Porting QMK To A Cheap Mechanical Keyboard

Over the last couple of years, we’ve seen an incredible number of DIY keyboard builds come our way. Some have had their switches nestled into laser-cut aluminum and others 3D printed plastic. They may be soldered together on a custom PCB, or meticulously hand-wired. But however they were built, they almost all shared one thing in common: they ran some variant of the open source QMK keyboard firmware.

But what if you just want to run an open firmware on the keyboard you picked up for $50 on Amazon? That’s exactly where [Stephen Peery] found himself nine months ago with this DK63 gaming keyboard. Since so many of these small RGB LED mechanical keyboards are very similar to existing open source designs, he wondered what it would take to blow out the original firmware and replace it with a build of QMK.

While [Stephen] doesn’t have everything working 100% yet, he’s nearly reached the end of his epic reverse engineering journey. The first step was tearing apart the keyboard and identifying all the components it used, then pulling the original firmware out of the updater. From there, between Ghidra and Serial Wire Debug, he was able to figure out most of what the stock firmware was doing so he could replicate it in QMK.

According to his README, the RGB LEDs and Bluetooth functionality don’t currently work, but other than that it seems QMK is up and running. If you’re OK with those concessions, he has information on the page about flashing his build of QMK to the stock DK63 with the ST-Link V2 so you can give it a shot. Though you do so at your own risk; we wouldn’t recommend doing this on your only keyboard.

We’ve seen commercially manufactured keyboards running QMK before, but it usually involves completely replacing the original controller with new electronics. That [Stephen] got this all working on stock hardware so other owners can follow in his footsteps is really a considerable accomplishment.

[Thanks to Baldpower for the tip.]

What’s Inside An FPGA? Ken Shirriff Has (Again) The Answer

FPGAs are somewhat the IPv6 of integrated circuits — they’ve been around longer than you might think, they let you do awesome things that people are intrigued by initially, but they never really broke out of their niches until rather recently. There’s still a bit of myth and mystery surrounding them, and as with any technology that has grown vastly in complexity over the years, it’s sometimes best to go back to its very beginning in order to understand it. Who’d be better at taking an extra close look at a chip than [Ken Shirriff]? In his latest endeavor, he reverse engineered the very first FPGA known to the world: the Xilinx XC2064.

If you ever wished for a breadboard-friendly FPGA, the XC2064 can scratch that itch, although with its modest 64 configurable logic blocks, there isn’t all that much else it can do — certainly not compared to even the smallest and cheapest of its modern successors. And that’s the beauty of this chip as a reverse engineering target: there’s nothing but the core essence of an FPGA. After introducing the general concepts of FPGAs, [Ken] (who isn’t known to be too shy to decap a chip in order to look inside) continued in his usual manner with die pictures in order to map the internal components’ schematics to the actual silicon and to make sense of it all. His ultimate goal: to fully understand and dissect the XC2064’s bitstream.

Of course, reverse engineering FPGA bitstreams isn’t new, and with little doubt, building a toolchain based on its results helped to put Lattice on the map in the maker community (which they didn’t seem to value at first, but came around to soon enough). We probably won’t see the same happening for Xilinx, but who knows what [Ken]’s up to next, and what others will make of this.

A Deep Dive Into The Sterzo Steering Plate

Pedaling in place isn’t the most exciting pastime, so it’s no surprise that modern technology is being used to make the in-home biking experience a bit more interactive. With a stand on the rear wheel providing resistance, and a movable steering plate under the front to read the handlebar angle, you can now use your standard bike as the “controller” in a virtual environment provided by software such as Zwift.

Paving the way towards a DIY Sterzo clone

[Keith Wakeham] wanted to take a closer look at how Zwift communicated with his Sterzo steering device, and it turned into a pretty epic bout of exploration and reverse engineering. As the video after the break shows, he didn’t just go from sniffing the device’s proprietary Bluetooth Low Energy (BLE) communications protocol to figuring out how to emulate it in software so you could roll your own Zwift peripheral. He also tore the device apart, pulled the firmware from its microcontroller, and postulated how you could build your own low-cost clone device that would work with the existing software.

Even if you have absolutely zero interest in virtual biking, the video [Keith] has put together for this project is really a must watch. Have you ever wanted to sniff and reverse engineer BLE communications? Looking for a real-world example of pulling the firmware off of a consumer device? Maybe in the market for some tips on how to identify unknown ICs on a board? All of that, and quite a bit more, is covered in this nearly hour long hacking tour de force.

On the other hand, if you are interested in adding your own hardware to Zwift, then this look at getting an unsupported stationary bike working with it should be useful.


Hacking D-Link Firmware

When [0xRickSanchez] found some D-Link firmware he couldn’t unpack, he was curious to find out why. The firmware had a new encryption method which was doing its job of preventing tampering and static analysis. Of course, he had to figure out how to get around it and is documenting his work in a series of blog posts.

Looking at the entropy analysis showed the data to be totally random, a good sign it was either encrypted or compressed. The target router cost about $200, but a similar, cheaper router used the same encryption, so that model became the hardware of choice for testing.
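The entropy check mentioned above, as an added example rather than anything from [0xRickSanchez]’s posts: it computes Shannon entropy per fixed-size window over a firmware image and merges the windows that sit near the 8 bits/byte ceiling into spans, which is the quick way to see whether there is anything a string search or signature scanner could still find. The image here is constructed (a small plaintext header and string table followed by pseudo-random filler standing in for the encrypted payload); the window size and threshold are assumptions, and a real image would be read from a file instead.

```python
import hashlib
import math
from collections import Counter

WINDOW = 4096            # bytes per sample window (assumption; 1-4 KiB is typical)
RANDOM_THRESHOLD = 7.9   # bits/byte; the ceiling for a uniform byte stream is 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def entropy_profile(image: bytes, window: int = WINDOW) -> list[tuple[int, float]]:
    """Entropy of each window as (offset, bits_per_byte), in file order."""
    return [(off, shannon_entropy(image[off:off + window]))
            for off in range(0, len(image), window)]


def random_looking_spans(image: bytes, window: int = WINDOW,
                         threshold: float = RANDOM_THRESHOLD) -> list[tuple[int, int]]:
    """Merge adjacent windows above the threshold into (start, end) byte spans.

    Entropy alone cannot tell encryption from compression; a span here only says
    that string- or signature-based tools will find nothing meaningful inside it.
    """
    spans: list[tuple[int, int]] = []
    for off, bits in entropy_profile(image, window):
        if bits < threshold:
            continue
        end = min(off + window, len(image))
        if spans and spans[-1][1] == off:
            spans[-1] = (spans[-1][0], end)   # extend the previous span
        else:
            spans.append((off, end))
    return spans


def random_fraction(image: bytes, window: int = WINDOW,
                    threshold: float = RANDOM_THRESHOLD) -> float:
    """Share of the image that looks encrypted or compressed (0.0 .. 1.0)."""
    if not image:
        return 0.0
    covered = sum(end - start for start, end in random_looking_spans(image, window, threshold))
    return covered / len(image)


# --- constructed sample image; not a real firmware --------------------------
def _pseudo_random(nbytes: int) -> bytes:
    """Deterministic high-entropy filler: concatenated SHA-256 digests of a counter.
    Stands in for an encrypted (or compressed) payload without needing os.urandom."""
    out = bytearray()
    i = 0
    while len(out) < nbytes:
        out += hashlib.sha256(i.to_bytes(4, "little")).digest()
        i += 1
    return bytes(out[:nbytes])


HEADER = b"EXAMPLE-FW v1.0.3 (constructed sample header)\0".ljust(64, b"\0")
STRING_TABLE = b"Copyright (c) Example Vendor. Build 2020-01-01.\n" * 200
RANDOM_REGION = _pseudo_random(4 * WINDOW)
# two windows of plaintext-like data, then four windows of random-looking data
SAMPLE_IMAGE = HEADER + STRING_TABLE[:2 * WINDOW - len(HEADER)] + RANDOM_REGION


if __name__ == "__main__":
    for off, bits in entropy_profile(SAMPLE_IMAGE):
        print(f"{off:#08x}  {bits:5.2f} bits/byte")
    print("random-looking spans:", [(f"{s:#x}", f"{e:#x}") for s, e in random_looking_spans(SAMPLE_IMAGE)])
    print(f"random-looking fraction: {random_fraction(SAMPLE_IMAGE):.2f}")
```

On a real image, a span that starts right after a short low-entropy header is the usual shape of an encrypted update container; the header is then where to look for a magic value, length fields and any key or IV material before touching the payload.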


Breaking Smartphone NFC Firmware: The Gory Details

Near-field Communication (NFC) has been around a while and is used for example in access control, small data exchange, and of course in mobile payment systems. With such sensitive application areas, security is naturally a crucial element of the protocol, and therefore any lower-level access is usually heavily restricted and guarded.

This hardware is especially well-guarded in phones, and rooting your Android device won’t be of much help here. Well, that was of course only until [Christopher Wade] took a deep look into the subject, which he presented in his NFC firmware hacking talk at this year’s DEF CON.

But before you cry out “duplicate!” in the comments now, [Jonathan Bennett] has indeed mentioned the talk in a recent This Week In Security article, but [Christopher] has since written up the content of his talk in a blog post that we thought deserves some additional attention.

To recap: [Christopher] took a rooted Samsung S6 and searched for vulnerabilities in the NFC chip’s safe firmware update process, in hopes of running a custom firmware image on it. Obviously, this wouldn’t be worth mentioning twice if he hadn’t succeeded, and he goes to serious length describing how he got there. Picking a brain like his by reading up on the process he went through — from reverse engineering the firmware to actually exploiting a weakness that let him run his own code — is always fascinating and downright fun. And if you’re someone who prefers the code to do the talking, the exploits are on GitHub.

Naturally, [Christopher] disclosed his findings to Samsung, but the exploited vulnerability — and therefore the ability to reproduce this — has of course been out there for a long time already. Sure, you can use a Proxmark device to attack NFC, or the hardware we saw a few DEF CONs back, but a regular-looking phone will certainly raise a lot less suspicion at the checkout counter, and might open whole new possibilities for penetration testers. But then again, sometimes a regular app will be enough, as we’ve seen in this NFC vending machine hack.


Exotic Device Gets Linux Support Via Wireshark And Rust

What can you do if you have a nice piece of hardware that kinda works out of the box, but doesn’t have support for your operating system to get the full functionality out of it? [Harry Gill] found himself in such a situation with a new all-in-one (AIO) water cooling system. It didn’t technically require any operating system interaction to perform its main task, but things like settings adjustments or reading back statistics were only possible with Windows. He thought it would be nice to have those features in Linux as well, and as the communication is done via USB, figured the obvious solution was to reverse engineer the protocol and simply replicate it.

His first step was to set up a dual boot system (his attempts at running the software in a VM didn’t go very well) which allowed him to capture the USB traffic with Wireshark and USBPcap. Then it would simply be a matter of analyzing the captures and writing some Linux software to make sense of the data. The go-to library for USB tasks would be libusb, which has bindings for plenty of languages, but as an avid Rust user, that choice was never really an issue anyway.

How to actually make use of the captured data was an entirely different story though, and without documentation or much help from the vendor, [Harry] resorted to good old trial and error to find out which byte does what. Eventually he succeeded and was able to get the additional features he wanted supported in Linux — check out the final code in the GitHub repository if you’re curious what this looks like in Rust.

Capturing the USB communication with Wireshark seems generally a great way to port unsupported features to Linux, as we’ve seen earlier with an RGB keyboard and the VGA frame grabber that inspired it. If you want to dig deeper into the subject, [Harry] listed a few resources regarding USB in general, but there’s plenty more to explore with reverse engineering USB.

Unbricking A $2,000 Exercise Bike With A Raspberry Pi Zero And Bluetooth Hacks

Really, how did we get to the point in this world where an exercise bike can be bricked? Such was the pickle that [ptx2] was in when their $2,000 bike by Flywheel Home Sports was left without the essential feature of participating in virtual rides after Peloton bought the company. The solution? Reverse engineer the bike to get it working with another online cycling simulator.

Sniffing Flywheel Bluetooth packets with Bluetility

We have to admit we weren’t aware of the array of choices that the virtual biking market offers. [ptx2] went with Zwift, which like most of these platforms, lets you pilot a smart bike through virtual landscapes along with the avatars of hundreds of other virtual riders. A little Bluetooth snooping with Bluetility let [ptx2] identify the bytes in the Flywheel bike’s packets encoding both the rider’s cadence and the power exerted, which Zwift would need, along with the current resistance setting of the magnetic brake.

Integration into Zwift was a matter of emulating one of the smart bikes already supported by the program. This required some hacking on the Cycling Power Service, a Bluetooth service that Zwift uses to talk to the bike. The final configuration has a Raspberry Pi Zero W between the Flywheel bike and the Zwift app, and has logged about 2,000 miles of daily use. It still needs a motor to control the resistance along the virtual hills and valleys, but that’s a job for another day.
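The Cycling Power Service side of the bridge described above, as an added example that is not [ptx2]’s code: it encodes and decodes the Cycling Power Measurement characteristic (UUID 0x2A63; per the Bluetooth SIG layout, a 16-bit flags field, a signed 16-bit instantaneous power in watts, then optional fields selected by the flags, all little-endian) and derives cadence from two successive crank-revolution fields, which are cumulative 16-bit counters and so wrap around. Pushing the resulting bytes out over a BLE stack on the Pi and decoding the Flywheel packets that feed it are outside the example; the measurements in `demo()` are constructed values.

```python
import struct
from typing import Optional

CPM_CHARACTERISTIC_UUID = 0x2A63             # Cycling Power Measurement
FLAG_PEDAL_BALANCE_PRESENT = 1 << 0          # uint8 follows power
FLAG_ACCUMULATED_TORQUE_PRESENT = 1 << 2     # uint16
FLAG_WHEEL_REV_DATA_PRESENT = 1 << 4         # uint32 revs + uint16 event time
FLAG_CRANK_REV_DATA_PRESENT = 1 << 5         # uint16 revs + uint16 event time
CRANK_TICKS_PER_SECOND = 1024                # last crank event time unit: 1/1024 s


def encode_cpm(power_w: int, crank_revs: int, crank_event_ticks: int) -> bytes:
    """Build the notification an emulated bike sends: power plus crank revolution data.
    Both crank fields are masked to 16 bits, which is how a real device wraps them."""
    flags = FLAG_CRANK_REV_DATA_PRESENT
    return struct.pack("<HhHH", flags, power_w,
                       crank_revs & 0xFFFF, crank_event_ticks & 0xFFFF)


def decode_cpm(payload: bytes) -> dict:
    """Parse a notification, skipping any optional fields that precede the crank data."""
    flags, power_w = struct.unpack_from("<Hh", payload, 0)
    offset = 4
    result = {"flags": flags, "power_w": power_w}
    if flags & FLAG_PEDAL_BALANCE_PRESENT:
        offset += 1
    if flags & FLAG_ACCUMULATED_TORQUE_PRESENT:
        offset += 2
    if flags & FLAG_WHEEL_REV_DATA_PRESENT:
        offset += 6
    if flags & FLAG_CRANK_REV_DATA_PRESENT:
        revs, ticks = struct.unpack_from("<HH", payload, offset)
        result["crank_revs"] = revs
        result["crank_event_ticks"] = ticks
    return result


def cadence_rpm(prev: dict, cur: dict) -> Optional[float]:
    """Cadence from two successive measurements; differences are taken modulo 2**16
    so a counter that wrapped between notifications still gives the right answer."""
    if "crank_revs" not in prev or "crank_revs" not in cur:
        return None
    d_revs = (cur["crank_revs"] - prev["crank_revs"]) & 0xFFFF
    d_ticks = (cur["crank_event_ticks"] - prev["crank_event_ticks"]) & 0xFFFF
    if d_ticks == 0:
        return None                          # no new crank event since the last notification
    return d_revs * 60.0 * CRANK_TICKS_PER_SECOND / d_ticks


def demo() -> tuple:
    """Constructed exchange: a steady 90 rpm rider, then both crank counters wrapping."""
    n1 = encode_cpm(180, crank_revs=100, crank_event_ticks=10240)
    n2 = encode_cpm(185, crank_revs=103, crank_event_ticks=10240 + 2048)  # 3 revs in 2 s
    steady = cadence_rpm(decode_cpm(n1), decode_cpm(n2))                  # 90 rpm

    n3 = encode_cpm(180, crank_revs=65535, crank_event_ticks=65000)
    n4 = encode_cpm(180, crank_revs=65537, crank_event_ticks=65000 + 2048)  # 2 revs, both fields wrap
    wrapped = cadence_rpm(decode_cpm(n3), decode_cpm(n4))                   # 60 rpm
    return steady, wrapped


if __name__ == "__main__":
    print("notification bytes:", encode_cpm(180, 100, 10240).hex())
    print("steady / wrapped cadence:", demo())
```

The decoder tolerates fields the emulator never sends (pedal balance, torque, wheel data) because an app like Zwift also talks to real power meters that do send them; a bridge that only ever parses its own output tends to break the first time a different device shows up on the same characteristic.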

Hats off to [ptx2] for salvaging a $2,000 bike for the price of a Pi and some quality hacking time, and for sticking it to The Man a bit. We have to say that most bike hacks we see around here have to do with making less work for the rider, not more. This project was a refreshing change.

[Featured images: Zwift, Flywheel Sports]

[via r/gadgets]