Howdy y'all! In this friendly little tweety-box thread, I'd like to share my new project with you. It's called the GoodWatch, and it will be next month at Shmoocon. 1/n
A while back, @david_rysk asked me to dump the firmware of the Wersi SL-M2 51173 Slave Sound Generator, a plugin module for Wersi's DX10 synthesizer. @p4ula sent me three boards from Germany, and this thread will show the extraction process from the saw to the bits. 1/n
Geoff Chappell passed away today on his own terms, surrounded by family and while his good humor remained intact.
Please listen to a Beatles record and read a little assembly code in his honor.
Final drafts of the Second Book of PoC||GTFO have been delivered to @nostarch, containing all the articles from PoC||GTFO 9, 10, 11, 12, and 13. Look for it this summer wherever fine books are sold, and write plenty of notes in the margins.
Over the summer, I got nerd sniped with extracting bits from microscope photographs of mask ROMs. Here is my C++/Qt6 CAD tool for marking and extracting bits, including Design Rule Checks, a variety of export formats and a CLI.
The second collected volume of PoC||GTFO is available for pickup at @defcon, and also for preorder at @nostarch and wherever fine books are sold. Please write in the margins and give a second copy to a clever student.
Not all unlicensed NES games cloned Nintendo's CIC chip. Mig-29 Soviet Fighter by Camerica uses a voltage glitch to crash the console's CIC chip, so that the game can continue without generating the right sequence.
SW1 switches between two different glitching strategies.
I need some good photographs of the MYK78 Clipper Chip, but the best ones available are my own photos from grad school, and those aren't quite good enough.
So let's go step by step and see what's inside! 1/n
Not content to simply theorize about the parrot that traumatized RMS sufficiently to be a part of his speaking rider, @dakami provided the voice sample for an animatronic recreation of the parrot.
"RAAAAAWK! OPEN SOURCE!"
"RAAAAAWK! GNU SLASH LINUX!"
I managed to open source my Android app for reading, writing and executing shellcode in RF430 NFC tags this morning. (Backdoor password for the RF430TAL152H is redacted, but everything else is there.)
cc @cryptax @doegox @PagetPhil
So the exploit is to pull a drill bit to 3.3V, then slowly turn it in the right spot while requesting writes over SATA. When the bond wire is broken, write protection will also break, and the EEPROM can be rewritten.
Ain't that nifty?
Finally, the only daily, global, free map of GPS interference has officially launched: Watch jamming around conflict zones develop over time. Wonder who's jamming GPS all around Moscow. Like all the best maps, it raises more questions than it answers!
I brought one hundred NFC Type 5 microcontroller boards to Shmoocon, which are OTA programmable from Android. You can have one for free if you install the compiler toolchain documented on the Github page.
After half a decade without one, I am proud to announce the first official PoC||GTFO website can be found at . Best viewed with Microsoft Internet Explorer 4 on Windows NT.
Does anyone know this three pin telephone standard from Yugoslavia? I'd like to adapt it to an American telephone line simulator, but I can't figure out the third pin.
There's no semblance of a dial tone or a ring with any pair of pins.
I find myself wondering what a Soviet ROM looks like, so let's tear apart the КР1801РЕ2 from a PDP11 clone, the Электроника БК. If 108 is the mask number, this should hold a part of the BASIC interpreter. 1/n
Dallas DS5002, an early secure microcontroller. Nonvolatile memory is encrypted with a 64-bit key. The chip is also available with an internal microprobe shield, but I don't think that was included in my sample. 1/n
You youngins won't believe this, but back in the day, we had source code listings in grocery store magazine racks, and the expectation was that by now everyone would learn enough to write their own short programs, rather than just the professionals who did it as a career.
Ever wanted to try your hand at decoding photographs of a mask ROM into a .bin file that you can emulate or disassemble, but didn't quite know where to begin? I wrote a tutorial around the GameBoy's boot ROM today, featuring MaskROMTool and Zorrom.
