PogoPlug Hacking: A Step by Step Guide to Owning The Device

[Films By Kris Hardware] has started quite an interesting YouTube series on hacking and owning a PogoPlug Mobile v4. While this has been done many times in the past, he gives a great step by step tutorial. The series so far is quite impressive, going into great detail on how to gain root access to the device through serial a serial connection.

PogoPlugs are remote-access devices sporting ARM processor running at 800 MHz, which is supported by the Linux Kernel.  The version in question (PogoPlug Mobile v4) have been re-purposed in the past for things like an inexpensive PBX, an OpenWrt router and even a squeezebox replacement. Even if you don’t have a PogoPlug, this could be a great introduction to hacking any Linux-based consumer device.

So far, we’re at part three of what will be an eight-part series, so there’s going to be more to learn if you follow along. His videos have already covered how to connect via a serial port to the device, how to send commands, set the device up, and stop it calling home. This will enable the budding hacker to make the PogoPlug do their bidding. In this age of the cheap single-board Linux computer, hacking this type of device may be going out of style, but the skills you learn here probably won’t any time soon.

Continue reading “PogoPlug Hacking: A Step by Step Guide to Owning The Device”

Open Source Firmware For A Cheap Programmable Power Supply

A few months ago, someone clued us in on a neat little programmable power supply from the usual Chinese retailers. The DPS5005 is a programmable power supply that takes power from a big AC to DC wall wart and turns it into a tiny bench-top power supply. You can pick one of these things up for about thirty bucks, so if you already have a sufficiently large AC to DC converter you can build a nice 250 Watt power supply on the cheap.

[Johan] picked up one of these tiny programmable power supplies. His overall impression was positive, but like so many cheap products on AliExpress, there wasn’t a whole lot of polish to the interface. Additionally, the DPS5005 lacked the ability to be controlled over a serial port or WiFi.

This programmable power supply is built around an STM32, with the programming pads exposed and labeled on the PCB. The changes [Johan] wanted to make were all in software, leading him to develop OpenDPS, a firmware replacement for the DPS5005. Continue reading “Open Source Firmware For A Cheap Programmable Power Supply”

33C3: Hunz Deconstructs the Amazon Dash Button

The Amazon Dash button is now in its second hardware revision, and in a talk at the 33rd Chaos Communications Congress, [Hunz] not only tears it apart and illuminates the differences with the first version, but he also manages to reverse engineer it enough to get his own code running. This opens up a whole raft of possibilities that go beyond the simple “intercept the IP traffic” style hacks that we’ve seen.

dash_block_diagramJust getting into the Dash is a bit of work, so buy two: one to cut apart and locate the parts that you have to avoid next time. Once you get in, everything is tiny! There are a lot of 0201 SMD parts. Hidden underneath a plastic blob (acetone!) is an Atmel ATSAMG55, a 120 MHz ARM Cortex-M4 with FPU, and a beefy CPU all around. There is also a 2.4 GHz radio with a built-in IP stack that handles all the WiFi, with built-in TLS support. Other parts include a boost voltage converter, a BTLE chipset, an LED, a microphone, and some SPI flash.

The strangest part of the device is the sleep mode. The voltage regulator is turned on by user button press and held on using a GPIO pin on the CPU. Once the microcontroller lets go of the power supply, all power is off until the button is pressed again. It’s hard to use any less power when sleeping. Even so, the microcontroller monitors the battery voltage and presumably phones home when it gets low.
Continue reading “33C3: Hunz Deconstructs the Amazon Dash Button”

The Cardboard Computer

Every time we say “We’ve seen it all”, along comes a project that knocks us off. 60 year old [Mark Nesselhaus] likes to learn new things and he’s never worked with hardware at the gate level. So he’s building himself a 4-bit Computer, using only Diode-Transistor Logic. He’s assembling the whole thing on “card board” perf-board, with brass tacks for pads. Why — because he’s a thrifty guy who wants to use what he has lying around. Obviously, he’s got an endless supply of cardboard, tacks and Patience. The story sounds familiar. It started out as a simple 4-bit full adder project and then things got out of hand. You know he’s old school when he calls his multimeter an “analog VOM”!

