Glitching USB Firmware for Fun

[Micah Elizabeth Scott], aka [scanlime], has been playing around with USB drawing tablets, and got to the point that she wanted to get at the firmware: to reverse engineer it, see what's going on, and who knows what else. Wacom didn't design the devices to be user-updateable, so there aren't copies of the ROMs floating around the web, and the tablet's microcontroller seems to be locked down to boot.

With the easy avenues turning up dead ends, that means building some custom hardware to get it done, and making a very detailed video documenting the project (embedded below). If you're interested in chip power-glitching attacks, and if you don't suffer from a short attention span, watch it; it's a phenomenal introduction.


Seeking Treachery in a Questionably Sourced Phone

Have you ever considered sourcing an off-brand phone from the China markets? Why, or what stopped you? The answer is data and identity. You are trusting both when you decide to use a smartphone. Let’s face it, smartphones are a personality prosthesis in our society. They know your physical location, what your interests are, the people you hang out with, and how you spend your money. The keys to the castle are shared with these devices and you shouldn’t grant that kind of trust without knowing your phone is worthy of it.

But… what if that phone has amazing features at an equally amazing price? [ijsf] bought the phone and then made it earn the proper level of trust. The model in question is a Blackview BV6000s, pictured above in a tub of soapy water proving its IP68 claim. This thing has flagship specs but not a flagship name, so [ijsf] took [Dave Jones'] advice and took it apart instead of turning it on. In this case, that means a complete ROM dump and disassembly.

The goal was to find malware, or anything else that might be leaking data. Nothing was found, which we think is because this phone isn't nearly shady enough. We'd expect the bargain-basement models (like this $3 wonder vaporware) to be more in line with that expectation. That one actually has a carrier behind it, which means they plan to recoup on usage charges. But suspiciously cheap phones may be using a business model that makes it back by stealing a chunk of your identity.

Two good things come out of [ijsf's] writeup. First, it's a decent guide to dumping and snooping around in a ROM. Second, in addition to the fruitless search for thieving apps, the annoying bloatware was removed for a cleaner 'stock' image.

Nexmon Turns Nexus 5 (and RPi3!) Into WiFi Toolkit

Back in the day, when wardriving was still useful (read: before WPA2 was widespread), we used to wander around with a Zaurus in our pocket running Kismet. Today, every cellphone has WiFi and a significantly more powerful processor inside. But alas, the firmware is locked down.

Enter the Nexmon project. If you've got a Nexus 5 phone with the Broadcom BCM4339 WiFi chipset, you've now got a monitor-mode, packet-injecting workhorse in your pocket, and it looks a lot less creepy than that old Zaurus. But more to the point, Nexmon is open. If you'd like to see what it took to reverse-engineer a way into the phone's WiFi firmware, or make your own patches, here's a great starting place.

But wait, there’s more! The recently released Raspberry Pi 3 has a similar Broadcom WiFi chipset, and has been given the same treatment, turning your RPi 3 into a wireless-sniffing powerhouse. How many Raspberry Pi “hacks” actually hack the Raspberry Pi? Well, here’s one.

We first learned of this project from a talk given at the MetaRhein-Main Chaos Days conference which took place last weekend. The Nexmon talk (in German, but with slides in English) is just one of the many talks, all of which are available online.

The Nexmon project is a standout, however. Not only do they reverse the WiFi firmware in the Nexus 5, but they show you how, and then apply the same methods to the RPi3. Kudos times three to [Matthias Schulz], [Daniel Wegemer], and [Matthias Hollick]!

Open Source SNES to USB Converter Lets You Emulate Legally

[Andrew Milkovich] was inspired to build his own Super Nintendo cartridge reader, based on a device we covered an eternity (in internet years) ago. The device mounts a real cartridge as a USB mass storage device, allowing you to play your games in an emulator directly from the cart.

This uses a Teensy++ 2.0 at its core. [Andrew] had to desolder the EEPROM pins from the SNES cartridge and reverse engineer the pinouts himself, but the end result was a device that could successfully read the cartridge without erasing it, no small accomplishment. The finished cartridge reader is built on some protoboard, and we'd like to compliment [Andrew] on his jumper routing on the underside of that board.

Of course, the experience of any console is just not the same without the original controller. So [Andrew] went a step further and made his own SNES controller to USB converter. This one has the venerable Atmel ATmega328 at its core, and can be used separately from the cartridge reader if desired.

Cracking The Sega Saturn After 20 Years

When it was released 20 years ago, the Sega Saturn was by far the most powerful video game console available. It was a revolutionary device, had incredible (for the time) graphics, and a huge library of IP Sega could draw from. The Saturn was quickly overshadowed by the Sony PlayStation, and soon these devices found themselves unused, unloved, and fetching high prices on the collectors' market.

After finding a Sega Saturn on a trip to Japan, [jhl] decided he would like to write some code for this machine. Unlike earlier consoles, where Flash cartridges are readily available, or later consoles, where writing directly to the on-board storage is easy, bringing up a development environment for the Saturn isn’t easy. The best method is installing a mod chip and working off of burned CDs. Instead of writing a game or two for the Saturn, [jhl] got distracted for a few years and developed an optical drive emulator.

According to [jhl], the design of the Sega Saturn is tremendously complicated. There's an entire chip dedicated to controlling the CD drive, and after some serious reverse engineering work, [jhl] had it pretty much figured out. The question then was how to load data onto the Saturn. For that, [jhl] turned to the internal expansion port on the Saturn. This internal expansion port was designed to accept an MPEG decoder card for playing video CDs on the Saturn, but the connector presents the entire bus. By attaching a Game Boy Flash cartridge, [jhl] was able to dump the ROM on the CD controller.

With a little bit of work, a fast ARM microcontroller, and a CPLD for all the glue logic, [jhl] built an adapter to push CD data to the Saturn through this internal expansion port. Not only is this a boon for homebrew Saturn development, but this build also completely replaces the CD drive in the Saturn, a common failure point in this 20-year-old machine.

The formal release for this ultimate Saturn crack isn’t out yet, but it’s coming shortly, allowing anyone who still has a Saturn to enjoy all those very blocky games and develop their own games. You can check out a short, amateur documentary made on [jhl]’s efforts below.


Put a Reverse Engineered Power Meter in Your Toolkit

It seems that one can buy cheap power meters online and, well, that’s it. They work just fine, but to use them for anything else (like datalogging or control or…) they need a bit more work. The good news is that [Thomas Scherrer], alias [OZ2CPU], just did that reverse engineering work for us.

Inside these budget power meters, you'll find an LCD driver, a power-monitoring chip, and an STM32F030, a low-cost ARM Cortex-M0 chip that's fun to play with on its own. [Thomas] traced out the SPI lines that the power-monitoring chip uses to talk to the microcontroller and broke in to snoop on the signals. Once he understood all the data, tossing an ATmega88 onto the SPI lines let him exfiltrate it over a convenient asynchronous serial interface.

If you’re going to do this hack yourself, you should note that the internals of the power meter run at line voltage — the 3.3 V that powers the microcontroller floats on top of the 230 V coming out of [Thomas]’s wall plug. He took the necessary precautions with an isolation transformer while testing the device, and didn’t get shocked. That means that to get the serial data out, you’ll need to use optoisolation (or radio!) on the serial lines.
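As an added example (not code from the original article or from [Thomas]'s project), here is a small Python decoder for the kind of logic-analyzer capture you would take while tapping those SPI lines, before committing the decoding to a microcontroller. It assumes SPI mode 0 (clock idle low, data sampled on the rising edge), MSB-first bytes, an active-low chip select, and one (CS, SCLK, MOSI, MISO) sample per capture row; the power-monitor chip's register map is not on the page, so the summary step only groups frames by their first MOSI byte on the common but assumed convention that it is a command or register address. The capture it decodes is constructed inline.

```python
"""Decode a tapped SPI bus into per-chip-select frames.

Added example; not from the original article or [Thomas]'s project.
Assumptions (not taken from the page): SPI mode 0 (SCLK idle low, data
sampled on the rising edge), MSB-first, active-low chip select, and a
capture format of one (CS, SCLK, MOSI, MISO) tuple per logic-analyzer
sample. The power-monitor register map is unknown, so summarize() only
groups frames by their first MOSI byte, assumed to be a command byte.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

Sample = Tuple[int, int, int, int]  # (cs, sclk, mosi, miso), each 0 or 1


@dataclass
class Frame:
    mosi: bytes  # what the host microcontroller sent
    miso: bytes  # what the power-monitoring chip answered


def bits_to_bytes(bits: List[int]) -> bytes:
    """Pack MSB-first bits; a trailing partial byte is dropped, not padded,
    because it usually means the probe missed clock edges."""
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        value = 0
        for bit in bits[i:i + 8]:
            value = (value << 1) | bit
        out.append(value)
    return bytes(out)


def decode_spi(samples: List[Sample]) -> List[Frame]:
    """Split a sample stream into frames delimited by CS and clock the bits
    in on each rising SCLK edge while CS is asserted (low)."""
    frames: List[Frame] = []
    prev_cs, prev_sclk = 1, 0
    mosi_bits: List[int] = []
    miso_bits: List[int] = []
    for cs, sclk, mosi, miso in samples:
        if prev_cs == 1 and cs == 0:                  # CS asserted: new frame
            mosi_bits, miso_bits = [], []
        if cs == 0 and prev_sclk == 0 and sclk == 1:  # rising edge: sample bits
            mosi_bits.append(mosi)
            miso_bits.append(miso)
        if prev_cs == 0 and cs == 1:                  # CS released: frame done
            frames.append(Frame(bits_to_bytes(mosi_bits), bits_to_bytes(miso_bits)))
        prev_cs, prev_sclk = cs, sclk
    return frames


def summarize(frames: List[Frame]) -> Dict[int, List[bytes]]:
    """Group MISO payloads by the first MOSI byte (assumed command byte).
    Comparing captures grouped this way is how you spot which register
    moves with voltage, current or power."""
    by_command: Dict[int, List[bytes]] = {}
    for frame in frames:
        if frame.mosi:
            by_command.setdefault(frame.mosi[0], []).append(frame.miso[1:])
    return by_command


def make_capture(frames: List[Tuple[bytes, bytes]]) -> List[Sample]:
    """Build a constructed mode-0 capture for testing; each bit is two
    samples (SCLK low, then SCLK high)."""
    samples: List[Sample] = [(1, 0, 0, 0)]  # bus idle, CS high
    for mosi, miso in frames:
        for m_byte, s_byte in zip(mosi, miso):
            for shift in range(7, -1, -1):
                m_bit, s_bit = (m_byte >> shift) & 1, (s_byte >> shift) & 1
                samples.append((0, 0, m_bit, s_bit))
                samples.append((0, 1, m_bit, s_bit))
        samples.append((0, 0, 0, 0))  # clock back to idle
        samples.append((1, 0, 0, 0))  # release CS
    return samples


if __name__ == "__main__":
    # Constructed traffic: two reads of command 0x42, one of 0x43.
    capture = make_capture([(b"\x42\x00", b"\x00\x9a"),
                            (b"\x42\x00", b"\x00\x9b"),
                            (b"\x43\x00\x00", b"\x00\x01\x02")])
    for cmd, payloads in summarize(decode_spi(capture)).items():
        print(f"cmd 0x{cmd:02x}: {[p.hex() for p in payloads]}")
```

Dropping a trailing partial byte rather than padding it is deliberate: on a real tap a short frame almost always means the probe lost edges, and silently padding would make bad captures look like valid register values. If your meter's chip turns out to use a different clock phase or LSB-first ordering, the sampling condition in decode_spi and the shift in bits_to_bytes are the only two lines to change.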

Now that we know how this thing works on the inside, it’s open-season for power-management hacks. Toss a mains socket and an ESP8266 in a box and you’ve got a WiFi-logging power meter that you can use anywhere, all for under $20. Sweet.

Custom Firmware Unlocks Fitness Tracker

[Mikhail] sent us a teaser video for a hack he'd done (embedded below). He takes a Bluetooth LE fitness tracker dongle and reflashes it to spit out the raw accelerometer data and trigger events. He then wrote a phone app that receives the data and uses the device as an alarm, an on/off switch, a data-logging device, and more.

We thought it was cool enough that we asked [Mikhail] for more detail, and he delivered in spades! Inside the device is a Nordic nRF51822, their ARM Cortex-M0 + Bluetooth chip, an accelerometer, and a bunch of LEDs. [Mikhail] mapped out the programming header, erased the old flash, and refilled it with his own code. He even added over-the-air DFU reflashing so that he wouldn't have to open up the case again.
