Glitching USB Firmware For Fun

[Micah Elizabeth Scott], aka [scanlime], has been playing around with USB drawing tablets, and got to the point that she wanted with the firmware — to reverse engineer, see what’s going on, and who knows what else. Wacom didn’t design the devices to be user-updateable, so there aren’t copies of the ROMs floating around the web, and the tablet’s microcontroller seems to be locked down to boot.

With the easy avenues turning up dead ends, that means building some custom hardware to get it done and making a very detailed video documenting the project (embedded below). If you’re interested in chip power glitching attacks, and if you don’t suffer from short attention span, watch it, it’s a phenomenal introduction.

Continue reading “Glitching USB Firmware For Fun”

Dumping U8Plus Smartwatch ROM Via Vibration Motor

[Lee] continues with his exploration of the U8Plus (a cheap smartwatch). He hasn’t got it all cracked, yet, but he did manage to get a dump of the device’s ROM using an unusual method. At first, [Lee] thought that the JTAG interface (or, at least, the pins presumed to be the JTAG interface) would be a good way to explore the device. However, none of the people experimenting with the device have managed to get it to work.

Instead, [Lee] went through the serial bootloader and dumped the flash memory. He found out, though, that the bootloader refused to read the ROM area. It would, however, load and run a program. Unfortunately, no one has found how to access the UART device directly, but they have found how to drive the vibration motor.

[Lee] took off the vibration motor and used it as an output port for a simple program to dump the ROM. An Arduino picked up the data at a low baud rate and produced an output file. This should allow more understanding of how to drive the watch hardware.

We covered the initial teardown of this watch earlier this year. Of course, if you don’t want to reverse engineer a smartwatch, you could always build your own.

“Hello Barbie” Not An IoT Nightmare After All

Security researchers can be a grim crowd. Everything, when looked at closely enough, is insecure at some level, and this leads to a lot of pessimism in the industry. So it’s a bit of a shock to see a security report that’s filled with neither doom nor gloom.

We’d previously covered Somerset Recon’s initial teardown of “Hello Barbie” and were waiting with bated breath for the firmware dump and some real reverse engineering. Well, it happened and basically everything looks alright (PDF report). The Somerset folks desoldered the chip, dumped the flash ROM, and when the IDA-dust settled, Mattel used firmware that’s similar to what everyone else uses to run Amazon cloud service agents, but aimed at the “toytalk.com” network instead. In short, it uses a tested and basically sound firmware.

The web services that the creepy talking doll connected to were another story, and were full of holes that were being actively patched throughout Somerset’s investigation, but we were only really interested in the firmware anyway, and that looked OK. Not everything is horror stories in IoT security. Some stories do have a happy ending. Barbie can sleep well tonight.

Saving Old Voices By Dumping ROMs

Some people collect stamps. Others collect porcelain miniatures. [David Viens] collects voice synthesizers and their ROMs. In this video, he just got his hands on the ultra-rare Electronic Voice Alert (EVA) from early 1980s Chrysler automobiles (video embedded below the break).

Back in the 1980s, speech synthesis was in its golden years following the development of TI’s linear-predictive coding speech chips. These are the bits of silicon that gave voice to the Speak and Spell, numerous video game machines, and the TI 99/4A computer’s speech module. And, apparently, some models of Chrysler cars.

IMG_0695We tracked [David]’s website down. He posted a brief entry describing his emulation and ROM-dumping setup. He says he used it for testing out his (software) TMS5200 speech-synthesizer emulation.

The board appears to have a socket for a TMS-series voice synthesizer chip and another slot for the ROM. It looks like an FTDI 2232 USB-serial converter is being used in bit-bang mode with some custom code driving everything, and presumably sniffing data in the middle. We’d love to see a bunch more detail.

The best part of the video, aside from the ROM-dumping goodness, comes at the end when [David] tosses the ROM’s contents into his own chipspeech emulator and starts playing “your engine oil pressure is critical” up and down the keyboard. Fantastic.

Continue reading “Saving Old Voices By Dumping ROMs”