Hardware Reverse Engineering
Reverse engineering of circuitry hardware and firmware...
65 topics in this forum
-
Help with Duplicating Reverse Engineered USB Commands from Wireshark Using PyUSB on Linux
by bekindpleaserewind- 2 followers
- 1 reply
- 936 views
I'm attempting to reverse engineer a USB HID device with a display on it. It has 4 endpoints (two interfaces), with two endpoints as IN and two endpoints as OUT. I'm duplicating some of the commands that I've captured and I'm having trouble doing so with one of them using PyUSB on Linux. The following two screenshots contain the packet I'm trying to duplicate. The first screenshot is from the Windows host that supports the device, the second is from the Linux machine I am attempting to duplicate the packet on: Wireshark USB Packet Capture Windows Host Wireshark USB Packet Capture Linux Host (PyUSB) Hopefully you can see the difference i…
-
HTC Diamond Unlocker (2008)
by whoknows- 1 follower
- 0 replies
- 649 views
dn 8mb @: https://www.upload.ee/files/16843500/NikeUnlocker.rar.html https://nitroflare.com/view/09FBAD06E1DF2D7/NikeUnlocker.rar device info https://www.gsmarena.com/htc_touch_diamond-2368.php
-
- 4 followers
- 7 replies
- 3k views
I have this code from a TriCore processor and I am trying to reverse engineer it in order to rebuild it using C. It is a seed -> key algorithm that gets a 4-byte seed passed (d4 register), does some algorithm to it and returns a 4-byte key (d2). In the calculation the d1 register gets used as well. First the extracted assembly: movh d0,#0x7777 d0 now 0x7777'0000 sha d15,a4,#-0x1f d15 = a4 >> 0x1f addi d0,d0,#0x123 +0x123 d0 now 0x77770123 mul e0,a4,d0 e0 = a4 * d0 sha d0,d1,#-0xd …
-
Bypass eXecute-Only-Memory (XOM) with ARM
by c0mrade- 3 followers
- 3 replies
- 2.2k views
A greeting to all, I have a firmware dump of an older satellite receiver that has been out of production for some years. This dump has XOM protection (ARM CPU) inside; it is loaded in IDA Pro and I can't even debug it step by step as it is all read-only. Execute-only memory (XOM) allows only instruction fetches, but read and write accesses are not allowed by the protection. With IDA Pro, Ghidra and radare2, I can see the code but it does not allow debugging. Sometimes IDA Pro and Ghidra get blocked when the file is loaded by these programs; radare2 has no problems opening the file but I can't debug it. Are there solutions to bypass this protection? https://community.a…
-
Question about rebuilding a windows xp Media class driver for windows 11.
by 12264447666.william.ashley- 2 replies
- 1.4k views
So I have an old hardware device that was built for windows 2000 / xp - it still is almost as new. Akai MPD16 however the device doesn't work via USB only through its midi 5 din cables. I've looked at the .inf and .sys, and the .inf seems easy enough to modify from win32 xp to windows 11 as not much has changed for driver install locations as far as I am aware. I've taken a look at the .sys in CFF explorer and Hex Editor Neo, and chatted with chatgpt and provided data on it. My understanding is that the .sys file is split into different sections and involves sending midi instructions part of the mpd16 midi sysex instructions that seem more or less standard ak…
-
Patching firmwares
by RADIOX- 1 follower
- 5 replies
- 1.8k views
I have seen many people patching firmware and selling it on the internet, like this website: Chipless firmware for printers Epson I tried to download some original firmware and some patched ones with the same firmware version to compare them, but I couldn’t find any pattern. I created this topic because I think there are smart people here who can help me learn how to do this, at least in the beginning. Thank you.
-
Deleted
by Liodeus- 1 follower
- 0 replies
- 2.6k views
Deleted
-
Uefi Bios backdoor
by H1TC43R- 1 follower
- 24 replies
- 17k views
Has anyone been able to find any master passwords or backdoors for the newer UEFI BIOS? Let me give you an overview of what I'm doing below. I have a Windows 10 x64 based machine which works fine, but I want to get into the BIOS to change settings (boot order etc.). Now, the older machines used to give you a code on the 3 wrong password attempts which then lets you get a master code for it, but these newer machines have a locked password, which again you get 3 attempts then locks up until reboot, no more codes. The BIOS is the American Megatrends v5.65. I don't want to open it up and remove the CMOS at the moment for a few reasons, plus I'm not sure that ol…
-
analyse FILE packed with ElecKey
by prince2023- 1 follower
- 0 replies
- 2.7k views
Hi, I need help to check version.dll is packed with ElecKey
-
Unpack .bin firmware
by MCUDC- 1 follower
- 2 replies
- 3.9k views
This is the firmware of my home satellite receiver. I am trying to unpack it to hide or remove some installed apps but I couldn't access the targeted files. I have tried different scenarios with Binwalk, radare2 & Ghidra but I didn't have any success because I am still a newbie, so I thought to consult the professionals. https://drive.google.com/file/d/1G3J72xMT-Btjl_0-5RCZ00jOSkYujKIM/view?usp=sharing
-
Adapting a QUAD horn by a micro-light switch
by Kirbiflint- 2 followers
- 0 replies
- 3.8k views
