Dissecting A Firmware Image

February 22, 2013 by Mike Szczys 18 Comments

dissecting-a-firmware-image

[Leland Flynn] did a great job of picking apart the firmware image for a Westell 9100EM FiOS router. Unfortunately he didn’t actually find the information he was looking for. But he’s not quite done poking around yet either. If you have never tried to make sense of an embedded Linux firmware image this serves as a great beginner’s example of how it’s done.

He was turned on to the project after port scanning his external IP and finding a random login prompt which he certainly didn’t set up. Some searching led him to believe this is some kind of back door for Verizon to push automatic firmware updates to his router. He figured why not see if he could yank the credentials and poke around inside of the machine?

He started by downloading the latest firmware upgrade. Running ‘hexdump’ and ‘strings’ gives him confirmation that the image is based on Linux. He’s then able to pick apart the package, getting at just the filesystem portion. His persistence takes him through extracting and decompressing three different filesystems. Even though he now has access to all of those files, broken symlinks meant a dead-end on his login search.

Digging Deeper Into The Apollo Saturn V LVDC

February 11, 2013 by Mike Szczys 11 Comments

LVDC-NAND-proto

[Fran] went all-out with her reverse engineering of the Apollo Saturn V LVDC board. Regular readers will remember that she was showing of the relic early this year when she took the board to her Dentist’s office to X-ray the circuit design. Since then she’s been hard at work trying to figure out how the thing functions using that look inside the board and components. When we say ‘hard at work’ we really mean it. Not only did she explore many different theories that resulted in dead ends, she also built her own version of the circuits to make sure they performed as she theorized. Above you can see her version of the NAND/AND gates used on the hardware.

We find her explanation of how the logic devices were originally fabricated to be very interesting. They started with a ceramic substrate and used additive processes to form the traces and add the gates. We’ve embedded her video explanation after the jump.

Continue reading “Digging Deeper Into The Apollo Saturn V LVDC” →

Finding 1s And 0s With A Microscope And Computer Vision

February 4, 2013 by Brian Benchoff 18 Comments

ROM

One day, [Adam] was asked if he would like to take part in a little project. A mad scientist come engineer at [Adam]’s job had just removed the plastic casing from a IC, and wanted a little help decoding the information on a masked ROM. These ROMs are basically just data etched directly into silicon, so the only way to actually read the data is with some nitric acid and a microscope. [Adam] was more than up for the challenge, but not wanting to count out thousands of 1s and 0s etched into a chip, he figured out a way to let a computer do it with some clever programming and computer vision.

[Adam] has used OpenCV before, but the macro image of the masked ROM had a lot of extraneous information; there were gaps in the columns of bits, and letting a computer do all the work would result in crap data. His solution was to semi-automate the process of counting 1s and 0s by selecting a grid by hand and letting image processing software do the rest of the work.

This work resulted in rompar, a tool to decode the data on de-packaged ROMs. It works very well – [Adam] was able to successfully decode the ROM and netted the machine codes for the object of his reverse engineering.

Reverse Engineering The Furby

January 28, 2013 by Brian Benchoff 17 Comments

Furby

Furby teardowns are a favorite of ours, and there’s nothing quite like flaying open a creepy talking deformed animatronic owl/hell beast. There’s a lot you can do with a set of screwdrivers and a pair of scissors, but it takes a real clever person to reverse engineer a Furby without any disassembly (Russian, here’s the translation).

The new Furby comes with an iOS and Android app that allows children to interact with the Furby by feeding it, giving it commands, and even translating the Furbish into English. These apps work by playing a WAV file encoded with commands that give the Furby something to eat, or tell it to dance a merry jig.

Commands are delivered with these WAV files by means of a 4-digit, 4-bit code, complete with checksums. There are ten bits the Furby actually responds on, meaning there are potentially 1024 different commands the Furby can accept.

[iafan] wrote a Perl script to listen in on the audio generated by the Android Furby app and correlated all the possible commands with actions taken by the Furby. Everything is up on a git, allowing anyone to play an audio file and control the Furby’s mood and actions.

With this it should be possible to remotely control a Furby, letting it dance whenever you receive an email, or making it angry whenever someone retweets you. It’s a lot more clever than just putting a Furby through a wood chipper, but considering how creepy these things are, we’re not going to say it’s better.

How The 8085 ALU Is Structured

January 25, 2013 by Mike Szczys 10 Comments

8085-alu-reverse-engineering

This is a microscopic photograph of an 8085 processor die. [Ken Shirriff] uses the image in his explanation of how the ALU works. It is only capable of five basic operations: ADD, OR, XOR, AND, and SHIFT-RIGHT. [Ken] mentions that the lack of SHIFT-LEFT is made up for by adding the number to itself which has the effect of multiplying a number by two; the same mathematical function performed by a shift operation.

His post details the gate arrangement for each ALU operation. This is clear and easy to follow, and was based on reverse engineering work already done by a team who meticulously decapped and photographed the dies.

Not long ago this explanation would have been voodoo to us. But we worked our way through The Elements of Computing Systems text-book by following the online Nand to Tetris course. It really demystifies the inner working of a chip like the 8085.

Now if you really want to understand this ALU you’ll build it for yourself inside of Minecraft.

[Thanks Ed]

Communication Protocol For An Indoor Helicopter

January 21, 2013 by Mike Szczys 6 Comments

propel-execuheli-ir-protocol-revealed

There’s a special type of satisfaction that comes from really understanding how something works at the end of a reverse engineering project. This grid above is the culmination of [Spencer’s] effort to reverse engineer the IR protocol of a Propel ExecuHeli indoor helicopter toy.

The first thing he looked at was the three different controller channels which can be selected to allow multiple helicopters to be used in the same area. [Spencer] was surprised that they all used the same carrier frequency. The secret must be in the coded packets so his next challenge was to figure out how the data was being transmitted via the Infrared signal. It turns out the packets are using pulse-length coding (we were unfamiliar with this protocol but you can read a bit more about it here). The last piece of the puzzle was to capture packets produced by each unique change of the control module. With each bit (except for bit 11) accounted for he can now format his own codes for a controller replacement. Perhaps he’s looking to make the helicopter autonomous?

In-depth Look At An LVCD Board From A Saturn V Rocket

January 9, 2013 by Mike Szczys 58 Comments

saturn-v-lvdc-board

Join [Fran] as she dons the hat of an electronics archaeologist when looking at this vintage circuit board from the space race. As part of her personal collection she somehow acquired a Launch Vehicle Digital Computer board for a Saturn V rocket. This particular unit was never used. But it would have been had the Apollo program continued.

[Fran] is enamored with this particular board because she believes it is the forerunner of modern digital circuit design and layout. Since routing circuit boards is part of what she does for a living you can see why this is important to her. Also, who isn’t excited by actual hardware from the space program? We’ve embedded two of her videos after the break. In the first she shows off the component to the camera and speaks briefly about it. But the second video has her heading to the dentist’s office for X-rays. The image above is a rotating X-ray machine, but it looks like the best imagery comes when a handheld gun is used. They get some great images of the traces, as well as the TTL components on the board itself.

Continue reading “In-depth Look At An LVCD Board From A Saturn V Rocket” →