Sniffing Passwords, Rickrolling Toothbrushes

If you could dump the flash from your smart toothbrush and reverse engineer it, enabling you to play whatever you wanted on the vibrating motor, what would you do? Of course there’s no question: you’d never give up, or let down. Or at least that’s what [Aaron Christophel] did. (Videos, embedded below.)

But that’s just the victory lap. The race began with previous work by [Cyrill Künzi], who figured out that the NFC chip inside was used for a run-time counter, and managed to reset it by sniffing the password with an SDR as it was being transmitted. A great hack to be sure, but it only works for people with their own SDR setup.

With the goal of popularizing toothbrush-head-NFC-hacking, [Aaron] busted open the toothbrush itself, found the debug pins, dumped the flash, and got to reverse engineering. A pass through Ghidra got him to where the toothbrush reads the NFC tag ID from the toothbrush head. But how does it get from the ID to the password? It turns out that it runs a CRC on a device UID from the NFC tag itself and also a manufacturer’s string found in the NFC memory, and scramble-combines the two CRC values.

Sounds complicated, but the NFC UID can be read with a cellphone app, and the manufacturer’s string is also printed right on the toothbrush head itself for your convenience. Armed with these two numbers, you can calculate the password, and convince your toothbrush head that it’s brand new, all from the comfort of your smartphone! Isn’t technology grand?
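What makes the derivation breakable is not the particular scramble but that every input to it is readable by anyone holding the brush head: a CRC is unkeyed, so the password is a pure function of public data. The Python below is an added example, not [Aaron]'s code or the toothbrush firmware; the CRC variant (CRC-16/CCITT-FALSE), the byte interleaving, the four-byte password length and the sample UID and manufacturer string are all assumptions standing in for whatever the firmware really uses. The keyed variant alongside it shows the smallest change that would defeat the phone-app attack.

```python
import hashlib
import hmac

# Constructed sample inputs standing in for what a phone app reads off the tag.
SAMPLE_UID = bytes.fromhex("04A1B2C3D4E580")   # 7-byte NFC UID (assumed length)
SAMPLE_MFR = b"ACME-BRUSH"                       # stand-in for the printed manufacturer string


def crc16_ccitt(data: bytes, init: int = 0xFFFF) -> int:
    """CRC-16/CCITT-FALSE (poly 0x1021, init 0xFFFF). Assumed variant; any CRC is equally unkeyed."""
    crc = init
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            if crc & 0x8000:
                crc = ((crc << 1) ^ 0x1021) & 0xFFFF
            else:
                crc = (crc << 1) & 0xFFFF
    return crc


def weak_password(uid: bytes, mfr: bytes) -> bytes:
    """Password = CRC(uid) and CRC(mfr) interleaved byte by byte (assumed combination).

    No secret enters the calculation, so anyone who can read the tag and the
    printed string reproduces the password exactly; this is the phone-app attack.
    """
    a = crc16_ccitt(uid).to_bytes(2, "big")
    b = crc16_ccitt(mfr).to_bytes(2, "big")
    return bytes([a[0], b[0], a[1], b[1]])


def keyed_password(uid: bytes, mfr: bytes, secret: bytes) -> bytes:
    """Hardened form: a keyed MAC over the same public inputs, truncated to four bytes.

    Without `secret` the password cannot be computed from the tag contents alone.
    """
    return hmac.new(secret, uid + mfr, hashlib.sha256).digest()[:4]


def brush_accepts(presented: bytes, uid: bytes, mfr: bytes) -> bool:
    """Brush-side check for the weak scheme, with a constant-time compare."""
    return hmac.compare_digest(presented, weak_password(uid, mfr))


if __name__ == "__main__":
    pw = weak_password(SAMPLE_UID, SAMPLE_MFR)
    print("brush derives  :", pw.hex())
    print("phone derives  :", weak_password(SAMPLE_UID, SAMPLE_MFR).hex(), "(same inputs, same result)")
    print("keyed variant  :", keyed_password(SAMPLE_UID, SAMPLE_MFR, b"device-family-secret").hex())
```

The keyed variant only moves the secret into the brush's own flash, which is exactly what [Aaron] dumped over the debug pins; it stops the smartphone-only attack, not someone with a soldering iron. Keeping the secret out of a dumpable image needs a part that will not hand it over, which is a different class of device than a toothbrush.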

We’re left guessing a little bit about the Rickroll hack, but we’d guess that once [Aaron] had the debug pins on the toothbrush’s microcontroller, he just couldn’t resist writing and flashing in a custom firmware. Talk about dedication.

[Aaron] has been doing extensive work on e-paper displays, but his recent work on the Sumup payment terminal is a sweet look at hacking into higher security devices with acupuncture needles.


Tesla Door Phone Decoded (Not That Tesla)

[Danman] has digital door phones manufactured by Tesla, or at least a Tesla, since this one is not to be confused with the carmaker. The problem is that if someone comes to the door when no one's home, there's no remote indicator. The answer? Reverse engineer the protocol and fix it.

A quick dump on a storage scope showed the data clearly, but it wasn't obvious what protocol it was using. After a little analysis, it turned out that the datastream used 4 PWM pulses as symbols, with three symbols in play: one, zero, and a stuffing sequence.

Once you can read the bits, it is easy to determine that each frame consists of a 16-bit destination address and a 16-bit source address, along with a command byte and a checksum byte. Each station can have an ID from 000 to 999, although you can only dial up to number 323. Some nodes are special, and there are ways to address particular units.
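With the framing known, a few lines of code are enough to both decode and forge frames, which is the security-relevant point: a checksum protects against line noise, not against another node on the same wire. The Python below is an added example rather than [Danman]'s decoder, and it assumes details the post leaves open: big-endian addresses, MSB-first bit order, the stuffing symbol simply dropped before bytes are assembled, and an XOR checksum over the five preceding bytes.

```python
import struct

FRAME_LEN = 6          # dst(2) + src(2) + cmd(1) + checksum(1)
MAX_STATION_ID = 999   # stations are numbered 000-999


def symbols_to_bytes(symbols: str) -> bytes:
    """Assemble bytes from a decoded symbol string.

    '0' and '1' are data bits, MSB first (assumed order). 'S' marks a stuffing
    sequence, which carries no data and is dropped.
    """
    bits = symbols.replace("S", "")
    if len(bits) % 8:
        raise ValueError("bit count is not a whole number of bytes")
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))


def checksum(body: bytes) -> int:
    """Assumed checksum: XOR of the address and command bytes."""
    acc = 0
    for b in body:
        acc ^= b
    return acc


def build_frame(dst: int, src: int, cmd: int) -> bytes:
    """Pack a frame; any node on the bus can do this, the checksum proves nothing about the sender."""
    if not (0 <= dst <= MAX_STATION_ID and 0 <= src <= MAX_STATION_ID):
        raise ValueError("station ID out of range")
    if not 0 <= cmd <= 0xFF:
        raise ValueError("command must fit in one byte")
    body = struct.pack(">HHB", dst, src, cmd)
    return body + bytes([checksum(body)])


def parse_frame(frame: bytes) -> dict:
    """Unpack a frame and verify its checksum."""
    if len(frame) != FRAME_LEN:
        raise ValueError(f"expected {FRAME_LEN} bytes, got {len(frame)}")
    body, chk = frame[:5], frame[5]
    if checksum(body) != chk:
        raise ValueError("checksum mismatch")
    dst, src, cmd = struct.unpack(">HHB", body)
    return {"dst": dst, "src": src, "cmd": cmd}


def is_valid_frame(frame: bytes) -> bool:
    try:
        parse_frame(frame)
        return True
    except ValueError:
        return False


def frame_from_symbols(symbols: str) -> dict:
    """Full path from scope-decoded symbols to a parsed frame."""
    return parse_frame(symbols_to_bytes(symbols))


if __name__ == "__main__":
    f = build_frame(5, 123, 0x10)
    print("frame  :", f.hex())
    print("parsed :", parse_frame(f))
```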

Connecting to the hardware took a transformer for isolation. Honestly, unless you have this exact hardware, this isn’t likely to be something you can directly use. However, it is a great example of how you can figure out a specialized device and bend it to your will.

We love reverse engineering projects. In some cases, it is easier if you have a CT scan.

How Does Your McDonald’s Burger Get To You?

Table service and McDonald's sound as though they should be mutually exclusive, given the giant chain's fast-food business model, but in many restaurants there's the option of keying in the number from a plastic beacon when you order, placing the beacon on the table, and waiting for a staff member to bring your food. How does the system work? [Whiterose Infosec] scored one of the beacons, and subjected it to a teardown and some probing.

The beacon in question has the look of being an older model judging by the 2009 date codes on its radio module and the evident corrosion on its battery terminals. Its Bluetooth 4 SoC is end-of-life, so it’s possible that this represents a previous version of the system. It has a few other hardware features, including a magnet and a sensor designed to power the board down when it is stacked upon another beacon.

Probing its various interfaces revealed nothing, as did connecting to the device via Bluetooth. However, some further research, as well as asking some McD's employees, revealed some of its secrets. It does little more than advertise its MAC address, and an array of Bluetooth base stations in the restaurant use that to triangulate its approximate position.
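An advertise-only beacon is trivial to sniff, and that is both how the restaurant finds your table and why the scheme depends on a fixed identifier that anyone else in range can follow too. The Python below parses a BLE advertising PDU the way a sniffer would and classifies the advertiser address; it is an added example, not code from [Whiterose Infosec], and the two sample PDUs are constructed here, since the real beacon's advertisement contents are not given in the post.

```python
# BLE link-layer advertising PDU: header byte, length byte, then AdvA (6 bytes, LSB first)
# followed by AD structures of the form [len][type][data...].
# Header bits: 0-3 PDU type, 6 TxAdd (0 = public address, 1 = random address).
PDU_TYPES = {0x0: "ADV_IND", 0x1: "ADV_DIRECT_IND", 0x2: "ADV_NONCONN_IND",
             0x4: "SCAN_RSP", 0x6: "ADV_SCAN_IND"}
AD_FLAGS = 0x01
AD_COMPLETE_LOCAL_NAME = 0x09

# Constructed sample PDUs (not captured from a real beacon).
SAMPLE_PUBLIC = (bytes([0x00, 0x13])                            # ADV_IND, public addr, 19-byte payload
                 + bytes([0x66, 0x55, 0x44, 0x33, 0x22, 0x11])  # AdvA 11:22:33:44:55:66, LSB first
                 + bytes([0x02, AD_FLAGS, 0x06])                # Flags AD structure
                 + bytes([0x09, AD_COMPLETE_LOCAL_NAME]) + b"BEACON01")
SAMPLE_PRIVATE = (bytes([0x40, 0x09])                           # ADV_IND, TxAdd=1 (random), 9-byte payload
                  + bytes([0xF0, 0xE1, 0xD2, 0xC3, 0xB4, 0x4A]) # top two bits 01: resolvable private
                  + bytes([0x02, AD_FLAGS, 0x06]))


def parse_adv_pdu(pdu: bytes) -> dict:
    """Parse header, advertiser address and AD structures; raise on malformed input."""
    if len(pdu) < 8:
        raise ValueError("PDU too short for header plus AdvA")
    header, length = pdu[0], pdu[1]
    payload = pdu[2:]
    if len(payload) != length:
        raise ValueError("length field does not match payload")
    adv_a = payload[:6][::-1]                      # transmitted LSB first; display MSB first
    if (header >> 6) & 1 == 0:
        addr_type = "public"
    else:                                          # random address sub-type lives in the top two bits
        addr_type = {0b11: "static-random",
                     0b01: "resolvable-private",
                     0b00: "non-resolvable-private"}.get(adv_a[0] >> 6, "reserved")
    ad = {}
    i = 6
    while i < length:
        ln = payload[i]
        if ln == 0:                                # zero-length structure: padding, stop
            break
        if i + 1 + ln > length:
            raise ValueError("truncated AD structure")
        ad[payload[i + 1]] = bytes(payload[i + 2:i + 1 + ln])
        i += 1 + ln
    return {"type": PDU_TYPES.get(header & 0x0F, "unknown"),
            "address": ":".join(f"{b:02X}" for b in adv_a),
            "address_type": addr_type,
            "ad": ad}


def is_trackable(info: dict) -> bool:
    """A public or static-random address never rotates, so any listener can follow the device."""
    return info["address_type"] in ("public", "static-random")


if __name__ == "__main__":
    for sample in (SAMPLE_PUBLIC, SAMPLE_PRIVATE):
        info = parse_adv_pdu(sample)
        print(info["type"], info["address"], info["address_type"], "trackable" if is_trackable(info) else "rotating")
```

A positioning system built on a fixed address is a deliberate design choice here: the base stations need the same identifier every time the beacon speaks. The flip side is that nothing stops a third party with a cheap BLE dongle from logging which table a given beacon, and the customer carrying it, sits at.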

If you’ve ever pondered how these beacons work while munching on your McFood, you might also like to read about McVulnerabilities elsewhere in the system.

Reverse-Engineering Helps Typesetting Machine Punch Paper Tape Again

[Scott M. Baker] wants a paper tape punch for his retrocomputer collection. That's fine with us, we don't judge. In fact, these electromechanical peripherals from the past have a lot going for them, especially the noise. But alas, such things are a little hard to come by these days, and rolling one from scratch would be a difficult proposition indeed. What to do?

Luckily, we live in the future, and eBay holds all sorts of wonders, including these typesetter keyboards from the 1970s, which [Scott] promptly reverse-engineered. We'll get to the details in a minute, but first, can we just take a moment to think about the workflow these things were part of? These aren't terminals; they lack any kind of I/O apart from the punched paper tape they spewed out. The operator's job was to punch in copy without any kind of feedback that they were hitting the right keys, and then send the paper tape record of the session off to the typesetting machines. And you think your job sucks.

To give this thing an interface, [Scott] first had to revive the power supply, whose capacitors had seen sunnier days. With that out of the way, he set about understanding the CPU-less machine by analyzing its 7400-series logic, as well as planning how to turn the native 6-bit output into a more manageable 8 bits. Thankfully, the tape punch already had solenoids for the top two bits, but finding a way to drive them wasn't trivial.

The solution was to bypass a buffer so that the bits for the desired character can be set with a Raspberry Pi and an ATF22V10 programmable logic device. That’s enough to force the punch to do its thing; actually getting it to talk to something else, perhaps even [Scott]’s Heathkit H-8 computer.


Hackaday Prize 2023: Throwaway Temperature Logger To Useful ARM Dev Board

The global supply chain is a masterpiece of containerized logistics that allows a container to leave a factory in China and arrive on a British forecourt after only a few weeks, but along with the efficiency it brings a traceability and monitoring problem. If you are shipping perishable items such as medicines or foodstuffs, how can you be sure that they’ve remained refrigerated the whole journey through?

The answer comes in digital temperature loggers, and since these are throwaway devices [arduinocelentano] decided to look inside and see if they could be reused. The answer is positive, in that many models have the potential to be useful dev boards for very little money.

These devices usually take the form of a bulky USB dongle with an LCD display and a few buttons. Inside they invariably have a low-power ARM microcontroller and a battery, as well as the temperature sensor and some flash memory to store the readings. The data is read by the customer through the USB port, and they're single use, with manufacturers paying only lip service to recycling, because the data must by necessity be impossible to erase or alter. Happily, for all that, many of them appear to be well-designed internally, with the relevant debug and programming ports exposed and the ability to access the microcontroller. We look forward to seeing what comes of these boards, because while the worst of the chip shortage may now be receding, it's always good to find a new source.

Flipper Zero “Smoking” A Smart Meter Is A Bad Look For Hardware Hackers

Alright, we’re calling it — we need a pejorative equivalent to “script kiddie” to describe someone using a Flipper Zero for annoyingly malign purposes. If you need an example, check out the apparent smart meter snuff video below.

The video was posted by [Peter Fairlie], who we assume is the operator of the Flipper Zero pictured. The hapless target smart meter is repeatedly switched on and off with the Flipper — some smart meters have contactors built in so that service can be disconnected remotely for non-payment or in emergencies — which rapidly starts and stops a nearby AC compressor. Eventually, the meter releases a puff of Magic Smoke, filling its transparent enclosure and obscuring the display. The Flipper’s operator mutters a few expletives at the results, but continues turning the meter on and off even more rapidly before eventually running away from the scene of the crime.

We qualify this as "apparent" because the minute we saw this over on RTL-SDR.com, we reached out to reverse-engineer par excellence and smart meter aficionado [Hash] for an opinion. Spoiler alert: [Hash] thinks it's an elaborate hoax; the debunking starts at the 4:32 mark in the second video below. The most damning evidence is that the model of smart meter shown in the video doesn't even have a disconnect, so whatever [Peter] is controlling with the Flipper, it ain't the meter. Also, [Hash] figured out where [Peter] lives, since he doxxed himself in a previous video, and not only does the meter shown in the video not belong to the Canadian power company serving the house, but StreetView shows that there's a second meter, suggesting that this meter may have been set up specifically for the lulz.

It should go without saying that Hackaday is about as supportive of hardware experimentation as an organization can be. But there have to be some boundaries, and even if this particular video turns out to be a hoax, it clearly steps over the line. Stuff like this paints a poor picture of what hardware hacking is all about, and leads to unintended consequences that make it harder for all of us to get the tools we need.


A Peek Inside A 747 Fuel Gauge

It isn’t that often that we civilians get the chance to closely examine the fantastic internals that make up the modern marvels of avionic engineering. Luckily for us, [Glen] got his hands on a 747 fuel gauge and tore it down for our benefit. Not only does he tear it down, but he also builds a controller to display values.

Unlike your typical automotive fuel gauge that reports the distance from the top of the tank to the fuel level, this gauge reports the number of pounds of fuel. The fact that the indicator pictured above can go all the way to 95,000 pounds of fuel hits home the sheer scale of the fuel tanks on a 747 compared to your Volvo. Of course, where this gets interesting is the teardown with the metal sleeve removed. A 400 Hz AC servo motor moves the pointer and counter through the gearing, with the help of a feedback potentiometer. The resistance tolerance is a loose 3%, which is fine since there are adjustment knobs on the back. But the linearity spec is a tight 0.06%, putting this part in a different grade from most pots.

One of the indicators was in worse shape than the others, so [Glen] got to work tapping into the internals of the gauge to drive the motor directly. A custom AC power supply repurposed from another project provided power, and a Raspberry Pi Pico served as the PID controller. For [Glen], it isn't all roses. Unfortunately, a noisy spot around 22,500 pounds prevents accurate placement in that region.

The code is up on GitHub, and we love having a gauge on the desk to show whatever value we like. If you are curious about more 747 instruments, this retro control unit might interest you.
