reverse engineering

386 Articles

33C3: Hunz Deconstructs The Amazon Dash Button

February 2, 2017 by 22 Comments

The Amazon Dash button is now in its second hardware revision, and in a talk at the 33rd Chaos Communications Congress, [Hunz] not only tears it apart and illuminates the differences with the first version, but he also manages to reverse engineer it enough to get his own code running. This opens up a whole raft of possibilities that go beyond the simple “intercept the IP traffic” style hacks that we’ve seen.

dash_block_diagramJust getting into the Dash is a bit of work, so buy two: one to cut apart and locate the parts that you have to avoid next time. Once you get in, everything is tiny! There are a lot of 0201 SMD parts. Hidden underneath a plastic blob (acetone!) is an Atmel ATSAMG55, a 120 MHz ARM Cortex-M4 with FPU, and a beefy CPU all around. There is also a 2.4 GHz radio with a built-in IP stack that handles all the WiFi, with built-in TLS support. Other parts include a boost voltage converter, a BTLE chipset, an LED, a microphone, and some SPI flash.

The strangest part of the device is the sleep mode. The voltage regulator is turned on by user button press and held on using a GPIO pin on the CPU. Once the microcontroller lets go of the power supply, all power is off until the button is pressed again. It’s hard to use any less power when sleeping. Even so, the microcontroller monitors the battery voltage and presumably phones home when it gets low.
Continue reading “33C3: Hunz Deconstructs The Amazon Dash Button”

Yes, You Can Reverse Engineer This 74181

January 7, 2017 by 21 Comments

[Ken Shirriff] is the gift that keeps on giving this new year. His latest is a reverse engineering of the 74181 Arithmetic Logic Unit (ALU). The great news is that the die image and complexity are both optimized for you to succeed at doing your own reverse engineering.

74181-openedWe have most recently seen [Ken] at work explaining his decapping and reverse engineering process at the Hackaday SuperCon followed soon after by his work on the 8008. That chip is crazy with complexity and a die-ogling noob (like several of us on the Hackaday crew) stands no chance of doing more than simply following along with what he explains. This time around, the 74181 is just right for the curious but not obsessed. Don’t believe me? The 8008 had around 3,500 transistors while the friendly 74181 hosts just 170. We like those odds!

A quick crash course in visually recognizing transistors will have you off to the races. [Ken] also provides reference for more complex devices. But where he really saves the day is in his schematic analysis. See, the traditional ‘textbook’ logic designs have been made faster in this chip and going through his explanation will get you back on track to follow the method behind the die’s madness.

[Ken] took his own photograph of the die. You can see the donor chip above which had its ceramic enclosure shattered with a brisk tap from a sharp chisel.

Rebonding An IC To Save Tatakae! Big Fighter

January 1, 2017 by 10 Comments

Preserving old arcade games is a niche pastime that can involve some pretty serious hacking skills. If the story here were just that someone pulled the chip from a game, took it apart, and figured out the ROM contents, that’d be pretty good. But the real story is way stranger than that.

Apparently, a bunch of devices were sent to a lab to be reverse engineered and were somehow lost. Nearly ten years later, the devices reappeared, and another group has taken the initiative to recover their contents. The chip in question was part of a 1989 arcade game called Tatakae! Big Fighter, and it had been hacked. Literally hacked. Like with an ax or something worse.

You can read the story of how the contents were recovered. You shouldn’t try this at home without a vent hood and other safety gear. However, they did rebond wires to the device using a clever trick and no exotic equipment (assuming you have some fairly good optical microscopes and a microprobe on a lens positioner).

Continue reading “Rebonding An IC To Save Tatakae! Big Fighter”

Ken Shirriff Takes Us Inside The IC, For Fun

December 27, 2016 by 13 Comments

[Ken Shirriff] has seen the insides of more integrated circuits than most people have seen bellybuttons. (This is an exaggeration.) But the point is, where we see a crazy jumble of circuitry, [Ken] sees a riddle to be solved, and he’s got a method that guides him through the madness.

