Dummies Guide to Reverse Engineering

[Juan Carlos Jiménez] has reverse engineered a router — specifically, a Huawei HG533. While that in itself may not sound substantial, what he has done is write a series of blog posts which can act as a great tutorial for anyone wanting to get started with sniffing hardware. Over the five part series, he walks through the details of identifying the hardware serial ports which open up the doors to the firmware and looking at what’s going on under the hood.

The first part deals with finding the one or several debug ports on the hardware and identifying the three important pins – Rx, Tx and GND. That’s when he shows novices his first trick – shining a flashlight from under the PCB to find the pins that have trace connections (most likely Rx and Tx), those that don’t have any connections (most likely CTS and DTR) and those that have connections to the copper pour planes (most likely VCC and GND). The Tx signal will be pulled up and transmitting data when the device is powered up, while the Rx signal will be floating, making it easy to identify them. Finding the Baud rate, though, will require either a logic analyser, or you’ll have to play a bit of a guessing game.

Once you have access to the serial port and know its baud rate, it’s time to hook it up to your computer and use any one of the several ways of looking at what’s coming out of there — minicom, PuTTY or TeraTerm, for example. With access to the devices CLI, and some luck with finding credentials to log in if required, things start getting interesting.

Over the next part, he discusses how to follow the data paths, in this case, looking at the SPI signals between the main processor and the flash memory, and explaining how to use the logic analyser effectively and decode the information it captures. Moving further, he shows how you can hook up a USB to SPI bridge, connect it to the flash memory, take a memory dump of the firmware and read the extracted data. He wraps it up by digging in to the firmware and trying to glean some useful information.

It’s a great series and the detailed analysis he does of this particular piece of hardware, along with providing a lot of general tips, makes it a perfect starting point for those who need some help when getting started on debugging hardware.

Thanks, [gnif] for posting this tip.

Continue reading “Dummies Guide to Reverse Engineering”

Reverse Engineer a VFD after Exploring How They Work

[Dave Jones] got his hands on a really wide, 2-row Vacuum Fluorescent Display. We’ve come across these units in old equipment before and you can get them from the usual sources, both new and used, but you need to know how to drive them. This recent installment of the EEVblog reverse engineers this VFD.

The function of these displays is pretty easy to understand, and [Dave] covers that early in the video after the break. There is a cathode wire and phosphorescent coated anodes. When current is applied the anodes glow. To add control of which anodes are glowing a mesh grid is placed between the anodes and the cathode wire. Applying negative potential to the grid prevents the electrons from traveling to the anode so that area will not be lit.

Now driving this low-level stuff is not easy, but rest assured that most VFDs you find are going to have a driver attached to them. The reverse engineering is to figure out the protocol used to control that driver. On this board there is a 2-pin connector with a big electrolytic filtering cap which is a dead giveaway for power rails. Looking at the on-board processor which connects directly he ascertains that the input will be 5V regulated since this is what that chip will expect. Connecting his bench supply yields a blinking cursor! [Dave] goes on to pump parallel data and test out the control pins all using an Arduino. He finds success, sharing many great reverse engineering tips along the way.

We often call this type of thing a dark art, but that’s really just because there aren’t a lot of people who feel totally comfortable giving it a try. We think that needs to change, so follow this example and also go look at [Ben Heckendorn’s] recent LCD reverse engineering, then grab some equipment and give it a try for yourself. We want to hear about your accomplishments!

Continue reading “Reverse Engineer a VFD after Exploring How They Work”

Reverse Engineer then Drive LCD with FPGA

Fans of [Ben Heck] know that he has a soft spot for pinball machines and his projects that revolve around that topic tend to be pretty epic. This is a good example. At a trade show he saw an extra-wide format LCD screen which he thought would be perfect on a pinball build. He found out it’s a special module made for attaching to your car’s sun visor. The problem is that it only takes composite-in and he wanted higher quality video than that offers. The solution: reverse engineer the LCD protocol and implement it in an FPGA.

This project is a soup to nuts demonstration of replacing electronics drivers; the skill is certainly not limited to LCD modules. He starts by disassembling the hardware to find what look like differential signaling lines. With that in mind he hit the Internet looking for common video protocols which will help him figure out what he’s looking for. A four-channel oscilloscope sniffs the signal as the unit shows a blue screen with red words “NO SIGNAL”. That pattern is easy to spot since the pixels are mostly repeated except when red letters need to be displayed. Turns out the protocol is much like VGA with front porch, blanking, etc.

With copious notes about the timings [Ben] switches over to working with a Cyclone III FPGA to replace the screen’s stock controller. The product claims 800×234 resolution but when driving it using those parameters it doesn’t fill the entire screen. A bit more tweaking and he discovers the display actually has 1024×310 pixels. Bonus!

It’s going to take us a bit more study to figure out exactly how he boiled down the sniffed data to his single color-coded protocol sheet. But that’s half the fun! If you need a few more resources to understand how those signals work, check out one of our other favorite FPGA-LCD hacks.

Continue reading “Reverse Engineer then Drive LCD with FPGA”

Reverse Engineering a Wireless Studio Lighting Remote

If you want to take a photograph with a professional look, proper lighting is going to be critical. [Richard] has been using a commercial lighting solution in his studio. His Lencarta UltraPro 300 studio strobes provide adequate lighting and also have the ability to have various settings adjusted remotely. A single remote can control different lights setting each to its own parameters. [Richard] likes to automate as much as possible in his studio, so he thought that maybe he would be able to reverse engineer the remote control so he can more easily control his lighting.

