Here’s A Spy Movie-Grade Access Card Sniffing Implant

March 3, 2025 by Arya Voronova 17 Comments

Some of our devices look like they’re straight out of hacker movies. For instance, how about a small board you plant behind an RFID reader, collecting access card data and then replaying it when you next walk up the door? [Jakub Kramarz] brings us perhaps the best design on the DIY market, called The Tick – simple, flexible, cheap, tiny, and fully open-source.

Take off the reader, tap into the relevant wires and power pins (up to 25V input), and just leave the board there. It can do BLE or WiFi – over WiFi, you get a nice web UI showing you the data collected so far, and letting you send arbitrary data. It can do Wiegand like quite a few open-source projects, but it can also do arbitrary clock+data protocols, plus you can just wire it up quickly, and it will figure out the encoding.

We could imagine such a board inside a Cyberpunk DnD rulebook or used in Mr Robot as a plot point, except that this one is real and you can use it today for red teaming and security purposes. Not to say all applications would be NSA-catalog-adjacent pentesting – you could use such a bug to reverse-engineer your own garage door opener, for one.

A picture of the Alarmo running a tweaked firmware, showing a theme with (Debug) added to its name, obviously a firmware modification

Making The Alarmo Customizable, By Any Means Necessary

March 2, 2025 by Arya Voronova 6 Comments

Last year, Nintendo has released the Alarmo, a bedside-style alarm clock with a colourful display. Do you own one? You deserve full control over your device, of course. [KernelEquinox] has been reverse-engineering an Alarmo ever since getting one, and there’s no shortage of cool stuff you’ll be able to do with an Alarmo thanks to this work.

Now, just how can you improve upon the Alarmo? Looking through the Alarmo dev community site and threads on the subreddit, there are plenty of ideas, from themes to a ton of possible behaviour tweaks! In particular, Nintendo has already changed Alarmo’s behaviour in a way that is jarring to some users – a third-party development community will help us all make sure our Alarmos work exactly like we expect them to. Want to replace the sound files, tie your Alarmo into your smart home setup, write your apps, tweak the UI or default behaviour, fix a bug that irks you real bad, or access a debug menu? Or, ensure that Alarmo doesn’t contribute to light pollution in your room? All appears to be doable.

Like the Alarmo, but don’t own one yet? They’re limited-release for now, but it will be more widely available this March; we thank [KernelEquinox] for the work in making Alarmo hacker-friendly. If you’ve forgotten, this project started off thanks to the efforts of [Gary] last year. We covered it back then — cat pictures included!

The Bus Pirate 5 Sure Can Glitch

March 1, 2025 by Arya Voronova 2 Comments

Own a Bus Pirate 5? Now, it can do power glitching, thanks to [Matt Brugman’s] demo and contributions to the stock code. This is also a great demo of Bus Pirate’s capabilities and programmability! All you need is the Bus Pirate and a generic Arduino – load a glitch-vulnerable code example into the Arduino, get yourself a generic FET-based glitching setup, and you too can play.

The Arduino board outputs data over UART, and that’s used as a trigger for the Bus Pirate’s new glitch feature – now mainline, thanks to [Matt]’s pull request. It’s pretty feature-complete, too — all parameters are configurable, it can vary the glitching interval, as one would want, and the code checks for success conditions so that it can retry glitching automatically.

In this demo, it only took six consecutive attempts to successfully glitch the ATMega328P – wouldn’t you know it, the code that got glitched was pulled almost wholesale from an IoT device. Glitching remains an underappreciated vector for reverse-engineering, and there’s really no shortage of hacks it allows you to do – get yourself a FET, a Bus Pirate, or maybe just an ESP8266, and join the glitching-aware hackers club!

Want to know more about the Bus Pirate 5? Check out our hands-on review of the hacker multi-tool from last year.

Reverse-Engineering SKS Airspy Tire Pressure Sensors For Custom Firmware

February 25, 2025 by Maya Posch 17 Comments

Although a somewhat common feature on cars these days, tire pressure sensors (TPS) are also useful on bicycles. The SKS Airspy range of TPS products is one such example, which enables remote monitoring of the air pressure either to a special smartphone app (SKS MYBIKE) or to a Garmin device. Of course, proprietary solutions like this require reverse-engineering to liberate the hardware from nasty proprietary firmware limitations, which is exactly what [bitmeal] did with a custom firmware project.

Rather than the proprietary and closed communication protocol, the goal was to use the open ANT+ sensor instead, specifically the (non-certified) TPS profile which is supported by a range of cycling computers. Before this could happen the Airspy TPS hardware had to be first reverse-engineered so that new firmware could be developed and flashed. These devices use the nRF52832 IC, meaning that development tools are freely available. Flashing the custom firmware requires gaining access to the SWD interface, which will very likely void the warranty on a $160 – 240 device.

