Actions

Reverse engineering

From Trammell Hudson's Projects

I like to take things apart to figure out how they work, document their functions and build new, interoperable things. Here are some of the highlights of my reverse engineering projects. For all of them, see Category:Reverse engineering.

Talks

The Joy of Taking Things Apart

HackRice

This is an annotated transcript of a talk I gave at HackRice about reverse engineering and some of the fun projects/hacks they could do with reverse engineering skills. Some of the results were reported in the news. Read on for the presentation...


Reverse Engineering with Hopper

Hopper Interactive Disassembly
Intro to Reverse Engineering class at NYC Resistor

I taught an intro to reverse engineering with Hopper class at NYC Resistor. Hopper is a full featured interactive disassembler for i386, x86-64 and ARM CPUs, with a "decompiler" that generates mostly readable pseudo-code. Slides and example binary to disassemble.


Firmware

Magic Lantern firmware

Magic Lantern original logo.png
Sobel edge detection

In 2009 I reverse engineered the firmware in the Canon 5D Mark 2 camera and wrote the Magic Lantern firmware to add features that I needed for some of my film projects. Since then it has been ported to nearly every Canon DSLR model and provides an enormous range of features including RAW video and HDR. It even has a wikipedia page.


Mac EFI firmware

Thunderstrike lock screen

Thunderstrike is the name for a class of Apple EFI firmware security vulnerabilities that allow malicious software or Thunderbolt devices to flash untrusted code to the boot ROM and propagate via shared devices. It was presented at 31C3. Read on for more info on Thunderstrike or Thunderstrike 2, a software-only extension.

ROMs

Minibug III ROM
PROMdate: Now with AVR support

Old ROMs frequently hold hidden secrets (like the Mac-SE Easter Egg images) and modern ROMs often have security issues to be analyzed. I've designed PROMdate, a reader built with the Teensy++ for up to 40 pin DIP chips that can handle most common +5V ROM/PROM/EPROM/EEPROM/etc chips, and an 8 pin SOIC clip reader for SPI flash ROMs. Read on for more ROMs...

SPI Flash reader

Teensy3 SPI flash reader/writer

Like ho.ax, I had been using a Dangerous Prototypes buspirate to read SPI flash boot ROMs, but it was too slow. So I built a dedicated one with a Teensy 2 or 3 and a 8-SOIC chip-clip. It can read/write the entire multi-megabit ROM in a minute. Read on for more info...

Software

Mac SE Easter Egg

Mac SE engineers (0x1D93C)
Mac SE

Using my PROMdate generic EPROM reader, I extracted the Mac SE boot ROMs from a machine I found on the side of the road. We then reverse engineered the easter egg photographs of the development team hidden in the extra space. Read on for more details...


Command line laser cutting

Epilog command line laser cutter test

The Epilog laser cutter at NYC Resistor officially only work with Windows, but that doesn't seem right for a hackerspace. I reverse engineered the HPGL dialect and have a set of command line tools to send PDF files directly to the laser cutter's LPD port over the ethernet. Read on for more info....