Matthew Alt (WrongBaud) started off soldering chips and reprogramming them at a car race track. He teaches a hardware hacking course that focuses on reverse engineering. The introduction is long but eventually goes into a presentation on reverse engineering a Street Fighter II cabinet. NOTE: There is a workshop for this online now.
At the beginning, Matthew shows a Namco arcade board. Apparently, with that particular chipset, the SD card slot can be repurposed as a JTAG interface. He has removed the SD card slot and attached wires to it. I had no idea this was a thing!
Matthew has a course on Hackaday about reverse engineering embedded devices. According to him, breaking the device down component by component gives a good picture of how to attack it. Additionally, a narrow, well-defined goal, instead of reverse engineering absolutely everything, keeps the work within a reasonable time frame. They even have a 5-day course where they send ALL of the targets to you to hack (VoidStarSec).
The Street Fighter 2 Championship Edition arcade cabinet is the target of this attack. The goal was to turn the device into something that will run a custom program, such as Doom. To do this, the author lays out that we need to extract the non-volatile storage and analyse the firmware (operating system and application structure).
The first thing to do is to survey ALL internal and external components and interfaces. Externally, the SFII cabinet has a USB port for charging and an audio jack. In the teardown, the author is looking for processors, non-volatile storage, debug interfaces, and any naming conventions on the board. The largest, most central chip with the most traces going to it is likely the CPU.
While looking at the board, there are a few headers that are silk-screened GND/TX. These may be debug headers that could be useful later on. Further along the PCB, they found an SPI flash chip that likely holds the firmware, since it is the only non-volatile chip on the board.
Remember the USB port that was only used for charging? The USB port has pins for data plus and data minus. To an engineer with their thinking cap on, this must mean it is used for something else! It turns out that it was also used for multi-player mode.
If nothing is named or labeled, using a logic analyzer is the best way to find out how things are working. By tapping into the lines, we can learn quite a bit about the system. But a lack of markings on the chips does make this significantly harder.
By connecting to the debug headers over UART at the right baud rate, a large amount of information is output. From these boot logs, the memory mapping is shown, the emulator being used is shown, and a file path is disclosed. Now the clues, detective-style, are starting to add up! However, no UART shell :(
By accessing the SPI chip directly, the firmware can be dumped. The author literally uses a Raspberry Pi with the flashrom tool. The connection to the SPI chip uses an alligator clip. Using binwalk and strings, they were able to reverse engineer how the device stores its files and how it works.
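The dump-and-triage step above, as an added shell example (not from the talk or its slides): it reads the flash twice with flashrom from a Raspberry Pi, refuses to trust an image that is all 0xFF/0x00 or that does not match on the second read, and only then hands it to binwalk and strings. It assumes flashrom's linux_spi programmer with the chip wired to /dev/spidev0.0 and binwalk/strings on the PATH.

```shell
#!/bin/sh
# Added example: dump an SPI flash from a Raspberry Pi, confirm two independent
# reads agree, and sanity-check the image before binwalk/strings triage.
# Assumptions: flashrom linux_spi programmer, clip on the flash wired to
# /dev/spidev0.0 with the board powered off, binwalk and strings installed.
set -eu

SPI_DEV="${SPI_DEV:-/dev/spidev0.0}"   # assumed spidev node on the Pi
SPI_SPEED="${SPI_SPEED:-1000}"         # kHz; lower it if reads are unstable

# Read the whole flash into the given file (flashrom probes the chip itself).
read_flash() {
    flashrom -p "linux_spi:dev=${SPI_DEV},spispeed=${SPI_SPEED}" -r "$1"
}

# Exit 0 when every byte is 0xFF or 0x00: that almost always means the clip is
# not making contact or the chip is unpowered, not that the flash is empty.
is_blank_dump() {
    if od -An -v -tx1 "$1" | tr -s ' \n' '\n\n' | grep -v '^$' \
            | grep -qv -e '^ff$' -e '^00$'; then
        return 1
    fi
    return 0
}

# Two independent reads must match byte for byte before the image is trusted;
# a single read over a clip can silently return corrupted data.
verify_dumps() {
    if cmp -s "$1" "$2"; then
        command -v sha256sum >/dev/null && sha256sum "$1"
        return 0
    fi
    echo "dumps differ: reseat the clip or lower SPI_SPEED and retry" >&2
    return 1
}

# First-pass triage of a verified image: embedded filesystems/compressed
# blobs, plus absolute paths like the one the UART boot log already leaked.
analyze_dump() {
    binwalk "$1"
    strings -n 8 "$1" | grep -E '^/' | sort -u | head -n 40
}

if [ "${1:-}" = "--run" ]; then
    read_flash dump1.bin
    read_flash dump2.bin
    if is_blank_dump dump1.bin; then
        echo "dump is all 0xFF/0x00: check clip contact and chip power" >&2
        exit 1
    fi
    verify_dumps dump1.bin dump2.bin && analyze_dump dump1.bin
fi
```

Run it as `sh dump_spi.sh --run` on the Pi; without `--run` it only defines the functions so they can be reused or tested on existing images.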
From looking at how the data is stored (mainly the file types) and at the chip being used, they found that sunxi (Allwinner) chips have an FEL loader. This is awesome, because it is a debug interface that allows us to directly interact with the board. The FEL loader is a low-level subroutine contained in the BootROM of all Allwinner devices. The USB connector having data+ and data- pins now makes much more sense!
How do we trigger the FEL loader, though? They reverse engineered the boot process and attempted to find a point at which it could be interrupted. FEL mode can be triggered by holding certain IO lines on boot. They found out that by holding the volume down button, FEL mode was advertised over the USB interface. I assume they just tried different things to figure out the volume down button.
The FEL interface allows the flash to be rewritten and dumped. At this point, more software reverse engineering needs to be done in order to add our own ROMs to the board. Hurray! There's a whole slide deck for this with more details here.