Sucking PIC Firmware Out of an Old APC Battery Backup

reverse-engineering-pic-firmware-of-APC-power-supply

Looking at this huge Uninterruptible Power Supply we are a little envious. It’s meant to hang on the wall of a utility room and power your critical devices. [Radek Hvizdos] has had it in service for quite some time, and when he started thinking of replacing the internal battery he decided to see if he could also extend the functionality. To do so he needed to get at the firmware of the chip controlling the device. And so began his adventure of dumping the firmware from the read-protected PIC 18F452.

The challenge of dumping code from a write-protected chip is in itself a fun project. But [Radek] was actually interested in fixing bugs and adding features. The wishlist feature we’d be most interested in is a kind of triage for shutting down devices as the internal battery starts to run low. Nice! But starting from scratch with the firmware is a no-go. You can see the two places where he connected to the PCB. The upper is for using a PIC programmer. The lower is an I2C connection used to dump the EEPROM with an improvised Bus Pirate.

In the end it was improper lock bit settings that opened the door to grabbing the firmware. The bootloader section of the PIC is not locked, and neither is the ability to read from FLASH at run-time. These two combined allowed him to write his own code which, when flashed to the bootloader section, dumps the rest of the firmware so that it may be combined into a complete file afterward. Since posting this fascinating article he has made a follow-up about disassembling the code.

Reverse Engineering a D-Link Backdoor

Here’s one true hack (Google cache link) for our dear Hackaday readers. On a Saturday night, as [Craig] didn’t have anything else to do, he decided to download the firmware of an old D-Link DIR-100 router (because who wouldn’t?). His goal was to see what interesting things he could find in it. He fired up binwalk to extract the SquashFS file system, then opened the router webserver on the multi-processor disassembler/debugger IDA. [Craig] discovered that the webserver is actually a modified version of thttpd, providing the administrative interface for the router. As you can see in the picture above, it seems Alphanetworks (a spin-off of D-Link) performed the modifications.

Luckily for [Craig], the guys at Alphanetworks were kind enough to prepend many of their custom function names with the string “alpha”. Looking at the disassembly of the http identification functions revealed that a backdoor is implemented on the firmware. If one malicious user has the string “xmlset_roodkcableoj28840ybtide” as his browser user agent, no authentication is required to gain access to the router. One of the comments on the reddit thread points out that reading that string backwords results in: “edit by (04882) joel backdoor”.

Hacking a Medion WiFi streaming radio found at Aldi

hacking-medion-streaming-wifi

On a shopping trip at Aldi [Aaron Christophel] came across this Medion streaming device which connects to your home network via WiFi and works as an Internet radio. He couldn’t resist buying one, and managed to do quite a bit of hacking on the device (translated) once he got it home.

His first order of business was a hardware teardown. An inspection of the board showed what was obviously an unpopulated footprint for a USB mini jack. He added the component, thinking it would allow him to connect it to a computer, but that didn’t work. To investigate the issue further he connected to the device’s serial port using the hard-to-guess credentials root and password. It’s running a Linux kernel and the lsusb command revealed that the USB is enabled as host mode. This mean you can attach mass storage… sweet!

He also did some firmware hacking. Above is the confirmation screen for flashing his altered image file. This resulted in a custom splash screen when it boots up.

HackIt: Sony invites you to hack its SmartWatch firmware

sony-smartwatch-hacking

This is Sony’s smart watch, which has been around for a while now. It’s designed for use with your Android phone, and has always included an SDK that allows app developers to interact with it. But now Sony is taking it one big step further. They’ve published everything you need to know to hack your own firmware for the SmartWatch.

The navigation scheme for that articles includes five menu items at the bottom which you’ll want to dig through. The most interesting to us was the one labeled “SmartWatch hacker guide”. It lays bare the hardware used in the watch and how it’s peripheral component connect to each other. This starts with the STM32 (ARM) microcontroller that drives the watch. It goes on to document how the screen is addressed (SPI1) including the pin to turn it on and off. The same goes for the Bluetooth, accelerometer, buzzer, and touch sensors.

Firmware is updated via USB using Device Firmware Upgrade (DFU) mode. We don’t don’t see any way to connect an on-chip debugger. We searched to see if there is a JTAG port on the circuit board and it sounds like getting the watch apart without breaking it is pretty tough.

Now that you don’t need to stick to what Sony had planned for the device, what do you want to do with your strapless wristwatch?

[Thanks Brian]

Rigol DS1022C hack brings it up to 100MHz speed

rigol-1022c-100MHz-hack

[Andreas Schuler] has been playing around with his Rigol DS1022C digital storage oscilloscope. It’s an older model which can capture samples at up to 25MHz, but [Andreas] claims to have quadrupled that using a service menu hack. His technique changes the settings to use the DS1022C at 100Mhz.

Usually a hack like this includes some test measurements that confirm the hardware is actually sampling at the higher rate, and is not just claiming that it has the ability to do so. We’d love to hear from you in the comments if you’ve got this piece of bench hardware and decided to try it for yourself. His method enters in a sequence of buttons from the system info menu. If done correctly this will add a service menu option that wasn’t there before. A bit of navigation leads you to the screen seen above, where you can change the model number to DS1102C. This is the more robust 100MHz cousin of the 1022.

If you think you’ve seen this hack before it’s probably because the Rigol 1052E was previously pulled to 100MHz with a firmware hack.

Dissecting a firmware image

dissecting-a-firmware-image

[Leland Flynn] did a great job of picking apart the firmware image for a Westell 9100EM FiOS router. Unfortunately he didn’t actually find the information he was looking for. But he’s not quite done poking around yet either. If you have never tried to make sense of an embedded Linux firmware image this serves as a great beginner’s example of how it’s done.

He was turned on to the project after port scanning his external IP and finding a random login prompt which he certainly didn’t set up. Some searching led him to believe this is some kind of back door for Verizon to push automatic firmware updates to his router. He figured why not see if he could yank the credentials and poke around inside of the machine?

He started by downloading the latest firmware upgrade. Running ‘hexdump’ and ‘strings’ gives him confirmation that the image is based on Linux. He’s then able to pick apart the package, getting at just the filesystem portion. His persistence takes him through extracting and decompressing three different filesystems. Even though he now has access to all of those files, broken symlinks meant a dead-end on his login search.

Reverse engineering ST-Link/V2 firmware

reverse-engineering-stlink-v2

The chip seen just above the center of this image is an ARM Cortex-M3. It provides the ability to interface and program the main chip on the STM32F3 Discovery board. The protocol used is the ST-Link/V2 which has become the standard for ST Microelectronics development boards. The thing is, that big ARM chip near the bottom of the image has multiple UARTs and bridging a couple of solder points will connect it to the ST-Link hardware. [Taylor Killian] wanted to figure out if there is built-in firmware support to make this a USB-to-serial converter and his path to the solution involved reverse engineering the ST-Link/V2 firmware.

The first part of the challenge was to get his hands on a firmware image. When you download the firmware update package the image is not included as a discrete file. Instead he had to sniff the USB traffic during a firmware update. He managed to isolate the file and chase down the encryption technique which is being used. It’s a fun read to see how he did this, and we’re looking forward to learning what he can accomplish now that’s got the goods he was after.

Follow

Get every new post delivered to your Inbox.

Join 92,260 other followers