The Internet – On A Casio Calculator!

Over the years we’ve become used to seeing some impressive hacks of high-end calculator software and hardware, most often associated with the Z80-based models from Texas Instruments. But of course, TI are far from the only player in this arena. It’s nice for a change to see a Casio receiving some attention. The Casio fx series of graphical calculators can now communicate with the world, thanks to the work of [Manawyrm] in porting a TCP/IP stack to them.

As can be seen in the video below, lurking in the calculator’s menu system is an IRC client. There is also a terminal application and a webserver which you can even visit online (please be aware that it’s only a calculator though, so an onslaught of Hackaday readers clicking the link may bring it down). The Casio doesn’t have a network interface of its own, so instead it speaks SLIP over the serial port. In this endeavor, it uses a UART driver sourced from [TobleMiner].

It’s always good to see a neglected platform get some love, and also to note that this is an unusual outing for an SH4 CPU outside its most familiar home in the Sega Dreamcast. It’s a surprise then to read that the SH4 in a calculator, of all products, is a custom version that lacks an FPU. This deficiency doesn’t mean it can’t be overclocked though, as this very old Hackaday article describes.

Cracking A GBA Game With NSA Tools

[Wrongbaud] is a huge fan of Japanese kaiju-style movies, including Godzilla and King Kong. In honor of the release of a new movie, he has decided to tackle a few projects to see how both of these monsters can hold their own against other legendary monsters. In this project, he is using Ghidra, named after another legendary kaiju, against the password system of the Game Boy Advance game Kong: King of Atlantis.

Since this project is a how-to, [wrongbaud] shows how to search Ghidra for existing scripts that might already have the functionality needed for GBA analysis and emulation. Where none exist, he also illustrates how to write scripts to automate code analysis, and then moves on to cracking the level password system on the game.

The key to finding the passwords on this game was looking for values in the code that were seven characters long, and after some searching [wrongbaud] is finally able to zero in on the code responsible for handling passwords. Once it was found, a brute force method was automated to find viable passwords, and from there the game was officially pwned. For anyone interested in security, reverse engineering, or just the way that binaries work, it’s quite the detailed breakdown. Of course, it’s not the only example we have seen that uses this software tool to extract passwords.

You Are Doomed To Learn WebAssembly

At first, Web browsers displayed HTML pages. But then people wanted those pages to do something. So we got — among other things — JavaScript. Then people wanted to do super complicated and compute-intensive things. So now we have WebAssembly. If you want to learn it, [diekmann] has a 4-part series that covers everything from getting started to porting Doom into your browser.

Paradoxically, instead of using a browser, he uses the wasm binary toolkit to run code more like a standard assembler. And wasm — what most people call WebAssembly — isn’t like most assemblers you know. Instead of labels, there are blocks that work much more like high-level language constructs such as while loops in C.

Using Ghidra To Extract A Router Configuration Encryption Key

Who doesn’t know the struggle? Buying an interesting piece of hardware for a song and a dance, and then finding that the device’s firmware and/or configuration file is locked down with various encryption or obfuscation methods. This was the experience [Ali Raheem] had when he got a TP-Link TL-MR3020 V3 for a mere 18 British Pounds, intending to use this 4G-capable router to increase internet reliability.

Naturally this can all be done when staying inside the vendor-provided marked lines, which in this case meant ignoring the encrypted configuration files. As the owner of the hardware, this was of course unacceptable and thus [Ali] got a firmware image from the TP-Link site to see what could be gleaned from it in terms of encryption keys and other hints.

With the TP-Link-provided BIN file in hand, binwalk helpfully extracted the files embedded in it, followed by John the Ripper cracking the passwords in the /etc/passwd.bak file, and ultimately finding the encrypted /etc/default_config.xml file. Searching for this filename string in the rest of the extracted files led to /lib/libcmm.so.

Dropping this shared library file into Ghidra to disassemble its code, [Ali] found a function suspiciously called decryptFile. Inside was a reference to the global key string, which when tossed into OpenSSL and after some fiddling turned out to decrypt the XML configuration file in des-ecb mode. From this point dropping in one’s own configuration files should be no problem after encrypting them to make the firmware happy. Nice work!

ESP32 Turned Handy SWD Flasher For NRF52 Chips

Got an nRF52 or nRF51 device you need to flash? Got an ESP32 lying around collecting dust? If so, then firmware hacking extraordinaire [Aaron Christophel] has the open source code you need. His new project allows the affordable WiFi-enabled microcontroller to read and write to the internal flash of Nordic nRF52 series chips via their SWD interface. As long as you’ve got some jumper wires and a web browser, you’re good to go.

In the first video below [Aaron] demonstrates the technique with the PineTime smartwatch, but the process will be more or less the same regardless of what your target device is. Just connect the CLK and DIO lines to pins GPIO 21 and GPIO 19 of the ESP32, point your web browser to its address on the local network, and you’ll be presented with a straightforward user interface for reading and writing the chip’s flash.

As demonstrated in the second video, with a few more wires and a MOSFET, the ESP32 firmware is also able to perform a power glitch exploit on the chip that will allow you to read the contents of its flash even if the APPROTECT feature has been enabled. [Aaron] isn’t taking any credit for this technique though, pointing instead to the research performed by [LimitedResults] to explain the nuts and bolts of the attack.

We’re always excited when a message from [Aaron] hits the inbox, since more often than not it means another device has received an open source firmware replacement. From his earlier work with cheap fitness trackers to his wildly successful Bluetooth environmental sensor hacking, we don’t think this guy has ever seen a stock firmware that he didn’t want to immediately send to /dev/null.

SMART Response XE Turned Pocket BASIC Playground

Ever since the SMART Response XE was brought to our attention back in 2018, we’ve been keeping a close lookout for projects that make use of the Arduino-compatible educational gadget. Admittedly it’s taken a bit longer than we’d expected for the community to really start digging into the capabilities of the QWERTY handheld, but occasionally we see an effort like this port of BASIC to the SMART Response XE by [Dan Geiger] that reminds us of why we were so excited by this device to begin with.

This project combines the SMART Response XE support library by [Larry Bank] with Tiny BASIC Plus, which itself is an update of the Arduino BASIC port by [Michael Field]. The end result is a fun little BASIC handheld that has all the features and capabilities you’d expect, plus several device-specific commands that [Dan] has added such as BATT to check the battery voltage and MSAVE/MLOAD which will save and load BASIC programs to EEPROM.

To install the BASIC interpreter to your own SMART Response XE, [Dan] goes over the process of flashing it to the hardware using an AVR ISP MkII and a few pogo pins soldered to a bit of perfboard. There are holes under the battery door of the device that expose the programming pads on the PCB, so you don’t even need to crack open the case. Although if you are willing to crack open the case, you might as well add in a CC1101 transceiver so the handy little device can double as a spectrum analyzer.

The Great Windows 11 Computer Extinction Experiment

There was a time when a new version of Windows was a really big deal, such as the launch of Windows 95, for which the tones of the Rolling Stones’ Start Me Up could be heard across all manner of media outlets. Gradually over the years this excitement has petered out, finally leaving us with Windows 10 that would, we were told, be the last ever version of the popular operating system and thence only receive continuous updates.

But here we are in 2021, and a new Windows has been announced. Windows 11 will be the next latest and greatest from Redmond, but along with all the hoopla there has been an undercurrent of concern. Every new OS comes with a list of hardware requirements, but those for Windows 11 seem to go beyond the usual in their quest to cull older hardware. Aside from requiring Secure Boot and a Trusted Platform Module that’s caused a run on the devices, they’ve struck a load of surprisingly recent processors including those in some of their current Surface mobile PCs off their supported list, and it’s reported that they will even require laptops to have front-facing webcams if they wish to run Windows 11.
