HackIt: Sony Invites You To Hack Its SmartWatch Firmware

This is Sony’s smart watch, which has been around for a while now. It’s designed for use with your Android phone, and has always included an SDK that allows app developers to interact with it. But now Sony is taking it one big step further. They’ve published everything you need to know to hack your own firmware for the SmartWatch.

The navigation scheme for that article includes five menu items at the bottom which you’ll want to dig through. The most interesting to us was the one labeled “SmartWatch hacker guide”. It lays bare the hardware used in the watch and how its peripheral components connect to each other. This starts with the STM32 (ARM) microcontroller that drives the watch. It goes on to document how the screen is addressed (SPI1), including the pin to turn it on and off. The same goes for the Bluetooth, accelerometer, buzzer, and touch sensors.

Firmware is updated via USB using Device Firmware Upgrade (DFU) mode. We don’t see any way to connect an on-chip debugger. We searched to see if there is a JTAG port on the circuit board, and it sounds like getting the watch apart without breaking it is pretty tough.

Now that you don’t need to stick to what Sony had planned for the device, what do you want to do with your strapless wristwatch?

[Thanks Brian]

Rigol DS1022C Hack Brings It Up To 100MHz Speed

[Andreas Schuler] has been playing around with his Rigol DS1022C digital storage oscilloscope. It’s an older model which can capture samples at up to 25MHz, but [Andreas] claims to have quadrupled that using a service menu hack. His technique changes the settings to use the DS1022C at 100MHz.

Usually a hack like this includes some test measurements that confirm the hardware is actually sampling at the higher rate, and is not just claiming that it has the ability to do so. We’d love to hear from you in the comments if you’ve got this piece of bench hardware and decided to try it for yourself. His method enters a sequence of buttons from the system info menu. If done correctly this will add a service menu option that wasn’t there before. A bit of navigation leads you to the screen seen above, where you can change the model number to DS1102C. This is the more robust 100MHz cousin of the 1022.

If you think you’ve seen this hack before it’s probably because the Rigol 1052E was previously pulled to 100MHz with a firmware hack.

Dissecting A Firmware Image

[Leland Flynn] did a great job of picking apart the firmware image for a Westell 9100EM FiOS router. Unfortunately he didn’t actually find the information he was looking for. But he’s not quite done poking around yet either. If you have never tried to make sense of an embedded Linux firmware image this serves as a great beginner’s example of how it’s done.

He was turned on to the project after port scanning his external IP and finding a random login prompt which he certainly didn’t set up. Some searching led him to believe this is some kind of back door for Verizon to push automatic firmware updates to his router. He figured why not see if he could yank the credentials and poke around inside of the machine?

He started by downloading the latest firmware upgrade. Running ‘hexdump’ and ‘strings’ gives him confirmation that the image is based on Linux. He’s then able to pick apart the package, getting at just the filesystem portion. His persistence takes him through extracting and decompressing three different filesystems. Even though he now has access to all of those files, broken symlinks meant a dead-end on his login search.
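As an added example (not code from [Leland Flynn]’s write-up, and not run against the real Westell image), this is the carving step that follows ‘hexdump’ and ‘strings’: scan an image for filesystem and container magics, decode a squashfs superblock to size the filesystem chunk, and pull out any Linux banner strings. The sample image is a constructed byte string.

```python
import re
import struct

# Magic bytes a firmware carver looks for; each sits at offset 0 of its structure.
SIGNATURES = {
    b"\x27\x05\x19\x56": "uImage header",
    b"\x7fELF": "ELF binary",
    b"\x1f\x8b\x08": "gzip stream",
    b"hsqs": "squashfs (little-endian)",
    b"sqsh": "squashfs (big-endian)",
    b"\x45\x3d\xcd\x28": "cramfs (little-endian)",
}
SQUASHFS_COMPRESSORS = {1: "gzip", 2: "lzma", 3: "lzo", 4: "xz", 5: "lz4", 6: "zstd"}

def find_signatures(image):
    """Every (offset, description) where a known magic occurs, sorted by offset."""
    return sorted((m.start(), name) for magic, name in SIGNATURES.items()
                  for m in re.finditer(re.escape(magic), image))

def squashfs_superblock(image, offset):
    """Decode a squashfs 4.x superblock: five u32, six u16, then root_inode/bytes_used (u64)."""
    endian = "<" if image[offset:offset + 4] == b"hsqs" else ">"
    f = struct.unpack_from(endian + "5I6HQQ", image, offset)
    return {"version": f"{f[9]}.{f[10]}", "block_size": f[3], "bytes_used": f[12],
            "compression": SQUASHFS_COMPRESSORS.get(f[5], f"unknown({f[5]})")}

def carve(image):
    """Split the image into (name, offset, bytes) chunks: a squashfs chunk is sized
    from bytes_used in its superblock, anything else runs to the next signature."""
    hits = find_signatures(image)
    chunks = []
    for i, (off, name) in enumerate(hits):
        end = hits[i + 1][0] if i + 1 < len(hits) else len(image)
        if name.startswith("squashfs"):
            end = off + squashfs_superblock(image, off)["bytes_used"]
        chunks.append((name, off, image[off:end]))
    return chunks

def linux_strings(image, min_len=8):
    """A minimal `strings`: printable runs of at least min_len bytes that mention Linux."""
    runs = re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, image)
    return [m.group().decode() for m in runs if b"Linux" in m.group()]

# Constructed sample image, not real router firmware: a 64-byte uImage-style header,
# a gzip stub carrying a kernel banner, then a little-endian squashfs 4.0 superblock.
SAMPLE = (b"\x27\x05\x19\x56" + b"\x00" * 60
          + b"\x1f\x8b\x08\x00Linux version 2.6.30 (constructed)\x00" + b"\xff" * 25
          + struct.pack("<5I6HQQ", 0x73717368, 42, 0, 131072, 3, 4, 17, 0xC0, 1, 4, 0, 0, 96)
          + b"\xaa" * 48 + b"\xff" * 16)
```

Each carved chunk can then be written to its own file and handed to the matching extractor (gunzip, unsquashfs), which is where the broken-symlink dead end in the write-up would show up.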

Reverse Engineering ST-Link/V2 Firmware

The chip seen just above the center of this image is an ARM Cortex-M3. It provides the ability to interface and program the main chip on the STM32F3 Discovery board. The protocol used is the ST-Link/V2 which has become the standard for ST Microelectronics development boards. The thing is, that big ARM chip near the bottom of the image has multiple UARTs and bridging a couple of solder points will connect it to the ST-Link hardware. [Taylor Killian] wanted to figure out if there is built-in firmware support to make this a USB-to-serial converter and his path to the solution involved reverse engineering the ST-Link/V2 firmware.

The first part of the challenge was to get his hands on a firmware image. When you download the firmware update package the image is not included as a discrete file. Instead he had to sniff the USB traffic during a firmware update. He managed to isolate the file and chase down the encryption technique which is being used. It’s a fun read to see how he did this, and we’re looking forward to learning what he can accomplish now that he’s got the goods he was after.

Upgrading A Voice Recorder With A Hex Editor

[Alex] just bought a really nice TEAC VR-20 audio recorder, a very capable recorder perfect for recording your thoughts or just making concert bootlegs. This model was recently replaced by the Tascam DR-08 audio recorder. It’s essentially the same thing, but the Tascam unit can record at 96kHz, whereas the TEAC can only record at 48kHz. [Alex] figured out a way to upgrade his less capable but cheaper VR-20 to record at a higher bit rate with just a simple firmware hack.

The mod began by downloading the firmware for both the TEAC VR-20 and the Tascam DR-08. Both of these sets of firmware were exactly the same size, and after downloading a hex editor, [Alex] found a huge difference in the first 20 bytes of the firmware – the portion that tells the microcontroller what it actually is.

The solution to improving the bitrate for the TEAC VR-20 was as simple as copying the first 20 bytes from the TEAC firmware over to the first 20 bytes of the Tascam firmware. After that, it’s a simple matter of upgrading his TEAC and getting the ability to record at 96kHz.

A very, very simple hack that’s really just flipping a few bits. Not bad for a two-fold improvement in the recording capability of a handheld audio recorder.

Exploiting DFU Mode To Snag A Copy Of Firmware Upgrades

[Travis Goodspeed] continues his work at educating the masses on how to reverse engineer closed hardware devices. This time around he’s showing us how to exploit the Device Firmware Updates protocol in order to get your hands on firmware images. It’s a relatively easy technique that uses a man-in-the-middle attack to dump the firmware image directly to a terminal window. This way you can get down to the nitty-gritty of decompiling and hex editing as quickly as possible.

For this hack he used his Facedancer board. We first saw the hardware used to emulate a USB device, allowing the user to send USB commands via software. Now it’s being used to emulate your victim hardware’s DFU mode. This is done by supplying the vendorID and productID of the victim, then pushing the firmware update as supplied by the manufacturer. In most cases this shouldn’t even require you to have the victim hardware on hand.

Bootloader Brings USB, Firmware Updating To The ATtiny85

[Jenna] sent in a very cool bootloader she thought people might like. It’s called Micronucleus and it turns the lowly ATtiny85 into a chip with a USB interface capable of being upgraded via a ‘viral’ uploader program. Micronucleus weighs in at just over 2 kB, making it one of the smallest USB-compatible bootloaders currently available.

The USB support comes from V-USB, a project that puts a virtual USB port on a suite of AVR microcontrollers. With V-USB, it’s easy to turn a Tiny85 into a keyboard, custom joystick, data logger, or computer-attached LED display.

One very interesting feature of Micronucleus is the ‘viral updater’ feature. This feature takes a new piece of firmware, and writes it to a Tiny85, disabling the current bootloader. If you’re designing a project that should have a means of updating the firmware via USB instead of the usual AVR programmer, this might be the bootloader for you.

Not bad for a bootloader that emphasizes small code size. At just over 2 kB, it’s possible to use this bootloader on the similar, smaller, and somewhat cheaper ATtiny45.