Reverse Engineering

279 Articles

Showing the same thumbdrive plugged into the same USB-C port in two different orientations, enumerating as two different USB ports

Dirty USB-C Tricks: One Port For The Price Of Two

December 31, 2022 by 48 Comments

[RichardG] has noticed a weird discrepancy – his Ryzen mainboard ought to have had fourteen USB3 ports, but somehow, only exposed thirteen of them. Unlike other mainboards in this lineup, it also happens to have a USB-C port among these thirteen ports. These two things wouldn’t be related in any way, would they? Turns out, they are, and [RichardG] shows us a dirty USB-C trick that manufacturers pull on us for an unknown reason.

On a USB-C port using USB3, the USB3 TX and RX signals have to be routed to two different pin groups, depending on the plugged-in cable orientation. In a proper design, you would have a multiplexer chip detecting cable orientation, and routing the pins to one or the other. Turns out, quite a few manufacturers are choosing to wire up two separate ports to the USB-C connector instead.

In the extensive writeup on this problem, [Richard] explains how the USB-C port ought to be wired, how it’s wired instead, shows telltale signs of such a trick, and how to check if a USB-C port on your PC is miswired in the same way. He also ponders on whether this is compliant with the USB-C specification, but can’t quite find an answer. There’s a surprising amount of products and adapters doing this exact thing, too, all of them desktop PC accessories – perhaps, you bought a device with such a USB-C port and don’t know it.

As a conclusion, he debates making an adapter to break the stolen USB3 port out. This wouldn’t be the first time we’re cheated when it comes to USB ports – the USB2 devices with blue connectors come to mind.

Reverse Engineering Saves Weller With A Wonky LCD From The Trash Pile

December 25, 2022 by 15 Comments

There’s nothing more satisfying than finding a broken piece of gear in the trash and bringing it back to life. Satisfying, but also potentially more time-consuming — someone tossed it for a reason, after all. Figuring out what that reason is and finding a way to back it better is where the fun — and the peril — are.

Luckily, some pieces of equipment have a relatively short list of well-known failure modes, a fact that [Lauri Pirttiaho] relied on for this fix of an old Weller WD1 soldering station. The unit, sporting the familiar light blue Weller livery and more than a few scratches and dings, had an LCD that was DOA. Typically it’s the driver that’s the problem here, but [Lauri]’s diagnosis revealed it was the LCD module itself that was bad.

With OEM replacements being basically unobtainium at this point, the fix was to intercept the data heading from the driver to the old LCD and send it to a new, easily sourced 16×2 character LCD display. This began with an inspection of the display controller’s datasheet, and a bit of probing of the old display to find out which segments and backplanes map to which pins. A little bit of case modding allowed the new display to fit, the old controller chip was removed, and a PIC16 went into its place, in a tidy nest of Kapton tape and bodge wires. The PIC does the job of translating the original display, which had a fair number of custom icons and symbols, into sensible text-based equivalents and sending them to the 16×2 via I2C. The video below shows the hack in action; it honestly looks like it could have come from the factory like that.

The nice thing here is that [Lauri]’s fix applies to a whole range of Weller stations, so if you find one in the trash, you might be able to resuscitate it. Failing that, you could always roll your own Weller from (more-or-less) scratch.

Continue reading “Reverse Engineering Saves Weller With A Wonky LCD From The Trash Pile”

Old Robotic Vacuum Gets A New RC Lease On Life

December 22, 2022 by 8 Comments

To our way of thinking, the whole purpose behind robotic vacuum cleaners is their autonomy. They’re not particularly good at vacuuming, but they are persistent about it, and eventually get the job done with as little human intervention as possible. So why in the world would you want to convert a robotic vacuum to radio control?

For [Lucas], the answer was simple: it was a $20 yard sale find, so why not? Plus, he’s got some secret evil plan to repurpose the suckbot for autonomous room mapping, which sounds like a cool project that would benefit from a thorough knowledge of this little fellow’s anatomy and physiology. The bot in question is a Hoover Quest. Like [Lucas] we didn’t know that Hoover made robotic vacuums (Narrator: they probably don’t) but despite generally negative online reviews by users, he found it to be a sturdily built and very modular and repairable unit.

After an initial valiant attempt at reverse engineering the bot’s main board — a project we encourage [Lucas] to return to eventually — he settled for just characterizing the bot’s motors and sensors and building his own controller. The Raspberry Pi Zero he chose may seem like overkill, but he already had it set up to talk to a PS4 game controller, so it made sense — right up until he released the Magic Smoke within it. A backup Pi took the sting out of that, and as the brief video below shows, he was finally able to get the bot under his command.

