The microcontroller described in the article, on the PCB taken out of the kettle

Dumping Encrypted-At-Rest Firmware Of Xiaomi Smart Kettle

May 4, 2022 by Arya Voronova 52 Comments

[aleaksah] got himself a Mi Smart Kettle Pro, a kettle with Bluetooth connectivity, and a smartphone app to go with it. Despite all the smarts, it couldn’t be turned on remotely. Energized with his vision of an ideal smart home where he can turn the kettle on in the morning right as he wakes up, he set out to right this injustice. (Russian, translated) First, he tore the kettle down, intending to dump the firmware, modify it, and flash it back. Sounds simple enough — where’s the catch?

This kettle is built around the QN9022 controller, from the fairly open QN902X family of chips. QN9022 requires an external SPI flash chip for code, as opposed to its siblings QN9020 and QN9021 which have internal flash akin to ESP8285. You’d think dumping the firmware would just be a matter of reading that flash, but the firmware is encrypted at rest, with a key unique to each MCU and stored internally. As microcontroller reads the flash chip contents, they’re decrypted transparently before being executed. So, some other way had to be found, involving the MCU itself as the only entity with access to the decryption key.

Continue reading “Dumping Encrypted-At-Rest Firmware Of Xiaomi Smart Kettle” →

Research: It’s Like Cheating, But Fair

April 23, 2022 by Elliot Williams 53 Comments

My niece’s two favorite classes in high school this year are “Intro to AI” and “Ethical Hacking”. (She goes to a much cooler high school than I did!) In “Hacking”, she had an assignment to figure out some bug in some body of code. She was staring and staring, figuring and figuring. She went to her teacher and said she couldn’t figure it out, and he asked her if she’d tried to search for the right keywords on the Internet.

My niece responded “this is homework, and that’d be cheating”, a line she surely must have learned in her previous not-so-cool high school. When the teacher responded with “but doing research is how you learn to do stuff”, my niece was hooked. The class wasn’t abstract or academic any more; it became real. No arbitrary rules. Game on!

But I know how she feels. Whether it’s stubborn independence, or a feeling that I’m cheating, I sometimes don’t do my research first. But attend any hacker talk, where they talk about how they broke some obscure system or pulled off an epic trick. What is the first step? “I looked all over the Internet for the datasheet.” (Video) “I found the SDK and that made it possible.” (Video) “Would you believe this protocol is already documented?” In any serious hack, there’s always ample room for your creativity and curiosity later on. If others have laid the groundwork for you, get on it.

If you have trouble overcoming your pride, or NIH syndrome, or whatever, bear this in mind: the reason we share information with other hackers is to give them a leg up. Whoever documented that protocol did it to help you. Not only is there no shame in cribbing from them, you’re essentially morally obliged to do so. And to say thanks along the way!

The BluePill board used for this hack, wired to the DYMO RFID reader, after all the wires for this hack have been soldered onto the BluePill board.

#FreeDMO Gets Rid Of DYMO Label Printer DRM

March 30, 2022 by Arya Voronova 51 Comments

DYMO 550 series printer marketing blurb says “The DYMO® LabelWriter® 550 Turbo label printer comes with unique Automatic Label Recognition™”, which, once translated from marketing-ese, means “this printer has DRM in its goshdarn thermal stickers”. Yes, DRM in the stickers that you typically buy in generic rolls. [FREEPDK] didn’t like that, either, and documents a #FreeDMO device to rid us of yet another consumer freedom limitation, the true hacker way.

The generic BluePill board and two resistors are all you need, and a few extra cables make the install clean and reversible – you could definitely solder to the DYMO printer’s PCBs if you needed, too. Essentially, you intercept the RFID reader connections, where the BluePill acts as an I2C peripheral and a controller at the same time, forwarding the data from an RFID reader and modifying it – but it can also absolutely emulate a predetermined label and skip the reader altogether. If you can benefit from this project’s discoveries, you should also take a bit of your time and, with help of your Android NFC-enabled phone, share your cartridge data in a separate repository to make thwarting future DRM improvements easier for all of us. Continue reading “#FreeDMO Gets Rid Of DYMO Label Printer DRM” →

An assortment of MemoryStick cards and devices, some of them, arguably cursed, like a MemoryStick-slot-connected camera.

