## Archive for the ‘Hacking’ Category

### Name that Ware, July 2022

Sunday, July 31st, 2022

The Ware for July 2022 is shown below.

This is yet another fine ware contributed by jackw01. I kind of like how the board on the left went straight from bringup to production, without any attempt to strip out the debug headers or JTAG ports. Which is totally fine, btw: why change something that already meets spec, and might even be helpful with improving yields?…I just have to resist the urge to plug something into said ports.

### Winner, Name that Ware June 2022

Sunday, July 31st, 2022

The Ware for June 2022 is a Cue COVID-19 test cartridge. Congrats to Nathan for identifying it first. Email me for your prize! Also thanks for the comment describing how it works, Frankie — that’s pretty fascinating. I’m copying your comment here so others who might have missed it can benefit from your insights:

The round object in the incubation chamber is a piezoelectric element designed to sonicate the sample solution. This ensures the contents of the lyophilized pellet (which contains the enzymes used for DNA amplification and detection) are well mixed with the sample solution. The PCB has heating elements which melt wax valves when it’s time to send the contents downstream. Lot of clever ideas in the Cue device.

I guess the blue stuff must be the wax valves. I was wondering what that was for. Also — wow, the black element is a mini sonicator. That is downright cool! Now I want to extract it from the plastic and hook it to a signal generator, heh.

### The Plausibly Deniable DataBase (PDDB): It’s Real Now!

Thursday, July 28th, 2022

Earlier I described the Plausibly Deniable DataBase (PDDB). It’s a filesystem (like FAT or ext4), combined with plausibly deniable full disk encryption (similar to LUKS or VeraCrypt) in a “batteries included” fashion. Plausible deniability aims to make it difficult to prove “beyond a reasonable doubt” that additional secrets exist on the disk, even in the face of forensic evidence.

Since then, I’ve implemented, deployed, and documented the PDDB. Perhaps of most interest for the general reader is the extensive documentation now available in the Xous Book. Here you can find discussions about the core data structures, key derivations, native & std APIs, testing, backups, and issues affecting security and deniability.

### Name that Ware, June 2022

Thursday, June 30th, 2022

The Ware for June 2022 is shown below.

Thanks to an anonymous benefactor for donating a few of these for this months’ Ware. The board itself is a bit sparse, but, there are some hefty clues regardless. I think there’s a good chance someone will guess it from this image alone. However, I’ve got a few other images in my back pocket in case it turns out to be too hard to guess. Either way, I’ll add them to this post once some guesses are in!

Because the board is so sparse, I thought maybe it would be fun to also dump the contents of the one chip that is on it. Not that it gives any particularly useful hint about what it does, but because it was fairly easy to do; just an SOIC test clip and a Raspberry Pi does the trick:

sudo i2cdump 1 0x50
I will probe file /dev/i2c-1, address 0x50, mode byte
(sample 1)
0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f    0123456789abcdef
00: 00 00 94 4f 00 9e eb 2e c6 0d 12 bf ee 5b 49 2f    ..?O.??.?????[I/
10: 2e 9d 1e 34 f6 30 dd 1a 05 19 df 35 ab 74 df 75    .??4?0?????5?t?u
20: 06 bc 3d e4 f5 fe 7f 2d e6 8b 5b a2 0f 83 6b b5    ??=????-??[???k?
30: 04 7a 3a ae 68 96 5f f8 55 8a ce 3c 91 be 5b c3    ?z:?h?_?U??<??[?
40: e1 07 00 00 00 00 2e 00 0a 19 08 c9 d9 83 50 10    ??......??????P?
50: 13 20 a3 82 01 30 80 9a fd 92 06 3a 06 31 36 35    ? ???0?????:?165
60: 39 34 4a 12 11 9a 01 0e 08 02 15 00 80 88 c5 20    94J????????.???
70: 01 2d 00 00 c8 c3 00 00 00 00 00 00 00 00 00 00    ?-..??..........
80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
****
f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................

(sample 2)
0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f    0123456789abcdef
00: 00 00 1c 44 fc 2b 6d 07 02 55 9a fe 0d ed 91 98    ..?D?+m??U??????
10: ab 6b 94 51 db bd 2f cb 93 cc e3 b8 e1 17 14 85    ?k?Q??/?????????
20: 9b 5e 0d fd 6b 18 c2 da 67 a6 73 98 99 cb f4 40    ?^??k???g?s????@
30: 3e ab 40 b4 48 eb aa c2 94 94 49 29 12 93 da 3e    >?@?H?????I)???>
40: f0 08 00 00 00 00 2e 00 0a 19 08 95 e2 83 50 10    ??......??????P?
50: 13 20 a3 82 01 30 80 9a fd 92 06 3a 06 31 36 35    ? ???0?????:?165
60: 39 34 4a 12 11 9a 01 0e 08 02 15 00 80 88 c5 20    94J????????.???
70: 01 2d 00 00 c8 c3 00 00 00 00 00 00 00 00 00 00    ?-..??..........
80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
****
f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................


It’s always instructive to dump a couple of samples. Without doing any numerical analysis, eyeballing the two dumps side-by-side makes me think whatever drives this is little-endian (given the formatting of some constants in address 0x40 and above), and the data from 0x04-0x40 is probably cryptographic in nature; assuming the implementation didn’t roll their own cipher, it’s probably either an AEAD, or an HMAC. I say this because the first 2-4 bytes from 0x00-0x04 are likely not ciphertext. However, the block size of AES is 16 bytes, so, it’s not any simple block-based encryption scheme, due to the odd 12 bytes or so that are present. However, the format could make sense if 12 bytes served as the nonce for AES-GCM-SIV, and then maybe the last 16 bytes are the authentication tag; that would yield 32 bytes of encrypted, authenticated data, which would be enough for…

…I’ll stop talking there, before I totally give it away!

Edit: looks like someone has already guessed what it is, so here’s some more photos of it!

The small bit of research I did on the device indicates it uses LAMP for amplification, so the device runs at an elevated but constant temperature, and the results are read out using an electrochemical method. Basically, the reagents are mixed with the sample, and they are pumped through a small channel (lined with some kind of blue film) that goes over gold-plated electrodes on the circuit board. The reaction presumably changes some sort of electrically measurable parameter as it evolves — conductivity, pH, impedance, something like that. I thought the round black object molded into the clear plastic assembly would be a heating element, but it also seems to be an electrode of some sort, as it measures an open circuit before the reagent mix is punctured, but has a high DC impedance once liquids are introduced to the chamber.

The I2C ROM likely encodes per-device calibration parameters, as well as (presumably encrypted and authenticated) traceability data such as expiration dates, serial numbers and the like. The encryption would enforce the expiration of the reagents (hence the disposal of the cartridges to yours truly), and also foil the ability of third parties to make interoperable cartridges.

### Winner, Name that Ware May 2022

Thursday, June 30th, 2022

The Ware for May 2022 is a Lenovo Thinkpad Minidock, Type 4338 from back when I had a T520 Thinkpad — circa 2011, about a decade ago. It’s slightly unusual for its time period, because it was probably one of the last brand-name OEM pieces of hardware that featured a parallel port. As a hardware hacker I bemoaned the parallel port’s obsolescence: it was the closest thing we had to standardized GPIOs on a “full sized OS” until the Raspberry Pi. Anyways, I was cleaning out some old hardware and thought it’d be interesting to see what’s inside. Congrats to Matthew for nailing it, email me for your prize!