A solar inverter that asks for a password on its display

Decompiling Software To Fix An Old Solar Inverter

It’s a fact of life that electronic devices become obsolete after a few years. Sometimes this is because technology has moved on, but it can also happen that a perfectly functional device becomes near-useless simply because the original manufacturer no longer supports it. When [Buy It Fix It] found a pair of second-hand Power-One Aurora solar inverters, he ran into an issue for which he needed access to the service menu, which happened to be password-protected. The original manufacturer had ceased to exist, and the current owner of the brand name was unable to help, so [Buy It Fix It] had to resort to reverse engineering to find the password.

Thanks to the Wayback Machine over at the Internet Archive, [Buy It Fix It] was able to download the PC software bundle that originally came with the inverters. But in order to access all features, a password was required that could only be obtained by registering the unit with the manufacturer. That wasn’t going to happen, so [Buy It Fix It] fired up dnSpy, a decompiler and debugger for .NET programs. After a bit of searching he found the section that checked the password, and by simply copying that section into a new program he was able to make his own key generator.

With the service password now available, [Buy It Fix It] was able to set the inverter to the correct voltage setting and hook it up to his solar panels. Interestingly, the program code also had references to “PONG”, “Tetris” and “tiramisu” at various places; these turned out to be Easter eggs in the code, containing simple versions of those two games as well as a photo of the Italian dessert.

Inside the software archive was also another program that enabled the programming of low-level functions within the inverter, things that few users would ever need to touch. This program was not written in .NET but in C or something similar, so it required x32dbg to step through the native machine code. Again, this program was password-protected, but the master password was simply hard-coded in the binary as the plaintext string “91951” — the last five digits of the manufacturer’s old phone number.

The inverter was not actually working when [Buy It Fix It] first got it, and his repair video (also embedded below) is also well worth watching if you’re into power electronics repair. Hacking solar inverters to enable more features is often possible, but of course it’s much easier if the entire design is open source.


An LCD mounted inside a Roland synthesizer

Reverse-Engineering A Display Protocol To Repair A Roland Synthesizer

Repairing electronic devices isn’t as hard as it used to be. Thanks to the internet, it’s easy to find datasheets and application notes for any standard component inside your gadget, and once you’ve found the faulty one, you simply buy a replacement from one of a million web shops — assuming you don’t end up with a fake, of course. When it comes to non-standard components, however, things get more difficult, as [dpeddi] found out when a friend asked him for help in repairing a Roland Juno-G synthesizer with a broken display.

The main issue here was the fact that the display in question was a custom design, with no replacement or documentation available. The only thing [dpeddi] could figure out from the service manual was the basic pinout, which showed a parallel interface with two lines labelled “chip select” — an indication that the display contained two separate controllers. But the exact protocol and data format were not documented, so [dpeddi] brought out his logic analyzer to try and decode the signals generated by the synthesizer.

After a bit of trial and error, he was able to figure out the protocol: it looked like the display contained two KS0713-type LCD controllers, each controlling one half of the screen. Finding a compatible replacement was still proving difficult, so [dpeddi] decided instead to decode the original signals using a microcontroller and show the picture on a modern LCD driven by SPI. After some initial experiments with an ESP32, it turned out that the task of reading two reasonably fast parallel buses and driving an even faster serial one was a bit too much for the ESP, so [dpeddi] upgraded to a Raspberry Pi Pico. This worked a treat, and thanks to a 3D-printed mounting bracket, the new display also fit snugly inside the Roland’s case.
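The software half of that job, turning sampled bus writes into a framebuffer that can be pushed to a new panel, is shown below as an added example; it is not [dpeddi]’s Pico code. It assumes the KS0713/ST7565-style command set (page address `0xB0|p`, column address high nibble `0x10|h` and low nibble `0x00|l`, data bytes with A0 high auto-incrementing the column) and a 132-column, 9-page RAM per controller; both are assumptions here, not taken from the writeup. The “capture” it replays is constructed, not a real logic-analyzer trace, and the two chip selects are treated as active-low.

```python
"""
Added example, not [dpeddi]'s code. Replays sampled (CS1#, CS2#, A0, D0-7)
writes from a two-controller parallel LCD bus into a framebuffer.
Assumed command encoding (KS0713/ST7565 family):
  A0=0, 0xB0|p -> set page address p (8 pixel rows per page)
  A0=0, 0x10|h -> set column address, high nibble
  A0=0, 0x00|l -> set column address, low nibble
  A0=1, byte   -> write one column of 8 pixels (bit 0 = top row), column auto-increments
Other commands (display on/off, contrast, ...) are ignored.
"""
from dataclasses import dataclass, field

COLS, PAGES = 132, 9  # assumed RAM geometry per controller


@dataclass
class KS0713:
    page: int = 0
    col: int = 0
    vram: list = field(default_factory=lambda: [[0] * COLS for _ in range(PAGES)])

    def write(self, a0: int, data: int) -> None:
        data &= 0xFF
        if a0 == 0:  # command byte
            hi = data & 0xF0
            if hi == 0xB0:
                self.page = data & 0x0F
            elif hi == 0x10:
                self.col = (self.col & 0x0F) | ((data & 0x0F) << 4)
            elif hi == 0x00:
                self.col = (self.col & 0xF0) | (data & 0x0F)
            # any other command: not modelled, ignored
        else:  # display data byte
            if self.page < PAGES and self.col < COLS:
                self.vram[self.page][self.col] = data
            if self.col < COLS:  # auto-increment, stops at end of line (assumption: no wrap)
                self.col += 1


class DualDisplay:
    """Two controllers sharing data and A0 lines, each with its own active-low chip select."""

    def __init__(self) -> None:
        self.left, self.right = KS0713(), KS0713()

    def sample(self, cs1_n: int, cs2_n: int, a0: int, data: int) -> None:
        if cs1_n == 0:
            self.left.write(a0, data)
        if cs2_n == 0:
            self.right.write(a0, data)

    def pixel(self, x: int, y: int) -> int:
        ctrl, col = (self.left, x) if x < COLS else (self.right, x - COLS)
        return (ctrl.vram[y // 8][col] >> (y % 8)) & 1

    def render(self, width: int = 2 * COLS, height: int = 64):
        """ASCII dump of the combined frame, one string per pixel row."""
        return ["".join("#" if self.pixel(x, y) else "." for x in range(width)) for y in range(height)]


def replay(samples) -> DualDisplay:
    disp = DualDisplay()
    for cs1_n, cs2_n, a0, data in samples:
        disp.sample(cs1_n, cs2_n, a0, data)
    return disp


# Constructed capture: a 4x4 block at column 5, rows 0-3 on the left controller
# (page 0, data 0x0F) and one pixel at row 9, column 2 of the right controller
# (page 1, data 0x02).
CAPTURE = [
    (0, 1, 0, 0xB0), (0, 1, 0, 0x10), (0, 1, 0, 0x05),
    (0, 1, 1, 0x0F), (0, 1, 1, 0x0F), (0, 1, 1, 0x0F), (0, 1, 1, 0x0F),
    (1, 0, 0, 0xB1), (1, 0, 0, 0x10), (1, 0, 0, 0x02),
    (1, 0, 1, 0x02),
]

if __name__ == "__main__":
    for row in replay(CAPTURE).render(width=140, height=12):
        print(row)
```

On real hardware the `sample()` calls would come from a PIO or GPIO-sampling loop triggered on the chip-select and write-strobe edges; the decoder itself stays the same, and the `vram` arrays are what gets pushed over SPI to the replacement panel.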

The Pico’s code is available on [dpeddi]’s GitHub page, so if you’ve also got a dodgy display in your Juno-G you can simply download it and use it to plug in a brand-new display. However, the method of reverse-engineering an existing display protocol and translating it to that of a new one is pretty universal and should come in handy when working with any type of electronic device: say, a vintage calculator or multimeter, or even another synthesizer.

Fixing A 30-year Old Roland Bug

The Roland CM-500 is a digital synthesizer sound module released in 1991 that combines two incredibly powerful engines into one unit. However, in 2005 enthusiasts of the Roland MT-32 (one of the engines that went into the CM-500) noticed a difference between the vibrato rate on the MT-32 and the CM-500, rendering it less useful, as MIDI files would now need to be adjusted before they sounded correct. Now, thirty-something years later, there is a fix, through the efforts of [Sergey Mikayev] and a fantastic writeup by [Cloudschatze].

They reached out to Roland Japan, who decided that since the device’s lifecycle had ended, no investigation was warranted. That led the community to start comparing the differences between the two systems. One noticeable difference was the change from an Intel 8098 to an 80C198. In theory the latter is a superset of the former, but there are a few differences. First, the 80C198 divides the crystal frequency by two where the 8098 divided it by three, so the internal state clock, and with it the period of the LFO, changes even if the crystal stays the same. Swapping the 12 MHz crystal for an 8 MHz one restores the original state clock and gives the LFO the correct period, but it breaks the timing of the MIDI port, whose baud rate is derived from the same clock. That, however, is just a matter of setting the serial baud rate divisor, which requires changing a few bytes in the ROM.
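Putting numbers on that argument makes the trade-off visible; the following is an added example and not from the forum writeup. It assumes the state-clock dividers just described (3 for the 8098, 2 for the 80C198), a UART of the generic MCS-96 form `baud = f_xtal / (K * (B + 1))` with `B` the byte-sized divisor stored in the ROM, and takes `K = 16` for the 80C198 purely for illustration; the real constants must be checked against the datasheet and the disassembled ROM before patching anything.

```python
"""
Added example, not from the writeup. Works through the crystal-swap arithmetic.
Assumptions (not datasheet quotes): 8098 state clock = f_xtal/3, 80C198 state
clock = f_xtal/2, async UART baud = f_xtal / (K * (B + 1)) with B in 0..255,
K taken as 16 for the 80C198. MIDI is 31250 baud.
"""
MIDI_BAUD = 31250
MHZ = 1_000_000


def state_clock(f_xtal: float, divider: int) -> float:
    return f_xtal / divider


def uart_baud(f_xtal: float, k: int, b: int) -> float:
    return f_xtal / (k * (b + 1))


def divisor_for(f_xtal: float, k: int, target: float) -> int:
    """Nearest byte-sized divisor for a target baud; the caller checks the residual error."""
    b = round(f_xtal / (k * target)) - 1
    if not 0 <= b <= 255:
        raise ValueError(f"{target} baud unreachable from {f_xtal} Hz with K={k}")
    return b


def baud_error_pct(f_xtal: float, k: int, b: int, target: float = MIDI_BAUD) -> float:
    return 100.0 * (uart_baud(f_xtal, k, b) - target) / target


def crystal_swap_plan(old_xtal: float = 12 * MHZ, new_xtal: float = 8 * MHZ, k: int = 16) -> dict:
    """What changes when the 80C198 board's crystal is swapped and the ROM divisor is (or isn't) patched."""
    shipped_b = divisor_for(old_xtal, k, MIDI_BAUD)   # divisor the shipped ROM needs at 12 MHz
    patched_b = divisor_for(new_xtal, k, MIDI_BAUD)   # divisor the patched ROM needs at 8 MHz
    return {
        "lfo_clock_8098_12mhz": state_clock(12 * MHZ, 3),     # the MT-32-era reference
        "lfo_clock_80c198_12mhz": state_clock(old_xtal, 2),   # why the vibrato was off
        "lfo_clock_80c198_new": state_clock(new_xtal, 2),     # after the crystal swap
        "shipped_divisor": shipped_b,
        "midi_error_after_swap_pct": baud_error_pct(new_xtal, k, shipped_b),
        "patched_divisor": patched_b,
        "midi_error_after_patch_pct": baud_error_pct(new_xtal, k, patched_b),
    }


if __name__ == "__main__":
    for key, value in crystal_swap_plan().items():
        print(f"{key:28} {value}")
```

With these assumptions the swap brings the state clock back to the 8098’s 4 MHz, but the unpatched divisor leaves MIDI running a third slow; only after recomputing `B` for the new crystal does the error return to zero. If the residual error for a given crystal is not zero, MIDI receivers tolerate only a small percentage, so check it before committing to a crystal value.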

Desolder the ROM chip and replace it with a socket so you can slot in a newly flashed PDIP-28 64Kx8 ROM. Then swap the crystal, and you’ll have a machine that matches the MT-32 perfectly. The forum post has comparison audio files for your enjoyment. Finally, if you’re curious about other fixes requiring an inspiring amount of effort and dedication, here’s a game installer that was brought back from the dead by a determined hacker.

Screenshot of the PS4 screen, showing a "Waiting to receive disc image file..." notification on the left, and a Windows command-line window with nc running on the right, sending an .iso file to some IP address, presumably the PS4

Subverting PS4 And PS5 Through The PS2 Emulator

Game console hacking remains a fascinating area, and we’re glad when someone brings back the spoils of exploration for us to marvel at. This time we’re looking at the [mast1c0re] hack story by [cturt], an effort to find bugs in the PS2 emulation layer present on the Sony PlayStation 4 and 5 consoles, which proved fruitful in the end. What’s more, this exploit seems unpatchable: not technically, but under Sony’s security practices the emulator falls into the category of things they refuse to patch even when the bugs are identified.

In this story we’re taken on a journey through the PS2 emulator internals, going through known-exploitable PS2 games and learning about a prospective entry point. Circling around it, collecting primitives and gadgets and bypassing ASLR on the way, the emulator is eventually escaped, with a trove of insights shared along the way. As a demonstration, [cturt] successfully loaded a different PS2 game from outside the PS2 emulator, transferring it to the PS4 over WiFi!

An EMMC Gives Up Its Secrets

An increasing phenomenon in the years since mobile phones morphed from simple telephones into general-purpose pocket computers is that of the dead device taking some treasured digital resource with it. In most cases the device itself has died, but that doesn’t necessarily mean the data has gone with it. Inside the device will be an eMMC flash chip, and if that can be read then the data is safe. This applies to some single-board computers too, and thus [Jeffmakes]’ adventures in recovering an eMMC from a dead Raspberry Pi CM4 are particularly interesting.

The whole thing relies on the eMMC speaking a protocol closely related to that of an SD card, so while it comes in a multi-pin BGA package it can be addressed with surprisingly few wires: clock, command, a single data line, power and ground are enough for a 1-bit-wide read. Using the PCB from another dead CM4 he traced the relevant connections from eMMC to SoC pads, and was thus able, with some very fine soldering, to construct an interface for an SD card reader. The disk could then be imaged in its entirety.
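Once the image exists (for instance via `dd` or `ddrescue` through the SD reader), the first two things a practitioner wants are a hash of the file and a check that the partition table actually points inside it, since a partition running past the end of the file means the dump stopped early or the wiring dropped out. The following is an added example, not [Jeffmakes]’ work: it parses a classic MBR, flags truncated partitions and a protective (GPT) MBR, and runs against a constructed sample image.

```python
"""
Added example, not from the post. Sanity-checks a raw eMMC/SD image:
hashes it, parses the classic MBR partition table, and reports partitions
that run past the end of the dump (an incomplete image). A protective MBR
(type 0xEE) is reported as such; GPT parsing is out of scope here.
SAMPLE_IMAGE is constructed for this example.
"""
import hashlib
import struct

SECTOR = 512


def image_sha256(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()


def parse_mbr(image: bytes):
    """Return the non-empty entries of the four-slot MBR table as dicts."""
    if len(image) < SECTOR or image[510:512] != b"\x55\xAA":
        raise ValueError("no MBR boot signature: not a classic MBR image, or the dump does not start at LBA 0")
    parts = []
    for i in range(4):
        entry = image[446 + 16 * i: 446 + 16 * (i + 1)]
        boot_flag, ptype = entry[0], entry[4]
        lba_start, sectors = struct.unpack_from("<II", entry, 8)  # CHS fields ignored
        if ptype == 0:
            continue
        parts.append({"index": i + 1, "bootable": boot_flag == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": sectors})
    return parts


def check_dump(image: bytes):
    """(index, type, status) per partition; 'truncated' means the image is shorter than the table claims."""
    total = len(image) // SECTOR
    report = []
    for p in parse_mbr(image):
        end = p["lba_start"] + p["sectors"]
        if p["type"] == 0xEE:
            status = "protective MBR: parse the GPT header at LBA 1 instead"
        elif end <= total:
            status = "ok"
        else:
            status = f"truncated: needs {end} sectors, dump has {total}"
        report.append((p["index"], p["type"], status))
    return report


def make_mbr_entry(boot: int, ptype: int, lba_start: int, sectors: int) -> bytes:
    return bytes([boot, 0, 0, 0, ptype, 0, 0, 0]) + struct.pack("<II", lba_start, sectors)


def build_sample_image(total_sectors: int = 2048) -> bytes:
    """Constructed 1 MiB image: a FAT32 boot partition that fits and a Linux one that does not."""
    mbr = bytearray(SECTOR)
    mbr[446:462] = make_mbr_entry(0x80, 0x0C, 64, 1024)
    mbr[462:478] = make_mbr_entry(0x00, 0x83, 1088, 2048)
    mbr[510:512] = b"\x55\xAA"
    return bytes(mbr) + bytes(SECTOR * (total_sectors - 1))


SAMPLE_IMAGE = build_sample_image()

if __name__ == "__main__":
    print("sha256", image_sha256(SAMPLE_IMAGE))
    for index, ptype, status in check_dump(SAMPLE_IMAGE):
        print(f"partition {index} type 0x{ptype:02x}: {status}")
```

Record the hash before doing anything else with the image, and work on copies; a second dump that hashes identically is the cheapest evidence that the improvised wiring read the chip cleanly.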

This work will be of huge use to experimenters who’ve fried their Compute Modules, but of course the information it contains will also be of use to retrieve those photos from the phone that fell in the bath. It’s not the first time we’ve taken a look at someone’s efforts in this area.

Did You See A John Deere Tractor Cracked At DEF CON?

The Internet, or at least our corner of it,  has been abuzz over the last few days with the news of a DEF CON talk by [Sick.Codes] in which he demonstrated the jailbreaking of the console computer from a John Deere tractor. Sadly we are left to wait the lengthy time until the talk is made public, and for now the most substantive information we have comes from a couple of Tweets. The first comes from [Sick.Codes] himself and shows a game of DOOM with a suitably agricultural theme, while the second is by [Kyle Wiens] and reveals the tractor underpinnings relying on outdated and un-patched operating systems.

You might ask why this is important and more than just another “Will it run DOOM” moment. The answer will probably be clear to long-term readers, and is that Deere have become the poster child for improper use of DRM to lock owners into their servicing and deny farmers the right to repair. Thus any breaches in their armor are of great interest, because they have the potential to free farmers world-wide from this unjust situation. As we’ve reported before, the efforts to circumvent this have relied on cracked versions of the programming software, so this potential jailbreak of the tractor itself could represent a new avenue.

As far as we’re aware, this has so far taken place on the console modules in the lab and not in the field on a real tractor. So we’re unsure as to whether the door has been opened into the tractor’s brain, or merely into its interface. But the knowledge of which outdated software can be found on the devices will we hope lead further to what known vulnerabilities may be present, and in turn to greater insights into the machinery.

Were you in the audience at DEF CON for this talk? We’d be curious to know more. Meanwhile the Tweet is embedded below the break, for a little bit of agricultural DOOM action.


Air Filter DRM? Hacker Opts Out With NFC Sticker

[Flamingo-tech]’s Xiaomi air purifier has a neat safety feature: it will refuse to run if a filter needs replacement. Of course, by “neat” we mean “annoying”. Especially when the purifier sure seems to judge a filter to be useless much earlier than it should. Is your environment relatively clean, and the filter still has legs? Are you using a secondary pre-filter to extend the actual filter’s life? Tough! Time’s up. Not only is this inefficient, but it’s wasteful.

Every Xiaomi filter contains an NTAG213 NFC tag with a unique ID and uses a unique password for communications, but how this password was generated (and therefore how to generate new ones) was not known. This meant that compatible tags recognized by the purifier could not be created. Until now, that is. [Flamingo-tech] has shared the discovery of how Xiaomi generates the password for communication between filter and purifier.

A small NFC sticker is now all it takes to have the purifier recognize a filter as new.

[Flamingo-tech] has long been a proponent of fooling Xiaomi purifiers into acting differently. In the past, this meant installing a modchip to hijack the DRM process. That’s a classic method of getting around nonsense DRM on things like label printers and dishwashers, but in this case, reverse-engineering efforts paid off.

It’s now possible to create simple NFC stickers that play by all the right rules. Is a filter’s time up according to the NFC sticker, but it’s clearly still good? Just peel that NFC sticker off and slap on a new one, and as far as the purifier is concerned, it’s a new filter!
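The structural weakness behind this is worth seeing end to end: an NTAG213’s password is only 32 bits, so the purifier cannot ask the user for it; it has to derive the password from something it can read freely, namely the tag’s UID, using a key that lives in the purifier’s own firmware. The following is an added example and neither [Flamingo-tech]’s code nor Xiaomi’s real derivation. It models the NTAG213 password feature (PWD_AUTH, 4-byte PWD, 2-byte PACK, the AUTHLIM brute-force counter) with a stand-in HMAC derivation and a hypothetical reader key, and shows why a freshly programmed sticker with any UID is indistinguishable from a genuine filter once the derivation is known.

```python
"""
Added example, not [Flamingo-tech]'s code and not Xiaomi's scheme. Models the
NTAG213 password mechanism and a reader that derives each tag's PWD/PACK from
its UID with a key embedded in the reader firmware. derive_pwd_pack() is a
stand-in HMAC chosen for illustration; READER_KEY is hypothetical.
"""
import hashlib
import hmac


class NTAG213:
    """Just enough of the tag's password logic for the exchange below."""

    def __init__(self, uid: bytes, pwd: bytes, pack: bytes, authlim: int = 0):
        assert len(uid) == 7 and len(pwd) == 4 and len(pack) == 2
        self.uid, self.pwd, self.pack = uid, pwd, pack
        self.authlim = authlim & 0x07   # ACCESS.AUTHLIM: 0 = unlimited failed attempts
        self.fail_count = 0             # persisted in EEPROM on the real chip
        self.authenticated = False

    def pwd_auth(self, pwd: bytes):
        """PWD_AUTH (0x1B): returns the 2-byte PACK on success, None for a NAK."""
        if self.authlim and self.fail_count >= self.authlim:
            return None                 # limit reached: the tag stays locked for good
        if hmac.compare_digest(pwd, self.pwd):
            self.authenticated = True
            self.fail_count = 0
            return self.pack
        self.fail_count += 1
        return None


READER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # hypothetical, stands in for the firmware secret


def derive_pwd_pack(uid: bytes, key: bytes = READER_KEY):
    """Hypothetical UID -> (PWD, PACK); the real derivation is whatever the firmware does."""
    mac = hmac.new(key, uid, hashlib.sha256).digest()
    return mac[:4], mac[4:6]


def purifier_accepts(tag: NTAG213) -> bool:
    """Reader side: read the UID, derive, authenticate, and check the PACK the tag returns."""
    pwd, pack = derive_pwd_pack(tag.uid)
    got = tag.pwd_auth(pwd)
    return got is not None and hmac.compare_digest(got, pack)


def program_tag(uid: bytes) -> NTAG213:
    """Write PWD/PACK the reader's way. A factory filter tag and a replacement sticker
    are produced identically; nothing in the protocol distinguishes them."""
    pwd, pack = derive_pwd_pack(uid)
    return NTAG213(uid, pwd, pack)


if __name__ == "__main__":
    genuine = program_tag(bytes.fromhex("04a1b2c3d4e5f6"))   # NXP UIDs start with 0x04
    sticker = program_tag(bytes.fromhex("04ffeeddccbbaa"))   # fresh blank tag, new UID
    print("genuine accepted:", purifier_accepts(genuine))
    print("sticker accepted:", purifier_accepts(sticker))
```

The AUTHLIM counter is why guessing does not work in the field: with the limit enabled, a handful of wrong PWD_AUTH attempts locks the tag permanently, so recovering the derivation from the firmware, as [Flamingo-tech] did, is the practical route rather than brute force.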

If you’re interested in the reverse-engineering journey, there’s a GitHub repository with all the data. And for those interested in purchasing compatible NFC stickers, [Flamingo-tech] has some available for sale.