Tuesday, October 4

Glitching USB Firmware for Fun

[Micah Elizabeth Scott], aka [scanlime], has been playing around with USB drawing tablets, and got to the point that she wanted to get at the firmware: to reverse engineer it, see what's going on, and who knows what else. Wacom didn't design the devices to be user-updateable, so there aren't copies of the ROMs floating around the web, and the tablet's microcontroller seems to be locked down to boot.

With the easy avenues turning up dead ends, that means building some custom hardware to get it done, and making a very detailed video documenting the project (embedded below). If you're interested in chip power-glitching attacks, and if you don't suffer from a short attention span, watch it; it's a phenomenal introduction.

Spoiler: the ROM dump comes out in the USB device descriptor data returned during enumeration. Using a ChipWhisperer (second place in the 2014 Hackaday Prize!) and the "FaceWhisperer" add-on board of her own design, [Micah] could send power-supply glitches just as the tablet was identifying itself to the computer. Instead of stopping after the few device descriptor bytes, it just kept on going. And going. In fact, in one of the many brute-force attempts, it dumped its ROM twice, making it easy to find the beginning and end of the code stream.
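As an added illustration (not part of the original post, and not [Micah]'s tooling), here is the host-side view of what such a glitch produces: a GET_DESCRIPTOR(DEVICE) response checked against its own declared bLength, and, where the device kept streaming past the descriptor, a search for the repeat period so that a doubled dump can be trimmed to a single copy of the image. The descriptor field values and the 64-byte "ROM" are constructed for the example; the function names are this example's own.

```python
"""
Constructed example: sanity-check a USB device descriptor response against
the 18 bytes it declares, and, when the device overran its descriptor,
locate the repeat period of the trailing data so a dump that came out
twice can be reduced to one copy.
"""
from dataclasses import dataclass
from typing import Optional

DEVICE_DESCRIPTOR_LENGTH = 18   # bLength every well-formed device descriptor declares
DT_DEVICE = 0x01                # bDescriptorType value for the device descriptor


@dataclass
class Overrun:
    declared: int   # bLength the device claimed
    received: int   # bytes the host actually got back
    extra: bytes    # everything past the declared descriptor


def check_device_descriptor(response: bytes) -> Optional[Overrun]:
    """Return None if the response is exactly the descriptor it declares,
    otherwise an Overrun describing the bytes a host should never have seen."""
    if len(response) < 2:
        raise ValueError("response too short to hold bLength/bDescriptorType")
    b_length, b_type = response[0], response[1]
    if b_type != DT_DEVICE or b_length != DEVICE_DESCRIPTOR_LENGTH:
        raise ValueError(f"not a device descriptor: bLength={b_length} type={b_type:#x}")
    if len(response) <= b_length:
        return None
    return Overrun(declared=b_length, received=len(response), extra=response[b_length:])


def find_repeat_period(data: bytes, min_period: int = 16) -> Optional[int]:
    """Smallest p such that data[i] == data[i + p] for every valid i, i.e. the
    stream is at least two full copies of one p-byte block (a trailing partial
    copy is fine). Returns None if the stream is not periodic."""
    n = len(data)
    for p in range(min_period, n // 2 + 1):
        if data[: n - p] == data[p:]:
            return p
    return None


def analyze_enumeration_capture(response: bytes) -> dict:
    """Combine both checks: flag the overrun and, if the extra bytes repeat,
    report the image size and one copy of it."""
    overrun = check_device_descriptor(response)
    if overrun is None:
        return {"overrun": False}
    period = find_repeat_period(overrun.extra)
    return {
        "overrun": True,
        "extra_bytes": len(overrun.extra),
        "image_size": period,
        "image": overrun.extra[:period] if period else None,
    }


# Constructed sample data (made-up vendor/product IDs, not a real device):
SAMPLE_DESCRIPTOR = bytes([
    0x12, 0x01,              # bLength = 18, bDescriptorType = DEVICE
    0x00, 0x02,              # bcdUSB 2.00
    0x00, 0x00, 0x00,        # class / subclass / protocol (interface-defined)
    0x40,                    # bMaxPacketSize0 = 64
    0xAD, 0xDE, 0xEF, 0xBE,  # idVendor / idProduct placeholders
    0x00, 0x01,              # bcdDevice 1.00
    0x01, 0x02, 0x03,        # iManufacturer / iProduct / iSerialNumber
    0x01,                    # bNumConfigurations
])
SAMPLE_ROM = bytes(range(64))                       # stand-in for the firmware image
NORMAL_RESPONSE = SAMPLE_DESCRIPTOR                 # what a healthy device returns
GLITCHED_RESPONSE = SAMPLE_DESCRIPTOR + SAMPLE_ROM * 2 + SAMPLE_ROM[:10]  # kept going, twice over

if __name__ == "__main__":
    print(analyze_enumeration_capture(NORMAL_RESPONSE))
    result = analyze_enumeration_capture(GLITCHED_RESPONSE)
    print({k: v for k, v in result.items() if k != "image"})
```

The period search only tells you the size of the repeating block and where one copy begins relative to another; orienting that copy to the chip's address 0 needs something the stream itself does not give, such as a known reset vector, so that step is left out here.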

Next up is disassembling and reversing the software, which is no small feat. We can’t wait to see what [Micah] comes up with.

Thanks to [Ben] and [Tim] for the nearly-simultaneous tips.


Filed under: classic hacks, misc hacks
