Photo of the MCH2022 badge's screen, showing the "Hack me if you can" app's start splashscreen, saying "Service is accessible on IP ADDRESS : 1337"

MCH2022 Badge CTF Solved, With Plenty To Learn From

August 7, 2022 by Arya Voronova 3 Comments

Among all the things you could find at MCH2022, there were a few CTFs (Capture The Flag exercises) – in particular, every badge contained an application that you could try and break into – only two teams have cracked this one! [dojoe] was part of one of them, and he has composed an extensive reverse-engineering story for us – complete with Ghidra disassembly of Xtensa code, remote code execution attempts, ROP gadget creation, and no detail left aside.

There was a catch: badges handed out to the participants didn’t contain the actual flag. You had to develop an exploit using your personal badge that only contained a placeholder flag, then go to the badge tent and apply your exploit over the network to one of the few badges with the real flag on them. The app in question turned out to be an echo server – sending back everything it received; notably, certain messages made it crash. One man’s crashes are another man’s exploit possibilities, and after a few hacking sessions, [dojoe]’s team got their well-deserved place on the scoreboard.

If you always thought that firmware reverse-engineering sounds cool, and you also happen to own a MCH2022 badge, you should try and follow the intricately documented steps of [dojoe]’s writeup. Even for people with little low-level programming experience, repeating this hack is realistic thanks to his extensive explanations, and you will leave with way more reverse-engineering experience than you had before.

The MCH2022 badge is a featureful creation of intricate engineering, with the ESP32 portion only being part of the badge – we’re eager to hear about what you’ve accomplished or are about to accomplish given everything it has to offer!

A family of PixMob bracelets being coltrolled by an ESP32 with an IR transmitter attached to it. All the bracelets are shining a blue-ish color

PixMob Wristband Protocol Reverse-Engineering Groundwork

August 6, 2022 by Arya Voronova 38 Comments

The idea behind the PixMob wristband is simple — at a concert, organizers hand these out to the concertgoers, and during the show, infrared projectors are used to transmit commands so they all light up in sync. Sometimes, attendees would be allowed to take these bracelets home after the event, and a few hackers have taken a shot at reusing them.

The protocol is proprietary, however, and we haven’t yet seen anyone reuse these wristbands without tearing them apart or reflashing the microcontroller. [Dani Weidman] tells us, how with [Zach Resmer], they have laid the groundwork for reverse-engineering the protocol of these wristbands.

Our pair of hackers started by obtaining a number of recordings from a helpful stranger online, and went onto replaying these IR recordings to their wristbands. Most of them caused no reaction – presumably, being configuration packets, but three of them caused the wristbands to flash in different colors. They translated these recordings into binary packets, and Dani went through different possible combinations, tweaking bits here and there, transmitting the packets and seeing which ones got accepted as valid. In the end, they had about 100 valid packets, and even figured out some protocol peculiarities like color animation bytes and motion sensitivity mode enable packets.

The GitHub repository provides some decent documentation and even a video, example code you can run on an Arduino with an IR transmitter, and even some packets you can send out with a Flipper Zero. If you’re interested in learning more about the internals of this device, check out the teardown we featured back in 2019.

Books You Should Read: The Hardware Hacker’s Handbook

August 5, 2022 by Arya Voronova 37 Comments

Here on Hackaday, we routinely cover wonderful informative writeups on different areas of hardware hacking, and we even have our own university with courses that delve into topics one by one. I’ve had my own fair share of materials I’ve learned theory and practical aspects from over the years I’ve been hacking – as it stands, for over thirteen years. When such materials weren’t available on any particular topic, I’d go through hundreds of forum pages trawling for details on a specific topic, or spend hours fighting with an intricacy that everyone else considered obvious.

