Reverse Engineering

205 Articles

A Deeper Dive Into Reverse Engineering With A CT Scanner

August 10, 2022 by 6 Comments

We’ve recently got a look at how [Ken Shirriff] used an industrial CT scanner as a reverse engineering tool. The results were spectacular, with pictures that clearly showed the internal arrangement of parts that haven’t seen the light of day since the module was potted back in the 60s. And now, [Ken]’s cohort [Curious Marc] has dropped a video with more detail on the wonderful machine, plus deep dives into more Apollo-era hardware

If you liked seeing the stills [Ken] used to reverse engineer the obscure flip-flop module, you’re going to love seeing [Marc] using the Lumafield scanner’s 3D software to non-destructively examine several Apollo artifacts. First to enter the sample chamber of the CT scanner was a sealed module called the Central Timing Equipment, which served as the master clock for the Apollo Command Module. The box’s magnesium case proved to be no barrier to the CT scanner’s beam, and the 3D model that was built up from a series of 2D images was astonishingly detailed. The best part about the virtual models is the ability to slice through them in any plane — [Marc] used this feature to hunt down the clock’s quartz crystal. Continue reading “A Deeper Dive Into Reverse Engineering With A CT Scanner”

CT Scans Help Reverse Engineer Mystery Module

August 7, 2022 by 15 Comments

The degree to which computed tomography has been a boon to medical science is hard to overstate. CT scans give doctors a look inside the body that gives far more information about the spatial relationship of structures than a plain X-ray can. And as it turns out, CT scans are pretty handy for reverse engineering mystery electronic modules, too.

The fact that the mystery module in question is from Apollo-era test hardware leaves little room for surprise that [Ken Shirriff] is the person behind this fascinating little project. You’ll recall that [Ken] recently radiographically reverse engineered a pluggable module of unknown nature, using plain X-ray images taken at different angles to determine that the undocumented Motorola module was stuffed full of discrete components that formed part of a square wave to sine wave converter.

The module for this project, a flip-flop from Motorola and in the same form factor, went into an industrial CT scanner from an outfit called Lumafield, where X-rays were taken from multiple angles. The images were reassembled into a three-dimensional view by the scanner’s software, which gave a stunningly clear view of the components embedded within the module’s epoxy body. The cordwood construction method is obvious, and it’s pretty easy to tell what each component is. The transistors are obvious, as are the capacitors and diodes. The resistors were a little more subtle, though — careful examination revealed that some are carbon composition, while others are carbon film. It’s even possible to pick out which diodes are Zeners.

The CT scan data, along with some more traditional probing for component values, let [Ken] reverse engineer the whole circuit, which turned out to be a little different than a regular J-K flip-flop. Getting a non-destructive look inside feels a little like sitting alongside the engineers who originally built these things, which is pretty cool.

Photo of the MCH2022 badge's screen, showing the "Hack me if you can" app's start splashscreen, saying "Service is accessible on IP ADDRESS : 1337"

MCH2022 Badge CTF Solved, With Plenty To Learn From

August 7, 2022 by 3 Comments

Among all the things you could find at MCH2022, there were a few CTFs (Capture The Flag exercises) – in particular, every badge contained an application that you could  try and break into – only two teams have cracked this one! [dojoe] was part of one of them, and he has composed an extensive reverse-engineering story for us – complete with Ghidra disassembly of Xtensa code, remote code execution attempts, ROP gadget creation, and no detail left aside.

There was a catch: badges handed out to the participants didn’t contain the actual flag. You had to develop an exploit using your personal badge that only contained a placeholder flag, then go to the badge tent and apply your exploit over the network to one of the few badges with the real flag on them. The app in question turned out to be an echo server – sending back everything it received; notably, certain messages made it crash. One man’s crashes are another man’s exploit possibilities, and after a few hacking sessions, [dojoe]’s team got their well-deserved place on the scoreboard.

If you always thought that firmware reverse-engineering sounds cool, and you also happen to own a MCH2022 badge, you should try and follow the intricately documented steps of [dojoe]’s writeup. Even for people with little low-level programming experience, repeating this hack is realistic thanks to his extensive explanations, and you will leave with way more reverse-engineering experience than you had before.

The MCH2022 badge is a featureful creation of intricate engineering, with the ESP32 portion only being part of the badge – we’re eager to hear about what you’ve accomplished or are about to accomplish given everything it has to offer!

A family of PixMob bracelets being coltrolled by an ESP32 with an IR transmitter attached to it. All the bracelets are shining a blue-ish color

PixMob Wristband Protocol Reverse-Engineering Groundwork

August 6, 2022 by 38 Comments

The idea behind the PixMob wristband is simple — at a concert, organizers hand these out to the concertgoers, and during the show, infrared projectors are used to transmit commands so they all light up in sync. Sometimes, attendees would be allowed to take these bracelets home after the event, and a few hackers have taken a shot at reusing them.

The protocol is proprietary, however, and we haven’t yet seen anyone reuse these wristbands without tearing them apart or reflashing the microcontroller. [Dani Weidman] tells us, how with [Zach Resmer], they have laid the groundwork for reverse-engineering the protocol of these wristbands.

