Introducing FISSURE: A Toolbox For The RF Hacker

No matter what the job at hand is, if you’re going to tackle it, you’re going to need the right kit of tools. And if your job includes making sense out of any of the signals in the virtual soup of RF energy we all live in, then you’re going to need something like the FISSURE RF framework.

Exactly what FISSURE is is pretty clear from its acronym, which stands for Frequency Independent SDR-Based Signal Understanding and Reverse Engineering. This is all pretty new — it looks like [Chris Poore] presented a talk at DEFCON a few weeks back about using FISSURE to analyze powerline communications between semi-trucks and their trailers, and they’ve got a talk scheduled for next month’s GNU Radio Conference as well. We’ve been looking through all the material we can find on FISSURE, and it appears to be an RF hacker’s dream come true. They’ve got a few examples on Twitter, like brute-forcing an old garage door opener with a security code set by a ten-position DIP switch, and sending tire pressure monitoring system (TPMS) signals to a car. They also mention some of the framework’s capabilities on the GitHub README; we’re especially interested in packet crafting for various protocols. The video below has some more examples of what FISSURE can do.

It looks like FISSURE could be a lot of fun, and very handy for your RF analysis and reverse engineering work. If you’ve been using Universal Radio Hacker like we have, this looks similar, only more so. We’ll be downloading it soon and giving it a try, so be on the lookout for a hands-on report.


Air Filter DRM? Hacker Opts Out With NFC Sticker

[Flamingo-tech]’s Xiaomi air purifier has a neat safety feature: it will refuse to run if a filter needs replacement. Of course, by “neat” we mean “annoying”. Especially when the purifier sure seems to judge a filter to be useless much earlier than it should. Is your environment relatively clean, and the filter still has legs? Are you using a secondary pre-filter to extend the actual filter’s life? Tough! Time’s up. Not only is this inefficient, but it’s wasteful.

Every Xiaomi filter contains an NTAG213 NFC tag with a unique ID and uses a unique password for communications, but how this password was generated (and therefore how to generate new ones) was not known. This meant that compatible tags recognized by the purifier could not be created. Until now, that is. [Flamingo-tech] has shared the discovery of how Xiaomi generates the password for communication between filter and purifier.

A small NFC sticker is now all it takes to have the purifier recognize a filter as new.

[Flamingo-tech] has long been a proponent of fooling Xiaomi purifiers into acting differently. In the past, this meant installing a modchip to hijack the DRM process. That’s a classic method of getting around nonsense DRM on things like label printers and dishwashers, but in this case, reverse-engineering efforts paid off.

It’s now possible to create simple NFC stickers that play by all the right rules. Is a filter’s time up according to the NFC sticker, but it’s clearly still good? Just peel that NFC sticker off and slap on a new one, and as far as the purifier is concerned, it’s a new filter!

If you’re interested in the reverse-engineering journey, there’s a GitHub repository with all the data. And for those interested in purchasing compatible NFC stickers, [Flamingo-tech] has some available for sale.

A Deeper Dive Into Reverse Engineering With A CT Scanner

We’ve recently got a look at how [Ken Shirriff] used an industrial CT scanner as a reverse engineering tool. The results were spectacular, with pictures that clearly showed the internal arrangement of parts that haven’t seen the light of day since the module was potted back in the 60s. And now, [Ken]’s cohort [Curious Marc] has dropped a video with more detail on the wonderful machine, plus deep dives into more Apollo-era hardware.

If you liked seeing the stills [Ken] used to reverse engineer the obscure flip-flop module, you’re going to love seeing [Marc] using the Lumafield scanner’s 3D software to non-destructively examine several Apollo artifacts. First to enter the sample chamber of the CT scanner was a sealed module called the Central Timing Equipment, which served as the master clock for the Apollo Command Module. The box’s magnesium case proved to be no barrier to the CT scanner’s beam, and the 3D model that was built up from a series of 2D images was astonishingly detailed. The best part about the virtual models is the ability to slice through them in any plane — [Marc] used this feature to hunt down the clock’s quartz crystal.

Mapping Out The LEDs On An Outlet Tester

The concept of an outlet tester is pretty simple: plug the gadget into a suspect wall receptacle, and an array of LEDs light up in various patterns to alert the user to any wiring faults. They’re cheap, reliable, and instantaneous. Most people wouldn’t give them much more thought than that, but like any good hacker, [Yeo Kheng Meng] wanted to know how these devices worked.

After picking up a relatively advanced model that featured an LCD display capable of showing various stats such as detected voltage in addition to the standard trio of LEDs, he started by using some test leads to simulate various fault conditions to understand the basic principle behind its operation. The next step was to disassemble the unit, which is where things went briefly sideways — it wasn’t until [Yeo Kheng Meng] and a friend had nearly cut through the enclosure that they realized it wasn’t ultrasonically welded like they assumed, and that the screws holding it together were actually hidden under a sticker. Oops.

The write-up includes some excellent PCB shots, and [Yeo Kheng Meng] was able to identify several components and ascertain their function. He was even able to find some datasheets, which isn’t always such an easy task with these low-cost devices. Unfortunately the MCU that controls the device’s more advanced features is locked away with a black epoxy blob, but he was able to come up with a schematic that explains the rather elegant logic behind the LED display.

This isn’t the first time [Yeo Kheng Meng] has taken apart an interesting piece of hardware for our viewing pleasure, and given the fine job he does of it, we hope it’s not the last either.

