[Andreas Schuler] has been playing around with his Rigol DS1022C digital storage oscilloscope. It’s an older model which can capture samples at up to 25MHz, but [Andreas] claims to have quadrupled that using a service menu hack. His technique changes the settings to use the DS1022C at 100Mhz.
Usually a hack like this includes some test measurements that confirm the hardware is actually sampling at the higher rate, and is not just claiming that it has the ability to do so. We’d love to hear from you in the comments if you’ve got this piece of bench hardware and decided to try it for yourself. His method enters in a sequence of buttons from the system info menu. If done correctly this will add a service menu option that wasn’t there before. A bit of navigation leads you to the screen seen above, where you can change the model number to DS1102C. This is the more robust 100MHz cousin of the 1022.
If you think you’ve seen this hack before it’s probably because the Rigol 1052E was previously pulled to 100MHz with a firmware hack.
[Leland Flynn] did a great job of picking apart the firmware image for a Westell 9100EM FiOS router. Unfortunately he didn’t actually find the information he was looking for. But he’s not quite done poking around yet either. If you have never tried to make sense of an embedded Linux firmware image this serves as a great beginner’s example of how it’s done.
He was turned on to the project after port scanning his external IP and finding a random login prompt which he certainly didn’t set up. Some searching led him to believe this is some kind of back door for Verizon to push automatic firmware updates to his router. He figured why not see if he could yank the credentials and poke around inside of the machine?
He started by downloading the latest firmware upgrade. Running ‘hexdump’ and ‘strings’ gives him confirmation that the image is based on Linux. He’s then able to pick apart the package, getting at just the filesystem portion. His persistence takes him through extracting and decompressing three different filesystems. Even though he now has access to all of those files, broken symlinks meant a dead-end on his login search.
The chip seen just above the center of this image is an ARM Cortex-M3. It provides the ability to interface and program the main chip on the STM32F3 Discovery board. The protocol used is the ST-Link/V2 which has become the standard for ST Microelectronics development boards. The thing is, that big ARM chip near the bottom of the image has multiple UARTs and bridging a couple of solder points will connect it to the ST-Link hardware. [Taylor Killian] wanted to figure out if there is built-in firmware support to make this a USB-to-serial converter and his path to the solution involved reverse engineering the ST-Link/V2 firmware.
The first part of the challenge was to get his hands on a firmware image. When you download the firmware update package the image is not included as a discrete file. Instead he had to sniff the USB traffic during a firmware update. He managed to isolate the file and chase down the encryption technique which is being used. It’s a fun read to see how he did this, and we’re looking forward to learning what he can accomplish now that’s got the goods he was after.
[Alex] just bought a really nice TEAC VR-20 audio recorder, a very capable recorder perfect for recording your thoughts or just making concert bootlegs. This model was recently replaced by the Tascam DR-08 audio recorder. It’s essentially the same thing, but the Tascam unit can record at 96kHz, whereas the TEAC can only record at 48kHz. [Alex] figured out a way to upgrade his less capable but cheaper VR-20 to record at a higher bit rate with just a simple firmware hack.
The mod began by downloading the firmware for both the TEAC VR-20 and the Tascam DR-08. Both of these sets of firmware were exactly the same size, and after downloading a hex editor, [Alex] found a huge difference in the first 20 bytes of the firmware – the portion that tells the microcontrollers what it actually is.
The solution to improving the bitrate for the TEAC VR-20 was as simple as copying the first 20 bytes from the TEAC firmware over to the first 20 bytes of the Tascam firmware. After that, it’s a simple matter of upgrading his TEAC and getting the ability to record at 96kHz.
A very, very simple hack that’s really just flipping a few bits. Not bad for a two-fold improvement in the recording capability of a handheld audio recorder.
[Travis Goodspeed] continues his work at educating the masses on how to reverse engineer closed hardware devices. This time around he’s showing us how to exploit the Device Firmware Updates protocol in order to get your hands on firmware images. It’s a relatively easy technique that uses a man-in-the-middle attack to dump the firmware image directly to a terminal window. This way you can get down to the nitty-gritty of decompiling and hex editing as quickly as possible.
For this hack he used his Facedancer board. We first saw the hardware used to emulate a USB device, allowing the user to send USB commands via software. Now it’s being used to emulate your victim hardware’s DFU mode. This is done by supplying the vendorID and productID of the victim, then pushing the firmware update as supplied by the manufacturer. In most cases this shouldn’t even require you to have the victim hardware on hand.
[Jenna] sent in a very cool bootloader she thought people might like. It’s called Micronucleus and it turns the lowly ATtiny 85 into a chip with a USB interface capable of being upgraded via a ‘viral’ uploader program. Micronucleus weighs in at just over 2 kB, making it one of the smallest USB-compatible bootloaders currently available.
The USB support comes from V-USB, a project that puts a virtual USB port on a suite of AVR microcontrollers. With V-USB, it’s easy to turn a Tiny85 into a keyboard, custom joystick, data logger, or computer-attached LED display.
One very interesting feature of Micronucleus is the ‘viral updater’ feature. This feature takes a new piece of firmware, and writes it to a Tiny85, disabling the current bootloader. If you’re designing a project that should have a means of updating the firmware via USB instead of the usual AVR programmer, this might be the bootloader for you.
Not bad for a bootloader that emphasizes small code size. At just over 2 kB, it’s possible to use this bootloader on the similar, smaller, and somewhat cheaper ATtiny45.
Hard drive firmware is about the last place you want to find a bug. But that turned out to be the problem with [BBfoto’s] Seagate HDD which he was using in a RAID array. It stopped working completely, and he later found out the firmware has a bug that makes the drive think it’s permanently in a busy state. There’s a firmware upgrade available, but you have to apply it before the problem shows its face, otherwise you’re out of luck. Some searching led him to a hardware fix for the problem.
[Brad Garcia] put together the tutorial which illustrates the steps needed to unbrick the 7200.11 hard drive with the busy state bug. The image in the lower right shows the drive with a piece of paper between the PCB and the connectors which control the head. This is necessary to boot the drive without it hanging due to the bug. From there he issues serial commands to put it into Access Level 2, then removes the cardboard for the rest of the fix.
In the tutorial [Brad] uses a serial-TTL converter. [BBfoto] grabbed an Arduino instead, using it as a USB-ttl bridge.