Display case for my projects and writeups. I mostly work on InfoSec, hardware hacking and electronics.
This writeup is based on my limited testing of modifying one unit. This hack is also dangerous, because it is done on a live unit containing a lithium-based battery cell.
If you cause a short circuit in the device, there is a possibility that the battery will catch fire or explode.
Your mileage and amount of fireworks may vary.
I got my hands on Google’s Stadia controller. This device has been out since late 2019, so it’s a relatively new product. I liked the look and feel of the device, but after learning that it has a built-in microphone, I wanted to look into disabling it.
Apparently the security aspect regarding the Stadia controller and its ability to listen to your conversations is not a new thing. For example, Android Headlines reported on the possible privacy issues in late 2019.
Snippet from Android Headlines article:
Google also noted in a July 11 blog post that only around 0.2-percent of all audio snippets that are recorded are reviewed by language analysts. What’s more, that user accounts are said to not be associated with the snippets. Meaning the audio snippets are anonymous.
Further, reviewers are instructed not to transcribe any of the background audio. Does this mean that someone won’t? No. There’s always that possibility. In fact in that same blog post from July Google admitted that some audio had been leaked by a language analyst from its Dutch team.
Google also stated that it had taken precautions to prevent this from happening again in the future. The point is that the controller is not likely a big invasion of privacy. That also doesn’t mean that customer shouldn’t be made aware it has a built-in mic.
These statements worked as good motivation to investigate how to remove the microphone completely from my controller.
As always, you should start with the basics.
I found surprisingly little material.
On YouTube, I found one teardown by Gamers Nexus, which was done with a Dremel. This did not look very positive for my hack, as it was quite apparent that opening the device is not practical.
However, the Gamers Nexus teardown gave a good view of the microphone PCB.
The FCC report (FCC ID: A4RH2B) also had one picture of the microphone PCB.
Result: The microphone (the metal-covered unit in the middle of the small PCB) is mounted on a separate board, with spring-loaded connectors from the microphone PCB to the main board.
Okay, we know that the microphone is located on a separate PCB. There seems to be nothing else on the board apart from the single component and the connectors.
My theory is that I could disable the microphone by drilling through the plastic cover and the PCB to remove the microphone from the board.
Not much else to do at this point than to pick up the drill and test the theory. Worst case, there is a power line just beneath the microphone hole and I will short the internal battery. As it is not practical to open the device, I cannot remove the internal battery before drilling into the unit.
So, the first step was to take a 3 mm drill to get a feeling for how hard the plastic is.
As the plastic seemed to be rather soft, I took a 7 mm drill and just slowly carved the plastic out by hand.
The black surface beneath the plastic is the silkscreen of the PCB. You can also see that the tip of the drill has already carved out some of the silkscreen and the copper beneath it. This is where all of this could go wrong, with the metal drill shorting out power lines on the PCB.
We can already see a lot of the copper, with a potential trace in the bottom-left corner. It looks like most of the copper is ground, which makes sense, as these microphones are quite sensitive devices, so you want a good amount of grounded copper beneath them.
Okay! We have punched through the fibreglass layer of the FR4. You can already see some of the copper on the other side of the PCB.
Aaaand we are through! The last millimeters are quite tricky, as you want to remove only the PCB without damaging the headphone connector behind it.
After a bit of searching, I pulled the microphone out of the device. It looks like a pretty ordinary device, with four pads and a hole on the bottom. The pads look a bit orange, due to the copper pads still being attached to the device. The underside also looks quite uneven, likely due to the component being glued to the PCB. This ensures that the microphone stays in place during shipment and use, with all of the vibrations happening inside the device.
And flipping the component, we can see that it has the following markings:
S2404
4660
I could not find a match for this component, but my best guess would be that it is manufactured by Knowles Acoustics, due to similar marking convention.
UPDATE (06.01.2021): The microphone is likely an SPH0641LM or -LU. Thanks @shinmai for identifying the component!
It seems that the hack worked! The controller boots up and operates normally. It does not even seem to be aware that one of the sensors is missing, and Google Assistant is trying its best to listen to what I mumble, but is unable to receive any signal.
Thanks for reading my writeup. Stay safe and keep on hacking!
https://9to5google.com/2019/11/27/stadia-controller-teardown/
https://www.androidheadlines.com/2019/11/stadia-controller-built-in-mic-privacy-concern.html