firmware

153 Articles

Streaming Video From A Mouse

July 30, 2021 by 21 Comments

The first optical mice had to be used on a specially printed mousepad with a printed grid that the four-quadrant infrared sensor could detect. Later, mice swapped the infrared sensor for an optoelectric module (essentially a tiny, very low-resolution camera) and a powerful image processing. [8051enthusiast] was lying in bed one day when they decided to crack the firmware in their gaming mouse and eventually start streaming frames from the camera inside.

Step one was to analyze the protocol between the mouse and the host machine. Booting up a Windows VM and Wireshark allowed him to capture all the control transfers to the USB controller. Since it was a “programmable” gaming mouse that allowed a user to set macros, [8051enthusiast] could use the control transfers that would normally query that macro that had been set to return the memory at an arbitrary location. A little bit of tinkering later, and he now had a dump of the firmware. Looking at the most abundant bytes, it seems to match a profile similar to the Intel 8051. In a fascinating blur of reverse engineering, he traced the main structure of the program back from the function that sets the LED colors for the scroll wheel (which is dependent on the current DPI setting). Unfortunately, the firmware prevented the same macro mechanism from writing to arbitrary locations.

Looking through the code, a good old buffer overflow exploit seemed possible, but it caused the system to reset via watchdog. So he took another approach, invoking recovery mode and loading an entirely new firmware on the device, which a set_report control transfer can invoke.

Next, he moved onto the ADNS-9800 optical sensor (pictured in the top image provided by JACK Enterprises), which had a large encrypted blob in the firmware. Some poking around and deduction lead to a guess that the optical sensor was another 8051 system. With some clever reasoning and sheer determination, [8051enthusiast] was able to crack the XOR stream cipher encryption with a program that showed him versions of the disassembled assembly and allowed him to pick the one that was the most likely. With the firmware decrypted, he was able to see the encryption code and confirm his deducted algorithm.

With the sensor now cracked open, it was onto the 30 x 30 240 fps video stream. The sensor communicates over SPI, and the USB controller has to bit-bang the connection as it doesn’t have the hardware. Putting two custom firmware images on with a few extra functions was easy enough, but the 7 fps was somewhat lacking. The first optimization was loop unrolling and removing some sleeps in the firmware, which bought it up to 34 fps. By measuring the cycle counts of individual instructions, he was able to find some alternatives such as a mov instead of a setb that took one less cycle. Going from a 17 cycle loop to an 11 cycle loop and some other optimizations gave him 54 fps. Not content to stop there, he modified the ADNS-9800 firmware to continuously sample rather than waiting for the USB controller to finish processing. While this yielded 100 fps, there was still more to do: image compression. At a whopping 230 fps, [8051enthusiast] decided to call it done.

However, there was one last thing he wanted to do: control the mouse with the video stream. Writing some image processing into his Python-based program that received the image files allowed him to use the mouse, however impractically.

All in all, it’s an incredible journey by [8051enthusiast], and we would highly recommend reading the whole journey yourself. This isn’t the first time he’s modified the firmware of 8051-based devices, such as modifying the firmware of the WiFi chipset in his laptop.

[Thanks to JACK Enterprises over at Tindie for the use of the image of an ADNS9000].

 

Extracting The WiFi Firmware And Putting Back A Keylogger

July 20, 2021 by 35 Comments

In the interest of simplification or abstraction, we like to think of the laptop on the kitchen table as a single discrete unit of processing. In fact, there is a surprisingly large number of small processors alongside the many cores that make up the processor. [8051enthusiast] dove into the Realtek rtl8821ae WiFi chip on his laptop and extracted the firmware. The Realtek rtl8821ae chip is a fairly standard Realtek chip as seen in this unboxing (which is where the main image comes from).

True to his name, [8051enthusiast] was pleased to find that the rtl8821ae was clearly based on the Intel 8051. The firmware was loaded on startup from a known file path and loaded onto the chip sitting in an M.2 slot. Careful consideration, [8051enthusiast] reasoned that the firmware was using RTX51 Tiny, which is a small real-time kernel.

