Reverse Engineering

297 Articles

Tricking A Smart Meter Into Working On The Bench

March 31, 2022 by 27 Comments

When the widget you’re working on is powered by a battery or a USB charger, running it on the bench is probably pretty safe. But when the object of your reverse-engineering desire is a residential electrical meter, things can get a little dicey.

Not that this elevated danger level has kept [Hash] from exploring the mysteries presented by smart meters. Still, with a desire to make things a little safer, he came up with a neat trick for safely powering electrical meters on the bench. [Hash] found that the internal switch-mode power supply on the meter backplane was easy enough to back-feed with a 12-volt bench supply, rather than supplying the meter with the full 240-volt AC supply it normally gets when plugged into a meter base (these are meters for the North American market, where split-phase 240-volt is the norm for residential connections.) But that wasn’t enough for the meter — it powered up, but stayed in a reset state without fully booting. Something more was needed to bring the meter fully to life.

That something proved to be a small AC signal. Normally, a resistor network divides the 240-volt supply down to about 3 volts, which is used by the sensing circuit in the meter. [Hash] found that injecting a 60-Hz, 600-mV sine wave signal with about a 3-volt DC bias into the sensing circuit was enough to spoof the meter into thinking it’s plugged into the meter base. The video below has a walkthrough of the hack, and some nice shots of the insides of the meters he’s been working with.

[Hash] has been working with these meters for a while now, and some of the stuff he’s learned is pure gold. Be sure to check out his 2021 Remoticon talk on meter hacking for all the fascinating details.

Continue reading “Tricking A Smart Meter Into Working On The Bench”

Version 1.8 of the 80386 ISA SBC in its assembled glory. (Credit: Alexandru Groza)

Building Your Own 80386DX ISA Single Board Microcomputer

March 30, 2022 by 36 Comments

Having grown up with 386-level systems during the early 90s like so many of us, [Alexandru Groza] experienced an intense longing to experience the nostalgia of these computer systems from an interesting angle: by building his own 80386DX-based single board computer. Courtesy of the 16-bit ISA form factor, the entire system fits into a 16-bit ISA backplane which then provides power and expansion slots for further functionality beyond what is integrated on the SBMC card.

Having started the project in 2019, it is now in the home stretch towards completion. Featuring an 80386DX and 80387DX FPU alongside 128 kB of cache and a grand total of 32 MB of RAM, an OPTi chipset was used to connect with the rest of the system alongside the standard 8042-class PS/2 keyboard and mouse controller. A large part of the fun of assembling such a system is that while the parts themselves are easy enough to obtain, finding datasheets is hard to impossible for some components.

Undeterred, some reverse-engineering of signaling on functional mainboards was sufficient to fill in the missing details. Helpfully, [Alexandru] provides the full schematics and BOM of the resulting board and takes us along with bootstrapping the system after obtaining the PCBs and components. After an initial facepalm moment due to an incorrectly inserted (and subsequently very dead) CPU and boot issues, ultimately [Alexandru] gave up on the v1.6 revision of the board

Fortunately the v1.8 revision with a logic analyzer led to a number of discoveries that has led to the system mostly working, minus what appears to be DMA-related issues. Even so, it is a remarkable achievement that demonstrates the complexity of these old systems.

Mockup of an LG SmartTV, showing the webOS logo, saying "debug status: DEBUG, SIGN Key: PRODKEY, Access USB Status: 0/100(C)", and showing a console prompt on the bottom.

What’s That AccessUSB Menu In My LG SmartTV?

March 30, 2022 by 23 Comments

One boring evening, [XenRE] was looking through service menus on their LG Smart TV (Russian, Google Translate), such menus accessible through use of undocumented IR remote codes. In other words, a fairly regular evening. They noticed an “Access USB Status” entry and thought the “Access USB” part looked peculiar. A few service manuals hinted that there’s a service mode you could access with an adapter made out of two back-to-back PL2303 USB-UART adapters – a few female-female jumper wires later, serial prompt greeted our hacker, and entering ‘debug’ into the prompt responded with some text, among it, “Access USB is NOT opened!!!”.

