022021815/58730c931a28ab99088b6f27/html5/thumbnails/22.jpg)
CEC Protocol
Additional Info
- Big-endian/MSB first
- Text is only printable ASCII (0x20 <= A <= 0x7E)
- Messages can be directly addressed, broadcast, or either
- Should ignore a message coming from address 15, unless:
  - Message invokes a broadcast response
  - Message has been sent by a CEC Switch
  - The message is Standby
![Page 23: High Definition Fuzzing; Exploring HDMI vulnerabilities](https://reader031.vdocuments.net/reader031/viewer/2022021815/58730c931a28ab99088b6f27/html5/thumbnails/23.jpg)
CEC Protocol
Transmission (Flow) Control
- 3 mechanisms to provide reliable frame transfer
  1. Frame re-transmissions (1 to 5)
  2. Flow control
  3. Frame validation (ignore msgs w/wrong #args)
- A message is assumed correctly received when:
  - It has been transmitted and acknowledged
- A message is assumed to have been acted upon when:
  - Sender does not receive Feature Abort w/in 1 sec
  - Might be useful during fuzzing
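
An added example (not from the slides and not libCEC code): the header layout, the printable-ASCII limit, the address-15 rule and frame validation by operand count from the protocol slides, written as a receiver-side check. The operand counts in the opcode table and the 16-block limit are assumptions taken from the CEC specification; the sample frames are the ones shown on the slides plus one constructed frame.

```python
# Added example: receiver-side decoding and validation of CEC frames written in
# the colon-separated hex notation used on the slides (e.g. "1F:82:10:00").
BROADCAST = 0xF   # logical address 15: unregistered as source, broadcast as dest
MAX_BLOCKS = 16   # assumption (CEC spec): header + opcode + up to 14 operands

# opcode -> (name, min operands, max operands, offset of ASCII text or None).
# Operand counts are assumptions taken from the CEC spec, not from the slides.
OPCODES = {
    0x36: ("Standby", 0, 0, None),
    0x47: ("Set OSD Name", 1, 14, 0),
    0x64: ("Set OSD String", 2, 14, 1),   # display-control byte, then text
    0x67: ("Set Timer Program Title", 1, 14, 0),
    0x82: ("Active Source", 2, 2, None),  # 2-byte physical address
}


def parse_frame(text):
    """Split a frame string into source, destination, opcode and operands."""
    blocks = [int(b, 16) for b in text.split(":")]  # ValueError on non-hex input
    if any(not 0 <= b <= 0xFF for b in blocks):
        raise ValueError("block outside 0x00..0xFF in %r" % text)
    return {
        "src": blocks[0] >> 4,     # high nibble of the header block
        "dst": blocks[0] & 0xF,    # low nibble of the header block
        "opcode": blocks[1] if len(blocks) > 1 else None,  # None: header-only poll
        "params": bytes(blocks[2:]),
    }


def physical_address(params):
    """Render a 2-byte physical address operand as N.N.N.N."""
    nibbles = (params[0] >> 4, params[0] & 0xF, params[1] >> 4, params[1] & 0xF)
    return ".".join("%X" % n for n in nibbles)


def validate(frame):
    """Return the reasons a receiver should ignore the frame ([] means accept)."""
    op, params = frame["opcode"], frame["params"]
    if op is None:
        return []                  # poll/"ping": nothing beyond the header
    problems = []
    if 2 + len(params) > MAX_BLOCKS:
        problems.append("frame exceeds %d blocks" % MAX_BLOCKS)
    if frame["src"] == BROADCAST and op != 0x36:
        # Of the three exceptions on the slide, only Standby is checked here.
        problems.append("source is address 15 and message is not Standby")
    if op not in OPCODES:
        return problems + ["opcode 0x%02X is not in this example's table" % op]
    name, low, high, text_at = OPCODES[op]
    if not low <= len(params) <= high:
        problems.append("%s: %d operands, expected %d..%d"
                        % (name, len(params), low, high))
    if text_at is not None and any(not 0x20 <= c <= 0x7E for c in params[text_at:]):
        problems.append("%s: non-printable byte in text" % name)
    return problems


if __name__ == "__main__":
    # Frames from the slides, plus one constructed frame with a control character.
    for s in ("0F", "1F:82:10:00", "10:64:44:65:66:43:6F:6E:20:32:33",
              "10:82:41:41:41:41:41:41:41", "10:64:00:41:0A"):
        print(s, "->", validate(parse_frame(s)) or "ok")
```

A device firmware that applies checks like these before copying operands into a fixed buffer rejects the over-long and malformed string messages that the later slides single out.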
![Page 24: High Definition Fuzzing; Exploring HDMI vulnerabilities](https://reader031.vdocuments.net/reader031/viewer/2022021815/58730c931a28ab99088b6f27/html5/thumbnails/24.jpg)
Attack Vectors & Thoughts
- HDMI-network exploitation via CEC
- HDMI Ethernet Channel (HEC)
  - Network connectivity to things thought un-networked
  - Great place to hide
- Range of targetable devices
  - TVs, BluRays, receivers, "TV Sticks", game consoles?
- Mobile phones & tablets
  - Devices implementing MHL/Slimport
  - Known popular mobile devices that implement MHL
![Page 25: High Definition Fuzzing; Exploring HDMI vulnerabilities](https://reader031.vdocuments.net/reader031/viewer/2022021815/58730c931a28ab99088b6f27/html5/thumbnails/25.jpg)
Attack Surface
- CEC commands
- CEC vendor-specific commands
- HEC commands
- HEC functionality
![Page 26: High Definition Fuzzing; Exploring HDMI vulnerabilities](https://reader031.vdocuments.net/reader031/viewer/2022021815/58730c931a28ab99088b6f27/html5/thumbnails/26.jpg)
Finding Vulns
Approaches
- Identify "at-risk" messages & fuzz
- Source Code Analysis
  - Hard to come by except libCEC & Android
- Reverse Engineering
  - Can be hard to get all the firmwarez
  - Expect different architectures
    - MIPS, ARM, ARC etc
    - MIPS is generally most popular so far
![Page 27: High Definition Fuzzing; Exploring HDMI vulnerabilities](https://reader031.vdocuments.net/reader031/viewer/2022021815/58730c931a28ab99088b6f27/html5/thumbnails/27.jpg)
Interesting Messages
- String operations
  - Set OSD Name (0x47)
    - Preferred name for use in any OSD (menus)
  - Set OSD String (0x64)
    - Text string to the TV for display
  - Set Timer Program Title (0x67)
    - Set the name of a program associated w/a timer
- Vendor-specific Messages
  - Because who knows what they might do
![Page 28: High Definition Fuzzing; Exploring HDMI vulnerabilities](https://reader031.vdocuments.net/reader031/viewer/2022021815/58730c931a28ab99088b6f27/html5/thumbnails/28.jpg)
In Order to Fuzz
We Need to Answer Some Questions
- How can we send arbitrary CEC commands?
- How can we detect if a crash occurred?
![Page 29: High Definition Fuzzing; Exploring HDMI vulnerabilities](https://reader031.vdocuments.net/reader031/viewer/2022021815/58730c931a28ab99088b6f27/html5/thumbnails/29.jpg)
Sending Messages
Hardware
- ~0 lap, desktops with HDMI-CEC
  - Many have HDMI, none have CEC
- Adapters
  - Pulse-Eight USB-HDMI
  - RainShadow HDMI-CEC to USB Bridge
- Raspberry Pi
  - RPi & P8 adapter both use libCEC :)
![Page 30: High Definition Fuzzing; Exploring HDMI vulnerabilities](https://reader031.vdocuments.net/reader031/viewer/2022021815/58730c931a28ab99088b6f27/html5/thumbnails/30.jpg)
Sending Messages
Software
- Pulse-Eight driver is open source (libCEC)
  - Dual-licensed actually (GPLv2/Commercial)
  - Python SWIG-based bindings
  - Supports a handful of devices
![Page 31: High Definition Fuzzing; Exploring HDMI vulnerabilities](https://reader031.vdocuments.net/reader031/viewer/2022021815/58730c931a28ab99088b6f27/html5/thumbnails/31.jpg)
Fuzzing CEC
libCEC
- Can send CEC messages with:
  - Raspberry Pi + libCEC
  - P8 USB-HDMI adapter + libCEC
- But can we really send arbitrary CEC messages?
  - lib.Transmit(CommandFromString("10:82:41:41:41:41:41:41:41"))
- YES. It would appear at least.
- To know for sure, had to ensure libCEC was not validating.
![Page 32: High Definition Fuzzing; Exploring HDMI vulnerabilities](https://reader031.vdocuments.net/reader031/viewer/2022021815/58730c931a28ab99088b6f27/html5/thumbnails/32.jpg)
Fuzzing Process
- It has been done (Davis) with Python + RainbowTech serial API
  - I actually did not know this until late in the research
  - RainbowTech device has a nice simple serial API
  - Not much complex functionality
- I had already started down the path below
  - libCEC + Python since pyCecClient is already a thing
  - Can use the P8 USB adapter and/or Raspberry Pi(s)
  - May port to Ruby since SWIG & Ruby++
- https://media.blackhat.com/bh-eu-12/Davis/bh-eu-12-Davis-HDMI-WP.pdf
![Page 33: High Definition Fuzzing; Exploring HDMI vulnerabilities](https://reader031.vdocuments.net/reader031/viewer/2022021815/58730c931a28ab99088b6f27/html5/thumbnails/33.jpg)
Fuzzing Process
Major Steps
ID Target and Inputs
Generate Fuzzed Data
Execute Fuzzed Data
Monitor for Exceptions
Determine Exploitability
Fuzzing: Brute Force Vulnerability Discovery (Sutton, Michael; Greene, Adam; Amini, Pedram)
![Page 34: High Definition Fuzzing; Exploring HDMI vulnerabilities](https://reader031.vdocuments.net/reader031/viewer/2022021815/58730c931a28ab99088b6f27/html5/thumbnails/34.jpg)
Generate Fuzzed Data
- Started with "long" strings and string-based messages
- Format strings
- Parameter abuse
- Vendor-specific messages
- Simple bit-flipping
- Adopted some from Davis work
![Page 35: High Definition Fuzzing; Exploring HDMI vulnerabilities](https://reader031.vdocuments.net/reader031/viewer/2022021815/58730c931a28ab99088b6f27/html5/thumbnails/35.jpg)
Execute Fuzzed Data
1. Poll device
2. Send message
![Page 36: High Definition Fuzzing; Exploring HDMI vulnerabilities](https://reader031.vdocuments.net/reader031/viewer/2022021815/58730c931a28ab99088b6f27/html5/thumbnails/36.jpg)
Monitor for Exceptions
1. Check for ack if applicable
2. Poll again
3. If debug, use that
4. If shell, check if service/app still running
5. If TV, will probably notice crash, fun, hard to automate
6. If exception, record msg & state & debug details if avail
![Page 37: High Definition Fuzzing; Exploring HDMI vulnerabilities](https://reader031.vdocuments.net/reader031/viewer/2022021815/58730c931a28ab99088b6f27/html5/thumbnails/37.jpg)
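If Shell but !Debugger
- Samsung BluRay Player has BASH
- But not 'watch'
- Fake it:

```bash
# Poor man's `watch`: report every half second whether app_player is alive.
while true; do
  date
  # The [a] bracket keeps grep from matching its own process entry.
  ps aux | grep "[a]pp_player"
  if [ $? -ne 0 ]; then
    # do crash investigation
    echo "app_player is not running"
  fi
  sleep 0.5
done
```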
![Page 38: High Definition Fuzzing; Exploring HDMI vulnerabilities](https://reader031.vdocuments.net/reader031/viewer/2022021815/58730c931a28ab99088b6f27/html5/thumbnails/38.jpg)
Also TTY Output

```
[API_CECCMD_FeatureAbort] Return value is 0x31
API_CECCMD_FeatureAbort(op:0xB4) start.
[AP_INFOLINK/Fatal] 8:Starting background widget manager !!!
[TCFactory::GetOption] option = 37 value = 0
[TCFactory::GetOption] option = 51 value = 0
[API_CECCMD_FeatureAbort] Return value is 0x36
verified = 1
[AP_INFOLINK/Fatal] 9:CWidgetEngine::createSmartSideBar ret TRUE
[AP_INFOLINK/Fatal] 10:CWidgetEngine::activateSmartSideBar ret TRUE
```
![Page 39: High Definition Fuzzing; Exploring HDMI vulnerabilities](https://reader031.vdocuments.net/reader031/viewer/2022021815/58730c931a28ab99088b6f27/html5/thumbnails/39.jpg)
DETERMINE EXPLOITABILITY
- This is kind of an adventure unless debug
- Specific to each device
![Page 40: High Definition Fuzzing; Exploring HDMI vulnerabilities](https://reader031.vdocuments.net/reader031/viewer/2022021815/58730c931a28ab99088b6f27/html5/thumbnails/40.jpg)
Fuzzing
Complications
- Getting Hold of Devices
  - They are around you however, just need to look
  - Can also emulate w/QEMU + firmware
- Speed
  - 500 bits/s
  - Not much we can do about that
  - Fuzz multiple devices simultaneously
  - RE targets to focus the fuzz
![Page 41: High Definition Fuzzing; Exploring HDMI vulnerabilities](https://reader031.vdocuments.net/reader031/viewer/2022021815/58730c931a28ab99088b6f27/html5/thumbnails/41.jpg)
Fuzzing
Complications Continued
- Debugging
  - Need to get access to the device
    - Probably no debugger
    - Often painful to compile one for it
    - Keep an eye out for gdbserver files however
- Collect Data
- Deduplicate
- Repro
![Page 42: High Definition Fuzzing; Exploring HDMI vulnerabilities](https://reader031.vdocuments.net/reader031/viewer/2022021815/58730c931a28ab99088b6f27/html5/thumbnails/42.jpg)
Targets
Home Theater Devices
- Samsung Blu-ray Player (MIPS)
  - Targeted because already have shell (Thx Ricky Lawshae & Jon Andersson)
  - Local shell to get on & study device
- Philips Blu-ray Player
- Samsung TV
- Panasonic TV
- Chromecast
- Amazon Fire TV Stick
![Page 43: High Definition Fuzzing; Exploring HDMI vulnerabilities](https://reader031.vdocuments.net/reader031/viewer/2022021815/58730c931a28ab99088b6f27/html5/thumbnails/43.jpg)
Targets
Mobile devices
- Kindle Fire
- Galaxy S5 (S6 dropped MHL)
- Galaxy Note
- Chromebook
![Page 44: High Definition Fuzzing; Exploring HDMI vulnerabilities](https://reader031.vdocuments.net/reader031/viewer/2022021815/58730c931a28ab99088b6f27/html5/thumbnails/44.jpg)
Results
There's definitely more to be done
![Page 45: High Definition Fuzzing; Exploring HDMI vulnerabilities](https://reader031.vdocuments.net/reader031/viewer/2022021815/58730c931a28ab99088b6f27/html5/thumbnails/45.jpg)
Issues Discovered
- Panasonic TV
- Samsung Blu-ray Player
![Page 46: High Definition Fuzzing; Exploring HDMI vulnerabilities](https://reader031.vdocuments.net/reader031/viewer/2022021815/58730c931a28ab99088b6f27/html5/thumbnails/46.jpg)
Panasonic Can Haz Upgrade?
![Page 47: High Definition Fuzzing; Exploring HDMI vulnerabilities](https://reader031.vdocuments.net/reader031/viewer/2022021815/58730c931a28ab99088b6f27/html5/thumbnails/47.jpg)
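Samsung's app_player
- Handles CEC for BluRay player
- Pulled via Ricky's root shell
- Did some manual RE and
- Rudimentary analysis with some ghetto IDAPython

```python
# Runs inside IDA; uses the older (pre-7.0) IDAPython names, as on the slide.
import idautils
import idc

banned = ['memcpy', 'strcpy', 'strncpy', 'etc...']
for func in banned:
    print('Processing ' + func)
    # Walk every code cross-reference to the banned function.
    for xref in idautils.CodeRefsTo(idc.LocByName(func), True):
        # Print the name of the calling function and the call-site disassembly.
        print(idc.Name(idc.GetFunctionAttr(xref, idc.FUNCATTR_START))
              + ' disasm: ' + idc.GetDisasm(xref))
```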
![Page 48: High Definition Fuzzing; Exploring HDMI vulnerabilities](https://reader031.vdocuments.net/reader031/viewer/2022021815/58730c931a28ab99088b6f27/html5/thumbnails/48.jpg)
Samsung's app_player

```
jalr $t9; strcpy => 333
jalr $t9; strncpy => 409
jalr $t9; memcpy => 310
jalr $t9; [.*]printf => 11685
```

- /me wrings hands
- However, most are not called by CEC code :(
  - 3 memcpy's, 2 of which I had already found manually
  - 73 printf's, but aren't (so far) exploitable conditions
![Page 49: High Definition Fuzzing; Exploring HDMI vulnerabilities](https://reader031.vdocuments.net/reader031/viewer/2022021815/58730c931a28ab99088b6f27/html5/thumbnails/49.jpg)
app_player
![Page 50: High Definition Fuzzing; Exploring HDMI vulnerabilities](https://reader031.vdocuments.net/reader031/viewer/2022021815/58730c931a28ab99088b6f27/html5/thumbnails/50.jpg)
Post exploitation
- Enable HEC
- Enable LAN
  - Attack LAN services if nec
  - Enable higher speed exfil etc
- Control an MHL device
- Beachhead for attacking other devices
- Hiding
![Page 51: High Definition Fuzzing; Exploring HDMI vulnerabilities](https://reader031.vdocuments.net/reader031/viewer/2022021815/58730c931a28ab99088b6f27/html5/thumbnails/51.jpg)
Future Work
- Unuglify my Python
- Integrate into bigger/better fuzz framework
- Exploit CEC & bind shell to network interface
- Exploit CEC, enable HEC, bind shell to HEC interface
- Exploit CEC & "bind" shell to HDMI interface
- Explore attack surface of:
  - HDMI: 3D, Audio Return Channel, more w/HEC
  - Feature adds to CEC (HDMI 2.0)
- Moar devices
- Emulation
![Page 52: High Definition Fuzzing; Exploring HDMI vulnerabilities](https://reader031.vdocuments.net/reader031/viewer/2022021815/58730c931a28ab99088b6f27/html5/thumbnails/52.jpg)
Conclusion
- Becoming more and more pervasive and invasive
- Old vuln types may be new again
- May be benefitting simply because code is newer
- Hard, sometimes impossible, to upgrade, maintain, configure
- Risk = Vulnerability x Exposure x Impact
  - Exposure is growing
  - Impact is probably highest for your privacy
![Page 53: High Definition Fuzzing; Exploring HDMI vulnerabilities](https://reader031.vdocuments.net/reader031/viewer/2022021815/58730c931a28ab99088b6f27/html5/thumbnails/53.jpg)
Links
not yet tho
- github.com/ZDI/hdfuzzing
- blackhat.com/bh-eu-12-Davis-HDMI
- github.com/Pulse-Eight/libcec
- hdmi.org
- www.pulse-eight.com (P8 USB-HDMI Adapter)
- swig.org (Simplified Wrapper & Interface Generator)
- github.com/hakimel/reveal.js (Reveal.js)
- cec-o-matic.com