The controller after the rebuild, looking just like the stock controller but with an external antenna attached

An Extensive Walkthrough On Building Your Own KSP Controller

January 3, 2024 by Arya Voronova 10 Comments

Having a game-tailored controller is a level-up in more ways than one, letting you perform in-game actions quickly and intuitively, instead of trying to map your actions to a clunky combination of keyboard and mouse movements. [abzman] took the Pelco KBD300A, a DVR-intended camera controller panel with a joystick, reverse-engineered it, and then rebuilt it into a Kerbal Space Program controller. What’s more, he documented every detail along the way!

The write-up is so extensive, it’s four separate posts — all of them worth reading without a doubt. In the first post, he describes the original hardware, the process of reverse-engineering it, and a few tips for your own RE journeys. Next, he covers about making his own board, showing all the small decisions he’s had to make, with plenty of KiCad screenshots. If you are on the lookout for designing such a board, there’s plenty to learn!

The original hardware didn’t go down without a fight — the third post talks about taming the seven-segment displays, the onboard joystick, and fighting with the key matrix wired in exactly the way you wouldn’t want. In the end, he shows us how you could tie a controller easily into Kerbal Space Program.

One more piece of hardware liberated, one more win for the hacker world. Whether it’s a Macintosh SE, a classic ThinkPad, or even a generic rotary tool, these upgrades are always a joy to see. If you wanted to learn to do such an upgrade yourself, here’s us showing how you can pull this off with a classic Sony Vaio!

37C3: When Apple Ditches Lightning, Hack USB-C

December 30, 2023 by Elliot Williams 11 Comments

[Thomas Roth], aka [Ghidraninja], and author of the [Stacksmashing] YouTube channel, investigated Apple’s Lightning port and created a cool debugging tool that allowed one to get JTAG on the device. Then, Apple went to USB-C for their new phones, and all his work went to waste. Oh well, start again — and take a look at USB-C.

Turns out, though, that the iPhone 15 uses the vendor-defined messages (VDM) capability of USB-PD to get all sorts of fun features out. Others had explored the VDM capabilities on Mac notebooks, and it turns out that the VDM messages on the phone are the same. Some more fiddling, and he got a serial port and JTAG up and running. But JTAG is locked down in the production devices, so that will have to wait for an iPhone 15 jailbreak. So he went poking around elsewhere.

He found some other funny signals that turned out to be System Power Management Interface (SPMI), one of the horribly closed and NDA-documented dialects owned by the MIPI Alliance. Digging around on the Interwebs, he found enough documentation to build an open-source SPMI plugin that he said should be out on his GitHub soon.

The end result? He reworked his old Lightning hardware tool for USB-C and poked around enough in the various available protocols to get a foothold on serial, JTAG, and SPMI. This is just the beginning, but if you’re interested in playing with the new iPhone, this talk is a great place to start. Want to know all about USB-C? We’ve got plenty of reading for you.

Unbricking Trains, Uncovering Shady Behavior

December 28, 2023 by Elliot Williams 48 Comments

The first clue was that a number of locomotives started malfunctioning with exactly 1,000,000 km on the odometer. And when the company with the contract for servicing them couldn’t figure out why, they typed “Polish hackers” into a search engine, and found our heroes [Redford], [q3k], and [MrTick]. What follows is a story of industrial skullduggery, CAN bus sniffing, obscure reverse engineering, and heavy rolling stock, and a fantastically entertaining talk.

Cutting straight to the punchline, the manufacturer of the engines in question apparently also makes a lot of money on the service contracts, and included logic bombs in the firmware that would ensure that revenue stream while thwarting independent repair shops. They also included “cheat codes” that simply unlocked the conditions, which the Polish hackers uncovered as well. Perhaps the most blatant evidence of malfeasance, though, was that there were actually checks in some versions of the firmware that geofenced out the competitors’ repair shops.

We shouldn’t spoil too much more of the talk, and there’s active investigation and legal action pending, but the smoking guns are incredibly smoky. The theme of this year’s Chaos Communication Congress is “Unlocked”, and you couldn’t ask for a better demonstration of why it’s absolutely in the public interest that hackers gotta hack. Of course, [Daniel Lange] and [Felix Domke]’s reverse engineering of the VW Dieselgate ECU shenanigans, another all-time favorite, also comes to mind.

Reverse-Engineering The Stadia Controller Bluetooth Switching Procedure

December 19, 2023 by Maya Posch 11 Comments

Ever since the demise of Google’s Stadia game streaming service, the associated Stadia controllers have found themselves in limbo, with the only way to switch them from the proprietary WiFi mode to Bluetooth by connecting to a special Google website. Yet as [Gary] found out, all this website does is flash a firmware file via WebUSB and WebHID over the original Stadia firmware with a generic Bluetooth controller firmware image. This is the reason why it’s a one-way process, but this wasn’t to [Gary]’s liking, so he figured out how to flash the controller himself, with the option to flash the original Stadia firmware or something else on it later, too.

[Gary]’s stadiatool follows the same procedure as the Google Stadia website, just implemented in Python and outside the control of Google. Although Google has recently announced that it will keep the Bluetooth switching website online one year longer – until December 31st 2024 – at some point this service will go away and only projects like [Gary]’s together with squirreled away firmware images can still save any stray Stadia controllers that will inevitably discovered in the back of a warehouse in the future.

Although we reported on the demise of Stadia when it happened in January of 2023, as Ars Technica notes it was common in 2022 to buy into Stadia and get a controller manufactured in the 2019 launch year, suggesting massive overproduction.

