Another Day, Another “IoT” Backdoor

As if you needed any reason other than “just for the heck of it” to hack into a gadget that you own, it looks like nearly all of the GSM-to-IP bridge devices made by DBLTek have a remotely accessible “secret” backdoor account built in. We got sent the link via Slashdot, which in turn linked to this story on Techradar. Both include the scare-words “Chinese” and “IoT”, although the devices seem to be aimed at small businesses. But everything’s “IoT” these days, right?

What is scary, however, is that the backdoor isn’t just a sloppy debug account left in, but rather only accessible through an elaborate and custom login protocol. Worse still, when the company was contacted about the backdoor account, they “fixed” the problem not by removing the account, but by making the “secret” login procedure a few steps more complicated. Which is to say, they haven’t fixed the problem at all.

This issue was picked up by security firm Trustwave, but they can’t check out every device on the market all the time. We may be preaching to the choir here, but if you’re ever wondering why it’s important to be able to break into stuff that you own, here’s another reminder.

Universal Radio Hacker

If you are fascinated by stories you read on sites like Hackaday in which people reverse engineer wireless protocols, you may have been tempted to hook up your RTL-SDR stick and have a go for yourself. Unfortunately then you may have encountered the rather steep learning curve that comes with these activities, and been repelled by a world with far more of the 1337 about it than you possess. You give up after an evening spent in command-line dependency hell, and move on to the next thing that catches your eye.

You could then be interested by [Jopohl]’s Universal Radio Hacker. It’s a handy piece of software for investigating unknown wireless protocols. It supports a range of software defined radios including the dirt-cheap RTL-SDR sticks, quickly demodulates any signals you identify, and provides a whole suite of tools to help you extract the data they contain. And for those of you scarred by dependency hell, installation is simple, at least for this Hackaday scribe. If you own an SDR transceiver, it can even send a reply.

To prove how straightforward the package is, we put an RTL stick into a spare USB port and ran the software. A little investigation of the menus found the spectrum analyser, with which we were able to identify the 433 MHz packets coming periodically from a wireless thermometer. Running the record function allowed us to capture several packets, after which we could use the interpretation and analysis screens to look at the binary stream for each one. All in the first ten minutes after installation, which in our view makes it an easy-to-use piece of software. It didn’t deliver blinding insight into the content of the packets, since that still needs brain power, but at least if we were reverse engineering them we wouldn’t have wasted time fighting the software.

We’ve had so many reverse engineering wireless protocol stories over the years, to pick only a couple seems to miss the bulk of the story. However both this temperature sensor and this weather station show how fiddly it can be without a handy software package to make it easy.

Via Hacker News.

Amazing 3D-Scanner Teardown And Rebuild

Pour yourself a nice hot cup of tea, because [iliasam]’s latest work on a laser rangefinder (in Russian, translated here) is a long and interesting read. The shorter version is that he got his hands on a broken laser security scanner, nearly completely reverse-engineered it, got it working again, put it on a Roomba that was able to map out his apartment, and then re-designed it to become a tripod-mounted, full-room 3D scanner. Wow.

The scanner in question has a spinning mirror and a laser time-of-flight ranger, and is designed to shut down machinery when people enter a “no-go” region. As built, it returns ranges along a horizontal plane — it’s a 2D scanner. The conversion to a 3D scanner meant adding another axis, and to do this with sufficient precision required flipping the rig on its side, salvaging the fantastic bearings from a VHS machine, and driving it all with the surprisingly common A4988 stepper driver and an Arduino. A program on a PC reads in the data, and the stepper moves another 0.36 degrees. The results speak for themselves.

This isn’t [iliasam]’s first laser-rangefinder project, naturally. We’ve previously featured his homemade parallax-based ranger for use on a mobile robot, which is equally impressive. What amazes us most about these builds is the near-professional quality of the results pulled off on a shoestring budget.


