firmware

152 Articles

Extracting The WiFi Firmware And Putting Back A Keylogger

July 20, 2021 by 35 Comments

In the interest of simplification or abstraction, we like to think of the laptop on the kitchen table as a single discrete unit of processing. In fact, there is a surprisingly large number of small processors alongside the many cores that make up the processor. [8051enthusiast] dove into the Realtek rtl8821ae WiFi chip on his laptop and extracted the firmware. The Realtek rtl8821ae chip is a fairly standard Realtek chip as seen in this unboxing (which is where the main image comes from).

True to his name, [8051enthusiast] was pleased to find that the rtl8821ae was clearly based on the Intel 8051. The firmware was loaded on startup from a known file path and loaded onto the chip sitting in an M.2 slot. Careful consideration, [8051enthusiast] reasoned that the firmware was using RTX51 Tiny, which is a small real-time kernel.

The firmware is loaded at 0x4000 but it calls to code below that address, which means there is a ROM on the chip that contains some code. The easiest way to extract it would be to write some custom code that just copies the masked ROM back to the main CPU via the shared memory-mapped config space, but the firmware is checksummed by the masked ROM code. However, the checksum is just a 16-bit XOR. With a tweak in the kernel to allow accessing the shared config space from userspace, [8051enthusiast] was on his way to a complete firmware image.

Next, [8051enthusiast] looked at what could be done with his newfound hackability. The keyboard matrix is read by the Embedded Controller (EC), which happens to be another 8051 based microcontroller. There also happens to be an RX and a TX trace from the EC to the m.2 slot (where the rtl8821ae is). This has to do with 0x80 postcodes from the processor being routed out somewhere accessible via the EC. With a bit of custom code on both the EC and the WiFi chip, [8051enthusiast] had a keylogger that didn’t run on the main processor broadcasting the PS/2 keystrokes as UDP packets.

Of course, there are plenty of other 8051 based devices out there just waiting to be discovered. Like this 8051 based e-ink display controller.

[Main image source: Realtek RTL8821AE unboxing on YouTube by Евгений Горохов]

Commodore Inspired Watch Puts BASIC On Your Wrist

June 2, 2021 by 2 Comments

Ask a smart watch owner what their favorite wrist-mounted feature is, and they might say it’s having all their daily information available at a glance, or the ease with which they’re able to communicate with friends and family. If they don’t mention knocking out a few lines in their wearable BASIC interpreter, then you know you aren’t talking to [Nick Bild]. His “C64 Watch” firmware for the LILYGO T-Watch 2020 not only takes some visual inspiration from the Commodore 64, but also lets you relive those early computing glory days with a functional BASIC environment.

Originally [Nick] used a teeny tiny onscreen keyboard to tap out his BASIC programs, but finding the experience to be uncomfortably like torture, he switched over to using USB. Just plug the watch into your computer, open your favorite serial terminal, and you’ll have access to the customized version of TinyBasic Plus running on the watch. To make things  even easier, he’s looking at implementing a web-based terminal over WiFi so you don’t need to plug the watch in.

When you aren’t running BASIC you’ll be treated to a Commodore-themed watch face, complete with the classic READY. prompt. A small battery indicator is hidden up in the top-right corner, and tapping on the rainbow colored “C” will launch the menu. It’s pretty simplistic, but of course what else would you expect given the source material?

Looking ahead, [Nick] says he’d also like to implement a C64 emulator into the firmware so the watch could run original software. We’re a bit skeptical about how practical that would actually be, but we’ll reserve judgement until we see it in operation. He’s also hoping other Commodore aficionados will chime in with their own improvements and new features for the watch.

You might think that a Commodore 64 emulator on your wrist would be the most outlandish way to run your old games and software, but we’d say playing Turrican in a virtual reality microcosm of the 1980s takes the cake.

Continue reading “Commodore Inspired Watch Puts BASIC On Your Wrist”

Open-Source Thermostat Won’t Anger Your Landlord

February 6, 2021 by 51 Comments

[Nathan Petersen] built a Hackable Open-Source Thermostat to smooth out temperature fluctuations caused by the large hysteresis of the bimetallic strip thermostat in his apartment. While it may be tempting to adjust the “anticipator” to take care of the problem or even replace the bimetallic thermostat with an electronic version, building your own thermostat from scratch is a good way to add to your project portfolio while making your way through college. Plus, he got to hone his hardware and software design chops.

The hardware is designed around the STM32, using a cheap, minimal variant since the device just needs to sense temperature and control the furnace in on-off mode. The TMP117 high-accuracy, low-power, temperature sensor was selected for temperature measurement since accuracy was an essential feature of the project. Dry-contact output for the furnace is via a normally-open solid state relay (opto-isolator). For the user interface, instead of going the easy-route and using an I2C/SPI OLED or LCD display, [Nathan] used three 7-segment LED displays, each driven by an 8-channel constant current driver. The advantage is that the display can be viewed from across the room, and it’s brightness adjusted via PWM. Temperature set-point adjustment is via a simple slide potentiometer, whose analog voltage is read by the micro-controller ADC. To remind about battery replacement, a second ADC channel on the micro-controller monitors the battery voltage via a voltage divider. The PCB components are mostly surface mount, but the packages selected are easy enough to hand solder.

