Reverse Engineering

292 Articles

An assortment of MemoryStick cards and devices, some of them, arguably cursed, like a MemoryStick-slot-connected camera.

Hacker Challenges MemoryStick To A Fight And Wins

March 20, 2022 by 24 Comments

It’s amazing when a skilled hacker reverse-engineers a proprietary format and shares the nitty-gritty with everyone. Today is a day when we get one such write-up – about MemoryStick. It is one of those proprietary formats, a staple of Sony equipment, these SD-card-like storage devices were evidently designed to help pad Sony’s pockets, as we can see from the tight lock-in and inflated prices. As such, this format has always remained unapproachable to hackers. No more – [Dmitry Grinberg] is here with an extensive breakdown of MemoryStick protocol and internals.

If you ever want to read about a protocol that is not exactly sanely designed, from physical layer quirks to things like inexplicable large differences between MemoryStick and MemoryStick Pro, this will be an entertaining read for hackers of all calibers. Dmitry doesn’t just describe the bad parts of the design, however, as much as that rant is entertaining to read – most of the page is taken by register summaries, struct descriptions and insights, the substance about MemoryStick that we never got.

One sentence is taken to link to a related side project of [Dmitry] that’s a rabbithole on its own – he has binary patched MemoryStick drivers for PalmOS to add MemoryStick Pro support to some of the Sony Clie handhelds. Given the aforementioned differences between non-Pro and Pro standards, it’s a monumental undertaking for a device older than some of this site’s readers, and we can’t help but be impressed.

To finish the write-up off, [Dmitry] shares with us some MemoryStick bit-banging examples for the STM32. Anyone who ever wanted to approach MemoryStick, be it for making converter adapters to revive old tech, data recovery or preservation purposes, or simply hacker curiosity, now can feel a bit less alone in their efforts.

We are glad to see such great hacking on the MemoryStick front – it’s much needed, to the point where our only article mentioning MemoryStick is about avoiding use of the MemoryStick slot altogether. [Dmitry] is just the right person for reverse-engineering jobs like this, with extensive reverse-engineering history we’ve been keeping track of – his recent reverse-engineering journey of an unknown microcontroller in cheap E-Ink devices is to behold.

Modules described in the article (two copies of the challenge shown, so, two lines of modules)

Spaceship Repair CTF Covers Hardware Hacker Essentials

March 3, 2022 by 15 Comments

At even vaguely infosec-related conferences, CTFs are a staple. For KernelCon 2021, [Tyler Rosonke] resolved to create a challenge breaking the traditions, entertaining and teaching people in a different way, while satisfying the constraints of that year’s remote participation plans. His imagination went wild in all the right places, and a beautifully executed multi-step hardware challenge was built – only in two copies!

Story behind the challenge? Your broken spaceship has to be repaired so that you can escape the planet you’re stuck on. The idea was to get a skilled, seasoned hacker solving challenges for our learning and amusement – and that turned out to be none other than [Joe “Kingpin” Grand]!

The modules themselves are what caught our attention. Designed to cover a wide array of hardware hacker skills, they cover soldering, signal sniffing, logic gates, EEPROM dumping and more – and you have to apply all of these successfully for liftoff. If you thought “there’s gotta be a 555 involved”, you weren’t wrong, either, there’s a module where you have to reconfigure a circuit with one!

KernelCon is a volunteer-driven infosec conference in Omaha, and its 2022 installment starts in a month – we can’t wait to see what it brings! Anyone doing hardware CTFs will have something to learn from their stories, it seems. The hacking session, from start to finish, was recorded for our viewing pleasure; linked below as an hour and a half video, it should be a great background for your own evening of reverse-engineering for leisure!

This isn’t the first time we’ve covered [Tyler]’s handiwork, either. In 2020, he programmed a batch of KernelCon badges while employing clothespins as ISP clips. Security conferences have most certainly learned just how much fun you can have with hardware, and if you ever need a case study for that, our review of 2019 CypherCon won’t leave you hanging.

Continue reading “Spaceship Repair CTF Covers Hardware Hacker Essentials”

Two revisions of Wenting's custom SSD board - earlier revision on the left, later, sleeker and more complete, on the right.

Custom SSD Gives New Life To Handheld Atom PC

February 25, 2022 by 12 Comments

People don’t usually go as far as [Wenting Zhang] has – designing a new IDE SSD board for a portable x86 computer made in 2006. That said, it’s been jaw-dropping to witness the astounding amount of reverse-engineering and design effort being handwaved away.

The Benq S6 is a small MID (Miniaturized Internet Device) with an Atom CPU, an x86 machine in all but looks. Its non-standard SSD’s two gigabytes of storage, however, heavily limit the OS choice – Windows XP would hardly fit on there, and while a small Linux distro could manage better, it’s, and we quote, “not as exciting”. A lot of people would stop there and use an external drive, or a stack of adapters necessitating unsightly modifications to the case – [Wenting] went further and broke the “stack of adapters” stereotype into shards with his design journey.

