How Star Trek Breached The Defences Of A Major Broadcaster

April 1, 2024 by Jenny List 40 Comments

Back in 2020 in the brief lull between COVID lockdowns in the UK, I found myself abruptly on the move, with a very short time indeed to move my possessions into storage. As I was going through the accumulated electronic detritus of over four decades, I happened upon a grey box with some wires hanging out of it, and more than a few memories. This was a Sky VideoCrypt decoder, and the wires were part of the so-called “Season” interface to attach it to the serial port of a PC. It had this modification in the hope of catching some unauthorised free satellite TV, and in its day this particular hack caused some headaches for the broadcaster.

When More Than 4 Channels Was A Novelty

Patrick Stewart, as Captain Jean-Luc Picard. Composite image, via Wikimedia commons. — Break encryption? This man can make it so. Stefan Kühn, CC BY-SA 3.0.

In the 1980s and early 1990s, there was very little in the way of digital broadcasting on either satellites or terrestrial networks, almost everything on TV was sent out as standard definition analogue video. The four terrestrial channels where I grew up were all free-to-air, and if you had a satellite dish you could point it at any one of a variety of satellites and receive more free-to-air channels if you didn’t mind most of them being in German. Premium satellite programming was encrypted though, either through a range of proprietary analogue schemes, or for the British broadcaster Sky’s offering, through their VideoCrypt system. This used a 64 kB buffer to store each line of video, and rotate it round any one of 256 points along its length, resulting in an unintelligible picture.

Sky was the UK’s big gorilla of premium broadcasters, a role they kept for many years, and which was only eroded by the advent of streaming services. As such they snapped up exclusive first access to much of the most desirable content of the day, restricting it to only their British pay-to-subscribe customers. A viewer in the UK who grumbled about Star Trek Next Generation not being on the BBC could at least cough up for Sky, but if they didn’t have a British address they were out of luck. It was in this commercial decision, whether it was based upon business or on licensing, that Sky unwittingly sowed the seeds of Videocrypt’s demise.

Continue reading “How Star Trek Breached The Defences Of A Major Broadcaster” →

The Intel 8088 And 8086 Processor’s Instruction Prefetch Circuitry

March 28, 2024 by Maya Posch 15 Comments

The 8088 die under a microscope, with main functional blocks labeled. This photo shows the chip's single metal layer; the polysilicon and silicon are underneath. (Credit: Ken Shirriff) — The 8088 die under a microscope, with main functional blocks labeled. This photo shows the chip’s single metal layer; the polysilicon and silicon are underneath. (Credit: Ken Shirriff)

Cache prefetching is what allows processors to have data and/or instructions ready for use in a fast local cache rather than having to wait for a fetch request to trickle through to system RAM and back again. The Intel 8088 (and its big brother 8086) processor was among the first microprocessors to implement (instruction) prefetching in hardware, which [Ken Shirriff] has analyzed based on die images of this famous processor. This follows last year’s deep-dive into the 8086’s prefetching hardware, with (unsurprisingly) many similarities between these two microprocessors, as well as a few differences that are mostly due to the 8088’s cut-down 8-bit data bus.

While the 8086 has 3 16-bit slots in the instruction prefetcher the 8088 gets 4 slots, each 8-bit. The prefetching hardware is part of the Bus Interface Unit (BIU), which effectively decouples the actual processor (Execution Unit, or EU) from the system RAM. While previous MPUs would be fully deterministic, with instructions being loaded from RAM and subsequently executed, the 8086 and 8088’s prefetching meant that such assumptions no longer were true. The added features in the BIU also meant that the instruction pointer (IP) and related registers moved to the BIU, while the ringbuffer logic around the queue had to somehow keep the queueing and pointer offsets into RAM working correctly.

Even though these days CPUs have much more complicated, multi-level caches that are measured in kilobytes and megabytes, it’s fascinating to see where it all began, with just a few bytes and relatively straight-forward hardware logic that you easily follow under a microscope.

Generator Control Panel Unlocked With Reverse Engineering Heroics

March 11, 2024 by Dan Maloney 11 Comments

Scoring an interesting bit of old gear on the second-hand market is always a bit of a thrill — right up to the point where you realize the previous owner set some kind of security code on it. Then it becomes a whole big thing to figure out, to the point of blunting the dopamine hit you got from the original purchase.

