Reverse Engineering

231 Articles

Human-Interfacing Devices: HID Over I2C

April 17, 2024 by 20 Comments

In the previous two HID articles, we talked about stealing HID descriptors, learned about a number of cool tools you can use for HID hacking on Linux, and created a touchscreen device. This time, let’s talk about an underappreciated HID standard, but one that you might be using right now as you’re reading this article – I2C-HID, or HID over I2C.

HID as a protocol can be tunneled over many different channels. If you’ve used a Bluetooth keyboard, for instance, you’ve used tunneled HID. For about ten years now, I2C-HID has been heavily present in laptop space, it was initially used in touchpads, later in touchscreens, and now also in sensor hubs. Yes, you can expose sensor data over HID, and if you have a clamshell (foldable) laptop, that’s how the rotation-determining accelerometer exposes its data to your OS.

This capacitive touchscreen controller is not I2C-HID, even though it is I2C. By [Raymond Spekking], CC-BY-SA 4.0
Not every I2C-connected input device is I2C-HID. For instance, if you’ve seen older tablets with I2C-connected touchscreens, don’t get your hopes up, as they likely don’t use HID – it’s just a complex-ish I2C device, with enough proprietary registers and commands to drive you crazy even if your logic analysis skills are on point. I2C-HID is nowhere near that, and it’s also way better than PS/2 we used before – an x86-only interface with limited capabilities, already almost extinct from even x86 boards, and further threatened in this increasingly RISCy world. I2C-HID is low-power, especially compared to USB, as capable as HID goes, compatible with existing HID software, and ubiquitous enough that you surely already have an I2C port available on your SBC.

In modern world of input devices, I2C-HID is spreading, and the coolest thing is that it’s standardized. The standardization means a lot of great things for us hackers. For one, unlike all of those I2C touchscreen controllers, HID-I2C devices are easier to reuse; as much as information on them might be lacking at the moment, that’s what we’re combating right now as we speak! If you are using a recent laptop, the touchpad is most likely I2C-HID. Today, let’s take a look at converting one of those touchpads to USB HID.

A Hackable Platform

Continue reading “Human-Interfacing Devices: HID Over I2C”

Porting Modern Windows Applications To Windows 95

April 14, 2024 by 82 Comments

Windows 95 was an amazing operating system that would forever transform the world of home computing, setting the standard for user interaction on a desktop and quite possibly was the OS which had the longest queue of people lining up on launch day to snag a boxed copy. This raises the question of why we still don’t write software for this amazing OS, because ignoring the minor quibbles of ‘security patches’ and ‘modern hardware compatibility’, it’s still has pretty much the same Win32 API as supported in Windows 11, plus it doesn’t even spy on you, or show you ads. This line of reasoning led [MattKC] recently to look at easy ways to port modern applications to Windows 95.

In the video, the available options are ticked off, starting with straight Win32 API. Of course, nobody writes for the Win32 API for fun or to improve their mental well-being, and frameworks like WxWidgets and QuteQt have dropped support for Windows 9x and generally anything pre-Win2k for years now. The easiest option therefore might be Microsoft’s .NET framework, which in its (still supported) 2.0 iteration actually supports Windows 98 SE, or basically within spitting distance of running it on the original Win95.

Continue reading “Porting Modern Windows Applications To Windows 95”

How Star Trek Breached The Defences Of A Major Broadcaster

April 1, 2024 by 40 Comments

Back in 2020 in the brief lull between COVID lockdowns in the UK, I found myself abruptly on the move, with a very short time indeed to move my possessions into storage. As I was going through the accumulated electronic detritus of over four decades, I happened upon a grey box with some wires hanging out of it, and more than a few memories. This was a Sky VideoCrypt decoder, and the wires were part of the so-called “Season” interface to attach it to the serial port of a PC. It had this modification in the hope of catching some unauthorised free satellite TV, and in its day this particular hack caused some headaches for the broadcaster.

When More Than 4 Channels Was A Novelty

Patrick Stewart, as Captain Jean-Luc Picard. Composite image, via Wikimedia commons.
Break encryption? This man can make it so. Stefan Kühn, CC BY-SA 3.0.

