There’s a whole lot of interesting mechanics, optics, and electronics inside a Blu-ray drive, and [scanlime] a.k.a. [Micah Scott] thinks those bits can be reused for some interesting projects. [Micah] is reverse engineering one of these drives, with the goal of turning it into a source of cheap, open source holograms and laser installations – something these devices were never meant to do. This means reverse engineering the 3 CPUs inside an external Blu-ray drive, making sense of the firmware, and making this drive do whatever [Micah] wants.
When the idea of reverse engineering a Blu-ray drive struck [Micah], she hopped on Amazon and found the most popular drive out there. It turns out, this is an excellent drive to reverse engineer – there are multiple firmware updates for this drive, an excellent source for the raw data that would be required to reverse engineer it.
[Micah]’s first effort to reverse engineer the drive seems a little bit odd; she turned the firmware image into a black and white graphic. Figuring out exactly what’s happening in the firmware with that is a fool’s errand, but by looking at the pure black and pure white parts of the graphic, [Micah] was able to guess where the bootloader was, and how the firmware image is segmented. In other parts of the code, [Micah] saw thin vertical lines she recognized as ARM code. In another section, thin horizontal black bands revealed code for an 8051. These lines are only a product of how each architecture accesses code, and really only something [Micah] recognizes from doing this a few times before.
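As an added illustration (not [Micah]'s tooling or code from the project), the sketch below renders a binary as a greyscale bitmap and labels blocks as fill or ARM-like to guess at segmentation. The function names, block size, 70% threshold and the sample image are all assumptions constructed for this example; the image width is a multiple of 4 so that 32-bit ARM words line up as vertical stripes.

```python
import random

def to_pgm(data: bytes, width: int = 256) -> bytes:
    """Render raw bytes as an 8-bit greyscale PGM image, one byte per pixel."""
    rows = -(-len(data) // width)                 # ceiling division
    return b"P5\n%d %d\n255\n" % (width, rows) + data.ljust(rows * width, b"\x00")

def classify_block(block: bytes) -> str:
    """Label one block using two simple heuristics (assumptions, not from the post)."""
    if len(set(block)) == 1 and block[0] in (0x00, 0xFF):
        return "fill"                             # pure black or pure white in the bitmap
    # 32-bit little-endian ARM: the last byte of each word carries the condition
    # field, which is 0xE ("always") for most instructions, hence a stripe every 4 bytes.
    top = block[3::4]
    if top and sum(b >> 4 == 0xE for b in top) > 0.7 * len(top):
        return "arm-like"
    return "other"

def segment(data: bytes, block: int = 256):
    """Merge consecutive blocks with the same label into (start, end, label) regions."""
    regions = []
    for off in range(0, len(data), block):
        label = classify_block(data[off:off + block])
        end = min(off + block, len(data))
        if regions and regions[-1][2] == label:
            regions[-1] = (regions[-1][0], end, label)
        else:
            regions.append((off, end, label))
    return regions

def sample_image() -> bytes:
    """Constructed stand-in for a firmware file: noise, 0xFF padding, ARM-shaped words."""
    rng = random.Random(1)
    boot = bytes(rng.randrange(256) for _ in range(1024))
    pad = b"\xff" * 1024
    arm = b"".join(bytes([rng.randrange(256), rng.randrange(256),
                          rng.randrange(256), 0xE0 | rng.randrange(16)])
                   for _ in range(512))
    return boot + pad + arm

if __name__ == "__main__":
    image = sample_image()
    with open("firmware.pgm", "wb") as f:         # open in any image viewer
        f.write(to_pgm(image))
    for start, end, label in segment(image):
        print(f"{start:#07x}-{end:#07x}  {label}")
```

On a real image, the fill regions mark likely segment boundaries, and the bitmap is what you inspect by eye for the striping patterns.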
The current state of the project is a backdoor that is able to upload new firmware to the drive. It’s in no way a complete project; only the memory for the ARM processor is running new code, and [Micah] still has no idea what’s going on inside some of the other chips. Still, it’s a start, and the beginning of an open source firmware for a Blu-ray drive.
While [Micah] wants to use these Blu-ray drives for laser graffiti, there are a number of other slightly more useful reasons for the build. With a DVD drive, you can hold a red blood cell in suspension, or use the laser inside to make graphene. Video below.
Apparently data visualization is a good tool for reverse engineering software and data.
https://www.youtube.com/watch?v=4bM3Gut1hIk
Wow. That is awesome.
Some of those 3d visualizations are beautiful.
Re graphene: IIRC dvd burners use a (relatively) high power 650nm red diode, and the laser used to create laser-scribed graphene is from a LightScribe label making drive which is a <10mW 780nm (788nm??) NIR diode. The same wavelength found in early CD-ROM drives I believe.
I have never shoulder-surfed a reverse engineering session. This is pretty impressive and interesting.
Then you should watch this: https://www.youtube.com/watch?v=7TedIzmguP0
This guy is a genius. There are other series where he reverse-engineers the FLIR Lepton thermal camera and an X-Ray machine too.
That’s quite a clever way to discover firmware regions she’s got. Cool stuff.
Crud… If this goes well, I guess I’m going to have to start making chips using photoresist on silicon wafers. Goodbye what remaining free time I might have had.
I’m interested in exactly this (and using drives like this for cheap microscopy). Would be nice to chat with you about it over email. Contact info is on my website.
I have to warn you about the only thing I’ve done a lot is making my own PCBs. It’s sadly very difficult, as a consumer, to get UV reactive coatings that are suitable for these sorts of things. All the coatings I currently use are relatively thick and only suitable to PCBs… Though riston claims to go to .4 mil, which does start to enter the large-feature IC area… I just don’t think that’s feasible.
Okay … all of that said … it looks like the last time I looked was a while ago. Some of these UV resins that are available look excellent for spin-coating, and bring this certainly within the realm of possibility! I think I’d be willing to put a bounty on further development in detailed control over these drivers. Even if I were to just make PCBs, you could do some pretty neat stuff should you get sub-mil precision on PCBs!
OK Last repost: can’t find your email. Your github email bounces.
Yeah! Making crappy ICs at home is in the realm of possibility today. And there are lots of other cool applications besides really precise PCBs. You could 3D print microfluidics chips cheaply, for example. Or play with metamaterials by etching precise copper arrays. There’s plenty out there to be revolutionized by cheap access.
Sorry about the messed up email. I thought my site was updated. http://owentrueblood.me/contact.html has a better email and I just fixed the email on my Github.
add Chris Gammell to that conversation, he is all about chip printers :P
viewing binary as graphics is a very good way of doing things, my first hex editor i wrote had a bitmap in it. you get used to telling the diff between code/data/images and even things like function start/ends, years later i saw them do it in the matrix.
A good friend of mine bought ‘Harry Halloway’s Hi/Lo monitor’ to write a space invaders game for his 8080 based “Interrac” computer. (It could be loaded in high memory or low memory…). He showed me re-locating it into the graphics area of the memory, and then would start shooting missiles at it until the monitor crashed :-) I guess it was more amusing back in 7th grade…
like the robotron enforcer bug
Never heard of Micah Scott before. Good to have this person now on the radar. Impressive work.
So what you’re saying is that all those hacker scenes in movies had it right all along?
Amazing work.
How does Micah emulate arm core on the pc side? qemu? custom python emulator? there is nothing about that in the git repo :(
There is a bunch of reverse engineered DVD drives already, mainly to hack Xbox 360 copy protection and allow booting ISO images. Maybe some of them use earlier MTK parts, looking at them might be helpful.
ps: loved the cat helper
This is a bigger undertaking than the 360 hacks. Micah needs to reverse engineer how the peripherals work on each of the chips from just the executables. The 360 hacks only needed to dig deep enough to short circuit the disc type checks.
I’m surprised no one has mentioned the bitmap-reading hackers in Snow Crash yet! Looks like Neal Stephenson had it right on the money.
This might already be possible using software on the host computer with no modifications to the drive. IIRC the ATAPI spec (aka the standard for talking to most optical disk drives) permits completely raw disk access, even the sync and ECC markings.
I’m not sure how many operating systems expose these capabilities though. You might need to write a custom driver, or even work without an OS.
Guess I should have watched the video earlier, it’s a USB attached Blu-ray drive. Doesn’t matter, it still accepts the SCSI commands that ATAPI encapsulates, and it appears she can send these commands to the drive. I’d be surprised if she’s gone through this much trouble though if a raw write would work. I bet she knows something I don’t.
The main problem is the modulation, the very last step that removes the DC bias. With that in place there isn’t really any way to control the lower-frequency components of the signal you write.
If it were possible to turn off the modulation you could craft a burnable image that would do basically the right thing. I’d like to go farther than that, but if that much were easy it would be enough.
Did she figure out the DSP? Samsung… Most likely a Teak-lite (teak, oak, pine all DSPs from dspgroup). If it is a teak-lite *enjoy*
so why hasn’t anyone come up with an automated de-soldering station, sucking the solder out of those through-hole parts ?!
Until the mpaa starts flipping out and has the devs arrested.
wow!! i’m impressed. really..
real and realistic howto material hack, i like it.!
if you open an online school in the art of material hack, i will be very happy to subscribe..!!