A Disposable Dumper For ROM Chips With A Pi Pico

ROM dumping is vital for preserving old hardware, and we’ve seen many hacks dedicated to letting someone dump a ROM and send its contents to some hacker stuck with a piece of technology that lost its firmware. However, that requires ROM dumping tools of some kind, and often the lucky ROM-equipped hacker doesn’t own such tools. Now, you could mail the chip to someone else, but postal services in many countries are known to be UDP-like: lossy and without delivery guarantees. The risk of leaving both hackers without a ROM chip is quite real, so, instead of mailing ROM chips or expensive devices around, [Amen] proposes a cheap and disposable flash dumping tool that you could mail instead.

The ROMs in question are 24-pin 2332 and 2364 chips, which run at 5 V and can easily be read with any microcontroller. Thus, his concept is a very simple board, with a Pi Pico and flash chip socket on it, as well as some resistors. Those are used to provide rudimentary GPIO over-voltage protection, since the RP2040 runs its GPIOs at 3.3 V. All the magic is in the software – the tool can both write the chip contents into the RP2040’s internal memory and dump them over USB to the computer. Everything is open-source – if you ever need to dump a rare chip on the other side of the world, modify the design to your liking, order a few copies and then mail them to the hacker involved – losing such a package is way less significant than losing a ROM chip with last-of-its-kind firmware on it.

Old ROM chips are dying out, causing whole generations of hardware, like synths, to fade away – with tools like this one, you can lend a hand in preserving the legacy of many an industry and hobby, and many hackers do. Looking to learn about the basics of parallel flash dumping? This post from 2012 will be a good start, and then check out a more recent venture to learn how things are done with more recent parts.

Glitching USB Firmware For Fun

[Micah Elizabeth Scott], aka [scanlime], has been playing around with USB drawing tablets, and got to the point where she wanted to get at the firmware: to reverse engineer it, see what’s going on, and who knows what else. Wacom didn’t design the devices to be user-updateable, so there aren’t copies of the ROMs floating around the web, and the tablet’s microcontroller seems to be locked down to boot.

With the easy avenues turning up dead ends, that means building some custom hardware to get it done and making a very detailed video documenting the project (embedded below). If you’re interested in chip power glitching attacks, and if you don’t suffer from a short attention span, watch it; it’s a phenomenal introduction.

Dumping U8Plus Smartwatch ROM Via Vibration Motor

[Lee] continues with his exploration of the U8Plus (a cheap smartwatch). He hasn’t got it all cracked, yet, but he did manage to get a dump of the device’s ROM using an unusual method. At first, [Lee] thought that the JTAG interface (or, at least, the pins presumed to be the JTAG interface) would be a good way to explore the device. However, none of the people experimenting with the device have managed to get it to work.

Instead, [Lee] went through the serial bootloader and dumped the flash memory. He found out, though, that the bootloader refused to read the ROM area. It would, however, load and run a program. Unfortunately, no one has found how to access the UART device directly, but they have found how to drive the vibration motor.

[Lee] took off the vibration motor and used it as an output port for a simple program to dump the ROM. An Arduino picked up the data at a low baud rate and produced an output file. This should allow more understanding of how to drive the watch hardware.

We covered the initial teardown of this watch earlier this year. Of course, if you don’t want to reverse engineer a smartwatch, you could always build your own.

“Hello Barbie” Not An IoT Nightmare After All

Security researchers can be a grim crowd. Everything, when looked at closely enough, is insecure at some level, and this leads to a lot of pessimism in the industry. So it’s a bit of a shock to see a security report that’s filled with neither doom nor gloom.

We’d previously covered Somerset Recon’s initial teardown of “Hello Barbie” and were waiting with bated breath for the firmware dump and some real reverse engineering. Well, it happened and basically everything looks alright (PDF report). The Somerset folks desoldered the chip, dumped the flash ROM, and when the IDA-dust settled, Mattel used firmware that’s similar to what everyone else uses to run Amazon cloud service agents, but aimed at the “toytalk.com” network instead. In short, it uses a tested and basically sound firmware.

The web services that the creepy talking doll connected to were another story, and were full of holes that were being actively patched throughout Somerset’s investigation, but we were only really interested in the firmware anyway, and that looked OK. Not everything is horror stories in IoT security. Some stories do have a happy ending. Barbie can sleep well tonight.

Saving Old Voices By Dumping ROMs

Some people collect stamps. Others collect porcelain miniatures. [David Viens] collects voice synthesizers and their ROMs. In this video, he just got his hands on the ultra-rare Electronic Voice Alert (EVA) from early 1980s Chrysler automobiles (video embedded below the break).

Back in the 1980s, speech synthesis was in its golden years following the development of TI’s linear-predictive coding speech chips. These are the bits of silicon that gave voice to the Speak and Spell, numerous video game machines, and the TI 99/4A computer’s speech module. And, apparently, some models of Chrysler cars.

We tracked [David]’s website down. He posted a brief entry describing his emulation and ROM-dumping setup. He says he used it for testing out his (software) TMS5200 speech-synthesizer emulation.

The board appears to have a socket for a TMS-series voice synthesizer chip and another slot for the ROM. It looks like an FTDI 2232 USB-serial converter is being used in bit-bang mode with some custom code driving everything, and presumably sniffing data in the middle. We’d love to see a bunch more detail.

The best part of the video, aside from the ROM-dumping goodness, comes at the end when [David] tosses the ROM’s contents into his own chipspeech emulator and starts playing “your engine oil pressure is critical” up and down the keyboard. Fantastic.