reverse engineering

403 Articles

Remote control PCB next to its shell, with a breadboarded analog switch connected to the remote's onboard microcontroller, soldered to the pins responsible for button reading

Reusing Proprietary Wireless Sockets Without Wireless Hacking

January 31, 2022 by 9 Comments

Bending various proprietary devices to our will is a hacker’s rite of passage. When it comes to proprietary wall sockets, we’d often reverse-engineer and emulate their protocol – but you can absolutely take a shortcut and, like [oaox], spoof the button presses on the original remote! Buttons on such remotes tend to be multiplexed and read as a key matrix (provided there’s more than four of them), so you can’t just pull one of the pads to ground and expect to not confuse the microcontroller inside the remote. While reading a key matrix, the controller will typically drive rows one-by-one and read column states, and a row or column driven externally will result in the code perceiving an entire group of keys as “pressed” – however, a digitally-driven “switch” doesn’t have this issue!

One way to achieve this would be to use a transistor, but [oaox] played it safe and went for a 4066 analog multiplexer, which has a higher chance of working with any remote no matter the button configuration, for instance, even when the buttons are wired as part of a resistor network. As a bonus, the remote will still work, and you will still be able to use its buttons for the original purpose – as long as you keep your wiring job neat! When compared to reverse-engineering the protocol and using a wireless transmitter, this also has the benefit of being able to consistently work with even non-realtime devices like Raspberry Pi, and other devices that run an OS and aren’t able to guarantee consistent operation when driving a cheap GPIO-operated RF transmitter.

In the past, we’ve seen people trying to tackle this exact issue, resorting to RF protocol hacking in the end. We’ve talked about analog multiplexers and switches in the past, if you’d like figure out more ways to apply them to solve your hacking problems! Taking projects like these as your starting point, it’s not too far until you’re able to replace the drift-y joysticks on your Nintendo Switch with touchpads!

BBQ lighter fault injector

Blast Chips With This BBQ Lighter Fault Injection Tool

January 29, 2022 by 16 Comments

Looking to get into fault injection for your reverse engineering projects, but don’t have the cash to lay out for the necessary hardware? Fear not, for the tools to glitch a chip may be as close as the nearest barbecue grill.

If you don’t know what chip glitching is, perhaps a primer is in order. Glitching, more formally known as electromagnetic fault injection (EMFI), or simply fault injection, is a technique that uses a pulse of electromagnetic energy to induce a fault in a running microcontroller or microprocessor. If the pulse occurs at just the right time, it may force the processor to skip an instruction, leaving the system in a potentially exploitable state.

EMFI tools are commercially available — we even recently featured a kit to build your own — but [rqu]’s homebrew version is decidedly simpler and cheaper than just about anything else. It consists of a piezoelectric gas grill igniter, a little bit of enameled magnet wire, and half of a small toroidal ferrite core. The core fragment gets a few turns of wire, which then gets soldered to the terminals on the igniter. Pressing the button generates a high-voltage pulse, which gets turned into an electromagnetic pulse by the coil. There’s a video of the tool in use in the Twitter thread, showing it easily glitching a PIC running a simple loop program.

To be sure, a tool as simple as this won’t do the trick in every situation, but it’s a cheap way to start exploring the potential of fault injection.

Thanks to [Jonas] for the tip.

Reverse Engineering: Trash Printer Gives Up Its Control Panel Secrets

January 25, 2022 by 7 Comments

Many of us hardware-oriented types find it hard to walk past a lonely-looking discarded item of consumer electronics without thinking “If only I could lug that back to the car and take it home to play with” and [phooky] from NYC Resistor is no stranger to this sentiment. An old Epson WF-2540 inkjet printer was disassembled for its important ‘nutrients,’ you know, the good stuff like funky motors, encoders and switches. But what do you do with the control panel? After all, they’re usually very specific to the needs of the device they control, and don’t usually offer up much scope for reuse.

The RP2040 PIO is quite capable of pushing out those LCD pixels

[phooky] doesn’t usually bother with them, but this time decided to have a crack at it for fun. Inside, nothing out of the ordinary, with a large single-sided PCB for the key switches and LEDs, and a small PCB hosting the LCD display. The easy part was to figure out how the keyboard scanning was done, which turned out to be pretty simple, it just uses some 74-series shift register devices to scan the columns and clock out the row lines. A Raspberry Pi Pico module was pressed into service to scan the keyboard and enable a keyboard map to be created, by pure brute-force. No need to trace the circuit.

