reverse engineering

403 Articles

80’s Smartwatch Finally Plays Tetris

November 14, 2017 by 19 Comments

While the current generation of smartwatches have only been on the market for a few years, companies have been trying to put a computer on your wrist since as far back as the 80s with varying degrees of success. One such company was Seiko, who in 1984 unveiled the UC-2000: a delightfully antiquated attempt at bridging the gap between wristwatch and personal computer. Featuring a 4-bit CPU, 2 KB of RAM, and 6 KB of ROM, the UC-2000 was closer to a Tamagotchi than its modern day counterparts, but at least it could run BASIC.

Dumping registers

Ever since he saw the UC-2000 mentioned online, [Alexander] wanted to get one and try his hand at developing his own software for it. After securing one on eBay, the first challenge was getting it connected up to a modern computer. (Translated from Russian here.) [Alexander] managed to modernize the UC-2000’s novel induction based data transfer mechanism with help from a ATtiny85, which allowed him to get his own code on the watch, all that was left was figuring out how to write it.

With extremely limited published information, and no toolchain, [Alexander] did an incredible job of figuring out the assembly required to interact with the hardware. Along the way he made a number of discoveries which set his plans back, such as the fact that there is no way to directly control individual pixels on the screen; all graphics would have to be done with the built-in symbols.

The culmination of all this hard work? Playing Tetris, naturally. Though [Alexander] admits that limitations of the device’s hardware meant the game had to be simplified a bit, he’s almost certainly having more fun than any of the UC-2000’s original owners did with this device. He’s setup a GitHub repository for anyone who wishes to join him in this brave new world of vintage wrist computing.

[Alexander] isn’t the only one experimenting with fringe wearable computers. We’ve seen our fair share of interesting smartwatches, featuring everything from novel input methods to complete scratch-builds.

Continue reading “80’s Smartwatch Finally Plays Tetris”

Reverse Engineering The Nintendo Switch Joy-Cons

November 6, 2017 by 26 Comments

The Switch is Nintendo’s latest effort in the console world. One of its unique features is the Joy-Cons, a pair of controllers that can either attach directly to the console’s screen or be removed and used individually. But how do they work? [dekuNukem] decided to find out.

The reverse engineering efforts begin with disassembly. Surprisingly, there is no silkscreen present on the board to highlight test points or part numbers. This is likely to conflate intended to stymie community efforts to work with the hardware, as different teams may create their own designations for components. Conversely, the chips inside still have their identifying markings present, which does ease identification somewhat.

There are some interesting choices made – the majority of the buttons are scanned in a matrix configuration by the on-board microcontroller, making it harder to spoof button presses. The controllers communicate over Bluetooth, switching to a physical serial connection when attached directly to the screen. This runs at a blistering 3,125,000 BPS after the initial handshake is completed.

Overall it’s a fairly comprehensive reverse engineering effort, and [dekuNukem] has provided excellent detail in the writeup for anyone else looking to get involved. There’s still some work left to do, like investigating the rumble messages, but it’s an excellent start and very comprehensive.

Perhaps you’re more interested in older Nintendo hardware? Check out this comprehensive effort to figure out NES console-to-cartridge security methods.

Reverse Engineering Guitar Hero

September 25, 2017 by 11 Comments

What do you do when a ten-year-old video game has a bug in it? If you are [ExileLord] you fix it, even if you don’t have the source code. Want to know how? Luckily, he produced a video showing all the details of how he tracked the bug down and fixed it. You can see the video below. You may or may not care about Guitar Hero, but the exercise of reverse engineering and patching the game is a great example of the tools and logic required to reverse engineer any binary software, especially a Windows binary.

The tool of choice is IDA, an interactive debugger and disassembler. The crash thows an exception and since [ExileLord] has done some work on the game before, he was able to find a function that was creating a screen element that eventually led to the crash.

Continue reading “Reverse Engineering Guitar Hero”

Fake Ram: Identifying A Counterfeit Chip

August 22, 2017 by 26 Comments

[Robert Baruch‏] had something strange on his hands. He had carefully decapped 74LS189 16×4 static RAM, only to find that it wasn’t a RAM at all. The silicon die inside the plastic package even had analog elements, which is not what one would expect to find in an SRAM. But what was it? A quick tweet brought in the cavalry, in the form of chip analysis expert [Ken Shirriff].

