Archive for the ‘Hacking’ Category

ISSCC 2006

Monday, January 30th, 2006

Well, it’s time for a shameless plug. I’m going to be talking this year at the International Solid State Circuits Conference in San Francisco, CA. I’ll be presenting the paper for my day-job company (Luxtera) in session 13.7, “A 10Gb/s Photonic Modulator and WDM MUX/DEMUX Integrated with Electronics in 0.13µm SOI CMOS”. The talk should be pretty exciting–we will be showing some really remarkable results. I can’t talk about it here due to the rules of the conference, but maybe after I’ve given the talk I can expound on things a bit. If you’re going to be at the conference, give me a holler!

Here’s the abstract of the talk:

Monolithic integration of both photonic and electronic components operating at 10Gb/s in a 0.13µm SOI CMOS process for PowerPC processors is presented. A modulator uses free carrier plasma dispersion in a reverse-biased PIN optical phase shifter in a Mach-Zehnder interferometer. An AWG demultiplexer uses a forward-biased PIN phase shifter to compensate the optical path length improving the channel separation.

Basically, Luxtera is the first company to realize a fully integrated silicon-photonic system. This kind of integration brings the benefits of silicon economy to photonics, which means that fiberoptics will become cheap enough to be a standard feature in desktops in the not too distant future. </shameless plug>

Name that Ware January 2006

Monday, January 30th, 2006

The Ware for January, 2006, is shown below. Click on the image for a much larger view.

This is the first time I’ve welcomed a guest ware into the contest. A friend at work (Mike Fitzmorris) handed me this unit and asked me to guess what this was, and suggested that perhaps I could put it up for the contest. To be honest, I couldn’t guess what it was off-hand (other than it was something used in a car), partially because one key part (a sensor) was removed to reveal the circuit board. So, I figured perhaps I could put it up this month and see if it doesn’t stump a few other people as well!

January has been a hectic month (I got a probe station with a laser cutter!!!), and once again I am posting my ware at the last possible minute to still call it January’s ware. Let’s hope I don’t miss February outright! I have been able to find the time to make minor contributions to the Free60 project (see if you can’t guess which pages are mine…I’ve been posting under a different alias to avoid undue attention, as that can be harmful to good teamwork and make it difficult to receive honest peer review), and it has been very interesting to watch the progress of the project overall. Currently, it seems that the shader hack is still quite promising, as well as people looking directly at the DVD firmware. The quality and acumen of the hackers out there is simply outstanding. I don’t think you could raise enough money to form a company of finer and more motivated engineers–and remarkably, nobody is being paid to do this. I guess that’s the power of passion.

Winner of Name that Ware December 2005!

Monday, January 30th, 2006

As predicted, this one was a cinch. Roastbeef posted a correct answer within an hour of the contest going up. Congratulations Roastbeef! I got a rise out of your comment about the improperly named reference designator. And in fact, James Walter guessed the exact model of the G-meter, the G-tech Pro (how do you guys do that?). I got this as a novelty item on loan from a friend of mine to test out in my car. It’s probably the most direct application of freshman physics and the integral that I’ve ever seen…the device measures your acceleration, and from there it integrates over time and infers your position and velocity. Given these values, it reports statistics such as your 0-60 mph times, your quarter-mile performance, and the effective horsepower of your car. It’s surprisingly accurate and robust (so long as you have it mounted correctly–it only measures acceleration along a single axis), although I’ll have to say I wasn’t able to pull off the advertised 4.8 second 0-60 time for my car (almost certainly due to operator error, since I was breaking traction in second gear every time I tried). Thanks again to everyone for playing!

Name that Ware December 2005

Saturday, December 31st, 2005

The Ware for December, 2005, is shown below. Click on the image for a much larger view.

A friend of mine gave this to me to try out, and I had to open it up to see what was inside. I was a bit surprised when I looked in there, I thought there would be a lot more, but I guess simplicity is elegance. The board was well-marked, so I had to pixelate portions of the silkscreen and chip markings to make this contest non-trivial. However, based on past performance, I’m guessing people will figure this one out in no time flat.

Again, sorry for this month’s ware coming so late! I’m posting at the last possible moment to still claim a ware for December, 2005. It’s been an exciting month though; a lot of very interesting projects I’m working on have passed pivotal stages and I’m looking forward to seeing what January will bring. I’ve also been observing the progress on the Xbox360 hacking, and I’m impressed. The hacking scene is more or less an organized anarchy that is frightfully productive. Now that I’ve had a little brush with being a manager in my day job, I can see that clarity of purpose obviates the need for management; people just self-organize and things happen. I could ponder on this for many paragraphs, but I’ll spare you my treatise on human social behavior.

At any rate, some very interesting things are afoot. Much of it stems from the discovery of an all-media bootable kiosk demo disk. Many hackers will instantly recognize the value of this, but it’s still interesting to reflect on the significance of this find.

Like the original Xbox, the Xbox360 uses a media flag on its executables. The media flag tells the OS what type of media it should be on; typically, games are released with the flag set to Microsoft’s proprietary secure Xbox DVD format (which is in itself not that secure…). Significantly, only the executable is signed for a game; the data sections typically are not signed (presumably for performance reasons). Thus, one has the ability to fuzz the executable by corrupting the data sections, potentially invoking a buffer overrun or some other unintentional behavior–if one could effectively modify the data sections. Remember that this is normally not possible, since modifying the data segment requires making a copy to a writeable media, and this contradicts the signed media flag.

Thus, the run-anywhere demo disk now enables software hackers to create and test the interaction of signed executables with modified game data using no tool other than a DVD-RW drive (and an Xbox360 console, still considerably rare and difficult to obtain in the US). Some of the more interesting modifiable data regions include Shockwave Flash movies, and the pixel shaders executed by the GPU (more info can be found on the xboxhacker.net website). Of particular interest is the MEMEXPORT shader command in the 360, which could enable people to dump physical memory to the screen (where it can be digitized or extracted with a sniffer upstream of the ANA chip), or to some other peripheral function. Presuming plaintext kernel code can be extracted this way, it bootstraps further efforts in vulnerability analysis of the code running in the Xbox…and so forth. Of course, it’s quite possible that this hole is plugged, since Microsoft’s NGSCB spec calls for the Northbridge to limit DMA access from the graphics card to main memory. Furthermore, buffer overrun exploits have questionable applicability since each process runs as its own virtual machine and rumor has it that the no-execute bit is used on heap space. Still, I’m very surprised that such media was even released into the wild by Microsoft…their own worst enemy is their own haste to get to the market and carelessness; security is for naught without consideration of human factors. Very exciting! Perhaps the Xbox360 will be opened without the need for significant hardware hacking.
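The integrity gap described above (a signature that covers the executable but not the data it consumes) as an added illustration; this is example code written for this page, not code from the post or from any console. It uses a constructed toy image with a media flag, a code section and a data section, and compares a signer that covers only the code section against one that covers every section: tampering with the data passes the first check and fails the second. The key, the flag value and the image layout are all made up for the demonstration.

```python
import hashlib
import hmac

# Constructed toy image (media flag, code section, data section); a stand-in
# for the post's discussion, not the real Xbox executable format.
KEY = b"constructed-demo-signing-key"   # stand-in for the platform's signing key
MEDIA_FLAG_DVD = 1                       # constructed flag value, not Microsoft's

def build_image(code: bytes, data: bytes, media_flag: int = MEDIA_FLAG_DVD) -> dict:
    return {"media_flag": media_flag, "code": code, "data": data}

def _section(name: str, payload: bytes) -> bytes:
    # Length-prefix each section so bytes cannot be shifted between sections
    # without changing the digest.
    return name.encode() + len(payload).to_bytes(4, "big") + payload

def sign_code_only(image: dict) -> bytes:
    """The policy the post describes: only the executable section is covered."""
    mac = hmac.new(KEY, digestmod=hashlib.sha256)
    mac.update(bytes([image["media_flag"]]))
    mac.update(_section("code", image["code"]))
    return mac.digest()

def sign_whole_image(image: dict) -> bytes:
    """Defensive policy: every byte the loader will consume is covered."""
    mac = hmac.new(KEY, digestmod=hashlib.sha256)
    mac.update(bytes([image["media_flag"]]))
    mac.update(_section("code", image["code"]))
    mac.update(_section("data", image["data"]))
    return mac.digest()

def verify(image: dict, signature: bytes, signer) -> bool:
    return hmac.compare_digest(signer(image), signature)

def tamper_data(image: dict) -> dict:
    # Overwrite the tail of the data section with an oversized asset, the kind
    # of input a parser without bounds checks would mishandle.
    return {**image, "data": image["data"][:4] + b"\xff" * 64}

def demo() -> dict:
    image = build_image(code=b"\x90" * 16, data=b"asset\x00" + b"\x00" * 32)
    sig_code, sig_full = sign_code_only(image), sign_whole_image(image)
    modified = tamper_data(image)
    return {
        "pristine_passes_code_only": verify(image, sig_code, sign_code_only),
        "pristine_passes_whole": verify(image, sig_full, sign_whole_image),
        "tampered_passes_code_only": verify(modified, sig_code, sign_code_only),
        "tampered_passes_whole": verify(modified, sig_full, sign_whole_image),
    }
```

Calling `demo()` returns the four verification outcomes; the tampered image still verifies under the code-only signer, which is exactly why unsigned data sections are the attack surface the post points at.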

Oh, and happy new year to everyone! I’ll be at Spundae’s New Year event in LA with some friends. If you happen to be going, give me a shout if you see me. Should be great fun!

Winner of Name that Ware November 2005!

Saturday, December 31st, 2005

I’m always impressed that people can derive so much from a single board image and no hints. November’s Ware was my Korg KM-2 Kaoss Mixer, which sits between my decks and my vinyl-to-MP3 converter (Serato Scratch Live, a must-have for DJs). The winner is Mouser, as he gave the most insightful and detailed analysis, even though he did not guess the exact ware (although his general conclusion is correct). As I have noted in the past, correctness of the answer counts for less than the thought process of getting there. bdb also deserves an honorable mention for his cleverness in matching up the rear footprint of the device to derive the exact model number of the ware.

Many people were thrown off by the 40-pin dual-row 0.1″ pitch header in the lower right corner of the picture; the ATA hard drive standard uses an identical connector. However, ribbon cable headers are not unique to the ATA standard, so some caution needs to be applied when trying to identify such a connector. In this case, the connector is a proprietary internal general-purpose I/O header connected to other peripherals within the unit. The connector distinguishes itself from an ATA header through its pinout. A header for an ATA bus has grounds at certain pin locations. In this photograph, one can see that these locations are pinned out as signals, ruling out the possibility of it functioning as an ATA bus connector (or if it is, it is highly non-standard for some arcane reason). Also, the bank of series resistors adjacent to the connector is unusual for an IDE/ATA header.

I’ve always found it interesting how each piece of hardware has a certain look and feel to it. In fact, the board has a distinctly Japanese-designed look and feel to it. The tented vias, the color of the solder mask, and the silkscreen styling, along with the component selection, are reminiscent of many other designs I’ve seen come out of Japanese design houses; in particular, the mainboard of my old Casio FX-7000 graphing calculator looked like it was fabbed in a very similar process…and in fact, I just looked up the Corporate History of Korg, and it is a Japanese corporation. It’s always interesting to note how regional biases tend to inform certain design motifs. Check out the HP 2600 N teardown from a while ago, and look at the engine board as another example of a board that smells of Japanese engineering.