Extracting secured firmware from Freescale Zigbee radios

[Travis Goodspeed] recently tore down the Freescale MC13224 wireless radio chip in an effort to demonstrate how the device’s firmware could be read, even when locked down in “secure” mode. While you might not recognize the Freescale MC13224 radio by name alone, you are certainly familiar with some of its practical applications. Found in the QuahogCon and Ninja Party badges among other consumer goods, the popular Zigbee radio turned out to be a fairly easy conquest.

[Travis] first used acid to decap one of the microcontrollers to see what was going on under the plastic casing. Inside, he discovered a discrete flash memory chip, which he removed and repackaged using a wedge wire bonder. He was easily able to extract the firmware; however, decapping and repackaging a flash chip isn’t necessarily the most user-friendly process.

After digging further, he discovered that holding one of the chip’s pins low during boot allowed him to run custom code, which recovers the firmware image after the pin is pulled high again. This far more practical means of firmware recovery can be easily facilitated via a circuit board revision, as [Travis] mentions in his blog.

Small POV device shows off some big features

We’ve already added the components needed to build [Rucalgary's] tiny POV device to our next parts order. The little device sets a new standard for tiny persistence of vision boards. Instead of relying on the user to find the best speed and timing for swinging the board around, [Rucalgary] used an accelerometer. This is the point at which we’d usually groan because of the cost of accelerometers. We’re still groaning but this time it’s for a different reason.

The accelerometer used here is a Freescale MMA7660. It’s an i2c device at a super low cost of less than $1.50. The reason we’re still groaning is that it comes in a DFN-10 package that is a bit harder to solder than SOIC, but if you’ve got patience and a good iron it can be done. An ATmega48 drives the device, with 8 LEDs and one button for input. On the back of the board there’s a holder for a CR2032 coin cell battery and a female SIL pin header for programming the device.

Check out the video demonstration embedded after the break. We love it that the message spells and aligns correctly no matter which way the little board is waved.

Doom II on epaper display

We love to see Doom ported to new hardware because it usually means that someone has found a way around the manufacturer’s security measures. But the most exciting thing for us to see this time is that Doom II is played on an epaper display. These are notorious for slow refresh rates, but as you can see in the video after the break, this one achieves an admirably fast page redraw.

According to a translation of the original forum post, the PocketBook 360° Plus boasts a 5″ E Ink Pearl screen, 533 MHz Freescale i.MX35 ARM11 processor, 128 Mb of RAM, 2 gigs of storage, and WiFi. No word on price for one of these babies as it seems they’ve not yet been released. Remind anyone of the green monochrome goodness from the original Game Boy?

Chumby takes its first steps

nice screen image, though I doubt he'll ever catch us at that speed.

[Eric Gregory] has gone a bit mad scientist on the Chumby, turning it into a bipedal bot. We expected all kinds of cool Chumby hacking, but we can’t say we saw this one coming. [Eric] points out that with a 454MHz processor, 64MB of RAM, 2GB of expandable storage and a USB host port, the Chumby is more than capable as a robotics platform. With the addition of a mysterious and soon to be announced sensor board, he has made this Chumby into a walking biped. While anyone who can write programs for Linux, or even write Flash applications, can create software for the Chumby, [Eric] chose to port the Robot Vision Toolkit over. This opens the doors to people who can write in Basic or who have written for the C64 or Apple ][. You can see a video of this guy in action after the break.

DIY pulse oximeter

This pulse oximeter turned out very nicely. It is based around a Freescale microcontroller and detects pulse as well as oxygen saturation in your blood. The sensor is made of two wood pieces and allows two wavelengths of light to be shined through your finger. A sensor picks up the light on the other side of your stubby digit and the readings are compared to calculate saturation. Check out the finished project after the break.

We saw an Arduino-based oximeter a few months ago. These kinds of biometric hacks are rare around here. If you’ve got a well documented project don’t forget to tell us about it.

Kindle 2 teardown

The people at iFixit have shown that they’re still on top of their game by tearing down the new Kindle 2 eBook reader. The main processor is a 532MHz ARM-11 from Freescale. Interestingly, there isn’t any significant circuitry behind the large keyboard; it seems its existence is just to hide the battery.

Related: previous teardowns on Hack a Day

[via Make]

Defcon 16: Badge details released


Defcon will once again be one-upping the sophistication of the conference attendee badges. Wired has just published a preview of this year’s badge. The core is a Freescale Flexis MC9S08JM60 processor. The badge has an IR transmitter and receiver on the front plus eight status LEDs. On the back (pictured below), there is a mode select button, CR123A battery, Data Matrix barcode, and an SD card slot. You can add a USB port to the badge and upload code to it using the built-in USB bootloader. All the dev tools needed will be included on the conference CD or you can download the IDE in advance. The low barrier to entry should lead to some interesting hacks. In previous years, you needed a special dongle to program the hardware. There is no indication as to what the badge does out of the box. Releasing the badge early is a first for Defcon and the one pictured isn’t the attendee color, but we’re sure someone will still come up with a clone.

Now comes the fun part: What do you think the best use of this badge will be? Would Defcon be so cavalier as to equip everyone in the conference with a TV-B-Gone? I think our favorite possibility is if someone finds a security hole and manages to write an IR based worm to take over all the badges.

Defcon 14 introduced the first electronic badge which blinked in different patterns. Defcon 15 had a 95 LED scrolling marquee. [Joe Grand] will be posting more specific Defcon 16 badge details to his site after the opening ceremony. Check out more high resolution photos on Wired.
