Xbox Controller Provides Intro To SWD Hacking

It’s amazing to see how much technology is packed into even the “simple” devices that we take for granted in modern life. Case in point, the third party Xbox controller that [wrongbaud] recently decided to tear into. Not knowing what to expect when he cracked open its crimson red case, inside he found an ARM Cortex microcontroller and a perfect excuse to play around with Serial Wire Debug (SWD).

Though even figuring out that much took a bit of work. As is depressingly common, all the interesting components on the controller’s PCB were locked away behind a black epoxy blob. He had no idea what chip was powering the controller, much less what debugging protocols it might support. But after poking around the board with his multimeter, he eventually found a few test points sitting at 3.3 V which he thought were likely some kind of programming header. After observing that pulling the line labelled “RES” low reset the controller, he was fairly sure he’d stumbled upon a functional JTAG or SWD connection.

The Serial Wire Debug architecture.

As [wrongbaud] explains in his detailed blog post, SWD is something of a JTAG successor that’s commonly used by ARM hardware. Using just two wires (data and clock), SWD provides hardware debugging capabilities on pin constrained platforms. It allows you to step through instructions, read and write to memory, even dump the firmware and flash something new.

For the rest of the post, [wrongbaud] walks the reader through working with an SWD target. From compiling the latest version of OpenOCD and wiring an FTDI adapter to the port, all the way to navigating through the firmware and unlocking the chip so you can upload your own code.

To prove he’s completely conquered the microcontroller, he ends the post by modifying the USB descriptor strings in the firmware to change what it says when the controller is plugged into the computer. From here, it won’t take much more to get some controller macros like rapid fire implemented; a topic we imagine he’ll be covering in the future.

This post follows something of a familiar formula for [wrongbaud]. As part of his continuing adventures in hardware hacking, he finds relatively cheap consumer devices and demonstrates how they can be used as practical testbeds for reverse engineering. You might not be interested in changing the ROM that a Mortal Kombat miniature arcade cabinet plays, but learning about the tools and techniques used to do it is going to be valuable for anyone who wants to bend silicon to their will.

The Multiyear Hunt For A Gameboy Game’s Bug

[Enddrift] had a real problem trying to run a classic game, Hello Kitty Collection: Miracle Fashion Maker, in a GBA (Gameboy Advance) emulator. During startup, the game would hit an endless loop waiting for a read from a non-existent memory location and thus wouldn’t start under the emulator. The problem is, the game works on real hardware even though that memory doesn’t exist there, either.

To further complicate things, a similar bug exists when loading a saved game under Sonic Pinball Party. Then a hack for Pokemon Emerald surfaced that helped break the case. The story is pretty interesting.


New Part Day: LED Driver Is FPGA Dev Board In Disguise

Our new part of the day is the ColorLight 5A-75B, a board that’s meant to drive eight of those ubiquitous high-density color LED panels over gigabit Ethernet. If you were building a commercial LED wall, you’d screw a bunch of the LED panels together, daisy-chain a bunch of these boards to drive them, supply power, and you’d be done. Because of that high-volume application, these boards are inexpensive, around $15 each, and available as quickly as you can get stuff shipped from China.

But we’re not here to talk commercial applications. Managing fast Ethernet and pushing so many pixels in real time is a task best handled by an FPGA, and [Tom Verbeure] noticed that these things were essentially amazing FPGA development boards and started hacking on them. [q3k] put it up on GitHub, and you can follow along with the chubby75 reverse engineering project to dig into their secrets.

While the first generations of these boards used the old-standby Spartan 6, things got interesting for fans of open FPGA tools when newer versions were found using the Lattice ECP5-25 chips, the little brother of the stonking big chip [Sprite_TM] used on the 2019 Hackaday Supercon badge. If you want to grab one you’re looking for ColorLight boards marked with revision 6 or 7 as of this writing.

What does this mean? For the price of a gourmet hamburger, you get an FPGA that’s big enough to run a RISC-V softcore, two 166 MHz, 2 MB SDRAMs, flash for the FPGA bitstream, a bazillion digital outputs on 5 V level shifters, and two gigabit Ethernet ports. The JTAG port is broken out on 0.1″ headers, and it works with OpenOCD, which is ridiculously convenient. How’s that for a well-stocked budget FPGA dev board that’s served by a completely open toolchain?

