Picture of a DualShock 4 controller PCB, with two joysticks on the sides

Challenging A Broken DualShock 4 Controller To A Duel

A broken PlayStation controller would normally be a bummer, and if the issue is losing calibration that’s stored in a non-documented format, you might as well bin it. For [Al] of [Al’s blog], however, it’s a challenge, turning into a four-part story – so far. The first installment was published January 1st this year, and seeing the pure enthusiasm [Al] has reverse-engineering the DualShock 4 controller, you might guess that this is a New Year’s gift from someone who knows [Al] very well. The list of problems with the joystick is numerous, to begin with – it’s easier to list all the things that work properly, and it isn’t many of them. Perhaps, the firmware problem is the most interesting one to start with.

PCB mounted on 3D-printed holder, debug pins attached to Pi Pico on a breadboard. The battery is in the background, disconnected

Reverse Engineering E-Ink Price Tags

E-ink displays are great, but working with them can still be a bit tricky if you aren’t an OEM. [Jasper Devreker] got his hands on three e-ink shelf displays to reverse engineer.

After cracking the tag open, [Devreker] found a CC2510 microcontroller running the show. While the spec sheet shows a debug mode, this particular device has been debug locked making reading the device’s code problematic. Undaunted, he removed the decoupling capacitor from the DCOUPL pin and placed a MOSFET between it and the ground pin to perform a voltage glitch attack.

A Pi Pico was used to operate the MOSFET over PIO with the chip overclocked to 250 MHz to increase the precision and duration of the glitch. After some testing, a successful glitch pathway was found, but with only a 5% success rate. With two successive glitches in a row needed to read out a byte from the device, the process is not a fast one. Data pulled so far has shown to be valid code when fed into Ghidra, and this project page is being updated as progress continues.

If you want to delve further into hacking e-ink price tags, check out this deep dive on the topic or this Universal E-paper Sniffer.

Reverse Engineering British Rail Tickets

There was a time when to take a British rail journey was to receive a ticket barely changed since Victorian times — a small cardboard rectangle printed with the destination through which the inspector on the train would punch a hole. In recent decades these were replaced by credit-card-sized thin card, and now increasingly with scannable 2D codes from an app. These caught the attention of [eta], and she set about reverse engineering their operation.

The codes themselves are Aztec barcodes, similar to a QR code but with a single central fiducial mark. At first glance they resemble the codes used by non-UK ticketing systems, but she soon found out that they don’t follow the same standard. There followed a lengthy but fascinating trail of investigation, involving app decompilation of a dodgy copy of the ticket inspector app to find public keys, and then some work with a more reputably sourced app from another ticketing company.

Along the way it revealed a surprising amount of traveler data that maybe shouldn’t be in the public domain, and raises the question as to why the ticketing standard remains proprietary. It’s well worth a read.

If you’d like more UK rail ticket hacking, it formed the subject of a talk at EMF 2022.

Dumping script window, showing the bytes being dumped one by one from the STM chip

Need To Dump A Protected STM32F0x? Use Your Pico!

Sometimes, security mechanisms can be bypassed if you just do things slightly out of the ordinary. For instance, readout protection on microcontrollers is a given nowadays, to the point where it’s intentionally enabled and relied upon as a major technical measure to protect intellectual property. The gist is — when you connect to a microcontroller over its debug interface and then ask to read its flash memory, it will politely refuse. However, [Racerxdl] shows us that in practice, it’s not flawless protection – for certain chips, you just need to be a little quicker than usual.

Usually, flashing and debugging software will chat with the microcontroller for a bit, and probe parameters before going for any direct requests. However, if you skip the courtesy and bluntly get to the point immediately right after power is applied to the microcontroller, you can intimidate it just enough to give you one byte of its memory before it refuses to cooperate further. Since that can be any byte you wish, you can read the entire flash — one byte at a time.

You need to power cycle the chip before you can progress, so the hardware does involve a bit more than just an SWD interface, and it will take a fair bit more time than reading out a non-protected chip the usual way; plus, of course, the debugging interface needs to be active for this in the first place, which isn’t always the case. However, it still beats paying a few thousand dollars for a factory in China to decap your chip and read it out using a fancy machine.

[Racerxdl] didn’t just write a proof-of-concept for this attack – they implemented it for one of our favourite chips, the RP2040. As such, you no longer need an unobtainium STM32 to dump an unobtainium STM32.

To be clear, [Racerxdl] didn’t design this attack — it’s been around for some time now. Credit for that goes to Johannes Obermaier. All in all, this is a wonderful reminder that seemingly reliable security mechanisms can be foiled by the simplest tricks. For instance, if your chip erases the flash when you unlock its protection, you can just tell it not to.

The ChipWhisperer adapter plugged into a ChipWhisperer, with the STM chip mentioned soldered on

ChipWhisperer Adapter Helps Reverse-Engineer A Controversial Game Cartridge

The ChipWhisperer has been a breakthrough in hobbyist use of power analysis and glitching attacks on embedded hardware. If you own one, you surely have seen the IDC and SMA sockets on it – usable for connecting custom breakouts housing a chip you’re currently probing. Today, [MAVProxyUser] brings us a ChipWhisperer adapter for STM32F446ZEJx, which comes in a UFBGA144 package – and the adapter has quite a backstory to it.

In the retro gaming world, a crowdfunding campaign for a game called PAPRIUM saw huge success, getting funded in 2017. However, the campaign has grossly underdelivered throughout the last five years, and out of those rare cartridges delivered to backers, quite a few have faulty hardware. Getting replacements isn’t realistic at this point, so repair attempts and game preservation efforts have been ongoing. Trouble is – there are protection mechanisms against dumping the cartridges, and one of them is the built-in flash read protection of the aforementioned STM32 found on the cartridge. This board adapts the chip to a ChipWhisperer interface for protection bypass exploration, and has quite a few configuration jumpers that anyone facing a similar chip is able to use – Eagle files are out there as well, in case your chip needs a slightly different approach.

With reverse-engineering underway, are we likely to see this cartridge’s defenses fall? Our assessment is ‘yes’ – it’s not like there’s a shortage of mechanisms for bypassing security; from modchips to EMP attacks to blasting the die with a laser, hardware-reliant security is, still, quite bypassable. All in all, despite the drama around the project, this is one more reference design for the ChipWhisperer, and a fun journey to look forward to.

A modchip described in the article - a small PCB with an epoxy blob on it, soldered to the Cisco switch PCB using four thin wires

Counterfeit Cisco Hardware Bypasses Security Checks With Modchips

Some pictures recently surfaced on social media, showing a small PCB tapped into four points on Cisco-branded boards. What is this about? An NSA backdoor so data can be exfiltrated to some third party? Well, that’s theoretically possible, but it’s actually used for bypassing hardware authenticity checks in Cisco hardware being cloned — a sizable industry. Of course, “can’t believe it’s not Cisco” hardware is only valuable insofar as it’s able to run the Cisco software, and that’s where the bodge boards play a major role.

An unidentified IC on a different counterfeit Cisco board, with markings soldered off

A 2020 report by F-Secure details an investigation, comparing three switches marked as Cisco 2960X – one known genuine and two known counterfeits. The counterfeits had the aforementioned implants either soldered to the bottom of the PCB or added to the board as a separate component, and the paper goes into why they’re important for successful counterfeiting.

Apparently, these chips emulate or bypass an I2C EEPROM containing part of the code executed during the boot sequence, and Cisco depends on this EEPROM’s contents for authenticity verification. Cisco software reads the EEPROM twice — once for verification, and once again for actually running it. The microcontroller included on the mod board can return a genuine binary with a valid signature on the first read, and a binary with hardware checks patched out for subsequent reads.
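The verify-once, read-again pattern above is a classic time-of-check/time-of-use bug. Here is an added illustration (not code from the report or from Cisco) with a constructed mock EEPROM that behaves like the modchip described, a constructed checksum standing in for the real signature check, and the vulnerable boot flow beside the hardened one that verifies and runs the same in-RAM copy.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for the boot-code EEPROM. A genuine part returns the
 * same image every time; the mock "modchip" returns the signed genuine image
 * on the first read and a patched image on every read after that. */
#define IMG_LEN 8
static const uint8_t GENUINE[IMG_LEN] = {1, 2, 3, 4, 5, 6, 7, 8};
static const uint8_t PATCHED[IMG_LEN] = {1, 2, 3, 4, 0xFF, 0xFF, 7, 8};

typedef struct { int reads; int modchip; } eeprom_t;

static void eeprom_read(eeprom_t *e, uint8_t *out) {
    const uint8_t *src = (e->modchip && e->reads > 0) ? PATCHED : GENUINE;
    memcpy(out, src, IMG_LEN);
    e->reads++;
}

/* Constructed 16-bit checksum standing in for the signature; a real
 * bootloader would verify an RSA/ECDSA signature over the image here. */
static uint16_t checksum(const uint8_t *b) {
    uint16_t s = 0;
    for (size_t i = 0; i < IMG_LEN; i++) s = (uint16_t)(s * 31 + b[i]);
    return s;
}
#define EXPECTED_SUM 0xE884u            /* checksum(GENUINE) */
static int signature_ok(const uint8_t *b) { return checksum(b) == EXPECTED_SUM; }

/* Vulnerable flow from the report: verify one read, then execute a second
 * read. Returns 1 if the image that would run is tampered, 0 if genuine,
 * -1 if the signature check refused to boot. */
int boot_double_read(eeprom_t *e) {
    uint8_t buf[IMG_LEN];
    eeprom_read(e, buf);
    if (!signature_ok(buf)) return -1;
    eeprom_read(e, buf);                /* TOCTOU: bus contents may differ now */
    return memcmp(buf, GENUINE, IMG_LEN) != 0;
}

/* Hardened flow: read once into RAM, verify that copy, run that same copy. */
int boot_single_read(eeprom_t *e) {
    uint8_t buf[IMG_LEN];
    eeprom_read(e, buf);
    if (!signature_ok(buf)) return -1;
    return memcmp(buf, GENUINE, IMG_LEN) != 0;
}
```

With the mock modchip present, `boot_double_read` ends up running the patched image while `boot_single_read` runs the verified one.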

The paper will tell you about way more than this — it’s thorough yet captivating. As you’d expect, it devotes quite a bit of time to comparing genuine and counterfeit boards, showing that the cloning process is pretty to-the-T, save for some part substitutions. For instance, check out the PDF page 12 to see how via locations are exactly copied between PCBs in a bizarre way, or the Cisco file format and authenticity check analysis closer to the end of the report. All in all, the 38 pages of the document make for a fun foray into what makes Cisco authentication mechanisms tick, and what helps clone hardware makers bypass them.

Are such chips ever used for adding backdoors and data exfiltration? There’s no evidence of that so far, though it can’t be excluded: bypassing anti-cloning protections would no doubt make other hijinks more viable, but only hardware authentication bypass measures have been found to date. The mechanism also breaks during software updates and, frankly, leaves something to be desired even at its stated purpose. That said, such insights can help us, say, enforce right-to-repair, enable hardware reuse, and thwart predatory business practices in areas where laws fail us.

The hack's author performing the operation described at his workdesk, with a separate camera window showing the acupuncture needles being used to touch the board points

Find SWD Points Quickly, No Extra Hardware Needed

Say you’re tinkering with a smart device powered by a CPU that uses Serial Wire Debug (SWD), but doesn’t mark the testpoints. Finding SWD on a board — how hard could it be? With [Aaron Christophel]’s method, you can find the SWD interface on a PCB within a few minutes’ time. All you need is two needles, a known-to-be-ground connection, an SWD dongle of some kind, and a computer with an audio output. What’s best — you could easily transfer the gist of this method to other programming interface types!

The idea is simple: you wire the ground up, connect the needles to SWDIO and SWCLK, launch [Aaron]’s Python script, then start poking around all the unnamed test points. The script runs JLink software to probe for SWD devices attached to the probes — if an SWD interface isn’t found, it beeps idly, but as soon as the device is detected, your computer will start beeping at you in a lively manner. In this way, you don’t have to re-scan devices manually, solder to any test points except the GND one, or try and hold both probes on test points with one hand – the scanning process itself is hands-free.

Depending on how many points your board has and whether you try to optimize the process by probing points closest to the SWD pins on the CPU, you might hit the jackpot immediately, or you might have to poke around for a minute or two. That said, [Aaron]’s method seems to be the best you can do while remaining relatively extra-hardware-free, and if you want to make it a touch more permanent, clothespins are there for you.

In case you don’t mind extra hardware – could we interest you in some 3D printed needle probe desks? There’s a wide variety of those, whether you’d like some tentacle-like ones, or ones that make your desk look like an acupuncture table. Or, say, would you like a more automatic method of finding all kinds of debug interfaces? Then JTAGulator might be what you’re looking for.