Version 1.8 of the 80386 ISA SBC in its assembled glory. (Credit: Alexandru Groza)

Building Your Own 80386DX ISA Single Board Microcomputer

March 30, 2022 by Maya Posch 36 Comments

Having grown up with 386-level systems during the early 90s like so many of us, [Alexandru Groza] experienced an intense longing to experience the nostalgia of these computer systems from an interesting angle: by building his own 80386DX-based single board computer. Courtesy of the 16-bit ISA form factor, the entire system fits into a 16-bit ISA backplane which then provides power and expansion slots for further functionality beyond what is integrated on the SBMC card.

Having started the project in 2019, it is now in the home stretch towards completion. Featuring an 80386DX and 80387DX FPU alongside 128 kB of cache and a grand total of 32 MB of RAM, an OPTi chipset was used to connect with the rest of the system alongside the standard 8042-class PS/2 keyboard and mouse controller. A large part of the fun of assembling such a system is that while the parts themselves are easy enough to obtain, finding datasheets is hard to impossible for some components.

Undeterred, some reverse-engineering of signaling on functional mainboards was sufficient to fill in the missing details. Helpfully, [Alexandru] provides the full schematics and BOM of the resulting board and takes us along with bootstrapping the system after obtaining the PCBs and components. After an initial facepalm moment due to an incorrectly inserted (and subsequently very dead) CPU and boot issues, ultimately [Alexandru] gave up on the v1.6 revision of the board

Fortunately the v1.8 revision with a logic analyzer led to a number of discoveries that has led to the system mostly working, minus what appears to be DMA-related issues. Even so, it is a remarkable achievement that demonstrates the complexity of these old systems.

What’s That AccessUSB Menu In My LG SmartTV?

March 30, 2022 by Arya Voronova 22 Comments

One boring evening, [XenRE] was looking through service menus on their LG Smart TV (Russian, Google Translate), such menus accessible through use of undocumented IR remote codes. In other words, a fairly regular evening. They noticed an “Access USB Status” entry and thought the “Access USB” part looked peculiar. A few service manuals hinted that there’s a service mode you could access with an adapter made out of two back-to-back PL2303 USB-UART adapters – a few female-female jumper wires later, serial prompt greeted our hacker, and entering ‘debug’ into the prompt responded with some text, among it, “Access USB is NOT opened!!!”.

[XenRE] found the WebOS firmware for the TV online, encrypted and compressed into a proprietary LG .epk format, but liberated with an open-source tool. A few modules referred to AccessUSB there, and one detour into investigating and explaining WebOS USB vendor lock-in implementation later, they programmed an STM32 with the same VID and PID as the mythical AccessUSB device found in relevant WebOS modules decompiled with IDA. By this point, AccessUSB could safely be assumed to be a service mode dongle. The TV didn’t quite start beeping in a different pattern as we’d expect in a sci-fi movie, but it did notify about a “new USB device” – and started asking for a 6-symbol service menu password instead of a 4-symbol one. Continue reading “What’s That AccessUSB Menu In My LG SmartTV?” →

The BluePill board used for this hack, wired to the DYMO RFID reader, after all the wires for this hack have been soldered onto the BluePill board.

#FreeDMO Gets Rid Of DYMO Label Printer DRM

March 30, 2022 by Arya Voronova 49 Comments

DYMO 550 series printer marketing blurb says “The DYMO® LabelWriter® 550 Turbo label printer comes with unique Automatic Label Recognition™”, which, once translated from marketing-ese, means “this printer has DRM in its goshdarn thermal stickers”. Yes, DRM in the stickers that you typically buy in generic rolls. [FREEPDK] didn’t like that, either, and documents a #FreeDMO device to rid us of yet another consumer freedom limitation, the true hacker way.