Reverse Engineering Yokis Home Automation Devices

These days, it’s hard to keep track of all the companies that are trying to break into the home automation market. Whether they’re rebrands of somebody else’s product or completely new creations, it seems like every company has at least a few “smart” gadgets for you to choose from. We hadn’t heard of the Yokis devices that [Nicolas Maupu] has been working on before today, but thanks to his efforts to reverse engineer their protocol, we think they might become more popular with the hacking crowd.

Even if you don’t have a Yokis MTV500ER dimmer or MTR2000ER switch of your own, we think the detailed account of how [Nicolas] figured out how to talk to these devices is worth a read. His first step was to connect his oscilloscope directly to the SPI lines on the remote to see what it was sending out. With an idea of what he was looking for, he then used an nRF24L01+ radio connected to an ESP8266 to pull packets out of the air so he could analyze their structure. This might seem like a very specialized process, but in reality most of the techniques demonstrated are applicable to any unknown communications protocol for which you’ve got a hex dump.

On the other hand, if you do have some of these devices (or plan to get them), then the software [Nicolas] has put together looks very compelling. Essentially it’s an interactive firmware for the ESP8266 that allows it to serve as a bridge between the proprietary Yokis wireless protocol and a standard MQTT home automation system. When the microcontroller is connected to the computer you get a basic terminal interface that allows you to scan for and pair with devices as well as toggle them on and off.

This bridge could be used to allow controlling your Yokis hardware with a custom handheld remote, or you could follow the example of our very own [Mike Szczys], and pull everything together with a bit of Node-RED.

Reverse Engineer PCBs With SprintLayout

[Bwack] had some scanned pictures of an old Commodore card and wanted to recreate PC boards from it. It’s true that he could have just manually redrawn everything in a CAD package, but that’s tedious. Instead, he used SprintLayout 6.0 which allows you to import pictures and use them as a guide for recreating a PCB layout.

You can see the entire process including straightening the original scans. There are tools that make it very easy to place new structures over the original scanned images.


VGA Signal In A Browser Window, Thanks To Reverse Engineering

Epiphan VGA2USB LR VGA-to-USB devices

[Ben Cox] found some interesting USB devices on eBay. The Epiphan VGA2USB LR accepts VGA video on one end and presents it as a USB webcam-like video signal on the other. Never have to haul a VGA monitor out again? Sounds good to us! The devices are old and abandoned hardware, but they do claim Linux support, so one BUY button mash later and [Ben] was waiting patiently for them in the mail.

But when they did arrive, the devices didn’t enumerate as a USB UVC video device as expected. The vendor has a custom driver, support for which ended in Linux 4.9 — meaning none of [Ben]’s machines would run it. By now [Ben] was curious about how all this worked and began digging, aiming to create a userspace driver for the device. He was successful, and with his usual detail [Ben] explains not only the process he followed to troubleshoot the problem but also how these devices (and his driver) work. Skip to the end of the project page for the summary, but the whole thing is worth a read.

The resulting driver is not optimized, but will do about 7 fps. [Ben] even rigged up a small web server inside the driver to present a simple interface for the video in a pinch. It can even record its output to a video file, which is awfully handy. The code is available on his GitHub repository, so give it a look and maybe head to eBay for a bit of bargain-hunting of your own.

Software Defined Radio Gets Physical Control

Software Defined Radio (SDR) is a great technology, but there’s something so satisfying about spinning a physical knob to cruise the airwaves. Wanting to restore that tactile experience, [Tysonpower] purchased a cheap USB volume knob and set out to get it working with his software. Unfortunately, getting it up and running took a lot more work than you’re probably expecting.

Programming the knob’s STM32

After verifying that the knob worked for volume control on his computer, [Tysonpower] decided to try and pull the firmware from the device’s STM32 microcontroller. Unfortunately, this is where things got tricky. It turned out the chip had Code Protection enabled, so when it was wired up to a programmer and put into DFU mode, the firmware got wiped. Oops.

That left [Tysonpower] with no choice but to write a new firmware from scratch, which naturally required reverse engineering the device’s hardware. Step one was reading up on STM32 development and getting the toolchain working, which paved the way to getting the knob’s LED to blink. A couple more hours worth of work and some multimeter poking later, and he was able to read the knob’s movement. He describes getting USB HID working as a nightmare due to lack of documentation, but eventually he got that sorted out as well.

The end result is a firmware that allows the volume knob to mimic a mouse scroll wheel, which can be used for tuning in many SDR packages. But we think the real success story is the experience [Tysonpower] gained with reverse engineering and working with the STM32 platform. After all, sometimes the journey is just as important as the end result.