The BluePill board used for this hack, wired to the DYMO RFID reader, after all the wires for this hack have been soldered onto the BluePill board.

#FreeDMO Gets Rid Of DYMO Label Printer DRM

DYMO 550 series printer marketing blurb says “The DYMO® LabelWriter® 550 Turbo label printer comes with unique Automatic Label Recognition™”, which, once translated from marketing-ese, means “this printer has DRM in its goshdarn thermal stickers”. Yes, DRM in the stickers that you typically buy in generic rolls. [FREEPDK] didn’t like that, either, and documents a #FreeDMO device to rid us of yet another consumer freedom limitation, the true hacker way.

The generic BluePill board and two resistors are all you need, and a few extra cables make the install clean and reversible – you could definitely solder to the DYMO printer’s PCBs if you needed to, as well. Essentially, you intercept the RFID reader connections, where the BluePill acts as an I2C peripheral and a controller at the same time, forwarding the data from the RFID reader and modifying it – but it can also emulate a predetermined label and skip the reader altogether. If you can benefit from this project’s discoveries, you should also take a bit of your time and, with the help of your NFC-enabled Android phone, share your cartridge data in a separate repository to make thwarting future DRM improvements easier for all of us.

[Ken Shirriff] Takes A Bite Of The Apple-I

The Apple-I was a far cry from Apple’s later products. A $666 single-board computer, the product had some unique design features including using a shift register for video memory to save money. The shift registers of the day required high-current clock pulses that ranged from -11 to 5V and there was a DS0025 clock driver chip to handle the job. [Ken Shirriff] takes the unusual chip apart for us in a recent blog post.

The use of a shift register as memory isn’t a new idea. Really old computers like EDSAC used mercury delay lines as memory, which were essentially physical shift registers. In those cases, the ALU and other processing only had to deal with one bit at a time, further simplifying things. For the Apple, there were seven shift registers to store 6 bits of display data and a cursor position. The 6 bits of character data drove — indirectly — a character generator ROM to convert the data into dots for the display.

Driving all those shift register flip-flops requires a lot of clock current, so the DS0025 uses an unusual transistor design. There are 24 separate emitters in two groups. It acts like one large transistor, but you could also consider it as two 12-emitter transistors or 24 separate transistors in parallel. The metal wiring, interestingly enough, tapers: at the start of the conductor, the current for all 12 sub-transistors flows, but by the end, only the current for the last sub-transistor does, so the conductor doesn’t have to be as wide. In addition, the two transistors have to have matched resistance, which requires careful design so that they turn on at the same time.

The final result is an inverter that can provide 1.5 amps. This current helps overcome the relatively large capacitance in the shift register’s clock line. The clock rate was 1 MHz and the load capacitance was about 150 picofarads.

We enjoy [Ken’s] posts ranging from mysteries to space hardware. It is always interesting to see what is inside these devices or, at least, what was in the old devices we’ve all seen.

An assortment of MemoryStick cards and devices, some of them, arguably cursed, like a MemoryStick-slot-connected camera.

Hacker Challenges MemoryStick To A Fight And Wins

It’s amazing when a skilled hacker reverse-engineers a proprietary format and shares the nitty-gritty with everyone. Today is a day when we get one such write-up – about MemoryStick. It is one of those proprietary formats, a staple of Sony equipment; these SD-card-like storage devices were evidently designed to help pad Sony’s pockets, as we can see from the tight lock-in and inflated prices. As such, this format has always remained unapproachable to hackers. No more – [Dmitry Grinberg] is here with an extensive breakdown of the MemoryStick protocol and internals.

If you ever want to read about a protocol that is not exactly sanely designed, from physical layer quirks to things like the inexplicably large differences between MemoryStick and MemoryStick Pro, this will be an entertaining read for hackers of all calibers. Dmitry doesn’t just describe the bad parts of the design, however, as entertaining as that rant is to read – most of the page is taken up by register summaries, struct descriptions and insights, the substance about MemoryStick that we never got.

