An EMMC Gives Up Its Secrets

In the years since mobile phones morphed from simple telephones into general-purpose pocket computers, a growing phenomenon has been the dead device that takes some treasured digital resource with it. In most cases the device itself has died, but that doesn’t necessarily mean the data has gone with it. Inside the device will be an eMMC flash chip, and if that can be read then the data is safe. This applies to some single-board computers too, and thus [Jeffmakes]’ adventures in recovering an eMMC from a dead Raspberry Pi CM4 are particularly interesting.

The whole thing relies on the eMMC presenting the same interface as an SD card, so while it comes in a multi-pin BGA package it can be addressed with surprisingly few wires. Using the PCB from another dead CM4 he traced the relevant connections from the eMMC to the SoC pads, and with some very fine soldering was thus able to construct an interface for an SD card reader. The disk could then be imaged in its entirety.
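Once the chip is presented to the host as a block device, the imaging step is the part that decides whether the data is really safe: a flaky eMMC can throw read errors partway through, and an image that silently stopped short is worse than none. The following is an added example, not [Jeffmakes]’ own code, that copies a block device chunk by chunk the way `dd conv=noerror,sync` would (zero-filling unreadable chunks and recording their offsets), re-hashes the result to confirm the copy, and decodes the MBR partition table so you can see whether the image reached past the boot partition. The device path, the sample image and its partition table values are constructed for the demo.

```python
# Added example (not from the original article): image a raw block device the
# way dd conv=noerror,sync would, verify the copy, and sanity-check its MBR.
# Sample device contents and paths are constructed for the demo.
import hashlib
import os
import struct
import tempfile

CHUNK = 4 * 1024 * 1024  # 4 MiB per read, like dd bs=4M


def image_device(src_path, dst_path, chunk=CHUNK):
    """Copy src_path to dst_path chunk by chunk.

    A failing eMMC may raise read errors on some sectors; instead of aborting,
    an unreadable chunk is replaced by zeros and its offset recorded (what dd's
    conv=noerror,sync does). Returns the SHA-256 of the bytes written, the byte
    count and the list of zero-filled offsets.
    """
    digest = hashlib.sha256()
    bad_chunks = []
    offset = 0
    with open(src_path, "rb", buffering=0) as src, open(dst_path, "wb") as dst:
        while True:
            try:
                data = src.read(chunk)
            except OSError:
                data = b"\x00" * chunk      # keep the image aligned
                bad_chunks.append(offset)
                src.seek(offset + chunk)    # skip past the bad region
            if not data:
                break
            dst.write(data)
            digest.update(data)
            offset += len(data)
    return {"sha256": digest.hexdigest(), "bytes": offset, "bad_chunks": bad_chunks}


def verify_image(path, expected_sha256, chunk=CHUNK):
    """Re-hash the image on disk and compare with the hash taken while copying."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest() == expected_sha256


def parse_mbr(path):
    """Return the non-empty entries of a classic MBR partition table.

    A Raspberry Pi image normally has a FAT boot partition (type 0x0C) followed
    by an ext4 root (0x83); seeing both is a quick sign the copy got past the
    first few megabytes. A missing 0x55AA signature means a truncated or GPT image.
    """
    with open(path, "rb") as f:
        sector = f.read(512)
    if len(sector) < 512 or sector[510:512] != b"\x55\xaa":
        raise ValueError("no MBR boot signature; image truncated or not MBR")
    parts = []
    for i in range(4):
        entry = sector[446 + 16 * i: 446 + 16 * (i + 1)]
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sectors
        _status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        if ptype != 0:
            parts.append({"index": i, "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return parts


def make_sample_image(path, size=2 * 1024 * 1024):
    """Write a constructed 2 MiB stand-in for the eMMC: an MBR with a FAT (0x0C)
    and a Linux (0x83) entry, then random filler. The table values are
    illustrative and describe a larger device than the sample file."""
    def entry(ptype, lba_start, sectors):
        return struct.pack("<B3xB3xII", 0x00, ptype, lba_start, sectors)
    mbr = bytearray(512)
    mbr[446:462] = entry(0x0C, 8192, 524288)      # boot partition
    mbr[462:478] = entry(0x83, 532480, 1048576)   # root partition
    mbr[510:512] = b"\x55\xaa"
    with open(path, "wb") as f:
        f.write(mbr)
        f.write(os.urandom(size - 512))


def run_demo():
    """Image the constructed sample, verify it and decode its partition table."""
    workdir = tempfile.mkdtemp()
    src = os.path.join(workdir, "emmc-sample.bin")   # stands in for /dev/sdX
    dst = os.path.join(workdir, "emmc-image.img")
    make_sample_image(src)
    report = image_device(src, dst)
    report["verified"] = verify_image(dst, report["sha256"])
    report["partitions"] = parse_mbr(dst)
    return report


if __name__ == "__main__":
    r = run_demo()
    print(f"{r['bytes']} bytes, sha256 {r['sha256']}, verified={r['verified']}, bad={r['bad_chunks']}")
    for p in r["partitions"]:
        print(f"  partition {p['index']}: type 0x{p['type']:02x} start {p['lba_start']} sectors {p['sectors']}")
```

On a real recovery you would pass the reader’s device node as `src_path` and keep the returned `bad_chunks` list with the image; the zero-filled offsets tell you which files to treat with suspicion when you mount the image read-only later.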

This work will be of huge use to experimenters who’ve fried their Compute Modules, but of course the information it contains will also be of use to retrieve those photos from the phone that fell in the bath. It’s not the first time we’ve taken a look at someone’s efforts in this area.

Did You See A John Deere Tractor Cracked At DEF CON?

The Internet, or at least our corner of it, has been abuzz over the last few days with the news of a DEF CON talk by [Sick.Codes] in which he demonstrated the jailbreaking of the console computer from a John Deere tractor. Sadly we must wait the lengthy time until the talk is made public, and for now the most substantive information we have comes from a couple of Tweets. The first comes from [Sick.Codes] himself and shows a game of DOOM with a suitably agricultural theme, while the second is by [Kyle Wiens] and reveals the tractor underpinnings relying on outdated and unpatched operating systems.

You might ask why this is important and more than just another “Will it run DOOM” moment. The answer will probably be clear to long-term readers, and is that Deere have become the poster child for improper use of DRM to lock owners into their servicing and deny farmers the right to repair. Thus any breaches in their armor are of great interest, because they have the potential to free farmers world-wide from this unjust situation. As we’ve reported before, the efforts to circumvent this have relied on cracked versions of the programming software, so this potential jailbreak of the tractor itself could represent a new avenue.

As far as we’re aware, this has so far taken place on the console modules in the lab and not in the field on a real tractor. So we’re unsure as to whether the door has been opened into the tractor’s brain, or merely into its interface. But the knowledge of which outdated software can be found on the devices will, we hope, lead on to what known vulnerabilities may be present, and in turn to greater insights into the machinery.

Were you in the audience at DEF CON for this talk? We’d be curious to know more. Meanwhile the Tweet is embedded below the break, for a little bit of agricultural DOOM action.


Air Filter DRM? Hacker Opts Out With NFC Sticker

[Flamingo-tech]’s Xiaomi air purifier has a neat safety feature: it will refuse to run if a filter needs replacement. Of course, by “neat” we mean “annoying”. Especially when the purifier seems to judge a filter useless much earlier than it should. Is your environment relatively clean, and the filter still has legs? Are you using a secondary pre-filter to extend the actual filter’s life? Tough! Time’s up. Not only is this inefficient, it’s wasteful.

Every Xiaomi filter contains an NTAG213 NFC tag with a unique ID, and uses a unique password for communication, but how this password was generated (and therefore how to generate new ones) was not known. This meant that compatible tags recognized by the purifier could not be created. Until now, that is. [Flamingo-tech] has shared the discovery of how Xiaomi generates the password for communication between filter and purifier.

A small NFC sticker is now all it takes to have the purifier recognize a filter as new.

[Flamingo-tech] has long been a proponent of fooling Xiaomi purifiers into acting differently. In the past, this meant installing a modchip to hijack the DRM process. That’s a classic method of getting around nonsense DRM on things like label printers and dishwashers, but in this case, reverse-engineering efforts paid off.

It’s now possible to create simple NFC stickers that play by all the right rules. Is a filter’s time up according to the NFC sticker, but it’s clearly still good? Just peel that NFC sticker off and slap on a new one, and as far as the purifier is concerned, it’s a new filter!

If you’re interested in the reverse-engineering journey, there’s a GitHub repository with all the data. And for those interested in purchasing compatible NFC stickers, [Flamingo-tech] has some available for sale.
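To follow a writeup like this one it helps to know what an NTAG213 dump actually contains: where the 7-byte UID and its two check bytes live, and which configuration bytes say from what page onward the tag demands the password. Below is an added example, not code from [Flamingo-tech]’s repository, that parses a 180-byte NTAG213 dump using the layout from NXP’s datasheet (UID and BCC bytes in pages 0 to 2, AUTH0 in page 0x29, ACCESS in page 0x2A). It does not reproduce the Xiaomi password derivation; the sample dumps and the UID are constructed here.

```python
# Added example (not from Flamingo-tech's repository): decode an NTAG213 memory
# dump to see its UID, whether the BCC check bytes match, and how the password
# protection is configured. Sample dumps are constructed; the Xiaomi password
# derivation is not reproduced.

PAGE = 4
NTAG213_PAGES = 45            # pages 0x00 .. 0x2C
CASCADE_TAG = 0x88            # ISO 14443-3 cascade tag, folded into BCC0
CFG0_PAGE, CFG1_PAGE, PWD_PAGE, PACK_PAGE = 0x29, 0x2A, 0x2B, 0x2C


def page(dump, n):
    """Return the 4 bytes of page n."""
    return dump[n * PAGE:(n + 1) * PAGE]


def parse_ntag213(dump):
    """Extract identity and protection settings from a full NTAG213 dump."""
    if len(dump) != NTAG213_PAGES * PAGE:
        raise ValueError(f"expected {NTAG213_PAGES * PAGE} bytes, got {len(dump)}")
    p0, p1, p2 = page(dump, 0), page(dump, 1), page(dump, 2)
    uid = bytes([p0[0], p0[1], p0[2], p1[0], p1[1], p1[2], p1[3]])
    # BCC0 = CT ^ UID0 ^ UID1 ^ UID2 ; BCC1 = UID3 ^ UID4 ^ UID5 ^ UID6
    bcc0_ok = p0[3] == (CASCADE_TAG ^ p0[0] ^ p0[1] ^ p0[2])
    bcc1_ok = p2[0] == (p1[0] ^ p1[1] ^ p1[2] ^ p1[3])
    cfg0, cfg1 = page(dump, CFG0_PAGE), page(dump, CFG1_PAGE)
    auth0 = cfg0[3]            # first page that requires PWD_AUTH
    access = cfg1[0]           # PROT (bit 7), CFGLCK (bit 6), AUTHLIM (bits 2..0)
    return {
        "uid": uid.hex(),
        "bcc_ok": bcc0_ok and bcc1_ok,
        "static_lock": p2[2:4].hex(),
        "ndef_cc": page(dump, 3).hex(),
        "auth0": auth0,
        # AUTH0 pointing past the last page (default 0xFF) disables protection
        "password_protected": auth0 < NTAG213_PAGES,
        "prot_read_too": bool(access & 0x80),   # 0: write-only, 1: read and write
        "cfg_locked": bool(access & 0x40),
        "auth_limit": access & 0x07,            # 0 = unlimited failed attempts
        # PWD and PACK always read back as zeros on a real tag
        "pwd_readback": page(dump, PWD_PAGE).hex(),
        "pack_readback": page(dump, PACK_PAGE)[:2].hex(),
    }


def make_sample_dump(uid, auth0=0x04, access=0x80, corrupt_bcc=False):
    """Build a constructed 180-byte dump with a valid (or deliberately broken) BCC."""
    if len(uid) != 7:
        raise ValueError("NTAG213 UIDs are 7 bytes")
    dump = bytearray(NTAG213_PAGES * PAGE)
    bcc0 = CASCADE_TAG ^ uid[0] ^ uid[1] ^ uid[2]
    bcc1 = uid[3] ^ uid[4] ^ uid[5] ^ uid[6]
    if corrupt_bcc:
        bcc0 ^= 0x01
    dump[0:4] = bytes([uid[0], uid[1], uid[2], bcc0])
    dump[4:8] = uid[3:7]
    dump[8:12] = bytes([bcc1, 0x48, 0x00, 0x00])        # BCC1, internal, LOCK0, LOCK1
    dump[12:16] = bytes([0xE1, 0x10, 0x12, 0x00])       # NDEF capability container
    dump[CFG0_PAGE * PAGE:CFG0_PAGE * PAGE + 4] = bytes([0x04, 0x00, 0x00, auth0])
    dump[CFG1_PAGE * PAGE:CFG1_PAGE * PAGE + 4] = bytes([access, 0x00, 0x00, 0x00])
    return bytes(dump)   # PWD/PACK left as zeros, matching a real read-back


if __name__ == "__main__":
    sample_uid = bytes.fromhex("04a1b2c3d4e5f6")   # constructed, not a real filter
    for key, value in parse_ntag213(make_sample_dump(sample_uid)).items():
        print(f"{key:>19}: {value}")
```

The interesting fields for a DRM scheme like this one are `auth0` and `prot_read_too`: together they say which pages the purifier can read without authenticating and which it must present the per-tag password for. Because the password and PACK never read back, a dump alone cannot reveal them, which is why the derivation from the UID had to be worked out separately.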

A Deeper Dive Into Reverse Engineering With A CT Scanner

We recently got a look at how [Ken Shirriff] used an industrial CT scanner as a reverse engineering tool. The results were spectacular, with pictures that clearly showed the internal arrangement of parts that haven’t seen the light of day since the module was potted back in the 60s. And now, [Ken]’s cohort [Curious Marc] has dropped a video with more detail on the wonderful machine, plus deep dives into more Apollo-era hardware.

If you liked seeing the stills [Ken] used to reverse engineer the obscure flip-flop module, you’re going to love seeing [Marc] using the Lumafield scanner’s 3D software to non-destructively examine several Apollo artifacts. First to enter the sample chamber of the CT scanner was a sealed module called the Central Timing Equipment, which served as the master clock for the Apollo Command Module. The box’s magnesium case proved to be no barrier to the CT scanner’s beam, and the 3D model that was built up from a series of 2D images was astonishingly detailed. The best part about the virtual models is the ability to slice through them in any plane — [Marc] used this feature to hunt down the clock’s quartz crystal.

CT Scans Help Reverse Engineer Mystery Module

The degree to which computed tomography has been a boon to medical science is hard to overstate. CT scans give doctors a look inside the body that gives far more information about the spatial relationship of structures than a plain X-ray can. And as it turns out, CT scans are pretty handy for reverse engineering mystery electronic modules, too.

The fact that the mystery module in question is from Apollo-era test hardware leaves little room for surprise that [Ken Shirriff] is the person behind this fascinating little project. You’ll recall that [Ken] recently radiographically reverse engineered a pluggable module of unknown nature, using plain X-ray images taken at different angles to determine that the undocumented Motorola module was stuffed full of discrete components that formed part of a square wave to sine wave converter.

The module for this project, a flip-flop from Motorola and in the same form factor, went into an industrial CT scanner from an outfit called Lumafield, where X-rays were taken from multiple angles. The images were reassembled into a three-dimensional view by the scanner’s software, which gave a stunningly clear view of the components embedded within the module’s epoxy body. The cordwood construction method is obvious, and it’s pretty easy to tell what each component is. The transistors are obvious, as are the capacitors and diodes. The resistors were a little more subtle, though — careful examination revealed that some are carbon composition, while others are carbon film. It’s even possible to pick out which diodes are Zeners.

The CT scan data, along with some more traditional probing for component values, let [Ken] reverse engineer the whole circuit, which turned out to be a little different than a regular J-K flip-flop. Getting a non-destructive look inside feels a little like sitting alongside the engineers who originally built these things, which is pretty cool.

Photo of the MCH2022 badge's screen, showing the "Hack me if you can" app's start splashscreen, saying "Service is accessible on IP ADDRESS : 1337"

MCH2022 Badge CTF Solved, With Plenty To Learn From

Among all the things you could find at MCH2022, there were a few CTFs (Capture The Flag exercises) – in particular, every badge contained an application that you could try and break into – and only two teams cracked this one! [dojoe] was part of one of them, and he has composed an extensive reverse-engineering story for us – complete with Ghidra disassembly of Xtensa code, remote code execution attempts, ROP gadget creation, and no detail left aside.

There was a catch: badges handed out to the participants didn’t contain the actual flag. You had to develop an exploit using your personal badge that only contained a placeholder flag, then go to the badge tent and apply your exploit over the network to one of the few badges with the real flag on them. The app in question turned out to be an echo server – sending back everything it received; notably, certain messages made it crash. One man’s crashes are another man’s exploit possibilities, and after a few hacking sessions, [dojoe]’s team got their well-deserved place on the scoreboard.

If you always thought that firmware reverse-engineering sounds cool, and you also happen to own a MCH2022 badge, you should try and follow the intricately documented steps of [dojoe]’s writeup. Even for people with little low-level programming experience, repeating this hack is realistic thanks to his extensive explanations, and you will leave with way more reverse-engineering experience than you had before.

The MCH2022 badge is a featureful creation of intricate engineering, with the ESP32 portion only being part of the badge – we’re eager to hear about what you’ve accomplished or are about to accomplish given everything it has to offer!

A family of PixMob bracelets being controlled by an ESP32 with an IR transmitter attached to it. All the bracelets are shining a blue-ish color

PixMob Wristband Protocol Reverse-Engineering Groundwork

The idea behind the PixMob wristband is simple — at a concert, organizers hand these out to the concertgoers, and during the show, infrared projectors are used to transmit commands so they all light up in sync. Sometimes, attendees would be allowed to take these bracelets home after the event, and a few hackers have taken a shot at reusing them.

The protocol is proprietary, however, and we haven’t yet seen anyone reuse these wristbands without tearing them apart or reflashing the microcontroller. [Dani Weidman] tells us how, together with [Zach Resmer], they have laid the groundwork for reverse-engineering the protocol of these wristbands.

Our pair of hackers started by obtaining a number of recordings from a helpful stranger online, and went on to replay these IR recordings to their wristbands. Most of them caused no reaction, presumably because they were configuration packets, but three of them caused the wristbands to flash in different colors. They translated these recordings into binary packets, and Dani went through different possible combinations, tweaking bits here and there, transmitting the packets and seeing which ones got accepted as valid. In the end, they had about 100 valid packets, and even figured out some protocol peculiarities like color animation bytes and motion sensitivity mode enable packets.

The GitHub repository provides some decent documentation and even a video, example code you can run on an Arduino with an IR transmitter, and even some packets you can send out with a Flipper Zero. If you’re interested in learning more about the internals of this device, check out the teardown we featured back in 2019.
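The two mechanical steps in that story, turning a raw IR capture into packet bits and then generating bit-tweaked candidates to transmit, are generic enough to show in code. The following is an added example, not code from [Dani Weidman] and [Zach Resmer]’s repository: it decodes a mark/space timing list (the form a Flipper Zero or Arduino IRremote raw capture takes) into bits using pulse-distance coding, re-encodes bits into timings, and enumerates every single-bit variant of a known-good packet for the “tweak, transmit, watch the wristband” loop. The leader burst, mark and gap lengths are assumed for illustration; the article does not describe PixMob’s actual encoding, and the sample capture is constructed with some timing jitter rather than recorded from a wristband.

```python
# Added example (not from the PixMob reverse-engineering repository): decode raw
# IR timings into packet bits, re-encode them, and enumerate single-bit variants
# of a known packet. Timing constants are assumed; PixMob's real encoding is not
# described in the article. The sample capture is constructed, not recorded.

HEADER = (9000, 4500)          # assumed leader burst (mark, space) in microseconds
MARK = 560                     # assumed burst length
SPACE_0, SPACE_1 = 560, 1690   # assumed gap lengths encoding 0 and 1
TOLERANCE = 0.25               # +-25 % slack for receiver jitter


def _close(measured, nominal, tol=TOLERANCE):
    return abs(measured - nominal) <= nominal * tol


def decode_timings(timings):
    """Turn a mark/space timing list into a list of bits.

    Layout assumed: leader pair, then one (mark, gap) pair per bit where the
    gap length carries the value, then a closing mark. Malformed input raises
    instead of silently producing a plausible-looking packet.
    """
    if len(timings) < 4 or not (_close(timings[0], HEADER[0]) and _close(timings[1], HEADER[1])):
        raise ValueError("no recognisable leader burst")
    body = timings[2:]
    bits = []
    for i in range(0, len(body) - 1, 2):
        mark, space = body[i], body[i + 1]
        if not _close(mark, MARK):
            raise ValueError(f"bad mark at index {i}: {mark}")
        if _close(space, SPACE_0):
            bits.append(0)
        elif _close(space, SPACE_1):
            bits.append(1)
        else:
            raise ValueError(f"ambiguous gap at index {i + 1}: {space}")
    return bits


def encode_bits(bits):
    """Inverse of decode_timings: the timing list that transmits these bits."""
    out = list(HEADER)
    for b in bits:
        out += [MARK, SPACE_1 if b else SPACE_0]
    out.append(MARK)   # closing burst
    return out


def bits_to_bytes(bits):
    if len(bits) % 8:
        raise ValueError("bit count is not a multiple of 8")
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))


def bytes_to_bits(data):
    return [(byte >> (7 - k)) & 1 for byte in data for k in range(8)]


def single_bit_variants(packet, seen=None):
    """Yield every packet differing from `packet` in exactly one bit, skipping
    anything already in `seen`. Wrap your own transmit-and-observe step around
    this to find out which neighbours of a known-good packet are accepted."""
    seen = set() if seen is None else seen
    seen.add(packet)
    for byte_index in range(len(packet)):
        for bit in range(8):
            variant = bytearray(packet)
            variant[byte_index] ^= 1 << bit
            variant = bytes(variant)
            if variant not in seen:
                seen.add(variant)
                yield variant


# Constructed capture of a 3-byte packet with alternating timing jitter applied,
# standing in for a recording; not a real PixMob transmission.
SAMPLE_CAPTURE = [int(t * (1.08 if i % 2 else 0.93))
                  for i, t in enumerate(encode_bits(bytes_to_bits(b"\xa5\x3c\x0f")))]


def demo():
    """Decode the sample capture and list its single-bit neighbours."""
    packet = bits_to_bytes(decode_timings(SAMPLE_CAPTURE))
    return packet, list(single_bit_variants(packet))


if __name__ == "__main__":
    packet, variants = demo()
    print("decoded packet:", packet.hex())
    print(len(variants), "single-bit variants, e.g.", variants[0].hex())
```

Feeding each variant through `encode_bits` gives you the timing list to send; keeping the shared `seen` set across runs stops you re-transmitting packets you already classified, which matters when each trial means watching a wristband by eye.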