Photo of the spectrophotometer in question, with a screenshot of the decoding software on the right

Exporting Data From Old Gear Through LCD Sniffing

[Jure Spiler] was at a flea market and got himself a spectrophotometer — a device that measures absorbance and transmittance of light at different wavelengths. This particular model seems to be about 25 years old, and it’s controlled by a built-in keyboard and uses a graphical LCD to display collected data. That might have been acceptable when it was made, but it wasn’t enough for [Jure]. Since he wanted to plot the spectrophotometry data and be able to save it into a CSV file, hacking ensued.

He decided to tap into the the display communication lines. This 128×64 graphical display, PC-1206B, uses a 8-bit interface, so with a 16-channel logic analyzer, he could see the data being sent to the display. He even wrote decoder software – taking CSV files from the logic analyzer and using primitive optical recognition on the decoded pixels to determine the digits being shown, and drawing a nice wavelength to absorbance graph. From there, he set out to make a standalone device sniffing the data bus and creating a stream of data he could send to a computer for storage and processing.

[Jure] stumbled into a roadblock, however, when he tried to use an Arduino for this task. Even using a sped-up GPIO library (as opposed to notoriously inefficient digitalRead), he couldn’t get a readout frequency higher than 80 KHz – with the required IO readout rate deemed as 1 MHz, something else would be called for. We do wonder if something like RP2040 with its PIO machinery would be better for making such captures.

At that point, however, he found out that there’s undocumented serial output on one of the pins of the spectrophotometer’s expansion port, and is currently investigating that, having shelved the LCD sniffing direction. Nevertheless, this serves as yet another example for us, for those times when an LCD connection is all that we can make use of.

We’ve seen hackers sniff LCD interfaces to get data from reflow ovens, take screenshots from Game Boys and even equip them with HDMI and VGA ports afterwards. With a skill like this, you can even give a new life to a vintage calculator with a decayed display! Got an LCD-equipped device but unsure about which specific controller it uses? We’ve talked about that!

Continue reading “Exporting Data From Old Gear Through LCD Sniffing”

A Gaggle Of Boards Makes For An I2C Playground

It’s not much of a stretch to assume that the majority of Hackaday readers are at least familiar with I2C. In fact, there’s an excellent chance that anyone who’s ever done more with an Arduino than blink the onboard LED has at one time or another used the serial communication protocol to talk to a sensor, display, or other external gadget. Of course, just because most of us have used it in a few projects doesn’t mean we truly understand it.

If you’re looking to brush up on your I2C knowledge, you could do worse than to follow the guide [András Tevesz] recently wrote up. With a title like Hardware Hacking 101: E01 I2C Sniffing, How to Listen to Your Arduino’s I2C Bus, you know you’re in for a good time. While the document is arguably geared more towards security researchers than electronic hobbyists, the concepts presented can be useful even if you’re just trying to debug your own projects. Continue reading “A Gaggle Of Boards Makes For An I2C Playground”

A Crash Course On Sniffing Bluetooth Low Energy

Bluetooth Low Energy (BLE) is everywhere these days. If you fire up a scanner on your phone and walk around the neighborhood, we’d be willing to bet you’d pick up dozens if not hundreds of devices. By extension, from fitness bands to light bulbs, it’s equally likely that you’re going to want to talk to some of these BLE gadgets at some point. But how?

Well, watching this three part video series from [Stuart Patterson] would be a good start. He covers how to get a cheap nRF52480 BLE dongle configured for sniffing, pulling the packets out of the air with Wireshark, and perhaps most crucially, how to duplicate the commands coming from a device’s companion application on the ESP32.

Testing out the sniffed commands.

The first video in the series is focused on getting a Windows box setup for BLE sniffing, so readers who aren’t currently living under Microsoft’s boot heel may want to skip ahead to the second installment. That’s where things really start heating up, as [Stuart] demonstrates how you can intercept commands being sent to the target device.

It’s worth noting that little attempt is made to actually decode what the commands mean. In this particular application, it’s enough to simply replay the commands using the ESP32’s BLE hardware, which is explained in the third video. Obviously this technique might not work on more advanced devices, but it should still give you a solid base to work from.

In the end, [Stuart] takes an LED lamp that could only be controlled with a smartphone application and turns it into something he can talk to on his own terms. Once the ESP32 can send commands to the lamp, it only takes a bit more code to spin up a web interface or REST API so you can control the device from your computer or other gadget on the network. While naturally the finer points will differ, this same overall workflow should allow you to get control of whatever BLE gizmo you’ve got your eye on.

Continue reading “A Crash Course On Sniffing Bluetooth Low Energy”

Unlocking SIM Cards With A Logic Analyzer

[Jason Gin] wanted to reuse the SIM card that came with a ZTE WF721 wireless terminal he got from AT&T, but as he expected, it was locked to the device. Unfortunately, the terminal has no function to change the PIN and none of the defaults he tried seemed to work. The only thing left to do was crack it open and sniff the PIN with a logic analyzer.

This project is a fantastic example of the kind of reverse engineering you can pull off with even a cheap logic analyzer and a keen eye, but also perfectly illustrates the fact that having physical access to a device largely negates any security measures the manufacturer tries to implement. [Jason] already knew what the SIM unlock command would look like; he just needed to capture the exchange between the WF721 and SIM card, find the correct byte sequence, and look at the bytes directly after it.

Finding the test pads on the rear of the SIM slot, he wired his DSLogic Plus logic analyzer up to the VCC, CLK, RST, and I/O pins, then found a convenient place to attach his ground wire. After a bit of fiddling, he determined the SIM card was being run at 4 MHz, so he needed to configure a baud rate of 250 kbit/s to read the UART messages passing between the devices.

