Tearing Down Nintendo’s Alarmo Alarm Clock

All your Nintendo Alarmo are belong to mew~ (Credit: GaryOderNichts, Blogspot)

Most of us will probably have seen Nintendo’s latest gadget pop up recently. Rather than a Switch 2 announcement, we got greeted with a Nintendo-branded alarm clock. Featuring a 2.8″ color LCD and a range of sensors, it can detect and respond to a user, and even work as an alarm clock for the low, low price of €99. All of which takes the form of Nintendo-themed characters alongside some mini-games. Naturally this has led people like [Gary] to buy one to see just how hackable these alarm clocks are.

As can be expected from a ‘smart’ alarm clock it has 2.4 GHz WiFi connectivity for firmware and content download, as well as a 24 GHz millimeter wave presence sensor. Before [Gary] even had received his Alarmo, others had already torn into their unit, uncovering the main MCU (STM32H730ZBI6) alongside a 4 GB eMMC IC, as well as the MCU’s SWD pads on the PCB. This gave [Gary] a quick start with reverse-engineering, though of course the MCU was protected (readout protection, or RDP) against firmware dumps, but the main firmware could be dumped from the eMMC without issues.

After this [Gary] had a heap of fun decrypting the firmware, which seems to always get loaded into the external octal SPI RAM before execution, as per the boot sequence (see featured image). This boot sequence offers a few possibilities for inserting one’s own (properly signed) contents. As it turns out via the USB route arbitrary firmware binaries can be loaded, which provided a backdoor to defeat RDP. Unfortunately the MCU is further locked down with Secure Access Mode, which prevents dumping the firmware again.

So far firmware updates for the Alarmo have not nailed shut the USB backdoor, making further reverse-engineering quite easy for the time being. If you too wish to hack your Alarmo and maybe add some feline charm, you can check [Gary]’s GitHub project.

Have You Heard Of The Liquid Powder Display?

Over the decades the technology behind flat panel displays has continuously evolved, and we’ve seen many of them come and go. Among the popular ones there are a few that never quite made the big time, usually because a contemporary competitor took their market. An example is in a recent [Wenting Zhang] video, a mystery liquid powder display. We’d never heard of it, so we were intrigued.

The first segment of the video is an examination of the device, and a comparison with similar-looking ones such as a conventional LCD, or a Sharp Memory LCD. It’s clearly neither of those, and the answer finally came after a lot of research. A paper described a “Quick response liquid powder” as a mechanism for a novel display, and thus it was identified. It works by moving black and white electrically charged powder to flip a pixel from black to white, and its operation is not dissimilar to the liquid-based e-ink displays which evidently won that particular commercial battle.

The process of identifying the driver chip and pinout should be an essential watch for anyone with an interest in display reverse engineering. After a lot of adjusting timing and threshold voltages the dead pixels and weird effects fall away, and then it’s possible to display a not-too-high-quality image on this unusual display, through a custom PCB with an RP2040. Take a look at the video below the break.

We’ve seen [Wenting Zhang]’s work here a few times before, most recently in a very impressive mirror-less camera project.

Continue reading “Have You Heard Of The Liquid Powder Display?”

ROG Ally Community Rebuilds The Proprietary Asus EGPU

As far as impressive hacks go, this one is more than enough for your daily quota. You might remember the ROG Ally, a Steam Deck-like x86 gaming console that’s graced our pages a couple lf times. Now, this is a big one – from the ROG Ally community, we get a fully open-source eGPU adapter for the ROG Ally, built by reverse-engineering the proprietary and overpriced eGPU sold by Asus.

We’ve seen this journey unfold over a year’s time, and the result is glorious – two different PCBs, one of them an upgraded drop-in replacement board for the original eGPU, and another designed to fit a common eGPU form-factor adapter. The connector on the ROG Ally is semi-proprietary, but its cable could be obtained as a repair part. From there, it was a matter of scrupulous pinout reverse-engineering, logic analyzer protocol captures, ACPI and BIOS decompiling, multiple PCB revisions and months of work – what we got is a masterpiece of community effort.

Do you want to learn how the reverse-engineering process has unfolded? Check out the Diary.md – it’s certainly got something for you to learn, especially if you plan to walk a similar path; then, make sure to read up all the other resources on the GitHub, too! This achievement follows a trend from the ROG Ally community, with us having featured dual-screen mods and battery replacements before – if it continues the same way, who knows, maybe next time we will see a BGA replacement or laser fault injection.

IPhone 15 Gets Dual SIM Through FPC Patch

It can often feel like modern devices are less hackable than their thicker and far less integrated predecessors, but perhaps it’s just that our techniques need to catch up. Here’s an outstanding hack that adds a dual SIM slot to a US-sold eSIM iPhone 15/15 Pro, while preserving its exclusive mmwave module. No doubt, making use of the boardview files and schematics, it shows us that smartphone modding isn’t dead — it could be that we need to acknowledge the new tools we now have at our disposal.

When different hardware features are region-locked, sometimes you want to get the best of both worlds. This mod lets you go the entire length seamlessly, no bodges. It uses a lovely looking flexible printed circuit (FPC) patch board to tap into a debug header with SIM slot signals, and provides a customized Li-ion pouch cell with a cutout for the SIM slot. There’s just the small matter of using a CNC mill to make a cutout in the case where the SIM slot will go, and you’ll need to cut a buried trace to disable the eSIM module. Hey, we mentioned our skills needed to catch up, right? From there, it appears that iOS recognizes the new two SIM slots seamlessly.

