Fixing A 30-year Old Roland Bug

The Roland CM-500 is a digital synthesizer sound module released in 1991 that combines two incredibly powerful engines into one unit. However, in 2005 enthusiasts of the Roland MT-25 (one of the engines that went into the CM-500) noticed a difference between the vibrato rate on the MT-25 and the CM-500, rendering it less useful, as MIDI files now needed to be adjusted before they sounded correct. Thirty-something years later, there is a fix through the efforts of [Sergey Mikayev] and a fantastic writeup by [Cloudschatze].

They reached out to Roland Japan, who decided that since the device’s lifecycle had ended, no investigation was warranted. That led the community to start comparing the differences between the two systems. One noticeable difference was the change from an Intel 8098 to an 80C198. In theory, the latter is a superset of the former, but there are a few differences. First, the crystal frequency is divided by three rather than two, which means the period of the LFO would change even if the crystal stayed the same. Changing the 12 MHz crystal out for 8 MHz gave the LFO the correct period, but it broke the timings on the MIDI connection. However, this is just setting the serial baud rate divisor, which requires changing a few bytes.

After a quick desoldering, replace the ROM chip with a socket so you can slot in your newly flashed PDIP-28 64k×8 ROM. Then swap the crystal, and you’ll have a machine that matches the MT-25 perfectly. The forum post has comparison audio files for your enjoyment. Finally, if you’re curious about other fixes requiring an inspiring amount of effort and dedication, here’s a game installer that was brought back from the dead by a determined hacker.

Screenshot of the PS4 screen, showing a "Waiting to receive disc image file..." notification on the left, and a Windows commandline window with nc running on the right, sending an .iso file to some IP address - presumably the PS4

Subverting PS4 And PS5 Through The PS2 Emulator

Game console hacking remains a fascinating area, and we’re glad when someone brings the spoils of exploration for us to marvel at. This time, we’re looking at the [mast1c0re] hack story by [cturt] – an effort to find bugs in the PS2 emulation toolkit present on Sony PlayStation 4 and 5 consoles, which proved fruitful in the end. What’s more, this exploit seems unpatchable – not technically, but under Sony’s security practices this emulator falls under the category of things they refuse to patch when identified.

In this story, we’re taken on a journey through the PS2 emulator internals, going through known-exploitable PS2 games and learning about a prospective entry point. Circling around it, collecting primitives and gadgets, and bypassing ASLR along the way, [cturt] eventually escapes the emulator, sharing a trove of insights along the way. As a demonstration, [cturt] successfully loaded a different PS2 game from outside the PS2 emulator, transferring it to the PS4 over WiFi!

An EMMC Gives Up Its Secrets

An increasing phenomenon over the years since mobile phones morphed from simple telephones into general purpose pocket computers has been that of the dead device taking with it some treasured digital resource. In most cases this means the device has died, but it doesn’t necessarily mean that the data has completely gone. Inside the device will be an eMMC flash chip, and if that can be read then the data is safe. This applies to some single board computers too, and thus [Jeffmakes]’ adventures in recovering an eMMC from a dead Raspberry Pi CM4 are particularly interesting.

The whole thing relies on the eMMC presenting the same interface as an SD card, so while it comes in a multi-pin BGA package it can be addressed with surprisingly few wires. Using the PCB from another dead CM4, he traced the relevant connections from eMMC to SoC pads, and was thus able, with some very fine soldering, to construct an interface for an SD card reader. The disk could then be imaged in its entirety.

This work will be of huge use to experimenters who’ve fried their Compute Modules, but of course the information it contains will also be of use to retrieve those photos from the phone that fell in the bath. It’s not the first time we’ve taken a look at someone’s efforts in this area.

Did You See A John Deere Tractor Cracked At DEF CON?

The Internet, or at least our corner of it, has been abuzz over the last few days with the news of a DEF CON talk by [Sick.Codes] in which he demonstrated the jailbreaking of the console computer from a John Deere tractor. Sadly we are left waiting until the talk is made public, and for now the most substantive information we have comes from a couple of Tweets. The first comes from [Sick.Codes] himself and shows a game of DOOM with a suitably agricultural theme, while the second is by [Kyle Wiens] and reveals the tractor underpinnings relying on outdated and unpatched operating systems.

You might ask why this is important and more than just another “Will it run DOOM” moment. The answer will probably be clear to long-term readers, and is that Deere have become the poster child for improper use of DRM to lock owners into their servicing and deny farmers the right to repair. Thus any breaches in their armor are of great interest, because they have the potential to free farmers world-wide from this unjust situation. As we’ve reported before, the efforts to circumvent this have relied on cracked versions of the programming software, so this potential jailbreak of the tractor itself could represent a new avenue.