Hacker Challenges MemoryStick To A Fight And Wins

March 20, 2022 by Arya Voronova 24 Comments

It’s amazing when a skilled hacker reverse-engineers a proprietary format and shares the nitty-gritty with everyone. Today is a day when we get one such write-up – about MemoryStick. It is one of those proprietary formats, a staple of Sony equipment, these SD-card-like storage devices were evidently designed to help pad Sony’s pockets, as we can see from the tight lock-in and inflated prices. As such, this format has always remained unapproachable to hackers. No more – [Dmitry Grinberg] is here with an extensive breakdown of MemoryStick protocol and internals.

If you ever want to read about a protocol that is not exactly sanely designed, from physical layer quirks to things like inexplicable large differences between MemoryStick and MemoryStick Pro, this will be an entertaining read for hackers of all calibers. Dmitry doesn’t just describe the bad parts of the design, however, as much as that rant is entertaining to read – most of the page is taken by register summaries, struct descriptions and insights, the substance about MemoryStick that we never got.

One sentence is taken to link to a related side project of [Dmitry] that’s a rabbithole on its own – he has binary patched MemoryStick drivers for PalmOS to add MemoryStick Pro support to some of the Sony Clie handhelds. Given the aforementioned differences between non-Pro and Pro standards, it’s a monumental undertaking for a device older than some of this site’s readers, and we can’t help but be impressed.

To finish the write-up off, [Dmitry] shares with us some MemoryStick bit-banging examples for the STM32. Anyone who ever wanted to approach MemoryStick, be it for making converter adapters to revive old tech, data recovery or preservation purposes, or simply hacker curiosity, now can feel a bit less alone in their efforts.

We are glad to see such great hacking on the MemoryStick front – it’s much needed, to the point where our only article mentioning MemoryStick is about avoiding use of the MemoryStick slot altogether. [Dmitry] is just the right person for reverse-engineering jobs like this, with extensive reverse-engineering history we’ve been keeping track of – his recent reverse-engineering journey of an unknown microcontroller in cheap E-Ink devices is to behold.

Retro Breadboard Gives Up Its 1960s Secrets

March 13, 2022 by Dan Maloney 18 Comments

When we see [Ken Shirriff] reverse engineering something, it tends to be on the microscopic level. His usual forte is looking at die photos of strange and obsolete chips and figuring out how they work. And while we love those efforts, it’s nice to see him in the macro world this time with a teardown and repair of a 1960s-era solderless breadboard system.

If you’d swear the “Elite 2 Circuit Design Test System” featured in [Ken]’s post looks familiar, it’s probably because you caught his partner-in-crime [CuriousMarc]’s video on the very same unit, an eBay score that arrived in non-working condition. The breadboard, which retailed for $1,300 in 1969 — an eye-watering $10,000 today — was clearly not aimed at the hobbyist market. Truth be told, we didn’t even know that solderless breadboards were a thing until the mid-70s, but live and learn. This unit has all the bells and whistles, including three variable power supplies, an array of switches, buttons, indicator lamps, and jacks for external connections, and a pulse generator as well as a legit function generator.

Legit, that would be, if it actually worked. [Ken]’s contribution to the repair was a thorough teardown of the device followed by reverse-engineering the design. Seeing how this thing was designed around the constraints of 1969 technology is a real treat; the metal can transistor and ICs and the neat and tidy PCB layout are worth the price of admission alone. And the fact that neon lamps and their drivers were cheaper and easier to use than LEDs says a lot about the state of the art at the time.

As for the necessary repairs, [Marc]’s video leaves off before getting there. That’s fine, we’re sure he’ll put [Ken]’s analysis to good use, and we always enjoy [Marc]’s video series anyway. The Apollo flight comms series was a great one, too. Continue reading “Retro Breadboard Gives Up Its 1960s Secrets” →

Two revisions of Wenting's custom SSD board - earlier revision on the left, later, sleeker and more complete, on the right.

