Research: It’s Like Cheating, But Fair

My niece’s two favorite classes in high school this year are “Intro to AI” and “Ethical Hacking”. (She goes to a much cooler high school than I did!) In “Hacking”, she had an assignment to figure out some bug in some body of code. She was staring and staring, figuring and figuring. She went to her teacher and said she couldn’t figure it out, and he asked her if she’d tried to search for the right keywords on the Internet.

My niece responded “this is homework, and that’d be cheating”, a line she surely must have learned in her previous not-so-cool high school. When the teacher responded with “but doing research is how you learn to do stuff”, my niece was hooked. The class wasn’t abstract or academic any more; it became real. No arbitrary rules. Game on!

But I know how she feels. Whether it’s stubborn independence, or a feeling that I’m cheating, I sometimes don’t do my research first. But attend any hacker talk, where they talk about how they broke some obscure system or pulled off an epic trick. What is the first step? “I looked all over the Internet for the datasheet.” (Video) “I found the SDK and that made it possible.” (Video) “Would you believe this protocol is already documented?” In any serious hack, there’s always ample room for your creativity and curiosity later on. If others have laid the groundwork for you, get on it.

If you have trouble overcoming your pride, or NIH syndrome, or whatever, bear this in mind: the reason we share information with other hackers is to give them a leg up. Whoever documented that protocol did it to help you. Not only is there no shame in cribbing from them, you’re essentially morally obliged to do so. And to say thanks along the way!

The BluePill board used for this hack, wired to the DYMO RFID reader, after all the wires for this hack have been soldered onto the BluePill board.

#FreeDMO Gets Rid Of DYMO Label Printer DRM

The DYMO 550 series printer marketing blurb says “The DYMO® LabelWriter® 550 Turbo label printer comes with unique Automatic Label Recognition™”, which, once translated from marketing-ese, means “this printer has DRM in its goshdarn thermal stickers”. Yes, DRM in the stickers that you typically buy in generic rolls. [FREEPDK] didn’t like that either, and documents a #FreeDMO device to rid us of yet another consumer freedom limitation, the true hacker way.

A generic BluePill board and two resistors are all you need, and a few extra cables make the install clean and reversible – you could also solder straight to the DYMO printer’s PCBs if you had to. Essentially, you intercept the connection between the printer and its RFID reader, and the BluePill acts as an I2C peripheral and a controller at the same time, forwarding the reader’s data to the printer and modifying it on the way – but it can also emulate a predetermined label and skip the reader altogether. If you benefit from this project’s discoveries, take a bit of your time and, with the help of an NFC-enabled Android phone, share your cartridge data in a separate repository, making it easier for all of us to thwart future DRM improvements.
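The interception described above, as an added example that is not code from the FreeDMO project: a small Python simulation of a bus proxy that is a peripheral towards the host (the printer) and a controller towards the real reader. The register numbers, the record layout and the meaning of its fields are invented for illustration and are not DYMO’s format. The point the simulation makes explicit is that the host has no way to tell whether a reply came from the reader or from something sitting on the bus, so anything it trusts in that reply can be rewritten, or replayed from a stored image with no reader present at all. Two things a proxy still has to get right, and which the code checks: a peripheral must clock out exactly the number of bytes the host asks for, and in forward mode the host’s configuration writes must still reach the real reader.

```python
"""Bus-level man-in-the-middle on a register-addressed I2C peripheral (simulation).

Constructed example: the register numbers, record layout and field meanings below are
invented for illustration and are NOT DYMO's or FreeDMO's data format.
"""
from typing import Callable, Dict, List, Optional, Tuple

Rewrite = Callable[[int, bytes], bytes]  # (register, genuine reply) -> reply handed to the host


class I2CTarget:
    """Stand-in for the RFID reader chip: a register file accessed over I2C."""

    def __init__(self, regs: Dict[int, bytes]):
        self.regs = {r: bytes(v) for r, v in regs.items()}
        self.reads = 0
        self.writes = 0

    def read(self, reg: int, n: int) -> bytes:
        self.reads += 1
        # Bytes past the end of a register read back as 0xFF, like an unimplemented location.
        return self.regs.get(reg, b"")[:n].ljust(n, b"\xff")

    def write(self, reg: int, data: bytes) -> None:
        self.writes += 1
        self.regs[reg] = bytes(data)


class BusProxy:
    """Peripheral towards the host (the printer), controller towards the real reader.

    Forward mode (target given): every transaction reaches the reader; replies may be rewritten.
    Emulation mode (image given): the reader is never touched; reads are answered from `image`.
    """

    def __init__(self, target: Optional[I2CTarget], rewrite: Optional[Rewrite] = None,
                 image: Optional[Dict[int, bytes]] = None):
        if (target is None) == (image is None):
            raise ValueError("give exactly one of: a target to forward to, an image to emulate")
        self.target, self.rewrite, self.image = target, rewrite, image
        self.log: List[Tuple[str, int, bytes]] = []

    def read(self, reg: int, n: int) -> bytes:
        if self.image is not None:
            reply = self.image.get(reg, b"")[:n].ljust(n, b"\xff")
        else:
            reply = self.target.read(reg, n)
            if self.rewrite is not None:
                patched = self.rewrite(reg, reply)
                # The host clocks out exactly n bytes; a peripheral cannot change the length.
                if len(patched) != n:
                    raise ValueError("rewritten reply must keep its length")
                reply = patched
        self.log.append(("R", reg, reply))
        return reply

    def write(self, reg: int, data: bytes) -> None:
        if self.image is not None:
            self.image[reg] = bytes(data)  # absorbed: there is no reader to configure
        else:
            self.target.write(reg, data)   # reader configuration must still go through
        self.log.append(("W", reg, bytes(data)))


# Invented record layout: register 0x20 holds [type_hi, type_lo, count_hi, count_lo, serial x4].
TAG_REG = 0x20


def force_generic_label(reg: int, reply: bytes) -> bytes:
    """Rewrite rule: report label type 1 with the count field pinned at 0xFFFF, keep the serial."""
    if reg != TAG_REG or len(reply) < 4:
        return reply
    return bytes([0x00, 0x01, 0xFF, 0xFF]) + reply[4:]


def demo() -> Tuple[bytes, bytes, int, int]:
    """Forward a configuration write, read the (rewritten) tag record, then emulate it offline."""
    reader = I2CTarget({0x00: b"\x5a", TAG_REG: bytes.fromhex("0007000cdeadbeef")})
    mitm = BusProxy(reader, rewrite=force_generic_label)
    mitm.write(0x01, b"\x01")                 # host configures the reader: passes through
    tag = mitm.read(TAG_REG, 8)               # tag record, patched on the way to the host
    ghost = BusProxy(None, image={TAG_REG: tag})
    offline = ghost.read(TAG_REG, 8)          # same answer with no reader on the bus at all
    return tag, offline, reader.reads, reader.writes


if __name__ == "__main__":
    print(demo())
```

Registers the rule does not care about pass through untouched, so the printer still sees a live reader for everything except the record it is being lied to about; in emulation mode the stored image answers instead, which is the “skip the reader altogether” case.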

An assortment of MemoryStick cards and devices, some of them arguably cursed, like a MemoryStick-slot-connected camera.

Hacker Challenges MemoryStick To A Fight And Wins

It’s amazing when a skilled hacker reverse-engineers a proprietary format and shares the nitty-gritty with everyone. Today we get one such write-up, about MemoryStick. A staple of Sony equipment, these SD-card-like storage devices were evidently designed to help pad Sony’s pockets, as the tight lock-in and inflated prices suggest, and the format has always remained unapproachable to hackers. No more: [Dmitry Grinberg] is here with an extensive breakdown of the MemoryStick protocol and internals.

If you ever wanted to read about a protocol that is not exactly sanely designed, from physical-layer quirks to inexplicably large differences between MemoryStick and MemoryStick Pro, this will be an entertaining read for hackers of all calibers. [Dmitry] doesn’t just describe the bad parts of the design, however, as entertaining as that rant is – most of the page is taken up by register summaries, struct descriptions and insights, the substance about MemoryStick that we never got.

A single sentence links to a related side project of [Dmitry]’s that’s a rabbit hole on its own – he has binary-patched the MemoryStick drivers of PalmOS to add MemoryStick Pro support to some of the Sony Clie handhelds. Given the aforementioned differences between the non-Pro and Pro standards, that’s a monumental undertaking for a device older than some of this site’s readers, and we can’t help but be impressed.

To finish the write-up off, [Dmitry] shares some MemoryStick bit-banging examples for the STM32. Anyone who ever wanted to approach MemoryStick, be it for making converter adapters to revive old tech, for data recovery or preservation, or simply out of hacker curiosity, can now feel a bit less alone in their efforts.

We are glad to see such great hacking on the MemoryStick front – it’s much needed, to the point where our only previous article mentioning MemoryStick is about avoiding the MemoryStick slot altogether. [Dmitry] is just the right person for reverse-engineering jobs like this, with an extensive reverse-engineering history we’ve been keeping track of – his recent journey into an unknown microcontroller in cheap E-Ink devices is something to behold.


Retro Breadboard Gives Up Its 1960s Secrets

When we see [Ken Shirriff] reverse engineering something, it tends to be on the microscopic level. His usual forte is looking at die photos of strange and obsolete chips and figuring out how they work. And while we love those efforts, it’s nice to see him in the macro world this time with a teardown and repair of a 1960s-era solderless breadboard system.

If you’d swear the “Elite 2 Circuit Design Test System” featured in [Ken]’s post looks familiar, it’s probably because you caught his partner-in-crime [CuriousMarc]’s video on the very same unit, an eBay score that arrived in non-working condition. The breadboard, which retailed for $1,300 in 1969 — an eye-watering $10,000 today — was clearly not aimed at the hobbyist market. Truth be told, we didn’t even know that solderless breadboards were a thing until the mid-70s, but live and learn. This unit has all the bells and whistles, including three variable power supplies, an array of switches, buttons, indicator lamps, and jacks for external connections, and a pulse generator as well as a legit function generator.

Legit, that would be, if it actually worked. [Ken]’s contribution to the repair was a thorough teardown of the device followed by reverse-engineering the design. Seeing how this thing was designed around the constraints of 1969 technology is a real treat; the metal-can transistors and ICs and the neat and tidy PCB layout are worth the price of admission alone. And the fact that neon lamps and their drivers were cheaper and easier to use than LEDs says a lot about the state of the art at the time.

As for the necessary repairs, [Marc]’s video leaves off before getting there. That’s fine; we’re sure he’ll put [Ken]’s analysis to good use, and we always enjoy [Marc]’s video series anyway. The Apollo flight comms series was a great one, too.

Two revisions of [Wenting]’s custom SSD board: the earlier revision on the left, and the later, sleeker and more complete one on the right.

Custom SSD Gives New Life To Handheld Atom PC

People don’t usually go as far as [Wenting Zhang] has – designing a new IDE SSD board for a portable x86 computer made in 2006. That said, it’s been jaw-dropping to witness the astounding amount of reverse-engineering and design effort being handwaved away.

The Benq S6 is a small MID (Mobile Internet Device) with an Atom CPU, an x86 machine in all but looks. Its non-standard SSD’s two gigabytes of storage, however, heavily limit the choice of OS – Windows XP would hardly fit on there, and while a small Linux distro could manage better, it’s, and we quote, “not as exciting”. A lot of people would stop there and use an external drive, or a stack of adapters necessitating unsightly modifications to the case – [Wenting] went further and shattered the “stack of adapters” stereotype with his design journey.

Tracing quite a few complex multi-layer boards into a unified, working schematic is no mean feat, especially with the SSD PCB hosting two BGA chips, and given the sheer number of pins in the IDE interface of the laptop’s original drive. Even the requirement for the SSD to be initialized didn’t stop him – the manufacturer’s software put up a short fight, but was no match for [Wenting]’s skills. The end result is a drop-in replacement SSD even thinner than the stock one.

This project is well-documented for all of us to learn from! Source code and PCB files are on GitHub, and [Wenting] has covered the journey in three different places at once – on Hackaday.io, in a YouTube video embedded down below, and on his Twitter in the form of regular posts. Now, having seen this happen, we all have one less excuse for not taking up a project that seems this complex.

Hackers play with SSD upgrades and repurposing every now and then, sometimes designing proprietary-to-SATA adapters, and sometimes reusing custom SSD modules we’ve managed to get a stack of. If case mods are acceptable to you aesthetics-wise, we’ve seen an SSD upgrade for a Surface Pro 3 made possible that way.


Wordle Reverse-Engineering And Automated Solving

Simplified Absurdle decision tree for a single letter guess from a set of three possible options

We don’t know about you, but we have mixed feelings about online puzzle fads. On one hand, they’re a great tool to help keep one sharp, but they’re just everywhere. The latest social-media-driven fad, Wordle, may be a little too prevalent for our liking, with social media timelines stuffed with updates about the thing. [Ed Locard] was getting a bit miffed with friends’ constant posts about ‘Today’s Wordle’, and was hoping they’d get back to posting pictures of their dogs instead, so he did what any self-respecting hacker would do and wrote a Python script to automate solving Wordle puzzles, in a likely futile attempt to get them to stop posting.

Actually, [Ed] was more interested in building a solver for a related game, Absurdle, which is described as an adversarial variant of Wordle. Absurdle doesn’t commit to a single secret word; instead it uses your guesses so far to narrow down a large pool of possible words, choosing its feedback so that the pool stays as large as possible and you keep guessing for longer. Which is pretty mean of it. Anyway, [Ed] came up with a tool called Pyrdle (GitHub project), which is essentially a command-line version of Absurdle that can also solve Wordle as a byproduct. It turns out the JS implementation of Wordle holds the entire possible wordlist client-side, so the answer is already sitting in your browser. The really interesting part of this project is the approach to automated solving of puzzles with a very large potential set of solutions. It makes for an interesting read, and an infinitely more interesting one than yet another Wordle post.
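The adversarial mechanic and the solving approach described above, as an added example in Python (written for this page, not Pyrdle’s own code): the adversary partitions the remaining candidates by the feedback each would produce for your guess and answers with the largest bucket, and the solver plays minimax against it, picking the guess whose worst-case bucket is smallest. The five-word list is constructed for the demo, and the tie-breaking rule the adversary uses when two buckets are the same size is an assumption of this example, not necessarily Absurdle’s.

```python
"""Absurdle-style adversary and a minimax solver for it (added example, not Pyrdle's code).

The word list below is constructed for the demo; a real game uses the full client-side
wordlist that Wordle's JavaScript ships to the browser.
"""
from collections import Counter, defaultdict
from typing import Dict, List, Sequence, Tuple

# Constructed five-letter list. In Wordle the guessable list is larger than the answer list;
# both are passed separately below so the distinction is kept.
WORDS = ["crane", "crate", "slate", "trace", "grate"]

WIN = "ggggg"


def score(guess: str, answer: str) -> str:
    """Wordle feedback: g = right place, y = in the word elsewhere, . = absent.

    Duplicate letters are handled the way Wordle does: greens are marked first and each
    answer letter can satisfy at most one yellow.
    """
    marks = ["."] * len(guess)
    unmatched: Counter = Counter()
    for i, (g, a) in enumerate(zip(guess, answer)):
        if g == a:
            marks[i] = "g"
        else:
            unmatched[a] += 1
    for i, g in enumerate(guess):
        if marks[i] == "." and unmatched[g] > 0:
            marks[i] = "y"
            unmatched[g] -= 1
    return "".join(marks)


def partition(guess: str, candidates: Sequence[str]) -> Dict[str, List[str]]:
    """Group the remaining candidates by the feedback this guess would produce for each."""
    buckets: Dict[str, List[str]] = defaultdict(list)
    for word in candidates:
        buckets[score(guess, word)].append(word)
    return buckets


def absurdle_reply(guess: str, candidates: Sequence[str]) -> Tuple[str, List[str]]:
    """The adversary: answer with the pattern that keeps the most candidates alive.

    Tie-break (an assumption of this example, not necessarily Absurdle's rule): never concede
    a win if an equally large non-winning bucket exists, then pick the pattern that sorts last.
    """
    buckets = partition(guess, candidates)
    pattern = max(buckets, key=lambda p: (len(buckets[p]), p != WIN, p))
    return pattern, buckets[pattern]


def best_guess(candidates: Sequence[str], allowed: Sequence[str]) -> str:
    """Minimax: the guess whose worst-case bucket is smallest; prefer a guess that could win."""
    def key(g: str):
        worst = max(len(b) for b in partition(g, candidates).values())
        return (worst, g not in candidates, g)
    return min(allowed, key=key)


def solve_absurdle(allowed: Sequence[str], answers: Sequence[str],
                   max_turns: int = 10) -> List[Tuple[str, str]]:
    """Play the minimax solver against the adversary; returns the (guess, feedback) history."""
    candidates = list(answers)
    history: List[Tuple[str, str]] = []
    for _ in range(max_turns):
        guess = best_guess(candidates, allowed)
        pattern, candidates = absurdle_reply(guess, candidates)
        history.append((guess, pattern))
        if pattern == WIN:
            break
    return history


if __name__ == "__main__":
    for turn, (g, p) in enumerate(solve_absurdle(WORDS, WORDS), 1):
        print(turn, g, p)
```

Note that `partition` is the whole game: the same bucketing that lets the adversary stall also tells the solver how much each guess narrows the field, which is why the minimax step is a one-liner on top of it. On the full wordlist the naive minimax is quadratic in the list size per turn, so a real solver caches or prunes, but the structure is unchanged.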

And one final note: if you’re not at all on board with this, love Wordle, and can’t get enough, you might like to install [brackendawson]’s comically titled notfoundle (command-not-found) shell handler, for some puzzling feedback on your command-line slip-ups. Well, it amused us anyway.

Puzzle projects hit these pages once in a while. Here’s the annual Xmas GCHQ puzzle, and if you’re more into physical puzzles with an electronics focus (and can solder), check out the DEF CON 29 puzzle badge!

Linux Arcade Cab Gives Up Its Secrets Too Easily

Sometimes reverse engineering embedded systems can be a right old faff, requiring all kinds of tricks, such as power glitching, to poke a tiny hole in the armour and get a way in. And sometimes the door is just plain wide open. This detailed exploration of an off-the-shelf retro arcade machine is definitely in that second camp, for whatever reason. [Matthew Alt] of VoidStar Security took a detailed look into how this unit works, and it reads as a great introduction to how embedded Linux is put together on these minimal systems.

Could this debug serial port be more obvious?

The hardware is the usual bartop cabinet, with dual controls and an LCD display, and just enough inside a metal enclosure to drive the show. Inside, the main PCB has the expected minimal ARM-based application processor with its supporting circuitry. The processor is the Rockchip RK3128, a quad-core Cortex-A7 (with NEON) alongside a Mali-400 GPU, but the main selling point is the excellent Linux support. You’ll likely see this chip or its relatives powering cheap Android TV boxes, and it’s the core of this nice-looking ‘mini PC’ platform from Firefly. Maybe something to consider, seeing as Raspberry Pis are currently so hard to come by?

Anyway, we digress. [Matthew] breaks it down for us very methodically, first by identifying the main ICs and downloading the appropriate datasheets. Next he moves on to connectors, locating an internal, non-user-facing micro USB port, which is definitely going to be of interest. Finally, the rather obvious unpopulated 3-pin header is identified as a serial port. He captured it with a Saleae clone to verify that it was indeed a UART and to measure the baud rate. With that done, he hooked it up to a Raspberry Pi’s UART and, by attaching the standard screen utility to the serial device, lo and behold: a boot log and a root prompt! This thing really is barn-door wide open.
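The “is it a UART, and at what baud rate” step, as an added example that is not from VoidStar Security’s write-up: given the edge timings a logic analyser exports, the shortest pulse is one bit period whenever the data contains an isolated bit (any ASCII text does), so dividing the sample rate by it and snapping to the nearest standard rate gives the baud; decoding 8N1 by sampling at bit centres and checking that every stop bit is high then confirms the guess, because a wrong rate or a non-UART signal shows up as framing errors. Everything here is constructed: the 24 MHz sample rate is an assumption, and the “captured” signal is generated from a made-up console string so the example runs offline.

```python
"""Identify a UART from logic-analyser edge timings and decode the 8N1 stream (added example).

Everything here is constructed: the captured "signal" is generated from a sample string so
the example runs offline; nothing is taken from the arcade machine's actual boot log.
"""
from bisect import bisect_right
from typing import List, Tuple

SAMPLE_RATE = 24_000_000  # samples per second; an assumed, typical analyser setting
STANDARD_BAUDS = [9600, 19200, 38400, 57600, 115200, 230400, 460800, 921600, 1_500_000]

Edge = Tuple[int, int]  # (sample index, new line level)

# Constructed stand-in for what a serial console prints; not the real device's output.
SAMPLE_TEXT = b"\r\nStarting kernel ...\r\n\r\nroot@box:~# "


def edges_from_bytes(data: bytes, baud: int, start: int = 0) -> List[Edge]:
    """Render bytes as an idle-high 8N1 line (start bit, 8 data bits LSB first, stop bit)
    and return only the transitions, which is what an analyser exports."""
    bits: List[int] = []
    for byte in data:
        bits.append(0)
        bits.extend((byte >> i) & 1 for i in range(8))
        bits.append(1)
    bit_len = SAMPLE_RATE / baud
    edges: List[Edge] = []
    level = 1
    for i, b in enumerate(bits):
        if b != level:
            edges.append((start + round(i * bit_len), b))
            level = b
    return edges


def estimate_baud(edges: List[Edge]) -> Tuple[int, float]:
    """Shortest pulse = one bit period, true whenever the data contains an isolated bit.
    Returns the nearest standard rate and the raw estimate, so a caller can notice a
    non-standard rate when the two disagree by more than a few percent."""
    shortest = min(b - a for (a, _), (b, _) in zip(edges, edges[1:]))
    raw = SAMPLE_RATE / shortest
    return min(STANDARD_BAUDS, key=lambda r: abs(r - raw)), raw


def decode_8n1(edges: List[Edge], baud: int) -> Tuple[bytes, int]:
    """Sample each frame at bit centres; returns (decoded bytes, framing error count)."""
    times = [t for t, _ in edges]
    bit_len = SAMPLE_RATE / baud

    def level_at(t: float) -> int:
        idx = bisect_right(times, t) - 1
        return edges[idx][1] if idx >= 0 else 1  # idle high before the first edge

    out = bytearray()
    framing_errors = 0
    frame_end = float("-inf")
    for t, level in edges:
        # A frame starts on a falling edge that lies outside the frame currently being decoded.
        if level != 0 or t < frame_end - bit_len / 2:
            continue
        value = 0
        for i in range(8):
            value |= level_at(t + (1.5 + i) * bit_len) << i
        if level_at(t + 9.5 * bit_len) == 1:
            out.append(value)
        else:
            framing_errors += 1  # stop bit not high: wrong baud, noise, or not a UART at all
        frame_end = t + 10 * bit_len
    return bytes(out), framing_errors


def demo() -> Tuple[int, bytes, int]:
    """Generate a capture at 115200, recover the rate blind, decode and count framing errors."""
    capture = edges_from_bytes(SAMPLE_TEXT, 115200)
    baud, _raw = estimate_baud(capture)
    text, errors = decode_8n1(capture, baud)
    return baud, text, errors


if __name__ == "__main__":
    print(demo())
```

With a real export, feed `decode_8n1` the analyser’s (timestamp, level) pairs converted to sample indices; a handful of framing errors at the start of a capture is normal (the first frame is often cut), but errors throughout mean the rate, the polarity or the assumption that this is a UART at all is wrong.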

Is that a root prompt you have for me? Oh why yes it is!

Simply by plugging in a USB stick, the entire flash memory was copied over, partitions and all, giving a full backup in case subsequent hacking messed things up. Since the bootloader is U-Boot, it was a trivial matter of keying in Ctrl-C at boot time to drop straight into the U-Boot command line, where all the configuration could be easily read out. By using U-Boot to do a low-level dump of the SPI flash to an external USB device, via a copy in RAM, he proved he could do the reverse and write the same image back to flash without breaking anything, so it is now possible to reverse engineer the software, make changes and write them back. The process was automated using Depthcharge on the Raspberry Pi, which was also good to read about. We will keep an eye on the blog for what he does with it next!

As we’ve covered earlier, embedded Linux really is everywhere, and once you’ve got hardware access and some software support, hacking in new tricks is not so hard either.