Rolling Your Own TiVo WiFi Adapter

The only thing more surprising than finding out TiVo actually put out a new 4K set-top box recently is learning that somehow they didn’t bother to build WiFi into the thing. You’re forced to buy a special wireless adapter to the tune of $60 USD to add the feature. We’d make a joke about the company living in the past, but frankly, it would be too easy.

Having to buy just one of these expensive dongles in 2020 would be insulting enough, but TiVo superfan [xxbiohazrdxx] needed four of them. Rather than hand nearly $250 to the antennae-headed overlords, they decided to reverse engineer the adapter and produce their own low-cost version. While the final result might not be as slim and svelte as the original, it does come in at less than 1/4 the price.

Operating under the assumption that the TiVo would only talk to a WiFi adapter based on the same Broadcom BCM43569 chipset used in the official one, [xxbiohazrdxx] started by trying to find a standard USB dongle that might be a drop-in replacement. Unfortunately, it looks like this particular chip was almost exclusively used in proprietary applications, most commonly as a WiFi board inside of smart TVs. But as it turns out, that wasn’t necessarily a deal breaker.

After some searching, [xxbiohazrdxx] eventually found the promising CyberTAN NU361-HS board. Not only was it based on the right chipset and ran from 5 volts, but its FCC ID entry had a complete pinout for the connector. This particular WiFi module is used in a number of budget TVs and is widely available as a spare part for less than $10. By combining the board and a USB breakout PCB inside of a 3D printed case, you’ve got a plug-and-play WiFi adapter that the TiVo thinks is the real deal.

There was a time when Hackaday was flooded with TiVo hacks, but it’s now been more than a decade since cheap carrier-provided DVRs ate the company’s lunch. Realistically, there’s an excellent chance that this post will be the only time a mention of the once-mighty DVR graces the front page in 2020. While the reign of the TiVo might be at its end, the impact it had as one of the first Linux-powered consumer devices will be etched in hacker history forever.

The Cable Modem To SDR Transformation

What do you do with an old cable modem in a closet? If you are [stdw] you reverse engineer it and turn it into a software-defined radio. The modem in question was a Motorola MB7220. After looking at a similar project using a different modem, it seemed like it should be doable.

Cracking open the case revealed two likely UART ports, one of which was active. The output from that UART provided a lot of info. The chip was a Broadcom BCM3383 which is a MIPS processor. It had eCos as an operating system. However, the bootloader eventually disables the UART, so there wasn’t much more investigation possible via the serial terminal.

The next step was to dump the flash memory. That required a little solder surgery to prevent the board from starting while the flash chip had power. It appeared that some key credentials and configuration data were present, but they were really backups. After doing a factory reset to remove the backups, the right data was apparent.

After some lengthy exploration, the diagnostic that builds a spectrum display gave up its data. At first, the data was just a small sample of what was really required, but it did show a local FM station as a spectrum. Eventually, the data loss rate was down to about 12% when streaming, which is not great, but good enough. You can hear an audio clip of the reception. Not exactly crystal-clear quality, but not bad.

Of course, no one will use this for an FM radio. But it is a fascinating view into how far you can hack into a device like this if you have some skills and patience. There must be something about quarantine that is making people hack old gear, as we just recently saw a similar Netgear hack. Even cheap games aren’t safe.

Hacking A Netgear Router

Have you ever wanted to watch someone reverse engineer a piece of hardware and pick up some tips? You can’t be there while [Jeremy] tears open a Netgear N300 router, but you can see his process step by step in some presentation charts, and you’ll get a few ideas for the next time you want to do something like this.

The first part of the presentation might be a little basic for most Hackaday readers, but presumably, the intended audience might not know much about soldering or multimeters. But we enjoyed the methodology used to work out the UART pins on the board. We would have read the baud rate with the scope, which [Jeremy] does, but he also mentions a script to work it out and create a minicom profile that looked interesting.


Porting QMK To A Cheap Mechanical Keyboard

Over the last couple of years, we’ve seen an incredible number of DIY keyboard builds come our way. Some have had their switches nestled into laser-cut aluminum and others 3D printed plastic. They may be soldered together on a custom PCB, or meticulously hand-wired. But however they were built, they almost all shared one thing in common: they ran some variant of the open source QMK keyboard firmware.

But what if you just want to run an open firmware on the keyboard you picked up for $50 on Amazon? That’s exactly where [Stephen Peery] found himself nine months ago with this DK63 gaming keyboard. Since so many of these small RGB LED mechanical keyboards are very similar to existing open source designs, he wondered what it would take to blow out the original firmware and replace it with a build of QMK.

While [Stephen] doesn’t have everything working 100% yet, he’s nearly reached the end of his epic reverse engineering journey. The first step was tearing apart the keyboard and identifying all the components it used, then pulling the original firmware out of the updater. From there, between Ghidra and Serial Wire Debug, he was able to figure out most of what the stock firmware was doing so he could replicate it in QMK.

According to his README, the RGB LEDs and Bluetooth functionality don’t currently work, but other than that it seems QMK is up and running. If you’re OK with those concessions, he has information on the page about flashing his build of QMK to the stock DK63 with the ST-Link V2 so you can give it a shot. Though you do so at your own risk; we wouldn’t recommend doing this on your only keyboard.

We’ve seen commercially manufactured keyboards running QMK before, but it usually involves completely replacing the original controller with new electronics. That [Stephen] got this all working on stock hardware so other owners can follow in his footsteps is really a considerable accomplishment.

[Thanks to Baldpower for the tip.]

What’s Inside An FPGA? Ken Shirriff Has (Again) The Answer

FPGAs are somewhat the IPv6 of integrated circuits — they’ve been around longer than you might think, they let you do awesome things that people are intrigued by initially, but they’ve never really broken out of their niches until rather recently. There’s still a bit of a myth and mystery surrounding them, and as with any technology that has grown vastly in complexity over the years, it’s sometimes best to go back to its very beginning in order to understand it. Well, who’d be better at taking an extra close look at a chip than [Ken Shirriff], so in his latest endeavor, he reverse engineered the very first FPGA known to the world: the Xilinx XC2064.

If you ever wished for a breadboard-friendly FPGA, the XC2064 can scratch that itch, although with its modest 64 configurable logic blocks, there isn’t all that much else it can do — certainly not compared to even the smallest and cheapest of its modern successors. And that’s the beauty of this chip as a reverse engineering target: there’s nothing other than the core essence of an FPGA. After introducing the general concepts of FPGAs, [Ken] (who isn’t known to be too shy to decap a chip in order to look inside) continued in known manner with die pictures in order to map the internal components’ schematics to the actual silicon and to make sense of it all. His ultimate goal: to fully understand and dissect the XC2064’s bitstream.

Of course, reverse engineering FPGA bitstreams isn’t new, and with little doubt, building a toolchain based on its results helped to put Lattice on the map in the maker community (which they didn’t seem to value at first, but still soon enough). We probably won’t see the same happening for Xilinx, but who knows what [Ken]’s up to next, and what others will make of this.

A Deep Dive Into The Sterzo Steering Plate

Pedaling in place isn’t the most exciting pastime, so it’s no surprise that modern technology is being used to make the in-home biking experience a bit more interactive. With a stand on the rear wheel providing resistance, and a movable steering plate under the front to read the handlebar angle, you can now use your standard bike as the “controller” in a virtual environment provided by software such as Zwift.

Paving the way towards a DIY Sterzo clone

[Keith Wakeham] wanted to take a closer look at how Zwift communicated with his Sterzo steering device, and it turned into a pretty epic bout of exploration and reverse engineering. As the video after the break shows, he didn’t just go from sniffing the device’s proprietary Bluetooth Low Energy (BLE) communications protocol to figuring out how to emulate it in software so you could roll your own Zwift peripheral. He also tore the device apart, pulled the firmware from its microcontroller, and postulated how you could build your own low-cost clone device that would work with the existing software.

Even if you have absolutely zero interest in virtual biking, the video [Keith] has put together for this project is really a must watch. Have you ever wanted to sniff and reverse engineer BLE communications? Looking for a real-world example of pulling the firmware off of a consumer device? Maybe in the market for some tips on how to identify unknown ICs on a board? All of that, and quite a bit more, is covered in this nearly hour long hacking tour de force.

On the other hand, if you are interested in adding your own hardware to Zwift, then this look at getting an unsupported stationary bike working with it should be useful.


Hacking D-Link Firmware

When [0xRickSanchez] found some D-Link firmware he couldn’t unpack, he was curious to find out why. The firmware had a new encryption method which was doing its job of preventing tampering and static analysis. Of course, he had to figure out how to get around it and is documenting his work in a series of blog posts.

Looking at the entropy analysis showed the data to be totally random, a good sign it was either encrypted or compressed. The target router cost about $200, but a similar, cheaper router used the same encryption, so that model became the hardware of choice for testing.
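As an added illustration of the entropy check mentioned above (example code written for this page, not [0xRickSanchez]’s tooling), the snippet below computes Shannon entropy over three constructed samples and shows why a near-8.0 bits/byte reading alone cannot tell compression from encryption; the thresholds are assumptions, not hard rules.

```python
import math
import random
import zlib
from collections import Counter

# Constructed samples (not bytes from the D-Link firmware in the post): a firmware-like
# plaintext region, the same bytes deflated, and a seeded pseudo-random stream that
# stands in for a ciphertext. A real analysis runs this over the dumped image.
_rng = random.Random(2020)
PLAIN = "".join(_rng.choice("etaoinshrdlu ") for _ in range(32768)).encode()
COMPRESSED = zlib.compress(PLAIN, 9)
CIPHERTEXT_LIKE = bytes(_rng.getrandbits(8) for _ in range(32768))


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def entropy_profile(data: bytes, block: int = 4096) -> list:
    """Per-block entropy, the same view a tool such as binwalk -E plots for an image."""
    return [round(shannon_entropy(data[i:i + block]), 3) for i in range(0, len(data), block)]


def looks_compressed(data: bytes) -> bool:
    """High entropy alone cannot separate compression from encryption, but a zlib
    stream still carries a parsable header and checksum, whereas a ciphertext does not."""
    try:
        zlib.decompress(data)
        return True
    except zlib.error:
        return False


def triage(data: bytes) -> str:
    """Heuristic thresholds (an assumption of this example): a region close to 8.0
    bits/byte is opaque to static analysis until it is decompressed or decrypted."""
    if shannon_entropy(data) < 7.5:
        return "low-entropy (code/text/tables)"
    if looks_compressed(data):
        return "compressed"
    return "high-entropy (encrypted or unknown compression)"
```

The per-block profile is what locates the opaque region inside a larger image; the whole-file figure on its own only says that something in there needs unpacking.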
