Getting Root On A Chinese IP Camera

December 12, 2022 by Maya Posch 67 Comments

With so many cheap network-connected devices out there being Linux-powered, it’s very tempting to try and hack into them, usually via a serial interface. This was the goal of [Andrzej Szombierski] when he purchased a cheap Chinese IP camera using an XM530 ARM-based SoC to explore and ultimately get root access on. This camera’s firmware provides the usual web interface on its network side, but it also has a UART on its PCB, courtesy of the unpopulated four-pin header.

Merely firing up a serial terminal application and connecting to this UART is not enough to get access, of course. The first obstacle that [Andrzej] struggled with was that U-Boot was configured to not output Linux kernel boot messages. After tackling that issue with some creative hacking, the next challenge was to figure out the root password, using a dump of the firmware image, which led to even more exploration of the firmware and the encoding used for the root password.

Even if some part of these challenges were possibly more accidental than on purpose by the manufacturer, it shows how these SoC-based Linux devices can put up quite a fight. This then leaves the next question, of what to do with such an IP camera after you have gained root access?

DIY Comparatron Helps Trace Tiny, Complex Objects

December 11, 2022 by Donald Papp 21 Comments

Hackers frequently find themselves reverse-engineering or interfacing to existing hardware and devices, and when that interface needs to be a physical one, it really pays to be able to take accurate measurements.

This is easy to do when an object is big enough to fit inside calipers, or at least straight enough to be laid against a ruler. But what does one do when things are complex shapes, or especially small? That’s where [Cameron]’s DIY digital optical comparator comes in, and unlike commercial units it’s entirely within the reach (and budget) of a clever hacker.

The Comparatron is based off a CNC pen plotter, but instead of a pen, it has a USB microscope attached with the help of a 3D-printed fixture. Serving as a background is an LED-illuminated panel, the kind useful for tracing. The physical build instructions are here, but the image should give most mechanically-minded folks a pretty clear idea of how it fits together.

Continue reading “DIY Comparatron Helps Trace Tiny, Complex Objects” →

side by side, showing hardware experiments with capacitor gating through FETs, an initial revision of the modchip board with some fixes, and a newer, final, clean revision.

A Modchip To Root Starlink User Terminals Through Voltage Glitching

November 28, 2022 by Arya Voronova 36 Comments

A modchip is a small PCB that mounts directly on a larger board, tapping into points on that board to make it do something it wasn’t meant to do. We’ve typically seen modchips used with gaming consoles of yore, bypassing DRM protections in a way that a software hacks couldn’t quite do. As software complexity and therefore attack surface increased on newer consoles, software hacks have taken the stage. However, on more integrated pieces of hardware, we’ll still want to return to the old methods – and that’s what this modchip-based hack of a Starlink terminal brings us.

[Lennert Wouters]’ team has been poking and prodding at the Starlink User Terminal, trying to get root access, and needed to bypass the ARM Trusted Firmware boot-time integrity checks. The terminal’s PCB is satellite-dish-sized, so things like laser fault injection are hard to set up – hence, they went the voltage injection route. Much poking and prodding later, they developed a way to reliably glitch the CPU into verifying a faulty firmware, and got to a root shell – the journey described in a BlackHat talk embedded below. Continue reading “A Modchip To Root Starlink User Terminals Through Voltage Glitching” →

Unlocking A Locked-Down Inverter

November 25, 2022 by Jenny List 21 Comments

There was a time when a mains inverter was a heavy, expensive, and not particularly powerful item, but thanks to switch-mode technology we are now spoiled for choice. Most inverters still work with 12 V or 24 V supplies though, so when [Chris Jones] was looking for one to run from 36 V batteries, he found a limited supply. Sadly the Greenworks model he ended up with was affordable, but locked to a particular battery by means of a serial line between battery and inverter. Buy the special battery? No, he did what any hacker would do, and modified the inverter to do without it.

Tracing the serial link led to a mystery chip, probably a microcontroller but without available data. It in turn had a line to an 8051 derivative that seemed to be the brains of the operation. Acting on a hunch he pulled down the line with a resistor, and as if by magic, a working inverter appeared.

As you might expect, here at Hackaday we abhor such tricks by manufacturers, and thus any moves to circumvent them are to be applauded. It would be extremely interesting were anyone to have the Greenworks battery to subject to some reverse engineering of the profile.

Meanwhile if this is a little complex for you, there is a much simpler way to make a rough and ready inverter.

Reverse Engineering “The Seven Words (and More) You Can’t Say On TV”

November 21, 2022 by Dan Maloney 24 Comments

For as visionary as he was, [George Carlin] vastly underestimated the situation with his classic “Seven Words You Can’t Say on TV” bit. At least judging by [Ben Eater]’s reverse engineering of the “TVGuardian Foul Language Filter” device, it seems like the actual number is at least 20 times that.

