Reverse Engineering ST-Link/V2 Firmware


The chip seen just above the center of this image is an ARM Cortex-M3. It provides the interface for programming and debugging the main chip on the STM32F3 Discovery board. The protocol used is ST-Link/V2, which has become the standard for ST Microelectronics development boards. The thing is, the big ARM chip near the bottom of the image has multiple UARTs, and bridging a couple of solder points will connect one of them to the ST-Link hardware. [Taylor Killian] wanted to find out whether the ST-Link firmware has built-in support for acting as a USB-to-serial converter, and his path to the answer involved reverse engineering the ST-Link/V2 firmware.

The first part of the challenge was to get his hands on a firmware image. When you download the firmware update package, the image is not included as a discrete file. Instead he had to sniff the USB traffic during a firmware update. He managed to isolate the image from the capture and chase down the encryption scheme protecting it. It's a fun read to see how he did this, and we're looking forward to learning what he can accomplish now that he's got the goods he was after.
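As an added illustration (not from [Taylor]'s write-up) of the check you'd run on an image pulled out of a USB capture before chasing its encryption: a per-block Shannon entropy scan flags which regions look like ciphertext or compressed data and which look like plain code and tables. The two regions of the sample image below are constructed for the example, one shaped like a plain address table and one made of SHA-256 output standing in for an encrypted payload; the block size and threshold are conventional starting values, not anything taken from the ST-Link firmware.

```python
import hashlib
import math
from collections import Counter

BLOCK = 1024        # scan granularity in bytes
THRESHOLD = 7.0     # bits/byte; plain ARM code and tables usually sit well below this


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for a constant run, 8.0 for uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def entropy_profile(image: bytes, block: int = BLOCK):
    """[(offset, entropy)] for every block of the image."""
    return [(off, shannon_entropy(image[off:off + block]))
            for off in range(0, len(image), block)]


def high_entropy_regions(image: bytes, block: int = BLOCK, threshold: float = THRESHOLD):
    """Merge consecutive above-threshold blocks into [(start, end)] byte ranges."""
    regions = []
    for off, h in entropy_profile(image, block):
        if h < threshold:
            continue
        end = min(off + block, len(image))
        if regions and regions[-1][1] == off:      # extends the previous region
            regions[-1] = (regions[-1][0], end)
        else:
            regions.append((off, end))
    return regions


# Constructed sample image (not the ST-Link firmware): 4 KiB shaped like a plain
# little-endian address table, followed by 4 KiB of chained SHA-256 output that
# stands in for an encrypted payload.
PLAIN_PART = b"".join((0x08000000 + 4 * i).to_bytes(4, "little") for i in range(1024))
_chain, _blocks = b"seed", []
for _ in range(128):
    _chain = hashlib.sha256(_chain).digest()
    _blocks.append(_chain)
CIPHER_PART = b"".join(_blocks)
SAMPLE_IMAGE = PLAIN_PART + CIPHER_PART

if __name__ == "__main__":
    for off, h in entropy_profile(SAMPLE_IMAGE):
        print(f"{off:#08x}  {h:4.2f} bits/byte")
    print("high-entropy regions:", high_entropy_regions(SAMPLE_IMAGE))
```

The caveat a practitioner wants: compressed data scores just as high as ciphertext, so a high-entropy region tells you where to look, not what you are looking at. Checking for a known compression header at the start of the region, or for a repeating structure that survives at block boundaries, is the next step before assuming a cipher.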

Upgrading A Voice Recorder With A Hex Editor

[Alex] just bought a really nice TEAC VR-20 audio recorder, a very capable unit perfect for recording your thoughts or just making concert bootlegs. This model was recently replaced by the Tascam DR-08 audio recorder. It's essentially the same thing, but the Tascam unit can record at 96 kHz, whereas the TEAC can only record at 48 kHz. [Alex] figured out a way to upgrade his less capable but cheaper VR-20 to record at the higher sample rate with just a simple firmware hack.

The mod began by downloading the firmware for both the TEAC VR-20 and the Tascam DR-08. Both firmware images were exactly the same size, and after loading them into a hex editor, [Alex] found that the big difference was in the first 20 bytes of the firmware: the header that tells the device which model the image is for.

The solution to getting the higher sample rate on the TEAC VR-20 was as simple as copying the first 20 bytes of the TEAC firmware over the first 20 bytes of the Tascam firmware, so that the TEAC would accept the Tascam image as its own. After that, it was a simple matter of flashing the modified image to his TEAC and recording at 96 kHz.

A very, very simple hack that's really just swapping a few bytes. Not bad for doubling the sample rate of a handheld audio recorder.
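As an added example (not [Alex]'s own tooling) of the header-transplant step in working form: it reports where two same-size images differ, then moves the first 20 bytes of one image onto the other, refusing if the sizes don't match. The two images, their headers and the two differing body bytes are all constructed for the example; the real TEAC and Tascam file layouts are not known here beyond the 20-byte header the write-up describes.

```python
HEADER_LEN = 20   # the identification header [Alex] found in the first 20 bytes


def diff_ranges(a: bytes, b: bytes, merge_gap: int = 4):
    """[(start, end)] byte ranges where two equal-length images differ.
    Differences closer than `merge_gap` bytes are merged so the report stays readable."""
    if len(a) != len(b):
        raise ValueError(f"images differ in size ({len(a)} vs {len(b)} bytes)")
    ranges = []
    for off, (x, y) in enumerate(zip(a, b)):
        if x == y:
            continue
        if ranges and off <= ranges[-1][1] + merge_gap:
            ranges[-1] = (ranges[-1][0], off + 1)
        else:
            ranges.append((off, off + 1))
    return ranges


def transplant_header(donor: bytes, body_source: bytes, header_len: int = HEADER_LEN) -> bytes:
    """Return body_source with its first header_len bytes replaced by donor's.
    Refuses on a size mismatch, since a transplant only makes sense between
    images of the same layout."""
    if len(donor) != len(body_source):
        raise ValueError("refusing: images are not the same size")
    return donor[:header_len] + body_source[header_len:]


def label_ranges(ranges, header_len: int = HEADER_LEN):
    """Tag each differing range as header or body, for the report."""
    return [(start, end, "header" if start < header_len else "body") for start, end in ranges]


# Constructed sample images: 20-byte headers naming each model, a shared filler
# body, and two body bytes that differ between the models (stand-ins only; the
# real meaning of the differing bytes is not known here).
TEAC_HEADER = b"VR-20 TEAC 1.00\x00\x00\x00\x00\x00"
TASCAM_HEADER = b"DR-08 TASCAM 1.0\x00\x00\x00\x00"
_filler = bytes(range(256)) * 2
_teac_body, _tascam_body = bytearray(_filler), bytearray(_filler)
_teac_body[80], _teac_body[280] = 0x30, 0x30
_tascam_body[80], _tascam_body[280] = 0x60, 0x60
TEAC_IMG = TEAC_HEADER + bytes(_teac_body)
TASCAM_IMG = TASCAM_HEADER + bytes(_tascam_body)

if __name__ == "__main__":
    for start, end, where in label_ranges(diff_ranges(TEAC_IMG, TASCAM_IMG)):
        print(f"{where:6s} {start:#06x}-{end:#06x}")
    patched = transplant_header(donor=TEAC_IMG, body_source=TASCAM_IMG)
    print("patched header:", patched[:HEADER_LEN])
    print("remaining differences vs Tascam image:", diff_ranges(patched, TASCAM_IMG))
```

Before flashing anything produced this way, check whether the updater verifies a checksum or signature over the whole image; a transplanted header would fail such a check, and the fact that this swap worked says the TEAC updater relied on nothing stronger than that header.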

Exploiting DFU Mode To Snag A Copy Of Firmware Upgrades

[Travis Goodspeed] continues his work at educating the masses on how to reverse engineer closed hardware devices. This time around he's showing us how to exploit the Device Firmware Upgrade (DFU) protocol in order to get your hands on firmware images. It's a relatively easy technique that puts an emulated device in place of the real one during an update, so that the firmware image can be dumped directly to a terminal window. This way you can get down to the nitty-gritty of disassembling and hex editing as quickly as possible.

For this hack he used his Facedancer board. We first saw this hardware used to emulate a USB device, letting the user craft USB responses in software. Now it's being used to emulate the victim hardware's DFU mode. This is done by supplying the victim's vendor ID and product ID, then running the manufacturer's updater, which pushes the firmware update to the fake device exactly as it would to the real one. In most cases this shouldn't even require you to have the victim hardware on hand, since the updater only ever sees the emulated device.
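To make the exchange concrete, here is an added example (not [Travis]'s Facedancer code, which drives real USB hardware) that plays both sides of a DFU 1.1 download in plain Python: a host routine standing in for the manufacturer's updater, and a fake device that answers the DFU control requests correctly but simply keeps every block it is handed. The vendor ID, product ID and sample image are constructed for the example; the request codes, states and status values are the ones defined in the USB DFU specification.

```python
# Constructed IDs standing in for the victim's USB descriptors (not a real product).
VENDOR_ID, PRODUCT_ID = 0x1234, 0x5678

# Request codes, states and status values from the USB DFU 1.1 specification.
DFU_DETACH, DFU_DNLOAD, DFU_UPLOAD, DFU_GETSTATUS, DFU_CLRSTATUS, DFU_GETSTATE, DFU_ABORT = range(7)
(APP_IDLE, APP_DETACH, DFU_IDLE, DFU_DNLOAD_SYNC, DFU_DNBUSY, DFU_DNLOAD_IDLE,
 DFU_MANIFEST_SYNC, DFU_MANIFEST, DFU_MANIFEST_WAIT_RESET, DFU_UPLOAD_IDLE, DFU_ERROR) = range(11)
STATUS_OK, ERR_STALLEDPKT = 0x00, 0x0F
HOST_TO_DEVICE, DEVICE_TO_HOST = 0x21, 0xA1   # bmRequestType: class request to an interface


class FakeDfuDevice:
    """Device side: answers DFU control requests like a target in DFU mode,
    but instead of programming flash it keeps every block the host sends."""

    def __init__(self):
        self.state, self.status = DFU_IDLE, STATUS_OK
        self.received = []                   # (wBlockNum, payload) in arrival order

    def descriptor(self):
        return VENDOR_ID, PRODUCT_ID         # what the updater checks before talking DFU

    def _fail(self, code):
        self.state, self.status = DFU_ERROR, code
        return b""

    def control_request(self, bmRequestType, bRequest, wValue, wIndex, data=b""):
        if bRequest == DFU_DNLOAD:
            # DNLOAD is only legal from dfuIDLE / dfuDNLOAD-IDLE, and a zero-length
            # DNLOAD (end of image) is only legal after at least one block arrived.
            if self.state not in (DFU_IDLE, DFU_DNLOAD_IDLE) or (not data and self.state == DFU_IDLE):
                return self._fail(ERR_STALLEDPKT)
            if data:
                self.received.append((wValue, bytes(data)))
                self.state = DFU_DNLOAD_SYNC
            else:
                self.state = DFU_MANIFEST_SYNC
            return b""
        if bRequest == DFU_GETSTATUS:
            # GETSTATUS drives the state machine forward. Nothing is programmed here,
            # so there is never a dfuDNBUSY wait and manifestation completes at once.
            if self.state == DFU_DNLOAD_SYNC:
                self.state = DFU_DNLOAD_IDLE
            elif self.state == DFU_MANIFEST_SYNC:
                self.state = DFU_IDLE
            # bStatus, bwPollTimeout (3 bytes), bState, iString
            return bytes([self.status, 0, 0, 0, self.state, 0])
        if bRequest == DFU_GETSTATE:
            return bytes([self.state])
        if bRequest == DFU_CLRSTATUS and self.state == DFU_ERROR:
            self.state, self.status = DFU_IDLE, STATUS_OK
            return b""
        if bRequest == DFU_ABORT:
            self.state = DFU_IDLE
            return b""
        return self._fail(ERR_STALLEDPKT)

    def dumped_image(self):
        return b"".join(payload for _, payload in self.received)


def parse_status(resp):
    """(bStatus, bState) from a GETSTATUS response."""
    return resp[0], resp[4]


def run_vendor_updater(dev, image, transfer_size=64):
    """Host side: the sequence a manufacturer's updater follows to push an image."""
    if dev.descriptor() != (VENDOR_ID, PRODUCT_ID):
        raise RuntimeError("updater refuses: not the device it expects")
    block = 0
    for off in range(0, len(image), transfer_size):
        dev.control_request(HOST_TO_DEVICE, DFU_DNLOAD, block, 0, image[off:off + transfer_size])
        status, state = parse_status(dev.control_request(DEVICE_TO_HOST, DFU_GETSTATUS, 0, 0))
        while status == STATUS_OK and state == DFU_DNBUSY:      # real targets poll here while flashing
            status, state = parse_status(dev.control_request(DEVICE_TO_HOST, DFU_GETSTATUS, 0, 0))
        if status != STATUS_OK or state != DFU_DNLOAD_IDLE:
            raise RuntimeError(f"block {block} rejected: status {status:#x}, state {state}")
        block = (block + 1) & 0xFFFF                             # wBlockNum is a 16-bit counter
    dev.control_request(HOST_TO_DEVICE, DFU_DNLOAD, block, 0, b"")   # zero length: end of image
    status, state = parse_status(dev.control_request(DEVICE_TO_HOST, DFU_GETSTATUS, 0, 0))
    return status == STATUS_OK and state == DFU_IDLE


def dump_firmware(image, transfer_size=64):
    """Let the updater 'flash' the fake device and return what it handed over."""
    dev = FakeDfuDevice()
    return dev.dumped_image() if run_vendor_updater(dev, image, transfer_size) else None


# Constructed stand-in for a vendor's update image.
SAMPLE_IMAGE = bytes((i * 7 + 3) & 0xFF for i in range(1000))

if __name__ == "__main__":
    dumped = dump_firmware(SAMPLE_IMAGE)
    print(f"dumped {len(dumped)} bytes, matches original: {dumped == SAMPLE_IMAGE}")
```

The point worth noticing is that the host never verifies what it is talking to beyond the descriptors: a device that answers GETSTATUS with dfuDNLOAD-IDLE after each block gets the whole image, which is exactly what the Facedancer exploits. Real updaters that wrap DFU in a vendor extension (DfuSe address commands, for instance) need those extra requests answered too, but the download loop itself is the same.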

Bootloader Brings USB, Firmware Updating To The ATtiny85

[Jenna] sent in a very cool bootloader she thought people might like. It's called Micronucleus, and it gives the lowly ATtiny85 a USB interface through which it can be upgraded, including via a 'viral' uploader program. Micronucleus weighs in at just over 2 kB, making it one of the smallest USB-compatible bootloaders currently available.

The USB support comes from V-USB, a project that implements a low-speed USB port entirely in software on a range of AVR microcontrollers. With V-USB, it's easy to turn a Tiny85 into a keyboard, custom joystick, data logger, or computer-attached LED display.

One very interesting feature of Micronucleus is the 'viral updater'. This feature takes a new piece of firmware and writes it to the Tiny85, disabling the current bootloader in the process. If you're designing a project that needs a way to update its firmware over USB instead of with the usual AVR programmer, this might be the bootloader for you.

Not bad for a bootloader that emphasizes small code size. At just over 2 kB, it even fits on the similar but smaller and somewhat cheaper ATtiny45.

Recovering From A Seagate HDD Firmware Bug

Hard drive firmware is about the last place you want to find a bug. But that turned out to be the problem with [BBfoto's] Seagate HDD, which he was using in a RAID array. It stopped working completely, and he later found out that the firmware has a bug that leaves the drive stuck reporting a busy state. There's a firmware upgrade available, but you have to apply it before the problem shows its face; otherwise you're out of luck. Some searching led him to a hardware fix for the problem.

[Brad Garcia] put together the tutorial which illustrates the steps needed to unbrick a 7200.11 hard drive with the busy-state bug. The image in the lower right shows the drive with a piece of paper or card between the PCB and the contacts for the head assembly. This insulator is necessary to boot the drive without it hanging due to the bug. From there he issues serial commands to put it into Access Level 2, then removes the insulator for the rest of the fix.

In the tutorial [Brad] uses a USB-to-TTL serial converter. [BBfoto] grabbed an Arduino instead, using it as a USB-to-TTL serial bridge. Whatever you use, keep in mind that the drive's diagnostic serial port runs at 3.3 V logic.

A Tale Of (un)bricking A $10k Microsoft Surface Unit

We’ve all had that sinking feeling as a piece of hardware stops responding and the nasty thought of “did I just brick this thing?” rockets to the front of our minds. [Florian Echtler] recently experienced this in extremis as his hacking on the University of Munich’s Microsoft Surface 2.0 left it unresponsive. He says this is an 8,000 Euro piece of hardware, which translates to around $10,000! Obviously it was his top priority to get the thing working again.

So what's the first thing you should do if you get your hands on a piece of hardware like this? Try to run Linux on the thing, of course. And [Florian] managed to make that happen pretty easily (there's a quick proof-of-concept video after the break). He took a Linux kernel driver written for a different purpose and altered it to interface with the MS Surface. After working out a few error messages he packaged it up and called it good. Some time later the department called him and asked if his Linux kernel work might have anything to do with the display being dead. Yikes.

He dug into the driver and found that a bug may have caused the firmware on the USB interface chip to be overwritten. The big problem being that the vendor doesn't distribute the image for this chip. So he ended up having to dump what was left of the EEPROM and rebuild the header byte by byte.


Getting Root On A Sony TV

The Sony Bravia series of HDTVs is a great piece of kit; they're nice displays that usually have enough inputs for the craziest home theatre setups. These TVs also run Linux, but until now we haven't seen anything that capitalizes on the fact that these displays are wall-mounted Linux boxen. [Sam] sent in an exploit to root any Bravia TV, hopefully the first step towards replacing our home media server.

The exploit itself is an ordinary buffer overflow, triggered by a Python script. The script starts a Telnet server on any Sony Bravia with a USB port, giving complete root access. [Sam] was able to get a Debian install running off a USB drive, and all the Debian programs ran correctly.

If you have a Bravia you'd like to test [Sam]'s script on, you'll need a USB network adapter for the TV and a Telnet client to explore your TV's file system. Right now there's not much to do with a rooted Bravia, but at least running XBMC or another media server on the TV is now possible.

If anyone would like to start porting XBMC to a Bravia TV, [Sam] says he's more than willing to help out. We're not aware of any HDTV modding communities on the Internet, so if you're part of one, post a link in the comments.