Good day everyone, first of all, feel free to delete the post whether its content is not fully pleasant. What I'm sharing with you is a demonstration video on how you can easily re-adapt an electronic device which requires an activation button with an adaptive button, that is the sensitive micro-light switch specifically. It is necessary to take out the circuit board, figure out where the contacts are located and just replace them with those from a 3.5mm audio jack female-to-male adapter cable, as any adaptive switch is provided with a generic jack plug, which you can notice in the video below. That's essentially what it is. Feel free to reach out to me for any part…
-
- 1 follower
- 0 replies
- 7.3k views
Hello, I am trying to reverse engineer a RT85 Retevis handheld radio in order to produce a custom firmware. The main problem I have is to figure out the microcontroller they are using. They went through the effort of grinding the top of the chip to make it harder for people to guess what it is. The remains of a logo are still distinguishable on the bottom of the chip. Does anyone recognize a brand logo? I doubt it is an obscure Chinese manufacturer, otherwise they would have tried to mask it. Also, the programming port has only 4 pins so I guess VDD, VSS, Data and Reset. That already excludes some brands like Microchip which uses at least 5 pins. …
-
Getting Docsis Cable Modem Firmware
by Downloading...- 3 replies
- 16.4k views
Hello guys, I'm trying to get to know my cable modem with integrated router better but I can't seem to find any firmware online (it's a CBN 6643E) I read one guy was able to root it a few years ago and since then it has been updated, but I can't seem to find how he did it. I think he somehow managed to extract the firmware since he asked a binwalk question on devttys0's website. Now before I open up my modem (which is illegal I suppose since it is provided by my ISP) how would I be able to extract the firmware to analyse it? Would it be possible to somehow sniff the traffic from the coax cable to eventually grab an update file or something? There …
-
could someone give me useful information
by donjuan215- 1 follower
- 0 replies
- 6.7k views
Hello friend, could someone tell me how to get around nprotect? I have been searching the tricks forum for weeks and I had no results. I'll go into details, because I want to get around the protection. I have a project here written in C#; the bot performs image recognition and sends the command via sandkeys. The image reading is working perfectly; the problem is in the key simulation. I already changed the name of the calls, class name, and nothing. Even if the bot does not make any changes to the game memory, nprotect does not allow any high click applications that I noticed. The gameguard version is 2631, game name Lovebeat.
-
How to find "0x6857c8" location in an SSD Drive?
by Jason Long- 2 followers
- 0 replies
- 7k views
Hello, I have a device (MITEL 3300) that can't boot at "0x6857c8" address. When I plugged an SSD Drive into that device, then it can't boot at "0x6857c8" address: MITEL SYSTEM ROM R3.1/10 Aug 5 2011 (83 - POWER_ON_RESET) CCA Number : 36879572 Ra.4 System Model : 00620001 F2500 CPU Model : 8360 R80480021 Reset Config Low : 0804008c Reset Config High : b4500006 Coherent System Bus Clock (MHz) : 266 CPM Clock (MHz) : 399 Core Clock (MHz) : 533 DDR Clock (MHz) : 133 Local Bus Clock (MHz) : 66 Input Clock (MHz) : 33 Internal Memory Map : f0000000 Main Memory (MB) : 512 Local Memory (MB) : 0 Flash Memory (MB) : 4 MAC Address : 08000f640a40 POST Bypass : 0 Watchdog …
-
How to remove HPA and DCO of an SSD Drive?
by Jason Long- 2 followers
- 0 replies
- 7.2k views
Hello, I have an ADATA SSD Drive and its DCO is locked. I tried to unlock it with the "OSForensics" tool, but failed! https://pasteboard.co/JGslBt9.png Other tools? Thank you.
-
Building a basic video card
by Kurapica- 1 follower
- 0 replies
- 7.8k views
Part 1 Part 2 Part
-
Crack electromagnetic cards????
by r0mel- 1 follower
- 8 replies
- 12.5k views
Hello, how are you? I am looking for a method for cracking electromagnetic cards. Do friends have any experience in this field? Electromagnetic cards like bank cards or subway cards...
-
Reversing Industrial Firmware...
by Teddy Rogers- 8 replies
- 19k views
Reversing Industrial Firmware http://reversemode.com/index.php?option=com_content&task=view&id=80&Itemid=1 Ted.
-
dumping ram and rom
by perfum2020- 1 follower
- 1 reply
- 12k views
Hi guys, every PLC and HMI has RAM and ROM, so how can I read those? How can I dump them?
-
PLC : S-7 1200 & FATEK
by perfum2020- 6 replies
- 11.9k views
Hi guys, how can I crack a PLC or HMI password? How can I crack an AVR or ARM IC? Is there any real solution?
-
- 0 replies
- 8.4k views
Ted.
-
Analyzing Keyboard Firmware
by mrexodia- 2 replies
- 7.3k views
Hey guys, After a long time I started writing on my blog again. https://mrexodia.github.io/reversing/2019/09/28/Analyzing-keyboard-firmware-part-1 Best regards
-
HSM MPC5748GH
by 7ingsong- 0 replies
- 7.5k views
Hi All, Does somebody know how to activate the HSM module in the DEVKIT-MPC5748G board? Thank you
-
Trying to understand my modem/router - Part 2
by Downloading...- 1 reply
- 25.4k views
Hey guys, I started my journey some time ago here: https://forum.tuts4you.com/topic/39557-getting-docsis-cable-modem-firmware/ My ultimate goal would be to find a remote code execution on the system. The reason, you may ask, is twofold: 1. Learning 2. Being able to access the router without opening it up would be nice. But now I am much further in trying to understand my cable modem / router but I still have so many questions unanswered... What I managed to find so far: *The router has 2 main microcontrollers (one Puma 5 chip and one Realtek chip), what I suppose is that the Puma 5 chip deals with the Modem part and the Realtek chip with th…