Remoticon 2021: Unbinare Brings A Reverse-Engineering Toolkit Into Recycling

Unbinare is a small Belgian company at the forefront of hacking e-waste into something useful, collaborating with recycling and refurbishing companies. Reverse-engineering is a novel way to approach recycling, but it’s arguably one of the most promising ways that we are not trying at scale yet. At Hackaday Remoticon 2021, Maurits Fennis talked about Unbinare’s efforts in the field and presented us with a toolkit he has recently released as a part of his work, as well as described how his background as an artist has given him insights used to formulate foundational principles of Unbinare.

Image showing an Unbinare OISTER boardUnbinare’s tools are designed to work in harmony with each other, a requirement for any productive reverse-engineering effort. OI!STER is a general-purpose salvaged MCU research board, with sockets to adapt to different TQFP chip sizes. This board is Maurits’s experience in reverse-engineering condensed into a universal tool, including a myriad of connectors for different programming/debugging interfaces. We don’t know the board’s full scope, but the pictures show an STM32 chip inside the TQFP socket, abundant everywhere except your online retailer of choice. Apart from all the ways to break out the pins, OI!STER has sockets for power and clock glitching, letting you target these two omnipresent Achilles’ heels with a tool like ChipWhisperer.

Continue reading “Remoticon 2021: Unbinare Brings A Reverse-Engineering Toolkit Into Recycling”

An image showing a water cooler PCB on the desk, with probes and jumper wires connected to it.

Taking Water Cooler UX Into Your Own Hands With Ghidra

Readers not aware of what Ghidra is might imagine some kind of aftermarket water cooler firmware or mainboard – a usual hacker practice with reflow ovens. What [Robbe Derks] did is no less impressive and inspiring:  A water cooler firmware mod that adds hands-free water dispensing, without requiring any hardware mods or writing an alternative firmware from scratch.

Having disassembled the cooler, [Robbe] found a PIC18F6527 on the mainboard, and surprisingly, it didn’t have firmware readback protection. Even lack of a PICkit didn’t stop him – he just used an Arduino to dump the firmware, with the dumper code shared for us to reuse, and the resulting dumps available in the same repository.

From there, he involved Ghidra to disassemble the code, while documenting the process in a way we can all learn from, and showing off the nifty tricks Ghidra has up its sleeves. Careful planning had to be done to decide which functions to hook and when, where to locate all the extra logic so that there’s no undesirable interference between it and the main firmware, and an extra step taken to decompile the freshly-patched binary to verify that it looks workable before actually flashing the cooler with it.

The end result is a water cooler that works exactly as it ought to have worked, perhaps, if the people defining its user interaction principles were allowed to make it complex enough. We could argue whether this should have been a stock function at all, but either way, it is nice to know that we the hackers still have some of the power to make our appliances friendly — even when they don’t come with an OS. Certainly, every single one of us can think of an appliance long overdue for a usability boost like this. What are your examples?

We’ve covered quite a few Ghidra-involving hacks, but it never feels like we’ve had enough. What about patching an air quality meter to use Fahrenheit? Or another highly educational write-up on cracking GBA games? Perhaps, liberating a Linux-powered 4G router to reconfigure it beyond vendor-defined boundaries? If you have your own goal in mind and are looking to start your firmware reverse-engineering journey, we can say with certainty that you can’t go wrong with our HackadayU course on Ghidra.

Remoticon 2021: Uri Shaked Reverses The ESP32 WiFi

You know how when you’re working on a project, other side quests pop up left and right? You can choose to handle them briefly and summarily, or you can dive into them as projects in their own right. Well, Uri Shaked is the author of Wokwi, an online Arduino simulator that allows you to test our your code on emulated hardware. (It’s very, very cool.) Back in the day, Arduino meant AVR, and he put in some awesome effort on reverse engineering that chip in order to emulate it successfully. But then “Arduino” means so much more than just AVR these days, so Uri had to tackle the STM32 ARM chips and even the recent RP2040.

Arduino runs on the ESP32, too, so Uri put on his reverse engineering hat (literally) and took aim at that chip as well. But the ESP32 is a ton more complicated than any of these other microcontrollers, being based not only on the slightly niche Xtensa chip, but also having onboard WiFi and its associated binary firmware. Reverse engineering the ESP32’s WiFi is the side-quest that Uri embarks on, totally crushes, and documents for us in this standout Remoticon 2021 talk. Continue reading “Remoticon 2021: Uri Shaked Reverses The ESP32 WiFi”

Hackers And China

The open source world and Chinese manufacturing have a long relationship. Some fifteen years ago, the big topic was how companies could open-source their hardware designs and not get driven bankrupt by competition from overseas. Companies like Sparkfun, Adafruit, Arduino, Maple Labs, Pololu, and many more demonstrated that this wasn’t impossible after all.

Maybe ten years ago, Chinese firms started picking up interesting hacker projects and producing them. This gave us hits like the AVR transistor tester and the NanoVNA. In the last few years, we’ve seen open-source hardware and software projects that have deliberately targeted Chinese manufacturers, and won. We do the design and coding, they do the manufacturing, sales, and distribution.

