A screenshot of the drone monitoring application, showing spoofed drones and their coordinates

Can’t Disable DJI Drone ID? Spoof It With An ESP!

We have been alerted to a fun tool, a DJI DroneID spoofer software for ESP8266/ESP32 and some other popular MCUs. Last year, we told you about DJI DroneID — a technology DJI added to their drones, which broadcasts data including the drone operator’s GPS position, and which, in turn, appears to have resulted in Ukrainian casualties in the Ukraine war. The announcement tweet states that DJI has added mechanisms that prevent downgrading the firmware. Hence, the spoofer.

There’s no other hardware needed, well, other than an ESP8266 or ESP32 devboard, anyway. After the break you can find a video tutorial from [Joshua Bardwell] that shows you how to upload the code using the Arduino IDE, and even goes through coordinate tweaks. If you ever reminisced about the concept of throwies and wondered what they could be useful for, well, there’s your answer: clone the Git repo, compile it, program some interesting coordinates in, and witness the imaginary drones fly.

All in all, we get a lovely addition to our shenanigan toolkits. Surely, someone could use a neural network to distinguish real drones from fake ones, but it’s nothing that can’t be solved with a bit of code. Looking for a less daring hack? Well, you can always add some automation to your DJI drone by poking at the RGB LED signals.


The FPC adapter shown soldered between the BGA chip and the phone's mainboard, with the phone shown to have successfully booted, displaying an unlock prompt on the screen

iPhone 6S NVMe Chip Tapped Using A Flexible PCB

Psst! Hey kid! Want to reverse-engineer some iPhones? Well, did you know that modern iPhones use PCIe, and specifically, NVMe for their storage chips? And if so, have you ever wondered about sniffing those communications? Wonder no more, as this research team shows us how they tapped them with a flexible printed circuit (FPC) BGA interposer on an iPhone 6S, the first iPhone to use NVMe-based storage.

The research was done by [Mohamed Amine Khelif], [Jordane Lorandel], and [Olivier Romain], and it shows us all the nitty-gritty of getting at the NVMe chip — provided you’re comfortable with BGA soldering and perhaps have an X-ray machine handy to check for mistakes. As the research progressed, they successfully removed the memory chip, dealing with underfill and BGA soldering nuances along the way, and added a 1:1 FR4 interposer board for a first test, which proved successful. Then, they made an FPC interposer that also taps into the signal and data pins, soldered the flash chip on top of it, successfully booted the iPhone 6S, and scoped the data lines for us to see.

This is looking like the beginnings of a fun platform for iOS or iPhone hardware reverse-engineering, and we’re waiting for further results with bated breath! This team of researchers in particular is prolific, having already been poking at things like MITM attacks on I2C and PCIe, as well as IoT device and smartphone security research. We haven’t seen any Eagle CAD files for the interposers published, but thankfully, most of the know-how is about the soldering technique, and the paper describes plenty. Want to learn more about these chips? We’ve covered a different hacker taking a stab at reusing them before. Or perhaps, would you like to know NVMe in more depth? If so, we’ve got just the article for you.

We thank [FedX] for sharing this with us on the Hackaday Discord server!

a CH32V003 Linux-bearing PCB, single-sided, hand-etched, lovely

Bring Linux To CH32V003 Through, Yes, RISC-V Emulation

Like playing around with Linux on low-power devices? You’d be hard pressed to find a better example than [tvlad1234]’s linux-ch32v003 project. It’s not just a one-off — it’s something you could build right now, since it requires hardly any extra parts.

With the help of an 8 MB PSRAM chip to supplement RAM and an SD card, plus some careful tailoring of the Linux .config parameters, you get Linux on a chip never meant to even come close to handling this much power. The five minutes it takes to boot up to a prompt is part of the experience.

As usual with [tvlad1234]’s projects, there’s a fun twist to it! Running Linux on this chip is only possible thanks to [chlohr]’s mini-rv32ima project, which, as you might remember, is a RISC-V emulator. Yes, this runs Linux by running a RISC-V emulator on a RISC-V chip. The main reason is that the MCU can’t map the PSRAM chip into its address space, but with an emulator, memory mapping is only a matter of software. Having applied a fair amount of elbow grease, [tvlad1234] brings us buildroot and mainline Linux kernel configs you can compile to play with this — as well as a single-layer-ready KiCad board project on GitHub. Yep, you could literally etch a PCB for this project from single-sided copper-clad FR4 with a bit of FeCl3.
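As an added example (not the project’s own code, nor mini-rv32ima’s) of why an emulator sidesteps the missing memory mapping: every guest load and store goes through a software bus that fetches cache lines from the external PSRAM on demand, so the MCU never needs the chip in its own address space. The SPI chip is replaced here by a host-side byte array, and the guest RAM base address and the 32-byte line size are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define GUEST_RAM_BASE 0x80000000u            /* where the guest sees its RAM (assumed) */
#define GUEST_RAM_SIZE (8u * 1024u * 1024u)   /* 8 MB, matching the PSRAM on the page */
#define LINE 32u                              /* cache line size, an assumption */

/* Constructed stand-in for the SPI PSRAM; a real port would issue SPI
 * read/write commands here instead of touching a host array. */
static uint8_t fake_psram[GUEST_RAM_SIZE];
static void psram_read(uint32_t off, void *buf, size_t n)        { memcpy(buf, fake_psram + off, n); }
static void psram_write(uint32_t off, const void *buf, size_t n) { memcpy(fake_psram + off, buf, n); }

/* A single write-back cache line: the emulator only talks to the PSRAM on a miss. */
static struct { uint32_t tag; int valid, dirty; uint8_t data[LINE]; } line;

static void line_fill(uint32_t off) {
    if (line.valid && line.dirty) psram_write(line.tag, line.data, LINE); /* evict dirty line */
    line.tag = off & ~(LINE - 1);
    psram_read(line.tag, line.data, LINE);
    line.valid = 1; line.dirty = 0;
}

/* Translate a guest address into an index inside the cached line, filling it if needed.
 * Returns -1 on a misaligned or out-of-range access, which the guest would see as a trap. */
static int line_locate(uint32_t addr, uint32_t *idx) {
    if (addr & 3u) return -1;
    if (addr < GUEST_RAM_BASE || addr - GUEST_RAM_BASE + 4u > GUEST_RAM_SIZE) return -1;
    uint32_t off = addr - GUEST_RAM_BASE;
    if (!line.valid || (off & ~(LINE - 1)) != line.tag) line_fill(off);
    *idx = off & (LINE - 1);
    return 0;
}

int bus_load32(uint32_t addr, uint32_t *out) {   /* what a RISC-V lw would call */
    uint32_t idx;
    if (line_locate(addr, &idx)) return -1;
    memcpy(out, line.data + idx, 4);
    return 0;
}

int bus_store32(uint32_t addr, uint32_t val) {   /* what a RISC-V sw would call */
    uint32_t idx;
    if (line_locate(addr, &idx)) return -1;
    memcpy(line.data + idx, &val, 4);
    line.dirty = 1;
    return 0;
}

void bus_flush(void) { if (line.valid && line.dirty) { psram_write(line.tag, line.data, LINE); line.dirty = 0; } }
```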

While the CH32V003 is undoubtedly a more impressive target for Linux, the RP2040 Linux project might be more approachable in terms of having most of the parts in your parts box. At least, up until we start valuing the CH32V003 for all the cool stuff it can do!

Phone connected to the DIY LTE network playing a YouTube video, with antennas in the background

Building Your Own 4G LTE Base Station

We’ve seen quite a few DIY 2G networks over the years, but the 4G field has been relatively barren. Turns out, there’s an open source suite called srsRAN that lets you use an SDR for setting up an LTE network, and recently, we’ve found a blog post from [MaFrance351] (Google Translate) that teaches you everything you could need to know if you ever wanted to launch an LTE network for your personal research purposes.

For a start, you want a reasonably powerful computer, a transmit-capable full-duplex software defined radio (SDR), suitable antennas, some programmable SIM cards, and a few other bits and pieces like SIM card programmers and LTE-capable smartphones for testing purposes. Get your hardware ready and strap in, as [MaFrance351] guides you through setting up your own base station, with extreme amounts of detail outlining anything you could get caught up on.


A USB3SUN adapter, connected to a SPARCstation on one end and to a keyboard on another, with the OLED screen showing status icons

An Open SPARCstation USB Keyboard & Mouse Adapter

Got a SPARCstation? You might have had to deal with the proprietary DIN port used for keyboard and mouse input. However, you need not look for outdated hardware anymore – we’ve recently found an adapter project called [usb3sun], which lets you use a regular USB keyboard and mouse instead! Designed by [delan] from [the funny computer museum], the usb3sun adapter is featureful, open-source, and even comes with four blog posts describing its inner workings and development process!

Based on a Pi Pico board, this adapter has a ton of quality of life features – an OLED screen for status display, an extra USB port and headers for debugging, a buzzer to emulate bell and click functions, power LEDs, and all the ports you would expect. The OLED screen is needed just because of how many features this adapter’s firmware has, and you’re bound to get more – the [usb3sun] firmware is being actively updated to this day. It’s as if this adapter aims to help you with everything it possibly can – for instance, one of the firmware updates has added IDPROM reprogramming features, which, as [delan] tells us, lets you boot your workstation with a dead NVRAM battery.

You can order the adapter PCBs yourself, you can breadboard it by following detailed instructions from [delan], or you can get a fully assembled and tested [usb3sun] adapter on Tindie! This adapter will seriously help you in your SPARCstation forays, and, if you don’t happen to own a SPARCstation, you can always emulate SunOS.

The Thinkpad in question, with a Linux shell open on its screen, showing that the device mode has been successfully enabled

ThinkPad X1 Carbon Turned USB Device Through Relentless Digging

In what’s perhaps one of the most impressive laptop reverse engineering posts in recent memory, [Andrey Konovalov] brings us an incredibly detailed story of how he discovered and successfully enabled a USB device controller in a ThinkPad X1 Carbon equipped with a 6th gen Intel CPU.

If you ever wanted to peek at the dirty secrets of a somewhat modern-day Intel CPU-based system, this write-up spares you no detail, and spans dozens of abstraction layers — from Linux drivers and modifying NVRAM to custom USB cable building and BIOS chip flashing, digging deep into undocumented PCH registers for the dessert.

All [Andrey] wanted was to avoid tinkering with an extra Raspberry Pi. While using a PCIe-connected device controller, he found a reference to intel_xhci_usb_sw-role-switch in Linux sysfs, and dove into a rabbit hole, where he discovered that the IP core used for the laptop’s USB ports has a ‘device’ mode that can be enabled. A dig through ACPI tables confirmed this, but also highlighted that the device is disabled in the BIOS. What’s more, it turned out to be locked away behind a hidden menu. Experiments in unlocking that menu ensued, particularly around bypassing Intel Boot Guard, a mechanism that checks BIOS image signatures before boot.


Pictures of the internals of the Starlink adapter

Restoring Starlink’s Missing Ethernet Ports

Internet connectivity in remote areas can be a challenge, but recently SpaceX’s Starlink has emerged as a viable solution for many spots on the globe — including the Ukrainian frontlines. Unfortunately, in 2021 Starlink released a new version of their hardware, cost-optimized to the point of losing some nice features such as the built-in Ethernet RJ45 (8P8C) port, and their proposed workaround has some fundamental problems. [Oleg Kutkov], known for fixing Starlink terminals in wartime conditions, has released three posts investigating those problems and, in the end, bringing the RJ45 ports back.

Starlink now uses an SPX connector with a proprietary pinout that carries two Ethernet connections at once: one to the Dishy uplink, and another one for LAN, with only the Dishy uplink being used by default. If you want LAN Ethernet connectivity, they’d like you to buy an adapter that plugs in the middle of the Dishy-router connection. Not only is the adapter requirement a bother, especially in a country where shipping is impeded, but the SPX connector is also seriously fragile and prone to a few disastrous failure modes, from moisture sensitivity to straight up bad factory soldering.