[Lucas] has more plans for his new little buddy, including integrating the original sensors and adding new ones. Given its intended mission, we’d say a lidar sensor would be a good addition, but that’s just a guess. Whatever he’s got in store for this, we’re keen to hear what happens.

Continue reading “Old Robotic Vacuum Gets A New RC Lease On Life”

The Story Behind The TVGuardian Curse Catcher

December 14, 2022 by 23 Comments

The recent flurry of videos and posts about the TVGuardian foul language filter brought back some fond memories. I was the chief engineer on this project for most of its lifespan. You’ve watched the teardowns, you’ve seen the reverse engineering, now here’s the inside scoop.

Gumby is Born

TVG Model 101 Gumby (Technology Connections)

Back in 1999, my company took on a redesign project for the TVG product, a box that replaced curse words in closed-captioning with sanitized equivalents. Our first task was to take an existing design that had been produced in limited volumes and improve it to be more easily manufactured.

The original PCB used all thru-hole components and didn’t scale well to large quantity production. Replacing the parts with their surface mount equivalents resulted in Model 101, internally named Gumby for reasons long lost. If you have a sharp eye, you will have noticed something odd about two parts on the board as shown in [Ben Eater]’s video. The Microchip PIC and the Zilog OSD chip had two overlapping footprints, one for thru-hole and one for SMD. Even though we preferred SMD parts, sometimes there were supply issues. This was a technique we used on several designs in our company to hedge our bets. It also allowed us to use a socketed ICs for testing and development. Continue reading “The Story Behind The TVGuardian Curse Catcher”

Getting Root On A Chinese IP Camera

December 12, 2022 by 67 Comments

With so many cheap network-connected devices out there being Linux-powered, it’s very tempting to try and hack into them, usually via a serial interface. This was the goal of [Andrzej Szombierski] when he purchased a cheap Chinese IP camera using an XM530 ARM-based SoC to explore and ultimately get root access on. This camera’s firmware provides the usual web interface on its network side, but it also has a UART on its PCB, courtesy of the unpopulated four-pin header.

Merely firing up a serial terminal application and connecting to this UART is not enough to get access, of course. The first obstacle that [Andrzej] struggled with was that U-Boot was configured to not output Linux kernel boot messages. After tackling that issue with some creative hacking, the next challenge was to figure out the root password, using a dump of the firmware image, which led to even more exploration of the firmware and the encoding used for the root password.

Even if some part of these challenges were possibly more accidental than on purpose by the manufacturer, it shows how these SoC-based Linux devices can put up quite a fight. This then leaves the next question, of what to do with such an IP camera after you have gained root access?

DIY Comparatron Helps Trace Tiny, Complex Objects

December 11, 2022 by 21 Comments

Hackers frequently find themselves reverse-engineering or interfacing to existing hardware and devices, and when that interface needs to be a physical one, it really pays to be able to take accurate measurements.

This is easy to do when an object is big enough to fit inside calipers, or at least straight enough to be laid against a ruler. But what does one do when things are complex shapes, or especially small? That’s where [Cameron]’s DIY digital optical comparator comes in, and unlike commercial units it’s entirely within the reach (and budget) of a clever hacker.

The Comparatron is based off a CNC pen plotter, but instead of a pen, it has a USB microscope attached with the help of a 3D-printed fixture. Serving as a background is an LED-illuminated panel, the kind useful for tracing. The physical build instructions are here, but the image should give most mechanically-minded folks a pretty clear idea of how it fits together.

Continue reading “DIY Comparatron Helps Trace Tiny, Complex Objects”

side by side, showing hardware experiments with capacitor gating through FETs, an initial revision of the modchip board with some fixes, and a newer, final, clean revision.

A Modchip To Root Starlink User Terminals Through Voltage Glitching

November 28, 2022 by 37 Comments

A modchip is a small PCB that mounts directly on a larger board, tapping into points on that board to make it do something it wasn’t meant to do. We’ve typically seen modchips used with gaming consoles of yore, bypassing DRM protections in a way that a software hacks couldn’t quite do. As software complexity and therefore attack surface increased on newer consoles, software hacks have taken the stage. However, on more integrated pieces of hardware, we’ll still want to return to the old methods – and that’s what this modchip-based hack of a Starlink terminal brings us.

[Lennert Wouters]’ team has been poking and prodding at the Starlink User Terminal, trying to get root access, and needed to bypass the ARM Trusted Firmware boot-time integrity checks. The terminal’s PCB is satellite-dish-sized, so things like laser fault injection are hard to set up – hence, they went the voltage injection route. Much poking and prodding later, they developed a way to reliably glitch the CPU into verifying a faulty firmware, and got to a root shell – the journey described in a BlackHat talk embedded below. Continue reading “A Modchip To Root Starlink User Terminals Through Voltage Glitching”