Even More Firmware In Your Firmware

There are many ways to update an embedded system in the field. Images can fly through the air one at a time, travel by sneaker or hitch a ride on other passing data. OK, maybe that’s a stretch, but there are certainly a plethora of ways to get those sweet update bytes into a target system. How are those bytes assembled, and what are the tools that do the assembly? This is the problem I needed to solve.

Recall, my system wasn’t a particularly novel one (see the block diagram below). Just a few computers asking each other for an update over some serial busses. I had chosen to bundle the payload firmware images into the binary for the intermediate microcontroller which was to carry out the update process. The additional constraint was that the blending of the three firmware images (one carrier and two payload) needed to happen long after compile time, on a different system with a separate toolchain. There were ultimately two options that fit the bill.

The system thirsty for an update


Improving More Leaf Design Flaws

[Daniel] was recently featured here for his work in improving the default charging mode for the Nissan Leaf electric vehicle when using the emergency/trickle charger included with the car. His work made it possible to reduce the amount of power the car draws if the charging plug looked like it might not be able to handle the full 1.2 kW to 3 kW that these cars pull when charging. Thanks to that work, he was able to create another upgrade for these entry-level EVs, this time addressing a major Leaf design flaw that is known as Rapidgate.

The problem that these cars have is that they still have passive thermal management for their batteries, unlike most of their competitors now. This was fine in the early ’10s when this car was one of the first all-electric cars to market, but now its design age is catching up with it. On long trips at highway speed with many rapid charges in a row the batteries can overheat easily. When this happens, the car’s charging controller will not allow the car to rapid charge any more and severely limits the charge rate even at the rapid charging stations. [Daniel] was able to tweak the charging software in order to limit the rapid charging by default, reducing it from 45 kW to 35 kW and cutting a significant amount of the heat generated during charging.

While we’d like to see Nissan actually address the design issues with their car designs while making these straightforward software changes (or at least giving Leaf owners the options that improve charging experiences), we are at least happy that there are now other electric vehicles on the market that have addressed the battery thermal management issues that are common to all EVs. If you do own a Leaf though, be sure to check out [Daniel]’s original project related to charging these cars.


Putting The Firmware In Your Firmware

Performing over-the-air updates of devices in the field can be a tricky business. Reliability and recovery is of course key, but even getting the right bits to the right storage sectors can be a challenge. Recently I’ve been working on a project which called for the design of a new pathway to update some small microcontrollers which were decidedly inconvenient.

There are many pieces to a project like this; a bootloader to perform the actual updating, a robust communication protocol, recovery pathways, a file transfer mechanism, and more. What made these micros particularly inconvenient was that they weren’t network-connected themselves, but required a hop through another intermediate controller, which itself was also not connected to the network. Predictably, the otherwise simple “file transfer” step quickly ballooned out into a complex onion of tasks to complete before the rest of the project could continue. As they say, it’s micros all the way down.

The system du jour


Hacking D-Link Firmware

When [0xRickSanchez] found some D-Link firmware he couldn’t unpack, he was curious to find out why. The firmware had a new encryption method which was doing its job of preventing tampering and static analysis. Of course, he had to figure out how to get around it and is documenting his work in a series of blog posts.

Looking at the entropy analysis showed the data to be totally random, a good sign it was either encrypted or compressed. The target router cost about $200, but a similar cheaper router used the same encryption and thus this model became the hardware of choice for testing.


High-End Ham Radio Gives Up Its Firmware Secrets

Amateur radio operators have always been at the top of their game when they’ve been hacking radios. A ham license gives you permission to open up a radio and modify it, or even to build a radio from scratch. True, as technology has advanced the opportunities for old school radio hacking have diminished, but that doesn’t mean that the new computerized radios aren’t vulnerable to the diligent ham’s tender ministrations.

A case in point: the Kenwood TH-D74A’s firmware has been dumped and partially decoded. It was a somewhat informal collaboration between [Hash (AG5OW)] and [Travis Goodspeed (KK4VCZ)], and the process started with [Hash]’s teardown of his radio, seen in the video below. The radio, a tri-band handy talkie with capabilities miles beyond even the most complex of the cheap imports and with a price tag to match, had a serial port and JTAG connector. A JTAGulator allowed him to probe some of the secrets, but a full exploration required spending $140 on a spare PCB for the radio and some deft work removing the BGA-packaged Flash ROM and dumping its image to disk.

[Travis] picked up the analysis from there. He found three programs within the image, including the radio’s firmware and a bunch of strings used in the radio’s UI, in both English and Japanese. The work is far from complete, but the foundation is there for further exploration and potential future firmware patches to give the radio a different feature set.

This is a great case study in reverse engineering, and it’s really worth a trip down the rabbit hole to learn more. If you’re looking for a more formal exploration of reverse engineering, you could do a lot worse than HackadayU’s “Reverse Engineering with Ghidra” course, which is just wrapping up. Watch for the class videos soon.

Reviving A DOA Smart Bulb With Custom Firmware For Its ESP8266

There are some incredibly cheap WiFi smart bulbs on the market these days, but as is often the case, you tend to get what you pay for. When [Viktor] took delivery of his latest bargain basement bulb, the thing didn’t even work. So much for Quality Assurance. On the plus side, it was a great excuse to pop it open and replace the firmware.

For anyone wondering, [Viktor] never actually figured out why the bulb didn’t work. Its ESP8266-based control board was getting power, and data was getting spit out of the serial port when he connected it to the computer (although he never got the communications settings right to actually see what it was saying). But he also didn’t care much; once he confirmed that the hardware was good, he just uploaded the custom firmware he’d previously developed for another ESP8266 bulb.

Of course, it wasn’t quite that easy. The chances that both bulbs would have used the same GPIO pins to control the red, green, blue, and white LEDs were pretty slim. But after some testing and modifications to the code, he was able to fire them up. The other issue was a bit trickier, as it turned out the bulb’s flash chip was too small to hold his firmware’s web configuration pages. So he had to break out the hot air gun and replace the SPI flash chip with something a bit roomier. We suppose he could have just made smaller web pages… but where’s the fun in that?

Even with the chip swap, this looks a lot easier than building your own smart bulbs from scratch. With so many cheap ESP8266 bulbs on the market, it seems there’s never been a better time to code your own home lighting solution.

A Hoverboard As An Assistive Device

Assistive devices for people with disabilities can make an inestimable difference to their lives, but with a combination of technology, complexity, and often one-off builds for individual needs, they can be eye-wateringly expensive. When the recipient is a young person who may grow out of more than one device as they mature, this cost can be prohibitive. Some way to cut down on the expense is called for, and [Phil Malone] has identified the readily available hoverboard as a possible source of motive power for devices that need it.

Aside from being a children’s toy, hoverboards have been well and truly hacked; we’ve featured them in Hacky Racers, and as hacker camp transport. But this is an application which demands controllability and finesse not needed when careering round a dusty field. He’s taken that work and built upon it to produce a firmware that he calls HUGS, designed to make the hoverboard motors precisely controllable. It’s a departure from the norm in hoverboard hacking, but perhaps it can open up new vistas in the use of these versatile components.

There is much our community can do when it comes to improving access to assistive technologies, and we hope that this project can be one of the success stories. We would however caution every reader to avoid falling into the engineer savior trap.