The firmware is loaded at 0x4000 but it calls to code below that address, which means there is a ROM on the chip that contains some code. The easiest way to extract it would be to write some custom code that just copies the masked ROM back to the main CPU via the shared memory-mapped config space, but the firmware is checksummed by the masked ROM code. However, the checksum is just a 16-bit XOR. With a tweak in the kernel to allow accessing the shared config space from userspace, [8051enthusiast] was on his way to a complete firmware image.

Next, [8051enthusiast] looked at what could be done with his newfound hackability. The keyboard matrix is read by the Embedded Controller (EC), which happens to be another 8051 based microcontroller. There also happens to be an RX and a TX trace from the EC to the m.2 slot (where the rtl8821ae is). This has to do with 0x80 postcodes from the processor being routed out somewhere accessible via the EC. With a bit of custom code on both the EC and the WiFi chip, [8051enthusiast] had a keylogger that didn’t run on the main processor broadcasting the PS/2 keystrokes as UDP packets.

Of course, there are plenty of other 8051 based devices out there just waiting to be discovered. Like this 8051 based e-ink display controller.

[Main image source: Realtek RTL8821AE unboxing on YouTube by Евгений Горохов]

Commodore Inspired Watch Puts BASIC On Your Wrist

June 2, 2021 by 2 Comments

Ask a smart watch owner what their favorite wrist-mounted feature is, and they might say it’s having all their daily information available at a glance, or the ease with which they’re able to communicate with friends and family. If they don’t mention knocking out a few lines in their wearable BASIC interpreter, then you know you aren’t talking to [Nick Bild]. His “C64 Watch” firmware for the LILYGO T-Watch 2020 not only takes some visual inspiration from the Commodore 64, but also lets you relive those early computing glory days with a functional BASIC environment.

Originally [Nick] used a teeny tiny onscreen keyboard to tap out his BASIC programs, but finding the experience to be uncomfortably like torture, he switched over to using USB. Just plug the watch into your computer, open your favorite serial terminal, and you’ll have access to the customized version of TinyBasic Plus running on the watch. To make things  even easier, he’s looking at implementing a web-based terminal over WiFi so you don’t need to plug the watch in.

When you aren’t running BASIC you’ll be treated to a Commodore-themed watch face, complete with the classic READY. prompt. A small battery indicator is hidden up in the top-right corner, and tapping on the rainbow colored “C” will launch the menu. It’s pretty simplistic, but of course what else would you expect given the source material?

Looking ahead, [Nick] says he’d also like to implement a C64 emulator into the firmware so the watch could run original software. We’re a bit skeptical about how practical that would actually be, but we’ll reserve judgement until we see it in operation. He’s also hoping other Commodore aficionados will chime in with their own improvements and new features for the watch.

You might think that a Commodore 64 emulator on your wrist would be the most outlandish way to run your old games and software, but we’d say playing Turrican in a virtual reality microcosm of the 1980s takes the cake.

Continue reading “Commodore Inspired Watch Puts BASIC On Your Wrist”

Open-Source Thermostat Won’t Anger Your Landlord

February 6, 2021 by 51 Comments

[Nathan Petersen] built a Hackable Open-Source Thermostat to smooth out temperature fluctuations caused by the large hysteresis of the bimetallic strip thermostat in his apartment. While it may be tempting to adjust the “anticipator” to take care of the problem or even replace the bimetallic thermostat with an electronic version, building your own thermostat from scratch is a good way to add to your project portfolio while making your way through college. Plus, he got to hone his hardware and software design chops.

The hardware is designed around the STM32, using a cheap, minimal variant since the device just needs to sense temperature and control the furnace in on-off mode. The TMP117 high-accuracy, low-power, temperature sensor was selected for temperature measurement since accuracy was an essential feature of the project. Dry-contact output for the furnace is via a normally-open solid state relay (opto-isolator). For the user interface, instead of going the easy-route and using an I2C/SPI OLED or LCD display, [Nathan] used three 7-segment LED displays, each driven by an 8-channel constant current driver. The advantage is that the display can be viewed from across the room, and it’s brightness adjusted via PWM. Temperature set-point adjustment is via a simple slide potentiometer, whose analog voltage is read by the micro-controller ADC. To remind about battery replacement, a second ADC channel on the micro-controller monitors the battery voltage via a voltage divider. The PCB components are mostly surface mount, but the packages selected are easy enough to hand solder.

