Matthew [wrongbaud] Alt Is Fighting The Good Fight

In a perfect world, all of our electronic devices would come with complete documentation, and there’d be open source libraries available for interfacing them with whatever we wanted. There’d never be arbitrary lockouts preventing us from using a piece of hardware in a way the manufacturer didn’t approve of, and the “cloud” wouldn’t be a black-box server in some data center on the other side of the planet, but a transparent and flexible infrastructure for securely storing and sharing information.

Unfortunately, that’s not the world we live in. What’s worse, rather than moving towards that electronic utopia, the industry appears to be heading in the opposite direction. It seems like every month we hear about another service shutting down and leaving viable hardware to twist in the wind. Just yesterday Google announced they’d be retiring their Stadia game streaming service early next year — leaving users with unique Internet-connected controllers that will no longer have a back-end to communicate with.

Matthew Alt

Luckily for us, there are folks like Matthew [wrongbaud] Alt out there. This prolific hacker specializes in reverse engineering, and has a knack not just for figuring out how things work, but for communicating those findings to others. His conquests have graced these pages many times, and we were fortunate enough to have him helm the Introduction to Reverse Engineering with Ghidra class for HackadayU back in 2020. This week, he stopped by the Hack Chat to talk about the past, present, and future of reverse engineering.

Matthew got his start in reverse engineering during college, when he was working in a shop that specialized in tuning engine control units (ECUs). He was responsible for figuring out how the ECUs functioned, which ultimately would allow them to be modified to improve engine performance beyond the vehicle’s stock configuration. Sometimes that involved uploading modified calibration data, or disabling functions that were detrimental to engine performance. These software changes could potentially increase engine output by as much as 50 HP, though he says that sometimes the goal was to simply increase throttle response so the vehicle would feel more aggressive on the road.

Moving on to the tools of the trade, Matthew explained why he prefers Ghidra for embedded targets over classic reverse engineering tools like IDA Pro. As an example he points to a recent project where he used Ghidra’s API and its intermediate representation, P-Code, to crack passwords in Game Boy Advance games. He does mention that IDA still has its place if you’re looking to peek into some Windows C++ software.

Matthew also pointed to new techniques and tools for fault injection which have opened up a lot of exciting possibilities over the last few years. In fact, he says tools like ChipWhisperer will become invaluable as newer devices adopt advanced security features. When gadgets use secure boot and encrypted firmware, gaining access is going to take a bit more than finding an unlabeled serial port on the board. Glitching attacks will become more commonplace, so you might as well get up to speed now.

Colin O’Flynn’s ChipWhisperer makes side-channel power analysis and glitching attacks far more accessible.

To that end, Matthew pointed out a number of instructional courses that he and other hardware hackers such as Joe Grand have put together for those who want to get started with practical reverse engineering and have some disposable income. For those who’d rather work through it on their own, he dropped links to several Capture-the-Flag (CTF) events and wargames you can use to hone your skills.

We’d like to thank Matthew Alt for not just stopping by the Hack Chat, but for being such a good friend to the Hackaday community. His work has been inspirational for all of us here, and it’s always exciting when he’s penned a new blog post detailing another challenge bested. The next time your favorite MegaCorp releases some anti-consumer gadget, you can take some comfort in knowing he’s still out there bending hardware to his will.


The Hack Chat is a weekly online chat session hosted by leading experts from all corners of the hardware hacking universe. It’s a great way for hackers to connect in a fun and informal way, but if you can’t make it live, these overview posts as well as the transcripts posted to Hackaday.io make sure you don’t miss out.

Introducing FISSURE: A Toolbox For The RF Hacker

No matter what the job at hand is, if you’re going to tackle it, you’re going to need the right kit of tools. And if your job includes making sense out of any of the signals in the virtual soup of RF energy we all live in, then you’re going to need something like the FISSURE RF framework.

Exactly what FISSURE is is pretty clear from its acronym, which stands for Frequency Independent SDR-Based Signal Understanding and Reverse Engineering. This is all pretty new — it looks like [Chris Poore] presented a talk at DEFCON a few weeks back about using FISSURE to analyze powerline communications between semi-trucks and their trailers, and they’ve got a talk scheduled for next month’s GNU Radio Conference as well. We’ve been looking through all the material we can find on FISSURE, and it appears to be an RF hacker’s dream come true. They’ve got a few examples on Twitter, like brute-forcing an old garage door opener with a security code set by a ten-position DIP switch, and sending tire pressure monitoring system (TPMS) signals to a car. They also mention some of the framework’s capabilities on the GitHub README; we’re especially interested in packet crafting for various protocols. The video below has some more examples of what FISSURE can do.

It looks like FISSURE could be a lot of fun, and very handy for your RF analysis and reverse engineering work. If you’ve been using Universal Radio Hacker like we have, this looks similar, only more so. We’ll be downloading it soon and giving it a try, so be on the lookout for a hands-on report.


Air Filter DRM? Hacker Opts Out With NFC Sticker

[Flamingo-tech]’s Xiaomi air purifier has a neat safety feature: it will refuse to run if a filter needs replacement. Of course, by “neat” we mean “annoying”. Especially when the purifier sure seems to judge a filter to be useless much earlier than it should. Is your environment relatively clean, and the filter still has legs? Are you using a secondary pre-filter to extend the actual filter’s life? Tough! Time’s up. Not only is this inefficient, but it’s wasteful.

Every Xiaomi filter contains an NTAG213 NFC tag with a unique ID, and each tag is protected by its own password for communication with the purifier, but how that password was derived (and therefore how to generate one for a new tag) was not known. This meant that compatible tags recognized by the purifier could not be created. Until now, that is. [Flamingo-tech] has shared the discovery of how Xiaomi generates the password for communication between filter and purifier.

A small NFC sticker is now all it takes to have the purifier recognize a filter as new.

[Flamingo-tech] has long been a proponent of fooling Xiaomi purifiers into acting differently. In the past, this meant installing a modchip to hijack the DRM process. That’s a classic method of getting around nonsense DRM on things like label printers and dishwashers, but in this case, reverse-engineering efforts paid off.

It’s now possible to create simple NFC stickers that play by all the right rules. Is a filter’s time up according to the NFC sticker, but it’s clearly still good? Just peel that NFC sticker off and slap on a new one, and as far as the purifier is concerned, it’s a new filter!

If you’re interested in the reverse-engineering journey, there’s a GitHub repository with all the data. And for those interested in purchasing compatible NFC stickers, [Flamingo-tech] has some available for sale.
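The security lesson in the story above is worth seeing in code: NTAG213 tags authenticate with a 4-byte PWD and answer a 2-byte PACK, and if the reader derives both from the tag's public 7-byte UID, anyone who recovers the derivation can program a blank tag that passes. The block below is an added example, not [Flamingo-tech]'s code, and it does not know Xiaomi's real derivation: `derive_pwd_pack` stands in a hypothetical HMAC-based one under a made-up key, and the `Ntag213` class simulates only the PWD_AUTH behaviour (command 0x1B, PACK on success, AUTHLIM lockout) rather than a full tag. The UIDs are constructed.

```python
"""Added example (not [Flamingo-tech]'s code): why an NTAG213 password that is
derived from the public UID does not prevent compatible tags from being made."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple

# NTAG213 facts from the NXP datasheet: 7-byte UID, 4-byte PWD (page 0x2B),
# 2-byte PACK (page 0x2C); the PWD_AUTH command 0x1B returns PACK on success.
PWD_AUTH = 0x1B

# ASSUMPTION: the real purifier derivation is not known to this example. This
# hypothetical keyed derivation only shows the property that matters: anything
# computed purely from the UID can be recomputed for a fresh tag once the
# function (and any embedded constant) has been recovered from the reader.
HYPOTHETICAL_KEY = b"example-vendor-constant"


def derive_pwd_pack(uid: bytes) -> Tuple[bytes, bytes]:
    """Return (PWD, PACK) for a UID under the hypothetical derivation."""
    if len(uid) != 7:
        raise ValueError("NTAG213 UID is 7 bytes")
    digest = hmac.new(HYPOTHETICAL_KEY, uid, hashlib.sha256).digest()
    return digest[:4], digest[4:6]


@dataclass
class Ntag213:
    """Simulated tag: only the password-authentication behaviour is modelled."""
    uid: bytes
    pwd: bytes
    pack: bytes
    auth_limit: int = 3      # AUTHLIM; 0 disables the failure counter on a real tag
    failures: int = 0
    authenticated: bool = False

    def pwd_auth(self, cmd: int, pwd: bytes) -> Optional[bytes]:
        """PWD_AUTH: PACK on success, None for a NAK. Once AUTHLIM failures are
        reached the tag refuses further authentication, even with the right PWD."""
        if cmd != PWD_AUTH or len(pwd) != 4:
            return None
        if self.auth_limit and self.failures >= self.auth_limit:
            return None
        if hmac.compare_digest(pwd, self.pwd):
            self.failures = 0
            self.authenticated = True
            return self.pack
        self.failures += 1
        return None


def program_compatible_tag(uid: bytes) -> Ntag213:
    """What a 'compatible sticker' is: a blank tag whose PWD/PACK match the
    reader's derivation for its own UID."""
    pwd, pack = derive_pwd_pack(uid)
    return Ntag213(uid=uid, pwd=pwd, pack=pack)


def purifier_accepts(tag: Ntag213) -> bool:
    """Reader side: read UID, derive PWD/PACK, send PWD_AUTH, check the PACK.
    The PACK check is what stops a tag with no password from being accepted."""
    pwd, pack = derive_pwd_pack(tag.uid)
    resp = tag.pwd_auth(PWD_AUTH, pwd)
    return resp is not None and hmac.compare_digest(resp, pack)


if __name__ == "__main__":
    # Constructed UIDs (NXP tags start with manufacturer byte 0x04).
    original = program_compatible_tag(bytes.fromhex("04a1b2c3d4e5f6"))
    fresh = program_compatible_tag(bytes.fromhex("04112233445566"))
    print("original filter accepted:", purifier_accepts(original))
    print("freshly programmed sticker accepted:", purifier_accepts(fresh))
```

A reader that instead held a per-tag secret the tag never reveals (or that checked a signature it could not forge from the UID alone) would not be defeated this way; deriving everything from a value the tag hands out on request means the "unique password" is really just a fixed function of a public identifier.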

A Deeper Dive Into Reverse Engineering With A CT Scanner

We recently got a look at how [Ken Shirriff] used an industrial CT scanner as a reverse engineering tool. The results were spectacular, with pictures that clearly showed the internal arrangement of parts that haven’t seen the light of day since the module was potted back in the 60s. And now, [Ken]’s cohort [Curious Marc] has dropped a video with more detail on the wonderful machine, plus deep dives into more Apollo-era hardware.

If you liked seeing the stills [Ken] used to reverse engineer the obscure flip-flop module, you’re going to love seeing [Marc] using the Lumafield scanner’s 3D software to non-destructively examine several Apollo artifacts. First to enter the sample chamber of the CT scanner was a sealed module called the Central Timing Equipment, which served as the master clock for the Apollo Command Module. The box’s magnesium case proved to be no barrier to the CT scanner’s beam, and the 3D model that was built up from a series of 2D images was astonishingly detailed. The best part about the virtual models is the ability to slice through them in any plane — [Marc] used this feature to hunt down the clock’s quartz crystal.

Mapping Out The LEDs On An Outlet Tester

The concept of an outlet tester is pretty simple: plug the gadget into a suspect wall receptacle, and an array of LEDs light up in various patterns to alert the user to any wiring faults. They’re cheap, reliable, and instantaneous. Most people wouldn’t give them much more thought than that, but like any good hacker, [Yeo Kheng Meng] wanted to know how these devices worked.

After picking up a relatively advanced model that featured an LCD capable of showing various stats such as detected voltage in addition to the standard trio of LEDs, he started by using some test leads to simulate various fault conditions to understand the basic principle behind its operation. The next step was to disassemble the unit, which is where things went briefly sideways — it wasn’t until [Yeo Kheng Meng] and a friend had nearly cut through the enclosure that they realized it wasn’t ultrasonically welded like they assumed, and that the screws holding it together were actually hidden under a sticker. Oops.

The write-up includes some excellent PCB shots, and [Yeo Kheng Meng] was able to identify several components and ascertain their function. He was even able to find some datasheets, which isn’t always such an easy task with these low-cost devices. Unfortunately the MCU that controls the device’s more advanced features is locked away with a black epoxy blob, but he was able to come up with a schematic that explains the rather elegant logic behind the LED display.

This isn’t the first time [Yeo Kheng Meng] has taken apart an interesting piece of hardware for our viewing pleasure, and given the fine job he does of it, we hope it’s not the last either.

CT Scans Help Reverse Engineer Mystery Module

The degree to which computed tomography has been a boon to medical science is hard to overstate. CT scans give doctors a look inside the body that gives far more information about the spatial relationship of structures than a plain X-ray can. And as it turns out, CT scans are pretty handy for reverse engineering mystery electronic modules, too.

The fact that the mystery module in question is from Apollo-era test hardware leaves little room for surprise that [Ken Shirriff] is the person behind this fascinating little project. You’ll recall that [Ken] recently radiographically reverse engineered a pluggable module of unknown nature, using plain X-ray images taken at different angles to determine that the undocumented Motorola module was stuffed full of discrete components that formed part of a square wave to sine wave converter.

The module for this project, a flip-flop from Motorola and in the same form factor, went into an industrial CT scanner from an outfit called Lumafield, where X-rays were taken from multiple angles. The images were reassembled into a three-dimensional view by the scanner’s software, which gave a stunningly clear view of the components embedded within the module’s epoxy body. The cordwood construction method is obvious, and it’s pretty easy to tell what each component is. The transistors are obvious, as are the capacitors and diodes. The resistors were a little more subtle, though — careful examination revealed that some are carbon composition, while others are carbon film. It’s even possible to pick out which diodes are Zeners.

The CT scan data, along with some more traditional probing for component values, let [Ken] reverse engineer the whole circuit, which turned out to be a little different than a regular J-K flip-flop. Getting a non-destructive look inside feels a little like sitting alongside the engineers who originally built these things, which is pretty cool.

Hacking The RF Protocol Of An Obscure Handheld Game

When you think old school handheld games, you probably imagine something like Nintendo’s Game Boy line or the Sega Game Gear. But outside of those now iconic systems, there was a vast subculture of oddball handheld games vying for a chunk of an adolescent’s weekly allowance. Many of these were legitimately terrible and frankly aren’t worth remembering, but a few offered unique features that were arguably ahead of their time.

One such game was Hasbro’s short-lived P-O-X. As explained by [Zachary Ennenga], the game didn’t spend much time on store shelves as its core concept of defeating undetectable alien invaders hell-bent on destroying our way of life proved to be more than a little problematic when it launched in September of 2001. But that doesn’t mean it didn’t have some cool ideas, such as a wireless ad-hoc multiplayer capability that let your game autonomously battle it out with other units that got close by.

Fascinated by this feature since his youth, [Zach] set out to study how this relatively cheap kid’s toy was able to pull this off back when even the flagship handheld consoles were still using physical link cables for multiplayer. He was aided in his quest by a particularly helpful patent, which not only gave him clues as to the frequency, data rate, modulation, and encoding of the RF signal, but even explained the game’s logic and overall structure. A lot of what was in the document seemed wishful thinking on the part of Hasbro, but reading through the marketing speak still uncovered some salient technical details.

A decoded P-O-X packet.

Armed with an RTL-SDR, GNU Radio, Inspectrum, and a bit of Python, [Zach] was able to identify the signal and begin the process of decoding it. This is where things get really interesting, as the details of his reverse engineering process are widely applicable for all sorts of unknown RF signals. Even if you’re like most people and have nearly zero interest in failed handheld games of the early 2000s, it’s well worth a read. The same techniques he uses to figure out the name and physical characteristics of the invisible foe his game is transmitting could one day help you figure out how to manipulate the data from that wireless weather station you’ve got in the backyard.

Once he figured out the major parts of the protocol, [Zach] moved on to creating his own packets and broadcasting them in such a way that the real hardware would recognize them. He even came up with some code that will automatically battle any game that wanders within range of his Yardstick One, which may come in handy during the inevitable P-O-X Renaissance.
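The decode-then-craft loop described above is the same for most cheap OOK/ASK gadgets, including the DIP-switch garage opener mentioned in the FISSURE post: threshold the magnitude of the captured IQ samples, work out the symbol period from the shortest run, slice bits at symbol centres, find a preamble and sync word, and then run the same steps backwards to build a frame the real hardware will accept. The block below is an added example, not [Zach]'s decoder and not based on the actual P-O-X framing: the `PREAMBLE`, `SYNC`, payload length and modulation are assumptions chosen for illustration, and the input is a constructed baseband magnitude trace rather than a real RTL-SDR capture.

```python
"""Added example (not [Zach]'s code): generic OOK decode and packet crafting
over a constructed baseband magnitude trace. Framing constants are assumptions."""
from typing import List, Optional

# ASSUMPTIONS for illustration only (the real P-O-X framing is not modelled here):
PREAMBLE = [1, 0] * 8                 # alternating bits give a clean symbol clock
SYNC = [1, 1, 1, 0, 0, 1, 0, 1]       # marks where the payload starts
PAYLOAD_BITS = 16                     # fixed-length payload after the sync word


def ook_modulate(bits: List[int], sps: int, high: float = 1.0, low: float = 0.05) -> List[float]:
    """Baseband magnitude for OOK: carrier on for a 1, near the noise floor for a 0."""
    return [high if b else low for b in bits for _ in range(sps)]


def estimate_symbol_period(trace: List[float], threshold: float) -> int:
    """The shortest run of samples on one side of the threshold is one symbol
    (the alternating preamble guarantees such a run exists)."""
    levels = [s > threshold for s in trace]
    runs, run = [], 1
    for prev, cur in zip(levels, levels[1:]):
        if cur == prev:
            run += 1
        else:
            runs.append(run)
            run = 1
    runs.append(run)
    return min(runs)


def slice_bits(trace: List[float], threshold: float, sps: int) -> List[int]:
    """Sample the centre of every symbol, starting at the first rising edge."""
    start = next((i for i, s in enumerate(trace) if s > threshold), None)
    if start is None:
        return []
    return [1 if trace[i] > threshold else 0 for i in range(start + sps // 2, len(trace), sps)]


def find_frame(bits: List[int]) -> Optional[List[int]]:
    """Locate preamble + sync and return the payload bits that follow."""
    pattern = PREAMBLE + SYNC
    for i in range(len(bits) - len(pattern) - PAYLOAD_BITS + 1):
        if bits[i:i + len(pattern)] == pattern:
            return bits[i + len(pattern): i + len(pattern) + PAYLOAD_BITS]
    return None


def bits_to_bytes(bits: List[int]) -> bytes:
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))


def decode_trace(trace: List[float]) -> Optional[bytes]:
    """Full receive chain: threshold, clock recovery, slicing, framing."""
    if not trace:
        return None
    threshold = (max(trace) + min(trace)) / 2   # midpoint between carrier and floor
    sps = estimate_symbol_period(trace, threshold)
    payload = find_frame(slice_bits(trace, threshold, sps))
    return None if payload is None else bits_to_bytes(payload)


def craft_frame(payload: bytes, sps: int, guard_symbols: int = 4) -> List[float]:
    """Transmit side: a baseband trace for a chosen payload, with silent guard
    time on both sides, ready to be turned into IQ and sent from an SDR."""
    bits = PREAMBLE + SYNC + [int(b) for byte in payload for b in f"{byte:08b}"]
    silence = [0.02] * (sps * guard_symbols)
    return silence + ook_modulate(bits, sps) + silence


if __name__ == "__main__":
    # Constructed "capture": a frame carrying two bytes at 10 samples per symbol.
    capture = craft_frame(b"\x5a\x3c", sps=10)
    print("decoded payload:", decode_trace(capture))
```

On a real capture the threshold should come from the measured noise floor rather than the trace extremes, symbol timing drifts so the slicer should re-sync on edges, and the preamble, sync word and payload length have to be read off the waveform in Inspectrum first; once those are known, `craft_frame` is the step that produces the replies that fool the genuine hardware.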

While this might seem like a lot of effort to put into a game that most people have never even heard of, we’ll remind you that some of the greatest hacks to ever grace these pages have been born of similar pursuits. Even if you’re the only person in the world to directly benefit from your current line of research and experimentation, there are still plenty of like-minded folks in this community who are all too happy to cheer you on from the sidelines.