34C3: Using Your Car As Video Game Controller

Despite the presence of human drivers, modern cars are controlled by computers. In their talk at the Chaos Communication Congress, [Guillaume Heilles] and [P1kachu] demonstrate the potential of taking control of a car’s computer. This of course leads to the natural conclusion of emulating an Xbox controller and using the car to play computer games.

Their research was limited by the fact that the only cars they had access to were the daily drivers of different members of [P1kachu]’s family, which meant that all tinkering had to be strictly non-destructive. Despite this, they achieved impressive results and deliver a great introduction to reverse engineering.

[P1kachu] used a Raspberry Pi and an OBD-II adapter to get onto the car’s CAN bus, and he begins the presentation with a quick overview of the protocol. He then briefly touches on the security measures he ran into; these are optional, and their implementation varies widely between manufacturers. His first attempt to access the CAN bus was blocked outright by a challenge-response authentication gate doing its job. His mother’s convertible, however, presented no such obstacle, and once on the bus he was able to map the position of the steering wheel and pedals to a game controller, using the car to play video games.
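The mapping step above (working out which CAN frame and byte tracks the steering wheel or a pedal, then turning that raw value into a controller axis) is the classic non-destructive CAN reverse-engineering move: capture traffic with the input held still, capture again while moving it, and diff. The example below is added here to illustrate that workflow; it is not code from the talk or from [P1kachu]. It parses candump-style log lines, flags bytes that are stable at idle but swing while the input moves (which also filters out rolling counters that change regardless of input), and scales the raw byte to a signed 16-bit gamepad axis. The CAN IDs, byte offsets and values in the sample logs are constructed and do not correspond to any real vehicle.

```python
# Added example: locate a physical input on the CAN bus by diffing idle
# versus active captures, then map its raw value to a gamepad axis.
# All CAN IDs, offsets and values below are constructed for illustration;
# real signal layouts differ per manufacturer and model.
import re

# candump -l style line: "(timestamp) iface ID#HEXDATA"
CANDUMP_RE = re.compile(
    r"^\((?P<ts>[\d.]+)\)\s+(?P<iface>\S+)\s+(?P<id>[0-9A-Fa-f]+)#(?P<data>[0-9A-Fa-f]*)$"
)

# Constructed sample: ID 0x1A0 carries a hypothetical steering byte at index 0,
# a rolling counter at index 1, and a constant at index 2; 0x2C4 is unrelated.
IDLE_LOG = [
    "(1.000) can0 1A0#8000C0",
    "(1.010) can0 1A0#8001C0",
    "(1.020) can0 1A0#8002C0",
    "(1.000) can0 2C4#00",
    "(1.010) can0 2C4#00",
]
ACTIVE_LOG = [
    "(2.000) can0 1A0#1003C0",
    "(2.010) can0 1A0#6004C0",
    "(2.020) can0 1A0#B005C0",
    "(2.030) can0 1A0#F006C0",
    "(2.000) can0 2C4#00",
    "(2.010) can0 2C4#00",
]


def parse_candump(lines):
    """Yield (can_id, data_bytes) for every well-formed candump line."""
    for line in lines:
        m = CANDUMP_RE.match(line.strip())
        if not m:
            continue
        yield int(m.group("id"), 16), bytes.fromhex(m.group("data"))


def byte_ranges(frames):
    """Map (can_id, byte_index) -> (min, max) value seen across the frames."""
    ranges = {}
    for can_id, data in frames:
        for i, b in enumerate(data):
            lo, hi = ranges.get((can_id, i), (b, b))
            ranges[(can_id, i)] = (min(lo, b), max(hi, b))
    return ranges


def find_moving_bytes(idle_lines, active_lines, min_swing=16):
    """Return (can_id, byte_index) pairs that are steady while the input is
    idle (range <= 1, so rolling counters are rejected) but swing by at
    least min_swing while the input is being moved."""
    idle = byte_ranges(parse_candump(idle_lines))
    active = byte_ranges(parse_candump(active_lines))
    hits = []
    for key, (lo, hi) in active.items():
        ilo, ihi = idle.get(key, (None, None))
        if ilo is not None and ihi - ilo <= 1 and hi - lo >= min_swing:
            hits.append(key)
    return sorted(hits)


def to_axis(raw, lo, hi):
    """Clamp raw to [lo, hi] and scale it to a signed 16-bit axis [-32768, 32767]."""
    raw = max(lo, min(hi, raw))
    frac = (raw - lo) / (hi - lo)
    return int(round(-32768 + frac * 65535))


def axis_trace(lines, key, lo, hi):
    """Axis value for every frame of key=(can_id, byte_index) in the capture."""
    can_id, idx = key
    return [to_axis(data[idx], lo, hi)
            for cid, data in parse_candump(lines)
            if cid == can_id and len(data) > idx]


if __name__ == "__main__":
    hits = find_moving_bytes(IDLE_LOG, ACTIVE_LOG)
    print("candidate signal bytes:", [(hex(c), i) for c, i in hits])
    # Calibrate against the observed swing, then feed a virtual gamepad.
    key = hits[0]
    lo, hi = byte_ranges(parse_candump(ACTIVE_LOG))[key]
    print("axis trace:", axis_trace(ACTIVE_LOG, key, lo, hi))
```

In practice the calibration range (lo, hi) comes from turning the wheel lock to lock once; the clamp in `to_axis` then keeps occasional out-of-range bytes from wrapping the axis. Feeding the result to an emulated controller is left to whatever virtual-gamepad library the platform offers.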

After this, [Guillaume] steps in and walks us through the teardown of a gadget that plugs into the OBD-II port and claims to do amazing things for your car’s mileage by reprogramming the ECU. The device was not brand specific, and having seen how differently manufacturers implement the protocol, [Guillaume] and [P1kachu] doubted that the gadget could even hold the information required to modify every known implementation out there. Listening to the device’s output, a quick analysis of the circuit, and finally decapping the single chip they found showed that their doubt was justified. The lecture closes with an extended Q&A that adds more information on car hacking. Those who don’t have access to a car can instead tear down hot glue guns, Doppler modules, or antique calculators.


34C3: Fitbit Sniffing and Firmware Hacking

If you walked into a gym and asked to sniff exercise equipment you would get some mighty strange looks. If you tell hackers you’ve sniffed a Fitbit, you might be asked to give a presentation. [Jiska] and [DanielAW] were not only able to sniff Bluetooth data from a run-of-the-mill Fitbit fitness tracker, they were also able to connect to the hardware with data lines using test points etched right on the board. Their Fitbit sniffing talk at 34C3 can be seen after the break. We appreciate their warning that opening a Fitbit will undoubtedly void your warranty since Fitbits don’t fare so well after the sealed case is cracked. It’s all in the name of science.

There’s some interesting background on how Fitbits generally work. For instance, the Fitbit pairs with your phone, and that pairing has to be validated with the cloud server. But once the cloud server sends back authentication credentials they never change, because they’re bound to the device ID of the Fitbit. That makes the process vulnerable to replay attacks: credentials captured once stay valid.
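Why a credential that is a fixed function of the device ID is replayable, and what a challenge-response variant changes, is easiest to see with both sides of the exchange in code. The model below is added here for illustration; it is not Fitbit’s protocol and is not code from [Jiska] and [DanielAW]. The server key, device ID and credential derivation are constructed stand-ins. In the static variant the phone sends the credential itself, so a sniffer replays it verbatim; in the challenge variant the same long-lived credential is only ever used as a key over a single-use server nonce, so a captured response is useless the next time.

```python
# Added example (simplified model, not Fitbit's real protocol): static
# device-bound credential vs. challenge-response over the same credential.
import hashlib
import hmac
import os

# Assumption: a server-side secret from which device credentials are derived.
SERVER_KEY = b"constructed-server-key"


def issue_credential(device_id: bytes) -> bytes:
    """Credential bound only to the device ID: it never changes, by design."""
    return hmac.new(SERVER_KEY, device_id, hashlib.sha256).digest()


class StaticAuthServer:
    """Accepts the bare credential. Anything that was valid once is valid forever."""

    def verify(self, device_id: bytes, credential: bytes) -> bool:
        return hmac.compare_digest(issue_credential(device_id), credential)


class ChallengeAuthServer:
    """Issues a fresh nonce per attempt and accepts an HMAC over it."""

    def __init__(self):
        self._pending = {}

    def challenge(self, device_id: bytes) -> bytes:
        nonce = os.urandom(16)
        self._pending[device_id] = nonce
        return nonce

    def verify(self, device_id: bytes, response: bytes) -> bool:
        nonce = self._pending.pop(device_id, None)  # single use
        if nonce is None:
            return False
        expected = hmac.new(issue_credential(device_id), nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def phone_respond(device_id: bytes, nonce: bytes) -> bytes:
    """Phone side: prove possession of the credential without sending it."""
    return hmac.new(issue_credential(device_id), nonce, hashlib.sha256).digest()


def replay_static(device_id: bytes):
    """Sniffer captures the credential on the air, then replays it.
    Returns (legitimate_login_ok, replay_ok)."""
    server = StaticAuthServer()
    on_the_air = issue_credential(device_id)      # what the phone transmits
    legit = server.verify(device_id, on_the_air)
    replay = server.verify(device_id, on_the_air)  # attacker, later
    return legit, replay


def replay_challenge(device_id: bytes):
    """Same capture against the challenge-response server.
    Returns (legitimate_login_ok, replay_ok)."""
    server = ChallengeAuthServer()
    nonce = server.challenge(device_id)
    on_the_air = phone_respond(device_id, nonce)  # what the sniffer sees
    legit = server.verify(device_id, on_the_air)
    server.challenge(device_id)                   # new nonce for the next attempt
    replay = server.verify(device_id, on_the_air)  # attacker replays old response
    return legit, replay


if __name__ == "__main__":
    dev = b"constructed-device-id-0001"
    print("static credential   (legit, replay):", replay_static(dev))
    print("challenge-response  (legit, replay):", replay_challenge(dev))
```

The point is not the HMAC but where the freshness comes from: with a static credential there is nothing in the message that the server did not already know, so it cannot distinguish the phone from anyone who listened to the phone. The fix that was shipped, disabling the plaintext live mode, does not address this pairing-time weakness.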

Data being sent between the Fitbit and the phone can be encrypted, but there is a live mode that sends the data as plain text. The only protection seemed to be security by obscurity, since a separate Bluetooth handle is used for this mode. Live mode avoids having to send every encrypted packet to the server for decryption (which would otherwise be needed for every heartbeat packet). So far the fix for this has been the ability to disable live mode. If you have your own Fitbit to play with, sniffing live mode would be a fun place to start.

The hardware side of this hack begins by completely removing the PCB from the rubber case. The board is running an STM32 and the team wanted to get deep access by enabling GDB. Unfortunately, the debug pins were only enabled during reset and the stock firmware disables them at startup (as it should). The workaround was to rewrite the firmware so that the necessary GPIO remain active and there’s an interesting approach here. You may remember [Daniel Wegemer] from the Nexmon project that reverse engineered the Nexus 5 WiFi. He leveraged the binary patching he used on Nexmon to patch the Fitbit firmware to enable debugging support. Sneaky!

For more about 34C3 we have a cheatsheet of the first day and for more about Fitbit security, check out this WAV file.


80’s Smartwatch Finally Plays Tetris

While the current generation of smartwatches have only been on the market for a few years, companies have been trying to put a computer on your wrist since as far back as the 80s with varying degrees of success. One such company was Seiko, who in 1984 unveiled the UC-2000: a delightfully antiquated attempt at bridging the gap between wristwatch and personal computer. Featuring a 4-bit CPU, 2 KB of RAM, and 6 KB of ROM, the UC-2000 was closer to a Tamagotchi than its modern day counterparts, but at least it could run BASIC.

Dumping registers

Ever since he saw the UC-2000 mentioned online, [Alexander] wanted to get one and try his hand at developing his own software for it. After securing one on eBay, the first challenge was getting it connected to a modern computer. (Translated from Russian here.) [Alexander] managed to modernize the UC-2000’s novel induction-based data transfer mechanism with help from an ATtiny85, which allowed him to get his own code onto the watch. All that was left was figuring out how to write it.

With extremely limited published information, and no toolchain, [Alexander] did an incredible job of figuring out the assembly required to interact with the hardware. Along the way he made a number of discoveries which set his plans back, such as the fact that there is no way to directly control individual pixels on the screen; all graphics would have to be done with the built-in symbols.

The culmination of all this hard work? Playing Tetris, naturally. Though [Alexander] admits that the limitations of the device’s hardware meant the game had to be simplified a bit, he’s almost certainly having more fun than any of the UC-2000’s original owners did with this device. He’s set up a GitHub repository for anyone who wishes to join him in this brave new world of vintage wrist computing.

[Alexander] isn’t the only one experimenting with fringe wearable computers. We’ve seen our fair share of interesting smartwatches, featuring everything from novel input methods to complete scratch-builds.


The Art Of The Silicon Chip

If you have followed the group of reverse engineers whose work on classic pieces of silicon we feature regularly here at Hackaday, you may well be familiar with the appearance of the various components that make up their gates and other functions. What you may not be familiar with, however, are the features that can occasionally be found which have no function other than the private amusement of the chip designers themselves. Alongside the transistors, resistors, and interconnects, there are sometimes little pieces of artwork inserted into unused spaces on the die, visible only to those fortunate enough to own a powerful microscope.

Fortunately those of us without such an instrument can also take a look at these works, thanks to the Smithsonian Institution, who have brought together a gallery of them on the web as part of their chip collection. In it we find cartoon characters such as Dilbert, favourites from children’s books such as Waldo, and the Japanese monster Godzilla. There are animals, cows, a leopard, a camel, and a porpoise, and of course company logos aplenty.

In a sense, these minuscule artworks are what our more strident commenters might describe as Not A Hack, but to dismiss them in such a manner would be to miss their point. Even in an age of huge teams of integrated circuit designers working with computerized tools rather than the lone geniuses of old with their hand drafting, we can still see little flashes of individuality with no practical or commercial purpose and with no audience except a very few. And we like that.

Also take a look at the work of [Ken Shirriff] for a masterclass in IC reverse engineering.

Amazing 3D-Scanner Teardown and Rebuild

Pour yourself a nice hot cup of tea, because [iliasam]’s latest work on a laser rangefinder (in Russian, translated here) is a long and interesting read. The shorter version is that he got his hands on a broken laser security scanner, nearly completely reverse-engineered it, got it working again, put it on a Roomba that was able to map out his apartment, and then re-designed it to become a tripod-mounted, full-room 3D scanner. Wow.

The scanner in question has a spinning mirror and a laser time-of-flight ranger, and is designed to shut down machinery when people enter a “no-go” region. As built, it returns ranges along a horizontal plane — it’s a 2D scanner. The conversion to a 3D scanner meant adding another axis, and to do this with sufficient precision required flipping the rig on its side, salvaging the fantastic bearings from a VHS machine, and driving it all with the surprisingly common A4988 stepper driver and an Arduino. A program on a PC reads in the data, and the stepper moves another 0.36 degrees. The results speak for themselves.

This isn’t [iliasam]’s first laser-rangefinder project, naturally. We’ve previously featured his homemade parallax-based ranger for use on a mobile robot, which is equally impressive. What amazes us most about these builds is the near-professional quality of the results pulled off on a shoestring budget.


Rebonding an IC to Save Tatakae! Big Fighter

Preserving old arcade games is a niche pastime that can involve some pretty serious hacking skills. If the story here were just that someone pulled the chip from a game, took it apart, and figured out the ROM contents, that’d be pretty good. But the real story is way stranger than that.

Apparently, a bunch of devices were sent to a lab to be reverse engineered and were somehow lost. Nearly ten years later, the devices reappeared, and another group has taken the initiative to recover their contents. The chip in question was part of a 1989 arcade game called Tatakae! Big Fighter, and it had been hacked. Literally hacked. Like with an ax or something worse.

You can read the story of how the contents were recovered. You shouldn’t try this at home without a vent hood and other safety gear. However, they did rebond wires to the device using a clever trick and no exotic equipment (assuming you have some fairly good optical microscopes and a microprobe on a lens positioner).
