eInk price tags are ESLs (Electronic Shelf Labels) that let stores change prices dynamically without putting new paper on the shelf. Most ESLs are updated wirelessly and use a custom protocol to communicate.
When tearing open the device, Dmitry found a Marvell chip that annoyed him because of the lack of documentation. The only thing he could find was that it used a Cortex-M3 processor with 512K of Flash and 160K of RAM, and that it speaks Zigbee (an IoT protocol).
Cortex-M chips are debugged through an interface called SWD (single wire debugging). SWD needs only two pins: one for data and one for the clock. After trying a large number of pin combinations, his CortexProg tool found a connection on pins 22 and 23! Sometimes blind guessing works out for ya.
For whatever reason, the Marvell chip has NO protection against reading the ROM out of the chip. So, using the tool mentioned above, it was trivial to read 128K of ROM, set breakpoints and do anything a developer would want to do. The Flash was divided into a bootloader, binary data, peripheral drivers and a Zigbee stack.
The REAL firmware was not in the ROM, though: it was loaded into RAM. The bootloader used commands to talk directly to an internal QSPI bus, so by writing a program that speaks to the bootloader directly, it was possible to dump the device's real firmware. Even though the vendor attempted to password-protect this, they failed miserably: the default password was 0xFFFFFFFFF.
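As an added illustration (not code from Dmitry's write-up or from the vendor's bootloader) of why an unprogrammed password slot defeats the check: erased flash reads back as all ones, so a bootloader that simply compares the stored word with the supplied one accepts 0xFFFFFFFF on every device the vendor never provisioned. The hypothetical `weak_unlock` below reproduces that pattern; `hardened_unlock` treats an unprovisioned slot as locked and compares in constant time.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical layout: a single 32-bit password word stored in flash.
   Erased NOR flash reads as all ones, so an unprovisioned slot is 0xFFFFFFFF. */
#define FLASH_ERASED_WORD 0xFFFFFFFFu

/* Weak check: accept whatever the slot holds. If nobody ever programmed a
   password, the erased value itself is the password and the part is open. */
bool weak_unlock(uint32_t stored_password, uint32_t supplied)
{
    return stored_password == supplied;
}

/* Constant-time byte compare so timing does not reveal how many bytes matched. */
static bool ct_equal(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++) {
        diff |= (uint8_t)(a[i] ^ b[i]);
    }
    return diff == 0;
}

/* Hardened check: an unprovisioned slot (erased, or all zero) means "locked",
   never "open", and the comparison itself is constant-time. */
bool hardened_unlock(uint32_t stored_password, uint32_t supplied)
{
    if (stored_password == FLASH_ERASED_WORD || stored_password == 0u) {
        return false; /* fail closed: no password was ever set */
    }
    return ct_equal((const uint8_t *)&stored_password,
                    (const uint8_t *)&supplied, sizeof stored_password);
}
```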
The protocol works over the 2.4GHz band using QPSK modulation at 250Kbps with 5MHz channel spacing. After struggling to find a tool that supported QPSK modulation, he found one that speaks raw 802.15.4 and used it to interact with the device. Finally, to run custom code on the device, he took the bootloader and patched his own code onto it with some linker magic.
A large portion of the article is about the display of the device, which is not something I cared to take notes on. Dmitry does build his own firmware for the device, with a bunch of interesting twists. He then picks up another one of these devices for fun: the Chroma 74.
When that device was turned on, virtually nothing happened. However, on connecting to the chip, it turned out not to have been code-locked, which made reprogramming and firmware downloading easy.
Overall, another interesting reverse engineering article from Dmitry.