But this is something else: the Bangle.js watch takes an essentially mediocre Chinese smartwatch and reflashes the firmware, and sells them as open-source smartwatches to the general public. These pre-hacked watches are being sold on Kickstarter, and although the works stands on the shoulders of previous hacker’s reverse engineering work on the non-open watch hardware, it’s being sold by the prime mover behind the Espruino JavaScript-on-embedded language, which it runs on.

We have a cheap commodity smartwatch, being sold with frankly mediocre firmware, taken over by hackers, re-flashed, re-branded, and sold by the hackers on Kickstarter. As a result of it being (forcibly) opened, there’s a decently sized app store of contributed open-source applications that’ll run on the platform, making it significantly more useful and hacker friendly than it was before.

Will this boost sales? Will China notice the hackers’ work? Will this, and similar projects, end up in yet another new hacker/China relationship? We’re watching.

Flipper Zero tool reading bank card, displaying data on LCD

What’s On Your Bank Card? Hacker Tool Teaches All About NFC And RFID

The Flipper Zero is a multipurpose hacker tool that aims to make the world of hardware hacking more accessible with a slick design, wide array of capabilities, and a fantastic looking UI. They are struggling with manufacturing delays like everyone else right now, but there’s a silver lining: the team’s updates are genuinely informative and in-depth. The latest update is all about RFID and NFC, and how the Flipper Zero can interact with a variety of contactless protocols.

Drawing of Flipper Zero and a variety of RFID tags
Popular 125 kHz protocols: EM-Marin, HID Prox II, and Indala

Contactless tags are broadly separated into low-frequency (125 kHz) and high-frequency tags (13.56 MHz), and it’s not really possible to identify which is which just by looking at the outside. Flipper Zero can interface with both, but the update at the link above goes into considerable detail about how these tags are used in the real world, and what they look like from both the outside and inside.

For example, 125 kHz tags have an antenna made from many turns of very fine wire, with no visible space between the loops. High-frequency tags on the other hand will have antennas with fewer loops, and visible space between them. To tell them apart, a bright light is often enough to see the antenna structure through thin plastic.

Low-frequency tags are “dumb” and incapable of encryption or two-way communication, but what about high-frequency (often referred to as NFC) like bank cards and applications like Apple Pay? One thing demonstrated is that mobile payment methods offer up considerably less information on demand than a physical bank or credit card. With a physical contactless card it’s possible to read the full card number, expiry date, and in some cases the name as well as recent transactions. Mobile payment systems (like Apple or Google Pay) don’t do that.

Like many others, we’re looking forward to it becoming available, sadly there is just no getting around component shortages that seem to be affecting everyone.

An RF Remote Is No Match For A Logic Analyser!

The Neewer NL660-2.4 Video Keylight has a handy remote control, which for [Tom Clement] has a major flaw in that it can’t restore the light to the state it had during its last power-on. He’s thus taken the trouble to reverse engineer it and create his own remote using a suitably-equipped Arduino clone.

The write-up is a step through primer for the would-be RF remote hacker, identifying the brains as an STM8 and the radio as an NRF24 clone before attempting to dump the firmware of the STM8. As might be expected the STM is protected, which only leaves the option of sniffing the connection between the two chips. The SPI pins are duly probed with a logic analyser, and the codes used by Neweer are extracted. As luck would have it there is a handy board called the RF Nano which is an Arduino Nano and an NRF24 in an Arduino Nano form factor, so a proof of concept remote could be written on an all-in-one module. You can find the result as a GitHub Gist, should you be curious.

We’ve seen Tom a few times before, particularly in his European BadgeLife work, as part of which he’s put a lot of effort into bringing browser-based WebUSB and WebSerial development to his work.

Teardown: Impassa SCW9057G-433 Alarm System

This series of monthly teardowns was started in early 2018 as an experiment, and since you fine folks keep reading them, I keep making them. But in truth, finding a new and interesting gadget every month can sometimes be a chore. Which is why I’m always so thankful when a reader actually sends something in that they’d like to see taken apart, as it absolves me from having to make the decision myself. Of course it also means I can’t be blamed if you don’t like it, so keep that in mind as well.

Coming our way from the tropical paradise of Eastern Pennsylvania, this month’s subject is an ADT branded Impassa SCW9057G-433 alarm system that was apparently pulled off the wall when our kind patron was moving house. As you might have guessed from the model number, this unit uses 433 MHz to communicate with various sensors and devices throughout the home, and also includes a 3G cellular connection that allows it to contact the alarm monitoring service even if the phone line has been cut.

Diagram of Impassa home security setup
The alarm can connect to a wide array of 433 MHz devices.

From how many of these are on eBay, and the research I’ve done on some home alarm system forums, it appears that you can actually pick one of these up on the second-hand market and spin your own whole-house alarm system without going through a monitoring company like ADT. The extensive documentation from Impassa covers how to wire and configure the device, and as long as the system isn’t locked when you get it, it seems like wiping the configuration and starting from scratch isn’t a problem.

If it’s possible to put together your own homebrew alarm system with one of these units at the core, then it seems the least we can do is take it apart and see what kind of potentially modifiable goodies are waiting under that shiny plastic exterior.

Continue reading “Teardown: Impassa SCW9057G-433 Alarm System”