Today, I’d like to highlight one of the most complete introductions to hardware hacking I’ve seen so far – from overall principles to technical details, spanning all levels of complexity, uniting theory and practice. This is The Hardware Hacking Handbook, by Jasper van Woudenberg and Colin O’Flynn. Across four hundred pages, you will find as complete of an introduction to subverting hardware as there is. None of the nuances are considered to be self-evident; instead, this book works to fill any gaps you might have, finding words to explain every relevant concept on levels from high to low.

Apart from the overall hardware hacking principles and examples, this book focuses on the areas of fault injection and power analysis – underappreciated areas of hardware security that you’d stand to learn, given that these two practices give you superpowers when it comes to taking control of hardware. It makes sense, since these areas are the focus of [Colin]’s and [Jasper]’s research, and they’re able to provide you something you wouldn’t learn elsewhere. You’d do well with a ChipWhisperer in hand if you wanted to repeat some of the things this book shows, but it’s not a requirement. For a start, the book’s theory of hardware hacking is something you would benefit from either way. Continue reading “Books You Should Read: The Hardware Hacker’s Handbook” →

Photo of the head unit , with "Hacked by greenluigi1" in the center of the UI

Hacker Liberates Hyundai Head Unit, Writes Custom Apps

July 18, 2022 by Arya Voronova 39 Comments

[greenluigi1] bought a Hyundai Ioniq car, and then, to our astonishment, absolutely demolished the Linux-based head unit firmware. By that, we mean that he bypassed all of the firmware update authentication mechanisms, reverse-engineered the firmware updates, and created subversive update files that gave him a root shell on his own unit. Then, he reverse-engineered the app framework running the dash and created his own app. Not just for show – after hooking into the APIs available to the dash and accessible through header files, he was able to monitor car state from his app, and even lock/unlock doors. In the end, the dash got completely conquered – and he even wrote a tutorial showing how anyone can compile their own apps for the Hyundai Ionic D-Audio 2V dash.

In this series of write-ups [greenluigi1] put together for us, he walks us through the entire hacking process — and they’re a real treat to read. He covers a wide variety of things: breaking encryption of .zip files, reprogramming efused MAC addresses on USB-Ethernet dongles, locating keys for encrypted firmware files, carefully placing backdoors into a Linux system, fighting cryptic C++ compilation errors and flag combinations while cross-compiling the software for the head unit, making plugins for proprietary undocumented frameworks; and many other reverse-engineering aspects that we will encounter when domesticating consumer hardware.

This marks a hacker’s victory over yet another computer in our life that we aren’t meant to modify, and a meticulously documented victory at that — helping each one of us fight back against “unmodifiable” gadgets like these. After reading these tutorials, you’ll leave with a good few new techniques under your belt. We’ve covered head units hacks like these before, for instance, for Subaru and Nissan, and each time it was a journey to behold.

Open Firmware For PinePhone LTE Modem – What’s Up With That?

July 12, 2022 by Arya Voronova 30 Comments

In their monthly announcement, among all the cool things Pine64, they talked about the open firmware for PinePhone’s LTE modem. The firmware isn’t fully open – a few parts remain closed. And Pine emphasizes that they neither pre-install nor officially endorse this firmware, and PinePhones will keep shipping with the vendor-supplied modem firmware image instead.

That said, the new firmware is way more featureful – it has less bugs, more features, decreased power consumption, and its proprietary parts are few and far between. I’d like to note that, with a special build of this firmware, the PinePhone’s modem can run Doom – because, well, of course.

And with all that, it’s become way easier to install this firmware – there’s fwupd hooks now! You can think of fwupd as the equivalent of Windows Update for firmware, except not abusive, and aimed at Linux. A perfect fit for keeping your open-source devices as functional as they can be, in other words.

