Remoticon 2021 // Jeroen Domburg [Sprite_tm] Hacks the Buddah Flower

Nobody likes opening up a hacking target and finding a black epoxy blob inside, but all hope is not lost. At least not if you've got the dedication and skills of [Jeroen Domburg] alias [Sprite_tm].

It all started when [Big Clive] ordered a chintzy Chinese musical meditation flower and found a black blob. But tantalizingly, the shiny plastic mess also included a 2 MB flash EEPROM. The question then is: can you replace its contents with your own music? Spoiler: yes, you can! [Sprite_tm] and a team of Buddha Chip Hackers distributed across the globe got to work. (Slides here.)

[Jeroen] started off with binwalk and got, well, not much. The data that [Big Clive] dumped had high enough entropy that it looked either random or encrypted, with the exception of a couple of tiny sections. Taking a closer look, there was some structure, though. [Jeroen] smelled shitty encryption. Now in principle, there are millions of bad encryption methods out there for every good one. But in practice, naive cryptographers tend to gravitate to a handful of bad patterns.

Bad pattern number one is XOR. Used correctly, XORing can be a force for good, but if you XOR your key with zeros, naturally, you get the key back as your ciphertext. And this data had a lot of zeros in it. That means that there were many long strings that started out the same, but they seemed to go on forever, as if they were pseudo-random. Bad crypto pattern number two is using a linear-feedback shift register for your pseudo-random numbers, because the parameter space is small enough that [Sprite_tm] could just brute-force it. At the end, he points out their third mistake -- making the encryption so fun to hack on that it kept him motivated!
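To make the two bad patterns concrete, here is a toy reconstruction of that kind of scheme, added for illustration and not taken from the talk or from the flower's firmware: plaintext XORed with the output of a 16-bit Fibonacci LFSR. The register width, the tap mask `0x002D`, the seed `0xACE1`, the `FLWR0001` header and the zero-padded sample "image" are all constructed assumptions. It goes slightly beyond the text in two ways: it shows that the first 16 leaked keystream bits of a Fibonacci LFSR are literally the register contents at that point, so only the tap polynomial needs brute-forcing (2^16 candidates, pruned by one linear check per further leaked bit), and that the register can be run backwards, so a zero run anywhere in the file exposes the keystream for the whole file.

```python
# Toy model of the weak scheme described above: plaintext XOR an LFSR
# keystream. The 16-bit register, tap mask, seed and the sample "image" are
# constructed assumptions for this example, not the flower's real values.

WIDTH = 16
MASK = (1 << WIDTH) - 1


def parity(x):
    return bin(x).count("1") & 1


def lfsr_step(state, taps):
    """One Fibonacci LFSR step: emit the LSB, shift right, feed back into the MSB."""
    out = state & 1
    fb = parity(state & taps)
    return ((state >> 1) | (fb << (WIDTH - 1))) & MASK, out


def lfsr_unstep(state, taps):
    """Undo one step. Needs bit 0 of `taps` set (true for any primitive
    polynomial); that is what makes the feedback function invertible."""
    fb = state >> (WIDTH - 1)
    partial = (state << 1) & MASK          # previous state, LSB still unknown
    return partial | (fb ^ parity(partial & taps))


def keystream(state, taps, nbytes):
    """Return `nbytes` of keystream (bits packed MSB-first) and the final state."""
    out = bytearray()
    for _ in range(nbytes):
        byte = 0
        for _ in range(8):
            state, bit = lfsr_step(state, taps)
            byte = (byte << 1) | bit
        out.append(byte)
    return bytes(out), state


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(plain, seed, taps):
    """XOR with the keystream; the same call decrypts, since XOR is an involution."""
    ks, _ = keystream(seed, taps, len(plain))
    return xor_bytes(plain, ks)


def recover_from_zero_run(ciphertext, run_offset, run_len):
    """Given where the plaintext is known to be all zeros, return (seed, taps).

    The zero run leaks keystream verbatim. The first WIDTH leaked bits *are*
    the register state at that point (each step just shifts one state bit
    out), and every later bit is the feedback bit of an earlier step, i.e. one
    linear check on the tap mask. Brute-forcing 2**16 masks is then trivial.
    """
    leaked = ciphertext[run_offset:run_offset + run_len]
    bits = [(b >> (7 - i)) & 1 for b in leaked for i in range(8)]
    state_at_run = sum(bit << i for i, bit in enumerate(bits[:WIDTH]))
    # States are reconstructable without knowing the taps: the bit entering
    # at the MSB on each step is simply the next leaked output bit.
    states, s = [], state_at_run
    for fb in bits[WIDTH:]:
        states.append(s)
        s = (s >> 1) | (fb << (WIDTH - 1))
    for taps in range(1, 1 << WIDTH, 2):   # bit 0 must be set; early exit on mismatch
        if all(parity(st & taps) == fb for st, fb in zip(states, bits[WIDTH:])):
            break
    else:
        return None, None
    # Run the register backwards to the start of the image to get the seed.
    s = state_at_run
    for _ in range(8 * run_offset):
        s = lfsr_unstep(s, taps)
    return s, taps


def demo():
    """Constructed image: 16-byte header, 64 bytes of unused zero padding, payload."""
    header = b"FLWR0001".ljust(16, b" ")
    plain = header + bytes(64) + b"Hello from the flower! " * 4
    taps, seed = 0x002D, 0xACE1                       # constructed parameters
    ct = encrypt(plain, seed, taps)
    seed_found, taps_found = recover_from_zero_run(ct, len(header), 64)
    recovered = encrypt(ct, seed_found, taps_found)   # decrypt = encrypt
    return seed_found, taps_found, recovered == plain


if __name__ == "__main__":
    print(demo())
```

The point for anyone reviewing a firmware "encryption" design: with a stream of this kind, any region of known plaintext (zero padding, a fixed header, an all-0xFF erased block) hands over the keystream, and the linear structure of an LFSR turns a few dozen leaked bytes into the entire key.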

Decrypted, the EEPROM data was a filesystem. And the machine language turned out to be for an 8051, but there was still the issue of the code resident on the microcontroller's ROM. So [Sprite_tm] bought one of these flowers, and started probing around the black blob itself. He wrote a dumper program that output the internal ROM's contents over SPI. Ghidra did some good disassembling, and that let him figure out how the memory was laid out, and how the flow worked. He also discovered a "secret" ROM area in the chip's flash, which he got by trying some random functions and looking for side effects. The first hit turned out to be a memcpy. Sweet.

[Neil555]'s Rosetta Stone

Meanwhile, the Internet was still working on this device, and [Neil555] bought a flower too. But this one had a chip, rather than a blob, and IDing this part led them to an SDK, which includes an audio suite that uses a derivative of WMA audio encoding. And that was enough to get music loaded into the flower. (Cue a short rick-rolling.) Victory!

Well, victory if all you wanted to do was hack your music onto the chip. As a final fillip, [Sprite_tm] mashed the reverse-engineered schematic of the Buddha Flower together with [Thomas Flummer]'s very nice DIY Remoticon badge, and uploaded our very own intro theme music into the device on a badge. Bonus points? He added LEDs that blinked out the LFSR that was responsible for the "encryption". Sick burn!

Editor's Note: This is the last of the Remoticon 2 videos we've got. Thanks to all who gave presentations, to all who attended and participated in the lively Discord back channel, and to all you out there who keep the hacking flame alive. We couldn't do it without you, and we look forward to a return to "normal" Supercon sometime soon.

#cons #hackadaycolumns #reverseengineering #2021hackadayremoticon #8051 #badgehacking #hacking #rickroll #sprite_tm


Heroic Efforts Give Smallest ARM MCU a Breakout, Open Debugger

In today's episode of Diminutive Device Technology Overview, [Sprite_TM] is at it again - this time conquering the HC32L110. A few weeks ago, we highlighted this small ARM Cortex M0+ microcontroller, which stands out because of its exceptionally small size. We also pointed out a few hurdles, among them a hard-to-approach SDK and documentation, and the difficulty of making and assembling a PCB for such a small BGA. Today, we witness how [Sprite_TM] bulldozed through all of these hurdles for all of us, and added a few pictures to our collective "outrageous soldering" galleries while at it.

First, he figured out an example layout for this MCU that's achievable even on the cheapest 2-layer board from JLCPCB, keeping distances within the generic tolerance standards by snubbing out a few pins. As a result, we only lose access to four GPIOs - those will have to be kept as inputs, so that nothing burns out. However, that's the kind of tradeoff we are okay making if it helps keep the PCB small and lightweight for projects where these factors matter. After receiving the resulting board, he also recorded a short tutorial on soldering such packages at home with a mere hot air gun and a few bare necessities like flux and tweezers - embedded below.

It doesn't end there, however, as he decided to work around the GPIO fanout limitation in a non-intended way. Evidently, [Sprite_TM] decided to have some fun, taking a piece of regular 0.1″ spacing protoboard and deadbugging the chip with magnet wire, much to our amusement. The resulting contraption, pictured above, worked. If this is ever something you'd like to achieve yourself in times of dire need, whether to make something work or simply to be entertained by a cursed mounting technique, there's a one-hour-long livestream recording of how this magnet wire contraption came to be. And, of course, that wasn't the last thing to be shared.

As a finishing touch, he has published bindings and wrappers for the Huada SDK so that the chip is usable with GCC, GDB and OpenOCD. He also added datasheets to the same repository - auto-translated but quite readable. An all-GPIOs-involved blinkie GIF of a magnet-wire-bound chip triumphantly concludes the write-up.

An addition to [Sprite_TM]'s toolkit is an addition to everyone's toolkit - the techniques and the insights are all here for us to learn from. If you ever doubted your ability to work with small packages in general or this MCU specifically, now you have a whole lot more material to draw upon!

Wondering what kind of miniature device you might want to make? We hackers have mostly been having fun so far, building things like the USB-cable-hidden RubberDucky or a miniature PDP11, but there must be applications in, say, the wearable or medical fields where such a small MCU would prove itself to be a hacker's friend. Maybe you want to build an LED engagement ring with some Cortex-M0+ smarts? In fact, this microcontroller is small enough that it wouldn't be hard to hide inside your PCB itself.

#arm #howto #parts #armcortexm0 #armm0 #bga #chiponboard #chipscalepackage #cortexm0 #hc32l110 #huada #newpartday #sprite_tm #wcsp #wlcsp


The Game Boy As You Have Never Seen It Before Is Newest from [Sprite_tm]

Explain a Game Boy to a child in 2021 and they'll have little idea of how much impact that chunky grey brick had back in the day. Search for a YouTube video to demonstrate, and you might find the one we've put below the break. It starts with the classic Tetris on the Game Boy, then moves on to Super Mario World before treating us to Sonic the Hedgehog, and finally Doom. All seminal games of the Game Boy's heyday, with one small problem. The last three were never Game Boy titles, and certainly wouldn't have run on the device's limited hardware. Most of you will by now not be surprised to find that the narrator is none other than [Sprite_tm], and his Game Boy has one of the nicest Raspberry Pi conversions we've ever seen.

Given his previous work we expected the cartridges to have an ESP32 on board that somehow mapped into Game Boy display memory, but in fact he's swapped the original Nintendo motherboard for a replacement carrying an ICE40 FPGA on one side to handle the Nintendo hardware and a Pi Zero on the other to do the heavy lifting. Insert a Game Boy cartridge and it emulates the original to the point you'd never suspect it wasn't the real thing, but insert one of the non-Game-Boy cartridges and it passes an identifier to the Pi, which launches a script to run the appropriate Pi code. So the Mario and Sonic games are running in Pi-based emulators, and Doom is running natively on the Pi. It gives the appearance of a seamless gaming experience, wherein lies its charm.

This project certainly has the quality we've come to expect from Sprite, and a quick flick through these pages will show plenty of previous examples. One of the most recent was a miniature working DEC VT100 terminal containing an emulated PDP minicomputer.

#nintendogameboyhacks #gameboy #raspberrypi #sprite_tm