As far as we’re aware, this has so far taken place on the console modules in the lab and not in the field on a real tractor. So we’re unsure as to whether the door has been opened into the tractor’s brain, or merely into its interface. But the knowledge of which outdated software can be found on the devices will, we hope, lead further to what known vulnerabilities may be present, and in turn to greater insights into the machinery.

Were you in the audience at DEF CON for this talk? We’d be curious to know more. Meanwhile the Tweet is embedded below the break, for a little bit of agricultural DOOM action.


Air Filter DRM? Hacker Opts Out With NFC Sticker

[Flamingo-tech]’s Xiaomi air purifier has a neat safety feature: it will refuse to run if a filter needs replacement. Of course, by “neat” we mean “annoying”. Especially when the purifier sure seems to judge a filter to be useless much earlier than it should. Is your environment relatively clean, and the filter still has legs? Are you using a secondary pre-filter to extend the actual filter’s life? Tough! Time’s up. Not only is this inefficient, but it’s wasteful.

Every Xiaomi filter contains an NTAG213 NFC tag with a unique ID and uses a unique password for communications, but how this password was generated (and therefore how to generate new ones) was not known. This meant that compatible tags recognized by the purifier could not be created. Until now, that is. [Flamingo-tech] has shared the discovery of how Xiaomi generates the password for communication between filter and purifier.

A small NFC sticker is now all it takes to have the purifier recognize a filter as new.

[Flamingo-tech] has long been a proponent of fooling Xiaomi purifiers into acting differently. In the past, this meant installing a modchip to hijack the DRM process. That’s a classic method of getting around nonsense DRM on things like label printers and dishwashers, but in this case, reverse-engineering efforts paid off.

It’s now possible to create simple NFC stickers that play by all the right rules. Is a filter’s time up according to the NFC sticker, but it’s clearly still good? Just peel that NFC sticker off and slap on a new one, and as far as the purifier is concerned, it’s a new filter!

If you’re interested in the reverse-engineering journey, there’s a GitHub repository with all the data. And for those interested in purchasing compatible NFC stickers, [Flamingo-tech] has some available for sale.

A Deeper Dive Into Reverse Engineering With A CT Scanner

We recently got a look at how [Ken Shirriff] used an industrial CT scanner as a reverse engineering tool. The results were spectacular, with pictures that clearly showed the internal arrangement of parts that haven’t seen the light of day since the module was potted back in the 60s. And now, [Ken]’s cohort [Curious Marc] has dropped a video with more detail on the wonderful machine, plus deep dives into more Apollo-era hardware.

If you liked seeing the stills [Ken] used to reverse engineer the obscure flip-flop module, you’re going to love seeing [Marc] using the Lumafield scanner’s 3D software to non-destructively examine several Apollo artifacts. First to enter the sample chamber of the CT scanner was a sealed module called the Central Timing Equipment, which served as the master clock for the Apollo Command Module. The box’s magnesium case proved to be no barrier to the CT scanner’s beam, and the 3D model that was built up from a series of 2D images was astonishingly detailed. The best part about the virtual models is the ability to slice through them in any plane — [Marc] used this feature to hunt down the clock’s quartz crystal.

CT Scans Help Reverse Engineer Mystery Module

The degree to which computed tomography has been a boon to medical science is hard to overstate. CT scans give doctors a look inside the body that gives far more information about the spatial relationship of structures than a plain X-ray can. And as it turns out, CT scans are pretty handy for reverse engineering mystery electronic modules, too.

The fact that the mystery module in question is from Apollo-era test hardware leaves little room for surprise that [Ken Shirriff] is the person behind this fascinating little project. You’ll recall that [Ken] recently radiographically reverse engineered a pluggable module of unknown nature, using plain X-ray images taken at different angles to determine that the undocumented Motorola module was stuffed full of discrete components that formed part of a square wave to sine wave converter.

The module for this project, a flip-flop from Motorola and in the same form factor, went into an industrial CT scanner from an outfit called Lumafield, where X-rays were taken from multiple angles. The images were reassembled into a three-dimensional view by the scanner’s software, which gave a stunningly clear view of the components embedded within the module’s epoxy body. The cordwood construction method is obvious, and it’s pretty easy to tell what each component is. The transistors are obvious, as are the capacitors and diodes. The resistors were a little more subtle, though — careful examination revealed that some are carbon composition, while others are carbon film. It’s even possible to pick out which diodes are Zeners.

The CT scan data, along with some more traditional probing for component values, let [Ken] reverse engineer the whole circuit, which turned out to be a little different than a regular J-K flip-flop. Getting a non-destructive look inside feels a little like sitting alongside the engineers who originally built these things, which is pretty cool.