CT Scans Help Reverse Engineer Mystery Module

The degree to which computed tomography has been a boon to medical science is hard to overstate. CT scans give doctors a look inside the body that gives far more information about the spatial relationship of structures than a plain X-ray can. And as it turns out, CT scans are pretty handy for reverse engineering mystery electronic modules, too.

The fact that the mystery module in question is from Apollo-era test hardware leaves little room for surprise that [Ken Shirriff] is the person behind this fascinating little project. You’ll recall that [Ken] recently radiographically reverse engineered a pluggable module of unknown nature, using plain X-ray images taken at different angles to determine that the undocumented Motorola module was stuffed full of discrete components that formed part of a square wave to sine wave converter.

The module for this project, a flip-flop from Motorola and in the same form factor, went into an industrial CT scanner from an outfit called Lumafield, where X-rays were taken from multiple angles. The images were reassembled into a three-dimensional view by the scanner’s software, which gave a stunningly clear view of the components embedded within the module’s epoxy body. The cordwood construction method is obvious, and it’s pretty easy to tell what each component is. The transistors are obvious, as are the capacitors and diodes. The resistors were a little more subtle, though — careful examination revealed that some are carbon composition, while others are carbon film. It’s even possible to pick out which diodes are Zeners.

The CT scan data, along with some more traditional probing for component values, let [Ken] reverse engineer the whole circuit, which turned out to be a little different than a regular J-K flip-flop. Getting a non-destructive look inside feels a little like sitting alongside the engineers who originally built these things, which is pretty cool.

Hacking The RF Protocol Of An Obscure Handheld Game

When you think old school handheld games, you probably imagine something like Nintendo’s Game Boy line or the Sega Game Gear. But outside of those now iconic systems, there was a vast subculture of oddball handheld games vying for a chunk of an adolescent’s weekly allowance. Many of these were legitimately terrible and frankly aren’t worth remembering, but a few offered unique features that were arguably ahead of their time.

One such game was Hasbro’s short-lived P-O-X. As explained by [Zachary Ennenga], the game didn’t spend much time on store shelves as its core concept of defeating undetectable alien invaders hell-bent on destroying our way of life proved to be more than a little problematic when it launched in September of 2001. But that doesn’t mean it didn’t have some cool ideas, such as a wireless ad-hoc multiplayer capability that let your game autonomously battle it out with other units that got close by.

Fascinated by this feature since his youth, [Zach] set out to study how this relatively cheap kid’s toy was able to pull this off back when even the flagship handheld consoles were still using physical link cables for multiplayer. He was aided in his quest by a particularly helpful patent, which not only gave him clues as to the frequency, data rate, modulation, and encoding of the RF signal, but even explained the game’s logic and overall structure. A lot of what was in the document seemed wishful thinking on the part of Hasbro, but reading through the marketing speak still uncovered some salient technical details.

A decoded P-O-X packet.

Armed with an RTL-SDR, GNU Radio, Inspectrum, and a bit of Python, [Zach] was able to identify the signal and begin the process of decoding it. This is where things get really interesting, as the details of his reverse engineering process are widely applicable for all sorts of unknown RF signals. Even if you’re like most people and have nearly zero interest in failed handheld games of the early 2000s, it’s well worth a read. The same techniques he uses to figure out the name and physical characteristics of the invisible foe his game is transmitting could one day help you figure out how to manipulate the data from that wireless weather station you’ve got in the backyard.

Once he figured out the major parts of the protocol, [Zach] moved on to creating his own packets and broadcasting them in such a way that the real hardware would recognize them. He even came up with some code that will automatically battle games which wander within range of his Yardstick One, which may come in handy during the inevitable P-O-X Renaissance.

While this might seem like a lot of effort to put into a game that most people have never even heard of, we’ll remind you that some of the greatest hacks to ever grace these pages have been born of similar pursuits. Even if you’re the only person in the world to directly benefit from your current line of research and experimentation, there are still plenty of like-minded folks in this community who are all too happy to cheer you on from the sidelines.

Reverse Engineering An Apollo-Era Module With X-Ray

The gear that helped us walk on the Moon nearly 60 years ago is still giving up its mysteries today, with some equipment from the Apollo era taking a little bit more effort to reverse engineer than others. A case in point is this radiographic reverse engineering of some Apollo test gear, pulled off by [Ken Shirriff] with help from his usual merry band of Apollo aficionados.

The item in question is a test set used for ground testing of the Up-Data Link, which received digital commands from mission controllers. Contrary to the highly integrated construction used in Apollo flight hardware, the test set, which was saved from a scrapyard, used more ad hoc construction, including cards populated by mysterious modules. The pluggable modules bear Motorola branding, and while they bear some resemblance to ICs, they’re clearly not.

[Ken] was able to do some preliminary reverse-engineering using methods we’ve seen him employ before, but ran into a dead end with his scope and meter without documentation. So the modules went under [John McMaster]’s X-ray beam for a peek inside. They discovered that the 13-pin modules are miniature analog circuits using cordwood construction, with common discrete passives stacked vertically between parallel PCBs. The module they imaged showed clear shadows of carbon composition resistors, metal-film capacitors, and some glass-body diodes. Different angles let [Ken] figure out the circuit, which appears to be part of a square wave to sine wave converter.

The bigger mystery here is why the original designer chose this method of construction. There must still be engineers out there who worked on stuff like this, so here’s hoping they chime in on this innovative method.