Injecting Code Into Mouse Firmware Should Be Your Next Hack

Here’s a DEF CON talk that uses tools you likely have and it should be your next hacking adventure. In their Saturday morning talk [Mark Williams] and [Rob Stanely] walked through the process of adding their own custom code to a gaming mouse. The process is a crash course in altering a stock firmware binary while still retaining the original functionality.

The jumping-off point for their work is the esports industry. Esports events have exploded in scale in recent years. The International 2016 tournament drew 17,000 attendees with 5 million watching online. The prize pool of $20 million ($19 million of that crowdfunded through in-game purchases) is a big incentive to gain a competitive edge. Contestants are allowed to bring their own peripherals, which raises the question: can you alter a stock gaming mouse to do interesting things?

The SteelSeries Sensei mouse was selected for the hack because it has an overpowered microcontroller: the STM32F103CB. With 128 KB of flash, the researchers guessed there would be enough spare room for them to add code. STM32 chips are programmed through ST-Link, which comes built into the inexpensive ST Discovery boards. They chose the STM32F4DISCOVERY, which runs around $20.

Perhaps the biggest leap in this project is that the firmware wasn’t read-out protected (the chip’s RDP option was left off). Once the data, clock, and ground pads on the underside of the board were connected to the Discovery board, the firmware was easy to dump and the real fun began.

They first looked through the binary for a large block of zero values signifying unused space in flash. The injected firmware is designed to enumerate as a USB keyboard, open Notepad, then type out, save, and execute a PowerShell script before throwing back to the stock firmware (ensuring the mouse would still function as a mouse). Basically, this builds a USB Rubber Ducky into stock mouse firmware.

There are a few useful skills that make taking on this project a worthwhile learning experience. To compile your custom code correctly you need to choose the right offset address for where it will end up once pasted into the firmware binary. The vector table of the original code must be rewritten to jump to the injected code first, and the injected code needs to jump back to the mouse firmware once it has run. The program flow on the left shows this. Both of these jumps require the program counter and registers to be saved and restored. The ARM stack grows downward (it is subtractive), so the stack address needs to be adjusted to account for the added code.
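The flip side of the technique above is how you would notice it: a dumped image whose reset vector no longer points where the stock firmware’s did, and whose formerly all-zero spare flash now contains code. The following is an added example, not code from the talk or the MDHomeBrew repo. It assumes an STM32F103CB memory map (128 KB flash at 0x08000000, 20 KB SRAM at 0x20000000), a raw dump that starts at the flash base, a vector-table region size taken from the medium-density startup layout, and two sample images constructed in-line to stand in for a known-good dump and a suspect one.

```python
"""Integrity check for a dumped Cortex-M (STM32F103CB) firmware image.

Assumptions (not from the talk or the MDHomeBrew repo): STM32F103CB memory
map, a raw dump starting at the flash base, and the constructed sample
images built by make_sample_images().
"""
import struct

FLASH_BASE = 0x08000000
FLASH_SIZE = 128 * 1024          # STM32F103CB: 128 KB of flash
SRAM_BASE = 0x20000000
SRAM_SIZE = 20 * 1024            # STM32F103CB: 20 KB of SRAM
# Assumed size of the region reserved for the vector table in the
# medium-density STM32F103 startup layout (includes the word at 0x108).
VECTOR_REGION = 0x10C


def parse_vectors(image):
    """Initial stack pointer and reset handler: the first two words of the image."""
    return struct.unpack_from("<II", image, 0)


def check_vectors(image):
    """Return sanity findings for the first two vectors (empty list if plausible)."""
    sp, reset = parse_vectors(image)
    findings = []
    # The ARM stack grows downward, so the initial SP sits at or below the top of SRAM.
    if not SRAM_BASE < sp <= SRAM_BASE + SRAM_SIZE:
        findings.append("initial SP outside SRAM")
    if not reset & 1:
        findings.append("reset vector lacks Thumb bit")
    if not FLASH_BASE <= (reset & ~1) < FLASH_BASE + FLASH_SIZE:
        findings.append("reset vector outside flash")
    return findings


def diff_images(baseline, candidate):
    """Group differing bytes into (offset, length, kind) regions.

    kind is 'vector_table' inside the vector region, 'unused_space' where the
    baseline held only zeros (the spare flash an injector would fill), and
    'code_data' elsewhere.
    """
    if len(baseline) != len(candidate):
        raise ValueError("images differ in size")
    regions = []
    i, n = 0, len(baseline)
    while i < n:
        if baseline[i] == candidate[i]:
            i += 1
            continue
        j = i
        while j < n and baseline[j] != candidate[j]:
            j += 1
        if i < VECTOR_REGION:
            kind = "vector_table"
        elif not any(baseline[i:j]):
            kind = "unused_space"
        else:
            kind = "code_data"
        regions.append((i, j - i, kind))
        i = j
    return regions


def reset_target_changed(baseline, candidate):
    """True if the reset handler now points somewhere other than in the baseline."""
    return parse_vectors(baseline)[1] != parse_vectors(candidate)[1]


def make_sample_images():
    """Constructed sample: a 4 KB 'stock' image and a copy whose reset vector was redirected."""
    base = bytearray(4096)
    struct.pack_into("<II", base, 0, SRAM_BASE + SRAM_SIZE, (FLASH_BASE + 0x100) | 1)
    base[0x100:0x400] = (bytes(range(1, 256)) * 4)[:0x300]  # stand-in for stock code
    mod = bytearray(base)
    struct.pack_into("<I", mod, 4, (FLASH_BASE + 0x800) | 1)  # reset now lands in spare flash
    mod[0x800:0x900] = b"\xbe" * 0x100                       # stand-in for added code
    return bytes(base), bytes(mod)


if __name__ == "__main__":
    stock, suspect = make_sample_images()
    print("vector sanity:", check_vectors(suspect) or "ok")
    print("reset target changed:", reset_target_changed(stock, suspect))
    for off, length, kind in diff_images(stock, suspect):
        print(f"  +0x{off:04x} len 0x{length:x} {kind}")
```

On real hardware the baseline would be a dump taken from a known-clean unit (or the vendor’s update image), and a region classified as `unused_space` is the one worth disassembling first, since nothing legitimate should have appeared there between two builds of the same firmware.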

The talk ended with a live demo that worked like a charm. You can check out the code in the MDHomeBrew repo. In this case the PowerShell script adds keyboard shortcuts for DOOM cheats. But like we said before, the experience of getting under the hood with the firmware binary is where the value will be for most people. With this success under your belt you can take on more difficult challenges like [Sprite_TM’s] gaming keyboard hack, where the firmware couldn’t easily be dumped and the update binary was quite obfuscated.

Gecho Pocket Synth Looper

[Mario] wrote us with his synthesizer project that’s currently up on Kickstarter. It looks like a good amount of fun to play with, as you can see in the video on the Kickstarter page. But it’s also built to be easily hackable.

On the hardware front, it’s a tiny four-layer board that’s crammed with parts. At the core is an STM32F4 microcontroller and a DAC. Indeed, the build was inspired by other folks’ work on the STM32F4 Discovery dev kit that has been used to make some pretty interesting synthesizer devices. [Mario]’s version adds two stereo headphone outputs, two microphone inputs, two IR reflective distance sensors used as control inputs, some buttons, and a ton of LEDs. And then it makes good use of all of them.

The firmware isn’t open source yet (poke! poke!) but it looks like it’s going to be. On his blog, [Mario] works through an example of adding a drum machine into the existing firmware, so it looks like it’ll be hackable.

Squeezing a lot of DSP functionality out of a single microcontroller is a feat. On a similar chip from a different manufacturer, [Paul Stoffregen]’s Teensy Audio Library could also be made to do a lot of the same things. But the real beauty of the Gecho project is that it has some interesting hardware features already built in and ready to go. It wouldn’t be a bad launching pad for your own musical or audio explorations.

New Part Day: ST’s 32-Bit 3D Printer Controller

There are a few 32-bit ARM-based 3D printer controller boards out there such as the Smoothieboard, the Azteeg X5 mini, [Traumflug]’s Gen5 electronics, whatever board is in the Monoprice MP Mini Select, and several others I will be criticized for not mentioning. All of these ARM boards provide smoother acceleration, better control, and ultimately better prints from whatever 3D printer they’re controlling. Now, out of the blue, there’s a new board. It’s an evaluation board from ST — much like those famous Discovery boards — that sells itself as a plug and play solution for 3D printers.

The heart of this board is an STM32F401 — not the king of the STM32 line or the fastest ARM microcontroller, but anything faster or more capable will add considerably more to the BOM for this board. This controller board features six of ST’s L6474 motor drivers with enough current for some beefy NEMA 23 stepper motors, a multi-zone heated bed, and connections for a WiFi module and external LCD and keypad. You can buy this board right now for $118. This board isn’t a game changer, but it is evidence the game has been changed.

As with all 3D printer controller boards, there are a few aspects that will leave users wanting more. This is a board meant for 12V heaters (except for the bed, which has a 24V, 20A output), and the stepper drivers can only go up to 16 microsteps. That said, there’s not much else to complain about. This offering comes with a 32-bit firmware called Marlin4ST. From a quick perusal, it looks like the familiar configuration.h is still there, and still does what it’s supposed to do.

This ST Discovery board is extremely capable, available now, and relatively cheap, but that’s not really the big story here. What this board represents is a reference design and working firmware for a 32-bit ARM-based printer controller. That’s the future, and with this board the future might come a little sooner.

Thanks [jagerboots] for sending this one in.

Hackaday Links: March 28, 2016

[Tom] sent this in to be filed under the ‘not a hack’ category, but it’s actually very interesting. It’s the User’s Guide for the Falcon 9 rocket. It includes all the data necessary to put your payload on a Falcon 9 and send it into space. It’s a freakin’ datasheet for a rocket.

A year ago in Japan (and last week worldwide), Nintendo released Pokkén Tournament, a Pokemon fighting game. This game has a new controller, the Pokkén Tournament Pro Pad. There were a few cost-cutting measures in the production of this game pad, and it looks like this controller was supposed to have force feedback and LEDs. If any Pokemon fans want to take this controller apart and install some LEDs and motors just to see what happens, there’s a Hackaday write up in it for you.

There are a lot of options for slicing 3D objects for filament-based 3D printers. Cura, Slic3r, and MatterControl are easily capable of handling all the slicing needs you’ll ever have for a filament 3D printer. For stereolithography (resin) printers, the options for slicing are limited. [skarab] just put together a new slicer for SLA that runs entirely in JavaScript. If anyone wants to turn a Raspi or BeagleBone into a network controller for a resin printer, here’s your starting point. [skarab] will be working on Smoothieboard integration soon.

The STM32F4 is an extremely capable ARM microcontroller. It can do VGA at relatively high resolutions, emulate a Game Boy cartridge, and can serve as the engine control unit in a 1996 Ford Aspire. There’s a lot of computing power here, but only one true litmus test: the STM32F4 can run Doom. [floppes] built this implementation of Doom on the STM32F429 Discovery board to run off of an external USB memory stick. The frame rate is at least as good as what it was back in 1993.

The Oculus Rift has just come to pass, but one lucky consumer got his early. The first person to preorder the Rift, [Ross Martin] of Anchorage, Alaska, got his facehugger directly from [Palmer Luckey] in a PR stunt on Saturday afternoon. Guess what [Ross] is doing with his Rift?


Embed With Elliot: ARM Makefile Madness

To wrap up my quick tour through the wonderland of make and makefiles, we’re going to look at a pair of possible makefiles for building ARM projects. Although I’m specifically targeting the STM32F407, the chip on a dev board that I have on my desk, it’s reasonably straightforward to extend these to any of the ST ARM chips, and only a bit more work to extend it to any ARM processor.

If you followed along in the first two installments of this series, I demonstrated some basic usages of make that heavily leveraged the built-in rules. Then, we extended these rules to cross-compile for the AVR series of microcontrollers. Now we’re going to tackle a more complicated chip, and that’s going to mean compiling with support libraries. While not required, it’s a lot easier to get an LED blinking on the ARM platforms with some additional help.

One of the main contributions of an IDE like Arduino or mbed or similar is the ease of including external libraries through pull-down menus. If you’ve never built a makefile-based project before, you might be surprised how it’s not particularly more difficult to add libraries to your project.

Software Controlled Hard Drive Solenoid Engine

[Fabien-Chouteau] submitted his interesting solenoid engine. In an internal combustion, steam, or pneumatic piston engine, the motive force is produced by expanding gas. In [Fabien]’s little engine it is produced by the arm of a hard drive. Solenoid engines are usually just for show, and come in all shapes and sizes. If you want to move something using electricity an axial motor is probably a better bet. But if you want a challenge and a learning experience, this is hard to beat.

[Fabien] had some problems to solve before his motor made its first revolution. Just like a piston engine, the timing needed to be exact. The arm firing at the wrong time could cause all sorts of trouble, the equivalent of a backfire in a combustion engine. An STM32F4 Discovery board was coupled with a Hall-effect sensor and a MOSFET. When the board read that the arm had moved back to the most efficient position for firing, it sent a pulse through the coil. Just like a regular engine, getting the timing right makes all the difference. Once [Fabien] got it tuned up, his motor could spin at a steady 3000 rpm.


Open Source ESC Developed For Longboard Commute

For electric and remote control vehicles – from quadcopters to electric longboards – the brains of the outfit is the Electronic Speed Controller (ESC). The ESC is just a device that drives a brushless motor in response to a servo signal, but in that simplicity is a lot of technology. For the last few months, [Ben] has been working on a completely open source ESC, and now he’s riding around on an electric longboard that’s powered by drivers created with his own hands.

The ESC [Ben] made is built around the STM32F4, a powerful ARM microcontroller that’s able to do a lot of computation in a small package. The firmware is based on ChibiOS, and there’s a USB port for connection to a sensible desktop-bound UI for adjusting parameters.

While most hobby ESCs are essentially black boxes shipped from China, there is a significant number of high performance RC pilots that modify the firmware on these devices. While these new firmwares do increase the performance and response of off-the-shelf ESCs, building a new ESC from scratch opens up a lot of doors. [Ben]’s ESC can be controlled through I2C, a UART, or even a CAN bus, greatly opening up the potential for interesting electronic flying machines. Even for ground-based vehicles, this ESC supports regenerative braking, sensor-driven operation, and on-board odometry.

While this isn’t an ESC for tiny racing quadcopters (it’s complete overkill for that task) this is a very nice ESC for bigger ground-based electric vehicles and larger aerial camera platforms. It’s something that could even be used to drive a small CNC mill, and certainly one of the most interesting pieces of open source hardware we’ve seen in a long time.