Hacking An NFC E-Paper Display From Waveshare With Mystery MCU

December 18, 2023 by Maya Posch 15 Comments

These days e-paper (eInk) displays are everywhere, with stores being one of the largest users of smaller, monochrome versions of these persistent displays. This has also made them a solid target of hackers who seek to not only reverse-engineer and reuse discarded ones, but also ones sold to consumers, with [Aaron Christophel] recently reverse-engineering and flashing custom firmware (GitHub source) to a Waveshare 2.13″ NFC-Powered E-Paper display.

What’s perhaps most notable is how locked-down and devoid of documentation these devices are. The board [Aaron] looked at did not have any markings on the main IC, and Waveshare did not provide more information other than the Android and iOS apps. This led to some matching of various NFC-enabled MCUs with the pinout, with the Chivotech TN2115S2 rolling out as the most likely candidate. This is an 8 MHz Cortex-M0 MCU with not only NFC, but also an energy harvesting feature (up to 300 mW), which is why this e-paper tag can update the display without external power or a battery.

With the Chivotech datasheet being rather sparse, more reverse-engineering needed to be done, which included dumping the firmware and exploring it with Ghidra. During this, the secret key was discovered to make the Flash writeable along with how to control the peripherals and display. With this knowledge it’s now possible to make this tag display update without being limited by manufacturer-supplied tools and software, making it infinitely more useful.

Continue reading “Hacking An NFC E-Paper Display From Waveshare With Mystery MCU” →

The Dark Side Of Hacking XMas Lights, Literally

December 17, 2023 by Maya Posch 18 Comments

When looking at the piles of cheap RGB, Bluetooth-controlled LED strips you can find for sale just about anywhere these days, integrating them into a home-automation setup is very tempting. Normally these strips are controlled via a special smartphone app, that speaks whatever dodgy protocol was thrown together for the LED strip controller in question. Reverse-engineering this Bluetooth protocol is fairly easy these days, as [Will Cooke] describes in a recent tutorial, although for him there was a bit of a tragic ending with one particular RGB set.

With previous experiences reverse-engineering the Bluetooth protocol with Wireshark under his belt and having published the BJ_LED repository for LED strips that use the MohuanLED app, reverse-engineering this new LED strip with the associated “iDeal LED” app seemed fairly routine. Initially it was indeed routine, with just a curveball in the form of some encryption that the Jadx decompiler used on the app couldn’t help with. Fortunately the key ended up floating around on the internet, and the protocol was wide open. That’s when disaster struck.

While trying to throw payloads at the LED controller to find hidden modes and settings, [Will] found that he could indeed increase the brightness beyond what the app supported, but poking at lighting modes beyond the 10 presets gave a nasty shock. Modes 1 through 10 worked fine, 11 also did something new, but when the controller was asked to switch to mode 12, it shut off. Permanently. Whether this corrupted the firmware or caused some other issue is unknown, but it’s a clear warning that reverse-engineering comes with potentially fried hardware.

We hope that [Will] can get an autopsy performed on this controller to see the cause of this seemingly permanent failure that persisted across hard resets and disconnecting from power overnight. The protocol for this controller has been published on GitHub for those who’d like to take their chances.

LED lights: LadyAda, CC BY-SA 4.0.

The Logg Dogg: How A Mysterious Logging Robot Leads Down Twisting Forestry Paths

December 16, 2023 by Maya Posch 31 Comments

There are many places where you’d want to use remotely controlled robots, but perhaps forestry isn’t the first application to come to mind. Yet there are arguments to be made for replacing something like a big logging machine with grapple for a much smaller robot. The reduced ground pressure can be beneficial in fragile ecosystems, and removing the operator is much safer if felling a tree goes wrong.

This is where a US company called Forest Robots tried to come in, with their Logg Dogg, of which [Wes] over at Watch Wes Work found a very unique prototype abandoned in a barn, courtesy of Zuckerberg’s marketplace of wonders.

One of the two receivers on the Forest Robots' Logg Dogg logging robot prototype. (Credit: Watch Wes Work) — One of the two receivers on the Forest Robots’ Logg Dogg logging robot prototype. (Credit: Watch Wes Work)

After lugging the poor abandoned robot back into a warm repair shop, he set to work on figuring out what it was that he had bought. At the time he knew only that it was some kind of logging robot, but with no model number or name on the robot, it was tough to find information. Eventually he got tipped off about it being the Logg Dogg, with even a video of the robot in action, helpfully uploaded to YouTube by [Hankey Mountain Garage] and embedded below for your viewing pleasure.

As [Wes] noticed during teardown and inspection was that it has that distinct mix-and-match feel to it of a prototype, ranging from metric and US customary bolts to both European and US/Canadian supplied components. Although it has two RF receivers on the device, no remote(s) came with the device, and the seller only knew that it was already in the barn when they purchased the place. After getting the engine working again on the robot, [Wes] contacted one of the people behind the robot: [Dean Edwards], a professor at the University of Idaho, hoping to learn more about this robot and how it ended up abandoned in a barn.

Hopefully we’ll find out in a Part 2 whether [Wes] got a response, and whether this robot will get a second chance at life. Meanwhile, in countries such as Portugal such robots are already finding significant use, including for fire protection in its forests, tackling difficult terrain more easily than humans. With forest fires an increasing risk, perhaps the Logg Dogg and kin could find a use there.

Continue reading “The Logg Dogg: How A Mysterious Logging Robot Leads Down Twisting Forestry Paths” →