One sentence is taken to link to a related side project of [Dmitry]’s that’s a rabbit hole on its own – he has binary-patched MemoryStick drivers for PalmOS to add MemoryStick Pro support to some of the Sony Clie handhelds. Given the aforementioned differences between the non-Pro and Pro standards, it’s a monumental undertaking for a device older than some of this site’s readers, and we can’t help but be impressed.

To finish the write-up off, [Dmitry] shares with us some MemoryStick bit-banging examples for the STM32. Anyone who ever wanted to approach MemoryStick, be it for making converter adapters to revive old tech, for data recovery or preservation purposes, or simply out of hacker curiosity, can now feel a bit less alone in their efforts.

We are glad to see such great hacking on the MemoryStick front – it’s much needed, to the point where our only article mentioning MemoryStick is about avoiding use of the MemoryStick slot altogether. [Dmitry] is just the right person for reverse-engineering jobs like this, with an extensive reverse-engineering history we’ve been keeping track of – his recent reverse-engineering journey into an unknown microcontroller in cheap E-Ink devices is something to behold.

Modules described in the article (two copies of the challenge are shown, hence two rows of modules).

Spaceship Repair CTF Covers Hardware Hacker Essentials

At even vaguely infosec-related conferences, CTFs are a staple. For KernelCon 2021, [Tyler Rosonke] resolved to create a challenge breaking the traditions, entertaining and teaching people in a different way, while satisfying the constraints of that year’s remote participation plans. His imagination went wild in all the right places, and a beautifully executed multi-step hardware challenge was built – only in two copies!

Story behind the challenge? Your broken spaceship has to be repaired so that you can escape the planet you’re stuck on. The idea was to get a skilled, seasoned hacker solving challenges for our learning and amusement – and that turned out to be none other than [Joe “Kingpin” Grand]!

The modules themselves are what caught our attention. Designed to cover a wide array of hardware hacker skills, they cover soldering, signal sniffing, logic gates, EEPROM dumping and more – and you have to apply all of these successfully for liftoff. If you thought “there’s gotta be a 555 involved”, you weren’t wrong, either: there’s a module where you have to reconfigure a circuit with one!

KernelCon is a volunteer-driven infosec conference in Omaha, and its 2022 installment starts in a month – we can’t wait to see what it brings! Anyone doing hardware CTFs will have something to learn from their stories, it seems. The hacking session, from start to finish, was recorded for our viewing pleasure; linked below as an hour-and-a-half video, it should make a great backdrop for your own evening of reverse-engineering for leisure!

This isn’t the first time we’ve covered [Tyler]’s handiwork, either. In 2020, he programmed a batch of KernelCon badges while employing clothespins as ISP clips. Security conferences have most certainly learned just how much fun you can have with hardware, and if you ever need a case study for that, our review of 2019 CypherCon won’t leave you hanging.


Two revisions of Wenting's custom SSD board – the earlier revision on the left, the later, sleeker and more complete one on the right.

Custom SSD Gives New Life To Handheld Atom PC

People don’t usually go as far as [Wenting Zhang] has – designing a new IDE SSD board for a portable x86 computer made in 2006. That said, it’s been jaw-dropping to witness the astounding amount of reverse-engineering and design effort he casually handwaves away.

The Benq S6 is a small MID (Miniaturized Internet Device) with an Atom CPU, an x86 machine in all but looks. Its non-standard SSD’s two gigabytes of storage, however, heavily limit the OS choice – Windows XP would hardly fit on there, and while a small Linux distro could manage better, it’s, and we quote, “not as exciting”. A lot of people would stop there and use an external drive, or a stack of adapters necessitating unsightly modifications to the case – [Wenting] went further and shattered the “stack of adapters” stereotype with his design journey.

Tracing quite a few complex multi-layer boards into a unified and working schematic is no mean feat, especially with the SSD PCB hosting two BGA chips, and given the sheer number of pins in the IDE interface of the laptop’s original drive. Even the requirement for the SSD to be initialized didn’t stop him – a short fight with the manufacturer’s software ensued, but it was no match for [Wenting]’s skills. The end result is a drop-in replacement SSD even thinner than the stock one.

