Reverse Engineering An RGB Keyboard Under Linux

Hardware support under Linux is far better than it ever has been in the past. These days, most things “just work” out of the box, and you probably won’t have to compile any custom kernel modules. Certainly a far cry from where things were a decade ago. But that doesn’t mean everything will work to 100% of its abilities. Take for example the Ducky keyboard that [Cynthia Revström] has. Sure, it works as a basic keyboard under any OS, but getting those fancy RGB LEDs working is another story entirely.

Don’t get the wrong idea here, [Cynthia] isn’t just trying to get the keyboard to flash along to music; the goal was to use the RGB lighting of the Ducky keyboard for notifications that the user can’t possibly ignore. Even the most laser-focused among us would have a hard time not noticing that the entire keyboard is blinking red. But the “DuckyRGB” software that you need to do something like that is Windows-only and apparently distributed via a sketchy Google Drive link. Yikes.

The first step to creating an alternative was to spin up a Windows VM and install DuckyRGB. With the keyboard passed through to the VM, Wireshark on the host could capture the USB traffic between the virtual machine and the Ducky keyboard to see what the software was sending over the wire. After spotting a version number being sent in the clear, [Cynthia] was able to isolate the LED commands by searching the captured packets for the hex color codes being set. From there, it was a relatively simple matter of writing some glue code to connect it up to an alert service and get notifications going.

There was only one problem; the keyboard didn’t work anymore. Turns out the tool that [Cynthia] wrote to control the keyboard’s LEDs was claiming the USB device for itself, so the kernel’s HID driver no longer saw it and normal keyboard input stopped. It took a detour through HIDAPI, which talks to the device by way of the kernel’s hidraw interface and leaves the HID driver attached, to get everyone playing together nicely. Now changing the color of your Ducky keyboard on Linux doesn’t turn it into a paperweight.
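The capture-analysis step described above, as an added example that is not [Cynthia]’s tool and not real Ducky traffic: two constructed 16-byte HID output reports, captured (hypothetically) while the Windows software set the keyboard to red and then green, are searched for the known color triplet and diffed against each other to find the byte offset of the color field, after which a new report can be built by patching that field. The report layout, header bytes and offsets are all assumptions for the sake of the example.

```python
"""Locating colour bytes in captured USB HID reports.

Added example, not [Cynthia]'s tool. The reports below are constructed to
look like 16-byte HID output reports; real Ducky traffic differs.
"""

# Constructed captures: the same command sent with two colours, red (#ff0000)
# and green (#00ff00). Assumed layout: a few header bytes, then an RGB triplet.
RED_REPORT = bytes.fromhex("56 81 00 00 01 00 00 00 ff 00 00 00 00 00 00 00")
GREEN_REPORT = bytes.fromhex("56 81 00 00 01 00 00 00 00 ff 00 00 00 00 00 00")


def find_color(report: bytes, hex_color: str) -> list[int]:
    """Every offset at which the RGB triplet hex_color (e.g. '#ff0000') occurs."""
    needle = bytes.fromhex(hex_color.lstrip("#"))
    return [i for i in range(len(report) - len(needle) + 1)
            if report[i:i + len(needle)] == needle]


def diff_offsets(a: bytes, b: bytes) -> list[int]:
    """Byte positions where two same-length captures differ.

    Searching for a colour works when the triplet is distinctive; diffing two
    captures that differ only in colour also works for colours like black
    (#000000) whose bytes appear all over the report.
    """
    if len(a) != len(b):
        raise ValueError("captures must be the same length")
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def set_color(template: bytes, offset: int, hex_color: str) -> bytes:
    """Return a copy of template with the RGB triplet at offset replaced."""
    rgb = bytes.fromhex(hex_color.lstrip("#"))
    if len(rgb) != 3:
        raise ValueError("expected a 6-digit hex colour")
    if offset < 0 or offset + 3 > len(template):
        raise ValueError("offset out of range")
    return template[:offset] + rgb + template[offset + 3:]


def locate_color_field(red: bytes, green: bytes) -> int:
    """Combine both methods: the colour field starts where the red triplet sits
    in the red capture and where the two captures diverge."""
    candidates = find_color(red, "#ff0000")
    divergent = diff_offsets(red, green)
    for off in candidates:
        if divergent and divergent[0] >= off and divergent[-1] < off + 3:
            return off
    raise LookupError("colour field not found")


if __name__ == "__main__":
    off = locate_color_field(RED_REPORT, GREEN_REPORT)
    print(f"colour field at offset {off}")
    print(set_color(RED_REPORT, off, "#0000ff").hex(" "))
```

Two caveats when replaying the patched report for real: with HIDAPI the first byte passed to write() is the report ID (0 for devices that use none), so check whether the capture shows the ID as part of the payload or separately; and because HIDAPI goes through hidraw rather than claiming the USB interface, the kernel’s HID driver stays attached and the keyboard keeps typing while you blink it.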

Even if you don’t have a Ducky keyboard, or aren’t particularly interested in having its LEDs blinked at you if you do, this project is a phenomenal example of practical USB reverse engineering. [Cynthia] says the inspiration for this project came from friend [Ben Cox], whose write-up on creating USB userspace drivers we covered last year. If you’ve got an old USB gadget with Windows-only drivers, maybe it’s time you take a crack at unlocking it.

Bike Lock Secures Car

[Buttim] loses his car a lot, which might sound a little bit like the plot from an early-00s movie, but he assures us that it’s a common enough thing. In a big city, and after several days of not driving one’s car, it can be possible to at least forget where you parked. There are a lot of ways of solving this problem, but the solution almost fell right into his lap: repurposing a lock from a bike share bicycle. (The build is in three parts: Part 2 and Part 3.)

These locks are loaded with features, like GPS, a cellular modem, accelerometers, and in this case, an ARM processor. It took a huge amount of work for [Buttim] to get anything to work on the device. He used a vulnerability to dump the firmware and load his own code, spent an enormous amount of time tracing where all the circuit traces went through layers of conformal coating intended to harden the lock against humidity, and built his own Python-based programmer for it. At the end of all that, he has basically free rein over the device.

To that end, once he figured out how it all worked, he put it to use in his car. The device functions as a GPS tracker and reports its location over the cellular network so it can’t become lost again. As a bonus, he was able to use the accelerometers to alert him if his car was moving without him knowing, so it turned into a theft deterrent as well. Besides that, though, his ability to get into the device’s firmware reminded us of a recent attempt to get access to an ARM platform.

A Hacker’s Guide To JTAG

If you’re reading Hackaday, you’ve almost certainly heard of JTAG. There’s an excellent chance you’ve even used it once or twice to reflash an unruly piece of hardware. But how well do you actually know JTAG? More specifically, do you know how useful it can be when reverse engineering hardware?

Whether you’re a JTAG veteran or a novice, this phenomenal guide written by [wrongbaud] is sure to teach you a thing or two. Starting with a low-level explanation of how the interface actually works, the guide takes you through discovering JTAG ports on unknown targets, the current state-of-the-art in open source tools to interact with the device, and finally shows a real-world example of pulling and analyzing a gadget’s firmware.

There’s no way to do his write-up justice with a breakdown or a summary, so we won’t even try. Just get comfortable, maybe grab a drink, and dive in. It’s certainly not a short read, but there isn’t a wasted word on the page. Every piece of the puzzle, from how to figure out an unlabeled pinout to determining the instruction length, is explained in exactly the amount of detail you’re looking for. This is a guide for hackers written by a hacker, and it shows.
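Two of the puzzle pieces mentioned above, counting the devices on a chain and determining the total instruction register length, come down to the same trick: fill the scan chain with ones, then shift in zeros and count how many clocks pass before the first zero comes out on TDO. Reading IDCODEs after a TAP reset is the other standard first step. The following is an added example that simulates a scan chain in software so the bit-level logic can be run without hardware; it is not code from [wrongbaud]’s guide. The TAP is assumed to already be in Shift-IR or Shift-DR, clock() models one TCK pulse in that state, and the IDCODE values are made up.

```python
"""Probing a JTAG scan chain: device count, total IR length, IDCODEs.

Added example with a simulated chain, not code from [wrongbaud]'s guide.
clock(tdi) models one TCK pulse while the TAP sits in Shift-IR or Shift-DR;
replace it with a function that drives a real adapter to use this for real.
"""


class SimulatedChain:
    """The selected registers of every device, concatenated TDI -> TDO."""

    def __init__(self, bits):
        self.bits = list(bits)  # index 0 nearest TDI, index -1 nearest TDO

    @classmethod
    def from_lengths(cls, lengths):
        """A chain whose selected registers have the given lengths."""
        return cls([1] * sum(lengths))  # initial contents do not matter here

    @classmethod
    def with_idcodes(cls, idcodes):
        """DR chain right after TAP reset: each 32-bit IDCODE, MSB nearest TDI.
        idcodes are listed TDI-side device first; values are constructed."""
        bits = []
        for code in idcodes:
            bits += [(code >> (31 - i)) & 1 for i in range(32)]
        return cls(bits)

    def clock(self, tdi):
        """One TCK: tdi enters at TDI, the bit nearest TDO falls out."""
        tdo = self.bits[-1]
        self.bits = [tdi] + self.bits[:-1]
        return tdo


def measure_shift_length(clock, max_bits=1024):
    """Fill the chain with ones, then count clocks until a zero reaches TDO.

    In Shift-IR the result is the sum of all devices' IR lengths; in Shift-DR
    with every device in BYPASS it is the number of devices (one bit each).
    Returns None if no zero ever appears (open chain or TDO stuck high).
    """
    for _ in range(max_bits):
        clock(1)
    for n in range(max_bits):
        if clock(0) == 0:
            return n
    return None


def read_idcodes(clock, device_count):
    """Shift-DR straight after reset: IDCODEs emerge LSB first, the device
    nearest TDO first."""
    codes = []
    for _ in range(device_count):
        value = 0
        for bit in range(32):
            value |= clock(0) << bit
        codes.append(value)
    return codes


def looks_like_idcode(code):
    """IEEE 1149.1 IDCODEs always have bit 0 set; a device with no IDCODE
    register comes up in BYPASS and shifts out a 0 first instead."""
    return code & 1 == 1


if __name__ == "__main__":
    ir_chain = SimulatedChain.from_lengths([4, 5])        # two devices, IR 4 and 5
    print("total IR length:", measure_shift_length(ir_chain.clock))
    dr_chain = SimulatedChain.with_idcodes([0x12345677, 0x0ABCDEF1])
    for code in read_idcodes(dr_chain.clock, 2):
        print(f"IDCODE {code:08x} plausible={looks_like_idcode(code)}")
```

The total IR length alone does not tell you how the bits are split between devices; the guide’s approach of reading IDCODEs and looking up each part’s documented IR length is how that split is recovered.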

It will probably come as no surprise to find this isn’t the first time [wrongbaud] has done a deep dive like this. Over the last few months we’ve been covering his series of practical reverse engineering guides, and each one has been an invaluable resource. Perfect study guides for when a global pandemic has you stuck in the house.

Linux Fu: Tracing System Calls

One of the nice things about Linux and similar operating systems is that you can investigate something to any level you wish. If a program has a problem you can decompile it, debug it, trace it, and — if necessary — even dig into the source code for the kernel and most of the libraries the program is probably using. However, the tools to do this aren’t ones you use every day. One very interesting tool is strace. Using it you can see what system calls any program makes and that can sometimes give you important clues about how the program works or, probably more often, why it doesn’t work.

Let’s consider the least complex use of the command. Suppose you want to make a symlink from testxmit.grc into the /tmp directory. That command is simple:

ln -sf testxmit.grc /tmp

But if you tell strace to run it, the command becomes:

strace ln -sf testxmit.grc /tmp

You might want to redirect the output to a file, though. strace writes its trace to stderr, so you either redirect that with the shell (2> trace.log) or use the -o option, which also keeps the trace separate from whatever the traced program itself prints on stderr. Some commands generate a lot, and often the first page or two of output (the dynamic loader opening libraries) isn’t really what you care about anyway.
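Once the trace is in a file, the useful part is usually a handful of lines buried in the loader noise: the calls that returned -1 and the paths the program touched. The following is an added example, not from the article, that parses strace’s one-call-per-line format and pulls those out. SAMPLE is constructed to look like the output of strace -o ln.log ln -sf testxmit.grc /tmp; the exact sequence a real ln makes depends on the coreutils version.

```python
"""Summarising strace output: which calls failed, which files were opened.

Added example, not from the article. SAMPLE is constructed to resemble
`strace -o ln.log ln -sf testxmit.grc /tmp`; a real ln may differ.
"""
import re
from collections import Counter

SAMPLE = """\
execve("/usr/bin/ln", ["ln", "-sf", "testxmit.grc", "/tmp"], 0x7ffd2b3c1e40 /* 23 vars */) = 0
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
stat("/tmp", {st_mode=S_IFDIR|S_ISVTX|0777, st_size=4096, ...}) = 0
symlinkat("testxmit.grc", AT_FDCWD, "/tmp/testxmit.grc") = -1 EEXIST (File exists)
unlinkat(AT_FDCWD, "/tmp/testxmit.grc", 0) = 0
symlinkat("testxmit.grc", AT_FDCWD, "/tmp/testxmit.grc") = 0
exit_group(0) = ?
"""

# Shape of one strace line:  name(args) = retval [ERRNO (message)]
LINE_RE = re.compile(
    r'^(?P<name>[a-z_0-9]+)\((?P<args>.*)\)\s+=\s+(?P<ret>-?\d+|\?)'
    r'(?:\s+(?P<errno>E[A-Z0-9]+)\s+\((?P<msg>[^)]*)\))?\s*$'
)
# A C string literal as strace prints it (handles escaped quotes inside).
QUOTED_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')


def parse_line(line):
    """Dict for one syscall line, or None for lines that are not calls
    (signal deliveries, '+++ exited with 0 +++', unfinished/resumed halves)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ret = m.group("ret")
    return {
        "name": m.group("name"),
        "args": m.group("args"),
        "ret": None if ret == "?" else int(ret),   # '?' means the call never returned
        "errno": m.group("errno"),
        "strings": QUOTED_RE.findall(m.group("args")),
    }


def parse(text):
    return [c for c in (parse_line(row) for row in text.splitlines()) if c]


def call_counts(text):
    """How many times each syscall was made."""
    return Counter(c["name"] for c in parse(text))


def failed_calls(text):
    """(syscall, errno) for every call that returned -1: the usual first
    clue when a program 'just doesn't work'."""
    return [(c["name"], c["errno"]) for c in parse(text) if c["ret"] == -1]


def opened_paths(text):
    """Paths handed to open/openat, in order (the first quoted argument)."""
    return [c["strings"][0] for c in parse(text)
            if c["name"] in ("open", "openat") and c["strings"]]


if __name__ == "__main__":
    print(call_counts(SAMPLE))
    print(failed_calls(SAMPLE))
    print(opened_paths(SAMPLE))
```

Here the one failure, symlinkat returning EEXIST, is harmless because ln -f goes on to unlink and retry, but in a program that silently misbehaves the same listing points straight at the missing file or permission. For programs that fork, add -f so children are traced too, and -e trace=file narrows the output to the path-related calls.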

Subwoofer Gets Arduino Brain Transplant

The Samsung PS-WTX500 subwoofer is designed to be used as part of a 5.1 channel home theater system, but not just any system. It contains the amplifiers for all the channels, but they’ll only function when the subwoofer is connected to the matching receiver. [Alejandro Zarate] figured there must be some way to unlock the system’s full functionality without being limited to the original receiver, he just needed to reverse engineer how the subwoofer worked.

All the wires tuck underneath the Arduino

The result is a fantastically well documented write-up that covers the whole process, starting with how [Alejandro] identified and researched the Pulsus PS9829B Digital Audio Processor (DAP). Documentation for this particular chip seems hard to come by, but he was able to find a similar chip from the same manufacturer that was close enough to put him on the right track. From there, he started studying the SPI communications between the DAP and the subwoofer’s S3P70F4 microcontroller.

After analyzing the communication between the two chips, [Alejandro] pulled the S3P70F4 off the board and wired an Arduino Pro Mini 328 in its place. The Arduino was quite a bit larger than the original microcontroller, but with some careful wiring, he managed a very professional looking installation. Short of coming up with a custom PCB adapter, we don’t think it could look much better.

With some relatively straightforward code and a listing of the captured byte sequences, the Arduino was able to power up the PS-WTX500’s amplifiers and handle the incoming audio signal as a stand-alone device.

In the past we’ve seen a similar trick done with the ESP8266, which had the added benefit of enabling WiFi control of the speakers. We’re all for adding modern functionality to older hardware, even if you’ve got to hang it off the back as an external module.


A NES Motherboard For The Open Source Generation

As the original hardware from the golden era of 8-bit computer gaming becomes a bit long in the tooth, keeping it alive has become something of a concern for enthusiasts. There have been a succession of remanufactured parts for many of the major platforms of the day, and now thanks to [Redherring32] it’s the turn of the NES console.

The OpenTendo is a completely open-source replacement for an original front-loading Nintendo Entertainment System motherboard, using either original or after-market Nintendo CPU and PPU chips along with other still readily available components. It doesn’t incorporate Nintendo’s CIC lockout chip — Drew Littrell wrote a great article on how that security feature worked — but if you really need the authenticity there is also the NullCIC project that can simulate that component.

It’s an interesting exercise in reverse engineering as well as a chance to look at the NES at the chip level. Also for Nintendo-heads, it provides all the component footprints and schematic items in KiCad format. Will many be built? Given that the NES was the best-selling console of its time there should be no shortage of originals to be found, but that in no way invalidates the effort put into this project. There will be NES consoles somewhere running for decades to come because of work such as this; just remember that you don’t need to blow in the slot to make it work!

Teardown: Cobra XRS 9740 Radar Detector

Drivers with a lead foot more often than not have Waze open on their phone so they can see if other drivers have spotted cops up ahead. But avoiding a speeding ticket used to involve a lot more hardware than software. Back before the smartphone revolution, that same driver would have had a radar detector on their dashboard. That’s not to say the gadgets are completely unused today, but between their relatively high cost (one of the top rated models on Amazon as of this writing costs over $300) and the inevitable false positives from so many vehicles on the road having their own radar and LIDAR systems, they’ve certainly become a less common sight over the years.

The subject of today’s teardown is a perfect example of “Peak Radar Detector”. Manufactured back in 2007, the Cobra XRS 9740 would have been a fairly mid-range entry offering the sort of features that would have been desirable at the time. Over a decade ago, having an alphanumeric display, voice alerts, and a digital compass were all things worth shouting about on the box the thing was sold in. Though looking like some kind of Cardassian warship was apparently just an added bonus.

As the name implies these devices are primarily for detecting radar activity, but by this point they’d also been expanded to pick up infrared lasers and the strobe beacons on emergency vehicles. But false positives were always a problem, so the device allows the user to select which signals it should be on the lookout for. If you were getting some kind of interference that convinced the detector it was being bombarded with IR lasers, you could just turn that function off without having to pull the plug entirely.

But it’s important to remember that this device was built back when people were still unironically carrying around flip phones. Detecting laser and multi-band radars might sound like something pulled from the spec sheet of a stealth fighter jet, but this is still a piece of consumer electronics from more than a decade in the past. So let’s crack it open and take a look at what goes on inside a radar detector that’s only a few years away from being old enough to get its own driver’s license.
