A Lesson in Blind Reverse Engineering – Signals Intelligence


In a fit of desperation, I turned to data mining tools and algorithms, but stepped back from the horror of that unspeakable knowledge before my mind was shattered. That way madness lies.

–[Rory O'hare]

Wise words. Wise words, indeed. Who among us hasn’t sat staring into the abyss of seemingly endless data without the slightest clue as to what it means, or even how to go about figuring out what it means? To literally feel the brain damage seeping in as you start to see ‘ones’ and ‘zeros’ reach out to you from everyday electronic devices…like some ghost in the wires. But do not fear, wise hacker! For we have good news to report! [Rory O'hare] has dived into this very abyss, and has emerged successful.

While others were out and about playing games and doing whatever non-hackers do to entertain themselves, [Rory O'hare] decided to reach out and grab some random wireless signals for a little fun and excitement. And what he found was not just a strong, repeating signal at 433 MHz. Not just a signal that oozed with evidence of ASK. What he found was a challenge…a mystery that was begging to be solved. A way to test his skill set. Could he reverse engineer a signal by looking at the signal alone? Read on, and find out.

Learning to Reverse Engineer on a Broken Printer


When a Lexmark inkjet printer stopped working, [Mojobobo] was able to claim it as his own. He quickly realized that the machine was flooded with ink and not worth repairing, but that didn’t mean he couldn’t still find a use for it. When he learned that the printer’s firmware was not only upgradable but also unprotected, he knew he should be able to get the printer to do his own bidding.

[Mojobobo] started his journey with the motherboard. The unit still powered up, but it was asking to insert a “duplex module” before it would boot any further. [Mojobobo] first tried to find a way to trick the duplex module sensor, but was unsuccessful. His next step was to search for some kind of serial communications port. He didn’t have an oscilloscope, so instead he used a speaker with a wire probe. In theory, if the wire was pressed against an active serial port, he would be able to hear varying tones through the speaker. Sure enough, he found some interesting tones after probing around some ports next to a “JTAG” label. He looked up some information about the nearby chip and found that it included an SPI bus.

After some internet research, [Mojobobo] learned enough about SPI to have a rough idea of how to use it. Having limited tools available to him, he decided to use his Arduino to try to communicate with the motherboard. After wiring up a simple circuit (and then re-wiring it), he was able to dump the first 4096 bytes of the motherboard’s boot loader to the Arduino via the SPI interface.

[Mojobobo's] next steps will be to find a faster way to dump the boot loader. At 9600 baud, he grew tired of waiting after three hours. Once he has the full boot loader he intends to search for a way to bypass the duplex sensor and get the board to finish booting. Then he may just use the printer for its scanning functions, or he might find other interesting uses for it.

Reverse Engineering Serial Ports
Can you spot the serial port in the pic above? You can probably see the potential pads, but how do you figure out which ones to connect to? [Craig] over at devttys0 put together an excellent tutorial on how to find serial ports. Using some extreme close-ups, [Craig] guides us through his thought process as he examines a board. He discusses some of the basics every hobbyist should know, such as how to make an educated guess about which pads are ground and VCC. He also explains the process of guessing the transmit/receive pins, although that is less straightforward.

Once you’ve identified the pins, you need to actually communicate with the device. Although there’s no easy way to guess the data, parity, and stop bits except for using the standard 8N1 and hoping for the best, [Craig] simplifies the process a bit with some software that helps to quickly identify the baud rate. Hopefully you’ll share [Craig's] good fortune if you reach this point, greeted by boot messages that allow you further access.

Android and Arduino RF Outlet Selector
Cyber Monday may be behind us, but there are always some hackable, inexpensive electronics to be had. [Stephen's] wireless Android/Arduino outlet hack may be the perfect holiday project on the cheap, especially considering you can once again snag the right remote controlled outlets from Home Depot. This project is similar to other remote control outlet builds we’ve seen here, but for around $6 per outlet: a tough price to beat.

[Stephen] Frankenstein’d an inexpensive RF device from Amazon into his build, hooking the Arduino up to the 4 pins on the transmitter. The first step was to reverse engineer the communication for the outlet, which was accomplished through some down and dirty Arduino logic analyzing. The final circuit included a standard Arduino Ethernet shield, which [Stephen] hooked up to his router and configured to run as a web server. Most of the code was borrowed from the RC-Switch outlet project, but the protocols from that build are based on US standards and did not quite fit [Stephen's] needs, so he turned to a similar Instructables project to work out the finer details.

Stick around after the break for a quick video demonstration, then check out another wireless outlet hack for inspiration.


Reverse engineering the die of a ULN2003 transistor array
We’re no strangers to looking at uncapped silicon. This time around it’s not just a show and tell, as one transistor from a ULN2003 chip is reverse engineered.

The photo above is just one slice from a picture of the chip after having its plastic housing removed (decapped). It might be a stretch to call this reverse engineering. It’s more of a tutorial on how to take a functional schematic and figure out where each component is placed on a photograph of a chip die. Datasheets usually include these schematics so that engineers know what to expect from the hardware. But knowing what a resistor or transistor looks like on the die is another story altogether.

The problem is that you can’t just look at a two-dimensional image like the one above. These semiconducting elements are manufactured in three dimensions. The article illustrates where the N- and P-type materials are located on the transistor using a high-res photo and a reference diagram.

If you want to photograph your own chip dies there are a few ways to decap them at home.

Reverse engineering Solari soft flap displays

This is a side view of the guts of a one-character Solari soft-flap module. This is the type of mechanical display used in some transportation hubs that has a flap for each letter. The motor turns the flaps through the alphabet until it gets to the target letter. Recently [Boz] had a client approach him who needed a custom controller for a 20-character soft-flap display.

The process started out with a magnifying glass and a multimeter, which yielded a rather complicated hand-drawn schematic. An optical encoder is used to judge which character is currently displayed. After analyzing the output using an oscilloscope, [Boz] designed a PIC-based driver board that controls the display seen in the clip after the break.

The great thing about these displays is that they don’t use any electricity except when they change letters. This sounds like the predecessor of ePaper, and makes us wonder whether any companies are developing high-contrast ePaper to replace soft-flap digits.


Reverse engineering old PDA software

[Troy Wright] acquired a lot of twenty broken Dell Axim PDAs. This type of hardware was quite popular a decade ago, but looks archaic when compared to a modern cell phone. That’s why he was able to get them for a song. After a bit of work he managed to resurrect eight of the units, but was dismayed to find there’s no published method for controlling the backlight from software. For some reason this is a deal-breaker for his project. But he knew it was possible because there are some apps for the device which are able to set the backlight level. So he found out how to do it by reverse engineering the software.

The trick is to get hold of the code. Since it’s not open source, [Troy] used IDA, a graphical disassembler and debug suite. He had some idea of what he was hunting for, as the Windows CE developer documentation does mention a way to directly control the graphics hardware independently of the display driver. A few hours of pawing through assembly language, setting breakpoints, and testing eventually led him to the solution.