Generator Control Panel Unlocked With Reverse Engineering Heroics

March 11, 2024 by Dan Maloney 11 Comments

Scoring an interesting bit of old gear on the second-hand market is always a bit of a thrill — right up to the point where you realize the previous owner set some kind of security code on it. Then it becomes a whole big thing to figure out, to the point of blunting the dopamine hit you got from the original purchase.

Fear not, though, because there’s dopamine aplenty if you can copy what [Buy it Fix it] did to decode the PIN on a used generator control panel. The panel appears to be from a marine generator, and while it powered up fine, the menu used to change the generator’s configuration options is locked by a four-digit PIN. The manufacturer will reset it, but that requires sending it back and paying a fee, probably considerable given the industrial nature of the gear.

Instead of paying up, [Buy it Fix it] decided to look for a memory chip that might store the PIN. He identified a likely suspect, a 24LC08B 8-Kb serial EEPROM, and popped it off to read its contents. Nothing was immediately obvious, but blanking the chip and reinstalling it cleared the PIN, so he at least knew it was stored on the chip. Many rounds of soldering and desoldering the chip followed, blanking out small sections of memory each time until the PIN was located. The video below edits out a lot of the rework, but gives the overall gist of the hack.

To be honest, we’re not sure if the amount of work [Buy it Fix it] put into this was less than taking a couple of hours to punch in PINs and brute-force it. Then again, if he hadn’t done the reverse engineering he wouldn’t have stumbled upon where the generator parameters like running time and power figures were stored. And it’s not really his style, either; we’ve seen him perform similar heroics on everything from tractors to solar inverters, after all.

Continue reading “Generator Control Panel Unlocked With Reverse Engineering Heroics” →

Phenolic board from an RC car - a well-known sight for a hacker

Pairing A New Remote To A Cheap RC Car

March 8, 2024 by Arya Voronova 9 Comments

The cheap little RC cars are abundant anywhere you are, and if you’ve ever disassembled one, you are familiar with how the PCB looks. A single-sided phenolic paper PCB with a mystery chip driving a bunch of through-hole transistors, a sprinkle of through-hole capacitors, and a few supporting components for the wire antenna. It might not feel reusable, but [Chris Jones] begs to differ, with a Twitter thread showing us how he’s paired a scrap board from one RC car with a remote control from another, all to help a little family project.

These mystery ICs turn out to be RC-car-on-a-chip modules, and Chris lucked out in that his IC has a detailed datasheet available, complete with code pulse examples for different commands. The datasheet for the chip in the remote control is nowhere to be found, though, so we have to dig deeper. How about scoping the RF output? Turns out the supported codes between the two ICs are basically identical! The scrap board wouldn’t move any motors though, so it was time to narrow down the issue.

The RC car board has a 128KHz oscillator, and scoping that has shown the issue – it was producing 217KHz for some reason. It turned out that the oscillator’s load resistor was 100 kiloohms instead of recommended 200k, and switching that put it back on course. We would assume that, wherever the original remote control for that car is, it is similarly mis-tuned, or otherwise the RC car could never have worked.

Through sheer luck and tactical application of an oscilloscope, the RC car moves again, paired to a remote it was never meant to be, and the family project moves forward. Got a RC car, but no remote? Perhaps a HackRF can help.

Gaming On A TP-Link TL-WDR4900 Wireless Router

March 5, 2024 by Maya Posch 18 Comments

When you look at your home router, the first thought that comes to mind probably isn’t about playing games on it. But that doesn’t stop [Manawyrm] and [tSYS] from taking on the task of turning the 2013-era TP-Link TL-WDR4900 router into a proper gaming machine using an external GPU. This is made possible by the PCIe lanes on the mainboard, courtesy of the PowerPC-based SoC (NXP QorIQ P1014) and remappable Base Address Registers (BARs). This router has been an OpenWRT-favorite for years due to its powerful hardware and feature set.

This mod required a custom miniPCIe PCB that got connected to the PCIe traces (after cutting the connection with the Atheros WiFi chipset). This allowed an external AMD Radeon HD 7470 GPU to be connected to the system, which showed up in OpenWRT. To make full use of this hardware by gaining access to the AMD GPU driver, full Debian Linux was needed. Fortunately, the distro had a special PowerPCSPE port that supports the e500v2 CPU core in the SoC. After this it was found that the amdgpu driver has issues on 32-bit platforms, for which an issue ticket got filed.

Using the legacy Radeon driver helped to overcome this issue, but then it was found that the big endian nature of the CPU tripped up the Grand Theft Auto: Vice City game code which has not been written with BE in mind. This took a lot of code patching to help fix this, but eventually the game was up and running, albeit with glitches. Whatever the cause of these graphical glitches was will remain unknown, as after updating everything things began to work normally.

So now it’s possible to convert a 2013-era router into a gaming console after patching in an external GPU, which actually could be useful in keeping more potential e-waste out of landfills.

Continue reading “Gaming On A TP-Link TL-WDR4900 Wireless Router” →

Hacking An Actual WiFi Toothbrush With An ESP32-C3

March 5, 2024 by Maya Posch 15 Comments

Following on the heels of a fortunately not real DDoS botnet composed of electric toothbrushes, [Aaron Christophel] got his hands on a sort-of-electric toothbrush which could totally be exploited for this purpose.

Evowera Planck Mini will never gonna give you up, never let you down. (Credit: Aaron Christophel)

The Evowera Planck Mini which he got is the smaller, children-oriented version of the Planck O1 (a more regular electric toothbrush). Both have a 0.96″ color LC display, but the O1 only has Bluetooth and requires a smartphone app. Meanwhile the Mini uses a pressure sensor for the brush along with motion sensors to keep track of the child’s teeth brushing efforts and to provide incentives.

