Embedded hardware vulnerability research
Catching up on a lot of projects
Rust does not allow function overloading or variadic functions, so a few different options are available to handle different use cases. I will not go into depth about all the options, but I want to show off one option that I didn’t see in the blog posts I found but instead discovered while working with TcpStreams. The signature for connect() is `pub fn connect<A: ToSocketAddrs>(addr: A) -> Result<Self>`, and it can be called with a variety of arguments without any explicit conversion:...
It has been a very long journey with input methods for me, but I pretty much settled on the ErgoDox as my daily driver. At least when I’m at my perfect desk. But between commuting and traveling and late night hacking on the couch, I can be bound to a borrowed keyboard or the laptop keyboard. And that’s usually when my tendinitis flares up, since I use the GUI button heavily and can’t easily rebind it – but also never found a good placement for fn keys....
I usually start any research by looking at normal usage to get an understanding of the system, understand the interfaces, etc. Since it’s my car, I’m quite familiar with the user exposed parts. Next is usually the firmware upgrade process to get a clean version of the firmware. Luckily, the CMU gets fairly regular updates, but they are usually installed by a dealership. CMU updates Searching for CMU updates leads to various options to download the ....
Staring at a screen for too long always starts those curious thoughts about what’s driving it, where the data comes from, whether it can be messed with. I held myself back for a very long time because I can’t risk bricking an expensive car, but at least I wanted the fancy new CarPlay upgrade. Unfortunately the dealership quoted a ridiculous price of $500, so I took matters into my own hands anyway....
Why should Linux have all the fun? Configuration Find help here. Not so obviously: the configuration file path is stored in $PROFILE. Usually that directory and file don’t exist, so they should be created: `if (!(Test-Path -Path $PROFILE)) { New-Item -ItemType File -Path $PROFILE -Force }` (source). Then open it with `code $PROFILE`. Because Windows has stricter defaults than it did in the past, the ExecutionPolicy has to be updated. Please understand the change!...
A closer look at the hardware. Opening the toothbrush Thanks to iFixIt we got it open fairly quickly. The bottom cap has the following information. The FCC ID is 2ADZNHX68 and tells us that it’s using 13.56 MHz, so NFC. Based on Cyrill’s information, that’s used for saving the toothbrush run time. The whole disassembly looks like this. SOC The best shot of the SOC I found is here. The chip is a Cypress CY8C4146AZI-S433, now acquired by Infineon....
Sometimes jump tables are borked, especially when a binary has to be loaded rwx; specifically, the issue is with writable memory. So fixing up the jump table from `int32_t jt[0xd]` to `int32_t const jt[0xd]` makes Binary Ninja happy again. This is a relevant GitHub issue. Example In a recent firmware I encountered that issue. The whole blob was mapped as rwx because some of the memory ranges would change, but I didn’t know which ones yet, and I didn’t want to hand-pick the ranges either....
I woke up to a strange buzzing sound coming from my bathroom. It turns out that one of our toothbrushes started its own life and turned itself on and then off again after a while. So I did what any self-respecting hacker would do: I threw it out the window and let the battery run out, and went back to sleep. The next morning I took the toothbrush and put it on my lab bench to be disassembled, hoping that it could be salvaged by cleaning it out or replacing an obvious part....