IoT Air Purifier Makes A Great Case Study In Reverse Engineering

Here at Hackaday, about the only thing we like more than writing up tales of reverse engineering heroics is writing up tales of reverse engineering heroics that succeed in jailbreaking expensive widgets from their needless IoT dependency. It’s got a real “stick it to the man” vibe that’s hard to resist.

The thing is, we rarely see a reverse engineering write-up as thorough as the one [James Warner] did while integrating an IoT air purifier into Home Assistant, so we just had to make sure we called this one out. Buckle up; it’s a long, detailed post that really gets down into the weeds, but not unnecessarily so. [James] doesn’t cloud-shame the appliance manufacturer, so we can’t be sure who built this, but it’s someone who thought it’d be a swell idea to make the thing completely dependent on their servers for remote control via smartphone. The reverse engineering effort started with a quick look at the phone app, but when that didn’t pay off in any useful way, [James] started snooping on what the device was talking about using Wireshark.

One thing led to another, wires were soldered to the serial pins on the ESP32 on the purifier’s main board, and with the help of a FlipperZero as a UART bridge, the firmware was soon in hand. This gave [James] clues about the filesystem, which led to a whole Ghidra side quest into learning how to flash the firmware. [James] then dug into the meat of the problem: figuring out the packet structure used to talk to the server, and getting the private key used to encrypt the packets. This allowed a classic man-in-the-middle attack to figure out the contents of each packet and eventually, an MQTT bridge to let Home Assistant control the purifier.

If it sounds like we glossed over a lot, we know — this article is like a master class on reverse engineering. [James] pulled a lot of tools out of his kit for this, and the write-up is clear and concise. You may not have the same mystery fan to work with, but this would be a great place to start reverse engineering just about anything.

Thanks to [ThoriumBR] for the tip.

Decompiling Sonic Runners

Usually, when you hear about games being decompiled and rebuilt, the games are often decades-old relics, loving and saved from the ravages of time. [MattKC] recently set out to decompile the 2015 game Sonic Runners.

The game was a 2D endless runner released on mobile platforms. Despite getting praise for the gameplay, it received mixed reviews for the pop-up ads and pay-to-play elements. A little over a year later, the game was discontinued. However, the game required a constant online connection, so once the servers were offline, it rendered the over five million downloads unplayable.

A team of developers worked to reverse engineer the server, and with a little bit of binary hacking, the client could be patched to connect to a community-hosted server instead. However, as phones with notched displays came out and suggestions for improvements stacked up, the community realized a new client would bring immense benefits. Compared to many decompilation projects, Sonic Runners was pretty easy as it uses Unity, which means most of the code is in C#. Unfortunately, the build of Unity used by the game is from 2012, meaning many of the tools designed for much later versions of Unity were inoperable.

However, one native code library called UnmanagedProcess was designed to confuse reverse engineering efforts. The library handled AES encryption and communication with the server. Luckily, the library was a later addition, and earlier versions of its functions still lingered in the C# code. Since an open source server already existed, it was trivial to validate the changes. Additionally, all the shaders were in OpenGL Shading Language (GLSL), which meant rewriting them in High-Level Shading Language (HLSL) and checking that they matched the original GLSL when building for Android.

Now the client has new game modes, no ads, and a proper offline mode. The community continues adding new features and refining the game, which is very satisfying. If you’re curious about reverse engineering, [Matthew Alt] can help you get started.

Continue reading “Decompiling Sonic Runners

Screenshot of the code decompiled after these patches are applied, showing that all the register writes are nicely decompiled and appropriate register names are shown in the code

Making Ghidra Play Nice With RP2040

Developing firmware for RP2040 is undeniably fun, what’s with all these PIOs. However, sometimes you will want to switch it around and reverse-engineer some RP2040 firmware instead. If you’ve ever tried using Ghidra for that, your experience might have been seriously lackluster due to the decompiled output not making sense when it comes to addresses – thankfully, [Wejn] has now released patches for Ghidra’s companion, SVD-Loader, that turn it all around, and there’s a blog post to go with these.

SVD-Loader, while an indispensable tool for ARM work, didn’t work at all with the RP2040 due to a bug – fixed foremost. Then, [Wejn] turned to a pecularity of the RP2040 – Atomic Register Access, that changes addressing in a way where the usual decompile flow will result in nonsense addresses. Having brought a ton of memory map data into the equation, [Wejn] rewrote the decoding and got it to a point where peripheral accesses now map to nicely readable register writes in decompiled code – an entirely different picture!

You can already apply the patches yourself if you desire. As usual, there’s still things left in TODO for proper quality of life during your Ghidra dive, but the decompiled code makes way more sense now than it did before. Now, if you ever encounter a RP2040-powered water cooler or an air quality meter, you are ready to take a stab at its flash contents. Not yet familiar with the Ghidra life? Well, our own HackadayU has just the learning course for you!