What’s the deal? If open firmware is that much cooler, why don’t more of our phones have open firmware options available? Continue reading “Open Firmware For PinePhone LTE Modem – What’s Up With That?” →

Hacking The RF Protocol Of An Obscure Handheld Game

July 6, 2022 by Tom Nardi 9 Comments

When you think old school handheld games, you probably imagine something like Nintendo’s Game Boy line or the Sega Game Gear. But outside of those now iconic systems, there was a vast subculture of oddball handheld games vying for a chunk of an adolescent’s weekly allowance. Many of these were legitimately terrible and frankly aren’t worth remembering, but a few offered unique features that were arguably ahead of their time.

One such game was Hasbro’s short-lived P-O-X. As explained by [Zachary Ennenga], the game didn’t spend much time on store shelves as its core concept of defeating undetectable alien invaders hell-bent on destroying our way of life proved to be more than a little problematic when it launched in September of 2001. But that doesn’t mean it didn’t have some cool ideas, such as a wireless ad-hoc multiplayer capability that let your game autonomously battle it out with other units that got close by.

Fascinated by this feature since his youth, [Zach] set out to study how this relatively cheap kid’s toy was able to pull this off back when even the flagship handheld consoles were still using physical link cables for multiplayer. He was aided in his quest by a particularly helpful patent, which not only gave him clues as to the frequency, data rate, modulation, and encoding of the RF signal, but even explained the game’s logic and overall structure. A lot of what was in the document seemed wishful thinking on the part of Hasbro, but reading through the marketing speak still uncovered some salient technical details.

Armed with an RTL-SDR, GNU Radio, Inspectrum, and a bit of Python, [Zach] was able to identify the signal and begin the process of decoding it. This is where things get really interesting, as the details of his reverse engineering process are widely applicable for all sorts of unknown RF signals. Even if you’re like most people and have nearly zero interest in failed handheld games of the early 2000s, it’s well worth a read. The same techniques he uses to figure out the name and physical characteristics of the invisible foe his game is transmitting could one day help you figure out how to manipulate the data from that wireless weather station you’ve got in the backyard.

Once he figured out the major parts of the protocol, [Zach] moves on to creating his own packets and broadcasting them out in such a way that the real hardware will recognize it. He even comes up with some code that will automatically battle games which wander within range of his Yardstick One, which may come in handy during the inevitable P-O-X Renaissance.

While this might seem like a lot of effort to put into a game that most people have never even heard of, we’ll remind you that some of the greatest hacks to ever grace these pages have been born of similar pursuits. Even if you’re the only person in the world to directly benefit from your current line of research and experimentation, there’s still plenty of like-minded folks in this community that are all to happy to cheer you on from the sidelines.

Reverse Engineering An Apollo-Era Module With X-Ray

June 29, 2022 by Dan Maloney 9 Comments

The gear that helped us walk on the Moon nearly 60 years ago is still giving up its mysteries today, with some equipment from the Apollo era taking a little bit more effort to reverse engineer than others. A case in point is this radiographic reverse engineering of some Apollo test gear, pulled off by [Ken Shirriff] with help from his usual merry band of Apollo aficionados.

The item in question is a test set used for ground testing of the Up-Data Link, which received digital commands from mission controllers. Contrary to the highly integrated construction used in Apollo flight hardware, the test set, which was saved from a scrapyard, used more ad hoc construction, including cards populated by mysterious modules. The pluggable modules bear Motorola branding, and while they bear some resemblance to ICs, they’re clearly not.

[Ken] was able to do some preliminary reverse-engineering using methods we’ve seen him employ before, but ran into a dead end with his scope and meter without documentation. So the modules went under [John McMaster]’s X-ray beam for a peek inside. They discovered that the 13-pin modules are miniature analog circuits using cordwood construction, with common discrete passives stacked vertically between parallel PCBs. The module they imaged showed clear shadows of carbon composition resistors, metal-film capacitors, and some glass-body diodes. Different angles let [Ken] figure out the circuit, which appears to be part of a square wave to sine wave converter.

The bigger mystery here is why the original designer chose this method of construction. There must still be engineers out there who worked on stuff like this, so here’s hoping they chime in on this innovative method.