Fear not, though, because there’s dopamine aplenty if you can copy what [Buy it Fix it] did to decode the PIN on a used generator control panel. The panel appears to be from a marine generator, and while it powered up fine, the menu used to change the generator’s configuration options is locked by a four-digit PIN. The manufacturer will reset it, but that requires sending it back and paying a fee, probably considerable given the industrial nature of the gear.

Instead of paying up, [Buy it Fix it] decided to look for a memory chip that might store the PIN. He identified a likely suspect, a 24LC08B 8-Kb serial EEPROM, and popped it off to read its contents. Nothing was immediately obvious, but blanking the chip and reinstalling it cleared the PIN, so he at least knew it was stored on the chip. Many rounds of soldering and desoldering the chip followed, blanking out small sections of memory each time until the PIN was located. The video below edits out a lot of the rework, but gives the overall gist of the hack.

To be honest, we’re not sure if the amount of work [Buy it Fix it] put into this was less than taking a couple of hours to punch in PINs and brute-force it. Then again, if he hadn’t done the reverse engineering he wouldn’t have stumbled upon where the generator parameters like running time and power figures were stored. And it’s not really his style, either; we’ve seen him perform similar heroics on everything from tractors to solar inverters, after all.

Continue reading “Generator Control Panel Unlocked With Reverse Engineering Heroics” →

Phenolic board from an RC car - a well-known sight for a hacker

Pairing A New Remote To A Cheap RC Car

March 8, 2024 by Arya Voronova 10 Comments

The cheap little RC cars are abundant anywhere you are, and if you’ve ever disassembled one, you are familiar with how the PCB looks. A single-sided phenolic paper PCB with a mystery chip driving a bunch of through-hole transistors, a sprinkle of through-hole capacitors, and a few supporting components for the wire antenna. It might not feel reusable, but [Chris Jones] begs to differ, with a Twitter thread showing us how he’s paired a scrap board from one RC car with a remote control from another, all to help a little family project.

These mystery ICs turn out to be RC-car-on-a-chip modules, and Chris lucked out in that his IC has a detailed datasheet available, complete with code pulse examples for different commands. The datasheet for the chip in the remote control is nowhere to be found, though, so we have to dig deeper. How about scoping the RF output? Turns out the supported codes between the two ICs are basically identical! The scrap board wouldn’t move any motors though, so it was time to narrow down the issue.

The RC car board has a 128KHz oscillator, and scoping that has shown the issue – it was producing 217KHz for some reason. It turned out that the oscillator’s load resistor was 100 kiloohms instead of recommended 200k, and switching that put it back on course. We would assume that, wherever the original remote control for that car is, it is similarly mis-tuned, or otherwise the RC car could never have worked.

Through sheer luck and tactical application of an oscilloscope, the RC car moves again, paired to a remote it was never meant to be, and the family project moves forward. Got a RC car, but no remote? Perhaps a HackRF can help.

Gaming On A TP-Link TL-WDR4900 Wireless Router

March 5, 2024 by Maya Posch 18 Comments

When you look at your home router, the first thought that comes to mind probably isn’t about playing games on it. But that doesn’t stop [Manawyrm] and [tSYS] from taking on the task of turning the 2013-era TP-Link TL-WDR4900 router into a proper gaming machine using an external GPU. This is made possible by the PCIe lanes on the mainboard, courtesy of the PowerPC-based SoC (NXP QorIQ P1014) and remappable Base Address Registers (BARs). This router has been an OpenWRT-favorite for years due to its powerful hardware and feature set.

This mod required a custom miniPCIe PCB that got connected to the PCIe traces (after cutting the connection with the Atheros WiFi chipset). This allowed an external AMD Radeon HD 7470 GPU to be connected to the system, which showed up in OpenWRT. To make full use of this hardware by gaining access to the AMD GPU driver, full Debian Linux was needed. Fortunately, the distro had a special PowerPCSPE port that supports the e500v2 CPU core in the SoC. After this it was found that the amdgpu driver has issues on 32-bit platforms, for which an issue ticket got filed.

