
Reverse engineering

I like to take things apart to figure out how they work, document their functions and build new, interoperable things. Here are some of the highlights of my reverse engineering projects. For all of them, see Category:Reverse engineering.

Talks

The Joy of Taking Things Apart

This is an annotated transcript of a talk I gave at HackRice about reverse engineering and some of the fun projects and hacks the audience could do with reverse engineering skills. Some of the results were reported in the news. Read on for the presentation...

Reverse Engineering with Hopper

I taught an intro to reverse engineering with Hopper class at NYC Resistor. Hopper is a full-featured interactive disassembler for i386, x86-64 and ARM CPUs, with a "decompiler" that generates mostly readable pseudo-code. Slides and an example binary to disassemble are available.

Firmware

Magic Lantern firmware

In 2009 I reverse engineered the firmware in the Canon 5D Mark 2 camera and wrote the Magic Lantern firmware to add features that I needed for some of my film projects. Since then it has been ported to nearly every Canon DSLR model and provides an enormous range of features, including RAW video and HDR. It even has a Wikipedia page. Read on for more details...

Mac EFI firmware

Thunderstrike is the name for a class of Apple EFI firmware security vulnerabilities that allow malicious software or Thunderbolt devices to flash untrusted code to the boot ROM and propagate via shared devices. It was presented at 31C3. Read on for more info on Thunderstrike or Thunderstrike 2, a software-only extension.

ROMs

Old ROMs frequently hold hidden secrets (like the Mac SE Easter Egg images), and modern ROMs often have security issues to be analyzed. I've designed PROMdate, a reader built with the Teensy++ for up to 40-pin DIP chips that can handle most common +5V ROM/PROM/EPROM/EEPROM/etc. chips, and an 8-pin SOIC clip reader for SPI flash ROMs. Read on for more ROMs...

SPI Flash reader

Like ho.ax, I had been using a Dangerous Prototypes Bus Pirate to read SPI flash boot ROMs, but it was too slow. So I built a dedicated one with a Teensy 2 or 3 and an 8-SOIC chip clip. It can read/write the entire multi-megabit ROM in a minute. Read on for more info...

Software

Mac SE Easter Egg

Using my PROMdate generic EPROM reader, I extracted the Mac SE boot ROMs from a machine I found on the side of the road. We then reverse engineered the Easter Egg photographs of the development team hidden in the extra space. Read on for more details...


Last update: November 8, 2020