mmca wanted us to show off the badge at hackaday's supercon event this coming november in pasadena, so i went from a nice leisurely the badges actually might be ready for xmas, to i have like a week left.
so after the last log one of the things i ended up working on was the encrypted bootloader / flashtools from ST, i spent a few days on it, rewrote their flash tool, added some features etc. Discovered we're likely missing a small part of firmware that ST doesn't give out. Which is a shame that an electronics OEM wants to keep a neat feature to itself, but that is how it goes. I messed up a couple of the Nucleo 446 dev boards, but not enough to stop working, just lost one feature.
after that i threw together some of the morpho headers and made a little pop on board that had the LCD breakout, sd card , usb device and speakers , sent them off to seeed for making, then i remembered i'd forgotten to add the mcp2551 CAN transceivers, so added those and a week later submitted the boards to itead,.. just about a week later the itead boards showed up.
setup the boards, pretty much everything worked, went on to test the CAN adapters, i'd been using a little waveshare board i'd had to test with before. Couldn't get much out of the CAN just a small blip here and there. Read over the docs, added a 10K slew resistor to it, fiddled, re-fiddled, then mmca said , is that chip ok for 3.3V i said yes, i'd checked it on the internets and i know i'd used it before (but on a 5V part), so yes i had that sinking feeling, but it was working on ther chip.
now fast forward to the day of #supercon and a late name,t hen early 6AM morning finishing up code, we got the PCB's in a few days ago but the two sizes of LQFP64 bit us again, even though we used the BSDL from the OEM. Once we got the PCBs in it was really obvious the chip was the wrong size. So went in with the prototypes instead, they're basically the same. I dropped a new PCB to itead this morning as well.
i added a simple CAN bus viewer that just dumps the CAN bus traffic coming in.
For the NES emulator (which is pNesX) I did the following
- Added game pads to CAN bus for read and write, so you can do two/four player etc.
- Added a memory read/write over CAN bus to get access to the internal memory of the the emulator
- Added CAN bus to the NES fceux on the PC so that you can play on the PC against the badge (uses j2534 dll)
- ECU reflash function
So our Idea is to teach how to hack on CAN bus but make it easier and a bit more interesting, the principle of it is the same as doing it on a car's CAN bus, you can read/log/inject and interact with the memory on the device, except its more fun you can hack into peoples games grab screen shots, disassembly, change scores , change joystick commands etc, auto play, the list goes on.
These are basically the same things as you do with the car, you listen to the bus do something , record it and see what it is , decode the CAN packets, log, graph and replay, and you're playing a game. You can also do all the same things to the CAR, logging, injection, MITM, etc
We're not obfuscating the protocols , they're very simple and I'll publish them as i refine them, but the idea is basically commands to read/write byte/word/dword you tell it the size and address, and the badge replies with the data, or updates the memory. The memory mapping is the the same layout as the NES,.
Everything is packed up in boxes at the moment as i just got back, so i'll add pictures and videos.
We're almost getting to "badges by Christmas," which hopefully will really give me time to polish up and makes lots of various firmware before layerOne, which never happens as i'm usually down to the wire.
mmca is finishing up the battery design, looks like we're going back to the iPod battery, and not an 18650, no CR123s this year, it'll be similar to the Proxmark layerOne board of 2014.
CAN bus logger running on prototype board, this is listening to a Hyundai ECU