Our pair of hackers started by obtaining a number of recordings from a helpful stranger online, and went onto replaying these IR recordings to their wristbands. Most of them caused no reaction – presumably, being configuration packets, but three of them caused the wristbands to flash in different colors. They translated these recordings into binary packets, and Dani went through different possible combinations, tweaking bits here and there, transmitting the packets and seeing which ones got accepted as valid. In the end, they had about 100 valid packets, and even figured out some protocol peculiarities like color animation bytes and motion sensitivity mode enable packets.

The GitHub repository provides some decent documentation and even a video, example code you can run on an Arduino with an IR transmitter, and even some packets you can send out with a  Flipper Zero. If you’re interested in learning more about the internals of this device, check out the teardown we featured back in 2019.

Books You Should Read: The Hardware Hacker’s Handbook

August 5, 2022 by 37 Comments

Here on Hackaday, we routinely cover wonderful informative writeups on different areas of hardware hacking, and we even have our own university with courses that delve into topics one by one. I’ve had my own fair share of materials I’ve learned theory and practical aspects from over the years I’ve been hacking – as it stands, for over thirteen years. When such materials weren’t available on any particular topic, I’d go through hundreds of forum pages trawling for details on a specific topic, or spend hours fighting with an intricacy that everyone else considered obvious.

Today, I’d like to highlight one of the most complete introductions to hardware hacking I’ve seen so far – from overall principles to technical details, spanning all levels of complexity, uniting theory and practice. This is The Hardware Hacking Handbook, by Jasper van Woudenberg and Colin O’Flynn. Across four hundred pages, you will find as complete of an introduction to subverting hardware as there is. None of the nuances are considered to be self-evident; instead, this book works to fill any gaps you might have, finding words to explain every relevant concept on levels from high to low.

Apart from the overall hardware hacking principles and examples, this book focuses on the areas of fault injection and power analysis – underappreciated areas of hardware security that you’d stand to learn, given that these two practices give you superpowers when it comes to taking control of hardware. It makes sense, since these areas are the focus of [Colin]’s and [Jasper]’s research, and they’re able to provide you something you wouldn’t learn elsewhere. You’d do well with a ChipWhisperer in hand if you wanted to repeat some of the things this book shows, but it’s not a requirement. For a start, the book’s theory of hardware hacking is something you would benefit from either way. Continue reading “Books You Should Read: The Hardware Hacker’s Handbook”

Photo of the head unit , with "Hacked by greenluigi1" in the center of the UI

Hacker Liberates Hyundai Head Unit, Writes Custom Apps

July 18, 2022 by 39 Comments

[greenluigi1] bought a Hyundai Ioniq car, and then, to our astonishment, absolutely demolished the Linux-based head unit firmware. By that, we mean that he bypassed all of the firmware update authentication mechanisms, reverse-engineered the firmware updates, and created subversive update files that gave him a root shell on his own unit. Then, he reverse-engineered the app framework running the dash and created his own app. Not just for show – after hooking into the APIs available to the dash and accessible through header files, he was able to monitor car state from his app, and even lock/unlock doors. In the end, the dash got completely conquered – and he even wrote a tutorial showing how anyone can compile their own apps for the Hyundai Ionic D-Audio 2V dash.

In this series of write-ups [greenluigi1] put together for us, he walks us through the entire hacking process — and they’re a real treat to read. He covers a wide variety of things: breaking encryption of .zip files, reprogramming efused MAC addresses on USB-Ethernet dongles, locating keys for encrypted firmware files, carefully placing backdoors into a Linux system, fighting cryptic C++ compilation errors and flag combinations while cross-compiling the software for the head unit, making plugins for proprietary undocumented frameworks; and many other reverse-engineering aspects that we will encounter when domesticating consumer hardware.

This marks a hacker’s victory over yet another computer in our life that we aren’t meant to modify, and a meticulously documented victory at that — helping each one of us fight back against “unmodifiable” gadgets like these. After reading these tutorials, you’ll leave with a good few new techniques under your belt. We’ve covered head units hacks like these before, for instance, for Subaru and Nissan, and each time it was a journey to behold.

Open Firmware For PinePhone LTE Modem – What’s Up With That?

July 12, 2022 by 30 Comments

In their monthly announcement, among all the cool things Pine64, they talked about the open firmware for PinePhone’s LTE modem. The firmware isn’t fully open – a few parts remain closed. And Pine emphasizes that they neither pre-install nor officially endorse this firmware, and PinePhones will keep shipping with the vendor-supplied modem firmware image instead.

That said, the new firmware is way more featureful – it has less bugs, more features, decreased power consumption, and its proprietary parts are few and far between. I’d like to note that, with a special build of this firmware, the PinePhone’s modem can run Doom – because, well, of course.

And with all that, it’s become way easier to install this firmware – there’s fwupd hooks now! You can think of fwupd as the equivalent of Windows Update for firmware, except not abusive, and aimed at Linux. A perfect fit for keeping your open-source devices as functional as they can be, in other words.

What’s the deal? If open firmware is that much cooler, why don’t more of our phones have open firmware options available? Continue reading “Open Firmware For PinePhone LTE Modem – What’s Up With That?”