Tracing quite a few complex multi-layer boards into a unified and working schematic is no mean feat, especially with the SSD PCB being a host to two BGA chips, and given the sheer amount of pins in the IDE interface of the laptop’s original drive. Even the requirement for the SSD to be initialized didn’t stop him – a short fight with the manufacturer’s software ensued, but was no match for [Wenting]’s skills. The end result is a drop-in replacement SSD even thinner than the stock one.

This project is well-documented for all of us to learn from! Source code and PCB files are on GitHub, and [Wenting] has covered the journey in three different places at once – on Hackaday.io, in a YouTube video embedded down below, and also on his Twitter in form of regular posts. Now, having seen this happen, we all have one less excuse to take up a project seemingly so complex.

Hackers play with SSD upgrades and repurposing every now and then, sometimes designing proprietary-to-SATA adapters, and sometimes reusing custom SSD modules we’ve managed to get a stack of. If case mods are acceptable to you aesthetics-wise, we’ve seen an SSD upgrade for a Surface Pro 3 made possible that way.

Continue reading “Custom SSD Gives New Life To Handheld Atom PC”

Remoticon 2021: Unbinare Brings A Reverse-Engineering Toolkit Into Recycling

January 6, 2022 by 5 Comments

Unbinare is a small Belgian company at the forefront of hacking e-waste into something useful, collaborating with recycling and refurbishing companies. Reverse-engineering is a novel way to approach recycling, but it’s arguably one of the most promising ways that we are not trying at scale yet. At Hackaday Remoticon 2021, Maurits Fennis talked about Unbinare’s efforts in the field and presented us with a toolkit he has recently released as a part of his work, as well as described how his background as an artist has given him insights used to formulate foundational principles of Unbinare.

Image showing an Unbinare OISTER boardUnbinare’s tools are designed to work in harmony with each other, a requirement for any productive reverse-engineering effort. OI!STER is a general-purpose salvaged MCU research board, with sockets to adapt to different TQFP chip sizes. This board is Maurits’s experience in reverse-engineering condensed into a universal tool, including a myriad of connectors for different programming/debugging interfaces. We don’t know the board’s full scope, but the pictures show an STM32 chip inside the TQFP socket, abundant everywhere except your online retailer of choice. Apart from all the ways to break out the pins, OI!STER has sockets for power and clock glitching, letting you target these two omnipresent Achilles’ heels with a tool like ChipWhisperer.

Continue reading “Remoticon 2021: Unbinare Brings A Reverse-Engineering Toolkit Into Recycling”

An image showing a water cooler PCB on the desk, with probes and jumper wires connected to it.

Taking Water Cooler UX Into Your Own Hands With Ghidra

January 2, 2022 by 12 Comments

Readers not aware of what Ghidra is might imagine some kind of aftermarket water cooler firmware or mainboard – a usual hacker practice with reflow ovens. What [Robbe Derks] did is no less impressive and inspiring:  A water cooler firmware mod that adds hands-free water dispensing, without requiring any hardware mods or writing an alternative firmware from scratch.

Having disassembled the cooler, [Robbe] found a PIC18F6527 on the mainboard, and surprisingly, it didn’t have firmware readback protection. Even lack of a PICkit didn’t stop him – he just used an Arduino to dump the firmware, with the dumper code shared for us to reuse, and the resulting dumps available in the same repository.

From there, he involved Ghidra to disassemble the code, while documenting the process in a way we can all learn from, and showing off the nifty tricks Ghidra has up its sleeves. Careful planning had to be done to decide which functions to hook and when, where to locate all the extra logic so that there’s no undesirable interference between it and the main firmware, and an extra step taken to decompile the freshly-patched binary to verify that it looks workable before actually flashing the cooler with it.

The end result is a water cooler that works exactly as it ought to have worked, perhaps, if the people defining its user interaction principles were allowed to make it complex enough. We could argue whether this should have been a stock function at all, but either way, it is nice to know that we the hackers still have some of the power to make our appliances friendly — even when they don’t come with an OS. Certainly, every single one of us can think of an appliance long overdue for a usability boost like this. What are your examples?

We’ve covered quite a few Ghidra-involving hacks, but it never feels like we’ve had enough. What about patching an air quality meter to use Fahrenheit? Or another highly educational write-up on cracking GBA games? Perhaps, liberating a Linux-powered 4G router to reconfigure it beyond vendor-defined boundaries? If you have your own goal in mind and are looking to start your firmware reverse-engineering journey, we can say with certainty that you can’t go wrong with our HackadayU course on Ghidra.