Reverse Engineering ST-Link/V2 Firmware


The chip seen just above the center of this image is an ARM Cortex-M3. It provides the ability to interface and program the main chip on the STM32F3 Discovery board. The protocol used is the ST-Link/V2 which has become the standard for ST Microelectronics development boards. The thing is, that big ARM chip near the bottom of the image has multiple UARTs and bridging a couple of solder points will connect it to the ST-Link hardware. [Taylor Killian] wanted to figure out if there is built-in firmware support to make this a USB-to-serial converter and his path to the solution involved reverse engineering the ST-Link/V2 firmware.

The first part of the challenge was to get his hands on a firmware image. When you download the firmware update package the image is not included as a discrete file. Instead he had to sniff the USB traffic during a firmware update. He managed to isolate the file and chase down the encryption technique which is being used. It’s a fun read to see how he did this, and we’re looking forward to learning what he can accomplish now that he’s got the goods he was after.

Tamagotchi Hacking, In Depth

In this strangely fascinating talk, you can follow along as [Natalie Silvanovich] reverse engineers some Tamagotchi. Even if you have no interest whatsoever in digital pets, you’ll probably pick up a trick or two by listening to how she went about taking over the toy. She can now push her own images to the screen, and evolve her Tamagotchi at will.

Listening to her story you might be able to pick up a few tricks as she takes almost every angle possible. She uncovers the black blobs, she attempts to socially engineer her way into datasheets, decaps chips, she dumps and breaks down code. It is also worth noting that, in the beginning, internet electronics enthusiasts were adamant that it just had a PIC processor inside and they were wrong. Having an internet full of experts is a wonderful thing, except when it isn’t.

Then again, having that internet full of experts might be her savior in the end: she’s missing a piece of software and is asking if anyone has it available.


Rooting Your AT&T U-verse Modem

Unhappy with the performance of his U-verse modem [Jordan] decided to dig in and see if a bit of hacking could improve the situation. Motorola makes this exclusively for AT&T and there are no other modems on the market which can be used instead. Luckily he was able to fix almost everything that was causing him grief. This can be done in one of two ways. The first is a hardware hack that gains access to a shell through the UART. The second is a method of rooting the device from its stock web interface.

We think the biggest improvement gained by hacking this router is true bridge mode. The hardware is more than capable of behaving this way but AT&T has disabled the feature with no option for an unmodified device to use it. By enabling it the modem does what a modem is supposed to do: translate between WAN and LAN. This allows routing to be handled by a router (novel idea huh?).

More Fun With Syma 107 Reverse Engineering


[Jim] used a logic analyzer to do some in depth analysis of the Syma 107G helicopter’s IR protocol. We’ve seen work to reverse engineer this protocol in the past, but [Jim] has improved upon it.

Instead of reading the IR output of the controller, [Jim] connected a Saleae Logic directly to the controller’s circuitry. This allowed him to get more accurate timing, which helped him find out some new things about the protocol. He used this to create a detailed explanation of the protocol.

One of the major findings is that the controller used a 3 byte control packet, which contradicts past reverse engineering of the device. There’s also a new explanation of how multiple channels work. This allows multiple helicopters to be flown without the controllers interfering.

The write up is quite detailed, and explains the reverse engineering process. It also provides great information for anyone wanting to hack one of these low cost helicopters. From the details [Jim] worked out, it would be fairly easy to implement the protocol on your own hardware.

Nikon WU-1a WiFi Dongle Hacking

Here’s a pretty tricky piece of consumer electronics reverse engineering. [Joe Fitz] came across the Nikon WU-1a. It’s a dongle that plugs into a Nikon D3200 camera, producing a WiFi connection which can be picked up and controlled from a smart phone. The app shows you the current image from the viewfinder, allows you to snap the picture, then pulls down the picture afterwards. The problem is that the same functionality for his D800 camera will cost him $1200, when this dongle can be had for $60. That’s a powerful incentive to find a way to use the WU-1a with his camera model. This is more than just rerouting some wires. It involves sniffing the USB traffic and drilling down in the datasheets for the chips used in the hardware. We’re not certain, but he may have even rolled new firmware for the dongle.

Details are a bit scarce right now. Your best bet is to watch the video embedded after the break. There is also a set of slides which [Joe] put together for a talk at this weekend’s BsidesPDX. It will give you a general overview of the process he went through. But he also started a forum thread and we hope to learn much more from that as the conversation gets going.


Reverse Engineering A Syma 107 Toy Helicopter IR Protocol

Half the fun of buying toys for your kids is getting your hands on them when they no longer play with them. [Kerry Wong] seems to be in this boat. He bought a Syma S107G helicopter for his son. The flying toy is IR controlled and he reverse engineered the protocol it uses. This isn’t the first time we’ve seen this type of thing with the toy. In fact, we already know the protocol has been sniffed and there is even a jammer project floating around out there. But we took a good look at this because of what you can learn from [Kerry’s] process.

He starts by connecting an IR photodiode to his oscilloscope. This gave him the timing between commands and allowed him to verify that the signals are encoded on a 38 kHz carrier. He then switched over to an IR receiver module designed to demodulate this frequency. From there he captures and graphs all of the possible control configurations, establishing a timing and command set for the device. He finishes it off by building a replacement controller based on an Arduino. You can see a video of that hardware after the break.


Digital TV Converter Reverse Engineering

Back when broadcast television was first switching over from analog to digital most people needed to get a converter box to watch DTV broadcasts. Remember that abomination that was “HD-Ready”? Those TVs could display an HD signal, but didn’t actually have a digital tuner in them. Nowadays all TVs come with one, so [Craig] found his old converter box was just gathering dust. So he cracked it open and reverse engineered how the DTV hardware works.

The hardware includes a Thompson TV tuner, IR receiver for the remote control, and the supporting components for an LGDT1111 SoC. This is an LG chip and after a little searching [Craig] got his hands on a block diagram that gave him a starting place for his exploration. The maker of the converter box was also nice enough to include a pin header for the UART. It’s populated and even has the pins labeled on the silk screen. We wish all hardware producers could be so kind. He proceeds to pull all the information he can through the terminal. This includes a dump of the bootloader, readout of the IR codes, and much more.