[CNLohr] Reverses Vive, Valve Engineers Play Along

[CNLohr] needs no introduction around these parts. He’s pulled off a few really epic hacks. Recently, he’s set his sights on writing a simple, easy to extend library to work with the HTC Vive VR controller equipment, and in particular the Watchman controller.

There’s been a lot of previous work on the device, so [Charles] wasn’t starting from scratch, and he live-streamed his work, allowing others to play along. In the process, two engineers who actually worked on the hardware in question, [Alan Yates] and [Ben Jackson], stopped by and gave some oblique hints and “warmer-cooler” guidance. A much-condensed version is up on YouTube (and embedded below). In the links, you’ll find code and the live streams in their original glory, if you want to see what went down blow by blow. Code and more docs are in this Gist.


Reverse Engineering An ST-Link Programmer

We’re not sure why [lujji] would want to hack ST’s ST-Link programmer firmware, but it’s definitely cool that he did, and his writeup is a great primer in hacking embedded devices in two parts: first he unpacks and decrypts the factory firmware and verifies that he can then upload his own encrypted firmware through the bootloader, and then he dumps the bootloader, figures out where it’s locking the firmware image, and sidesteps the protection.

[lujji]’s project was greatly helped out by having the firmware’s encryption keys from previous work by [Taylor Killian]. Once able to run his own code on an intact device, [lujji] wrote a quick routine that dumped the entire flash ROM contents out over the serial port. This gave him the bootloader binary, the missing piece in the two-part puzzle.

If you’ve ever broken copy protection of the mid-1990’s, you won’t be surprised what happened next. [lujji] located the routine where the bootloader adds in the read protection, and NOPped it out. After uploading firmware with this altered bootloader, [lujji] found that it wasn’t read-protected anymore. Game over!

We glossed over a couple useful tips and tricks along the way, so if you’re into reversing firmware, give [lujji]’s blog a look. If you just want a nice ARM programmer with UART capabilities, however, there’s no reason to go to these extremes. The Black Magic Probe project gives you equal functionality and it’s open source. Or given that the official ST-Link programmers are given away nearly free with every Nucleo board, just buying one is clearly the path of least resistance. But a nice hack like this is its own reward for those who want to take that path. Thanks, [lujji] for writing it up.

iPhone NVMe Chip Reversed With Custom Breakout Boards

Ever so slowly, the main storage in our computers has been moving from spinning disks, to SSDs over SATA, to Flash drives connected to a PCI something or other. The latest technology is NVMe — Non-Volatile Memory Express — a horribly named technology that puts a memory controller right on the chip. Intel has a PCI-based NVMe drive out, Samsung recently released an M.2 NVMe drive, and the iPhone 6S and 6S Plus are built around this storage technology.

New chips demand a reverse engineering session, and that’s exactly what [Ramtin Amin] did (Internet Archive). He took a few of these chips out of an iPhone, created a board that will read them, and managed to analyze the firmware.

Any reverse engineering will begin with desoldering the chip. This is easy enough, with the real trick being getting it working again outside whatever system it was removed from. For this, [Ramtin] built his own PCIe card with a ZIF socket. This socket was custom-made, but the good news is you can buy one from ITEAD. Yes, it is expensive — that’s what you get with a custom-made ZIF socket.

With the chip extracted, a custom PCIe card, and a bit of work with the NVMe implementation for Linux, [Ramtin] had just about everything working. Eventually, he was able to dump the entire file system on the chip, allowing anyone to theoretically back up the data on their iPhone or MacBook Air. Of course, and especially for the iPhone, this data is encrypted. It’s not possible to clone an iPhone using this method, but it is a remarkably deep dive into the hardware that makes our storage tick.

Glitching USB Firmware For Fun

[Micah Elizabeth Scott], aka [scanlime], has been playing around with USB drawing tablets, and got to the point that she wanted to get at the firmware — to reverse engineer it, see what’s going on, and who knows what else. Wacom didn’t design the devices to be user-updateable, so there aren’t copies of the ROMs floating around the web, and the tablet’s microcontroller seems to be locked down to boot.

