USB Logger....


Re: USB Logger....

Postby GaspingSpark » November 16th, 2011, 3:32 pm

Yeah, CPU is probably on the underside of the top board. No way to see it without desoldering the other boards. The other boards are just power MOSFETs.

The plug on the top board might be JTAG.
GaspingSpark
 
Posts: 180
Joined: March 8th, 2011, 10:24 am

Re: USB Logger....

Postby NTense » November 16th, 2011, 5:01 pm

The plug on the top is for the motor sensor harness. It's a pretty common plug.

Unsoldering the board isn't gonna happen, as I don't even have the correct equipment to solder multiple pins at once.

I am gonna see if I can find a blow unit at this point.

So, suggestions where to go at this point? I sure would like to see more about yanking apart the software....possibly if we could just fool the unit into having 208 installed, but thinking it's 210....with the correct blink (they made it blink different).

Later EddieO
NTense
 
Posts: 23
Joined: November 12th, 2011, 11:12 am

Re: USB Logger....

Postby GaspingSpark » November 18th, 2011, 12:01 pm

I did some looking into the software/protocol side of things:

The firmware for the speed control is sent to the device in encrypted form. It is not decrypted by the program first. Without discovering the algorithm and key used it's pretty much tamper-proof.

The firmware for the USB device is encrypted as well, but it is decrypted before sending it. So the algorithm is easy to reverse engineer. XOR first byte with a key=7, and for each subsequent byte add 13 to the key. Decryption proceeds in the order of the Hex records in the file.

The communications protocol is based around 13-byte packets exchanged with the device:

1 byte Header (set to 0x43 by the program - ASCII 'C', messages from the device might use a different code)
1 byte Packet-type (see below)
1 byte Checksum (sum of all bytes - negated)
1 byte Destination address high bits (used for firmware updates / parameter setting messages)
1 byte Destination address low bits
8 bytes Payload

Packet types:
ECHO = 8,
ERASE_FLASH = 4,
ERASE_PROGRAM_VALS = 10,
ERASE_THROTTLE_VALS = 12,
GET_INPUT_POSITION = 0x23,
PC_PING = 1,
PC_PING_RESP = 0x81,
PING = 2,
PING_RESP = 130,
PROGRAM_FLASH = 3,
RECIEVER_ENABLE_DISABLE = 0x20,
REQ_BOOTLOADER_VER = 5,
REQ_DRAGONSL_VER = 9,
REQ_PROGRAM_VALS = 6,
REQ_THROTTLE_VALS = 14,
RESET = 7,
SET_LEDS = 0x18,
SET_OUTPUT_POSITION = 0x22,
SET_PROGRAM_VALS = 11,
SET_THROTTLE_VALS = 13,
TRANSMIT_ENABLE_DISABLE = 0x21,
USB_ERASE_FLASH = 20,
USB_ERASE_FL_35_45 = 0x17,
USB_INSTALL_FLASH = 0x15,
USB_PROGRAM_FLASH = 0x13,
USB_REQ_VERSION = 0x12,
USB_RESET_DATA_LO = 0x10,
USB_RESET_PROCESSOR = 0x16

If you want to get serious about the software get the trial version of Reflector. It'll tell you everything you need to know. Assuming you can figure out C# programming. ;)
GaspingSpark
 
Posts: 180
Joined: March 8th, 2011, 10:24 am
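The USB-device firmware decryption and the 13-byte packet framing from the post above, as an added worked example (not code from the thread, from Tekin, or from the Hotwire program). It assumes things the post does not state: that only the data field of each Intel HEX record is enciphered, that the key byte wraps modulo 256 and keeps running across records, and that the checksum is the two's-complement of the other twelve bytes so a valid packet sums to zero mod 256. The firmware content is constructed for the example, and only a few of the listed packet-type constants are used.

```python
"""Added example, not from the thread, Tekin or the Hotwire program.
Assumptions (not stated in the post): only the data field of each Intel
HEX record is enciphered; the key byte wraps mod 256 and keeps running
across records; the packet checksum is the two's-complement of the other
twelve bytes, so a valid 13-byte packet sums to 0 mod 256.  The sample
firmware content below is constructed, not a real image."""
import struct

HEADER_PC = 0x43            # 'C': byte 0 as sent by the PC program
PC_PING = 0x01
PROGRAM_FLASH = 0x03
USB_PROGRAM_FLASH = 0x13    # packet types from the decompiled enum


def running_xor(data, key=7, step=13):
    """XOR each byte with a key that starts at 7 and grows by 13 per byte.
    XOR is its own inverse, so this both encrypts and decrypts.
    Returns (output, next key) so the stream can continue across records."""
    out = bytearray()
    for b in data:
        out.append(b ^ key)
        key = (key + step) & 0xFF
    return bytes(out), key


def parse_hex_records(text):
    """Yield (address, record type, data) per Intel HEX record, verifying
    the record checksum (all bytes including the checksum sum to 0)."""
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith(":"):
            continue
        raw = bytes.fromhex(line[1:])
        if sum(raw) & 0xFF:
            raise ValueError("bad Intel HEX checksum: " + line)
        count, addr, rtype = raw[0], struct.unpack(">H", raw[1:3])[0], raw[3]
        yield addr, rtype, raw[4:4 + count]


def make_hex_record(addr, data, rtype=0):
    """Build one Intel HEX record with a correct checksum."""
    raw = bytes([len(data)]) + struct.pack(">H", addr) + bytes([rtype]) + data
    return ":" + (raw + bytes([(-sum(raw)) & 0xFF])).hex().upper()


def decrypt_usb_firmware(hex_text):
    """Map address -> plaintext data for every type-0 record, in file order."""
    key, image = 7, {}
    for addr, rtype, data in parse_hex_records(hex_text):
        if rtype == 0x00:
            image[addr], key = running_xor(data, key)
    return image


def build_packet(ptype, payload=b"", address=0, header=HEADER_PC):
    """13 bytes: header, type, checksum, addr hi, addr lo, 8-byte payload."""
    if len(payload) > 8:
        raise ValueError("payload is at most 8 bytes")
    payload = payload.ljust(8, b"\x00")
    fields = bytes([header, ptype, (address >> 8) & 0xFF, address & 0xFF]) + payload
    checksum = (-sum(fields)) & 0xFF
    return fields[:2] + bytes([checksum]) + fields[2:]


def parse_packet(pkt):
    """Validate length and checksum; return the decoded fields."""
    if len(pkt) != 13:
        raise ValueError("packet must be 13 bytes")
    if sum(pkt) & 0xFF:
        raise ValueError("packet checksum mismatch")
    return {"header": pkt[0], "type": pkt[1],
            "address": (pkt[3] << 8) | pkt[4], "payload": bytes(pkt[5:])}


def firmware_to_packets(image, ptype=USB_PROGRAM_FLASH):
    """Split a decrypted image into 8-byte USB_PROGRAM_FLASH packets."""
    packets = []
    for addr in sorted(image):
        data = image[addr]
        for off in range(0, len(data), 8):
            packets.append(build_packet(ptype, data[off:off + 8], addr + off))
    return packets


# Constructed plaintext and the enciphered HEX file an updater would ship.
SAMPLE_PLAIN = {0x0000: bytes(range(16)), 0x0010: b"SAMPLE-DATA!"}


def make_sample_hex():
    key, lines = 7, []
    for addr in sorted(SAMPLE_PLAIN):
        enc, key = running_xor(SAMPLE_PLAIN[addr], key)
        lines.append(make_hex_record(addr, enc))
    lines.append(":00000001FF")            # end-of-file record
    return "\n".join(lines)


if __name__ == "__main__":
    image = decrypt_usb_firmware(make_sample_hex())
    for pkt in firmware_to_packets(image):
        print(pkt.hex(), hex(parse_packet(pkt)["address"]))
```

The running-key XOR is a keystream with a fixed, public starting state, so it hides nothing from anyone who has the updater; it is obfuscation, not encryption. The packet checksum likewise only catches line noise: it is computed from public bytes, so anything that can speak the framing can forge any packet type in the list.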

Re: USB Logger....

Postby NTense » November 18th, 2011, 2:34 pm

Heh, you might as well be speaking French to me at this point.....I don't know any of this stuff, let alone how it works.

So does this leave room to actually accomplish the goal, or has Tekin actually taken steps to prevent it? If so, there are other speedos on the market from companies we can look at (Novak, LRP, Speed Passion, GM, Castle).

What exactly would the reflector thing do for me?

Sorry for all the questions......

Later EddieO
NTense
 
Posts: 23
Joined: November 12th, 2011, 11:12 am

Re: USB Logger....

Postby NTense » November 18th, 2011, 5:12 pm

Two other possibilities

http://teamnovak.com/download/NovaLink/index.html

Novak more than likely has put encryption

LRP

http://www.lrp.cc/en/service/software-update/

LRP not only has the software, but the firmware is its own file...

I personally hate Novak, so cracking their stuff would be sweet:)


Later EddieO
NTense
 
Posts: 23
Joined: November 12th, 2011, 11:12 am

Re: USB Logger....

Postby GaspingSpark » November 18th, 2011, 9:10 pm

As far as I can tell Tekin has taken steps to prevent tampering with the firmware. Since this firmware is probably one of the most valuable products they create it is to be expected. Imagine if a knock-off company got a copy of the unencrypted firmware - it could slash years off their development time. These protections prevent cheaters from modifying it as well.

Their hotwire program on the other hand is Microsoft .NET based so it is not protected very well. The Reflector program allows you to decompile the program back into an approximation of the original source code. This allows pretty much the entire protocol to be reverse engineered easily. It might be possible to create a new program that could write unauthorized values to the speed control in an attempt to tweak it in ways the official program won't allow.

I took a quick look at the Novak stuff. They encrypt their firmware images as well. Using real honest-to-goodness AES-CBC no less. Since they very helpfully used a key and IV of "1234567890123456" I was able to easily decrypt the file. Looks like it's for a Motorola CPU of some sort - probably 68HCxx something.
GaspingSpark
 
Posts: 180
Joined: March 8th, 2011, 10:24 am
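The Novak case from the post above, as an added worked example (not Novak's code and not the thread's): AES-128-CBC with the key and IV both equal to the ASCII string "1234567890123456". It needs the `cryptography` package, it assumes PKCS#7 padding on the final block (the post does not say), and the "firmware" it protects is a constructed handful of Motorola S-record lines, not a real Novak image. The printable-ratio and entropy checks are a generic way to tell a correct key from a wrong one when the plaintext is a text-format image.

```python
"""Added example, not Novak's or the thread's code.  Requires the
'cryptography' package.  Assumed, not stated in the post: PKCS#7 padding.
SAMPLE_SREC is constructed for the example (Motorola S-record text)."""
import math
from cryptography.hazmat.primitives import padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

# The key and IV the post reports finding in the updater: 16 ASCII digits.
WEAK_KEY = b"1234567890123456"
WEAK_IV = b"1234567890123456"


def aes_cbc_decrypt(blob, key=WEAK_KEY, iv=WEAK_IV):
    """Decrypt a whole-block ciphertext; strip PKCS#7 if it is valid,
    otherwise return the raw decrypted blocks so the caller can inspect them."""
    if len(blob) % 16:
        raise ValueError("ciphertext is not a whole number of AES blocks")
    dec = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
    padded = dec.update(blob) + dec.finalize()
    unpadder = padding.PKCS7(128).unpadder()
    try:
        return unpadder.update(padded) + unpadder.finalize()
    except ValueError:
        return padded


def aes_cbc_encrypt(plain, key=WEAK_KEY, iv=WEAK_IV):
    """Produce an image the same way a vendor tool with this key would."""
    padder = padding.PKCS7(128).padder()
    padded = padder.update(plain) + padder.finalize()
    enc = Cipher(algorithms.AES(key), modes.CBC(iv)).encryptor()
    return enc.update(padded) + enc.finalize()


def shannon_entropy(data):
    """Bits per byte; near 8 for ciphertext, far lower for hex/S-record text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def printable_ratio(data):
    return sum(32 <= b < 127 or b in (9, 10, 13) for b in data) / max(len(data), 1)


def looks_like_text_image(data):
    """Heuristic for text-format firmware (HEX/S-record): a wrong key yields
    roughly 37% printable bytes, the right one close to 100%."""
    return printable_ratio(data) > 0.95


# Constructed sample "firmware": a few valid S-record lines.
SAMPLE_SREC = (b"S00F000068656C6C6F202020202000003C\n"
               b"S11F00007C0802A6900100049421FFF07C6C1B787C8C23783C6000003863000026\n"
               b"S11F001C4BFFFFE5398000007D83637880010014382100107C0803A64E800020E9\n"
               b"S111003848656C6C6F20776F726C642E0A0042\n"
               b"S5030003F9\n"
               b"S9030000FC\n")


if __name__ == "__main__":
    rdd = aes_cbc_encrypt(SAMPLE_SREC)
    for key in (b"0000000000000000", WEAK_KEY):
        out = aes_cbc_decrypt(rdd, key=key)
        print(key, "text image" if looks_like_text_image(out) else "garbage",
              "entropy %.2f" % shannon_entropy(out))
```

Two things follow from what the post found. A key stored as a literal string inside a .NET updater is recovered by anyone who runs the same decompiler, so the encryption protects the image only from people who never open the program. And CBC on its own carries no integrity check, so the updater has no way to tell an image somebody decrypted, edited and re-encrypted with the same key from an original one; confidentiality and tamper resistance are separate properties, and this design gives neither.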

Re: USB Logger....

Postby NTense » November 19th, 2011, 1:36 pm

I find it hilarious that the Novak key is something so stupid. I felt like I was watching the scene from Spaceballs when they get the code for the shield..... 1 2 3 4 5.....ironic since they are the RC brushless innovator who claimed that the stuff would never be crackable.

Let me know what ya find out. The LRP is another interesting choice, as the speedo is very popular.

Later EddieO
NTense
 
Posts: 23
Joined: November 12th, 2011, 11:12 am

Re: USB Logger....

Postby NTense » November 20th, 2011, 11:35 pm

Any chance you can send me the Novak firmware file and let me know what program I need to look at it? It will probably be gibberish to me, but it's possible that since I know how the stuff works I might spot something....not like I can hurt something. More curious than anything....

eddieo at teambrood DOT com

Later EddieO
NTense
 
Posts: 23
Joined: November 12th, 2011, 11:12 am

Re: USB Logger....

Postby NTense » November 21st, 2011, 2:16 am

So I figured out the firmware file is separate for the Novak, as it's the .rdd file....but after spending an hour looking up what to open a .rdd file with, with little luck....every search said Reliasoft Weibull or ALTA...I got the demos of both, neither can open it.

Not sure what I am doing wrong.......

Later EddieO
NTense
 
Posts: 23
Joined: November 12th, 2011, 11:12 am

Re: USB Logger....

Postby st2000 » November 21st, 2011, 8:21 am

"what to open a .rdd file with,"

Assuming you are using some sort of windows platform...

Hex editors like Hex Editor Neo will open just about anything. But, fair warning, you will be looking at hexadecimal values in (probably) the rawest of formats. For instance, if you use FAT drivers to look at an SD card you will see file names and directories. But if you used Neo you would start off looking at the MBR and FAT tables. After that would come the files. If it is a JPEG, you would first see the JPEG header describing the particulars as to how to decode the JPEG and the metadata, then the JPEG image data.
st2000
 
Posts: 1453
Joined: February 3rd, 2011, 6:10 pm
