
Hackaday Links: December 22, 2024

Early Monday morning, while many of us will be putting the finishing touches — or just beginning, ahem — on our Christmas preparations, solar scientists will hold their collective breath as they wait for word from the Parker Solar Probe’s record-setting passage through the sun’s atmosphere. The probe, which has been in a highly elliptical solar orbit since its 2018 launch, has been getting occasional gravitational nudges by close encounters with Venus. This has moved the perihelion ever closer to the sun’s surface, and on Monday morning it will make its closest approach yet, a mere 6.1 million kilometers from the roiling photosphere. That will put it inside the corona, the sun’s extremely energetic atmosphere, which we normally only see during total eclipses. Traveling at almost 700,000 kilometers per hour, it won’t be there very long, and it’ll be doing everything it needs to do autonomously since the high-energy plasma of the corona and the eight-light-minute distance makes remote control impossible. It’ll be a few days before communications are re-established and the data downloaded, which will make a nice present for the solar science community to unwrap.

Unexpectedly Interesting Payphone Gives Up Its Secrets

Reverse engineering a payphone doesn’t sound like a very interesting project, at least in the United States, where payphones were little more than ruggedized versions of residential phones with a coin mechanism attached. Phones in other parts of the world were far more interesting, though, as this look at the mysteries of a payphone from Israel reveals (in Hebrew; English translation here.)

This is a project [Inbar Raz] worked on quite a while ago, but only got around to writing up recently. The payphone in question was sourced from the usual surplus market channels, and appears to have been removed from service by Israeli telecommunications company Bezeq only shortly before he found it. It was in pretty good shape, and was even still locked tight, making some amateur locksmithing the first order of the day. The internals of the phone are surprisingly complex, with a motherboard that looks more like something from a PC. Date codes on the chips and through-hole construction date the device to the early- to mid-1990s.

With physical access gained, [Inbar] turned to the firmware. An Atmel flash chip seemed a good place to look, and indeed he was able to pull code off the chip. That’s where things took a turn thanks to the CPU the code was written for — the CDP1806, a later version of the more popular but still fringe CDP1802. This required [Inbar] to fall down the rabbit hole of writing a new processor definition file for Ghidra so that the firmware could be reverse-engineered. This got him to the point of understanding 1806 assembly well enough that he was able to re-flash the phone to print debugging messages on the built-in 16×2 LCD screen, which allowed him to figure out which routines were being called under various error conditions.

It doesn’t appear that [Inbar] ever completed the reverse engineering project, but as he points out, what does that even mean? He got inside, took a look around, and made the phone do some cool things it couldn’t do before, and in the process made things easier for anyone working with 1806 processors in Ghidra. That’s a pretty complete win in our books.

Saving A Samsung TV From The Dreaded Boot Loop

[eigma] had a difficult problem. After pulling a TV out of the trash and bringing it home, it turned out it was suffering from a troubling boot loop issue that basically made it useless. As so many of us do, they decided to fix it…which ended up being a far bigger task than initially expected.

The TV in question was a Samsung UN40H5003AF. Powering it up would net a red standby light which would stay on for about eight seconds. Then it would flicker off, come back on, and repeat the cycle. So far, so bad. Investigation began with the usual—checking the power supplies and investigating the basics. No easy wins were found. A debug UART provided precious little information, and schematics proved hard to come by.

Eventually, though, investigation dialed in on a 4 MB SPI flash chip on the board. Dumping the chip revealed that the firmware on it was corrupt. On closer inspection, [eigma] judged that most of the dump still looked valid. On a hunch that only a single bit had been damaged, they came up with a bold plan: a script to flip every bit in turn and recompute the firmware's CRC until the check passed. It took eighteen hours, but the script found a flip that satisfied the CRC. Lo and behold, burning the repaired firmware to the TV brought it back to life.
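A CRC is linear over GF(2), so a single-bit error can be located without recomputing the whole checksum once per candidate bit: the difference between the computed and expected CRC is a syndrome that depends only on how far the flipped bit sits from the end of the data. The following Python is an added example, not [eigma]'s script; the post doesn't say which CRC the TV checks, so it assumes a zlib-compatible CRC-32 and uses a constructed sample image in place of the flash dump. It shows the brute-force approach beside the linear-time one.

```python
import zlib
from typing import Optional, Tuple

# Reflected CRC-32 polynomial, the form used by zlib.crc32. Assumption for this example:
# the image's check is a standard CRC-32; the original post does not say which CRC the TV uses.
POLY = 0xEDB88320


def _step(reg: int) -> int:
    """Advance the reflected CRC-32 register by one bit of zero input."""
    return (reg >> 1) ^ (POLY if reg & 1 else 0)


def flip_bit(data: bytes, byte_index: int, bit: int) -> bytes:
    buf = bytearray(data)
    buf[byte_index] ^= 1 << bit
    return bytes(buf)


def sample_image(size: int) -> Tuple[bytes, int]:
    """Constructed test image and its CRC, standing in for the flash dump and its stored check value."""
    image = bytes((i * 7 + 3) & 0xFF for i in range(size))
    return image, zlib.crc32(image)


def brute_force_single_bit(data: bytes, expected_crc: int) -> Optional[Tuple[int, int]]:
    """The straightforward approach: flip every bit, recompute the whole CRC each time.
    Cost is (bits) x (bytes): fine for a few kilobytes, many hours for a 4 MB image."""
    buf = bytearray(data)
    for k in range(len(buf)):
        for b in range(8):
            buf[k] ^= 1 << b
            if zlib.crc32(buf) == expected_crc:
                return k, b
            buf[k] ^= 1 << b  # undo and move on
    return None


def locate_single_bit_error(data: bytes, expected_crc: int) -> Optional[Tuple[int, int]]:
    """Find (byte_index, bit) whose flip makes zlib.crc32(data) == expected_crc.

    CRC is linear over GF(2): crc32(data ^ e) == crc32(data) ^ F(e), where F(e) is the
    zero-initialised CRC of the error pattern e. For a single set bit, F(e) depends only
    on how many register steps remain after it, so one walk along the syndrome sequence
    1, x, x^2, ... mod P covers every bit position in 8*len(data) register steps.
    """
    delta = zlib.crc32(data) ^ expected_crc
    if delta == 0:
        return None  # CRC already matches: nothing to fix
    n = len(data)
    syndrome = 1
    for j in range(1, 8 * n + 1):          # j = register steps from the flipped bit to the end
        syndrome = _step(syndrome)
        if syndrome == delta:
            bit = (-j) % 8                 # bit 7 of the last byte is one step from the end
            byte_index = n - (j + bit) // 8
            return byte_index, bit
    return None  # not a single-bit error (or not this CRC variant)


def repair_single_bit(data: bytes, expected_crc: int) -> Optional[bytes]:
    """Return the corrected image, or None if no single bit flip explains the mismatch."""
    hit = locate_single_bit_error(data, expected_crc)
    if hit is None:
        return None
    return flip_bit(data, *hit)


if __name__ == "__main__":
    image, stored_crc = sample_image(16 * 1024)   # constructed 16 KiB image
    damaged = flip_bit(image, 12345, 5)
    print(locate_single_bit_error(damaged, stored_crc))     # (12345, 5)
    print(repair_single_bit(damaged, stored_crc) == image)  # True
```

On a 4 MB image the syndrome walk is about 33 million register steps, seconds to tens of seconds in pure Python, against recomputing a 4 MB CRC for each of those 33 million candidates. Two caveats a practitioner would want: the data passed in must exclude the stored check value itself (if the damaged bit is in the CRC field, no data flip will satisfy it), and a passing CRC is probable rather than certain evidence, since 2^25 candidate flips are being tested against a 32-bit check value; the TV actually booting is the real confirmation.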

It feels weird for a single bit flip to kill an entire TV, but this kind of failure isn’t unheard of. We’ve seen other dedicated hackers perform similar restorations previously. If you’re out there valiantly rescuing e-waste with these techniques, do tell us your story, won’t you?

Zero To Custom MacroPad In 37 Easy Steps

[Jeremy Weatherford] clearly has a knack for explaining projects well enough for easy reproduction but goes way further than most and has created a four-part YouTube series detailing every step from project inception to the final assembly, covering all aspects of 3D modelling and PCB design for a custom MacroPad design. Many tools are introduced along the way, all of which help reduce complexity and, by extension, the scope for errors. As every beginner hacker knows, early successes breed confidence and make for better and more ambitious projects.

Part 1 covers the project motivation and scope and introduces a keyboard layout editor tool. This tool allows one to take a layout idea and generate a JSON file, which is then fed to keyboard-tools.xyz to produce a usable KiCAD project. The tool only generates a PCB project and an associated netlist file. No schematic is created; you don’t need one for a simple layout.

A very basic keyboard layout

Part 2 is a walkthrough of the design process in KiCAD, culminating in ordering the PCB from JLCPCB and assembling the surface-mount parts. This particular design uses a controller based on the Sea-Picro RP2040 module, but there are many options if you have other preferences. [Jeremy] shows what’s possible with the selected suppliers, but you need not follow this step precisely if you have other ideas or want to use someone local.

Part 3 covers exporting the mechanical aspects of the PCB out of KiCAD and into a 3D CAD program, specifically OnShape. [Jeremy] covers some crucial details, such as how to read the mechanical drawing of the keys to work out where to place the top plate. It’s very easy to plough straight in at this stage and make a design which cannot be assembled! The plan is to use a simple laser-cut box whose bottom plate has mounting holes lining up with those on the PCB. A top plate is created by taking the outline of the PCB and adding a little margin. An array of rectangular cutouts is designed for the keys to protrude through, lining up exactly with where the keys sit when mounted on the PCB below. The sides of the case are formed from laser-cut sections that lock into each other and into the laser-cut base, using the laser joint FeatureScript addon from the OnShape community channel. A second FeatureScript addon is used to auto-layout the laser-cut components onto a single sheet. A CAM application called Kiri Moto, available on the OnShape store, is used to export for laser cutting.

MOTU Audio Interface Resurrected After Some Reverse Engineering

These days, when something electronic breaks, most folks just throw it away and get a new one. But as hackers, we prefer to find out what the actual problem is and fix it. [Bonsembiante] took that very tack when a MOTU brand audio interface wasn’t booting. As it turns out, a bit of investigative work led to a simple and viable fix.

The previous owner had tried to get the unit fixed multiple times without success. When it ended up on [Bonsembiante]’s bench, reverse engineering was the order of the day. Based around an embedded Linux system, there was lots to poke and prod at inside, it’s just that… the system wasn’t booting, wasn’t showing up over USB or Ethernet, or doing much of anything at all.

Extracting the firmware only revealed that the firmware was actually valid, so that was a dead end. However, after some work following the boot process along in Ghidra, with some external help, the problem was revealed. Something was causing the valid firmware to fail the bootloader’s checks—and with that fixed, the unit booted. You’ll have to read the article to get the full juicy story—it’s worth it!

We’ve seen [Bonsembiante’s] work here before, when they turned an old ADSL router into a functioning guitar pedal. Video after the break.

Hacking An IoT Camera Reveals Hard-Coded Root Password

Hacking — at least the kind where you’re breaking into stuff — is very much a learn-by-doing skill. There’s simply no substitute for getting your hands dirty and just trying something. But that doesn’t mean you can’t learn something by watching, with this root password exploit on a cheap IP video camera being a good look at the basics.

By way of background on this project, [Matt Brown] had previously torn into a VStarcam CB73 security camera, a more or less generic IP camera that he picked up on the cheap, and identified a flash memory chip from which he extracted the firmware. His initial goal was to see if the camera was contacting sketchy servers, and while searching the strings for the expected unsavory items, he found hard-coded IP addresses plus confirmation that the camera was running some Linux variant.

With evidence of sloppy coding practices, [Matt] set off on a search for a hard-coded root password. The second video covers this effort, which started with finding UART pins and getting a console session. Luckily, the bootloader wasn’t locked, which allowed [Matt] to force the camera to boot into a shell session and find the root password hash. With no luck brute-forcing the hash, he turned to Ghidra to understand the structure of a suspicious program in the firmware called encoder. After a little bit of poking and some endian twiddling, he was able to identify the hard-coded root password for every camera made by this outfit, and likely others as well.
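The strings pass and the shadow-hash hunt described above are the standard first triage of a firmware dump. Here is an added Python example, not [Matt]'s tooling, that runs that triage over a constructed blob standing in for the flash image: it pulls printable strings, validates embedded IPv4 literals, and picks out passwd/shadow-style lines whose password field is an actual crypt(3) hash, naming the scheme from the $id$ prefix (the detail that decides whether brute-forcing the hash is even worth starting).

```python
import re
from typing import Dict, List, Optional

# Constructed stand-in for a raw flash dump (not the VStarcam image); every value is made up.
SAMPLE_BLOB = (
    b"\x7fELF\x01\x01\x01" + b"\x00" * 9
    + b"root:$1$Xk3z9qLm$aBcDeFgHiJkLmNoPqRsTuV:10933:0:99999:7:::\n"
    + b"\x00\x01\x02"
    + b"http://203.0.113.42/firmware/update.bin\x00"
    + b"Linux version 3.10.14\x00"
    + b"%d.%d.%d.%d\x00"
    + b"root:x:0:0:root:/root:/bin/sh\x00"
    + b"telnetd -l /bin/sh\x00"
    + b"\xde\xad\xbe\xef" * 4
)

IPV4_RE = re.compile(rb"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
PASSWD_LINE_RE = re.compile(rb"^([A-Za-z_][A-Za-z0-9_.-]*):([^:]*):")
CRYPT_IDS = {b"1": "md5crypt", b"5": "sha256crypt", b"6": "sha512crypt",
             b"2a": "bcrypt", b"2b": "bcrypt", b"2y": "bcrypt", b"y": "yescrypt"}


def extract_strings(blob: bytes, min_len: int = 4) -> List[bytes]:
    """Printable-ASCII runs, the same thing strings(1) prints."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)


def find_ipv4(strings: List[bytes]) -> List[str]:
    """Dotted-quad literals with every octet in range (rejects '3.10.14' and '%d.%d.%d.%d')."""
    found = set()
    for s in strings:
        for m in IPV4_RE.finditer(s):
            if all(int(octet) <= 255 for octet in m.group(0).split(b".")):
                found.add(m.group(0).decode())
    return sorted(found)


def classify_hash(field: bytes) -> Optional[str]:
    """Name the crypt(3) scheme of a password field, or None if it holds no hash."""
    if field.startswith(b"$"):
        parts = field.split(b"$")          # b"$1$salt$hash" -> [b"", b"1", b"salt", b"hash"]
        if len(parts) >= 4 and parts[-1]:
            return CRYPT_IDS.get(parts[1], "crypt id $%s$" % parts[1].decode("ascii", "replace"))
        return None
    if re.fullmatch(rb"[./0-9A-Za-z]{13}", field):
        return "descrypt"                  # traditional 13-character DES hash
    return None                            # "x", "*", "!" or empty: hash elsewhere or account locked


def find_credentials(strings: List[bytes]) -> List[Dict[str, str]]:
    """passwd/shadow-style lines whose second field is an actual hash."""
    creds = []
    for s in strings:
        m = PASSWD_LINE_RE.match(s)
        if m and (algo := classify_hash(m.group(2))):
            creds.append({"user": m.group(1).decode(), "hash": m.group(2).decode(), "algo": algo})
    return creds


def triage(blob: bytes) -> Dict[str, object]:
    strings = extract_strings(blob)
    return {
        "ipv4": find_ipv4(strings),
        "credentials": find_credentials(strings),
        "shell_hints": sorted({s.decode() for s in strings if b"telnetd" in s or b"/bin/sh" in s}),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_BLOB).items():
        print(key, value)
```

md5crypt ($1$), as in the constructed sample, is cheap to attack offline but still hopeless against a long random password, which is why going after the binary that consumes the password, as [Matt] did, is often the faster route. A password field of x, *, ! or empty means the hash lives elsewhere or the account is locked, and the scanner skips it rather than report a non-hash.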

Granted, the camera manufacturer made this a lot easier than it should have been, but with a lot of IoT stuff similarly afflicted by security as an afterthought, the skills on display here are probably broadly applicable. Kudos to [Matt] for the effort and the clear, concise presentation that makes us want to dig into the junk bin and get hacking.

Smartwatch Snitches On Itself And Enables Reverse Engineering

If something has a “smart” in its name, you know that it’s talking to someone else, and the topic of conversation is probably you. You may or may not like that, but that’s part of the deal when you buy these things. But with some smarts of your own, you might be able to make that widget talk to you rather than about you.

Such an opportunity presented itself to [Benjamen Lim] when a bunch of brand X smartwatches came his way. Without any documentation to guide him, [Benjamen] started with an inspection, which revealed a screen of debug info that included a mysterious IP address and port. Tearing one of the watches apart — a significant advantage to having multiple units to work with — revealed little other than an nRF52832 microcontroller along with WiFi and cellular chips. But the luckiest find was the debug pins (the nRF52832 exposes SWD rather than a full JTAG port) connected to pads on the watch face that mate with its charging cradle. That meant talking to the chip was only a spliced USB cable away.

Once he could connect to the watch, [Benjamen] was able to dump the firmware and fire up Ghidra. He decided to focus on the IP address the watch seemed fixated on, reasoning that it might be the address of an update server, and that patching the firmware with a different address could be handy. He couldn’t find the IP as a string in the firmware, but he did manage to find a sprintf-like format string for IP addresses, which led him to a likely memory location. Sure enough, the IP and port were right there, so he wrote a script to change the address to a server he had the keys for and flashed the watch.
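Once Ghidra has pointed at the bytes behind the %d.%d.%d.%d format string, the patch itself is a small binary rewrite. The Python below is an added example rather than [Benjamen]'s script, and it assumes a layout the post doesn't spell out: the address is held as four raw bytes immediately followed by a 16-bit port, with unknown byte order for each field. It searches a constructed stand-in image for the known old endpoint under all four byte-order combinations, refuses to proceed unless there is exactly one match, and rewrites it in the same layout so the image size and every other offset stay put.

```python
import socket
import struct
from typing import List, Tuple

Layout = Tuple[str, str]   # (address byte order, port byte order), each "be" or "le"

# Constructed values standing in for what the debug screen showed and where we want traffic to go.
OLD_IP, OLD_PORT = "203.0.113.5", 8080
NEW_IP, NEW_PORT = "192.0.2.10", 8443

# Constructed stand-in for the dumped firmware (not the watch's image). Assumed layout for the
# illustration: the format string sits in read-only data, and the endpoint is a 4-byte address
# followed directly by a 16-bit port, here stored little-endian.
SAMPLE_FW = (
    b"\x00" * 64
    + b"%d.%d.%d.%d\x00"
    + b"\x00" * 3
    + socket.inet_aton(OLD_IP) + struct.pack("<H", OLD_PORT)
    + b"\xff" * 64
)


def encode_endpoint(ip: str, port: int, layout: Layout) -> bytes:
    """Pack ip:port the way the firmware stores it under the given byte orders."""
    ip_order, port_order = layout
    raw = socket.inet_aton(ip)                 # network (big-endian) byte order
    if ip_order == "le":
        raw = raw[::-1]                        # address held as a little-endian uint32
    return raw + struct.pack(">H" if port_order == "be" else "<H", port)


def find_endpoint(fw: bytes, ip: str, port: int) -> List[Tuple[int, Layout]]:
    """Every offset where ip+port appears, trying both byte orders for each field."""
    hits = []
    for ip_order in ("be", "le"):
        for port_order in ("be", "le"):
            layout = (ip_order, port_order)
            needle = encode_endpoint(ip, port, layout)
            pos = fw.find(needle)
            while pos != -1:
                hits.append((pos, layout))
                pos = fw.find(needle, pos + 1)
    return sorted(hits)


def patch_endpoint(fw: bytes, old: Tuple[str, int], new: Tuple[str, int]) -> bytes:
    """Rewrite the single occurrence of old ip:port with new ip:port, preserving the layout."""
    hits = find_endpoint(fw, *old)
    if len(hits) != 1:
        raise ValueError(f"expected exactly one match for {old[0]}:{old[1]}, found {len(hits)}: {hits}")
    pos, layout = hits[0]
    replacement = encode_endpoint(new[0], new[1], layout)
    patched = fw[:pos] + replacement + fw[pos + len(replacement):]
    assert len(patched) == len(fw), "patch must not change the image size"
    return patched


if __name__ == "__main__":
    print(find_endpoint(SAMPLE_FW, OLD_IP, OLD_PORT))        # [(79, ('be', 'le'))]
    patched = patch_endpoint(SAMPLE_FW, (OLD_IP, OLD_PORT), (NEW_IP, NEW_PORT))
    print(find_endpoint(patched, NEW_IP, NEW_PORT))          # [(79, ('be', 'le'))]
```

The exactly-one-match check matters: a four-byte address is a short pattern, and patching a coincidental hit elsewhere in the image is an easy way to turn a working watch into a brick. If the firmware carries a checksum or signature over the image, that has to be recomputed or the bootloader will reject the patched copy; the post doesn't say whether this watch checks one.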

So the score stands at [Benjamen] 1, smartwatch 0. It’s not clear what the goal of all this was, but we’d love to see if he comes up with something cool for these widgets. Even if there’s nothing else, it was a cool lesson in reverse engineering.