Once he found the bytes that signified successful unlocking, he was able to work his way backwards and determine the unlock command and its PIN code. It turns out the PIN was even being sent over the wire in plain text, though with the way security is often handled these days, we can’t say it surprises us. All [Jason] had to do then was put the SIM in his phone and punch in the sniffed PIN when prompted.

Could [Jason] have just run out to the store and picked up a prepaid SIM instead of cracking open this wireless terminal and sniffing its communications with a logic analyzer? Of course. But where’s the fun in that?

This Thermal Printer Has Serious Game

[Dhole], like the fox, isn’t the first to connect his computer to a Game Boy printer but he has done a remarkable job of documenting the process so well that anyone can follow. The operation is described well enough that it isn’t necessary to scrutinize his code, so don’t be put off if C and Rust are not your first choices. The whole thing is written like a story in three chapters.

The first chapter is about hacking a link cable between two Game Boys. First, he explains the necessity and process of setting the speed of his microcontroller, a NUCLEO-F411RE development board by STMicroelectronics. Once the rate is set, he builds a sniffer by observing the traffic on the cable and listens in on two Game Boys playing Tetris in competition mode. We can’t help but think that some 8-bit cheating would be possible if Tetris thought your opponent instantly had a screen overflowing with tetrominoes. Spying on a couple of Game Boys meant that no undue stress was put on the printer.

Chapter two built on the first chapter by using the protocol to understand how the printer expects to be spoken to. There is plenty of documentation about this already, and it is thoughtfully referenced. It becomes possible to convince a Game Boy that the connected microcontroller is a printer so it will oblige by sending an image. Since there isn’t a reason to wait for printing hardware, the transfer is nearly instantaneous. In the image above, you can see a picture of [Dhole] taken by a Game Boy camera.

The final chapter, now that all the protocols are understood, is also the climax where the computer and microcontroller convince the printer they are a Game Boy that wants to print an image. In the finale, we get another lesson about measuring controller frequency without an oscilloscope. If you are looking for the hack, there it is. There is a handful of success in the form of old receipts with superimposed grayscale images since virgin thermal printer paper by Nintendo costs as much as a used printer.

This story had a happy ending but grab your reading glasses for the smallest Game Boy and here’s someone who wrote their own Game Boy color game.

34C3: Fitbit Sniffing And Firmware Hacking

If you walked into a gym and asked to sniff exercise equipment you would get some mighty strange looks. If you tell hackers you’ve sniffed a Fitbit, you might be asked to give a presentation. [Jiska] and [DanielAW] were not only able to sniff Bluetooth data from a run-of-the-mill Fitbit fitness tracker, they were also able to connect to the hardware with data lines using test points etched right on the board. Their Fitbit sniffing talk at 34C3 can be seen after the break. We appreciate their warning that opening a Fitbit will undoubtedly void your warranty since Fitbits don’t fare so well after the sealed case is cracked. It’s all in the name of science.

There’s some interesting background on how Fitbit generally work. For instance, the Fitbit pairs with your phone which needs to be validated with the cloud server. But once the cloud server sends back authentication credentials they will never change because they’re bound to to the device ID of the Fitbit. This process is vulnerable to replay attacks.

Data begin sent between the Fitbit and the phone can be encrypted, but there is a live mode that sends the data as plain text. The implementation seemed to be security by obscurity as a new Bluetooth handle is used for this mode. This technique prevents the need to send every encrypted packet to the server for decryption (which would be for every heartbeat packet). So far the fix for this has been the ability to disable live mode. If you have your own Fitbit to play with, sniffing live mode would be a fun place to start.

The hardware side of this hack begins by completely removing the PCB from the rubber case. The board is running an STM32 and the team wanted to get deep access by enabling GDB. Unfortunately, the debug pins were only enabled during reset and the stock firmware disables them at startup (as it should). The workaround was to rewrite the firmware so that the necessary GPIO remain active and there’s an interesting approach here. You may remember [Daniel Wegemer] from the Nexmon project that reverse engineered the Nexus 5 WiFi. He leveraged the binary patching he used on Nexmon to patch the Fitbit firmware to enable debugging support. Sneaky!

For more about 34C3 we have a cheatsheet of the first day and for more about Fitbit security, check out this WAV file.

Continue reading “34C3: Fitbit Sniffing And Firmware Hacking”

WiFi Fob Acquaints OLED With ESP

When you think of WiFi in projects it’s easy to get into the rut of assuming the goal is to add WiFi to something. This particular build actually brings WiFi awareness to you, in terms of sniffing what’s going on with the signals around you and displaying them for instant feedback.

[0miker0] is working on the project as his entry in the Square Inch Project. It’s an adapter board that has a footprint for the 2×4 pin header of an ESP8266-01 module, and hosts the components and solder pads for a 128×64 OLED display. These are becoming rather ubiquitous and it’s not hard to figure out why. They’re relatively inexpensive, low-power, high-contrast, and require very few support components. From the schematic in the GitHub Repo it looks like 5 resistors and 7 caps.

The video below shows off two firmware modes so far. The first is an AP scan that reads out some information, the second is a weather-display program. Anyone who’s worked with the ESP modules knows that they have the potential to gather all kinds of data about WiFi signals — one of our favorite demos of this is when [cnlohr] used it to create a 3d light painted map of his WiFi signal strength. Chuck a rechargeable LiPo on this thing, tweak the example code for your needs, and you have a new gadget for wardriving-nouveau.

Continue reading “WiFi Fob Acquaints OLED With ESP”