Revealing Capcom’s Custom Silicon Security

April 3, 2017 by Mike Szczys 52 Comments

Ask any security professional and they’ll tell you, when an attacker has hardware access it’s game over. You would think this easily applies to arcade games too — the very nature of placing the hardware in the wild means you’ve let all your secrets out. Capcom is the exception to this scenario. They developed their arcade boards to die with their secrets through a “suicide” system. All these decades later we’re beginning to get a clear look at the custom silicon that went into Capcom’s coin-op security.

Alas, this is a “part 1” article and like petulant children, we want all of our presents right now! But have patience, [Eduardo Cruz] over at ArcadeHacker is the storyteller you want to listen to on this topic. He is part of the team that figured out how to “de-suicide” the CP2 protections on old arcade games. We learned of that process last September when the guide was put out. [Eduardo] is now going through all the amazing things they learned while figuring out that process.

These machines — which had numerous titles like Super Street Fighter II and Marvel vs. Capcom — used battery-backed ram to store an encryption key. If someone tampered with the system the key would be lost and the code stored within undecipherable thanks to “two four-round Feistel ciphers with a 64-bit key”. The other scenario is that battery’s shelf life simply expires and the code is also lost. This was the real motivation behind the desuicide project.

An overview of the hardware shows that Capcom employed at least 11 types of custom silicon. As the board revisions became more eloquent, the number of chips dropped, but they continued to employ the trick of supplying each with battery power, hiding the actual location of the encryption key, and even the 68000 processor core itself. There is a 6-pin header that also suicides the boards; this has been a head-scratcher for those doing the reverse engineering. We assume it’s for an optional case-switch, a digital way to ensure you void the warranty for looking under the hood.

Thanks for walking us through this hardware [Eduardo], we can’t wait for the next installment in the series!

Closer Look At Everyone’s Favorite Blinky

March 10, 2017 by Mike Szczys 18 Comments

Admit it, you love looking at silicon die shots, especially when you have help walking through the functionality of all the different sections. This one’s really easy for a couple of reasons. [electronupdate] pointed his microscope at the die on a WS2812.

The WS2812 is an addressible RGB LED that is often called a Neopixel (a brand name assigned to it by Adafruit). The part is packaged in a 5×5 mm housing with a clear window on the front. This lets you easily see the diodes as they are illuminated, but also makes it easy to get a look at the die for the logic circuit controlling the part.

This die is responsible for reading data as it is shifted in, shifting it out to the next LED in the chain, and setting each of the three diodes accordingly. The funcitonality is simple which makes it a lot easier to figure out what each part of the die contributes to the effort. The diode drivers are a dead giveaway because a bonding wire connected to part of their footprint. It’s quite interesting to hear that the fourth footprint was likely used in testing — sound off in the comments if you can speculate on what those tests included.

We had no trouble spotting logic circuitry. This exploration doesn’t drill down to the gate level like a lot of [Ken Shirriff’s] silicon reverse engineering but the process that [electronupdate] uses is equally fun. He grabs a tiny solar cell and scopes it while the diodes are running to pick up on the PWM pattern used to fade each LED. That’s a neat little trick to keep in your back pocket for use in confirming your theories about clock rate and implementation when reverse engineering someone else’s work.

Continue reading “Closer Look At Everyone’s Favorite Blinky” →

Arduino Into NAND Reader

March 10, 2017 by Elliot Williams 31 Comments

[James Tate] is starting up a project to make a “Super Reverse-Engineering Tool”. First on his list? A simple NAND flash reader, for exactly the same reason that Willie Sutton robbed banks: because that’s where the binaries are.

As it stands, [James]’s first version of this tool is probably not what you want to use if you’re dumping a lot of NAND flash modules. His Arduino code reads the NAND using the notoriously slow digital_read() and digital_write() commands and then dumps it over the serial port at 115,200 baud. We’re not sure which is the binding constraint, but neither of these methods are built for speed.

Instead, the code is built for hackability. It’s pretty modular, and if you’ve got a NAND flash that needs other low-level bit twiddling to give up its data, you should be able to get something up and working quickly, start it running, and then go have a coffee for a few days. When you come back, the data will be dumped and you will have only invested a few minutes of human time in the project.

With TSOP breakout boards selling for cheap, all that prevents you from reading out the sweet memory contents of a random device is a few bucks and some patience. If you haven’t ever done so, pull something out of your junk bin and give it a shot! If you’re feeling DIY, or need to read a flash in place, check out this crazy solder-on hack. Or if you can spring for an FTDI FT2233H breakout board, you can read a NAND flash fast using essentially the same techniques as those presented here.