Custom SSD Gives New Life To Handheld Atom PC

February 25, 2022 by Arya Voronova 12 Comments

People don’t usually go as far as [Wenting Zhang] has – designing a new IDE SSD board for a portable x86 computer made in 2006. That said, it’s been jaw-dropping to witness the astounding amount of reverse-engineering and design effort being handwaved away.

The Benq S6 is a small MID (Miniaturized Internet Device) with an Atom CPU, an x86 machine in all but looks. Its non-standard SSD’s two gigabytes of storage, however, heavily limit the OS choice – Windows XP would hardly fit on there, and while a small Linux distro could manage better, it’s, and we quote, “not as exciting”. A lot of people would stop there and use an external drive, or a stack of adapters necessitating unsightly modifications to the case – [Wenting] went further and broke the “stack of adapters” stereotype into shards with his design journey.

Tracing quite a few complex multi-layer boards into a unified and working schematic is no mean feat, especially with the SSD PCB being a host to two BGA chips, and given the sheer amount of pins in the IDE interface of the laptop’s original drive. Even the requirement for the SSD to be initialized didn’t stop him – a short fight with the manufacturer’s software ensued, but was no match for [Wenting]’s skills. The end result is a drop-in replacement SSD even thinner than the stock one.

This project is well-documented for all of us to learn from! Source code and PCB files are on GitHub, and [Wenting] has covered the journey in three different places at once – on Hackaday.io, in a YouTube video embedded down below, and also on his Twitter in form of regular posts. Now, having seen this happen, we all have one less excuse to take up a project seemingly so complex.

Hackers play with SSD upgrades and repurposing every now and then, sometimes designing proprietary-to-SATA adapters, and sometimes reusing custom SSD modules we’ve managed to get a stack of. If case mods are acceptable to you aesthetics-wise, we’ve seen an SSD upgrade for a Surface Pro 3 made possible that way.

Continue reading “Custom SSD Gives New Life To Handheld Atom PC” →

Wordle Reverse-Engineering And Automated Solving

February 8, 2022 by Dave Rowntree 15 Comments

Simplified Absurdle decision tree for a single letter guess from a set of three possible options

We don’t know about you, but we have mixed feelings about online puzzle fads. On one hand, they are great tool to help keep one sharp, but they’re just everywhere. The latest social-media driven fad, Wordle, may be a little bit too prevalent for our liking, with social media timelines stuffed with updates about the thing. [Ed Locard] was getting a bit miffed with friends’ constant posts about ‘Today’s Wordle’, and was hoping they’d get back to posting pictures of their dogs instead, so did what any self-respecting hacker would do, and wrote a python script to automate solving Wordle puzzles, in a likely futile attempt to get them to stop posting.

Actually, [Ed] was more interested in building a solver for a related game, Absurdle, which is described as an adversarial variant of Wordle. This doesn’t actually select a single word, but uses your guesses so far to narrow down a large pool of possible words, keeping you guessing for longer. Which is pretty mean of it. Anyway, [Ed] came up with a tool called Pyrdle, (GitHub project) which is essentially a command version of Absurdle, that has the capability of also solving Wordle as a byproduct. It turns out the JS implementation of Wordle holds the entire possible wordlist, client-side, so the answer is already sitting in your browser. The real interest part of this project is the approach to automated problem solving of puzzles with a very large potential set of solutions. This makes for an interesting read, and infinitely more so than reading yet another Wordle post.

And one final note; if you’re not at all onboard with this, love Wordle, and can’t get enough, you might like to install [brackendawson]’s comically titled (command) notfoundle shell handler, for some puzzling feedback on your command-line slip-ups. Well, it amused us anyway.

Puzzle projects hit these pages once in a while. Here’s the annual Xmas GCHQ puzzle, If you’re more into physical puzzles, with an electronics focus (and can solder) check out the DEF CON 29 puzzle badge!