Hacking An IoT Camera Reveals Hard-Coded Root Password

Hacking — at least the kind where you’re breaking into stuff — is very much a learn-by-doing skill. There’s simply no substitute for getting your hands dirty and just trying something. But that doesn’t mean you can’t learn something by watching, with this root password exploit on a cheap IP video camera being a good look at the basics.

By way of background on this project, [Matt Brown] had previously torn into a VStarcam CB73 security camera, a more or less generic IP camera that he picked up on the cheap, and identified a flash memory chip from which he extracted the firmware. His initial goal was to see if the camera was contacting sketchy servers, and while searching the strings for the expected unsavory items, he found hard-coded IP addresses plus confirmation that the camera was running some Linux variant.

With evidence of sloppy coding practices, [Matt] set off on a search for a hard-coded root password. The second video covers this effort, which started with finding UART pins and getting a console session. Luckily, the bootloader wasn’t locked, which allowed [Matt] to force the camera to boot into a shell session and find the root password hash. With no luck brute-forcing the hash, he turned to Ghidra to understand the structure of a suspicious program in the firmware called encoder. After a little bit of poking and some endian twiddling, he was able to identify the hard-coded root password for every camera made by this outfit, and likely others as well.

Granted, the camera manufacturer made this a lot easier than it should have been, but with a lot of IoT stuff similarly afflicted by security as an afterthought, the skills on display here are probably broadly applicable. Kudos to [Matt] for the effort and the clear, concise presentation that makes us want to dig into the junk bin and get hacking.


Smartwatch Snitches On Itself And Enables Reverse Engineering

If something has a “smart” in its name, you know that it’s talking to someone else, and the topic of conversation is probably you. You may or may not like that, but that’s part of the deal when you buy these things. But with some smarts of your own, you might be able to make that widget talk to you rather than about you.

Such an opportunity presented itself to [Benjamen Lim] when a bunch of brand X smartwatches came his way. Without any documentation to guide him, [Benjamen] started with an inspection, which revealed a screen of debug info that included a mysterious IP address and port. Tearing one of the watches apart — a significant advantage to having multiple units to work with — revealed little other than an nRF52832 microcontroller along with WiFi and cellular chips. But the luckiest find was JTAG pins connected to pads on the watch face that mate with its charging cradle. That meant talking to the chip was only a spliced USB cable away.

Once he could connect to the watch, [Benjamen] was able to dump the firmware and fire up Ghidra. He decided to focus on the IP address the watch seemed fixated on, reasoning that it might be the address of an update server, and that patching the firmware with a different address could be handy. He couldn’t find the IP as a string in the firmware, but he did manage to find a sprintf-like format string for IP addresses, which led him to a likely memory location. Sure enough, the IP and port were right there, so he wrote a script to change the address to a server he had the keys for and flashed the watch.

So the score stands at [Benjamen] 1, smartwatch 0. It’s not clear what the goal of all this was, but we’d love to see if he comes up with something cool for these widgets. Even if there’s nothing else, it was a cool lesson in reverse engineering.
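Both posts above start the same way: pull the firmware image off the flash and look for things that should never be baked into it, such as hard-coded server addresses and a shared root password hash. As an added example (not code from either project), the Python below runs those checks against a constructed image, including the smartwatch case where the address is not a string at all but four raw bytes beside a port; every sample value, the placeholder hash included, is made up.

```python
import re
import struct

# Constructed sample image, not a dump of either device: a shadow-file
# fragment with a set root hash (made-up placeholder), a hard-coded IPv4
# string, and that address packed as raw bytes beside a port.
SAMPLE_FW = (
    b"\x00" * 16
    + b"root:$1$PLACEHOLDER$abcdefghijklmnopqrstu:0:0:99999:7:::\n"
    + b"daemon:*:0:0:99999:7:::\n"
    + b"/usr/bin/encoder\x00http://203.0.113.42/update.bin\x00%d.%d.%d.%d\x00"
    + struct.pack("<4sH", bytes([203, 0, 113, 42]), 8080)
    + b"\x00" * 16
)
IPV4_RE = re.compile(rb"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)")
# user:password:lastchange:min:max:warn:inactive:expire:reserved
SHADOW_RE = re.compile(rb"([a-z_][a-z0-9_-]*):([^:\n]*):(?:[^:\n]*:){6}[^:\n]*\n")

def find_ipv4_strings(blob):
    """Distinct dotted-quad strings in the image, in order of appearance."""
    seen = []
    for m in IPV4_RE.finditer(blob):
        text = m.group(0).decode()
        if all(int(o) <= 255 for o in text.split(".")) and text not in seen:
            seen.append(text)
    return seen

def find_shadow_accounts(blob):
    """(user, hash) for shadow-style lines with a usable (not locked/empty) hash."""
    found = []
    for m in SHADOW_RE.finditer(blob):
        user, pw = m.group(1).decode(), m.group(2).decode()
        if pw and pw != "*" and not pw.startswith("!"):
            found.append((user, pw))
    return found

def find_packed_ipv4(blob, ip, port=None):
    """Offsets where `ip` sits as 4 raw bytes (either order), noting a following port."""
    octets = bytes(int(o) for o in ip.split("."))
    hits = []
    for order, needle in (("network order", octets), ("reversed", octets[::-1])):
        off = blob.find(needle)
        while off != -1:
            note = order
            for fmt, name in ((">H", "big-endian"), ("<H", "little-endian")):
                if port is not None and blob[off + 4:off + 6] == struct.pack(fmt, port):
                    note += f", port {port} {name} at +4"
            hits.append((off, note))
            off = blob.find(needle, off + 1)
    return hits
```

A non-empty result from `find_shadow_accounts` on a factory image means every unit ships with the same password, which is exactly the finding in the camera post.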

UV-K5 All-Band Mod, Part 2: Easier Install, Better Audio, And Two Antennas

OK, it’s official: the Quansheng UV-K5 is the king of hackable ham radios — especially now that a second version of the all-band hardware and firmware mod has been released, not to mention a new version of the radio.

If you need to get up to speed, check out our previous coverage of the all-band hack for the UV-K5, in which [Paul (OM0ET)] installs a tiny PCB to upgrade the radio’s receiver chip to an Si4732. Along with a few jumpers and some component replacements on the main board, these hardware mods made it possible for the transceiver, normally restricted to the VHF and UHF amateur radio bands, to receive everything down to the 20-meter band, in both AM and single-sideband modulations.

The new mod featured in the video below does all that and more, all while making the installation process slightly easier. The new PCB is on a flexible substrate and is considerably slimmer, and also sports an audio amplifier chip, to make up for the low audio output on SSB signals of the first version. Installation, which occupies the first third of the video below, is as simple as removing one SMD chip from the radio’s main board and tacking the PCB down in its footprint, followed by making a couple of connections with very fine enameled wire.

You could load the new firmware and call it a day at that point, but [Paul] decided to take things a step further and install a separate jack for a dedicated HF antenna. This means sacrificing the white LED on the top panel, which isn’t much of a sacrifice for most hams, to make room for the jack. Most of us would put a small SMA jack in, but [Paul] went for a BNC, which required some deft Dremel and knife work to fit in. He also used plain hookup wire to connect the jack, which sounds like a terrible idea; we’d probably use RG-316, but his mod didn’t sound that bad at all.

Keen to know more about the Quansheng UV-K5? Dive into the reverse-engineered schematics.


Hacked Oscilloscope Plays Breakout, Hints At More

You know things are getting real when the Dremel is one of the first tools you turn to after unboxing your new oscilloscope. But when your goal is to hack the scope to play Breakout, sometimes plastic needs to be sacrificed.

Granted, the scope in question, a Fnirsi DSO152, only cost [David Given] from Poking Technology a couple of bucks. And while the little instrument really isn’t that bad inside, it’s limited to a single channel and 200 kHz of bandwidth, so it’s not exactly lab quality. The big attractions for [David] were the CH32F103 microcontroller and the prominent debug port inside, not to mention the large color LCD panel.

[David]’s attack began with the debug port and case mods to allow access, but quickly ground to a halt when he accidentally erased the original firmware. But no matter — tracing out the pins is always an option. [David] made that easier by overlaying large photos of both sides of the board, which let him figure out which buttons went to which pins, and mapping for the display’s parallel interface. He didn’t mess with any of the analog stuff except to create a quick “Hello, oscilloscope!” program to output a square wave to the calibration pin. He did, however, create a display driver and port a game of Breakout to the scope — video after the hop.

We’ve been seeing a lot of buzz around the CH32xx MCUs lately; seeing it start to show up in retail products is perhaps a leading indicator of where the cheap RISC chips are headed. We’ve seen a few interesting hacks with them, but we’ve also heard tell they can be hard to come by. Maybe getting one of these scopes to tear apart can fix that, though.


Open HT Surgery Gives Cheap Transceiver All-Band Capabilities

Watch out, Baofeng; there’s a new kid on the cheap handy talkie market, and judging by this hardware and firmware upgrade to the Quansheng UV-K5, the radio’s hackability is going to keep amateur radio operators busy for quite a while.

Like the ubiquitous Baofeng line of cheap transceivers, the Quansheng UV-K5 is designed to be a dual-band portable for hams to use on the 2-meter VHF and 70-centimeter UHF bands. While certainly a useful capability, these bands are usually quite range-limited, and generally require fixed repeaters to cover a decent geographic area. For long-range comms you want to be on the high-frequency (HF) bands, and you want modulations other than the FM-only offered by most of the cheap HT radios.

Luckily, there’s a fix for both problems, as [Paul (OM0ET)] outlines in the video below. It’s a two-step process that starts with installing a hardware kit to replace the radio’s stock receiver chip with the much more capable Si4732. The kit includes the chip mounted on a small PCB, a new RF choke, and a bunch of nearly invisible capacitors. The mods are straightforward but would certainly benefit from the help of a microscope, and perhaps a little hot air rework. Once the hardware is installed and the new firmware flashed, you have an HT that can receive signals down to the 20-meter band, with AM and SSB modulations, and a completely redesigned display with all kinds of goodies.

It’s important to note that this is a receive-only modification — you won’t be transmitting on the HF bands with this thing. However, it appears that the firmware allows you to switch back and forth between HF receive and VHF/UHF transceive, so the radio’s stock functionality is still there if you need it. But at $30 for the radio and $12 for the kit, who cares? Having a portable HF receiver could be pretty handy in some situations. This looks like yet another fun hack for this radio; we’ve seen a few recently, including a firmware-only band expansion and even a Trojan that adds a waterfall display and a game of Pong.

Custom Library Rescues Good LoRa Hardware From Bad Firmware

The range of hardware that comes on some dev boards these days is truly staggering. Those little LoRa boards are a prime example — ESP32 with WiFi and Bluetooth, a transceiver that covers a big chunk of the UHF band, and niceties like OLED displays and plenty of GPIO. But the firmware and docs? Well, if you can’t say something nice, don’t say anything at all. Or better yet, just roll your own.

Of course that doesn’t hold true for all the LoRa dev boards on the market, but [Rop] certainly found it to be the case for the Heltec HTIT-WB32LA. This board has all the bells and whistles and would be perfect for LoRaWAN and Meshtastic applications, but it needed a little help getting it over the line. [Rop]’s contribution to this end is pretty comprehensive and is based on his fork of the RadioLib library, which incorporates a library that greatly reduces wear on the ESP32’s flash memory. In addition to full radio support, the library supports all the hardware on the board from the pushbutton to the display, power management and battery charging, and of course the blinkenlights.

[Rop] includes quite a few example applications, from the bare minimum needed to get the board spun up to a full-blown spectrum analyzer. It’s a nice piece of work, and a great give-back to the LoRa community. And if you want to put one of these modules to work, you’re certainly in the right place. We’ve got everything from LoRaWAN networks to the magic of Meshtastic, so take your pick and get hacking.

Recovering A Busted Video Capture Device With Firmware Flashing Tricks

Sometimes, you have a piece of hardware that just up and stops working on you. In today’s fast-paced world, it’s easy to toss something broken and move on. [BuyItFixIt], as you might imagine, makes it their purpose to, well, fix things instead. Their latest efforts involved resurrecting a dead AVerMedia Live Gamer 2 Plus capture device sourced off eBay.

The device was advertised as being dead, with no power. Probing around the board when powered up showed that there was some basic activity going on with one of the flash chips, but the device simply wouldn’t spring to life. This suggested that perhaps the flash had become corrupted, which was confirmed when reading the chip mostly returned 0xFF. Sadly, the device was so badly bricked that the usual update methods via SD card simply wouldn’t work.

Eventually, hunting down a debug header provided a way in. [BuyItFixIt] was able to find a way to flash firmware over this connection instead, but there was a problem. The firmware they had was formatted for loading via SD card, and wouldn’t work for the debug mode entry route. Instead, getting the device going would require recovering firmware from a similar working device, and then using that as a guide to assemble a proper workable firmware update to get the device back to an operational state.

It’s a great tale of perseverance and triumph, particularly given many would give up after the first update attempt failed. We’ve seen [BuyItFixIt] pull off some heroic repairs before, too. Video after the break.
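The repair above hinges on two judgements: telling an erased sector (reads back all 0xFF) from one that still holds data, and using a dump from a similar working unit as a reference without blindly copying over unit-specific sectors. As an added example, not [BuyItFixIt]’s code, here is that triage in Python on two constructed dumps, assuming a toy 16-byte sector size and the NOR-flash convention that erased bytes read 0xFF.

```python
# Flash-dump triage on constructed data; nothing here comes from the
# AVerMedia device. Toy sector size; real SPI NOR is typically 4 KiB.
SECTOR = 16

def _sector(tag):
    """Build one constructed sector from a short ASCII tag, null-padded."""
    return tag.encode().ljust(SECTOR, b"\x00")

# Reference dump read from a similar, working unit.
GOOD = b"".join(_sector(t) for t in
                ["VECTORS", "LOADER-1", "LOADER-2", "SN-UNIT-A-000001",
                 "APP-1", "APP-2"])
# Dump from the "dead" unit: sectors 1 and 2 read back erased (all 0xFF),
# and sector 3 holds this unit's own serial, which a repair must keep.
BAD = (GOOD[:1 * SECTOR] + b"\xff" * (2 * SECTOR)
       + _sector("SN-UNIT-B-000002") + GOOD[4 * SECTOR:])

def ff_fraction(blob):
    """Share of bytes that read 0xFF; close to 1.0 is 'mostly returns 0xFF'."""
    return blob.count(0xFF) / len(blob)

def erased_sectors(blob, sector=SECTOR):
    """Indices of sectors that are entirely 0xFF, i.e. erased or never written."""
    return [i for i in range(len(blob) // sector)
            if blob[i * sector:(i + 1) * sector] == b"\xff" * sector]

def diff_sectors(bad, good, sector=SECTOR):
    """Sector indices whose contents differ between the two dumps."""
    return [i for i in range(min(len(bad), len(good)) // sector)
            if bad[i * sector:(i + 1) * sector] != good[i * sector:(i + 1) * sector]]

def rebuild_image(bad, good, sector=SECTOR):
    """Candidate image: only erased sectors are refilled from the reference;
    sectors that differ but still hold data (unit-specific) are left alone."""
    out = bytearray(bad)
    for i in erased_sectors(bad, sector):
        out[i * sector:(i + 1) * sector] = good[i * sector:(i + 1) * sector]
    return bytes(out)

if __name__ == "__main__":
    print(f"0xFF fraction: {ff_fraction(BAD):.2f}")
    print("erased sectors:", erased_sectors(BAD))
    print("differing sectors:", diff_sectors(BAD, GOOD))
    print("erased after rebuild:", erased_sectors(rebuild_image(BAD, GOOD)))
```

The gap between `diff_sectors` and `erased_sectors` is the point: sector 3 differs from the reference but is not erased, so copying the whole good dump would have overwritten this unit’s own data.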
