by mk_stjames 1221 days ago
I wonder what the motivation is for attempting to use the stock firmware and reverse engineer whatever communication and potential key signing the device has from the factory, versus just wiping the flash / desoldering and replacing it with completely new firmware from scratch.

That would require completely tracing the PCB out to understand the display drive from the uC and other pin assignments, but... I find that much easier. And then the end result is the potential for a completely understood hardware & software configuration.


The person who brought the tags has a lot of them, more than the 3 they donated to Zeus. If we replace the firmware, we have to do this for every device, which would be a lot of manual work (opening case, adding probes, flashing firmware, ...). This is even more work per device if you have to desolder the uC from the PCB and solder something else to it.

Reverse engineering the communication protocol is a lot of work, but only once. After that, you can talk to stock devices, without having to modify their hardware or software.

I also didn't find any datasheets for the e-ink display or how to control it, so here the stock firmware can also come in useful.

Aside from practical concerns, I won't lie, I also took this path because it's fun to do and I could practice hardware hacking.

Makes sense. I got more interested after finishing reading your whole post and went looking at the manufacturer's website... it would be too easy for them to just provide their software directly for people to download, huh? It looks like a total software-hardware-cloud service lock-in... I can't seem to tell, but it seems like all tags might have to call back to their cloud to get their displayed info, which is managed by their "VUSION Manager". Talk about a nightmare.

They note it's end-to-end encrypted, and if they call home to their cloud and not to locally managed software, I bet they are calling a preset list of IPs to auth and DL data. You'd have to both spoof their IP and sign the data with their key somehow.