[Nathan]’s Github repo provides the hardware and firmware source files. The board is designed in Altium, but folks using KiCad can use either the awesome Altium2KiCad converter or the online service for conversion. (The results, with some minor errors that can be easily fixed, are quite usable.) Serendipitously, his PCB layout worked like a charm the first time around, without requiring any rework or bodge wires.

The firmware is a few hundred lines of custom bare-metal C code, consisting of drivers to interface with the hardware peripherals, a UI section to handle the user interface, and the control section with the algorithm for running the furnace. [Nathan] walks us through his code, digging into some control theory and filtering basics. After making a few code tweaks and running the thermostat for some time, [Nathan] concludes that it is able to achieve +0.1°F / -0.5°F temperature regulation with furnace cycles lasting about 10-15 minutes (i.e. 4-6 cycles per hour). Obviously, his well insulated apartment and a decent furnace are also major contributing factors. Moving on, for the next version, [Nathan] wants to add data collection capabilities by adding some memory and SD card storage, and use an RTC to allow seasonal adjustments or time-based set-points.

This is his first attempt at a “functional’ useful project, but he does love to build the occasional toy, such as this POV Top.

Blue Pill As A Nerdy Swiss Army Knife

November 22, 2020 by 15 Comments

Not everyone can afford an oscilloscope, and some of us can’t find a USB logic analyzer half the time. But we can usually get our hands on a microcontroller kit, which can be turned into a makeshift instrument if given the appropriate code. A perfect example is buck50 developed by [Mark Rubin], an open source firmware to turn a STM32 “Blue Pill” into a multi-purpose test and measurement instrument.

buck50 comes with a plethora of functionality built in which includes an oscilloscope, logic analyzer, and bus monitor. The device is a two way street and also comes with GPIO control as well as PWM output. There’s really a remarkable amount of functionality crammed into the project. [Mark] provides a Python application that exposes a text based UI for configuring and using the device though commands and lots of commands which makes this really nerdy. There are a number of options to visualize the data captured which includes gnuplot, gtk wave and PulseView to name a few.

[Mark] does a fantastic job not only with the firmware but also with the documentation, and we really think this makes the project stand out. Commands are well documented and everything is available on [GitHub] for your hacking pleasure. And if you are about to order a Blue Pill online, you might want to check out the nitty-gritty of the clones that are floating around.

Thanks [JohnU] for the tip!

Remoticon Video: Firmware Reverse Engineering Workshop With Asmita Jha

November 19, 2020 by 4 Comments

Taking things apart to see how they work is an important part of understanding a system, and that goes for software as much as for hardware. You can get a jump start on your firmware reverse engineering skills with Asmita Jha’s workshop which was presented live at the Hackaday Remoticon. The video has just been published, and is found below along with a bit more on what she covered in her hands-on labs.

Continue reading “Remoticon Video: Firmware Reverse Engineering Workshop With Asmita Jha”

Hacking A Netgear Router

October 7, 2020 by 7 Comments

Have you ever wanted to watch someone reverse engineer a piece of hardware and pick up some tips? You can’t be there while [Jeremy] tears open a Netgear N300 router, but you can see his process step by step in some presentation charts, and you’ll get a few ideas for the next time you want to do something like this.

The first part of the presentation might be a little basic for most Hackaday readers, but presumably, the intended audience might not know much about soldering or multimeters. But we enjoyed the methodology used to work out the UART pins on the board. We would have read the baud rate with the scope, which [Jeremy] does, but he also mentions a script to work it out and create a minicom profile that looked interesting.

Continue reading “Hacking A Netgear Router”

Even More Firmware In Your Firmware

October 1, 2020 by 13 Comments

There are many ways to update an embedded system in the field. Images can fly through the air one a time, travel by sneaker or hitch a ride on other passing data. OK, maybe that’s a stretch, but there are certainly a plethora of ways to get those sweet update bytes into a target system. How are those bytes assembled, and what are the tools that do the assembly? This is the problem I needed to solve.

Recall, my system wasn’t a particularly novel one (see the block diagram below). Just a few computers asking each other for an update over some serial busses. I had chosen to bundle the payload firmware images into the binary for the intermediate microcontroller which was to carry out the update process. The additional constraint was that the blending of the three firmware images (one carrier and two payload) needed to happen long after compile time, on a different system with a separate toolchain. There were ultimately two options that fit the bill.

The system thirsty for an update

Continue reading “Even More Firmware In Your Firmware”