[XenRE] found the WebOS firmware for the TV online, encrypted and compressed into a proprietary LG .epk format, but liberated with an open-source tool. A few modules referred to AccessUSB there, and one detour into investigating and explaining WebOS USB vendor lock-in implementation later, they programmed an STM32 with the same VID and PID as the mythical AccessUSB device found in relevant WebOS modules decompiled with IDA. By this point, AccessUSB could safely be assumed to be a service mode dongle. The TV didn’t quite start beeping in a different pattern as we’d expect in a sci-fi movie, but it did notify about a “new USB device” – and started asking for a 6-symbol service menu password instead of a 4-symbol one. Continue reading “What’s That AccessUSB Menu In My LG SmartTV?”

The BluePill board used for this hack, wired to the DYMO RFID reader, after all the wires for this hack have been soldered onto the BluePill board.

#FreeDMO Gets Rid Of DYMO Label Printer DRM

March 30, 2022 by 51 Comments

DYMO 550 series printer marketing blurb says “The DYMO® LabelWriter® 550 Turbo label printer comes with unique Automatic Label Recognition™”, which, once translated from marketing-ese, means “this printer has DRM in its goshdarn thermal stickers”. Yes, DRM in the stickers that you typically buy in generic rolls. [FREEPDK] didn’t like that, either, and documents a #FreeDMO device to rid us of yet another consumer freedom limitation, the true hacker way.

The generic BluePill board and two resistors are all you need, and a few extra cables make the install clean and reversible – you could definitely solder to the DYMO printer’s PCBs if you needed, too. Essentially, you intercept the RFID reader connections, where the BluePill acts as an I2C peripheral and a controller at the same time, forwarding the data from an RFID reader and modifying it – but it can also absolutely emulate a predetermined label and skip the reader altogether. If you can benefit from this project’s discoveries, you should also take a bit of your time and, with help of your Android NFC-enabled phone, share your cartridge data in a separate repository to make thwarting future DRM improvements easier for all of us. Continue reading “#FreeDMO Gets Rid Of DYMO Label Printer DRM”

[Ken Shirriff] Takes A Bite Of The Apple-I

March 23, 2022 by 7 Comments

The Apple-I was a far cry from Apple’s later products. A $666 single-board computer, the product had some unique design features including using a shift register for video memory to save money. The shift registers of the day required high-current clock pulses that ranged from -11 to 5V and there was a DS0025 clock driver chip to handle the job. [Ken Shirriff] takes the unusual chip apart for us in a recent blog post.

The use of a shift register as memory isn’t a new idea. Really old computers like EDSAC used mercury delay lines as memory which was essentially a physical shift register. In those cases, the ALU and other processing only had to deal with a bit at a time, further simplifying things. For the Apple, there were seven shift registers to store 6-bits of display data and a cursor position. The 6 bits of character data drove — indirectly — a character generator ROM to convert the data into dots for the display.

Driving all those shift register flip flops requires a lot of clock current, so the DS0025 uses an unusual transistor design. There are 24 separate emitters in two groups. It acts like a large transistor, but you could also consider it as two 12-emitter transistors or 24 separate transistors in parallel. The metal wiring, interestingly enough, tapers because at the start of the conductor, the current for all 12 sub-transistors flows, but by the end, it is only the current for the last sub-transistor, so the conductor doesn’t have to be as wide. In addition, the two transistors have to have matched resistance which requires careful design so the transistors turn on at the same time.

The final result is an inverter that can provide 1.5 amps. This current helps overcome the relatively large capacitance in the shift register’s clock line. The clock rate was 1 MHz and the load capacitance was about 150 picofarads.

We enjoy [Ken’s] posts ranging from mysteries to space hardware. It is always interesting to see what is inside these devices or, at least, what was in the old devices we’ve all seen.

