Hacking a hack: disassembly and sniffing of IM-ME binary

It’s fun to pick apart code, but it gets more difficult when you’re talking about binaries. [Joby Taffey] opened up the secrets to one of [Travis Goodspeed’s] hacks by disassembling and sniffing the data from a Zombie Gotcha game binary.

We looked in on [Travis’] work yesterday at creating a game using sprites on the IM-ME. He challenged readers to extract the 1-bit sprites from an iHex binary and that’s what got [Joby] started. He first tried to sniff the LCD data traces using a Bus Pirate but soon found the clock signal was much too fast for the device to reliably capture the signals. After looking into available source code from other IM-ME hacks [Joby] found how the SPI baud rate is set, then went to work searching for that in a disassembly of [Travis’] binary. Once found, he worked through the math necessary to slow down communication from 2.7 Mbit/s to 2400 bps and altered the binary data to match that change. This slower speed is more amenable to the Bus Pirate’s capabilities and allowed him to dump the sprite data as it was sent to the LCD screen.
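As an added illustration of the baud-rate math described above (this is not code from the original post or from Joby Taffey's work), the CC1110 datasheet formula for the USART baud-rate generator applied to the IM-ME's LCD SPI link. A 26 MHz system clock, the U0BAUD/U0GCR register layout and the sample U0GCR value are assumptions; the actual bytes in Travis's binary are not shown on the page.

```python
# Added example: CC1110 USART baud-rate arithmetic used when slowing the
# IM-ME LCD SPI clock so a Bus Pirate can keep up. Not the original hack's code.
#
# Datasheet formula:  baud = (256 + BAUD_M) * 2**BAUD_E / 2**28 * F_sys
# BAUD_M is the U0BAUD register; BAUD_E is the low 5 bits of U0GCR, whose
# upper bits hold CPOL/CPHA/ORDER and must survive a patch of the binary.
F_SYS_HZ = 26_000_000  # assumed IM-ME system clock


def baud_rate(baud_m: int, baud_e: int, f_sys: int = F_SYS_HZ) -> float:
    """Effective bit rate for a given (BAUD_M, BAUD_E) register pair."""
    assert 0 <= baud_m <= 255 and 0 <= baud_e <= 31
    return (256 + baud_m) * (1 << baud_e) / (1 << 28) * f_sys


def closest_setting(target: float, f_sys: int = F_SYS_HZ) -> tuple[int, int]:
    """Brute-force the (BAUD_M, BAUD_E) pair whose rate is nearest the target."""
    best = None  # (error, baud_m, baud_e)
    for e in range(32):
        for m in range(256):
            err = abs(baud_rate(m, e, f_sys) - target)
            if best is None or err < best[0]:
                best = (err, m, e)
    return best[1], best[2]


def patch_registers(old_gcr: int, baud_m: int, baud_e: int) -> tuple[int, int]:
    """New (U0BAUD, U0GCR) bytes: replace BAUD_E, keep CPOL/CPHA/ORDER bits."""
    return baud_m & 0xFF, (old_gcr & 0xE0) | (baud_e & 0x1F)


if __name__ == "__main__":
    # Rates quoted in the write-up: ~2.7 Mbit/s down to 2400 bps.
    for rate in (2_700_000, 2400):
        m, e = closest_setting(rate)
        print(f"{rate:>9} bps -> BAUD_M={m:3d} BAUD_E={e:2d} "
              f"(actual {baud_rate(m, e):.1f} bps)")
    # Constructed U0GCR value 0xA0 (CPOL=1, ORDER=1) patched to 2400 bps.
    u0baud, u0gcr = patch_registers(0xA0, *closest_setting(2400))
    print(f"patched bytes: U0BAUD=0x{u0baud:02X} U0GCR=0x{u0gcr:02X}")
```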

[Thanks Travis]

IM-ME USB dongle hacking

This circuit board is from the USB dongle of a Girl Tech IM-ME. [Joby Taffey] took it apart and poked around to learn its secrets. These dongles come along with the pink pager that has become a popular low-cost hacking platform. But we haven’t seen much done with the dongle itself up until now.

[Joby] used the OpenBench Logic Sniffer to gain some insight on what’s going on here. The board has two chips on it: a Cypress CY7C63803 USB microcontroller, which talks to the computer over USB and communicates over SPI with a Chipcon CC1110 radio SoC. It looks like reprogramming the Cypress chip is a no-go, so he went to work on the CC1110. The inter-chip communications data that he acquired by sniffing the SPI lines gave him all he needed to reimplement the protocol using his own firmware. As a proof of concept he reflashed the CC1110 and can now send and receive arbitrary commands from the dongle. There’s a tiny video after the break showing a script on the computer turning the dongle’s LED on and off.


Pulling data from the IM-ME spectrum analyzer

A small, cheap spectrum analyzer with an LCD can be a fun thing to play with. But to be truly useful you need access to raw data, and lots of it. [Travis Goodspeed] set out to make that possible by pulling data with a GoodFET and a Python script.

He started with [Michael Ossmann’s] IM-ME spectrum analyzer, which uses a CC1110 chip. The two of them are giving a lecture at Toorcon 12 (called Real Men Carry Pink Pagers) and this will be used as a demonstration device. After studying the datasheet he found the starting RAM address and did some further work to decipher how the data is stored in it. From there it was a matter of working out the timing for grabbing the data, and coding a method for storing it. Now he’s looking for brave souls to help him trailblaze with this newly-discovered tool. It seems that if you know what you are doing, and have abundant patience, you can use this for a bit of old-fashioned reverse engineering.

PC side IM-ME hacks

[Paul Klemstine] is working on some PC-side software hacks for the IM-ME. We’ve seen a lot of hardware hacks for this device, such as controlling the display, firmware flashing, and using it as a spectrum analyzer, but if you don’t want to alter the device right away you can try [Paul’s] collection of hacks. Working with the code developed by [Ben Ryves] there is support for using the IM-ME as a command prompt, to control Winamp, and as a wireless keyboard. Crack out your C# skills and develop the next feature for this inexpensive device.

IM-ME spectrum analyzer

[Michael Ossmann] rolled out some firmware that makes his IM-ME into a spectrum analyzer. He met up with [Travis Goodspeed], who authored the IM-ME flashing guide, at ShmooCon and spent some time hacking wireless doo-dads in the hotel bar. Once he arrived home the new firmware was just a few coding sessions away from completion. It scans one frequency at a time, displaying the results in a 132-column graph on the screen. He also added a ribbon cable and header to the debug contacts so that future hacking would be as simple as plugging in the GoodFET.

[Thanks Jared and Travis]

Easy IM-ME flashing

[Travis Goodspeed] wrote a guide to firmware flashing for the IM-ME. He’s using a GoodFET open-source JTAG adapter that he designed to do the programming. This is really taking [Dave’s] work on the device and running with it. The end goal is to develop an operating system for the device. If you haven’t read the past articles, once hacked this becomes a development board for the Chipcon CC1110 processor with keyboard, LCD screen, and wireless communications included.

IM-ME screen reverse engineered

[Dave] figured out the command set for the IM-ME terminal. It took a bit of sleuthing to get this pink plastic peripheral to give up these secrets. He used an oscilloscope to sniff out the SPI connections, then used a hacked IM-ME to capture the traffic from a factory-fresh unit. He managed to extrapolate how write data was being sent, but he still couldn’t figure out how commands were differentiated from that data. With the info at hand he searched around the interwebs to find that the screen uses an ST7565S controller. Now he’s got custom firmware to make the LCD display do his bidding, and we’re wondering what’s next.