Reverse Engineering

224 Articles

Root, On An Amazon Echo Dot

July 22, 2023 by 41 Comments

The Amazon Echo has become an indispensable device for many people unconcerned by its privacy implications. It’s easy to forget that it’s not quite a new product anymore, with the oldest examples now long in the tooth enough to no longer receive security updates. A surprise is that far from being mere clients to Amazon cloud services, they in fact run a version of Android. This makes old dots interesting to experimenters, but first is it possible to gain root access? [Daniel B] has managed it, on a second-generation Echo Dot.

In a sense, this is nothing new, as root has previously been achieved on an Echo Dot through means of a patched kernel. Echo devices use a chain of trust boot process in which each successive step must verify the Amazon signing of the previous one. The kernel patch method breaks the ability to reboot the device with root access. [Daniel’s] method bypasses that chain of trust by using a custom pre-loader injected over USB through an exploit.

As an example, [Daniel] created a web server on his Dot, which can serve audio captured by the device. Don’t panic just yet — an analysis of the other security features suggests that this is not the dangerous exploit it might seem. It does however open up these powerful but now pretty cheap devices as potentially usable for other purposes, which can only be a good thing.

We’ve previously brought you [Daniel]’s work freeing the WiFi details from a Dot.

Reverse Engineering Reveals Hidden API In Abandonware Trail Camera

July 18, 2023 by 12 Comments

It sometimes seems like there are two kinds of cheap hardware devices: those dependent on proprietary software that is no longer available and those that are equally dependent but haven’t been abandoned just quite yet. But rest assured, abandonment is always on the table, and until then, you get to deal with poorly written apps that often suffer from a crippling lack of essential functionality.

Such was the case for the wireless game camera that [Chris Jones] scored on the cheap, but rather than suffering with the original software, he decided to reverse engineer the camera and turn it into something more useful. The eBay description was promising — Bluetooth LE! WiFi! — but the reality proved less so. To save the batteries, WiFi is off by default and can only be turned on by connecting to the camera via BLE using a janky and crash-prone Android app.

[Chris]’ first step in reverse engineering the camera was to snoop into the BLE by capturing the Bluetooth packets to a file and running them through Wireshark. This revealed a write command with the text “BT_KEY_ON” — very promising. After verifying that this command turned on the camera’s access point, [Chris] got to work capturing WiFi packets using PCAPDroid and analyzing the results, again with Wireshark. Using every function available in the OEM app eventually revealed the full API on the camera, which gives file system control, access to individual images, and even putting the camera into live video mode.

Continue reading “Reverse Engineering Reveals Hidden API In Abandonware Trail Camera”

Sniffing Passwords, Rickrolling Toothbrushes

July 18, 2023 by 14 Comments

If you could dump the flash from your smart toothbrush and reverse engineer it, enabling you to play whatever you wanted on the vibrating motor, what would you do? Of course there’s no question: you’d never give up, or let down. Or at least that’s what [Aaron Christophel] did. (Videos, embedded below.)

But that’s just the victory lap. The race began with previous work by [Cyrill Künzi], who figured out that the NFC chip inside was used for a run-time counter, and managed to reset it by sniffing the password with an SDR as it was being transmitted. A great hack to be sure, but it only works for people with their own SDR setup.

With the goal of popularizing toothbrush-head-NFC-hacking, [Aaron] busted open the toothbrush itself, found the debug pins, dumped the flash, and got to reverse engineering. A pass through Ghidra got him to where the toothbrush reads the NFC tag ID from the toothbrush head. But how does it get from the ID to the password? It turns out that it runs a CRC on a device UID from the NFC tag itself and also a manufacturer’s string found in the NFC memory, and scramble-combines the two CRC values.

Sounds complicated, but the NFC UID can be read with a cellphone app, and the manufacturer’s string is also printed right on the toothbrush head itself for your convenience. Armed with these two numbers, you can calculate the password, and convince your toothbrush head that it’s brand new, all from the comfort of your smartphone! Isn’t technology grand?

We’re left guessing a little bit about the Rickroll hack, but we’d guess that once [Aaron] had the debug pins on the toothbrush’s microcontroller, he just couldn’t resist writing and flashing in a custom firmware. Talk about dedication.

[Aaron] has been doing extensive work on e-paper displays, but his recent work on the Sumup payment terminal is a sweet look at hacking into higher security devices with acupuncture needles.

Continue reading “Sniffing Passwords, Rickrolling Toothbrushes”

Tesla Door Phone Decoded (Not That Tesla)

July 18, 2023 by 6 Comments

[Danman] has digital door phones manufactured by Tesla — or at least, a Tesla, as they’re not to be confused with the carmaker, though. The problem is if someone comes to the door when no one’s home, there’s no remote indicator. The answer? Reverse engineer the protocol and fix it.