[Ken] immediately realized the part [Robert] had uncovered wasn’t a 74 series chip at all. The power and ground pins were in the wrong places. Even the transistors were small CMOS devices, where a 74 series part would use larger bipolar transistors. The most glaring difference between the mystery device and a real LS819 was the analog elements. The mystery chip had a resistor network, arranged as an R-2R ladder. This configuration is often used as a simple Digital to Analog Converter (DAC).

Further analysis of the part revealed that the DAC was driven by a mask ROM that was itself indexed using a linear feedback shift register. [Ken] used all this information to plot out the analog signal the chip would generate. It turned out to be a rather sorry looking sine wave.

The mystery part didn’t look like any function generator or audio chip of the era. [Ken] had to think about what sort of commodity part would use lookup tables to generate an audio waveform. The answer was as close as his telephone — a DTMF “touch tone” generator, specifically a knockoff of a Mostek MK5085.

Most investigators would have stopped there. Not [Ken] though. He delved into the construction and function of the DTMF generator. You can find the full analysis on his site. This isn’t [Ken’s] first rodeo with decapped chips. He’s previously examined the Intel 8008 and presented a talk on silicon reverse engineering at the 2016 Hackaday Superconference. [Robert] has also shown us how to pop the top of classic ceramic integrated circuits.

 

Reverse Engineering A BLE Service To Control A Light Bulb

August 13, 2017 by 18 Comments

So, you buy an Internet of Things light bulb, it’s a fun toy that allows you to bathe your environment in pretty colours at the touch of an app, but eventually you want more. You start to wonder how you might do more with it, and begin to investigate its inner workings. Then to your horror you discover that far from having bought a device with a convenient API for you to use, it has an impenetrable closed protocol that defies easy access.

This was the problem facing [Ayan Pahwa] when he bought a Syska Smartlight Rainbow LED bulb, and discovered that its Bluetooth Low Energy  interface used a closed protocol. But instead of giving up, he proceeded to reverse engineer the communication between bulb and app, and his write-up makes for an interesting read that provides a basic primer on some of BLE’s workings for the uninitiated.

BLE allows a device manufacturer to define their own device service specific to their functionality alongside standard ones for common device types. Using a handy Android app from Nordic Semiconductor he was able to identify the services defined for the light bulb, but sadly they lacked any human-readable information to help him as to their purpose. He thus had to sniff BLE packets directly, and lacking dedicated hardware for this task he relied on a developer feature built into Android versions since KitKat, allowing packets to be captured and logged. By analysing the resulting packet files he was able to identify the Texas Instruments chip inside the bulb, and to deduce the sequences required to control its colours. Then he was able to use the Bluez utilities to talk directly to it, and as if by magic, his colours appeared! Take a look at the video we’ve placed below the break.

Many of us may never need to reverse engineer a BLE device. But if we are BLE novices, after reading [Ayan]’s piece we will at least have some idea of its inner workings. And that can only be a positive thing.

Continue reading “Reverse Engineering A BLE Service To Control A Light Bulb”

Michael Ossmann Pulls DSSS Out Of Nowhere

July 29, 2017 by 23 Comments

[Michael Ossmann] spoke on Friday to a packed house in the wireless hacking village at DEF CON 25. There’s still a day and a half of talks remaining but it will be hard for anything to unseat his Reverse Engineering Direct Sequence Spread Spectrum (DSSS) talk as my favorite of the con.

DSSS is a technique used to transmit reliable data where low signal strength and high noise are likely. It’s used in GPS communications where the signal received from a satellite is often far too small for you to detect visually on a waterfall display. Yet we know that data is being received and decoded by every cell phone on the planet. It is also used for WiFi management packets, ZigBee, and found in proprietary systems especially any dealing with satellite communications.

[Michael] really pulled a rabbit out of a hat with his demos which detected the DSSS signal parameters in what appeared to be nothing but noise. You can see below the signal with and without noise; the latter is completely indiscernible as a signal at all to the eye, but can be detected using his techniques.

Strong DSSS Signal, no noise
Same DSSS signal not apparent

Detecting DSSS with Simple Math

[Michael] mentioned simple math tricks, and he wasn’t kidding. It’s easy to assume that someone as experienced in RF as he would have a different definition of ‘simple’ than we would. But truly, he’s using multiplication and subtraction to do an awful lot.