Things got interesting when [phooky] started looking into the LCD interface, based on the Epson E02A46EA chip (good luck finding a datasheet for that one!) and quickly realised that documentation simply wasn’t available, and it would be necessary to do things the hard way. Poking around the lines from the main CPU (an Epson E01A9CA , whatever that is) the display clock was identified, as well as some control signals, and three lines for the RGB channels. By throwing a Saleae data capture into some ROM exploring software, the display configuration was determined to be a standard 320×120 unit.

The PIO unit of the RP2040 was used to generate the video waveforms and push the pixels out to the LCD controller, allowing the RP2040 board to be wired inside the case permanently, converting the control panel into a USB device ready for action!

Want to know a little more about reverse engineering junk (or not) items and repurposing them to your will? Checkout this hacking piece from a couple of weeks back. For something a little more advanced, you could try your hand at a spot of car ECU hacking.

Thanks [Perry] for the tip!

Hacking Is Hacking

January 15, 2022 by 5 Comments

Tom Nardi and I had a good laugh this week on the Podcast when he compared the ECU hacks that enabled turning a VW with steering assist into a self-driver to a hack last week that modified a water cooler to fill a particular cup. But it’s actually no joke — some of the very same techniques are used in both efforts, although the outcome of one is life-and-death, and the other is just some spilled ice-cold water.

This reminded me of Travis Goodspeed’s now-classic talk “In Praise of Junk Hacking” from way back in 2016. For background, this was a time when IoT devices and their security were in their relative infancy, and some members of the security community were throwing shade on the dissection of “mere” commercial crap. (Looked back on from today, where every other member of a Botnet is an IP camera, that argument didn’t age well.)

Travis’ response was that hacking on junk lets us focus on the process — the hack itself — rather than getting distracted by the outcome. Emotions run high when a security flaw affects millions of individuals, but when it’s a Tamagotchi or a pocket calculator, well, it doesn’t really matter, so you focus on the actual techniques. And as Travis points out, many of these techniques learned on junk will be useful when it counts. He learned about methods to defeat address-space randomization, for instance, from an old hack on the TI-85 calculator, which garbage-collected the variables that needed to be overwritten.

So I had junk hacking in the back of my mind when I was re-watching Hash Salehi’s great talk on his work reverse engineering smart meters. Funnily enough, he started off his reverse engineering journey eleven years ago with work on a robot vacuum cleaner’s LIDAR module. Junk hacking, for sure, but the same techniques taught him to work on devices that are significantly more serious. And in the craziest of Hackaday synergies, he even hat-tipped Travis’ talk in his video! Hacking is hacking!

This article is part of the Hackaday.com newsletter, delivered every seven days for each of the last 200+ weeks. It also includes our favorite articles from the last seven days that you can see on the web version of the newsletter. Want this type of article to hit your inbox every Friday morning? You should sign up!

The Year Of Owning It

January 8, 2022 by 41 Comments

Talking over the year in review on the Podcast, Tom Nardi and I were brainstorming what we thought was the single overarching trend in 2021, and we came up with many different topics: victories in the right to repair, increasingly dystopian service contracts, a flourishing of cyberdecks, and even greater prevalence of reverse engineering style hacks. And then we realized: they are all different faces of the same beast — people just want to own the devices that they own.

Like Dr. Jekyll and Mr. Hyde, our modern Internet-connected-everythings have two sides. On one side, we get so much additional functionality from having everything on the net. But on the other, if your car is always connected, it gives Toyota a means to make you pay a monthly fee to use a car fob, and if you have to use Cricut’s free online service to upload designs to the cutter, they can suddenly decide to start charging you. It allows Samsung to not only spy on whatever you’re currently watching on your smart TV, but to also brick it if they want to. More and more, we don’t actually own (in the sense of control) the devices that we own (in the sense of having purchased).

We don’t have to take it lying down. On the one hand, consumer protest made Cricut walk back their plans, and may do the same with Toyota. We can achieve a lot, collectively, by just talking about our grievances, and letting the firms in question know how we feel — naturally also with our wallets. But as hackers and all-around techie types, we can do even more. When something is broken because of a bad service, we can often fix it with firmware or by standing up our own version of the service. We can pwn them.

But there’s even more to the cyberdeck and the extreme DIY movements of the last few years than just the defense against lock-in or the liberating of hardware. There’s also the pride of truly owning something because you made it. Not just owning it because you bought it, or owning it because you control it, but owning it because you understand it and because you gave birth to it.