[Richard] started by opening up the remote and taking a look at the radio circuitry. He discovered the circuit uses a nRF24L01+ chip. He had previously picked up a couple of these on eBay, so his first thought was to just promiscuously snoop on the communications over the air. Unfortunately the chips can only listen in on up to six addresses at a time, and with a 40-bit address, this approach may have taken a while.

Not one to give up easily, [Richard] chose a new method of attack. First, he knew that the radio chip communicates to a master microcontroller via SPI. Second, he knew that the radio chip had no built-in memory. Therefore, the microcontroller must save the address in its own memory and then send it to the radio chip via the SPI bus. [Richard] figured if he could snoop on the SPI bus, he could find the address of the remote. With that information, he would be able to build another radio circuit to listen in over the air.

Using an Open Logic Sniffer, [Richard] was able to capture some of the SPI communications. Then, using the datasheet as a reference, he was able to isolate the communications that stored information int the radio chip’s address register. This same technique was used to decipher the radio channel. There was a bit more trial and error involved, as [Richard] later discovered that there were a few other important registers. He also discovered that the remote changed the address when actually transmitting data, so he had to update his receiver code to reflect this.

The receiver was built using another nRF24L01+ chip and an Arduino. Once the address and other registers were configured properly, [Richard’s] custom radio was able to pick up the radio commands being sent from the lighting remote. All [Richard] had to do at this point was press each button and record the communications data which resulted. The Arduino code for the receiver is available on the project page.

[Richard] took it an extra step and wrote his own library to talk to the flashes. He has made his library available on github for anyone who is interested.

A Lesson in Blind Reverse Engineering – Signals Intelligence

spread sheet of binary data

In a fit of desperation, I turned to data mining tools and algorithms, but stepped back from the horror of that unspeakable knowledge before my mind was shattered. That way madness lies.

–[Rory O’hare]

Wise words. Wise words, indeed. Who among us hasn’t sat staring into the abyss of seemingly endless data without the slightest clue to what it means or even how to go about figuring out what it means? To literally feel the brain damage seeping in as you start to see ‘ones’ and ‘zeros’ reach out to you from every day electronic devices…like some ghost in the wires. But do not fear, wise hacker! For we have good news to report! [Rory O’hare] has dived into this very abyss, and has emerged successful.

While others were out and about playing games and doing whatever non-hackers do to entertain themselves, [Rory O’hare] decided to reach out and grab some random wireless signals for a little fun and excitement. And what he found was not just a strong, repeating signal at 433Mhz. Not just a signal that oozed with evidence of ASK. What he found was a challenge…a mystery that was begging to be solved. A way to test his skill set. Could he reverse engineer a signal by just looking at the signal alone? Read on, and find out.




Learning to Reverse Engineer on a Broken Printer

Lexmark Hack

When a Lexmark inkjet printer stopped working, [Mojobobo] was able to claim it as his own. He quickly realized that the machine was flooded with ink and not worth repairing, but that didn’t mean he couldn’t still find a use for it. When he learned that the printer’s firmware was not only upgradable but also unprotected, he knew he should be able to get the printer to do his own bidding.

[Mojobobo] started his journey with the motherboard. The unit still powered up, but it was asking to insert a “duplex module” before it would boot any further. [Mojobobo] first tried to find a way to trick the duplex module sensor, but was unsuccessful. His next step was to search for some kind of serial communications port. He didn’t have an oscilloscope, so instead he used a speaker with a wire probe. In theory, if the wire was pressed against an active serial port, he would be able to hear varying tones through the speaker. Sure enough, he found some interesting tones after probing around some ports next to a “JTAG” label. He looked up some information about the nearby chip and found that it included an SPI bus.

After some internet research, [Mojobobo] learned enough about SPI to have a rough idea of how to use it. Having limited tools available to him, he decided to use his Arduino to try to communicate with the motherboard. After wiring up a simple circuit, (and then re-wiring it) he was able to dump the first 4096 bytes of the motherboard’s boot loader to the Arduino via the SPI interface.

[Mojobobo’s] next steps will be to find a faster way to dump the boot loader. At 9600 baud, he grew tired of waiting after three hours. Once he has the full boot loader he intends to search for a way to bypass the duplex sensor and get the board to finish booting. Then he may just use the printer for its scanning functions, or he might find other interesting uses for it.

Reverse Engineering Serial Ports

Can you spot the serial port in the pic above? You can probably see the potential pads, but how do you figure out which ones to connect to? [Craig] over at devttys0 put together an excellent tutorial on how to find serial ports. Using some extreme close-ups, [Craig] guides us through his thought process as he examines a board. He discusses some of the basics every hobbyist should know, such as how to make an educated guess about which ports are ground and VCC. He also explains the process to guessing the transmit/receive pins, although that is less straightforward.

Once you’ve identified the pins, you need to actually communicate with the device. Although there’s no easy way to guess the data, parity, and stop bits except for using the standard 8N1 and hoping for the best, [Craig] simplifies the process a bit with some software that helps to quickly identify the baud rate. Hopefully you’ll share [Craig’s] good fortune if you reach this point, greeted by boot messages that allow you further access.