The video is impressive and absolutely worth a watch if modding is your passion, and if you have a suitable CNC and a soldering iron, you can likely install this mod for yourself. Of course, you lose some things, like waterproofing, the eSIM feature, and your warranty. However, nothing could detract from this being a fully functional modkit for a modern-day phone, an inspiration for us all. Now, perhaps one of us can take a look at building a mod helping us do parts transplants between phones, parts pairing be damned.

Continue reading “IPhone 15 Gets Dual SIM Through FPC Patch”

Man-in-the-Middle PCB Unlocks HP Ink Cartridges

It’s a well-known secret that inkjet ink is being kept at artificially high prices, which is why many opt to forego ‘genuine’ manufacturer cartridges and get third-party ones instead. Many of these third-party ones are so-called re-manufactured ones, where a third-party refills an empty OEM cartridge. This is increasingly being done due to digital rights management (DRM) reasons, with tracking chips added to each cartridge. These chip prohibit e.g. the manual refilling of empty cartridges with a syringe, but with the right tweak or attack can be bypassed, with [Jay Summet] showing off an interesting HP cartridge DRM bypass using a physical man-in-the-middle-attack.

This bypass takes the form of a flex PCB with contacts on both sides which align with those on the cartridge and those of the printer. What looks like a single IC in a QFN package is located on the cartridge side, with space for it created inside an apparently milled indentation in the cartridge’s plastic. This allows is to fit flush between the cartridge and HP inkjet printer, intercepting traffic and presumably telling the printer some sweet lies so that you can go on with that print job rather than dash out to the store to get some more overpriced Genuine HP-approved cartridges.

Not that HP isn’t aware or not ticked off about this, mind. Recently they threatened to brick HP printers that use third-party cartridges if detected, amidst vague handwaving about ‘hackers’ and ‘viruses’ and ‘protecting the users’ with their Dynamic Security DRM system. As the many lawsuits regarding this DRM system trickle their way through the legal system, it might be worth it to keep a monochrome laser printer standing by just in case the (HP) inkjet throws another vague error when all you want is to just print a text document.

Continue reading “Man-in-the-Middle PCB Unlocks HP Ink Cartridges”

Laser Fault Injection, Now With Optional Decapping

Whether the goal is reverse engineering, black hat exploitation, or just simple curiosity, getting inside the packages that protect integrated circuits has long been the Holy Grail of hacking. It isn’t easy, though; those inscrutable black epoxy blobs don’t give up their secrets easily, with most decapping methods being some combination of toxic and dangerous. Isn’t there something better than acid baths and spinning bits of tungsten carbide?

[Janne] over at Fraktal thinks so, and the answer he came up with is laser decapping. Specifically, this is an extension of the laser fault injection setup we recently covered, which uses a galvanometer-scanned IR laser to induce glitches in decapped microcontrollers to get past whatever security may be baked into the silicon. The current article continues that work and begins with a long and thorough review of various IC packaging technologies, including the important anatomical differences. There’s also a great review of the pros and cons of many decapping methods, covering everything from the chemical decomposition of epoxy resins to thermal methods. That’s followed by specific instructions on using the LFI rig to gradually ablate the epoxy and expose the die, which is then ready to reveal its secrets.

The benefit of leveraging the LFI rig for decapping is obvious — it’s an all-in-one tool for gaining access and executing fault injection. The usual caveats apply, of course, especially concerning safety; you’ll obviously want to avoid breathing the vaporized epoxy and remember that lasers and retinas don’t mix. But with due diligence, having a single low-cost tool to explore the innards of chips seems like a big win to us.

PC Floppy Copy Protection: Electronic Arts Interlock

Continuing the series on floppy copy protection, [GloriousCow] examines Electronic Arts’ Interlock system. This was used from 1984 to 1987 for at least fourteen titles released on both 5.25″ and 3.5″ floppies. Although not officially advertised, in the duplication mark sector the string ELECTRONIC ARTS IBM INTERLOCK. appears, hence the name. Compared to other copy protection systems like Softguard Superlok this Interlock protection poses a number of somewhat extreme measures to enforce the copy protection.

The disk surface of Side #0 of the 1984 mystery-adventure title, Murder on the Zinderneuf (Credit: GloriousCow)
The disk surface of Side #0 of the 1984 mystery-adventure title, Murder on the Zinderneuf (Credit: GloriousCow)

Other than the typical issues that come with copying so-called ‘booter’ floppies that do not use DOS but boot directly into the game, the protection track with Interlock is rather easy to spot, as seen on the right. It’s the track that lights up like a Christmas tree with meta data, consisting out of non-consecutive sector IDs. Of note is the use of ‘deleted’ sector data marks (DDAM), which is a rarity in normal usage. Along with the other peculiarities of this track it requires an exact query-response from the disk to be accepted as genuine, including timings. This meant that trying to boot a straight dump of the magnetic surface and trying to run it in an emulated system failed to work.

Reverse-engineering Interlock starts with the stage 0 bootloader from the first sector, which actually patches the End-of-Track (EOT) table parameter to make the ridiculous number of sectors on the special track work. The bootloader then loads a logo, which is the last thing you’ll see if your copy is imperfect.

Decrypting the second stage bootloader required a bit of disassembly and reverse-engineering, which uncovered some measures against crackers. While the actual process of reverse-engineering and the uncovered details of Interlock are far too complex to summarize here, after many hours and the final victory over the handling of an intentional bad CRC the target game (Murder on the Zinderneuf from 1984) finally loaded in the emulator.

After confirming the process with a few other titles, it seems that Interlock is mostly broken, with the DOS-based title ArcticFox (1987) the last hurdle to clear. We just hope that [GloriousCow] is safe at this point from EA’s tame lawyers.

Interested in more copy protection deep dives? Check out the work [GloriousCow] has already done on investigating Softguard’s Superlok and Formaster’s Copy-Lock.