ESP32 Turned Handy SWD Flasher For NRF52 Chips

Got an nRF52 or nRF51 device you need to flash? Got an ESP32 lying around collecting dust? If so, then firmware hacking extraordinaire [Aaron Christophel] has the open source code you need. His new project allows the affordable WiFi-enabled microcontroller to read and write to the internal flash of Nordic nRF52 series chips via their SWD interface. As long as you’ve got some jumper wires and a web browser, you’re good to go.

In the first video below [Aaron] demonstrates the technique with the PineTime smartwatch, but the process will be more or less the same regardless of what your target device is. Just connect the CLK and DIO lines to pins GPIO 21 and GPIO 19 of the ESP32, point your web browser to its address on the local network, and you’ll be presented with a straightforward user interface for reading and writing the chip’s flash.

As demonstrated in the second video, with a few more wires and a MOSFET, the ESP32 firmware is also able to perform a power glitch exploit on the chip that will allow you to read the contents of its flash even if the APPROTECT feature has been enabled. [Aaron] isn’t taking any credit for this technique though, pointing instead to the research performed by [LimitedResults] to explain the nuts and bolts of the attack.

We’re always excited when a message from [Aaron] hits the inbox, since more often than not it means another device has received an open source firmware replacement. From his earlier work with cheap fitness trackers to his wildly successful Bluetooth environmental sensor hacking, we don’t think this guy has ever seen a stock firmware that he didn’t want to immediately send to /dev/null.


Custom Firmware Teaches USB Relay Board New Tricks

If you’re looking for a quick and easy way to control a few devices from your computer, a cheap USB relay board might be the ideal solution. These are fairly simple gadgets, consisting of little more than a microcontroller and a handful of relays. But that doesn’t mean there isn’t room for improvement, and as [Michał Słomkowski] recently demonstrated, flashing these boards with a custom firmware allows the user to modify their default functionality.

In his case, [Michał] wanted to build a power strip that would cut the power to any devices plugged into it once his computer went to sleep. Unfortunately, he couldn’t just check to see if there was 5 V on the line as his motherboard kept the USB ports powered up all the time. But with some modifications to the relay board’s firmware, he reasoned he should be able to detect if there was any USB activity by watching for the start-of-frame packet that goes out every millisecond when the bus is active.

Wiring up the ATtiny45 for flashing.

Now [Michał] isn’t claiming to be the first person to come up with a custom firmware for one of these boards; in fact, he credits an existing open source firmware project as an inspiration for his work. But he did create an entirely new GPLv3 firmware for these ATtiny45 powered devices, which includes among other improvements the latest version of V-USB. As it so happens, V-USB includes start-of-frame packet detection out of the box, which made it much easier to implement his activity detection code.

With the new firmware flashed to the relay board’s chip, [Michał] put it in an enclosure and wired up the outlets. But there was still one missing piece of the puzzle. It seems that Linux won’t actually send out the start-of-frame packets unless it’s actively communicating with a USB device, as part of the so-called “selective suspend” power saving feature. Luckily there is support for disabling this feature for specific devices based on their Vendor/Product ID pair, so after a little udev fiddling, everything was working as expected.

We love custom firmware projects here at Hackaday. Not only do they keep proprietary software out of our devices, but they often unlock new and expanded capabilities which otherwise would be hidden behind artificial paywalls.

Exploring The World Of Nintendo 3DS Homebrew

When Nintendo officially ended production of the 3DS in September 2020, it wasn’t exactly a surprise. For one thing, some variation of the handheld system had been on the market since 2011. Which is not to say the product line had become stagnant: the system received a considerable mid-generation refresh, and there was even a more affordable variant introduced that dropped the eponymous stereoscopic 3D effect, but nearly a decade is still a fairly long life in the gaming industry. Of course Nintendo’s focus on the Switch, a hybrid device that blurs the line between console and handheld games, undoubtedly played a part in the decision to retire what could effectively be seen as a competing product.

While putting the 3DS out to pasture might have been the logical business move, a quick check on eBay seems to tell a different story. Whether it’s COVID keeping people indoors and increasing the demand for at-home entertainment, or the incredible library of classic and modern games the system has access to, the fact is that a used 3DS in good condition is worth more today than it was when it was brand new on the shelf this time last year.

I’ve certainly made more expensive mistakes.

In short, this was the worst possible time for me to decide that I finally wanted to buy a 3DS. Then one day I noticed the average price for a Japanese model was far lower than that of its American counterpart. I knew the hardware was identical, but could the firmware be changed?

An evening’s worth of research told me the swap was indeed possible, but inadvisable due to the difficulty and potential for unexpected behavior. Of course, that’s never stopped me before.

So after waiting the better part of a month for my mint condition 3DS to arrive from the land of the rising sun, I set out to explore the wide and wonderful world of Nintendo 3DS hacking.


Exploring Custom Firmware On Xiaomi Thermometers

If we’ve learned anything over the years, it’s that hackers love to know what the temperature is. Seriously. A stroll through the archives here at Hackaday uncovers an overwhelming number of bespoke gadgets for recording, displaying, and transmitting the current conditions. From outdoor weather stations to an ESP8266 with a DHT11 soldered on, there’s no shortage of prior art should you want to start collecting your own environmental data.