In the 1980s and early 1990s, there was very little in the way of digital broadcasting on either satellites or terrestrial networks, almost everything on TV was sent out as standard definition analogue video. The four terrestrial channels where I grew up were all free-to-air, and if you had a satellite dish you could point it at any one of a variety of satellites and receive more free-to-air channels if you didn’t mind most of them being in German. Premium satellite programming was encrypted though, either through a range of proprietary analogue schemes, or for the British broadcaster Sky’s offering, through their VideoCrypt system. This used a 64 kB buffer to store each line of video, and rotate it round any one of 256 points along its length, resulting in an unintelligible picture.

Sky was the UK’s big gorilla of premium broadcasters, a role they kept for many years, and which was only eroded by the advent of streaming services. As such they snapped up exclusive first access to much of the most desirable content of the day, restricting it to only their British pay-to-subscribe customers. A viewer in the UK who grumbled about Star Trek Next Generation not being on the BBC could at least cough up for Sky, but if they didn’t have a British address they were out of luck. It was in this commercial decision, whether it was based upon business or on licensing, that Sky unwittingly sowed the seeds of Videocrypt’s demise.

 

Continue reading “How Star Trek Breached The Defences Of A Major Broadcaster”

The Intel 8088 And 8086 Processor’s Instruction Prefetch Circuitry

March 28, 2024 by 15 Comments
The 8088 die under a microscope, with main functional blocks labeled. This photo shows the chip's single metal layer; the polysilicon and silicon are underneath. (Credit: Ken Shirriff)
The 8088 die under a microscope, with main functional blocks labeled. This photo shows the chip’s single metal layer; the polysilicon and silicon are underneath. (Credit: Ken Shirriff)

Cache prefetching is what allows processors to have data and/or instructions ready for use in a fast local cache rather than having to wait for a fetch request to trickle through to system RAM and back again. The Intel 8088  (and its big brother 8086) processor was among the first microprocessors to implement (instruction) prefetching in hardware, which [Ken Shirriff] has analyzed based on die images of this famous processor. This follows last year’s deep-dive into the 8086’s prefetching hardware, with (unsurprisingly) many similarities between these two microprocessors, as well as a few differences that are mostly due to the 8088’s cut-down 8-bit data bus.

While the 8086 has 3 16-bit slots in the instruction prefetcher the 8088 gets 4 slots, each 8-bit. The prefetching hardware is part of the Bus Interface Unit (BIU), which effectively decouples the actual processor (Execution Unit, or EU) from the system RAM. While previous MPUs would be fully deterministic, with instructions being loaded from RAM and subsequently executed, the 8086 and 8088’s prefetching meant that such assumptions no longer were true. The added features in the BIU also meant that the instruction pointer (IP) and related registers moved to the BIU, while the ringbuffer logic around the queue had to somehow keep the queueing and pointer offsets into RAM working correctly.

Even though these days CPUs have much more complicated, multi-level caches that are measured in kilobytes and megabytes, it’s fascinating to see where it all began, with just a few bytes and relatively straight-forward hardware logic that you easily follow under a microscope.

Generator Control Panel Unlocked With Reverse Engineering Heroics

March 11, 2024 by 11 Comments

Scoring an interesting bit of old gear on the second-hand market is always a bit of a thrill — right up to the point where you realize the previous owner set some kind of security code on it. Then it becomes a whole big thing to figure out, to the point of blunting the dopamine hit you got from the original purchase.

Fear not, though, because there’s dopamine aplenty if you can copy what [Buy it Fix it] did to decode the PIN on a used generator control panel. The panel appears to be from a marine generator, and while it powered up fine, the menu used to change the generator’s configuration options is locked by a four-digit PIN. The manufacturer will reset it, but that requires sending it back and paying a fee, probably considerable given the industrial nature of the gear.