Whichever way you’re into owning your own, I think that’s the single overarching trend of 2021 — both on the positive and proactive side and the negative and reactive. Talking about it, reverse engineering it, or building it yourself, 2021 was the year of owning it.

This article is part of the Hackaday.com newsletter, delivered every seven days for each of the last 200+ weeks. It also includes our favorite articles from the last seven days that you can see on the web version of the newsletter. Want this type of article to hit your inbox every Friday morning? You should sign up!

Baby Steps Toward DIY Autonomous Driving: VW Golf Edition

January 8, 2022 by 18 Comments
Nice thermal design, but conformal coating and no ID marks make this tough to reverse engineer

[Willem Melching] owns a 2010 Volkswagen Golf – a very common vehicle in Europe – and noticed that whilst the electronic steering rack supports the usual Lane Keep Assist (LKAS) system, and would be theoretically capable of operating in a far more advanced configuration using openpilot, there were some shortcomings in VW’s implementation which means that it would not function for long enough to make it viable. Being very interested in and clearly extremely capable at reverse engineering car ECUs and hacking them into submission, [Willem] set about documenting his journey to unlocking openpilot support for his own vehicle.

And what a journey it was! The four-part blog series is beautifully written, showing every gory detail and all tools used along the way. The first part shows the Electronic Power Steering (EPS) ECU from a 2010 Volkswagen Golf Mk6 module (which rides on the back of the three-phase steering rack motor) being cracked open to reveal an interesting multi-chip module approach, with bare die directly bonded to a pair of substrate PCBs, that are in turn, bonded to the back of the motor casing, presumably for heat dissipation reasons. Clever design, but frustrating at the same time as this makes part identification somewhat tricker!

Entropy less the 1.0, and zero sections indicate no encryption applied

[Willem] uses a variety of tools and tricks to power up and sniff the ECU traffic on the CAN bus, when hooked up to a SAE J2534-compliant debug tool, eventually determining it speaks the VW-specific TP2.0 CAN bus protocol, and managed to grab enough traffic to check that it was possible to use the standard KWP2000 diagnostic protocol to access some interesting data. Next was a very deep dive into reverse engineering update images found online, by first making some trivial XOR operations, then looking at an entropy plot of the file using Binwalk to determine if he really did have code, and if it was encrypted or not, After running cpu_rec, it was determined the CPU was a Renesas V850. Then the real work started – loading the image into Ghidra to start making some guesses of the architecture of the code, to work out what needed patching to make the desired changes. In the final part of the series, [Willem] extracts and uses the bootloader procedure to partially patch the code configuration area of his vehicle and unlocks the goal he was aiming at – remote control of his steering. (OK, the real goal was running openpilot.)

In our opinion, this is a very interesting, if long, read showing a fascinating subject expertly executed. But we do want to stress, that the vehicular EPS module is an ASIL-D safety tested device, so any hacks you do to a road-going vehicle will most definitely void your insurance (not to mention your warranty) if discovered in the event of a claim.

Older ECUs are a bit easier to hack, if you can pull the EPROM, and people out there are producing modules for allsorts of vehicular hacking. So plenty to tinker with!

Remoticon 2021: Unbinare Brings A Reverse-Engineering Toolkit Into Recycling

January 6, 2022 by 5 Comments

Unbinare is a small Belgian company at the forefront of hacking e-waste into something useful, collaborating with recycling and refurbishing companies. Reverse-engineering is a novel way to approach recycling, but it’s arguably one of the most promising ways that we are not trying at scale yet. At Hackaday Remoticon 2021, Maurits Fennis talked about Unbinare’s efforts in the field and presented us with a toolkit he has recently released as a part of his work, as well as described how his background as an artist has given him insights used to formulate foundational principles of Unbinare.

Image showing an Unbinare OISTER boardUnbinare’s tools are designed to work in harmony with each other, a requirement for any productive reverse-engineering effort. OI!STER is a general-purpose salvaged MCU research board, with sockets to adapt to different TQFP chip sizes. This board is Maurits’s experience in reverse-engineering condensed into a universal tool, including a myriad of connectors for different programming/debugging interfaces. We don’t know the board’s full scope, but the pictures show an STM32 chip inside the TQFP socket, abundant everywhere except your online retailer of choice. Apart from all the ways to break out the pins, OI!STER has sockets for power and clock glitching, letting you target these two omnipresent Achilles’ heels with a tool like ChipWhisperer.

Continue reading “Remoticon 2021: Unbinare Brings A Reverse-Engineering Toolkit Into Recycling”