Reverse Engineering

211 Articles

ROG Ally Community Rebuilds The Proprietary Asus EGPU

October 1, 2024 by 15 Comments

As far as impressive hacks go, this one is more than enough for your daily quota. You might remember the ROG Ally, a Steam Deck-like x86 gaming console that’s graced our pages a couple lf times. Now, this is a big one – from the ROG Ally community, we get a fully open-source eGPU adapter for the ROG Ally, built by reverse-engineering the proprietary and overpriced eGPU sold by Asus.

We’ve seen this journey unfold over a year’s time, and the result is glorious – two different PCBs, one of them an upgraded drop-in replacement board for the original eGPU, and another designed to fit a common eGPU form-factor adapter. The connector on the ROG Ally is semi-proprietary, but its cable could be obtained as a repair part. From there, it was a matter of scrupulous pinout reverse-engineering, logic analyzer protocol captures, ACPI and BIOS decompiling, multiple PCB revisions and months of work – what we got is a masterpiece of community effort.

Do you want to learn how the reverse-engineering process has unfolded? Check out the Diary.md – it’s certainly got something for you to learn, especially if you plan to walk a similar path; then, make sure to read up all the other resources on the GitHub, too! This achievement follows a trend from the ROG Ally community, with us having featured dual-screen mods and battery replacements before – if it continues the same way, who knows, maybe next time we will see a BGA replacement or laser fault injection.

IPhone 15 Gets Dual SIM Through FPC Patch

September 30, 2024 by 11 Comments

It can often feel like modern devices are less hackable than their thicker and far less integrated predecessors, but perhaps it’s just that our techniques need to catch up. Here’s an outstanding hack that adds a dual SIM slot to a US-sold eSIM iPhone 15/15 Pro, while preserving its exclusive mmwave module. No doubt, making use of the boardview files and schematics, it shows us that smartphone modding isn’t dead — it could be that we need to acknowledge the new tools we now have at our disposal.

When different hardware features are region-locked, sometimes you want to get the best of both worlds. This mod lets you go the entire length seamlessly, no bodges. It uses a lovely looking flexible printed circuit (FPC) patch board to tap into a debug header with SIM slot signals, and provides a customized Li-ion pouch cell with a cutout for the SIM slot. There’s just the small matter of using a CNC mill to make a cutout in the case where the SIM slot will go, and you’ll need to cut a buried trace to disable the eSIM module. Hey, we mentioned our skills needed to catch up, right? From there, it appears that iOS recognizes the new two SIM slots seamlessly.

The video is impressive and absolutely worth a watch if modding is your passion, and if you have a suitable CNC and a soldering iron, you can likely install this mod for yourself. Of course, you lose some things, like waterproofing, the eSIM feature, and your warranty. However, nothing could detract from this being a fully functional modkit for a modern-day phone, an inspiration for us all. Now, perhaps one of us can take a look at building a mod helping us do parts transplants between phones, parts pairing be damned.

Continue reading “IPhone 15 Gets Dual SIM Through FPC Patch”

Man-in-the-Middle PCB Unlocks HP Ink Cartridges

September 28, 2024 by 149 Comments

It’s a well-known secret that inkjet ink is being kept at artificially high prices, which is why many opt to forego ‘genuine’ manufacturer cartridges and get third-party ones instead. Many of these third-party ones are so-called re-manufactured ones, where a third-party refills an empty OEM cartridge. This is increasingly being done due to digital rights management (DRM) reasons, with tracking chips added to each cartridge. These chip prohibit e.g. the manual refilling of empty cartridges with a syringe, but with the right tweak or attack can be bypassed, with [Jay Summet] showing off an interesting HP cartridge DRM bypass using a physical man-in-the-middle-attack.