The SWD programmer is then attached to the 1.27 mm spaced SWD holes per the instructions on the GitHub page. After flashing the provided .hex file you can then connect to the TPS as an ANT+ device, but instructions are also provided for developing your own firmware.

Close up of a custom optical HDMI cable on a desk

Let There Be Light: The Engineering Of Optical HDMI

February 18, 2025 by Heidi Ulrich 15 Comments

In a recent video, [Shahriar] from The Signal Path has unveiled the intricate design and architecture of optical HDMI cables, offering a cost-effective solution to extend HDMI 2.0 connections beyond the limitations of traditional copper links. This exploration is particularly captivating for those passionate about innovative hardware hacks and signal transmission technologies.

[Shahriar] begins by dissecting the fundamentals of HDMI high-speed data transmission, focusing on the Transition Minimized Differential Signaling (TMDS) standard. He then transitions to the challenges of converting from twisted-pair copper to optical lanes, emphasizing the pivotal roles of Vertical-Cavity Surface-Emitting Lasers (VCSELs) and PIN photodiodes. These components are essential for transforming electrical signals into optical ones and vice versa, enabling data transmission over greater distances without significant signal degradation.

A standout aspect of this teardown is the detailed examination of the optical modules, highlighting the use of free-space optics and optical confinement techniques with lasers and detectors. [Shahriar] captures the eye diagram of the received high-speed lane and confirms the VCSELs’ optical wavelength at 850 nm. Additionally, he provides a microscopic inspection of the TX and RX chips, revealing the intricate VCSEL and photodetector arrays. His thorough analysis offers invaluable insights into the electronic architecture of optical HDMI cables, shedding light on the complexities of signal integrity and the innovative solutions employed to overcome them.

For enthusiasts eager to take a deeper look into the nuances of optical HDMI technology, [Shahriar]’s comprehensive teardown serves as an excellent resource. It not only gives an insight in the components and design choices involved, but also inspires further exploration into enhancing data transmission methods.

Continue reading “Let There Be Light: The Engineering Of Optical HDMI” →

Upgrading RAM On A Honda Infotainment System

February 10, 2025 by Maya Posch 5 Comments

Car infotainment systems somehow have become a staple in today’s automobiles, yet when it comes down to it they have all the elegance of a locked-down Android tablet. In the case of the Honda infotainment system that [dosdude1] got from a friend’s 2016/2017-era Honda Accord, it pretty much is just that. Powered by a dual-core Cortex-A15 SoC, it features a blazin’ 1 GB of RAM, 2 GB of storage and runs Android 4.2.2. It’s also well-known for crashing a lot, which is speculated to be caused by Out-of-RAM events, which is what the RAM upgrade is supposed to test.

After tearing down the unit and extracting the main board with the (Renesas) SoC and RAM, the SoC was identified as being an automotive part dating back to 2012. The 1 GB of RAM was split across two Micron-branded packages, leaving one of the memory channels on the SoC unused and not broken out. This left removing the original RAM chips to check what options the existing pads provided, specifically potential support for twin-die chips, but also address line 15 (A15). Unfortunately only the A15 line turned out to be connected.

This left double capacity (1 GB) chips as the sole option, meaning a total of 2 GB of RAM. After installation the infotainment system booted up, but only showed 1 GB installed. Cue hunting down the right RAM config bootstrap resistor, updating the boot flags and updating the firmware to work around the LINEOWarp hibernation image that retained the 1 GB configuration. Ultimately the upgrade seems to work, but until the unit is reinstalled in the car and tested it’s hard to say whether it fixes the stability issues.

Thanks to [Dylan] for the tip.

Continue reading “Upgrading RAM On A Honda Infotainment System” →

Hacking The 22€ BLE SR08 Smart Ring With Built-In Display

February 5, 2025 by Maya Posch 29 Comments

In the process of making everything ‘smart’, it would seem that rings have become the next target, and they keep getting new features. The ring that [Aaron Christophel] got his mittens on is the SR08, which appears to have been cloned by many manufacturers at this point. It’s got an OLED display, 1 MB Flash and a Renesas DA14585 powering it from a positively adorable 16 mAh LiPo battery.

The small scale makes it an absolute chore to reverse-engineer and develop with, which is why [Aaron] got the €35 DA14585 development kit from Renesas. Since this dev kit only comes with a 256 kB SPI Flash chip, he had to replace it with a 1 MB one. The reference PDFs, pinouts and custom demo firmware are provided on his GitHub account, all of which is also explained in the video.

Rather than hack the ring and destroy it like his first attempts, [Aaron] switched to using the Renesas Software Update OTA app to flash custom firmware instead. A CRC error is shown, but this can be safely ignored. The ring uses about 18 µA idle and 3 mA while driving the display, which is covered in the provided custom firmware for anyone who wants to try doing something interesting with these rings.

Continue reading “Hacking The 22€ BLE SR08 Smart Ring With Built-In Display” →