Instead of paying up, [Buy it Fix it] decided to look for a memory chip that might store the PIN. He identified a likely suspect, a 24LC08B 8-Kb serial EEPROM, and popped it off to read its contents. Nothing was immediately obvious, but blanking the chip and reinstalling it cleared the PIN, so he at least knew it was stored on the chip. Many rounds of soldering and desoldering the chip followed, blanking out small sections of memory each time until the PIN was located. The video below edits out a lot of the rework, but gives the overall gist of the hack.

To be honest, we’re not sure if the amount of work [Buy it Fix it] put into this was less than taking a couple of hours to punch in PINs and brute-force it. Then again, if he hadn’t done the reverse engineering he wouldn’t have stumbled upon where the generator parameters like running time and power figures were stored. And it’s not really his style, either; we’ve seen him perform similar heroics on everything from tractors to solar inverters, after all.

Continue reading “Generator Control Panel Unlocked With Reverse Engineering Heroics”

Phenolic board from an RC car - a well-known sight for a hacker

Pairing A New Remote To A Cheap RC Car

March 8, 2024 by 10 Comments

The cheap little RC cars are abundant anywhere you are, and if you’ve ever disassembled one, you are familiar with how the PCB looks. A single-sided phenolic paper PCB with a mystery chip driving a bunch of through-hole transistors, a sprinkle of through-hole capacitors, and a few supporting components for the wire antenna. It might not feel reusable, but [Chris Jones] begs to differ, with a Twitter thread showing us how he’s paired a scrap board from one RC car with a remote control from another, all to help a little family project.

These mystery ICs turn out to be RC-car-on-a-chip modules, and Chris lucked out in that his IC has a detailed datasheet available, complete with code pulse examples for different commands. The datasheet for the chip in the remote control is nowhere to be found, though, so we have to dig deeper. How about scoping the RF output? Turns out the supported codes between the two ICs are basically identical! The scrap board wouldn’t move any motors though, so it was time to narrow down the issue.

The RC car board has a 128KHz oscillator, and scoping that has shown the issue – it was producing 217KHz for some reason. It turned out that the oscillator’s load resistor was 100 kiloohms instead of recommended 200k, and switching that put it back on course. We would assume that, wherever the original remote control for that car is, it is similarly mis-tuned, or otherwise the RC car could never have worked.

Through sheer luck and tactical application of an oscilloscope, the RC car moves again, paired to a remote it was never meant to be, and the family project moves forward. Got a RC car, but no remote? Perhaps a HackRF can help.

Gaming On A TP-Link TL-WDR4900 Wireless Router

March 5, 2024 by 18 Comments

When you look at your home router, the first thought that comes to mind probably isn’t about playing games on it. But that doesn’t stop [Manawyrm] and [tSYS] from taking on the task of turning the 2013-era TP-Link TL-WDR4900 router into a proper gaming machine using an external GPU. This is made possible by the PCIe lanes on the mainboard, courtesy of the PowerPC-based SoC (NXP QorIQ P1014) and remappable Base Address Registers (BARs). This router has been an OpenWRT-favorite for years due to its powerful hardware and feature set.

This mod required a custom miniPCIe PCB that got connected to the PCIe traces (after cutting the connection with the Atheros WiFi chipset). This allowed an external AMD Radeon HD 7470 GPU to be connected to the system, which showed up in OpenWRT. To make full use of this hardware by gaining access to the AMD GPU driver, full Debian Linux was needed. Fortunately, the distro had a special PowerPCSPE port that supports the e500v2 CPU core in the SoC. After this it was found that the amdgpu driver has issues on 32-bit platforms, for which an issue ticket got filed.

Using the legacy Radeon driver helped to overcome this issue, but then it was found that the big endian nature of the CPU tripped up the Grand Theft Auto: Vice City game code which has not been written with BE in mind. This took a lot of code patching to help fix this, but eventually the game was up and running, albeit with glitches. Whatever the cause of these graphical glitches was will remain unknown, as after updating everything things began to work normally.

So now it’s possible to convert a 2013-era router into a gaming console after patching in an external GPU, which actually could be useful in keeping more potential e-waste out of landfills.

Continue reading “Gaming On A TP-Link TL-WDR4900 Wireless Router”