[aleaksah] got himself a Mi Smart Kettle Pro, a kettle with Bluetooth connectivity, and a smartphone app to go with it. Despite all the smarts, it couldn’t be turned on remotely. Energized with his vision of an ideal smart home where he can turn the kettle on in the morning right as he wakes up, he set out to right this injustice. (Russian, translated) First, he tore the kettle down, intending to dump the firmware, modify it, and flash it back. Sounds simple enough — where’s the catch?
This kettle is built around the QN9022 controller, from the fairly open QN902X family of chips. QN9022 requires an external SPI flash chip for code, as opposed to its siblings QN9020 and QN9021 which have internal flash akin to ESP8285. You’d think dumping the firmware would just be a matter of reading that flash, but the firmware is encrypted at rest, with a key unique to each MCU and stored internally. As microcontroller reads the flash chip contents, they’re decrypted transparently before being executed. So, some other way had to be found, involving the MCU itself as the only entity with access to the decryption key.
Continue reading “Dumping Encrypted-At-Rest Firmware Of Xiaomi Smart Kettle”
Despite being a computer with some extra chips, synthesizers today are still quite expensive. They used to cost far more, but we tend to think of them as instruments instead of computers. And just because it is an instrument doesn’t mean someone like [Peter Sobot] can’t crack it open and patch the OS inside.
The synth in question is a Kurzweil K2500, released in 1996 with a Motorola 68000. Rather than directly start pulling out parts on the kitchen table, [Peter] began by doing some online research. The K2500 operating system is still available online, and a quick pass through Ghidra showed some proper instructions, meaning the file likely wasn’t encrypted.
He found the part of the code that reads in a new firmware file and checks the header and checksum. Certain functions were very high in memory, and a quick consultation of the service manual yielded an answer: it was the volatile RAM. With that tidbit, [Peter] was able to find the function that copied chunks of the new ROM file to RAM and start decoding the file correctly. [Peter] changed a few strings, made sure the checksums were correct, and he was ready to flash. The actual tweaks that [Peter] are made are left up to the reader, but the techniques to get a working decompiled build and a viable ROM image to flash apply to many projects. One benefit is now the K2000 simulates correctly in MAME due to his spelunking. He has his flashing script up on GitHub for the curious.
Ghidra is perfect for this kind of thing. We’ve seen people tweaking their water coolers with it. It opens to door towards tweaking anything to your liking.
You don’t necessarily have to live in a cold climate to experience how roads start to deteriorate once cracks begin forming in the asphalt surface. Even more frustrating than the potholes, dips, and road erosion is the snarled traffic that results from closing lanes to repair them. Researchers at the Georgia Tech Research Institute have developed a way to detect and quickly fix these cracks with minimal human interaction, making the process a bit less painful than before.
The automatic road patcher resides on a trailer which is towed behind a service vehicle at 5 km/h. Cameras mounted near the front of the device detect cracks down to 3mm in width using an array of LED lights to guide the way. Once a fault has been detected, nozzles mounted under the trailer blast the road with liquid tar to seal the crack before it becomes a real problem.
The system seems to work reasonably well in the tests we’ve seen, and researchers are tweaking the processing software to make the rig even more effective before rolling it out on a wider scale.