Matthew [wrongbaud] Alt Is Fighting The Good Fight

In a perfect world, all of our electronic devices would come with complete documentation, and there’d be open source libraries available for interfacing them with whatever we wanted. There’d never be arbitrary lockouts preventing us from using a piece of hardware in a way the manufacturer didn’t approve of, and the “cloud” wouldn’t be a black-box server in some data center on the other side of the planet, but a transparent and flexible infrastructure for securely storing and sharing information.

Unfortunately, that’s not the world we live in. What’s worse, rather than moving towards that electronic utopia, the industry appears to be heading in the opposite direction. It seems like every month we hear about another service shutting down and leaving viable hardware to twist in the wind. Just yesterday Google announced they’d be retiring their Stadia game streaming service early next year — leaving users with unique Internet-connected controllers that will no longer have a back-end to communicate with.

Matthew Alt

Luckily for us, there’s folks like Matthew [wrongbaud] Alt out there. This prolific hacker specializes in reverse engineering, and has a knack not just for figuring out how things work, but in communicating those findings with others. His conquests have graced these pages many times, and we were fortunate enough to have him helm the Introduction to Reverse Engineering with Ghidra class for HackadayU back in 2020. This week, he stopped by the Hack Chat to talk about the past, present, and future of reverse engineering.

Matthew got his start in reverse engineering during college, when he was working in a shop that specialized in tuning engine control units (ECUs). He was responsible for figuring out how the ECUs functioned, which ultimately would allow them to be modified to improve engine performance beyond the vehicle’s stock configuration. Sometimes that involved uploading modified calibration data, or disabling functions that were detrimental to engine performance. These software changes could potentially increase engine output by as much as 50 HP, though he says that sometimes the goal was to simply increase throttle response so the vehicle would feel more aggressive on the road.

Moving on to the tools of the trade, Matthew explained why he prefers using Ghidra for embedded targets over classic reverse engineering tools like IDA Pro. As an example he points to a recent project where he used Ghidra’s API and intermediary language PCode to crack passwords in Game Boy Advance games. Though he does mention that IDA still has its place if you’re looking to peek into some Windows C++ software.

Matthew also pointed to new techniques and tools for working with fault injection which have opened up a lot of exciting possibilities over the last few years. In fact, he says tools like ChipWhisperer will become invaluable as newer devices adopt advanced security features. When gadgets are using secure boot and encrypted firmware, gaining access is going to take a bit more than just finding an unleaded serial port on the board. Glitching attacks will become more commonplace, so you might as well get up to speed now.

Colin O’Flynn’s ChipWhisperer makes side-channel power analysis and glitching attacks far more accessible.

To that end, Matthew pointed out a number of instructional courses that he and other hardware hackers such as Joe Grand have put together for those who want to get started with practical reverse engineering and have some disposable income. For those who’d rather work though it on their own, he dropped links to several Capture-the-Flag (CTF) events and wargames you can use to hone your skills.

We’d like to thank Matthew Alt for not just stopping by the Hack Chat, but for being such a good friend to the Hackaday community. His work has been inspirational for all of us here, and it’s always exciting when he’s penned a new blog post detailing another challenge bested. The next time your favorite MegaCorp releases some anti-consumer gadget, you can take some comfort in knowing he’s still out there bending hardware to his will.

The Hack Chat is a weekly online chat session hosted by leading experts from all corners of the hardware hacking universe. It’s a great way for hackers connect in a fun and informal way, but if you can’t make it live, these overview posts as well as the transcripts posted to make sure you don’t miss out.

A Kurzweil K2500 piano

Patching The Kurzweil K2500 Synthesizer

Despite being a computer with some extra chips, synthesizers today are still quite expensive. They used to cost far more, but we tend to think of them as instruments instead of computers. And just because it is an instrument doesn’t mean someone like [Peter Sobot] can’t crack it open and patch the OS inside.

The synth in question is a Kurzweil K2500, released in 1996 with a Motorola 68000. Rather than directly start pulling out parts on the kitchen table, [Peter] began by doing some online research. The K2500 operating system is still available online, and a quick pass through Ghidra showed some proper instructions, meaning the file likely wasn’t encrypted.

He found the part of the code that reads in a new firmware file and checks the header and checksum. Certain functions were very high in memory, and a quick consultation of the service manual yielded an answer: it was the volatile RAM. With that tidbit, [Peter] was able to find the function that copied chunks of the new ROM file to RAM and start decoding the file correctly. [Peter] changed a few strings, made sure the checksums were correct, and he was ready to flash. The actual tweaks that [Peter] are made are left up to the reader, but the techniques to get a working decompiled build and a viable ROM image to flash apply to many projects. One benefit is now the K2000 simulates correctly in MAME due to his spelunking. He has his flashing script up on GitHub for the curious.

Ghidra is perfect for this kind of thing. We’ve seen people tweaking their water coolers with it. It opens to door towards tweaking anything to your liking.

Baby Steps Toward DIY Autonomous Driving: VW Golf Edition

Nice thermal design, but conformal coating and no ID marks make this tough to reverse engineer

[Willem Melching] owns a 2010 Volkswagen Golf – a very common vehicle in Europe – and noticed that whilst the electronic steering rack supports the usual Lane Keep Assist (LKAS) system, and would be theoretically capable of operating in a far more advanced configuration using openpilot, there were some shortcomings in VW’s implementation which means that it would not function for long enough to make it viable. Being very interested in and clearly extremely capable at reverse engineering car ECUs and hacking them into submission, [Willem] set about documenting his journey to unlocking openpilot support for his own vehicle.

And what a journey it was! The four-part blog series is beautifully written, showing every gory detail and all tools used along the way. The first part shows the Electronic Power Steering (EPS) ECU from a 2010 Volkswagen Golf Mk6 module (which rides on the back of the three-phase steering rack motor) being cracked open to reveal an interesting multi-chip module approach, with bare die directly bonded to a pair of substrate PCBs, that are in turn, bonded to the back of the motor casing, presumably for heat dissipation reasons. Clever design, but frustrating at the same time as this makes part identification somewhat tricker!

Entropy less the 1.0, and zero sections indicate no encryption applied

[Willem] uses a variety of tools and tricks to power up and sniff the ECU traffic on the CAN bus, when hooked up to a SAE J2534-compliant debug tool, eventually determining it speaks the VW-specific TP2.0 CAN bus protocol, and managed to grab enough traffic to check that it was possible to use the standard KWP2000 diagnostic protocol to access some interesting data. Next was a very deep dive into reverse engineering update images found online, by first making some trivial XOR operations, then looking at an entropy plot of the file using Binwalk to determine if he really did have code, and if it was encrypted or not, After running cpu_rec, it was determined the CPU was a Renesas V850. Then the real work started – loading the image into Ghidra to start making some guesses of the architecture of the code, to work out what needed patching to make the desired changes. In the final part of the series, [Willem] extracts and uses the bootloader procedure to partially patch the code configuration area of his vehicle and unlocks the goal he was aiming at – remote control of his steering. (OK, the real goal was running openpilot.)

In our opinion, this is a very interesting, if long, read showing a fascinating subject expertly executed. But we do want to stress, that the vehicular EPS module is an ASIL-D safety tested device, so any hacks you do to a road-going vehicle will most definitely void your insurance (not to mention your warranty) if discovered in the event of a claim.

Older ECUs are a bit easier to hack, if you can pull the EPROM, and people out there are producing modules for allsorts of vehicular hacking. So plenty to tinker with!

An image showing a water cooler PCB on the desk, with probes and jumper wires connected to it.

Taking Water Cooler UX Into Your Own Hands With Ghidra

Readers not aware of what Ghidra is might imagine some kind of aftermarket water cooler firmware or mainboard – a usual hacker practice with reflow ovens. What [Robbe Derks] did is no less impressive and inspiring:  A water cooler firmware mod that adds hands-free water dispensing, without requiring any hardware mods or writing an alternative firmware from scratch.

Having disassembled the cooler, [Robbe] found a PIC18F6527 on the mainboard, and surprisingly, it didn’t have firmware readback protection. Even lack of a PICkit didn’t stop him – he just used an Arduino to dump the firmware, with the dumper code shared for us to reuse, and the resulting dumps available in the same repository.

From there, he involved Ghidra to disassemble the code, while documenting the process in a way we can all learn from, and showing off the nifty tricks Ghidra has up its sleeves. Careful planning had to be done to decide which functions to hook and when, where to locate all the extra logic so that there’s no undesirable interference between it and the main firmware, and an extra step taken to decompile the freshly-patched binary to verify that it looks workable before actually flashing the cooler with it.

The end result is a water cooler that works exactly as it ought to have worked, perhaps, if the people defining its user interaction principles were allowed to make it complex enough. We could argue whether this should have been a stock function at all, but either way, it is nice to know that we the hackers still have some of the power to make our appliances friendly — even when they don’t come with an OS. Certainly, every single one of us can think of an appliance long overdue for a usability boost like this. What are your examples?

We’ve covered quite a few Ghidra-involving hacks, but it never feels like we’ve had enough. What about patching an air quality meter to use Fahrenheit? Or another highly educational write-up on cracking GBA games? Perhaps, liberating a Linux-powered 4G router to reconfigure it beyond vendor-defined boundaries? If you have your own goal in mind and are looking to start your firmware reverse-engineering journey, we can say with certainty that you can’t go wrong with our HackadayU course on Ghidra.