Reverse Engineering

167 Articles

The FPC adapter shown soldered between the BGA chip and the phone's mainboard, with the phone shown to have successfully booted, displaying an unlock prompt on the screen

IPhone 6S NVMe Chip Tapped Using A Flexible PCB

March 3, 2024 by 3 Comments

Psst! Hey kid! Want to reverse-engineer some iPhones? Well, did you know that modern iPhones use PCIe, and specifically, NVMe for their storage chips? And if so, have you ever wondered about sniffing those communications? Wonder no more, as this research team shows us how they tapped them with a flexible printed circuit (FPC) BGA interposer on an iPhone 6S, the first iPhone to use NVMe-based storage.

The research was done by [Mohamed Amine Khelif], [Jordane Lorandel], and [Olivier Romain], and it shows us all the nitty-gritty of getting at the NVMe chip — provided you’re comfortable with BGA soldering and perhaps got an X-ray machine handy to check for mistakes. As research progressed, they’ve successfully removed the memory chip dealing with underfill and BGA soldering nuances, and added an 1:1 interposer FR4 board for the first test, that proved to be successful. Then, they made an FPC interposer that also taps into the signal and data pins, soldered the flash chip on top of it, successfully booted the iPhone 6S, and scoped the data lines for us to see.

This is looking like the beginnings of a fun platform for iOS or iPhone hardware reverse-engineering, and we’re waiting for further results with bated breath! This team of researchers in particular is prolific, having already been poking at things like MITM attacks on I2C and PCIe, as well as IoT device and smartphone security research. We haven’t seen any Eagle CAD files for the interposers published, but thankfully, most of the know-how is about the soldering technique, and the paper describes plenty. Want to learn more about these chips? We’ve covered a different hacker taking a stab at reusing them before. Or perhaps, would you like to know NVMe in more depth? If so, we’ve got just the article for you.

We thank [FedX] for sharing this with us on the Hackaday Discord server!

The Thinkpad in question, with a Linux shell open on its screen, showing that the device mode has been successfully enabled

ThinkPad X1 Carbon Turned USB Device Through Relentless Digging

March 1, 2024 by 15 Comments

In what’s perhaps one of the most impressive laptop reverse engineering posts in recent memory, [Andrey Konovalov] brings us an incredibly detailed story of how he’s discovered and successfully enabled a USB device controller in a ThinkPad X1 Carbon equipped with a 6th gen Intel CPU.

If you ever wanted to peek at the dirty secrets of a somewhat modern-day Intel CPU-based system, this write-up spares you no detail, and spans dozens of abstraction layers — from Linux drivers and modifying NVRAM to custom USB cable building and BIOS chip flashing, digging deep into undocumented PCH registers for the dessert.

All [Andrey] wanted was to avoid tinkering with an extra Raspberry Pi. While using a PCIe connected device controller, he’s found a reference to intel_xhci_usb_sw-role-switch in Linux sysfs, and dove into a rabbit hole, where he discovered that the IP core used for the laptop’s USB ports has a ‘device’ mode that can be enabled. A dig through ACPI tables confirmed this, but also highlighted that the device is disabled in BIOS. What’s more, it turned out to be locked away behind a hidden menu. Experiments in unlocking that menu ensued, in particular when it comes to bypassing Intel Boot Guard, a mechanism that checks BIOS image signatures before boot.

Continue reading “ThinkPad X1 Carbon Turned USB Device Through Relentless Digging”

Pictures of the internals of the Starlink adapter

Restoring Starlink’s Missing Ethernet Ports

February 28, 2024 by 29 Comments

Internet connectivity in remote areas can be a challenge, but recently SpaceX’s Starlink has emerged as a viable solution for many spots on the globe — including the Ukrainian frontlines. Unfortunately, in 2021 Starlink released a new version of their hardware, cost-optimized to the point of losing some nice features such as the built-in Ethernet RJ45 (8P8C) port, and their proposed workaround has some fundamental problems to it. [Oleg Kutkov], known for fixing Starlink terminals in wartime conditions, has released three posts on investigating those problems and, in the end, bringing the RJ45 ports back.

Starlink now uses an SPX connector with a proprietary pinout that carries two Ethernet connections at once: one to the Dishy uplink, and another one for LAN, with only the Dishy uplink being used by default. If you want LAN Ethernet connectivity, they’d like you to buy an adapter that plugs in the middle of the Dishy-router connection. Not only is the adapter requirement a bother, especially in a country where shipping is impeded, the SPX connector is also seriously fragile and prone to a few disastrous failure modes, from moisture sensitivity to straight up bad factory soldering.