A quick dump on a storage scope showed the data clearly, but it wasn’t obvious what protocol it was using. After a little analysis, it proved the datastream used 4 PWM pulses as symbols with three symbols: one, zero, and stuffing sequence.

Once you can read the bits, it is easy to determine that each frame consists of a 16-bit destination and source address, along with a command byte and a checksum byte. Each station can have an ID from 000 to 999 although you can only dial up to number 323. Some nodes are special, and there are ways to address particular units.

Connecting to the hardware took a transformer for isolation. Honestly, unless you have this exact hardware, this isn’t likely to be something you can directly use. However, it is a great example of how you can figure out a specialized device and bend it to your will.

We love reverse engineering projects. In some cases, it is easier if you have a CT scan.

How Does Your McDonald’s Burger Get To You?

July 14, 2023 by 32 Comments

Table service and McDonalds sound as though they should be mutually exclusive as a fundamental of the giant chain’s fast food business model, but in many restaurants there’s the option of keying in the number from a plastic beacon when you order, placing the beacon on the table, and waiting for a staff member to bring your food. How does the system work? [Whiterose Infosec] scored one of the beacons, and subjected it to a teardown and some probing.

The beacon in question has the look of being an older model judging by the 2009 date codes on its radio module and the evident corrosion on its battery terminals. Its Bluetooth 4 SoC is end-of-life, so it’s possible that this represents a previous version of the system. It has a few other hardware features, including a magnet and a sensor designed to power the board down when it is stacked upon another beacon.

Probing its various interfaces revealed nothing, as did connecting to the device via Bluetooth. However some further research as well as asking some McD’s employees revealed some of its secret. It does little more than advertise its MAC address, and an array of Bluetooth base stations in the restaurant use that to triangulate its approximate position.

If you’ve ever pondered how these beacons work while munching on your McFood, you might also like to read about McVulnerabilities elsewhere in the system.

Reverse-Engineering Helps Typesetting Machine Punch Paper Tape Again

July 11, 2023 by 14 Comments

[Scott M. Baker] wants a paper tape punch for his retrocomputer collection. That’s fine with us, we don’t judge. In fact,  these electromechanical peripherals from the past have a lot going for them, especially the noise. But alas, such things are a little hard to come by these days, and rolling one from scratch would be a difficult proposition indeed. What to do?

Luckily, we live in the future, and eBay holds all sorts of wonders, including these typesetter keyboards from the 1970s, which [Scott] promptly reverse-engineered. We’ll get to the details in a minute, but first, can we just take a moment to think about the workflow these things were part of? These aren’t terminals — they lack any kind of IO apart from the punched paper tape they spewed out. The operator’s job was to punch in copy without any kind of feedback that they were hitting the right keys, and just sent the paper tap record of the session off to the typesetting machines. And you think your job sucks.

To give this thing an interface, [Scott] first had to revive the power supply, whose capacitors had seen sunnier days. With that out of the way, he set about understanding the CPU-less machine by analyzing its 7400-series logic, as well as planning how to make the native 6-bit output into a more manageable 8-bit. Thankfully, the tape punch already had solenoids for the top two bits, but finding a way to drive them wasn’t trivial.

The solution was to bypass a buffer so that the bits for the desired character can be set with a Raspberry Pi and an ATF22V10 programmable logic device. That’s enough to force the punch to do its thing; actually getting it to talk to something else, perhaps even [Scott]’s Heathkit H-8 computer.

Continue reading “Reverse-Engineering Helps Typesetting Machine Punch Paper Tape Again”

Hackaday Prize 2023: Throwaway Temperature Logger To Useful ARM Dev Board

July 1, 2023 by 4 Comments

The global supply chain is a masterpiece of containerized logistics that allows a container to leave a factory in China and arrive on a British forecourt after only a few weeks, but along with the efficiency it brings a traceability and monitoring problem. If you are shipping perishable items such as medicines or foodstuffs, how can you be sure that they’ve remained refrigerated the whole journey through?

The answer comes in digital temperature loggers, and since these are throwaway devices [arduinocelentano] decided to look inside and see if they could be reused. The answer is positive, in that many models have the potential to be useful dev boards for very little money.

These devices usually take the form of a bulky USB dongle with an LCD display and a few buttons. Inside they invariably have a low-power ARM microcontroller and a battery as well as the temperature sensor and some flash memory to store the readings. The data is read by the customer through the USB port, and they’re single use with manufacturers paying only lip service to recycling, because the data must by necessity be impossible to erase or alter. Happily for all that, many of them appear to be well-designed internally, with the relevant debug and programming ports exposed and the ability to access the microcontroller. We look forward to seeing what comes of these boards, because while the worst of the chip shortage my now be receding it’s always good to find a new source.

The HackadayPrize 2023 is Sponsored by: