An OLED Photo Frame Powered By The ATtiny85

Rolling your own digital picture frame that loads images from an SD card and displays them on an LCD with a modern microcontroller like the ESP32 is an afternoon project, even less if you pull in somebody else’s code. But what if you don’t have the latest and greatest hardware to work with?

Whether you look at it as a practical application or an interesting experiment in wringing more performance out of low-end hardware, [Assad Ebrahim]’s demonstration of displaying digital photographs on an OLED using the ATtiny85 is well worth a look. The whole thing can be put together on a scrap of perfboard with a handful of common components, and can cycle through the five images stored on the chip’s flash memory for up to 20 hours on a CR2032 coin cell.

As you might expect, the biggest challenge in this project is getting all the code and data to fit onto the ATtiny85. To that end [Assad] wrote his own minimal driver for the SSD1306 OLED display, as the traditional Adafruit code took up too much space. The driver is a pretty bare bones implementation, but it’s enough to initialize the screen and get it ready for incoming data. His code also handles emulating I2C over Atmel’s Universal Serial Interface (USI) at an acceptable clip, so long as you bump the chip up to 8 MHz.

For the images, [Assad] details the workflow he uses to take the high-resolution color files and turn them into an array of bytes for the display. Part of that is just scaling down and converting to 1-bit color, but there’s also a bit of custom Forth code in the mix that converts the resulting data into the format his code expects.

This isn’t the first time we’ve seen somebody use one of these common OLED displays in conjunction with the ATtiny85, and it’s interesting to see how their techniques compare. It’s not a combination we’d necessarily choose willingly, but sometimes you’ve got to work with what’s available.

The Internet – On A Casio Calculator!

Over the years we’ve become used to seeing some impressive hacks of high-end calculator software and hardware, most often associated with the Z80-based models from Texas Instruments. But of course, TI are far from the only player in this arena. It’s nice for a change to see a Casio receiving some attention. The Casio fx series of graphical calculators can now communicate with the world, thanks to the work of [Manawyrm] in porting a TCP/IP stack to them.

As can be seen in the video below, lurking in the calculator’s menu system is an IRC client; there is also a terminal application and a webserver which you can even visit online (please be aware that it’s only a calculator though, so an onslaught of Hackaday readers clicking the link may bring it down). The Casio doesn’t have a network interface of its own, so instead, it speaks SLIP over the serial port. In this endeavor, it uses a UART driver sourced from [TobleMiner].

It’s always good to see a neglected platform get some love, and also to note that this is an unusual outing for an SH4 CPU outside its most familiar home in the Sega Dreamcast. It’s a surprise then to read that the SH4 in a calculator, of all products, is a custom version that lacks an FPU. This deficiency doesn’t mean it can’t be overclocked though, as this very old Hackaday article describes.


Cracking A GBA Game With NSA Tools

[Wrongbaud] is a huge fan of Japanese kaiju-style movies, including Godzilla and King Kong. In honor of the release of a new movie, he has decided to tackle a few projects to see how both of these monsters can hold their own against other legendary monsters. In this project, he is using Ghidra, named after another legendary kaiju, against the password system of the Game Boy Advance game Kong: King of Atlantis.

Since this project is a how-to, [wrongbaud] shows how to search Ghidra for existing scripts that might already have the functionality needed for GBA analysis and emulation. When not, he also illustrates how to write scripts to automate code analysis, and then moves on to cracking the level password system on the game.

The key to finding the passwords on this game was looking for values in the code that were seven characters long, and after some searching [wrongbaud] is finally able to zero in on the code responsible for handling passwords. Once found, a brute force method was automated to find viable passwords, and from there the game was officially pwned. For anyone interested in security, reverse engineering, or just the way that binaries work, it’s quite the detailed breakdown. Of course, it’s not the only example we have seen that uses this software tool to extract passwords.

You Are Doomed To Learn WebAssembly

At first, Web browsers displayed HTML pages. But then people wanted those pages to do something. So we got — among other things — JavaScript. Then people wanted to do super complicated and compute-intensive things. So now we have WebAssembly. If you want to learn it, [diekmann] has a 4-part series that covers everything from getting started to porting Doom into your browser.

Paradoxically, instead of using a browser, he uses the wasm binary toolkit to run code more like a standard assembler. And wasm — what most people call WebAssembly — isn’t like most assemblers you know. Instead of labels, there are blocks that work much more like high-level language constructs such as while loops in C.


Using Ghidra To Extract A Router Configuration Encryption Key

Who doesn’t know the struggle? Buying an interesting piece of hardware for a song and a dance, and then finding that the device’s firmware and/or configuration file is locked down with various encryption or obfuscation methods. This was the experience [Ali Raheem] had when he got a TP-Link TL-MR3020 V3 for a mere 18 British Pounds, intending to use this 4G-capable router to increase internet reliability.

Naturally this can all be done when staying inside the vendor-provided marked lines, which in this case meant ignoring the encrypted configuration files. As the owner of the hardware, this was of course unacceptable and thus [Ali] got a firmware image from the TP-Link site to see what could be gleaned from it in terms of encryption keys and other hints.

After obtaining the TP-Link-provided BIN file, the application of binwalk helpfully extracted the files embedded in it, followed by John the Ripper cracking the passwords in the /etc/passwd.bak file, and ultimately finding the encrypted /etc/default_config.xml file. Searching for this filename string in the rest of the extracted files led to /lib/libcmm.so.

Dropping this shared library file into Ghidra to disassemble its code, [Ali] found a function suspiciously called decryptFile. Inside was a reference to the global key string, which when tossed into OpenSSL and after some fiddling turned out to decrypt the XML configuration file in des-ecb mode. From this point dropping in one’s own configuration files should be no problem after encrypting them to make the firmware happy. Nice work!

ESP32 Turned Handy SWD Flasher For NRF52 Chips

Got an nRF52 or nRF51 device you need to flash? Got an ESP32 laying around collecting dust? If so, then firmware hacking extraordinaire [Aaron Christophel] has the open source code you need. His new project allows the affordable WiFi-enabled microcontroller to read and write to the internal flash of Nordic nRF52 series chips via their SWD interface. As long as you’ve got some jumper wires and a web browser, you’re good to go.

In the first video below [Aaron] demonstrates the technique with the PineTime smartwatch, but the process will be more or less the same regardless of what your target device is. Just connect the CLK and DIO lines to pins GPIO 21 and GPIO 19 of the ESP32, point your web browser to its address on the local network, and you’ll be presented with a straightforward user interface for reading and writing the chip’s flash.

As demonstrated in the second video, with a few more wires and a MOSFET, the ESP32 firmware is also able to perform a power glitch exploit on the chip that will allow you to read the contents of its flash even if the APPROTECT feature has been enabled. [Aaron] isn’t taking any credit for this technique though, pointing instead to the research performed by [LimitedResults] to explain the nuts and bolts of the attack.

We’re always excited when a message from [Aaron] hits the inbox, since more often than not it means another device has received an open source firmware replacement. From his earlier work with cheap fitness trackers to his wildly successful Bluetooth environmental sensor hacking, we don’t think this guy has ever seen a stock firmware that he didn’t want to immediately send to /dev/null.


SMART Response XE Turned Pocket BASIC Playground

Ever since the SMART Response XE was brought to our attention back in 2018, we’ve been keeping a close lookout for projects that make use of the Arduino-compatible educational gadget. Admittedly it’s taken a bit longer than we’d expected for the community to really start digging into the capabilities of the QWERTY handheld, but occasionally we see an effort like this port of BASIC to the SMART Response XE by [Dan Geiger] that reminds us of why we were so excited by this device to begin with.

This project combines the SMART Response XE support library by [Larry Bank] with Tiny BASIC Plus, which itself is an update of the Arduino BASIC port by [Michael Field]. The end result is a fun little BASIC handheld that has all the features and capabilities you’d expect, plus several device-specific commands that [Dan] has added such as BATT to check the battery voltage and MSAVE/MLOAD which will save and load BASIC programs to EEPROM.

To install the BASIC interpreter to your own SMART Response XE, [Dan] goes over the process of flashing it to the hardware using an AVR ISP MkII and a few pogo pins soldered to a bit of perfboard. There are holes under the battery door of the device that expose the programming pads on the PCB, so you don’t even need to crack open the case. Although if you are willing to crack open the case, you might as well add in a CC1101 transceiver so the handy little device can double as a spectrum analyzer.