Using the legacy Radeon driver helped to overcome this issue, but then it was found that the big endian nature of the CPU tripped up the Grand Theft Auto: Vice City game code which has not been written with BE in mind. This took a lot of code patching to help fix this, but eventually the game was up and running, albeit with glitches. Whatever the cause of these graphical glitches was will remain unknown, as after updating everything things began to work normally.

So now it’s possible to convert a 2013-era router into a gaming console after patching in an external GPU, which actually could be useful in keeping more potential e-waste out of landfills.

Continue reading “Gaming On A TP-Link TL-WDR4900 Wireless Router” →

Hacking An Actual WiFi Toothbrush With An ESP32-C3

March 5, 2024 by Maya Posch 15 Comments

Following on the heels of a fortunately not real DDoS botnet composed of electric toothbrushes, [Aaron Christophel] got his hands on a sort-of-electric toothbrush which could totally be exploited for this purpose.

Evowera Planck Mini will never gonna give you up, never let you down. (Credit: Aaron Christophel)

The Evowera Planck Mini which he got is the smaller, children-oriented version of the Planck O1 (a more regular electric toothbrush). Both have a 0.96″ color LC display, but the O1 only has Bluetooth and requires a smartphone app. Meanwhile the Mini uses a pressure sensor for the brush along with motion sensors to keep track of the child’s teeth brushing efforts and to provide incentives.

The WiFi feature of the Mini appears to be for both firmware updates as well as to allow parents to monitor the brushing reports of their offspring in the associated smartphone app. With this feature provided by the ESP32-C3 SoC inside the device, the question was how secure it is.

As it turns out not very secure, with [Aaron] covering the exploit in a Twitter thread. As exploits go, it’s pretty straightforward: the toothbrush tries to connect to a default WiFi network (SSID evowera, pass 12345678), tries to acquire new firmware, and flashes this when found without any fuss. [Aaron] made sure to figure out the pin-out on the PCB inside the device as well, opening up new avenues for future hacking.

We’re great fans of [Aaron] and his efforts to breathe new life into gadgets through firmware hacking. His replacement firmware for the Xiaomi LYWSD03MMC Bluetooth thermometer is one of the best we’ve seen.

Continue reading “Hacking An Actual WiFi Toothbrush With An ESP32-C3” →

The FPC adapter shown soldered between the BGA chip and the phone's mainboard, with the phone shown to have successfully booted, displaying an unlock prompt on the screen

IPhone 6S NVMe Chip Tapped Using A Flexible PCB

March 3, 2024 by Arya Voronova 3 Comments

Psst! Hey kid! Want to reverse-engineer some iPhones? Well, did you know that modern iPhones use PCIe, and specifically, NVMe for their storage chips? And if so, have you ever wondered about sniffing those communications? Wonder no more, as this research team shows us how they tapped them with a flexible printed circuit (FPC) BGA interposer on an iPhone 6S, the first iPhone to use NVMe-based storage.

The research was done by [Mohamed Amine Khelif], [Jordane Lorandel], and [Olivier Romain], and it shows us all the nitty-gritty of getting at the NVMe chip — provided you’re comfortable with BGA soldering and perhaps got an X-ray machine handy to check for mistakes. As research progressed, they’ve successfully removed the memory chip dealing with underfill and BGA soldering nuances, and added an 1:1 interposer FR4 board for the first test, that proved to be successful. Then, they made an FPC interposer that also taps into the signal and data pins, soldered the flash chip on top of it, successfully booted the iPhone 6S, and scoped the data lines for us to see.

This is looking like the beginnings of a fun platform for iOS or iPhone hardware reverse-engineering, and we’re waiting for further results with bated breath! This team of researchers in particular is prolific, having already been poking at things like MITM attacks on I2C and PCIe, as well as IoT device and smartphone security research. We haven’t seen any Eagle CAD files for the interposers published, but thankfully, most of the know-how is about the soldering technique, and the paper describes plenty. Want to learn more about these chips? We’ve covered a different hacker taking a stab at reusing them before. Or perhaps, would you like to know NVMe in more depth? If so, we’ve got just the article for you.

We thank [FedX] for sharing this with us on the Hackaday Discord server!