It’s still work in progress, but he’s made a lot of it in the past year. [Mark] started off by emulating the 4-bit full adder featured on Simon Inns’ Waiting for Friday blog. This is the ALU around which the rest of his project is built. With the ALU done, he decided to keep going and next built a 4-to-16 line decoder — check out the thumbnail image to see the rats nest of jumbled wires. Next on his list were several flip flops — R-S, J-K and D types, which would be useful as program counters. This is when he bumped into problems with signal levels, timing and triggering. He decided to allow himself the luxury of adding one IC to his build — a 555 based clock generator. But he still needed some pulse shaping circuitry to make it work consistently.

from right, Input, +5V, nc, gnd
LED Driver : from left, Gnd, NC, +5V, Input

[Mark] also built a finite-state-machine sequencer based on the work done by Rory Mangles TinyTim project. He finished building some multiplexers and demultiplexers, and it appears he may be using a whole bank of 14 wall switches for address, input and control functions. For the output display, he assembled a panel using LED’s recovered from a $1 Christmas light string. Something seems amiss with his LED driver, though — 2mA with LED on and >2.5mA with LED off. The LED appears to be connected across the collector and emitter of the PNP transistor. Chime in with your comments.

This build seems to be shaping along the lines of the Megaprocessor that we’ve swooned over a couple of times in the past. Keep at it, [Mark]!

Continue reading “The Cardboard Computer”

Ken Shirriff Takes Us Inside the IC, For Fun

[Ken Shirriff] has seen the insides of more integrated circuits than most people have seen bellybuttons. (This is an exaggeration.) But the point is, where we see a crazy jumble of circuitry, [Ken] sees a riddle to be solved, and he’s got a method that guides him through the madness.

In his talk at the 2016 Hackaday SuperConference, [Ken] stepped the audience through a number of famous chips, showing how he approaches them and how you could do the same if you wanted to, or needed to. Reading an IC from a photo is not for the faint of heart, but with a little perseverance, it can give you the keys to the kingdom. We’re stoked that [Ken] shared his methods with us, and gave us some deeper insight into a handful of classic silicon, from the Z80 processor to the 555 timer and LM7805 voltage regulator, and beyond.

Continue reading “Ken Shirriff Takes Us Inside the IC, For Fun”

33C3: Chris Gerlinsky Cracks Pay TV

People who have incredible competence in a wide range of fields are rare, and it can appear deceptively simple when they present their work. [Chris Gerlinksy]’s talk on breaking the encryption used on satellite and cable pay TV set-top boxes was like that. (Download the slides, as PDF.) The end result of his work is that he gets to watch anything on pay TV, but getting to watch free wrestling matches is hardly the point of an epic hack like this.

The talk spans hardware reverse engineering of the set-top box itself, chip decapping, visual ROM recovery, software reverse analysis, chip glitching, creation of custom glitching hardware, several levels of crypto, and a lot of very educated guessing. Along the way, you’ll learn everything there is to know about how broadcast streams are encrypted and delivered. Watch this talk now.

Some of the coolest bits:

  • Reading out the masked ROM from looking at it with a microscope never fails to amaze us.
  • A custom chip-glitcher rig was built, and is shown in a few iterations, finally ending up in a “fancy” project box. But it’s the kind of thing you could build at home: a microcontroller controlling a switch on a breadboard.
  • The encoder chip stores its memory in RAM: [Chris] uses a beautiful home-brew method of desoldering the power pins, connecting them up to a battery, and desoldering the chip from the board for further analysis.
  • The chip runs entirely in RAM, forcing [Chris] to re-glitch the chip and insert his payload code every time it resets. And it resets a lot, because the designers added reset vectors between the bytes of the desired keys. Very sneaky.
  • All of this was done by sacrificing only one truckload of set-top boxes.

Our jaw dropped repeatedly during this presentation. Go watch it now.

[CNLohr] Reverses Vive, Valve Engineers Play Along

[CNLohr] needs no introduction around these parts. He’s pulled off a few really epic hacks. Recently, he’s set his sights on writing a simple, easy to extend library to work with the HTC Vive VR controller equipment, and in particular the Watchman controller.

There’s been a lot of previous work on the device, so [Charles] wasn’t starting from scratch, and he live-streamed his work, allowing others to play along. In the process, two engineers who actually worked on the hardware in question, [Alan Yates] and [Ben Jackson], stopped by and gave some oblique hints and “warmer-cooler” guidance. A much-condensed version is up on YouTube (and embedded below). In the links, you’ll find code and the live streams in their original glory, if you want to see what went down blow by blow. Code and more docs are in this Gist.

Continue reading “[CNLohr] Reverses Vive, Valve Engineers Play Along”