The WiFi feature of the Mini appears to be for both firmware updates as well as to allow parents to monitor the brushing reports of their offspring in the associated smartphone app. With this feature provided by the ESP32-C3 SoC inside the device, the question was how secure it is.

As it turns out not very secure, with [Aaron] covering the exploit in a Twitter thread. As exploits go, it’s pretty straightforward: the toothbrush tries to connect to a default WiFi network (SSID evowera, pass 12345678), tries to acquire new firmware, and flashes this when found without any fuss. [Aaron] made sure to figure out the pin-out on the PCB inside the device as well, opening up new avenues for future hacking.

We’re great fans of [Aaron] and his efforts to breathe new life into gadgets through firmware hacking. His replacement firmware for the Xiaomi LYWSD03MMC Bluetooth thermometer is one of the best we’ve seen.

Continue reading “Hacking An Actual WiFi Toothbrush With An ESP32-C3” →

The FPC adapter shown soldered between the BGA chip and the phone's mainboard, with the phone shown to have successfully booted, displaying an unlock prompt on the screen

IPhone 6S NVMe Chip Tapped Using A Flexible PCB

March 3, 2024 by Arya Voronova 3 Comments

Psst! Hey kid! Want to reverse-engineer some iPhones? Well, did you know that modern iPhones use PCIe, and specifically, NVMe for their storage chips? And if so, have you ever wondered about sniffing those communications? Wonder no more, as this research team shows us how they tapped them with a flexible printed circuit (FPC) BGA interposer on an iPhone 6S, the first iPhone to use NVMe-based storage.

The research was done by [Mohamed Amine Khelif], [Jordane Lorandel], and [Olivier Romain], and it shows us all the nitty-gritty of getting at the NVMe chip — provided you’re comfortable with BGA soldering and perhaps got an X-ray machine handy to check for mistakes. As research progressed, they’ve successfully removed the memory chip dealing with underfill and BGA soldering nuances, and added an 1:1 interposer FR4 board for the first test, that proved to be successful. Then, they made an FPC interposer that also taps into the signal and data pins, soldered the flash chip on top of it, successfully booted the iPhone 6S, and scoped the data lines for us to see.

This is looking like the beginnings of a fun platform for iOS or iPhone hardware reverse-engineering, and we’re waiting for further results with bated breath! This team of researchers in particular is prolific, having already been poking at things like MITM attacks on I2C and PCIe, as well as IoT device and smartphone security research. We haven’t seen any Eagle CAD files for the interposers published, but thankfully, most of the know-how is about the soldering technique, and the paper describes plenty. Want to learn more about these chips? We’ve covered a different hacker taking a stab at reusing them before. Or perhaps, would you like to know NVMe in more depth? If so, we’ve got just the article for you.

We thank [FedX] for sharing this with us on the Hackaday Discord server!

The Thinkpad in question, with a Linux shell open on its screen, showing that the device mode has been successfully enabled

ThinkPad X1 Carbon Turned USB Device Through Relentless Digging

March 1, 2024 by Arya Voronova 15 Comments

In what’s perhaps one of the most impressive laptop reverse engineering posts in recent memory, [Andrey Konovalov] brings us an incredibly detailed story of how he’s discovered and successfully enabled a USB device controller in a ThinkPad X1 Carbon equipped with a 6th gen Intel CPU.

If you ever wanted to peek at the dirty secrets of a somewhat modern-day Intel CPU-based system, this write-up spares you no detail, and spans dozens of abstraction layers — from Linux drivers and modifying NVRAM to custom USB cable building and BIOS chip flashing, digging deep into undocumented PCH registers for the dessert.

All [Andrey] wanted was to avoid tinkering with an extra Raspberry Pi. While using a PCIe connected device controller, he’s found a reference to intel_xhci_usb_sw-role-switch in Linux sysfs, and dove into a rabbit hole, where he discovered that the IP core used for the laptop’s USB ports has a ‘device’ mode that can be enabled. A dig through ACPI tables confirmed this, but also highlighted that the device is disabled in BIOS. What’s more, it turned out to be locked away behind a hidden menu. Experiments in unlocking that menu ensued, in particular when it comes to bypassing Intel Boot Guard, a mechanism that checks BIOS image signatures before boot.

Continue reading “ThinkPad X1 Carbon Turned USB Device Through Relentless Digging” →

Pictures of the internals of the Starlink adapter

Restoring Starlink’s Missing Ethernet Ports

February 28, 2024 by Arya Voronova 29 Comments

Internet connectivity in remote areas can be a challenge, but recently SpaceX’s Starlink has emerged as a viable solution for many spots on the globe — including the Ukrainian frontlines. Unfortunately, in 2021 Starlink released a new version of their hardware, cost-optimized to the point of losing some nice features such as the built-in Ethernet RJ45 (8P8C) port, and their proposed workaround has some fundamental problems to it. [Oleg Kutkov], known for fixing Starlink terminals in wartime conditions, has released three posts on investigating those problems and, in the end, bringing the RJ45 ports back.

Starlink now uses an SPX connector with a proprietary pinout that carries two Ethernet connections at once: one to the Dishy uplink, and another one for LAN, with only the Dishy uplink being used by default. If you want LAN Ethernet connectivity, they’d like you to buy an adapter that plugs in the middle of the Dishy-router connection. Not only is the adapter requirement a bother, especially in a country where shipping is impeded, the SPX connector is also seriously fragile and prone to a few disastrous failure modes, from moisture sensitivity to straight up bad factory soldering.

Continue reading “Restoring Starlink’s Missing Ethernet Ports” →