To begin at the beginning, a couple of weeks ago [Alec] over at everyone’s favorite nerd hangout Technology Connections did a video on the TVGuardian, a device that attempted to clean up the language of live TV and recorded programming. Go watch that video for the details, but for a brief summary, TVGuardian worked by scanning the closed caption text for naughty words and phrases, muted the audio when something suggestive was found in a lookup table, and inserted a closed caption substitute for the offensive content. In his video, [Alec] pined for a way to look at the list of verboten words, and [Ben] accepted the challenge.

The naughty word list ended up living on a 93LC86 serial EEPROM, which [Ben] removed from his TVGuardian for further exploration. Rather than just plug it into a programmer and dumping the contents, he decided to roll his own decoder with an Arduino, because that’s more fun. And can we just point out our ongoing amazement that [Ben] is able to make watching someone else code interesting?

The resulting NSFW word list is titillating, of course, and the video would be plenty satisfying if that’s where it ended. But [Ben] went further and figured out how the list is organized, how the dirty-to-clean substitutions are made, and even how certain words are whitelisted. That last bit resulted in the revelation that Hollywood legend [Dick Van Dyke] gets a special whitelisting, lest his name becomes sanitized to a hilarious [Jerk Van Gay].

Hats off to [Alec] for inspiring [Ben]’s fascinating reverse engineering effort here.

Continue reading “Reverse Engineering “The Seven Words (and More) You Can’t Say On TV”” →

Scramblepad Teardown Reveals Complicated, Expensive Innards

November 18, 2022 by Donald Papp 28 Comments

What’s a Scramblepad? It’s a type of number pad in which the numbers aren’t in fixed locations, and can only be seen from a narrow viewing angle. Every time the pad is activated, the buttons have different numbers. That way, a constant numerical code isn’t telegraphed by either button wear, or finger positions when punching it in. [Glen Akins] got his hands on one last year and figured out how to interface to it, and shared loads of nice photos and details about just how complicated this device was on the inside.

Just one of the many layers inside the Scramblepad.

Patented in 1982 and used for access control, a Scramblepad aimed to avoid the risk of someone inferring a code by watching a user punch it in, while also preventing information leakage via wear and tear on the keys themselves. They were designed to solve some specific issues, but as [Glen] points out, there are many good reasons they aren’t used today. Not only is their accessibility poor (they only worked at a certain height and viewing angle, and aren’t accessible to sight-impaired folks) but on top of that they are complex, expensive, and not vandal-proof.

[Glen]’s Scramblepad might be obsolete, but with its black build, sharp lines, and red LED 7-segment displays it has an undeniable style. It also includes an RFID reader, allowing it to act as a kind of two-factor access control.

On the inside, the reader is a hefty piece of hardware with multiple layers of PCBs and antennas. Despite all the electronics crammed into the Scramblepad, all by itself it doesn’t do much. A central controller is what actually controls door access, and the pad communicates to this board via an unencrypted, proprietary protocol. [Glen] went through the work of decoding this, and designed a simplified board that he plans to use for his own door access controller.

In the meantime, it’s a great peek inside a neat piece of hardware. You can see [Glen]’s Scramblepad in action in the short video embedded below.

Continue reading “Scramblepad Teardown Reveals Complicated, Expensive Innards” →

Reverse Engineering Reveals EV Charger Has A Sense Of Security

November 16, 2022 by Dan Maloney 11 Comments

As more and more electric vehicles penetrate the market, there’s going to have to be a proportional rise in the number of charging stations that are built into parking garages, apartment complexes, and even private homes. And the more that happens, the more chargers we’re going to start seeing where security is at best an afterthought in their design.

But as this EV charger teardown and reverse engineering shows, it doesn’t necessarily have to be that way. The charger is a Zaptec Pro station that can do up to 22 kW, and the analysis was done by [Harrison Sand] and [Andreas Claesson]. These are just the kinds of chargers that will likely be widely installed over the next decade, and there’s surprisingly little to them. [Harrison] and [Andreas] found a pair of PCBs, one for the power electronics and one for the control circuits. The latter supports a number of connectivity options, like 4G, WiFi, and Bluetooth, plus some RFID and powerline communications. There are two microcontrollers, a PIC and an ARM Cortex-A7.

Despite the ARM chip, the board seemed to lack an obvious JTAG port, and while some unpopulated pads did end up having a UART line, there was no shell access possible. An on-board micro SD card slot seemed an obvious target for attack, and some of the Linux images they tried yielded at least a partial boot-up, but without knowing the specific hardware configuration on the board, that’s just shooting in the dark. That’s when the NAND flash chip was popped off the board to dump the firmware, which allowed them to extract the devicetree and build a custom bootloader to finally own root.

The article has a lot of fascinating details on the exploit and what they discovered after getting in, like the fact that even if you had the factory-set Bluetooth PIN, you wouldn’t be able to get free charging. So overall, a pretty good security setup, even if they were able to get in by dumping the firmware. This all reminds us a little of the smart meter reverse engineering our friend [Hash] has been doing, in terms of both methodology and results.

Thanks to [Thinkerer] for the tip.