Continue reading “Restoring Starlink’s Missing Ethernet Ports”

Sketchy Logg Dogg Logging Robot Remote Control Hacking

February 20, 2024 by 9 Comments

When we last left [Wes] amidst the torn-open guts of his Logg Dogg logging robot, he had managed to revitalize the engine and dug into the hydraulics, but one big obstacle remained: the lack of the remote control unit. In today’s installment of the Logg Dogg series, [Wes] summarizes weeks of agony over creating a custom circuit based around a microcontroller, a joystick and a lot of relays and other bits and pieces to drive the solenoids inside the logging machine that control the hydraulics.

Giving the remote controller a bench test before connecting to the logging robot (Credit: Watch Wes Work)

Most of the struggle was actually with the firmware, as it had to not only control the usual on/off solenoids, but also a number of proportional solenoid valves which control things like the track speed by varying the hydraulic flow to the final drives.

This requires a PWM signal, which [Wes] generated using two MOSFETs in a closed-feedback system, probably because open loop controls with multi-ton hydraulic machinery are not the kind of excitement most people look forward to.

Ultimately he did get it sorted, and was able to take the Logg Dogg for its first walk since being rescued from a barn, which both parties seemed to rather enjoy. The background details of this machine and the project can be found in our first coverage.

We’re looking anxiously forward to the next episode, where the controller goes wireless and the sketchiness gets dialed down some more.

Continue reading “Sketchy Logg Dogg Logging Robot Remote Control Hacking”

Installing SteamOS And Windows On A Google Meet Video Conference Computer

February 19, 2024 by 19 Comments

The Lenovo Meet is a collaboration with Google to bring Google Meet to customers in a ready to install kit for conference rooms and similar. Also called the Google Meet Series One, it features a number of cameras, speakers, display and more, along with the base unit. It is this base unit that [Bringus Studios] on YouTube tried to install a different OS capable of running Steam games on in a recent video. Along the way many things were learned about this device, which is – unsurprisingly – just another ChromeOS box.

After removing the rubber bottom (which should have been softened with a hot air gun to prevent damage), the case can be opened with some gentle prying to reveal the laptop-like innards. Inside are an 8th gen Intel CPU (i7-8550U @ 1.8 GHz), a 128 GB SATA M.2, 2 GB DDR4 RAM, along with 2 more GB of DDR4 a MicroSD slot and a Google Coral DA1 TPU on the bottom of the mainboard. It should be easy to install Linux, Windows, etc. on this other than for the ChromeOS part, which locks down the non-UEFI BIOS firmware.

Continue reading “Installing SteamOS And Windows On A Google Meet Video Conference Computer”

WoWMIPS: A MIPS Emulator For Windows Applications

February 17, 2024 by 12 Comments

When Windows NT originally launched it had ports to a wide variety of platforms, ranging from Intel’s x86 and i860 to DEC’s Alpha as well as the MIPS architecture. Running Windows applications written for many of these platforms is a bit tricky these days, which [x86matthew] saw as a good reason to write a MIPS emulator. This isn’t just any old emulator, though. It maps 32-bit Windows applications targeted at the MIPS R4000 CPU to an x86 CPU instead. Since both platforms run in a little-endian, 32-bit mode, this theoretically should be a walk in the park.

The use of the Windows PE executable format is also the same, so the first task was to figure out how to load the MIPS PE binary in a way that made sense for an x86 platform. This involved some reverse-engineering of the MIPS ntdll.dll file to figure out how relocations on that platform were handled. Following this, the mapping of the instructions of the R4000 CPU to the (CISC) x86 ISA was pretty easy. Only Floating Point Unit (FPU) support was left as a future challenge. Memory access was left as direct access, meaning no sandboxing or isolation, for simplicity’s sake.

The final task was mapping the native API calls, which call almost directly into the underlying host Windows OS’s API, with a bit of glue logic. With all of this done, Windows NT applications originally written for 1990s MIPS ran just fine on a modern-day x86_64 PC running Windows — as long as you don’t need an FPU (for now).

An image of a cave drawing of horned cow. There is another one coming up behind it as well. There are four dots as described by the researchers on the main cow's back.

Writing – So Easy A Caveperson Could Do It

February 13, 2024 by 10 Comments

We modern humans tend to take writing for granted, and often forget that like any other technology, somebody had to invent it. Researchers from Cambridge believe they’ve determined the purpose of one of the earliest writing beta-tests.

Examining a database of images taken in caves throughout Europe and dated to the Upper Paleolithic, the researchers found “three of the most frequently occurring signs—the line <|>, the dot <•>, and the <Y>—functioned as units of communication.”

It appears the <|> and <.> symbols when “in close association with images of animals” denote time relating to lunar months of the year, starting with spring as the new year. The <Y> symbol appears to carry the meaning <To Give Birth> allowing early people a way to tell others information about the prey of a region, which would be pretty handy when hunting and gathering are your only options for food.

We’ve covered other ancient technologies like storytelling and abrasives. If you’re curious what the climate was like for our ancestors, perhaps paleoclimatology will tickle your fancy.