In his talk at the 2016 Hackaday SuperConference, [Ken] stepped the audience through a number of famous chips, showing how he approaches them and how you could do the same if you wanted to, or needed to. Reading an IC from a photo is not for the faint of heart, but with a little perseverance, it can give you the keys to the kingdom. We’re stoked that [Ken] shared his methods with us, and gave us some deeper insight into a handful of classic silicon, from the Z80 processor to the 555 timer and LM7805 voltage regulator, and beyond.

Continue reading “Ken Shirriff Takes Us Inside The IC, For Fun”

33C3: Chris Gerlinsky Cracks Pay TV

December 27, 2016 by 40 Comments

People who have incredible competence in a wide range of fields are rare, and it can appear deceptively simple when they present their work. [Chris Gerlinksy]’s talk on breaking the encryption used on satellite and cable pay TV set-top boxes was like that. (Download the slides, as PDF.) The end result of his work is that he gets to watch anything on pay TV, but getting to watch free wrestling matches is hardly the point of an epic hack like this.

The talk spans hardware reverse engineering of the set-top box itself, chip decapping, visual ROM recovery, software reverse analysis, chip glitching, creation of custom glitching hardware, several levels of crypto, and a lot of very educated guessing. Along the way, you’ll learn everything there is to know about how broadcast streams are encrypted and delivered. Watch this talk now.

Some of the coolest bits:

  • Reading out the masked ROM from looking at it with a microscope never fails to amaze us.
  • A custom chip-glitcher rig was built, and is shown in a few iterations, finally ending up in a “fancy” project box. But it’s the kind of thing you could build at home: a microcontroller controlling a switch on a breadboard.
  • The encoder chip stores its memory in RAM: [Chris] uses a beautiful home-brew method of desoldering the power pins, connecting them up to a battery, and desoldering the chip from the board for further analysis.
  • The chip runs entirely in RAM, forcing [Chris] to re-glitch the chip and insert his payload code every time it resets. And it resets a lot, because the designers added reset vectors between the bytes of the desired keys. Very sneaky.
  • All of this was done by sacrificing only one truckload of set-top boxes.

Our jaw dropped repeatedly during this presentation. Go watch it now.

Disassembly Required

December 23, 2016 by 29 Comments

If you really want to hack software, you are going to face a time when you have to take apart someone’s machine code. If you aren’t very organized, it might even be your own — source code does get lost. If you want to impress everyone, you’ll just read through the hex code (well, the really tough old birds will read it in binary). That was hard to do even when CPUs only had a handful of instructions.

A more practical approach is to use a tool called a disassembler. This is nothing more than a program that converts numeric machine code into symbolic instructions. The devil, of course, is in the details. Real programs are messy. The disassembler can’t always figure out the difference between code and data, for example. The transition points between data and code can also be tricky.

When Not to Use

If you are coding your own program in assembly,  a disassembler isn’t usually necessary. The disassembly can’t recover things like variable names, some function names, and — of course — comments. If you use a high-level language and you want to check your compiler output, you can easily have the compiler provide assembly language output (see below).

The real value of a disassembler is when you don’t have the source code. But it isn’t easy, especially for anything nontrivial. Be prepared to do a lot of detective work in most cases.

Continue reading “Disassembly Required”

TP-Link Debug Protocol Gives Up Keys To Kingdom

December 14, 2016 by 25 Comments

If the headline makes today’s hack sound like it was easy, rest assured that it wasn’t. But if you’re interested in embedded device hacking, read on.

[Andres] wanted to install a custom OS firmware on a cheap home router, so he bought a router known to be reflashable only to find that the newer version of the firmware made that difficult. We’ve all been there. But instead of throwing the device in the closet, [Andres] beat it into submission, discovering a bug in the firmware, exploiting it, and writing it up for the manufacturer.  (And just as we’re going to press: posting the code for the downgrade exploit here.)

This is not a weekend hack — this took a professional many hours of serious labor. But it was made a lot easier because TP-Link left a debugging protocol active, listening on the LAN interface, and not requiring authentication. [Andres] found most of the information he needed in patents, and soon had debugging insight into the running device.

Continue reading “TP-Link Debug Protocol Gives Up Keys To Kingdom”