The generic BluePill board and two resistors are all you need, and a few extra cables make the install clean and reversible – you could definitely solder to the DYMO printer’s PCBs if you needed, too. Essentially, you intercept the RFID reader connections, where the BluePill acts as an I2C peripheral and a controller at the same time, forwarding the data from an RFID reader and modifying it – but it can also absolutely emulate a predetermined label and skip the reader altogether. If you can benefit from this project’s discoveries, you should also take a bit of your time and, with help of your Android NFC-enabled phone, share your cartridge data in a separate repository to make thwarting future DRM improvements easier for all of us. Continue reading “#FreeDMO Gets Rid Of DYMO Label Printer DRM” →

[Ken Shirriff] Takes A Bite Of The Apple-I

March 23, 2022 by Al Williams 7 Comments

The Apple-I was a far cry from Apple’s later products. A $666 single-board computer, the product had some unique design features including using a shift register for video memory to save money. The shift registers of the day required high-current clock pulses that ranged from -11 to 5V and there was a DS0025 clock driver chip to handle the job. [Ken Shirriff] takes the unusual chip apart for us in a recent blog post.

The use of a shift register as memory isn’t a new idea. Really old computers like EDSAC used mercury delay lines as memory which was essentially a physical shift register. In those cases, the ALU and other processing only had to deal with a bit at a time, further simplifying things. For the Apple, there were seven shift registers to store 6-bits of display data and a cursor position. The 6 bits of character data drove — indirectly — a character generator ROM to convert the data into dots for the display.

Driving all those shift register flip flops requires a lot of clock current, so the DS0025 uses an unusual transistor design. There are 24 separate emitters in two groups. It acts like a large transistor, but you could also consider it as two 12-emitter transistors or 24 separate transistors in parallel. The metal wiring, interestingly enough, tapers because at the start of the conductor, the current for all 12 sub-transistors flows, but by the end, it is only the current for the last sub-transistor, so the conductor doesn’t have to be as wide. In addition, the two transistors have to have matched resistance which requires careful design so the transistors turn on at the same time.

The final result is an inverter that can provide 1.5 amps. This current helps overcome the relatively large capacitance in the shift register’s clock line. The clock rate was 1 MHz and the load capacitance was about 150 picofarads.

We enjoy [Ken’s] posts ranging from mysteries to space hardware. It is always interesting to see what is inside these devices or, at least, what was in the old devices we’ve all seen.

An assortment of MemoryStick cards and devices, some of them, arguably cursed, like a MemoryStick-slot-connected camera.

Hacker Challenges MemoryStick To A Fight And Wins

March 20, 2022 by Arya Voronova 24 Comments

It’s amazing when a skilled hacker reverse-engineers a proprietary format and shares the nitty-gritty with everyone. Today is a day when we get one such write-up – about MemoryStick. It is one of those proprietary formats, a staple of Sony equipment, these SD-card-like storage devices were evidently designed to help pad Sony’s pockets, as we can see from the tight lock-in and inflated prices. As such, this format has always remained unapproachable to hackers. No more – [Dmitry Grinberg] is here with an extensive breakdown of MemoryStick protocol and internals.

If you ever want to read about a protocol that is not exactly sanely designed, from physical layer quirks to things like inexplicable large differences between MemoryStick and MemoryStick Pro, this will be an entertaining read for hackers of all calibers. Dmitry doesn’t just describe the bad parts of the design, however, as much as that rant is entertaining to read – most of the page is taken by register summaries, struct descriptions and insights, the substance about MemoryStick that we never got.

One sentence is taken to link to a related side project of [Dmitry] that’s a rabbithole on its own – he has binary patched MemoryStick drivers for PalmOS to add MemoryStick Pro support to some of the Sony Clie handhelds. Given the aforementioned differences between non-Pro and Pro standards, it’s a monumental undertaking for a device older than some of this site’s readers, and we can’t help but be impressed.

To finish the write-up off, [Dmitry] shares with us some MemoryStick bit-banging examples for the STM32. Anyone who ever wanted to approach MemoryStick, be it for making converter adapters to revive old tech, data recovery or preservation purposes, or simply hacker curiosity, now can feel a bit less alone in their efforts.

We are glad to see such great hacking on the MemoryStick front – it’s much needed, to the point where our only article mentioning MemoryStick is about avoiding use of the MemoryStick slot altogether. [Dmitry] is just the right person for reverse-engineering jobs like this, with extensive reverse-engineering history we’ve been keeping track of – his recent reverse-engineering journey of an unknown microcontroller in cheap E-Ink devices is to behold.