This project is well-documented for all of us to learn from! Source code and PCB files are on GitHub, and [Wenting] has covered the journey in three different places at once – on Hackaday.io, in a YouTube video embedded down below, and also on his Twitter in the form of regular posts. Now, having seen this happen, we all have one less excuse not to take up a project that seems this complex.

Hackers play with SSD upgrades and repurposing every now and then, sometimes designing proprietary-to-SATA adapters, and sometimes reusing custom SSD modules we’ve managed to get a stack of. If case mods are acceptable to you aesthetics-wise, we’ve seen an SSD upgrade for a Surface Pro 3 made possible that way.


Remoticon 2021: Unbinare Brings A Reverse-Engineering Toolkit Into Recycling

Unbinare is a small Belgian company at the forefront of hacking e-waste into something useful, collaborating with recycling and refurbishing companies. Reverse-engineering is a novel way to approach recycling, but it’s arguably one of the most promising ways that we are not trying at scale yet. At Hackaday Remoticon 2021, Maurits Fennis talked about Unbinare’s efforts in the field and presented us with a toolkit he has recently released as a part of his work, as well as described how his background as an artist has given him insights used to formulate foundational principles of Unbinare.

Image showing an Unbinare OI!STER board.

Unbinare’s tools are designed to work in harmony with each other, a requirement for any productive reverse-engineering effort. OI!STER is a general-purpose salvaged-MCU research board, with sockets to adapt to different TQFP chip sizes. This board is Maurits’s experience in reverse-engineering condensed into a universal tool, including a myriad of connectors for different programming/debugging interfaces. We don’t know the board’s full scope, but the pictures show an STM32 chip inside the TQFP socket, abundant everywhere except your online retailer of choice. Apart from all the ways to break out the pins, OI!STER has sockets for power and clock glitching, letting you target these two omnipresent Achilles’ heels with a tool like ChipWhisperer.


An image showing a water cooler PCB on the desk, with probes and jumper wires connected to it.

Taking Water Cooler UX Into Your Own Hands With Ghidra

Readers not aware of what Ghidra is might imagine some kind of aftermarket water cooler firmware or mainboard – a usual hacker practice with reflow ovens. What [Robbe Derks] did is no less impressive and inspiring: a water cooler firmware mod that adds hands-free water dispensing, without requiring any hardware mods or writing an alternative firmware from scratch.

Having disassembled the cooler, [Robbe] found a PIC18F6527 on the mainboard, and surprisingly, it didn’t have firmware readback protection. Even the lack of a PICkit didn’t stop him – he just used an Arduino to dump the firmware, with the dumper code shared for us to reuse and the resulting dumps available in the same repository.

From there, he brought in Ghidra to disassemble the code, documenting the process in a way we can all learn from and showing off the nifty tricks Ghidra has up its sleeve. Careful planning had to be done to decide which functions to hook and when, and where to locate all the extra logic so that there’s no undesirable interference between it and the main firmware, with an extra step taken to decompile the freshly-patched binary and verify that it looks workable before actually flashing the cooler with it.

The end result is a water cooler that works exactly as it ought to have worked, perhaps, if the people defining its user interaction principles were allowed to make it complex enough. We could argue whether this should have been a stock function at all, but either way, it is nice to know that we the hackers still have some of the power to make our appliances friendly — even when they don’t come with an OS. Certainly, every single one of us can think of an appliance long overdue for a usability boost like this. What are your examples?

We’ve covered quite a few Ghidra-involving hacks, but it never feels like we’ve had enough. What about patching an air quality meter to use Fahrenheit? Or another highly educational write-up on cracking GBA games? Perhaps, liberating a Linux-powered 4G router to reconfigure it beyond vendor-defined boundaries? If you have your own goal in mind and are looking to start your firmware reverse-engineering journey, we can say with certainty that you can’t go wrong with our HackadayU course on Ghidra.