Open Source Firmware For A Cheap Programmable Power Supply

March 7, 2017 by Brian Benchoff 64 Comments

A few months ago, someone clued us in on a neat little programmable power supply from the usual Chinese retailers. The DPS5005 is a programmable power supply that takes power from a big AC to DC wall wart and turns it into a tiny bench-top power supply. You can pick one of these things up for about thirty bucks, so if you already have a sufficiently large AC to DC converter you can build a nice 250 Watt power supply on the cheap.

[Johan] picked up one of these tiny programmable power supplies. His overall impression was positive, but like so many cheap products on AliExpress, there wasn’t a whole lot of polish to the interface. Additionally, the DPS5005 lacked the ability to be controlled over a serial port or WiFi.

This programmable power supply is built around an STM32, with the programming pads exposed and labeled on the PCB. The changes [Johan] wanted to make were all in software, leading him to develop OpenDPS, a firmware replacement for the DPS5005. Continue reading “Open Source Firmware For A Cheap Programmable Power Supply” →

Another Day, Another “IoT” Backdoor

March 6, 2017 by Elliot Williams 48 Comments

As if you needed any reason other than “just for the heck of it” to hack into a gadget that you own, it looks like nearly all of the GSM-to-IP bridge devices make by DBLTek have a remotely accessible “secret” backdoor account built in. We got sent the link via Slashdot which in turn linked to this story on Techradar. Both include the scare-words “Chinese” and “IoT”, although the devices seem to be aimed at small businesses, but everything’s “IoT” these days, right?

What is scary, however, is that the backdoor isn’t just a sloppy debug account left in, but rather only accessible through an elaborate and custom login protocol. Worse still, when the company was contacted about the backdoor account, they “fixed” the problem not by removing the account, but by making the “secret” login procedure a few steps more complicated. Which is to say, they haven’t fixed the problem at all.

This issue was picked up by security firm Trustwave, but they can’t check out every device on the market all the time. We may be preaching to the choir here, but if you’re ever wondering why it’s important to be able to break into stuff that you own, here’s another reminder.

Universal Radio Hacker

February 23, 2017 by Jenny List 17 Comments

If you are fascinated by stories you read on sites like Hackaday in which people reverse engineer wireless protocols, you may have been tempted to hook up your RTL-SDR stick and have a go for yourself. Unfortunately then you may have encountered the rather steep learning curve that comes with these activities, and been repelled by a world with far more of the 1337 about it than you possess. You give up after an evening spent in command-line dependency hell, and move on to the next thing that catches your eye.

You could then be interested by [Jopohl]’s Universal Radio Hacker. It’s a handy piece of software for investigating unknown wireless protocols. It supports a range of software defined radios including the dirt-cheap RTL-SDR sticks, quickly demodulates any signals you identify, and provides a whole suite of tools to help you extract the data they contain. And for those of you scarred by dependency hell, installation is simple, at least for this Hackaday scribe. If you own an SDR transceiver, it can even send a reply.

To prove how straightforward the package is, we put an RTL stick into a spare USB port and ran the software. A little investigation of the menus found the spectrum analyser, with which we were able to identify the 433 MHz packets coming periodically from a wireless thermometer. Running the record function allowed us to capture several packets, after which we could use the interpretation and analysis screens to look at the binary stream for each one. All in the first ten minutes after installation, which in our view makes it an easy to use piece of software. It didn’t deliver blinding insight into the content of the packets, that still needs brain power, but at least if we were reverse engineering them we wouldn’t have wasted time fighting the software.

We’ve had so many reverse engineering wireless protocol stories over the years, to pick only a couple seems to miss the bulk of the story. However both this temperature sensor and this weather station show how fiddly it can be without a handy software package to make it easy.

Via Hacker News.

Amazing 3D-Scanner Teardown And Rebuild

February 6, 2017 by Elliot Williams 14 Comments

Pour yourself a nice hot cup of tea, because [iliasam]’s latest work on a laser rangefinder (in Russian, translated here) is a long and interesting read. The shorter version is that he got his hands on a broken laser security scanner, nearly completely reverse-engineered it, got it working again, put it on a Roomba that was able to map out his apartment, and then re-designed it to become a tripod-mounted, full-room 3D scanner. Wow.

The scanner in question has a spinning mirror and a laser time-of-flight ranger, and is designed to shut down machinery when people enter a “no-go” region. As built, it returns ranges along a horizontal plane — it’s a 2D scanner. The conversion to a 3D scanner meant adding another axis, and to do this with sufficient precision required flipping the rig on its side, salvaging the fantastic bearings from a VHS machine, and driving it all with the surprisingly common A4988 stepper driver and an Arduino. A program on a PC reads in the data, and the stepper moves another 0.36 degrees. The results speak for themselves.

This isn’t [iliasam]’s first laser-rangefinder project, naturally. We’ve previously featured his homemade parallax-based ranger for use on a mobile robot, which is equally impressive. What amazes us most about these builds is the near-professional quality of the results pulled off on a shoestring budget.

Continue reading “Amazing 3D-Scanner Teardown And Rebuild” →