An assortment of MemoryStick cards and devices, some of them, arguably cursed, like a MemoryStick-slot-connected camera.

Hacker Challenges MemoryStick To A Fight And Wins

March 20, 2022 by 24 Comments

It’s amazing when a skilled hacker reverse-engineers a proprietary format and shares the nitty-gritty with everyone. Today is a day when we get one such write-up – about MemoryStick. It is one of those proprietary formats, a staple of Sony equipment, these SD-card-like storage devices were evidently designed to help pad Sony’s pockets, as we can see from the tight lock-in and inflated prices. As such, this format has always remained unapproachable to hackers. No more – [Dmitry Grinberg] is here with an extensive breakdown of MemoryStick protocol and internals.

If you ever want to read about a protocol that is not exactly sanely designed, from physical layer quirks to things like inexplicable large differences between MemoryStick and MemoryStick Pro, this will be an entertaining read for hackers of all calibers. Dmitry doesn’t just describe the bad parts of the design, however, as much as that rant is entertaining to read – most of the page is taken by register summaries, struct descriptions and insights, the substance about MemoryStick that we never got.

One sentence is taken to link to a related side project of [Dmitry] that’s a rabbithole on its own – he has binary patched MemoryStick drivers for PalmOS to add MemoryStick Pro support to some of the Sony Clie handhelds. Given the aforementioned differences between non-Pro and Pro standards, it’s a monumental undertaking for a device older than some of this site’s readers, and we can’t help but be impressed.

To finish the write-up off, [Dmitry] shares with us some MemoryStick bit-banging examples for the STM32. Anyone who ever wanted to approach MemoryStick, be it for making converter adapters to revive old tech, data recovery or preservation purposes, or simply hacker curiosity, now can feel a bit less alone in their efforts.

We are glad to see such great hacking on the MemoryStick front – it’s much needed, to the point where our only article mentioning MemoryStick is about avoiding use of the MemoryStick slot altogether. [Dmitry] is just the right person for reverse-engineering jobs like this, with extensive reverse-engineering history we’ve been keeping track of – his recent reverse-engineering journey of an unknown microcontroller in cheap E-Ink devices is to behold.

Modules described in the article (two copies of the challenge shown, so, two lines of modules)

Spaceship Repair CTF Covers Hardware Hacker Essentials

March 3, 2022 by 15 Comments

At even vaguely infosec-related conferences, CTFs are a staple. For KernelCon 2021, [Tyler Rosonke] resolved to create a challenge breaking the traditions, entertaining and teaching people in a different way, while satisfying the constraints of that year’s remote participation plans. His imagination went wild in all the right places, and a beautifully executed multi-step hardware challenge was built – only in two copies!

Story behind the challenge? Your broken spaceship has to be repaired so that you can escape the planet you’re stuck on. The idea was to get a skilled, seasoned hacker solving challenges for our learning and amusement – and that turned out to be none other than [Joe “Kingpin” Grand]!

The modules themselves are what caught our attention. Designed to cover a wide array of hardware hacker skills, they cover soldering, signal sniffing, logic gates, EEPROM dumping and more – and you have to apply all of these successfully for liftoff. If you thought “there’s gotta be a 555 involved”, you weren’t wrong, either, there’s a module where you have to reconfigure a circuit with one!

KernelCon is a volunteer-driven infosec conference in Omaha, and its 2022 installment starts in a month – we can’t wait to see what it brings! Anyone doing hardware CTFs will have something to learn from their stories, it seems. The hacking session, from start to finish, was recorded for our viewing pleasure; linked below as an hour and a half video, it should be a great background for your own evening of reverse-engineering for leisure!

This isn’t the first time we’ve covered [Tyler]’s handiwork, either. In 2020, he programmed a batch of KernelCon badges while employing clothespins as ISP clips. Security conferences have most certainly learned just how much fun you can have with hardware, and if you ever need a case study for that, our review of 2019 CypherCon won’t leave you hanging.

Continue reading “Spaceship Repair CTF Covers Hardware Hacker Essentials”