Modules described in the article (two copies of the challenge shown, so, two lines of modules)

Spaceship Repair CTF Covers Hardware Hacker Essentials

March 3, 2022 by Arya Voronova 15 Comments

At even vaguely infosec-related conferences, CTFs are a staple. For KernelCon 2021, [Tyler Rosonke] resolved to create a challenge breaking the traditions, entertaining and teaching people in a different way, while satisfying the constraints of that year’s remote participation plans. His imagination went wild in all the right places, and a beautifully executed multi-step hardware challenge was built – only in two copies!

Story behind the challenge? Your broken spaceship has to be repaired so that you can escape the planet you’re stuck on. The idea was to get a skilled, seasoned hacker solving challenges for our learning and amusement – and that turned out to be none other than [Joe “Kingpin” Grand]!

The modules themselves are what caught our attention. Designed to cover a wide array of hardware hacker skills, they cover soldering, signal sniffing, logic gates, EEPROM dumping and more – and you have to apply all of these successfully for liftoff. If you thought “there’s gotta be a 555 involved”, you weren’t wrong, either, there’s a module where you have to reconfigure a circuit with one!

KernelCon is a volunteer-driven infosec conference in Omaha, and its 2022 installment starts in a month – we can’t wait to see what it brings! Anyone doing hardware CTFs will have something to learn from their stories, it seems. The hacking session, from start to finish, was recorded for our viewing pleasure; linked below as an hour and a half video, it should be a great background for your own evening of reverse-engineering for leisure!

This isn’t the first time we’ve covered [Tyler]’s handiwork, either. In 2020, he programmed a batch of KernelCon badges while employing clothespins as ISP clips. Security conferences have most certainly learned just how much fun you can have with hardware, and if you ever need a case study for that, our review of 2019 CypherCon won’t leave you hanging.

Continue reading “Spaceship Repair CTF Covers Hardware Hacker Essentials” →

Two revisions of Wenting's custom SSD board - earlier revision on the left, later, sleeker and more complete, on the right.

Custom SSD Gives New Life To Handheld Atom PC

February 25, 2022 by Arya Voronova 12 Comments

People don’t usually go as far as [Wenting Zhang] has – designing a new IDE SSD board for a portable x86 computer made in 2006. That said, it’s been jaw-dropping to witness the astounding amount of reverse-engineering and design effort being handwaved away.

The Benq S6 is a small MID (Miniaturized Internet Device) with an Atom CPU, an x86 machine in all but looks. Its non-standard SSD’s two gigabytes of storage, however, heavily limit the OS choice – Windows XP would hardly fit on there, and while a small Linux distro could manage better, it’s, and we quote, “not as exciting”. A lot of people would stop there and use an external drive, or a stack of adapters necessitating unsightly modifications to the case – [Wenting] went further and broke the “stack of adapters” stereotype into shards with his design journey.

Tracing quite a few complex multi-layer boards into a unified and working schematic is no mean feat, especially with the SSD PCB being a host to two BGA chips, and given the sheer amount of pins in the IDE interface of the laptop’s original drive. Even the requirement for the SSD to be initialized didn’t stop him – a short fight with the manufacturer’s software ensued, but was no match for [Wenting]’s skills. The end result is a drop-in replacement SSD even thinner than the stock one.

This project is well-documented for all of us to learn from! Source code and PCB files are on GitHub, and [Wenting] has covered the journey in three different places at once – on Hackaday.io, in a YouTube video embedded down below, and also on his Twitter in form of regular posts. Now, having seen this happen, we all have one less excuse to take up a project seemingly so complex.

Hackers play with SSD upgrades and repurposing every now and then, sometimes designing proprietary-to-SATA adapters, and sometimes reusing custom SSD modules we’ve managed to get a stack of. If case mods are acceptable to you aesthetics-wise, we’ve seen an SSD upgrade for a Surface Pro 3 made possible that way.

Continue reading “Custom SSD Gives New Life To Handheld Atom PC” →