MK51, a single-chip RPN calculator from Электроника. The program ROM is on the right side, but bits are not surface visible. Maybe I can reveal them with delayering or a Dash etch.
For students who know C but haven't yet done firmware, I can't recommend enough this write up by @jg_lim. All the tools are described, and nothing is left as a magic trick or a mystery.
Back in January, I complained to @evm_sec about not having a decent database of Thumb2 functions to recover from statically linked firmware, so we wrote a web API at and clients for IDA, GHIDRA, and Binja. Upload 18 bytes of a function, download the name.
I finally have a bit-perfect copy of the MYK82 Fortezza chip's ROM. Comparing it against an older dump shows that I had only 0.1% of the bits wrong.
To get that perfect dump, I just marked two photographs and then reconciled errors until they matched.
In all my years of embedded systems, @Voja_Antonic is the only fellow I've ever bugged for an autograph. It embarrassed the hell out of him, as it annoys the hell out of me, but now that he's the first to ship a badge that runs BASIC, I regret nothing.
How often do you lock your car?
I bought my pickup without door keys, so I've been leaving it unlocked in the city for three or four years. It was finally broken into today, and I snapped a photo of the perpetrator.
The radio is based on the same CC1101 core that the GirlTech IMME used, so all the old IMME hacks are portable. My reflexive jammer for P25, Mike Ossmann's iClicker emulator, and Samy's OpenSesame can all be adapted to this platform. 10/n
Tempted to try a voltage glitching attack, but worried that you can't make the timing precise enough? Turns out it's possible to glitch out the firmware protection on the STM8 with a pair of 555 timers!
And while the GoodWatch10 was certainly the coolest hex editor watch to wear last month, things can be niftier. In this photo, a GoodWatch20 is beaconing my #hamradio callsign to a Yaesu 817 as Morse code. 7/n
At @reconmtl in a couple of weeks, I'll be teaching how to reverse engineer ROMs from photographs.
Today I pushed an example to Github. This is a dump of the MYK82 chip in a Fortezza card, a successor to the Clipper Chip. 1/n
I'll be speaking about the GoodWatch project at Defcon's @WiFi_Village today, 11h00. Learn how to make your own, with frequency counter, hex editor, and years of battery life in a stylish Casio case.
Code and hardware at
The good folks at @nostarch are running a sale this weekend, so maybe it's time to order some fine technical books and build a crazy project with what you learn in them?
In case you missed it this weekend, @BitBangingBytes dumped the firmware from a Kenwood TH-D74 ham radio, and I posted some initial notes on reverse engineering the string localization and CAT commands at
If you pirated TV twenty years ago, could you kindly look through your smart card collection for any Nagra1 cards?
They look like this, and I'd very much like to have more of them for a history project, even though they have long been useless for watching TV.
It's always weird taking apart Soviet electronics. This Электроника МК-52 uses white blobs instead of black blobs for its wire bonded chips.
Anyone know which blob holds the main ROM?
When you have a speaking lesson in @duolingo on Android, try hitting the button to speak immediately as the sentence appears.
Because of a race condition, Lily will speak for you and the speech recognition will pass.
I released a new build of for Windows and Mac today. It includes a new CLI tool for decoding ROM bits and has OpenGL enabled by default. Dual-screen support was added in the last release, but it's handy enough that I'll mention it again.
Lately I've been digging back into the MSP430F449, an old microcontroller that's used in some battery powered medical equipment. It has a 160-segment LCD controller, 60kB of code memory, and 2kB of RAM. Its 12-bit ADC can be used for sampling the outside world. 1/4
The GoodWatch and other projects were helpfully financed by @skytee, who has been funding my recent sabbatical by paying me one dollar for every day since I last wasted an hour of my life in a daily SCRUM meeting.
Thanks, neighbor! 16/n
I documented how to load the MD380 radio's firmware and symbols from the md380tools project into GHIDRA. Should work as a handy example for other embedded ARM targets, including stubborn compatibility between the decompiler and Thumb literal pools.