Zero To Custom MacroPad In 37 Easy Steps

[Jeremy Weatherford] clearly has a knack for explaining projects well enough for easy reproduction but goes way further than most and has created a four-part YouTube series detailing every step from project inception to the final assembly, covering all aspects of 3D modelling and PCB design for a custom MacroPad design. Many tools are introduced along the way, all of which help reduce complexity and, by extension, the scope for errors. As every beginner hacker knows, early successes breed confidence and make for better and more ambitious projects.

Part 1 covers the project motivation and scope and introduces a keyboard layout editor tool. This tool lets you sketch a layout idea and export it as a JSON file, which is then fed to keyboard-tools.xyz to produce a usable KiCAD project. That tool only generates a PCB project and an associated netlist file; no schematic is created, and you don’t need one for a simple layout.

A very basic keyboard layout

Part 2 is a walkthrough of the design process in KiCAD, culminating in ordering the PCB from JLCPCB and assembling the surface-mount parts. This particular design uses a controller based on the Sea-Picro RP2040 module, but there are many options if you have other preferences. [Jeremy] shows what’s possible with the selected suppliers, but you need not follow this step precisely if you have other ideas or want to use someone local.

Part 3 covers exporting the mechanical aspects of the PCB out of KiCAD and into a 3D CAD program, specifically OnShape. [Jeremy] covers some crucial details, such as how to read the mechanical drawing of the key switches to work out where to place the top plate. It’s very easy to plough straight in at this stage and make a design which cannot be assembled! The plan is to use a simple laser-cut box with a bottom plate whose mounting holes line up with those on the PCB. A top plate is created by taking the outline of the PCB and adding a little margin. An array of rectangular cutouts is designed for the keys to protrude through, lining up exactly with where the keys sit when mounted on the PCB below. The sides of the case are formed from laser-cut sections that lock into each other and into the laser-cut base, using the laser-joint FeatureScript add-on from the OnShape community channel. A second FeatureScript add-on is used to auto-layout the laser-cut components onto a single sheet. A CAM application called Kiri Moto, available on the OnShape store, is used to export the parts for laser cutting.


MOTU Audio Interface Resurrected After Some Reverse Engineering

These days, when something electronic breaks, most folks just throw it away and get a new one. But as hackers, we prefer to find out what the actual problem is and fix it. [Bonsembiante] took that very tack when a MOTU brand audio interface wasn’t booting. As it turns out, a bit of investigative work led to a simple and viable fix.

The previous owner had tried to get the unit fixed multiple times without success. When it ended up on [Bonsembiante]’s bench, reverse engineering was the order of the day. Based around an embedded Linux system, there was lots to poke and prod at inside; the trouble was that the system wasn’t booting, wasn’t showing up over USB or Ethernet, and wasn’t doing much of anything at all.

Extracting the firmware only revealed that it was valid, so that was a dead end. However, after following the boot process along in Ghidra, with some external help, the problem was revealed: something was causing the bootloader’s checks to reject the perfectly valid firmware, and with that fixed, the unit booted. You’ll have to read the article to get the full juicy story; it’s worth it!

We’ve seen [Bonsembiante]’s work here before, when they turned an old ADSL router into a functioning guitar pedal. Video after the break.


Hacking An IoT Camera Reveals Hard-Coded Root Password

Hacking — at least the kind where you’re breaking into stuff — is very much a learn-by-doing skill. There’s simply no substitute for getting your hands dirty and just trying something. But that doesn’t mean you can’t learn something by watching, with this root password exploit on a cheap IP video camera being a good look at the basics.

By way of background on this project, [Matt Brown] had previously torn into a VStarcam CB73 security camera, a more or less generic IP camera that he picked up on the cheap, and identified a flash memory chip from which he extracted the firmware. His initial goal was to see if the camera was contacting sketchy servers, and while searching the strings for the expected unsavory items, he found hard-coded IP addresses plus confirmation that the camera was running some Linux variant.

With evidence of sloppy coding practices, [Matt] set off in search of a hard-coded root password. The second video covers this effort, which started with finding the UART pins and getting a console session. Luckily, the bootloader wasn’t locked, which let [Matt] force the camera into a root shell and read out the root password hash. With no luck brute-forcing the hash, he turned to Ghidra to understand the structure of a suspicious program in the firmware called encoder. After a little poking and some endian twiddling, he was able to identify the hard-coded root password, which is shared by every camera made by this outfit, and likely by rebadged units from others as well.
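As an added example (our own code, not [Matt]’s), here are two of the steps above turned into reusable helpers: carving passwd- and shadow-style account lines out of a raw firmware dump and flagging root accounts that carry a usable hash, and reassembling a string that a compiled program builds from 32-bit immediates (the sort of thing a Ghidra listing shows as a run of constant stores), trying both byte orders. The FIRMWARE blob, the placeholder hash and the immediates are all constructed for the example; nothing here comes from the camera.

```python
import re
import struct

# Constructed stand-in for a raw firmware dump: ELF-looking junk, an
# /etc/passwd-style fragment, some padding, an /etc/shadow-style fragment and
# more junk. The $1$ hash is a placeholder, not a credential from any device.
FIRMWARE = (
    b"\x7fELF\x01\x01\x01" + b"\xff" * 16
    + b"root:x:0:0:root:/root:/bin/sh\n"
    + b"admin:x:1000:1000::/home/admin:/bin/false\n"
    + b"\x00" * 8
    + b"root:$1$saltsalt$0123456789abcdefghijkl:18000:0:99999:7:::\n"
    + b"nobody:*:18000:0:99999:7:::\n"
    + b"\xde\xad\xbe\xef" * 4
)

# login:pw:uid:gid:gecos:home:shell. Requiring home to start with "/" keeps
# shadow lines (whose sixth field is numeric) from matching as passwd lines.
PASSWD_RE = re.compile(
    rb"([a-z_][a-z0-9_-]{0,31}):([^:\n]*):(\d+):(\d+):([^:\n]*):(/[^:\n]*):([^:\n]*)\n"
)
# login:hash:lastchg:min:max:warn:inactive:expire:flag (last three lumped together)
SHADOW_RE = re.compile(
    rb"([a-z_][a-z0-9_-]{0,31}):([^:\n]*):(\d*):(\d*):(\d*):(\d*):([^\n]*)\n"
)


def hash_kind(field):
    """Classify a crypt(3)-style password field so findings can be triaged."""
    if field == b"":
        return "empty"        # no password at all: anyone can log in
    if field == b"x":
        return "in-shadow"    # real hash lives in the shadow file
    if field.startswith((b"*", b"!")):
        return "locked"
    if field.startswith(b"$1$"):
        return "md5crypt"
    if field.startswith(b"$5$"):
        return "sha256crypt"
    if field.startswith(b"$6$"):
        return "sha512crypt"
    if len(field) == 13:
        return "descrypt"     # traditional DES crypt, cheap to brute-force
    return "unknown"


def find_accounts(blob):
    """Carve passwd- and shadow-style lines out of a raw image."""
    accounts = []
    for m in PASSWD_RE.finditer(blob):
        accounts.append({"source": "passwd", "login": m.group(1).decode(),
                         "hash": m.group(2), "uid": int(m.group(3)), "offset": m.start()})
    for m in SHADOW_RE.finditer(blob):
        accounts.append({"source": "shadow", "login": m.group(1).decode(),
                         "hash": m.group(2), "uid": None, "offset": m.start()})
    return accounts


def root_password_findings(accounts):
    """(login, source, kind) for each root/UID-0 entry that carries a usable hash."""
    findings = []
    for a in accounts:
        is_root = a["uid"] == 0 or a["login"] == "root"
        kind = hash_kind(a["hash"])
        if is_root and kind not in ("in-shadow", "locked"):
            findings.append((a["login"], a["source"], kind))
    return findings


def decode_immediates(words, little=True):
    """Lay out 32-bit immediates in memory order for the given byte order."""
    fmt = "<I" if little else ">I"
    return b"".join(struct.pack(fmt, w & 0xFFFFFFFF) for w in words)


def guess_stack_string(words):
    """Try both byte orders, cut at the first NUL and keep only fully printable
    candidates; return (endianness, text) for the longer one, or None."""
    best = None
    for little in (True, False):
        raw = decode_immediates(words, little).split(b"\x00", 1)[0]
        if raw and all(0x20 <= b < 0x7F for b in raw):
            cand = ("little" if little else "big", raw.decode("ascii"))
            if best is None or len(cand[1]) > len(best[1]):
                best = cand
    return best


if __name__ == "__main__":
    for login, source, kind in root_password_findings(find_accounts(FIRMWARE)):
        print(f"root-capable account {login!r} in {source} with {kind} hash")
    # Constructed immediates: what a listing might show as two 32-bit stores
    # that build "S3cret!" on the stack on a little-endian target.
    print(guess_stack_string([0x72633353, 0x00217465]))
```

On a real dump you would confirm the byte order from the target CPU rather than trusting the longer-printable-run heuristic, and a hash that resists a wordlist is exactly the point at which following the program that consumes it in Ghidra, as [Matt] did, beats more brute force.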

Granted, the camera manufacturer made this a lot easier than it should have been, but with a lot of IoT stuff similarly afflicted by security as an afterthought, the skills on display here are probably broadly applicable. Kudos to [Matt] for the effort and the clear, concise presentation that makes us want to dig into the junk bin and get hacking.


Smartwatch Snitches On Itself And Enables Reverse Engineering

If something has a “smart” in its name, you know that it’s talking to someone else, and the topic of conversation is probably you. You may or may not like that, but that’s part of the deal when you buy these things. But with some smarts of your own, you might be able to make that widget talk to you rather than about you.

Such an opportunity presented itself to [Benjamen Lim] when a bunch of brand X smartwatches came his way. Without any documentation to guide him, [Benjamen] started with an inspection, which revealed a screen of debug info that included a mysterious IP address and port. Tearing one of the watches apart, a significant advantage to having multiple units to work with, revealed little other than an nRF52832 microcontroller along with WiFi and cellular chips. But the luckiest find was the debug pins (SWD, on the nRF52832) connected to pads on the watch face that mate with its charging cradle. That meant talking to the chip was only a spliced USB cable away.

Once he could connect to the watch, [Benjamen] was able to dump the firmware and fire up Ghidra. He decided to focus on the IP address the watch seemed fixated on, reasoning that it might be the address of an update server, and that patching the firmware with a different address could be handy. He couldn’t find the IP as a string in the firmware, but he did manage to find a sprintf-like format string for IP addresses, which led him to a likely memory location. Sure enough, the IP and port were right there, so he wrote a script to change the address to a server he held the keys for and flashed the watch.
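As an added example of that last step (our own script, not [Benjamen]’s), here is a firmware patcher that anchors on a printf-style "%d.%d.%d.%d" format string, looks for the packed IP and port within a window after it, and refuses to patch unless exactly one candidate record turns up, so a byte pattern that happens to recur elsewhere in the image is never silently overwritten. The sample image, the addresses, the port and the record layout (four octets followed by a 16-bit port) are all constructed for the example; the watch’s real layout is not given on the page.

```python
import ipaddress
import struct

# Format string the search anchors on; the watch's actual string is assumed.
FMT = b"%d.%d.%d.%d:%d\x00"


def build_sample_image():
    """Constructed firmware stand-in: code-like filler, the format string,
    padding, then a config record holding the endpoint as four octets plus a
    little-endian 16-bit port, then more filler."""
    filler = bytes(range(256)) * 4
    config = b"SRV\x00" + bytes([10, 0, 0, 5]) + struct.pack("<H", 9000) + b"\x00\x00"
    return filler + FMT + b"\x00" * 32 + config + filler[:100]


def find_endpoint(image, ip, port, window=4096):
    """Offsets of every (ip, port) record within `window` bytes after each
    occurrence of FMT; both port byte orders are tried since the page does
    not say which one the firmware uses."""
    ip_bytes = ipaddress.IPv4Address(ip).packed
    hits = []
    start = 0
    while (pos := image.find(FMT, start)) != -1:
        region = image[pos:pos + window]
        for endian in ("<", ">"):
            needle = ip_bytes + struct.pack(endian + "H", port)
            off = region.find(needle)
            while off != -1:
                hits.append((pos + off, endian))
                off = region.find(needle, off + 1)
        start = pos + 1
    return hits


def patch_endpoint(image, old_ip, old_port, new_ip, new_port):
    """Return (patched_image, offset). Raises unless exactly one record matched,
    which is the check that keeps a stray match from corrupting code."""
    hits = find_endpoint(image, old_ip, old_port)
    if len(hits) != 1:
        raise ValueError(f"expected exactly one endpoint record, found {len(hits)}")
    off, endian = hits[0]
    new_rec = ipaddress.IPv4Address(new_ip).packed + struct.pack(endian + "H", new_port)
    patched = bytearray(image)
    patched[off:off + len(new_rec)] = new_rec
    return bytes(patched), off


if __name__ == "__main__":
    img = build_sample_image()
    patched, off = patch_endpoint(img, "10.0.0.5", 9000, "192.168.1.20", 8443)
    print(f"patched endpoint record at offset {off:#x}")
    print("old endpoint still present:", find_endpoint(patched, "10.0.0.5", 9000))
    print("new endpoint present:", find_endpoint(patched, "192.168.1.20", 8443))
```

The patched image is the same length as the original, so it flashes back over the same region. If a firmware carries a checksum or signature over that region, the patch also has to update it; the page does not mention one for this watch, but it is the first thing to check when a patched image refuses to boot.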

So the score stands at [Benjamen] 1, smartwatch 0. It’s not clear what the goal of all this was, but we’d love to see if he comes up with something cool for these widgets. Even if there’s nothing else, it was a cool lesson in reverse engineering.

UV-K5 All-Band Mod, Part 2: Easier Install, Better Audio, And Two Antennas

OK, it’s official: the Quansheng UV-K5 is the king of hackable ham radios — especially now that a second version of the all-band hardware and firmware mod has been released, not to mention a new version of the radio.

If you need to get up to speed, check out our previous coverage of the all-band hack for the UV-K5, in which [Paul (OM0ET)] installs a tiny PCB carrying an Si4732 receiver in place of the radio’s FM broadcast receiver chip. Along with a few jumpers and some component replacements on the main board, these hardware mods made it possible for the transceiver, normally restricted to the VHF and UHF amateur radio bands, to receive everything down to the 20-meter band, in both AM and single-sideband modes.

The new mod featured in the video below does all that and more, while making the installation process slightly easier. The new PCB is on a flexible substrate and is considerably slimmer, and it also sports an audio amplifier chip to make up for the first version’s low audio output on SSB signals. Installation, which occupies the first third of the video below, is as simple as removing one SMD chip from the radio’s main board and tacking the PCB down in its footprint, followed by making a couple of connections with very fine enameled wire.

You could load the new firmware and call it a day at that point, but [Paul] decided to take things a step further and install a separate jack for a dedicated HF antenna. This means sacrificing the white LED on the top panel, which isn’t much of a sacrifice for most hams, to make room for the jack. Most of us would put a small SMA jack in, but [Paul] went for a BNC, which required some deft Dremel and knife work to fit in. He also used plain hookup wire to connect the jack, which sounds like a terrible idea; we’d probably use RG-316, but his mod didn’t sound that bad at all.

Keen to know more about the Quansheng UV-K5? Dive into the reverse-engineered schematics.


Hacked Oscilloscope Plays Breakout, Hints At More

You know things are getting real when the Dremel is one of the first tools you turn to after unboxing your new oscilloscope. But when your goal is to hack the scope to play Breakout, sometimes plastic needs to be sacrificed.

Granted, the scope in question, a Fnirsi DSO152, only cost [David Given] from Poking Technology a couple of bucks. And while the little instrument really isn’t that bad inside, it’s limited to a single channel and 200 kHz of bandwidth, so it’s not exactly lab quality. The big attractions for [David] were the CH32F103 microcontroller and the prominent debug port inside, not to mention the large color LCD panel.

[David]’s attack began with the debug port and case mods to allow access, but quickly ground to a halt when he accidentally erased the original firmware (a reminder to dump the flash before doing anything else through a debug port). But no matter; tracing out the pins is always an option. [David] made that easier by overlaying large photos of both sides of the board, which let him work out which buttons went to which pins and map the display’s parallel interface. He didn’t mess with any of the analog stuff except to write a quick “Hello, oscilloscope!” program that outputs a square wave on the calibration pin. He did, however, write a display driver and port a game of Breakout to the scope; video after the break.

We’ve been seeing a lot of buzz around the CH32xx MCUs lately; seeing one start to show up in retail products is perhaps a leading indicator of where these cheap WCH parts are headed. We’ve seen a few interesting hacks with them, but we’ve also heard tell they can be hard to come by. Maybe getting one of these scopes to tear apart can fix that, though.


Open HT Surgery Gives Cheap Transceiver All-Band Capabilities

Watch out, Baofeng; there’s a new kid on the cheap handy talkie market, and judging by this hardware and firmware upgrade to the Quansheng UV-K5, the radio’s hackability is going to keep amateur radio operators busy for quite a while.

Like the ubiquitous Baofeng line of cheap transceivers, the Quansheng UV-K5 is designed to be a dual-band portable for hams to use on the 2-meter VHF and 70-centimeter UHF bands. While certainly a useful capability, these bands are usually quite range-limited, and generally require fixed repeaters to cover a decent geographic area. For long-range comms you want to be on the high-frequency (HF) bands, and you want modulations other than the FM-only offered by most of the cheap HT radios.

Luckily, there’s a fix for both problems, as [Paul (OM0ET)] outlines in the video below. It’s a two-step process that starts with installing a hardware kit that replaces the radio’s FM broadcast receiver chip with the much more capable Si4732. The kit includes the chip mounted on a small PCB, a new RF choke, and a bunch of nearly invisible capacitors. The mods are straightforward but would certainly benefit from a microscope, and perhaps a little hot-air rework. Once the hardware is installed and the new firmware flashed, you have an HT that can receive signals down to the 20-meter band, with AM and SSB modes, and a completely redesigned display with all kinds of goodies.

It’s important to note that this is a receive-only modification; you won’t be transmitting on the HF bands with this thing. However, it appears that the firmware allows you to switch back and forth between HF receive and VHF/UHF transceive, so the radio’s stock functionality is still there if you need it. But at $30 for the radio and $12 for the kit, who cares? Having a portable HF receiver could be pretty handy in some situations. This looks like yet another fun hack for this radio; we’ve seen a few recently, including a firmware-only band expansion and even a Trojan that adds a waterfall display and a game of Pong.