Two revisions of Wenting's custom SSD board - earlier revision on the left, later, sleeker and more complete, on the right.

Custom SSD Gives New Life To Handheld Atom PC

People don’t usually go as far as [Wenting Zhang] has – designing a new IDE SSD board for a portable x86 computer made in 2006. That said, it’s been jaw-dropping to watch the astounding amount of reverse-engineering and design effort involved get handwaved away as if it were nothing.

The Benq S6 is a small MID (Miniaturized Internet Device) with an Atom CPU, an x86 machine in all but looks. Its non-standard SSD’s two gigabytes of storage, however, heavily limit the OS choice – Windows XP would hardly fit on there, and while a small Linux distro could manage better, it’s, and we quote, “not as exciting”. A lot of people would stop there and use an external drive, or a stack of adapters necessitating unsightly modifications to the case – [Wenting] went further and broke the “stack of adapters” stereotype into shards with his design journey.

Tracing quite a few complex multi-layer boards into a unified and working schematic is no mean feat, especially with the SSD PCB hosting two BGA chips, and given the sheer number of pins in the IDE interface of the laptop’s original drive. Even the requirement for the SSD to be initialized didn’t stop him – a short fight with the manufacturer’s software ensued, but it was no match for [Wenting]’s skills. The end result is a drop-in replacement SSD even thinner than the stock one.

This project is well-documented for all of us to learn from! Source code and PCB files are on GitHub, and [Wenting] has covered the journey in three different places at once – on Hackaday.io, in a YouTube video embedded down below, and also on his Twitter in the form of regular posts. Now, having seen this happen, we all have one less excuse not to take up a project seemingly so complex.

Hackers play with SSD upgrades and repurposing every now and then, sometimes designing proprietary-to-SATA adapters, and sometimes reusing custom SSD modules we’ve managed to get a stack of. If case mods are acceptable to you aesthetics-wise, we’ve seen an SSD upgrade for a Surface Pro 3 made possible that way.


Wordle Reverse-Engineering And Automated Solving

Simplified Absurdle decision tree for a single letter guess from a set of three possible options

We don’t know about you, but we have mixed feelings about online puzzle fads. On one hand, they are a great tool to help keep one sharp, but they’re just everywhere. The latest social-media-driven fad, Wordle, may be a little bit too prevalent for our liking, with social media timelines stuffed with updates about the thing. [Ed Locard] was getting a bit miffed with friends’ constant posts about ‘Today’s Wordle’, and was hoping they’d get back to posting pictures of their dogs instead, so he did what any self-respecting hacker would do, and wrote a Python script to automate solving Wordle puzzles, in a likely futile attempt to get them to stop posting.

Actually, [Ed] was more interested in building a solver for a related game, Absurdle, which is described as an adversarial variant of Wordle. This doesn’t actually select a single word, but uses your guesses so far to narrow down a large pool of possible words, keeping you guessing for longer. Which is pretty mean of it. Anyway, [Ed] came up with a tool called Pyrdle (GitHub project), which is essentially a command-line version of Absurdle that is also capable of solving Wordle as a byproduct. It turns out the JS implementation of Wordle holds the entire possible word list client-side, so the answer is already sitting in your browser. The really interesting part of this project is the approach to automated solving of puzzles with a very large potential set of solutions. This makes for an interesting read, and infinitely more so than reading yet another Wordle post.
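To make the “adversarial variant” concrete, here is an added example (not Pyrdle’s own code) of the Absurdle response rule as described above: for each guess, candidate words are bucketed by the feedback pattern they would produce, and the game answers with the pattern that keeps the largest bucket alive. The tiny word list and the tie-break rule (prefer the less informative pattern) are assumptions for illustration.

```python
from collections import defaultdict

# Constructed stand-in for the real five-letter word list (assumption, not the game's list).
WORDS = ["crane", "crate", "trace", "slate", "plate", "brave", "grape", "sweet"]


def feedback(guess, answer):
    """Wordle-style pattern: 'g' right letter/right spot, 'y' right letter elsewhere, '.' absent.
    Greens are claimed first so repeated letters are not double-counted as yellow."""
    pattern = ["."] * 5
    remaining = list(answer)
    for i, (g, a) in enumerate(zip(guess, answer)):
        if g == a:
            pattern[i] = "g"
            remaining[i] = None
    for i, g in enumerate(guess):
        if pattern[i] == "." and g in remaining:
            pattern[i] = "y"
            remaining[remaining.index(g)] = None
    return "".join(pattern)


def absurdle_respond(guess, candidates):
    """Adversarial reply: bucket candidates by the pattern this guess would give them
    and answer with the pattern whose bucket is largest (assumed tie-break: fewest
    greens, then fewest yellows). Returns (pattern, surviving candidates)."""
    buckets = defaultdict(list)
    for word in candidates:
        buckets[feedback(guess, word)].append(word)

    def score(item):
        pat, words = item
        return (len(words), -pat.count("g"), -pat.count("y"))

    return max(buckets.items(), key=score)


def play(guesses, words=WORDS):
    """Run a sequence of guesses against the adversary; returns (guess, pattern, pool size) rows."""
    candidates = list(words)
    history = []
    for guess in guesses:
        pattern, candidates = absurdle_respond(guess, candidates)
        history.append((guess, pattern, len(candidates)))
        if pattern == "ggggg":
            break
    return history


if __name__ == "__main__":
    for row in play(["slate", "grape", "brave", "crane"]):
        print(row)
```

Note how the game refuses to concede “brave” while “crane” is still in the pool: the pattern with the largest remaining bucket is always chosen, so the answer only becomes fixed once a single candidate is left.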

And one final note: if you’re not at all on board with this, love Wordle, and can’t get enough, you might like to install [brackendawson]’s comically titled (command) notfoundle shell handler, for some puzzling feedback on your command-line slip-ups. Well, it amused us anyway.

Puzzle projects hit these pages once in a while. Here’s the annual Xmas GCHQ puzzle. If you’re more into physical puzzles with an electronics focus (and can solder), check out the DEF CON 29 puzzle badge!

Linux Arcade Cab Gives Up Its Secrets Too Easily

Sometimes reverse engineering embedded systems can be a right old faff, with you needing to resort to all kinds of tricks such as power glitching in order to poke a tiny hole in the armour, giving you a way in. And sometimes the door is just plain wide open. This detailed exploration of an off-the-shelf retro arcade machine is definitely in that second camp, for whatever reason. [Matthew Alt] of VoidStar Security took a detailed look into how this unit works, which reads as a great introduction to how embedded Linux is constructed on these minimal systems.

Could this debug serial port be more obvious?

The hardware is the usual bartop cabinet, with dual controls and an LCD display, with just enough inside a metal enclosure to drive the show. Inside this, the main PCB has the expected minimal ARM-based application processor with its supporting circuit. The processor is the Rockchip RK3128, sporting a quad-core ARM Neon and a Mali400 GPU, but the main selling point is the excellent Linux support. You’ll likely see this chip or its relatives powering cheap Android TV boxes, and it’s the core of this nice looking ‘mini PC’ platform from firefly. Maybe something to consider, seeing as Raspberry Pis are currently so hard to come by?

Anyway, we digress a little. [Matthew] breaks it down for us in a very methodical way, first by identifying the main ICs and downloading the appropriate datasheets. Next he moves on to connectors, locating an internal non-user-facing USB micro port, which is definitely going to be of interest. Finally, the rather obvious un-populated 3-pin header is clearly identified as a serial port. Its signals were captured using a Saleae clone, to verify it was indeed a UART interface and to measure the baud rate. After doing that, he hooked it up to a Raspberry Pi UART and, by attaching the standard screen utility to the serial device, lo and behold: a boot log and a root prompt! This thing really is barn-door wide open.
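The “verify it is a UART and measure the baud rate” step is worth seeing in code. The following is an added example, not part of [Matthew]’s write-up or tooling: it takes a logic-analyser capture of an idle-high TX line as a list of (time, level) edges, uses the shortest gap between transitions as the bit time, snaps it to a standard rate, and then decodes 8N1 frames by sampling at bit centres. The capture itself is constructed in-code rather than taken from real hardware.

```python
STANDARD_BAUDS = [9600, 19200, 38400, 57600, 115200, 230400, 460800, 921600]


def make_capture(data, baud, t0=0.0):
    """Constructed capture of an 8N1 TX line: returns [(time_s, level), ...] edges."""
    bit = 1.0 / baud
    levels = []
    for byte in data:
        levels += [0] + [(byte >> k) & 1 for k in range(8)] + [1]  # start, LSB..MSB, stop
    edges, prev, t = [], 1, t0
    for lvl in levels:
        if lvl != prev:
            edges.append((t, lvl))
            prev = lvl
        t += bit
    return edges


def estimate_baud(edges):
    """The shortest gap between two transitions is a single bit time (assumes the data
    contains at least one isolated 0 or 1 bit); snap its inverse to a standard rate."""
    bit_time = min(b - a for (a, _), (b, _) in zip(edges, edges[1:]))
    raw = 1.0 / bit_time
    return min(STANDARD_BAUDS, key=lambda candidate: abs(candidate - raw))


def level_at(edges, t):
    """Line level at time t: the level set by the last edge at or before t (idle high)."""
    level = 1
    for ts, lvl in edges:
        if ts > t:
            break
        level = lvl
    return level


def decode_8n1(edges, baud):
    """Every falling edge outside an active frame is a start bit; sample the 8 data bits
    at their centres (LSB first) and require a high stop bit, else drop the frame."""
    bit = 1.0 / baud
    out, frame_end = bytearray(), float("-inf")
    for ts, lvl in edges:
        if lvl != 0 or ts < frame_end - 0.5 * bit:  # tolerance covers float jitter
            continue
        if level_at(edges, ts + 9.5 * bit) != 1:    # framing error: not a valid frame
            continue
        out.append(sum(level_at(edges, ts + (1.5 + k) * bit) << k for k in range(8)))
        frame_end = ts + 10 * bit
    return bytes(out)
```

On a real capture you would feed the analyser’s exported edge list to estimate_baud first and only then decode; if the estimate lands between two standard rates, the capture probably lacks an isolated single bit and a longer sample is needed.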

Is that a root prompt you have for me? Oh why yes it is!

Simply by plugging in a USB stick, the entire flash memory was copied over, partitions and all, giving a full backup in case subsequent hacking messed things up. Being based on U-Boot, it was a trivial matter of just keying in ‘Ctrl-C’ at boot time, and he was dropped straight into the U-Boot command line, and all configuration could be easily read out. By using U-Boot to low-level dump the SPI flash to an external USB device, via a RAM copy, he proved he could do the reverse and write the same image back to flash without breaking something, so it was now possible to reverse engineer the software, make changes and write it back. Automation of the process was done using Depthcharge on the Raspberry Pi, which was also good to read about. We will keep an eye on the blog for what he does with it next!

As we’ve covered earlier, embedded Linux really is everywhere, and once you’ve got hardware access and some software support, hacking in new tricks is not so hard either.

Remote control PCB next to its shell, with a breadboarded analog switch connected to the remote's onboard microcontroller, soldered to the pins responsible for button reading

Reusing Proprietary Wireless Sockets Without Wireless Hacking

Bending various proprietary devices to our will is a hacker’s rite of passage. When it comes to proprietary wall sockets, we’d often reverse-engineer and emulate their protocol – but you can absolutely take a shortcut and, like [oaox], spoof the button presses on the original remote! Buttons on such remotes tend to be multiplexed and read as a key matrix (provided there’s more than four of them), so you can’t just pull one of the pads to ground and expect to not confuse the microcontroller inside the remote. While reading a key matrix, the controller will typically drive rows one-by-one and read column states, and a row or column driven externally will result in the code perceiving an entire group of keys as “pressed” – however, a digitally-driven “switch” doesn’t have this issue!

One way to achieve this would be to use a transistor, but [oaox] played it safe and went for a 4066 analog switch, which has a higher chance of working with any remote no matter the button configuration, for instance even when the buttons are wired as part of a resistor network. As a bonus, the remote will still work, and you will still be able to use its buttons for the original purpose – as long as you keep your wiring job neat! When compared to reverse-engineering the protocol and using a wireless transmitter, this also has the benefit of consistently working with even non-realtime devices like the Raspberry Pi, and other devices that run an OS and aren’t able to guarantee consistent timing when driving a cheap GPIO-operated RF transmitter.
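The key-matrix argument in the two paragraphs above (why pulling a pad to ground confuses the firmware, while a switch across the key’s own two contacts does not) is easy to check in a small electrical model. This is an added example, not [oaox]’s code: it emulates a row-by-row scan on an assumed 2×3 matrix without anti-ghosting diodes, where each closed key contact joins its row net to its column net and an externally forced-low column is low for every row. It also shows the phantom key that appears when three keys forming a rectangle are closed, which is why such remotes are normally pressed one button at a time.

```python
ROWS, COLS = 2, 3
# Constructed key names for the assumed matrix (not from the real remote).
KEY_NAMES = [["ON", "OFF", "DIM"], ["CH1", "CH2", "ALL"]]


def scan_matrix(closed, forced_low=()):
    """Emulate the remote's firmware scan: one row is driven low at a time (others
    high-impedance), columns are pulled up, and a column read low means the key at
    (driven row, column) is pressed.

    closed:     set of (row, col) key contacts that are shorted, by a finger or an
                analog switch wired across that key's two pads.
    forced_low: column lines an outside circuit holds low no matter which row is driven.
    Returns the set of (row, col) the firmware believes are pressed."""
    pressed = set()
    for drive in range(ROWS):
        # Union-find over nets: closed contacts connect row and column nets together,
        # which is exactly how ghost keys arise on a diode-less matrix.
        parent = {}

        def find(x):
            parent.setdefault(x, x)
            while parent[x] != x:
                x = parent[x]
            return x

        for r, c in closed:
            parent[find(("row", r))] = find(("col", c))
        low_nets = {find(("row", drive))} | {find(("col", c)) for c in forced_low}
        for c in range(COLS):
            if find(("col", c)) in low_nets:
                pressed.add((drive, c))
    return pressed


def names(pressed):
    return sorted(KEY_NAMES[r][c] for r, c in pressed)


if __name__ == "__main__":
    print("switch across OFF:", names(scan_matrix({(0, 1)})))
    print("column 1 pulled low:", names(scan_matrix(set(), forced_low={1})))
    print("three-key rectangle:", names(scan_matrix({(0, 0), (0, 1), (1, 0)})))
```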

In the past, we’ve seen people trying to tackle this exact issue, resorting to RF protocol hacking in the end. We’ve talked about analog multiplexers and switches before, if you’d like to figure out more ways to apply them to solve your hacking problems! Taking projects like these as your starting point, it’s not too far until you’re able to replace the drift-y joysticks on your Nintendo Switch with touchpads!

BBQ lighter fault injector

Blast Chips With This BBQ Lighter Fault Injection Tool

Looking to get into fault injection for your reverse engineering projects, but don’t have the cash to lay out for the necessary hardware? Fear not, for the tools to glitch a chip may be as close as the nearest barbecue grill.

If you don’t know what chip glitching is, perhaps a primer is in order. Glitching, more formally known as fault injection, and in this case electromagnetic fault injection (EMFI), is a technique that uses a pulse of electromagnetic energy to induce a fault in a running microcontroller or microprocessor. If the pulse occurs at just the right time, it may force the processor to skip an instruction, leaving the system in a potentially exploitable state.

EMFI tools are commercially available — we even recently featured a kit to build your own — but [rqu]’s homebrew version is decidedly simpler and cheaper than just about anything else. It consists of a piezoelectric gas grill igniter, a little bit of enameled magnet wire, and half of a small toroidal ferrite core. The core fragment gets a few turns of wire, which then gets soldered to the terminals on the igniter. Pressing the button generates a high-voltage pulse, which gets turned into an electromagnetic pulse by the coil. There’s a video of the tool in use in the Twitter thread, showing it easily glitching a PIC running a simple loop program.

To be sure, a tool as simple as this won’t do the trick in every situation, but it’s a cheap way to start exploring the potential of fault injection.

Thanks to [Jonas] for the tip.

Reverse Engineering: Trash Printer Gives Up Its Control Panel Secrets

Many of us hardware-oriented types find it hard to walk past a lonely-looking discarded item of consumer electronics without thinking “If only I could lug that back to the car and take it home to play with” and [phooky] from NYC Resistor is no stranger to this sentiment. An old Epson WF-2540 inkjet printer was disassembled for its important ‘nutrients,’ you know, the good stuff like funky motors, encoders and switches. But what do you do with the control panel? After all, they’re usually very specific to the needs of the device they control, and don’t usually offer up much scope for reuse.

The RP2040 PIO is quite capable of pushing out those LCD pixels

[phooky] doesn’t usually bother with them, but this time decided to have a crack at it for fun. Inside, nothing out of the ordinary, with a large single-sided PCB for the key switches and LEDs, and a small PCB hosting the LCD display. The easy part was to figure out how the keyboard scanning was done, which turned out to be pretty simple: it just uses some 74-series shift register devices to scan the columns and clock out the row lines. A Raspberry Pi Pico module was pressed into service to scan the keyboard and enable a keyboard map to be created, by pure brute force. No need to trace the circuit.

Things got interesting when [phooky] started looking into the LCD interface, based on the Epson E02A46EA chip (good luck finding a datasheet for that one!) and quickly realised that documentation simply wasn’t available, and it would be necessary to do things the hard way. Poking around the lines from the main CPU (an Epson E01A9CA, whatever that is), the display clock was identified, as well as some control signals, and three lines for the RGB channels. By throwing a Saleae data capture into some ROM exploring software, the display configuration was determined to be a standard 320×120 unit.

The PIO unit of the RP2040 was used to generate the video waveforms and push the pixels out to the LCD controller, allowing the RP2040 board to be wired inside the case permanently, converting the control panel into a USB device ready for action!

Want to know a little more about reverse engineering junk (or not) items and repurposing them to your will? Check out this hacking piece from a couple of weeks back. For something a little more advanced, you could try your hand at a spot of car ECU hacking.

Thanks [Perry] for the tip!

Hacking Is Hacking

Tom Nardi and I had a good laugh this week on the Podcast when he compared the ECU hacks that enabled turning a VW with steering assist into a self-driver to a hack last week that modified a water cooler to fill a particular cup. But it’s actually no joke — some of the very same techniques are used in both efforts, although the outcome of one is life-and-death, and the other is just some spilled ice-cold water.

This reminded me of Travis Goodspeed’s now-classic talk “In Praise of Junk Hacking” from way back in 2016. For background, this was a time when IoT devices and their security were in their relative infancy, and some members of the security community were throwing shade on the dissection of “mere” commercial crap. (Looked back on from today, where every other member of a botnet is an IP camera, that argument didn’t age well.)

Travis’ response was that hacking on junk lets us focus on the process — the hack itself — rather than getting distracted by the outcome. Emotions run high when a security flaw affects millions of individuals, but when it’s a Tamagotchi or a pocket calculator, well, it doesn’t really matter, so you focus on the actual techniques. And as Travis points out, many of these techniques learned on junk will be useful when it counts. He learned about methods to defeat address-space randomization, for instance, from an old hack on the TI-85 calculator, which garbage-collected the variables that needed to be overwritten.

So I had junk hacking in the back of my mind when I was re-watching Hash Salehi’s great talk on his work reverse engineering smart meters. Funnily enough, he started off his reverse engineering journey eleven years ago with work on a robot vacuum cleaner’s LIDAR module. Junk hacking, for sure, but the same techniques taught him to work on devices that are significantly more serious. And in the craziest of Hackaday synergies, he even hat-tipped Travis’ talk in his video! Hacking is hacking!