This bypass takes the form of a flex PCB with contacts on both sides which align with those on the cartridge and those of the printer. What looks like a single IC in a QFN package is located on the cartridge side, with space for it created inside an apparently milled indentation in the cartridge’s plastic. This allows is to fit flush between the cartridge and HP inkjet printer, intercepting traffic and presumably telling the printer some sweet lies so that you can go on with that print job rather than dash out to the store to get some more overpriced Genuine HP-approved cartridges.

Not that HP isn’t aware or not ticked off about this, mind. Recently they threatened to brick HP printers that use third-party cartridges if detected, amidst vague handwaving about ‘hackers’ and ‘viruses’ and ‘protecting the users’ with their Dynamic Security DRM system. As the many lawsuits regarding this DRM system trickle their way through the legal system, it might be worth it to keep a monochrome laser printer standing by just in case the (HP) inkjet throws another vague error when all you want is to just print a text document.

Continue reading “Man-in-the-Middle PCB Unlocks HP Ink Cartridges”

Laser Fault Injection, Now With Optional Decapping

September 20, 2024 by 3 Comments

Whether the goal is reverse engineering, black hat exploitation, or just simple curiosity, getting inside the packages that protect integrated circuits has long been the Holy Grail of hacking. It isn’t easy, though; those inscrutable black epoxy blobs don’t give up their secrets easily, with most decapping methods being some combination of toxic and dangerous. Isn’t there something better than acid baths and spinning bits of tungsten carbide?

[Janne] over at Fraktal thinks so, and the answer he came up with is laser decapping. Specifically, this is an extension of the laser fault injection setup we recently covered, which uses a galvanometer-scanned IR laser to induce glitches in decapped microcontrollers to get past whatever security may be baked into the silicon. The current article continues that work and begins with a long and thorough review of various IC packaging technologies, including the important anatomical differences. There’s also a great review of the pros and cons of many decapping methods, covering everything from the chemical decomposition of epoxy resins to thermal methods. That’s followed by specific instructions on using the LFI rig to gradually ablate the epoxy and expose the die, which is then ready to reveal its secrets.

The benefit of leveraging the LFI rig for decapping is obvious — it’s an all-in-one tool for gaining access and executing fault injection. The usual caveats apply, of course, especially concerning safety; you’ll obviously want to avoid breathing the vaporized epoxy and remember that lasers and retinas don’t mix. But with due diligence, having a single low-cost tool to explore the innards of chips seems like a big win to us.

PC Floppy Copy Protection: Electronic Arts Interlock

September 17, 2024 by 8 Comments

Continuing the series on floppy copy protection, [GloriousCow] examines Electronic Arts’ Interlock system. This was used from 1984 to 1987 for at least fourteen titles released on both 5.25″ and 3.5″ floppies. Although not officially advertised, in the duplication mark sector the string ELECTRONIC ARTS IBM INTERLOCK. appears, hence the name. Compared to other copy protection systems like Softguard Superlok this Interlock protection poses a number of somewhat extreme measures to enforce the copy protection.

The disk surface of Side #0 of the 1984 mystery-adventure title, Murder on the Zinderneuf (Credit: GloriousCow)
The disk surface of Side #0 of the 1984 mystery-adventure title, Murder on the Zinderneuf (Credit: GloriousCow)

Other than the typical issues that come with copying so-called ‘booter’ floppies that do not use DOS but boot directly into the game, the protection track with Interlock is rather easy to spot, as seen on the right. It’s the track that lights up like a Christmas tree with meta data, consisting out of non-consecutive sector IDs. Of note is the use of ‘deleted’ sector data marks (DDAM), which is a rarity in normal usage. Along with the other peculiarities of this track it requires an exact query-response from the disk to be accepted as genuine, including timings. This meant that trying to boot a straight dump of the magnetic surface and trying to run it in an emulated system failed to work.

Reverse-engineering Interlock starts with the stage 0 bootloader from the first sector, which actually patches the End-of-Track (EOT) table parameter to make the ridiculous number of sectors on the special track work. The bootloader then loads a logo, which is the last thing you’ll see if your copy is imperfect.