33C3: Hunz Deconstructs The Amazon Dash Button

The Amazon Dash button is now in its second hardware revision, and in a talk at the 33rd Chaos Communication Congress, [Hunz] not only tears it apart and illuminates the differences with the first version, but he also manages to reverse engineer it enough to get his own code running. This opens up a whole raft of possibilities that go beyond the simple “intercept the IP traffic” style hacks that we’ve seen.

Just getting into the Dash is a bit of work, so buy two: one to cut apart and locate the parts that you have to avoid next time. Once you get in, everything is tiny! There are a lot of 0201 SMD parts. Hidden underneath a plastic blob (acetone!) is an Atmel ATSAMG55, a 120 MHz ARM Cortex-M4 with FPU, and a beefy CPU all around. There is also a 2.4 GHz radio with a built-in IP stack that handles all the WiFi, with built-in TLS support. Other parts include a boost voltage converter, a BTLE chipset, an LED, a microphone, and some SPI flash.

The strangest part of the device is the sleep mode. The voltage regulator is turned on by user button press and held on using a GPIO pin on the CPU. Once the microcontroller lets go of the power supply, all power is off until the button is pressed again. It’s hard to use any less power when sleeping. Even so, the microcontroller monitors the battery voltage and presumably phones home when it gets low.

Yes, You Can Reverse Engineer This 74181

[Ken Shirriff] is the gift that keeps on giving this new year. His latest is a reverse engineering of the 74181 Arithmetic Logic Unit (ALU). The great news is that the die image and complexity are both optimized for you to succeed at doing your own reverse engineering.

We have most recently seen [Ken] at work explaining his decapping and reverse engineering process at the Hackaday SuperCon followed soon after by his work on the 8008. That chip is crazy with complexity and a die-ogling noob (like several of us on the Hackaday crew) stands no chance of doing more than simply following along with what he explains. This time around, the 74181 is just right for the curious but not obsessed. Don’t believe me? The 8008 had around 3,500 transistors while the friendly 74181 hosts just 170. We like those odds!

A quick crash course in visually recognizing transistors will have you off to the races. [Ken] also provides reference for more complex devices. But where he really saves the day is in his schematic analysis. See, the traditional ‘textbook’ logic designs have been made faster in this chip and going through his explanation will get you back on track to follow the method behind the die’s madness.

[Ken] took his own photograph of the die. You can see the donor chip above which had its ceramic enclosure shattered with a brisk tap from a sharp chisel.

Rebonding An IC To Save Tatakae! Big Fighter

Preserving old arcade games is a niche pastime that can involve some pretty serious hacking skills. If the story here were just that someone pulled the chip from a game, took it apart, and figured out the ROM contents, that’d be pretty good. But the real story is way stranger than that.

Apparently, a bunch of devices were sent to a lab to be reverse engineered and were somehow lost. Nearly ten years later, the devices reappeared, and another group has taken the initiative to recover their contents. The chip in question was part of a 1989 arcade game called Tatakae! Big Fighter, and it had been hacked. Literally hacked. Like with an ax or something worse.

You can read the story of how the contents were recovered. You shouldn’t try this at home without a vent hood and other safety gear. However, they did rebond wires to the device using a clever trick and no exotic equipment (assuming you have some fairly good optical microscopes and a microprobe on a lens positioner).


Ken Shirriff Takes Us Inside The IC, For Fun

[Ken Shirriff] has seen the insides of more integrated circuits than most people have seen bellybuttons. (This is an exaggeration.) But the point is, where we see a crazy jumble of circuitry, [Ken] sees a riddle to be solved, and he’s got a method that guides him through the madness.

In his talk at the 2016 Hackaday SuperConference, [Ken] stepped the audience through a number of famous chips, showing how he approaches them and how you could do the same if you wanted to, or needed to. Reading an IC from a photo is not for the faint of heart, but with a little perseverance, it can give you the keys to the kingdom. We’re stoked that [Ken] shared his methods with us, and gave us some deeper insight into a handful of classic silicon, from the Z80 processor to the 555 timer and LM7805 voltage regulator, and beyond.