With the easy avenues turning up dead ends, that means building some custom hardware to get it done and making a very detailed video documenting the project (embedded below). If you’re interested in chip power glitching attacks, and if you don’t suffer from a short attention span, watch it; it’s a phenomenal introduction.


Seeking Treachery In A Questionably Sourced Phone

Have you ever considered sourcing an off-brand phone from the China markets? Why, or what stopped you? The answer is data and identity. You are trusting both when you decide to use a smartphone. Let’s face it, smartphones are a personality prosthesis in our society. They know your physical location, what your interests are, the people you hang out with, and how you spend your money. The keys to the castle are shared with these devices and you shouldn’t grant that kind of trust without knowing your phone is worthy of it.

But… what if that phone has amazing features at an equally amazing price? [ijsf] bought the phone and then made it earn the proper level of trust. The model in question is a Blackview BV6000s — pictured above in a tub of soapy water proving its IP68 claim. This thing has flagship specs but not a flagship name, so [ijsf] took [Dave Jones’] advice and took it apart instead of turning it on. In this case, it is a complete ROM dump and disassembly.

The goal was to find malware — anything that is potentially leaking data. Nothing was found, which we think is because this phone isn’t nearly shady enough. We’d expect the bargain basement models (like this $3 wonder vaporware) to be more in line. That one actually has a carrier behind it, which means they plan to recoup on usage charges. But suspiciously cheap phones may be using a business model that makes it back by stealing a chunk of your identity.

Two good things come out of [ijsf’s] writeup. First, it’s a decent guide to dumping and snooping in a ROM. Second, in addition to the fruitless search for thieving apps, the annoying bloatware was removed for a cleaner ‘stock’ image.

Nexmon Turns Nexus 5 (and RPi3!) Into WiFi Toolkit

Back in the day, when wardriving was still useful (read: before WPA2 was widespread), we used to wander around with a Zaurus in our pocket running Kismet. Today, every cellphone has WiFi and a significantly more powerful processor inside. But alas, the firmware is locked down.

Enter the NexMon project. If you’ve got a Nexus 5 phone with the Broadcom BCM4339 WiFi chipset, you’ve now got a monitor-mode, packet-injecting workhorse in your pocket, and it looks a lot less creepy than that old Zaurus. But more to the point, NexMon is open. If you’d like to get inside what it took to reverse-engineer a hole into the phone’s WiFi, or make your own patches, here’s a great starting place.

But wait, there’s more! The recently released Raspberry Pi 3 has a similar Broadcom WiFi chipset, and has been given the same treatment, turning your RPi 3 into a wireless-sniffing powerhouse. How many Raspberry Pi “hacks” actually hack the Raspberry Pi? Well, here’s one.

We first learned of this project from a talk given at the MetaRhein-Main Chaos Days conference which took place last weekend. The NexMon talk (in German, but with slides in English) is just one of the many talks, all of which are available online.

The NexMon project is a standout, however. Not only do they reverse the WiFi firmware in the Nexus 5, but they show you how, and then apply the same methods to the RPi3. Kudos times three to [Matthias Schulz], [Daniel Wegemer], and [Matthias Hollick]!

Open Source SNES To USB Converter Lets You Emulate Legally

[Andrew Milkovich] was inspired to build his own Super Nintendo cartridge reader based on a device we covered an eternity (in internet years) ago. The device mounts a real cartridge as a USB mass storage device, allowing you to play your games using an emulator directly from the cart.

This uses a Teensy++ 2.0 at its core. [Andrew] had to desolder the EEPROM pins from the SNES cartridge and reverse engineer the pinouts himself, but the end result was a device that could successfully read the cartridge without erasing it, no small accomplishment. The finished cartridge reader is built on some protoboard, and we’d like to compliment [Andrew] on his jumper routing on the underside of that board.

Of course, the experience of any console is just not the same without the original controller. So [Andrew] went a step further and made his own SNES controller to USB converter. This had the venerable Atmel ATmega328 at its core, and can be used separate from the cartridge reader if desired.