Decrypting the second stage bootloader required a bit of disassembly and reverse-engineering, which uncovered some measures against crackers. While the actual process of reverse-engineering and the uncovered details of Interlock are far too complex to summarize here, after many hours and the final victory over the handling of an intentional bad CRC the target game (Murder on the Zinderneuf from 1984) finally loaded in the emulator.

After confirming the process with a few other titles, it seems that Interlock is mostly broken, with the DOS-based title ArcticFox (1987) the last hurdle to clear. We just hope that [GloriousCow] is safe at this point from EA’s tame lawyers.

Interested in more copy protection deep dives? Check out the work [GloriousCow] has already done on investigating Softguard’s Superlok and Formaster’s Copy-Lock.

PC Floppy Copy Protection: Softguard Superlok

September 9, 2024 by 15 Comments

Many have sought the holy grail of making commercial media both readable and copy-proof, especially once everyone began to copy those floppies. One of these attempts to make floppies copy-proof was Softguard’s Superlok. This in-depth look at this copy protection system by [GloriousCow] comes on the heels of a part one that covers Formaster’s Copy-Lock. Interestingly, Sierra switched from Copy-Lock to Superlok for their DOS version of games like King’s Quest, following the industry’s quest in search of this holy grail.

The way that Superlok works is that it loads a (hidden) executable called CPC.COM which proceeds to read the 128 byte key that is stored on a special track 6. With this key the game’s executable is decoded and fun can commence. Without a valid ‘Play’ disk containing the special track and CPC.COM executable all one is instead left with is a request by the game to ‘insert your ORIGINAL disk 1’.

Sierra’s King Quest v1.0 for DOS.

As one can see in the Norton Commander screenshot of a Sierra game disk, the hidden file is easily uncovered in any application that supports showing hidden files. However, CPC.COM couldn’t be executed directly; it needs to be executed from a memory buffer and passed the correct stack parameters. Sierra likely put in very little effort when implementing Softguard’s solution in their products, as Superlok supports changing the encryption key offset and other ways to make life hard for crackers.

Sierra was using version 2.3 of Superlok, but Softguard would also make a version 3.0. This is quite similar to 2.x, but has a gotcha in that it reads across the track index for the outer sector. This requires track wrapping to be implemented. Far from this kind of copy protection cracking being a recent thing, there was a thriving market for products that would circumvent these protections, all the way up to Central Point’s Copy II PC Option Board that would man-in-the-middle between the floppy disk drive and the CPU, intercepting data and render those copy protections pointless.

As for the fate of Softguard, by the end of the 1980s many of its customers were tiring of the cat-and-mouse game between crackers and Softguard, along with issues reported by legitimate users. Customers like Infographics Inc. dropped the Superlok protection by 1987 and by 1992 Softguard was out of business.

Reverse Engineering The Web API Of An Akaso EK7000 Action Camera

September 8, 2024 by 2 Comments

Recently, [Richard Audette] bought an Akaso EK7000 action camera for his daughter’s no-smartphones-allowed summer camp, which meant that after his daughter returned from said camp, he was free to tinker with this new toy. Although he was not interested in peeling open the camera to ogle its innards, [Richard] was very much into using the WiFi-based remote control without being forced into using the ‘Akaso Go’ smartphone app. To do this, he had to figure out the details of what the Android app does so that it could be replicated. He provided a fake camera WiFi hotspot for the app in order to learn its secrets.

Normally, the camera creates a WiFi hotspot with a specific SSID (iCam-AKASO_C_1e96) and password (1234567890) which the Android app connects to before contacting the camera’s IP address at 192.72.1.1. The app then shows a live view and allows you to copy over snapshots and videos. Initially, [Richard] tried to decompile the Android app using JADX, but the decompiled code contained so many URLs that it was hard to make heads or tails of it. In addition, the app supports many different Akaso camera models, making it harder to focus on the part for this particular camera.

Continue reading “Reverse Engineering The Web API Of An Akaso EK7000 Action Camera”