DSSS transmits binary values as a set called a chip. The chip for digital 1 might be 11100010010 with the digital 0 being the inverse of that. You can see this in the slide at the top of this article. Normal DSSS decoding compares the signal to expected values, using a correlation algorithm that multiplies the two and gives a score. If the score is high enough, 11 in this example, then a bit has been detected.

To reverse engineer this it is necessary to center on the correct frequency and then detect the chip encoding. GNU radio is the tool of choice for processing a DSSS capture from a SPOT Connect module designed to push simple messages to a satellite communication network. The first math trick is to multiply the signal by itself and then look at spectrum analysis to see if there is a noticeable spike indicating the center of the frequency. This can then be adjusted with an offset and smaller spikes on either side will be observed.

When visualized in a constellation view you begin to observe a center and two opposite clusters. The next math trick is to square the signal (multiply it by itself) and it will join those opposite clusters onto one side. What this accomplishes is a strong periodic component (the cycle from the center to the cluster and back again) which reveals the chip rate.

Detecting symbols within the chip is another math trick. Subtract each successive value in the signal from the last and you will mostly end up with zero (high signal minus high signal is zero, etc). But every time the signal spikes you’re looking at a transition point and the visualization begins to look like logic traced out on an oscilloscope. This technique can deal with small amounts of noise but becomes more robust with a bit of filtering.

This sort of exploration of the signal is both fun and interesting. But if you want to actually get some work done you need a tool. [Michael] built his own in the form of a python script that cobbles up a .cfile and spits out the frequency offset, chip rate, chip sequence length, and decoded chip sequence.

Running his sample file through with increasing levels of noise added, the script was rock solid on detecting the parameters of the signal. Interestingly, it is even measuring the 3 parts per million difference between the transmitter and receiver clocks in the detected chip rate value. What isn’t rock solid is the actual bit information, which begins to degrade as the noise is increased. But just establishing the parameters of the protocol being used is the biggest part of the battle and this is a dependable solution for doing that quickly and automatically.

You can give the script a try. It is part of [Michael’s] Clock Recovery repo. This talk was recorded and you should add it to your reminder list for after the con when talks begin to be published. To hold you over until then, we suggest you take a look at his RF Design workshop from the 2015 Hackaday Superconference.

RoGeorge Attacks A Pulse Meter

July 22, 2017 by 2 Comments

The “Crivit Sports” is an inexpensive chest-strap monitor that displays your current pulse rate on a dedicated wristwatch. This would be much more useful, and presumably more expensive, if it had a logging option, or any way to export your pulse data to a more capable device. So [RoGeorge] got to work. Each post of the (so-far) three-part series is worth a read, not the least because of the cool techniques used.

In part one, [RoGeorge] starts out by intercepting the signals. His RF sniffer? An oscilloscope probe shorted out in a loop around the heart monitor. Being able to read the signals, it was time to decode them. Doing pushups and decoding on-off keyed RF signals sounds like the ideal hacker training regimen, but instead [RoGeorge] used a signal generator, clipped to the chest monitor, to generate nice steady “heartbeats” and then read the codes off the scope without breaking a sweat.

With the encoding in hand, and some help from the Internet, he tested out his hypothesis in part two. Using an Arduino to generate the pulses logged in part one, he pulsed a coil and managed to get the heart rates displayed on the watch.

Which brings us to part three. What if there were other secrets to be discovered? Brute-forcing every possible RF signal and looking at the watch to see the result would be useful, but doing so for 8,192 possible codes would drive anyone insane. So [RoGeorge] taught himself OpenCV in Python and pointed a webcam at the watch. He wrote a routine that detected the heart icon blinking, a sign that the watch received a valid code, and then transmitted all possible codes to see which ones were valid. Besides discovering a few redundant codes, he didn’t learn much new from this exercise, but it’s a great technique.

We’re not sure what’s left to do on the Crivit. [RoGeorge] has already figured out the heart-rate data protocol, and could easily make his own logger. We are sure that we liked his thorough and automated approach to testing it all, from signal-generator-as-heartbeat to OpenCV as feedback in a brute-force routine. We can’t wait to see what’s up next.