Readers not aware of what Ghidra is might imagine some kind of aftermarket water cooler firmware or mainboard – a usual hacker practice with reflow ovens. What [Robbe Derks] did is no less impressive and inspiring: A water cooler firmware mod that adds hands-free water dispensing, without requiring any hardware mods or writing an alternative firmware from scratch.
Having disassembled the cooler, [Robbe] found a PIC18F6527 on the mainboard, and surprisingly, it didn’t have firmware readback protection. Even lack of a PICkit didn’t stop him – he just used an Arduino to dump the firmware, with the dumper code shared for us to reuse, and the resulting dumps available in the same repository.
From there, he involved Ghidra to disassemble the code, while documenting the process in a way we can all learn from, and showing off the nifty tricks Ghidra has up its sleeves. Careful planning had to be done to decide which functions to hook and when, where to locate all the extra logic so that there’s no undesirable interference between it and the main firmware, and an extra step taken to decompile the freshly-patched binary to verify that it looks workable before actually flashing the cooler with it.
The end result is a water cooler that works exactly as it ought to have worked, perhaps, if the people defining its user interaction principles were allowed to make it complex enough. We could argue whether this should have been a stock function at all, but either way, it is nice to know that we the hackers still have some of the power to make our appliances friendly — even when they don’t come with an OS. Certainly, every single one of us can think of an appliance long overdue for a usability boost like this. What are your examples?
We’ve covered quite a few Ghidra-involving hacks, but it never feels like we’ve had enough. What about patching an air quality meter to use Fahrenheit? Or another highly educational write-up on cracking GBA games? Perhaps, liberating a Linux-powered 4G router to reconfigure it beyond vendor-defined boundaries? If you have your own goal in mind and are looking to start your firmware reverse-engineering journey, we can say with certainty that you can’t go wrong with our HackadayU course on Ghidra.
Excellent stuff. This has to be my favorite style of article on Hackaday. I have to admit to never having disassembled someone’s firmware, but reading about the process of how to do it and then modify it is really satisfying. Thanks to Robbe Derks and hackaday for posting about this.
I recommend it, even if you just analyze your own firmware from an Arduino or similar. It’s very rewarding to have that “oh I know what is going on right here” feeling, and Ghidra makes it so you don’t necessarily need to read the disassembly to get that. (Depending on the complexity and your goals of course). AVR assembly from a classic Arduino also has the advantage of being pretty easy to read and understand. Nice and clean simple RISC, not the alphabet soup of x86.
https://en.wikipedia.org/wiki/Ghidra btw,
> is a free and open source reverse engineering tool developed by the National Security Agency (NSA) of the United States.
and that is why i won’t use this tool. I don’t trust it. I know it’s FLOSS and probably a lot of people have looked at the source, but still. The NSA is evil.
The NSA is neither good nor evil, they are merely people doing their jobs. I disagree with the approach management has taken but they are far from evil.
There’s a difference between not trusting it to properly disassemble a binary executable and not trusting it to do evil things on your computer. Do you not have a separate computer for all your illicit activities anyway?
I’ll leave it for you to determine if hacking firmware is the “illicit activity,” or if it’s all the other stuff…
Using Ghidra here is kind of chasing butterflies with a battle-axe… I heartily approve!
You bet, but it’s also the easiest way, I’d say.
> In the end, it took about 8 hours to get this project finished, which was spread out over multiple weeks. Considering that I usually fill my bottle once a day, and it takes about 50 seconds to do so, this will have a positive return-on-investment after only about 1.5 years!
Love it!
Excellent hack value :D Nothing quite like modifying a device to really enhance your sense of ownership.
Oh man. No general purpose registers in pic18 so it reuses global memory locations? What a pain to reverse engineer. Probably the hardest challenge I’ve had in Ghidra was with a Windows binary built with link time optimization so weird registers were used for parameter passing and stack locations were often reused in and between functions. Might be user error but it’s hard to teach Ghidra that there used to be an int at ebp-0x08 but now that same place is the start of a character buffer or something.
It was certainly a challenge compared to other architectures! Luckily the binary isn’t too complex