[Nathan]’s Github repo provides the hardware and firmware source files. The board is designed in Altium, but folks using KiCad can use either the awesome Altium2KiCad converter or the online service for conversion. (The results, with some minor errors that can be easily fixed, are quite usable.) Serendipitously, his PCB layout worked like a charm the first time around, without requiring any rework or bodge wires.

The firmware is a few hundred lines of custom bare-metal C code, consisting of drivers to interface with the hardware peripherals, a UI section to handle the user interface, and the control section with the algorithm for running the furnace. [Nathan] walks us through his code, digging into some control theory and filtering basics. After making a few code tweaks and running the thermostat for some time, [Nathan] concludes that it is able to achieve +0.1°F / -0.5°F temperature regulation with furnace cycles lasting about 10-15 minutes (i.e. 4-6 cycles per hour). Obviously, his well insulated apartment and a decent furnace are also major contributing factors. Moving on, for the next version, [Nathan] wants to add data collection capabilities by adding some memory and SD card storage, and use an RTC to allow seasonal adjustments or time-based set-points.

This is his first attempt at a “functional’ useful project, but he does love to build the occasional toy, such as this POV Top.

Blue Pill As A Nerdy Swiss Army Knife

November 22, 2020 by 15 Comments

Not everyone can afford an oscilloscope, and some of us can’t find a USB logic analyzer half the time. But we can usually get our hands on a microcontroller kit, which can be turned into a makeshift instrument if given the appropriate code. A perfect example is buck50 developed by [Mark Rubin], an open source firmware to turn a STM32 “Blue Pill” into a multi-purpose test and measurement instrument.

buck50 comes with a plethora of functionality built in which includes an oscilloscope, logic analyzer, and bus monitor. The device is a two way street and also comes with GPIO control as well as PWM output. There’s really a remarkable amount of functionality crammed into the project. [Mark] provides a Python application that exposes a text based UI for configuring and using the device though commands and lots of commands which makes this really nerdy. There are a number of options to visualize the data captured which includes gnuplot, gtk wave and PulseView to name a few.

[Mark] does a fantastic job not only with the firmware but also with the documentation, and we really think this makes the project stand out. Commands are well documented and everything is available on [GitHub] for your hacking pleasure. And if you are about to order a Blue Pill online, you might want to check out the nitty-gritty of the clones that are floating around.

Thanks [JohnU] for the tip!

Remoticon Video: Firmware Reverse Engineering Workshop With Asmita Jha

November 19, 2020 by 4 Comments

Taking things apart to see how they work is an important part of understanding a system, and that goes for software as much as for hardware. You can get a jump start on your firmware reverse engineering skills with Asmita Jha’s workshop which was presented live at the Hackaday Remoticon. The video has just been published, and is found below along with a bit more on what she covered in her hands-on labs.

Continue reading “Remoticon Video: Firmware Reverse Engineering Workshop With Asmita Jha”

Hacking A Netgear Router

October 7, 2020 by 7 Comments

Have you ever wanted to watch someone reverse engineer a piece of hardware and pick up some tips? You can’t be there while [Jeremy] tears open a Netgear N300 router, but you can see his process step by step in some presentation charts, and you’ll get a few ideas for the next time you want to do something like this.

The first part of the presentation might be a little basic for most Hackaday readers, but presumably, the intended audience might not know much about soldering or multimeters. But we enjoyed the methodology used to work out the UART pins on the board. We would have read the baud rate with the scope, which [Jeremy] does, but he also mentions a script to work it out and create a minicom profile that looked interesting.

Continue reading “Hacking A Netgear Router”