Now obviously we’re big fans of DIY here, that’s sort of the point of the whole website. But there’s no denying that it can be hard to compete with the economies of scale, especially when dealing with imported goods. Even the most experienced hardware hacker would have trouble building something like the Xiaomi LYWSD03MMC. For as little as $4 USD each, you’ve got a slick energy efficient sensor with an integrated LCD that broadcasts the current temperature and humidity over Bluetooth Low Energy.

You could probably build your own…but why?

It’s pretty much the ideal platform for setting up a whole-house environmental monitoring system except for one detail: it’s designed to work as part of Xiaomi’s home automation system, and not necessarily the hacked-together setups that folks like us have going on at home. But that was before Aaron Christophel got on the case.

We first brought news of his ambitious project to create an open source firmware for these low-cost sensors last month, and unsurprisingly it generated quite a bit of interest. After all, folks taking existing pieces of hardware, making them better, and sharing how they did it with the world is a core tenet of this community.

Believing that such a well-crafted project deserved a second look, and frankly because I wanted to start monitoring the conditions in my own home on the cheap, I decided to order a pack of Xiaomi thermometers and dive in.


Custom Firmware For Cheap Bluetooth Thermometers

The Xiaomi LYWSD03MMC temperature and humidity sensor is ridiculously cheap. If you’re buying a few at a time, you can expect to pay as little as $5 USD a pop for these handy Bluetooth Low Energy environmental sensors. Unfortunately, that low price tag comes with a bit of a catch: you can only read the data with the official Xiaomi smartphone application or by linking it to one of the company’s smart home hubs. Or at least, that used to be the case.

Over the past year, [Aaron Christophel] has been working on a replacement firmware for these Xiaomi sensors that unlocks the data so you can use it however you see fit. In addition, it allows the user to tweak various features and settings that were previously unavailable. For example, you can disable the little ASCII-art smiley face that usually shows on the LCD to indicate the relative comfort level of the room.

The new firmware publishes the temperature, humidity, and battery level every minute through a BLE advertisement broadcast. In other words, that means client devices can read data from the sensor without having to be paired. Scraping this data is quite simple, and the GitHub page includes a breakdown of what each byte in the broadcast message means. Avoiding direct connections not only makes it easier to quickly read the values from multiple thermometers, but should keep the device’s CR2032 battery going for longer.

But perhaps the most impressive part of this project is how you get the custom firmware installed. You don’t need to crack the case or solder up a programmer. Just load the flasher page on a computer and browser combo that supports Web Bluetooth (a smartphone is probably the best bet), point it to the MAC address of the thermometer you want to flash, and hit the button. [Aaron] is no stranger to developing user-friendly OTA installers for his firmware projects, but even for him, it’s quite impressive.


Teaching A Pocket Logic Analyzer (Many) New Tricks

A few years ago, low-cost pocket digital oscilloscopes aimed at the hacker and maker crowd started hitting the market and gained quite a following. While few would consider them to be a replacement for a proper bench scope, they’re cheap and convenient enough that it’s hard to complain. Manufacturers are apparently looking to expand on the concept, as we’re now seeing similarly priced and sized logic analyzers pop up from the usual sources.

[Gabriel Valky] got his hands on a sub-$100 USD model known as the LA104, and decided that the stock software didn’t quite deliver. So he started a project to create a new open source firmware for the affordable gadget that greatly expands its core functionalities. The code has even been ported to a few of those digital oscilloscopes, as it turns out (perhaps unsurprisingly) that they aren’t too far removed internally.

Controlling addressable LEDs with the LA104.

In the video after the break, [Gabriel] shows off some impressive radio tricks by adding a small CC1101 transceiver to the mix. This allows his modified LA104 to scan for and decode popular RF protocols in the 300 – 900 MHz range. His software even allows for the received packets to be modified and re-transmitted, which he demonstrates by pushing a fake temperature signal into a wireless weather station.

But that’s just the beginning. A perusal of the GitHub page for his replacement firmware shows just how many features have already been packed into this project. For example it can be used to control WS2812 LED strips, generate arbitrary PWM signals, log data from temperature sensors, interface with MIDI devices, and scan for I2C devices. Many of these functions can be controlled on the computer by utilizing a modern browser and WebUSB.

The replacement firmware that [Gabriel] has come up with for the LA104 is really an incredible accomplishment, and elevates an already intriguing piece of kit. Being able to pack all of these functions into something small and cheap enough you can toss into a bag is a very compelling prospect for hackers on the go.


Pulling Display Data Off Of A Fitness Tracker

[Aaron Christophel] writes in with yet another clever hack for his D6 Fitness Tracker. Using OpenOCD and Pygame, he shows how you can pull data right off the tracker’s screen and send it to the computer.

This one appealed to us for its brevity. First [Aaron] launches the OpenOCD server which connects to the D6. Then, a short Python script connects to the server through telnet, reads the screen data, and uses a look-up table to turn the data into a duplicate display on the PC screen. If you’re more of a visual learner, there’s a demonstration video after the break.

The D6 is a popular fitness tracker that’s often re-branded and sold at a very low cost. [Aaron] is a big fan of these Nordic nRF52 powered devices, and we’ve covered some of his hacks before. If you’d like to learn more about these interesting little devices there’s quite a write-up on their inner workings here.
