Cracking the Case of Capcom’s CPS2 Security

We love a good deep-dive on a specialized piece of technology, the more obscure the better. You’re getting a sneak peek into a world that, by rights, you were never meant to know even existed. A handful of people developed the system, and as far as they knew, nobody would ever come through to analyze and investigate it to find out how it all went together. But they didn’t anticipate the tenacity of a curious hacker with time on their hands.

[Eduardo Cruz] has done a phenomenal job of documenting one such system, the anti-piracy mechanisms present in the Capcom CPS2 arcade board. He recently wrote in to tell us he’s posted his third and final entry on the system, this time focusing on figuring out what a mysterious six pin header on the CPS2 board did. Hearing from others that fiddling with this header occasionally caused the CPS2 board to automatically delete the game, he knew it must be something important. Hackaday Protip: If there’s a self-destruct mechanism attached to it, that’s probably the cool part.

He followed the traces from the header connector, identified on the silkscreen as C9, back to a custom Capcom IC labeled DL-1827. After decapping the DL-1827 and putting it under the microscope, [Eduardo] made a pretty surprising discovery: it wasn’t actually doing anything with the signals from the header at all. Once the chip is powered up, it simply acts as a pass-through for those signals, which are redirected to another chip: the DL-1525.

[Eduardo] notes that this deliberate attempt at obfuscating which chips are actually connected to different headers on the board is a classic trick that companies like Capcom would use to try to make it harder to hack into their boards. Once he figured out DL-1525 was what he was really after, he was able to use the information he gleaned from his earlier work to piece together the puzzle.

This particular CPS2 hacking journey only started last March, but [Eduardo] has been investigating the copy protection systems on arcade boards since 2014.

[Thanks to Arduino Enigma for the tip.]

USB Reverse Engineering: A Universal Guide

Every hacker knows what it is to venture down a rabbit hole. Whether it lasts an afternoon, a month, or decades, finding a new niche topic and exploring where it leads is a familiar experience for Hackaday readers.

[Glenn ‘devalias’ Grant] is a self-proclaimed regular rabbit hole diver and is conscious that, between forays into specific topics, short-term knowledge and state of mind can be lost. This time, whilst exploring reverse engineering USB devices, [Glenn] captured the best resources, information and tools – for his future self as well as others.

His guide is impressively comprehensive, and covers all the necessary areas in hardware and software. After formally defining a USB system, [Glenn] refers us to [LinuxVoice] for a nifty tutorial on writing a Linux USB driver for an RC car in Python. Moving on to hardware, a number of open-source and commercial options are discussed, including GoodFET, FaceDancer, and Daisho – an FPGA-based monitoring tool for analysing USB 3.0, HDMI and Gigabit Ethernet. If you only need to sniff low-speed USB, here’s a beautifully small packet snooper from last year’s Hackaday Prize.

This is a guide which is well-informed, clearly structured, and includes TL;DR sections in the perfect places. It gives due credit to LibUSB and PyUSB, and even includes resources for USB over IP.

If you’re worried about USB hacks like BadUSB, perhaps you should check out GoodUSB – a hardware firewall for USB devices.

Header image: Ed g2s (CC-SA 3.0).

Hacking a Cheap Laser Rangefinder

When a new piece of technology comes out, the price is generally so high that it keeps away everyone but the die-hard early adopters. But with time the prices inch down enough that more people are willing to buy, which then drives the prices down even more, until eventually the economies of scale really kick in and the thing is so cheap that it’s almost an impulse buy. Linux SBCs, Blu-ray lasers, 3D printers; you name it and the hacker community has probably benefited from the fact that it’s not just the hacker community that’s interested anymore.

Which is exactly what’s started to happen with laser rangefinders. Once almost exclusively a military technology, you can now pick up a basic “laser tape measure” for less than $40 USD from the normal overseas suppliers. Unfortunately, as [iliasam] found, they aren’t particularly well suited to other tasks. For one there’s no official way of getting the data out of the thing, but the other problem is that the sample rate is less than one per second. Believing the hardware itself was promising enough, he set out to reverse engineer and replace the firmware running on one of these cheap laser rangefinders (Google Translate from Russian).

His blog post is an absolute wealth of information on how these devices operate, and a must read for anyone interested in reverse engineering. But the short version is that he figured out a way to reprogram the STM32F100C8T6 microcontroller used in the device, and develop his own firmware that addresses the usability concerns of this otherwise very promising gadget.

With some minor hoop jumping, the laser tape measure PCB can be hooked up to an ST-Link programmer, and the firmware provided by [iliasam] can be used to enable an easy-to-use serial interface. Perfect for pairing with an Arduino or Raspberry Pi to get fast and accurate range data without breaking the bank.

It probably won’t surprise you to see this isn’t the first time [iliasam] has gotten down and dirty with a laser rangefinder. This extremely impressive build from last year allowed for incredibly accurate 3D scans of his room, and before that he created his own rangefinder from scratch.


Reverse Engineering Bottle Threads for Fun and Profit

Recently, one of [Eric]’s clients asked him to design a bottle. Simple enough for a product designer, except that the client needed it to thread into a specific type of cap. And no, they don’t know the specs.

But that’s no problem, thought [Eric] as he turned on the exhaust fan and reached for the secret ingredient that would make casting the negative image of the threads a breeze. He mixed up the foul-smelling body filler with the requisite hardener and some lovely cyan toner powder and packed it into the cap with a tongue depressor. Then he capped off the cast by adding a small PVC collar to lengthen the cast so he has something to grab on to when it’s time to take it out.

Bondo does seem like a good choice for casting threads. You need something workable enough to twist out of there without breaking, but rigid enough that the small detail of the threads isn’t lost. For the release agent, [Eric] used Johnson’s Paste Wax. He notes from experience that it works particularly well with Bondo, and even seems to help it cure.

Once the Bondo hardened, [Eric] made sure it screwed in and out of the cap and then moved on to CAD modeling and 3D printing bottle prototypes until he was satisfied. We’ve got the video screwed in after the break to cap things off.

Did you know that you can also use toner powder to tint your epoxy resin? Just remember that it is particulate matter, and take precautions.


Eavesdropping on a VGA Monitor’s Conversations

Did you ever wonder what your monitor and your computer are talking about behind your back? As it turns out, there’s quite a conversation going on while the monitor and the computer decide how to get along, and sniffing out VGA communications can reveal some pretty fascinating stuff about the I²C protocol.

To reverse engineer the configuration information exchanged between a VGA monitor and a video card, [Ken Shirriff] began by lopping a VGA cable in two. The inside of such cables is surprisingly complex, with separate shielding wires for each color and sync channel and a host of control wires, all bundled in multiple layers of shielding foil and braid to reduce EMI. [Ken] identified the clock and data lines used for the I²C interface and broke those out into a PocketBeagle for analysis using the tiny Linux machine’s I²C tools.

With a Python script to help decode the monitor’s Extended Display Identification Data (EDID), [Ken] was able to see everything the monitor knows about itself — manufacturer, serial number, all the supported resolution modes, and even deprecated timing and signal information left over from the days when CRTs ruled the desktop. Particularly interesting are the surprisingly limited capabilities of a VGA display in terms of color reproduction, as well as [Ken]’s detailed discussion on the I²C bus in general and how it works.
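The EDID block the monitor hands over on the I²C lines is a fixed 128-byte structure, and decoding it is mostly a matter of knowing the byte offsets. As an added illustration (this is not [Ken]’s script, and the EDID bytes below are constructed for the demo rather than captured from a real monitor), here is a small Python decoder. Since the bytes come from an external device over a bus with no authentication, it checks the length, the fixed header and the checksum before trusting any field, then pulls out the manufacturer ID, product code, serial number, established and standard timings, the first detailed timing and the monitor name descriptor.

```python
"""Minimal decoder for the 128-byte VESA EDID 1.3 base block.

Added example, not [Ken Shirriff]'s script. The sample EDID is constructed
for the demo and describes a fictitious monitor.
"""
import struct

HEADER = b"\x00\xff\xff\xff\xff\xff\xff\x00"

# Established timings, bit 7 .. bit 0 of EDID bytes 35, 36 and 37.
ESTABLISHED = [
    ["720x400@70", "720x400@88", "640x480@60", "640x480@67",
     "640x480@72", "640x480@75", "800x600@56", "800x600@60"],
    ["800x600@72", "800x600@75", "832x624@75", "1024x768@87i",
     "1024x768@60", "1024x768@70", "1024x768@75", "1280x1024@75"],
    ["1152x870@75"] + [None] * 7,
]
ASPECT = {0: (16, 10), 1: (4, 3), 2: (5, 4), 3: (16, 9)}  # EDID 1.3 encoding


def build_sample_edid() -> bytes:
    """Construct a 128-byte EDID block (fictitious monitor, not real hardware)."""
    e = bytearray(128)
    e[0:8] = HEADER
    # Manufacturer ID: three 5-bit letters "HAD" (A=1 .. Z=26), big-endian.
    e[8:10] = struct.pack(">H", (8 << 10) | (1 << 5) | 4)
    e[10:12] = struct.pack("<H", 0x1234)      # product code, little-endian
    e[12:16] = struct.pack("<I", 12345678)    # serial number, little-endian
    e[16], e[17] = 12, 2018 - 1990            # week, year offset from 1990
    e[18], e[19] = 1, 3                       # EDID version 1.3
    e[20] = 0x08                              # analog input (bit 7 clear), separate sync
    e[21], e[22] = 48, 27                     # screen size in cm
    e[23] = int(2.2 * 100) - 100              # gamma 2.2
    e[35], e[36], e[37] = 0x21, 0x08, 0x00    # 640x480@60, 800x600@60, 1024x768@60
    # Standard timings: 1280x1024@60 (5:4), 1920x1080@60 (16:9), rest unused (0x0101).
    e[38:54] = bytes([0x81, 0x80, 0xD1, 0xC0] + [0x01, 0x01] * 6)
    # Descriptor 1: detailed timing, 1280x1024 active, 108.00 MHz pixel clock.
    e[54:72] = bytes.fromhex("302A009851002A4030701300E00E1100001E")
    # Descriptor 2: monitor name (tag 0xFC), newline-terminated, space-padded.
    e[72:90] = b"\x00\x00\x00\xfc\x00" + b"HAD VGA 1\n   "
    # Descriptors 3 and 4: dummy descriptors (tag 0x10).
    e[90:108] = e[108:126] = b"\x00\x00\x00\x10\x00" + b"\x00" * 13
    e[126] = 0                                # no extension blocks
    e[127] = (-sum(e[:127])) & 0xFF           # checksum: all 128 bytes sum to 0 mod 256
    return bytes(e)


def decode_edid(edid: bytes) -> dict:
    """Parse the base block; raise ValueError before trusting malformed data."""
    if len(edid) != 128:
        raise ValueError("base EDID block must be 128 bytes")
    if edid[0:8] != HEADER:
        raise ValueError("bad EDID header")
    if sum(edid) % 256 != 0:
        raise ValueError("EDID checksum mismatch")

    mfg = struct.unpack(">H", edid[8:10])[0]
    info = {
        "manufacturer": "".join(chr(64 + ((mfg >> s) & 0x1F)) for s in (10, 5, 0)),
        "product_code": struct.unpack("<H", edid[10:12])[0],
        "serial": struct.unpack("<I", edid[12:16])[0],
        "week": edid[16],
        "year": 1990 + edid[17],
        "version": f"{edid[18]}.{edid[19]}",
        "digital": bool(edid[20] & 0x80),
        "size_cm": (edid[21], edid[22]),
        "gamma": (edid[23] + 100) / 100,
        "established": [], "standard": [], "detailed": [], "name": None,
    }
    for byte, names in zip(edid[35:38], ESTABLISHED):
        for bit, name in enumerate(names):
            if name and byte & (0x80 >> bit):
                info["established"].append(name)
    for i in range(38, 54, 2):                # eight 2-byte standard timing slots
        b1, b2 = edid[i], edid[i + 1]
        if b1 == 0x01 and b2 == 0x01:
            continue                          # unused slot
        h = (b1 + 31) * 8
        ax, ay = ASPECT[b2 >> 6]
        info["standard"].append((h, h * ay // ax, (b2 & 0x3F) + 60))
    for off in range(54, 126, 18):            # four 18-byte descriptors
        d = edid[off:off + 18]
        clock = struct.unpack("<H", d[0:2])[0]
        if clock:                             # non-zero pixel clock: detailed timing
            h = d[2] | ((d[4] & 0xF0) << 4)
            v = d[5] | ((d[7] & 0xF0) << 4)
            info["detailed"].append((h, v, clock / 100))   # MHz
        elif d[3] == 0xFC:                    # monitor name descriptor
            info["name"] = d[5:18].split(b"\n")[0].decode("ascii", "replace").strip()
    return info


if __name__ == "__main__":
    for key, value in decode_edid(build_sample_edid()).items():
        print(f"{key:>13}: {value}")
```

On a real system the same bytes can be read from `/sys/class/drm/*/edid` or with `i2cdump` on the DDC bus, and fed straight into `decode_edid`; the checksum and header checks are what keep a flaky cable or a misbehaving device from producing plausible-looking garbage.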

We always enjoy these looks under the hood that [Ken] is so good at, and we look forward to his reverse engineering write-ups. His recent efforts include a look at core memory from a 50-year-old mainframe and reverse engineering at the silicon level.

How To Reverse Engineer Mechanical Designs for 3D Modeling

If you’re interested in 3D printing or CNC milling — or really any kind of fabrication — then duplicating or interfacing with an existing part is probably on your to-do list. The ability to print replacement parts when something breaks is often one of the top selling points of 3D printing. Want some proof? Just take a look at what people made for our Repairs You Can Print contest.

Of course, to do that you need to be able to make an accurate 3D model of the replacement part. That’s fairly straightforward if the part has simple geometry made up of a primitive solid or two. But what about the more complicated parts you’re likely to come across?

In this article, I’m going to teach you how to reverse engineer and model those parts. Years ago, I worked for a medical device company where the business model was to duplicate out-of-patent medical products. That meant that my entire job was reverse engineering complex precision-made devices as accurately as possible. The goal was to reproduce products that were indistinguishable from the original, and because they were used for things like trauma reconstruction, it was critical that I got it right.


What’s Inside A Neonode Laser Sensor?

Every once in a while, you get your hands on a cool piece of hardware, and of course, it’s your first instinct to open it up and see how it works, right? Maybe see if it can be coaxed into doing just a little bit more than it says on the box? And so it was last Wednesday, when I was at the Embedded World trade fair, and stumbled on a cool touch display floating apparently in mid-air.

The display itself was a sort of focused Pepper’s Ghost illusion, reflected off of an expensive mirror made by Aska3D. I don’t know much more — I didn’t get to bring home one of the fancy glass plates — but it looked pretty good. But this display was interactive: you could touch the floating 2D projection as if it were actually there, and the software would respond. What was doing the touch response in mid-air? I’m a sucker for sensors, so I started asking questions and left with a small box of prototype Neonode zForce AIR sensor sticks to take apart.

The zForce sensors are essentially an array of IR lasers and photodiodes with some lenses that limit their field of view. The IR light hits your finger and bounces back to the photodiodes on the bar. Because the photodiodes have a limited angle over which they respond, they can be used to triangulate the distance of the finger above the display. Scanning quickly among the IR lasers and noting which photodiodes receive a reflection can locate a few fingertips in a 2D space, which explained the interactive part of the floating display. With one of these sensors, you can add a 2D touch surface to anything. It’s like an invisible laser harp that can also sense distance.

The intended purpose is fingertip detection, and that’s what the firmware is good at, but it must also be the case that it could detect the shape of arbitrary (concave) objects within its range, and that was going to be my hack. I got 90% of the way there in one night, thanks to affordable tools and free software that every hardware hacker should have in their toolbox. So read on for the unfortunate destruction of nice hardware, a tour through some useful command-line hardware-hacking tools, and gratuitous creation of animations from sniffed SPI-like data pulled off of some test points.
