CT Scans Help Reverse Engineer Mystery Module

The degree to which computed tomography has been a boon to medical science is hard to overstate. CT scans give doctors a look inside the body that reveals far more about the spatial relationship of structures than a plain X-ray can. And as it turns out, CT scans are pretty handy for reverse engineering mystery electronic modules, too.

The fact that the mystery module in question is from Apollo-era test hardware leaves little room for surprise that [Ken Shirriff] is the person behind this fascinating little project. You’ll recall that [Ken] recently radiographically reverse engineered a pluggable module of unknown nature, using plain X-ray images taken at different angles to determine that the undocumented Motorola module was stuffed full of discrete components that formed part of a square wave to sine wave converter.

The module for this project, a flip-flop from Motorola and in the same form factor, went into an industrial CT scanner from an outfit called Lumafield, where X-rays were taken from multiple angles. The images were reassembled into a three-dimensional view by the scanner’s software, which gave a stunningly clear view of the components embedded within the module’s epoxy body. The cordwood construction method is obvious, and it’s pretty easy to tell what each component is. The transistors are obvious, as are the capacitors and diodes. The resistors were a little more subtle, though — careful examination revealed that some are carbon composition, while others are carbon film. It’s even possible to pick out which diodes are Zeners.

The CT scan data, along with some more traditional probing for component values, let [Ken] reverse engineer the whole circuit, which turned out to be a little different than a regular J-K flip-flop. Getting a non-destructive look inside feels a little like sitting alongside the engineers who originally built these things, which is pretty cool.

Hacking The RF Protocol Of An Obscure Handheld Game

When you think old school handheld games, you probably imagine something like Nintendo’s Game Boy line or the Sega Game Gear. But outside of those now iconic systems, there was a vast subculture of oddball handheld games vying for a chunk of an adolescent’s weekly allowance. Many of these were legitimately terrible and frankly aren’t worth remembering, but a few offered unique features that were arguably ahead of their time.

One such game was Hasbro’s short-lived P-O-X. As explained by [Zachary Ennenga], the game didn’t spend much time on store shelves as its core concept of defeating undetectable alien invaders hell-bent on destroying our way of life proved to be more than a little problematic when it launched in September of 2001. But that doesn’t mean it didn’t have some cool ideas, such as a wireless ad-hoc multiplayer capability that let your game autonomously battle it out with other units that got close by.

Fascinated by this feature since his youth, [Zach] set out to study how this relatively cheap kid’s toy was able to pull this off back when even the flagship handheld consoles were still using physical link cables for multiplayer. He was aided in his quest by a particularly helpful patent, which not only gave him clues as to the frequency, data rate, modulation, and encoding of the RF signal, but even explained the game’s logic and overall structure. A lot of what was in the document seemed wishful thinking on the part of Hasbro, but reading through the marketing speak still uncovered some salient technical details.

A decoded P-O-X packet.

Armed with an RTL-SDR, GNU Radio, Inspectrum, and a bit of Python, [Zach] was able to identify the signal and begin the process of decoding it. This is where things get really interesting, as the details of his reverse engineering process are widely applicable for all sorts of unknown RF signals. Even if you’re like most people and have nearly zero interest in failed handheld games of the early 2000s, it’s well worth a read. The same techniques he uses to figure out the name and physical characteristics of the invisible foe his game is transmitting could one day help you figure out how to manipulate the data from that wireless weather station you’ve got in the backyard.

Once he had figured out the major parts of the protocol, [Zach] moved on to creating his own packets and broadcasting them in such a way that the real hardware would recognize them. He even came up with some code that will automatically battle games which wander within range of his Yardstick One, which may come in handy during the inevitable P-O-X Renaissance.

While this might seem like a lot of effort to put into a game that most people have never even heard of, we’ll remind you that some of the greatest hacks to ever grace these pages have been born of similar pursuits. Even if you’re the only person in the world to directly benefit from your current line of research and experimentation, there are still plenty of like-minded folks in this community who are all too happy to cheer you on from the sidelines.

Reverse Engineering An Apollo-Era Module With X-Ray

The gear that helped us walk on the Moon nearly 60 years ago is still giving up its mysteries today, with some equipment from the Apollo era taking a little bit more effort to reverse engineer than others. A case in point is this radiographic reverse engineering of some Apollo test gear, pulled off by [Ken Shirriff] with help from his usual merry band of Apollo aficionados.

The item in question is a test set used for ground testing of the Up-Data Link, which received digital commands from mission controllers. Contrary to the highly integrated construction used in Apollo flight hardware, the test set, which was saved from a scrapyard, used more ad hoc construction, including cards populated by mysterious modules. The pluggable modules bear Motorola branding, and while they bear some resemblance to ICs, they’re clearly not.

[Ken] was able to do some preliminary reverse engineering using methods we’ve seen him employ before, but without documentation he hit a dead end with just his scope and meter. So the modules went under [John McMaster]’s X-ray beam for a peek inside. They discovered that the 13-pin modules are miniature analog circuits using cordwood construction, with common discrete passives stacked vertically between parallel PCBs. The module they imaged showed clear shadows of carbon composition resistors, metal-film capacitors, and some glass-body diodes. Images from different angles let [Ken] figure out the circuit, which appears to be part of a square wave to sine wave converter.

The bigger mystery here is why the original designer chose this method of construction. There must still be engineers out there who worked on stuff like this, so here’s hoping they chime in on this innovative method.

A Handy Breakout Board For E-Paper Hacking

If you follow the exploits of [Aaron Christophel] (and trust us, you should), you’ll know that for some time now he’s been rather obsessed with electronic price tags, specifically those with e-paper displays. It’s certainly not hard to see why — these low-power devices are perfect for ambient displays, and their integrated wireless capabilities mean you can put one in every room and update them from a central transmitter.

But with such a wide array of products on the market, [Aaron] has found himself doing a lot of e-paper reverse engineering. This involves sticking a logic analyzer between the display and the tag’s microcontroller, which he found to be a rather finicky task. That’s why he created the Universal E-Paper Sniffer: a breakout PCB that lets you snoop on display communication without having to resort to unpleasant methods like scratching off the solder mask to tap into the traces by hand.

It’s a pretty simple gadget: on either side, you’ve got a connector for 24-pin, 0.5 mm pitch flat flex cable, which [Aaron] has identified as the most common interface for these displays, and in the middle you’ve got a standard 2.54 mm pitch header. There are no other components on the board, and all the traces go right through to the other side.

Add a few jumpers and a cheap logic analyzer, and you’re ready to sniff some SPI commands. Check out the video after the break for a general walk-through of what it looks like to start sniffing around a new display.

The Gerber files for the breakout are available for free, or you can choose to buy a fabricated board through PCBWay to kick [Aaron] a portion of the sale price. However you get one, we think this will be a handy little tool to have around if you find yourself bitten by the price tag hacking bug.

The Tools That Lovingly Tore Apart A Vintage Computer Game

The structure of computer game assets can be a bit of a mystery, even more so the older a game is, and some amount of reverse-engineering can be expected when pulling apart a game like 1995’s Night Light.

[voussoir] had fond memories of this game by GTE Entertainment, which had an interesting “flashlight” mechanic to serve the exploration theme. Spooky shapes in dark rooms would be revealed to be quite ordinary (and therefore not scary at all) once illuminated with a flashlight, which was directed by the mouse.

Extracting game assets was partly straightforward, thanks to many of them being laid out in a handy folder structure, with .bmp files for each level in a modest resolution. But there were also some unusual .mov files that were less than a second long, and those took a little more work to figure out.

It turns out that these unusual movie files were 80 frames in length, and each frame was a tile of a larger image. [voussoir] used ffmpeg to extract each frame, then wrote a Python script to stitch the tiles together. Behold! The results are high-resolution versions of each level’s artwork. Stitching the first 16 frames into a 4×4 grid yields a 1024×768 image, and the remaining 64 frames can be put into an 8×8 grid for a fantastic 2048×1376 version. The last piece was extracting audio, but sadly the ISO [voussoir] was using seems to have had errors, and not all the audio survived.
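The stitching step described above, as an added example rather than [voussoir]’s own script: frames are modelled as lists of pixel rows so it runs without PIL or numpy, the 80 frames are split into the 4×4 and 8×8 grids named in the writeup, and a small helper checks the tile geometry the two composite sizes imply. It assumes the frames have already been pulled out of the .mov files with ffmpeg; the sample tiles are constructed in-line.

```python
from typing import List, Sequence, Tuple

# A frame/tile is a list of rows, each row a list of pixel values (e.g. (r, g, b) tuples).
Frame = List[List[object]]

def tile_size(composite_w: int, composite_h: int, cols: int, rows: int) -> Tuple[int, int]:
    """Tile dimensions implied by a composite size and grid shape; refuses uneven splits."""
    if composite_w % cols or composite_h % rows:
        raise ValueError(f"{composite_w}x{composite_h} does not split evenly into {cols}x{rows} tiles")
    return composite_w // cols, composite_h // rows

def stitch_tiles(tiles: Sequence[Frame], cols: int, rows: int) -> Frame:
    """Lay out `tiles` row-major (left to right, then top to bottom) in a cols x rows grid."""
    if len(tiles) != cols * rows:
        raise ValueError(f"a {cols}x{rows} grid needs {cols * rows} tiles, got {len(tiles)}")
    tile_h, tile_w = len(tiles[0]), len(tiles[0][0])
    for i, t in enumerate(tiles):  # every tile in one grid must share the same size
        if len(t) != tile_h or any(len(r) != tile_w for r in t):
            raise ValueError(f"tile {i} is not {tile_w}x{tile_h}")
    out: Frame = []
    for gy in range(rows):
        band = tiles[gy * cols:(gy + 1) * cols]  # the tiles making up one grid row
        for y in range(tile_h):
            row: List[object] = []
            for t in band:
                row.extend(t[y])
            out.append(row)
    return out

def stitch_night_light_frames(frames: Sequence[Frame]) -> Tuple[Frame, Frame]:
    """The 80-frame layout from the writeup: frames 0-15 form a 4x4 grid, frames 16-79 an 8x8 grid."""
    if len(frames) != 80:
        raise ValueError(f"expected 80 frames, got {len(frames)}")
    return stitch_tiles(frames[:16], 4, 4), stitch_tiles(frames[16:], 8, 8)

def image_size(img: Frame) -> Tuple[int, int]:
    return len(img[0]), len(img)

def make_test_tiles(count: int, tile_w: int, tile_h: int) -> List[Frame]:
    """Constructed sample tiles: each pixel records (tile index, x, y) so placement can be verified."""
    return [[[(i, x, y) for x in range(tile_w)] for y in range(tile_h)] for i in range(count)]

if __name__ == "__main__":
    print(tile_size(1024, 768, 4, 4), tile_size(2048, 1376, 8, 8))  # (256, 192) (256, 172)
    small, large = stitch_night_light_frames(make_test_tiles(80, 4, 3))
    print(image_size(small), image_size(large))  # (16, 12) (32, 24)
```

With real frames, each pixel would be the tuple a decoder such as Pillow returns, and the composite could be written back out with the same library; the grid logic is unchanged.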

With intact assets in hand, [voussoir] was able to re-create the core of the game, which can be seen about halfway down the writeup. Audio clues play simply while the flashlight effect is re-created in the browser with the game’s original level artwork, and it’s enough to ring those nostalgia bells. It’s a pretty successful project, even though not all of the assets have been tracked down, and not all of the audio could be extracted due to corruption. If you have any insights on that front, don’t keep them to yourself! Send [voussoir] an email, or chime in here in the comments.

Reverse engineering has a strong history when it comes to games, and has manifested itself in sometimes unusual ways, like the time Atari cracked the NES. Had the subsequent legal challenge gone differently, the game landscape might have looked very different today.

Dumping Encrypted-At-Rest Firmware Of Xiaomi Smart Kettle

The microcontroller described in the article, on the PCB taken out of the kettle

[aleaksah] got himself a Mi Smart Kettle Pro, a kettle with Bluetooth connectivity, and a smartphone app to go with it. Despite all the smarts, it couldn’t be turned on remotely. Energized with his vision of an ideal smart home where he can turn the kettle on in the morning right as he wakes up, he set out to right this injustice. (Russian, translated) First, he tore the kettle down, intending to dump the firmware, modify it, and flash it back. Sounds simple enough — where’s the catch?

This kettle is built around the QN9022 controller, from the fairly open QN902X family of chips. The QN9022 requires an external SPI flash chip for code, as opposed to its siblings QN9020 and QN9021, which have internal flash akin to the ESP8285. You’d think dumping the firmware would just be a matter of reading that flash, but the firmware is encrypted at rest, with a key unique to each MCU and stored internally. As the microcontroller reads the flash chip contents, they’re decrypted transparently before being executed. So, some other way had to be found, involving the MCU itself as the only entity with access to the decryption key.

Research: It’s Like Cheating, But Fair

My niece’s two favorite classes in high school this year are “Intro to AI” and “Ethical Hacking”. (She goes to a much cooler high school than I did!) In “Hacking”, she had an assignment to figure out some bug in some body of code. She was staring and staring, figuring and figuring. She went to her teacher and said she couldn’t figure it out, and he asked her if she’d tried to search for the right keywords on the Internet.

My niece responded “this is homework, and that’d be cheating”, a line she surely must have learned in her previous not-so-cool high school. When the teacher responded with “but doing research is how you learn to do stuff”, my niece was hooked. The class wasn’t abstract or academic any more; it became real. No arbitrary rules. Game on!

But I know how she feels. Whether it’s stubborn independence, or a feeling that I’m cheating, I sometimes don’t do my research first. But attend any hacker talk, where they talk about how they broke some obscure system or pulled off an epic trick. What is the first step? “I looked all over the Internet for the datasheet.” (Video) “I found the SDK and that made it possible.” (Video) “Would you believe this protocol is already documented?” In any serious hack, there’s always ample room for your creativity and curiosity later on. If others have laid the groundwork for you, get on it.

If you have trouble overcoming your pride, or NIH syndrome, or whatever, bear this in mind: the reason we share information with other hackers is to give them a leg up. Whoever documented that protocol did it to help you. Not only is there no shame in cribbing from them, you’re essentially morally obliged to do so. And to say thanks along the way!