Mysterious Adder From 1960s Bendix G-20

[David Lovett] aka Usagi Electric is taking a dive into yet another old computer design, this one from the early 1960s. He recently obtained eight mystery circuit boards on loan for the purpose of reverse engineering them. It turns out these came from an old mainframe called the Bendix G-20, a successor to the 1965 G-15 vacuum tube model. The cards are:

  • Full Adder
  • AND Gate
  • OR Gate
  • Emitter Follower
  • Flip Flop
  • Quad Inverting Amplifier
  • DLO Amplifier
  • Gated CPA

Most of these are pretty straightforward to figure out, but he ran into some trouble trying to understand the full adder board. The first issue is that there is some uncertainty surrounding the logic level voltages. This system uses negative voltages, with -3.5 V representing a logic 1 … or is it a logic 0? Even taking this ambiguity into account, [David] is having a hard time deciphering how the adder works. It uses a bunch of diodes to implement a logic lookup table of an adder — except he is not able to make it match any known addition scheme. [David] has called out to the community for help on this one, and if you have any ideas how this adder works, visit his wiki linked above for more information and give him a shout.

We don’t know how [David] squeezes in the time for these side projects, when he is so busy on the Centurion mini-computer restoration and the monstrous single-bit vacuum tube computer he is building.


Ubuntu 22.04 setup screen shown on the Google Nest Hub display

Breaking Google Nest Hub’s Secure Boot

[frederic] tells a story about their team’s hack of a Google Nest Hub (2nd generation) — running Ubuntu on it by bypassing Google’s boot image signature checks. As with many good hacks, it starts with FCC website pictures. Reverse-engineering a charger and USB daughterboard pin-out, they found a UART connection and broke it out with a custom adapter. With a debug console and insights into the boot process, they went on hacking, slicing through hardware and software until it was done.

This story gives plenty of background and insight into both the code that was being investigated and the way that attack targets were chosen. Through fuzzing, they found a buffer overflow in the bootloader code that could be triggered with the help of a non-standard block size. USB flash drives tend to have this hard-coded, so they built special firmware for a Pi Pico and shortly thereafter achieved code execution. Then they hooked into U-Boot functions and loaded Ubuntu, bypassing the boot image signature checks.

This is a wonderful documentation of a hacking journey, and an exciting read to boot (pun intended). The bug seems to have been patched for half a year now, so you probably can’t flash Ubuntu onto your Google Nest anymore. However, you might be able to run an up-to-date Linux on your Amazon Echo.

We thank [Sven] for sharing this with us!

Screenshot of the OpenAsar config window, showing a few of the configuration options

OpenAsar Tweaks Discord’s Frontend, Improves Performance And Privacy

Not all hacking happens on hardware — every now and then, we ought to hack our software-based tools, too. [Ducko] tells us about a partially open-source rewrite of Discord’s Electron-based frontend. Web apps can be hard to tinker with, which is why such projects are to be appreciated. Now, this isn’t a reverse-engineering of Discord’s API or an alternative client per se, but it does offer a hopeful perspective on what the Discord client ought to do for us.

First of all, the client loads noticeably faster, not unlike the famous GTA Online speedup (which was also a user-driven improvement), with channel and server switching made less laggy — and the Linux updater was de-cruft-ified as well. [Ducko] tells us how she got rid of the numerous NPM dependencies of the original code; it turned out that most of the dependencies could be easily replaced with Node.js native APIs or Linux binaries like unzip. Apart from the much-appreciated performance improvements, there are also options like telemetry bypass, and customization mechanisms for your own theming. You won’t get Discord on your Apple ][ just yet, but the native client will be a bit friendlier towards you.

While Discord is ultimately a proprietary platform, we do see it used in cool hacks every now and then, like this tea mug temperature-tracking coaster. Would you like to code your own Discord bot? We wrote a walk-through for that. Last but not least, if you like what we wrote and you happen to also use Discord, you should check out the Hackaday Discord server!

The speaker PCB inside of the speaker, with a flash chip ZIF holder soldered to the SPI flash pads on the PCB

Bluetooth Speaker Domesticated Through Firmware Mod

This might sound like a familiar problem – you get a Bluetooth speaker, and it sounds nice, but it also emits all kinds of weird sounds every now and then. [Oleg Kutkov] got himself a Sven PS460 speaker with FM radio functionality, but didn’t like that the “power on” sound was persistently loud with no respect for the volume setting, and the low battery notification sounds were bothersome. So, he disassembled the speaker, located a flash chip next to the processor, and started hacking.

Using a TL866 and minipro software, he dumped the firmware, and started probing it with binwalk. The default set of options didn’t show anything interesting, but he decided to look for sound file signatures specifically, and successfully found a collection of MP3 files! Proper extraction of these was a bit tricky, but he figured out how to get them out, and loaded the entire assortment into Audacity.

From there, he decided to merely make the annoying sounds quieter, negating the “no respect for the volume setting” aspect somewhat. After he exported the sound pack out of Audacity, the file became noticeably smaller, so he zero-padded it back to the original size and finally inserted it into the firmware at the original offset. Testing revealed that it worked just as intended! As a bonus, he replaced the “battery low” indicator sound with something that most of us would appreciate. Check out the demo video at the end of his write-up.
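The two firmware steps described above, signature-hunting in the dump and writing a same-size replacement back, as an added example that is not [Oleg]’s code: it scans a constructed firmware blob for ID3v2 tag headers and MPEG audio frame syncs, then patches a region with zero padding so that no other offset in the image moves.

```python
def find_mp3_signatures(blob: bytes):
    """Return (offset, kind) for every ID3v2 header and plausible MPEG audio frame sync.

    binwalk's default signature set did not flag these for the speaker dump, so this
    looks for the two markers MP3 data normally carries.
    """
    hits = []
    i, n = 0, len(blob)
    while i + 3 <= n:
        if blob[i:i + 3] == b"ID3" and i + 10 <= n and blob[i + 3] != 0xFF:
            hits.append((i, "ID3v2"))
            i += 10  # skip the fixed 10-byte tag header
            continue
        # Frame sync is 11 set bits; reject the reserved version/layer/bitrate/rate codes
        if blob[i] == 0xFF and (blob[i + 1] & 0xE0) == 0xE0:
            b1, b2 = blob[i + 1], blob[i + 2]
            version, layer = (b1 >> 3) & 3, (b1 >> 1) & 3
            bitrate, srate = b2 >> 4, (b2 >> 2) & 3
            if version != 1 and layer != 0 and bitrate not in (0, 15) and srate != 3:
                hits.append((i, "MPEG frame"))
        i += 1
    return hits


def patch_region(blob: bytes, offset: int, length: int, replacement: bytes) -> bytes:
    """Overwrite blob[offset:offset+length] with replacement, zero-padded to length.

    A replacement longer than the slot would overwrite whatever follows, so it is refused;
    keeping the image size unchanged is what keeps every other offset valid.
    """
    if not 0 <= offset <= len(blob) - length:
        raise ValueError("region lies outside the image")
    if len(replacement) > length:
        raise ValueError(f"replacement is {len(replacement) - length} bytes too long")
    padded = replacement + b"\x00" * (length - len(replacement))
    out = blob[:offset] + padded + blob[offset + length:]
    assert len(out) == len(blob)
    return out


# Constructed stand-in for a firmware dump: filler, an ID3v2-tagged clip, filler, a raw frame.
SAMPLE_FIRMWARE = (
    b"\x00" * 16
    + b"ID3\x03\x00\x00\x00\x00\x00\x00" + b"A" * 20   # tag header at offset 16
    + b"\xff\xfb\x90\x00" + b"B" * 30                   # MPEG-1 layer III sync at offset 46
)
```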

Domesticating your Bluetooth speakers tends to be called for. If you can’t do that for whatever reason, you can rebuild them into an audio receiver – or perhaps, build your own Bluetooth speakers, with aesthetics included and annoyance omitted from the start.

iPhone 6 with Linux boot log on its screen

Boot Mainline Linux On Apple A7, A8 And A8X Devices

[Konrad Dybcio] tells about his journey booting Linux on A7/A8/A8X processors, playing around with an old iPhone 5 he’s got in a drawer. It’s been a two-year “revisit every now and then” journey, motivationally fueled by things like the Linux on M1 Macs announcement. In the end, what we have here is a way to boot mainline Linux on a few less-than-modern but still very usable iPhones, and a fun story about getting there.

[Konrad]’s work is based on the Sandcastle project research, but he couldn’t quite figure out how to make their code work, and had to make sense of it as he went. At some point, he got stuck on enabling the MMU, which was the main roadblock for a while. Joined by another developer intrigued by Apple hardware, they were hacking away at it, developing tools and neat tricks on their way, but to no avail. With the framebuffer accessible and no other decent debugging methods in sight, he tells about a code snippet they wrote that printed register values as valid barcodes

The Tools That Lovingly Tore Apart A Vintage Computer Game

The structure of computer game assets can be a bit of a mystery, even more so the older a game is, and some amount of reverse-engineering can be expected when pulling apart a game like 1995’s Night Light.

[voussoir] had fond memories of this game by GTE Entertainment, which had an interesting “flashlight” mechanic to serve the exploration theme. Spooky shapes in dark rooms would be revealed to be quite ordinary (and therefore not scary at all) once illuminated with a flashlight, which was directed by the mouse.

Extracting game assets was partly straightforward, thanks to many of them being laid out in a handy folder structure, with .bmp files for each level in a modest resolution. But there were also some unusual .mov files that were less than a second long, and those took a little more work to figure out.

It turns out that these unusual movie files were 80 frames in length, and each frame was a tile of a larger image. [voussoir] used ffmpeg to extract each frame, then wrote a Python script to stitch the tiles together. Behold! The results are high-resolution versions of each level’s artwork. Stitching the first 16 frames into a 4×4 grid yields a 1024×768 image, and the remaining 64 frames can be put into an 8×8 grid for a fantastic 2048×1376 version. The last piece was extracting audio, but sadly the ISO [voussoir] was using seems to have had errors, and not all the audio survived.
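The tile-stitching step as an added example, not [voussoir]’s script: frames are taken in row-major order and assembled into a grid, with a size check so a short or mismatched extraction fails loudly rather than producing a skewed image. Pixels are constructed single-byte rows here rather than real decoded frames; the two layouts at the end reproduce the 4×4 and 8×8 output dimensions quoted above.

```python
def stitch_tiles(tiles, cols):
    """Assemble row-major tiles into one image.

    Each tile is a list of rows and each row a bytes object (one byte per pixel in
    this constructed example). Returns the stitched image as a list of rows.
    """
    if not tiles or len(tiles) % cols:
        raise ValueError("tile count must be a non-zero multiple of the column count")
    tile_h, tile_w = len(tiles[0]), len(tiles[0][0])
    for idx, tile in enumerate(tiles):
        if len(tile) != tile_h or any(len(row) != tile_w for row in tile):
            raise ValueError(f"tile {idx} does not match the {tile_w}x{tile_h} tile size")
    image = []
    for band_no in range(len(tiles) // cols):
        band = tiles[band_no * cols:(band_no + 1) * cols]   # one grid row of tiles
        for y in range(tile_h):
            image.append(b"".join(tile[y] for tile in band))  # splice row y of each tile
    return image


def image_size(image):
    """(width, height) of a stitched image."""
    return len(image[0]), len(image)


def make_tile(width, height, value):
    """Constructed stand-in for a decoded frame: a solid tile filled with one byte value."""
    return [bytes([value]) * width for _ in range(height)]


def night_light_layouts():
    """Stitch 80 constructed frames the way the page describes: 16 into 4x4, 64 into 8x8."""
    frames = [make_tile(256, 192, i) for i in range(16)]
    frames += [make_tile(256, 172, i) for i in range(64)]
    small = stitch_tiles(frames[:16], 4)
    large = stitch_tiles(frames[16:], 8)
    return image_size(small), image_size(large)
```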

With intact assets in hand, [voussoir] was able to re-create the core of the game, which can be seen about halfway down the writeup. Audio cues play while the flashlight effect is re-created in the browser with the game’s original level artwork, and it’s enough to ring those nostalgia bells. It’s a pretty successful project, even though not all of the assets have been tracked down, and not all of the audio could be extracted due to corruption. If you have any insights on that front, don’t keep them to yourself! Send [voussoir] an email, or chime in here in the comments.

Reverse engineering has a strong history when it comes to games, and has manifested itself in sometimes unusual ways, like the time Atari cracked the NES. Had the subsequent legal challenge gone differently, the game landscape might have looked very different today.

A light blue marker with a two-pin header replacing the tip, being pressed against the back of the keypad board that's removed from the safe

Anyone Can Be The Master Of This Master Lock Safe

[Etienne Sellan] got one of these lovely $5 logic analyzers. As with any shiny new tool, he started looking for things to investigate with it, and his gaze fell on a Sentry Safe (produced by Master Lock). On the surface, this keypad-equipped safe is designed decently when it comes to privilege separation. You can take the keypad board off and access its backside, but the keypad doesn’t make any decisions; it merely sends the digits to a different board embedded behind the safe’s door. That solenoid-connected board receives the PIN, verifies it, and then controls the solenoid that unlocks the safe.

[Etienne] hooked up a logic analyzer to the communication wire, which turned out to be a UART channel, and logged the keypad communication packets — both for password entry and for password change. Then, he wrote some Arduino code to send the same packets manually, which worked wonders. Brute-forcing wasn’t viable, however, due to rate limiting in the solenoid controller. Something else drew his attention from there: if you want to change the password, the keypad requires you to enter the factory code, unique to each safe and supplied in the instruction manual. That code entry is a separate kind of packet from the “change password” one.
