[HN Gopher] Reverse engineering an e-ink display
___________________________________________________________________
Reverse engineering an e-ink display
Author : redfast00
Score : 118 points
Date : 2023-02-10 12:11 UTC (10 hours ago)
(HTM) web link (zeus.ugent.be)
(TXT) w3m dump (zeus.ugent.be)
| blutack wrote:
| Nice article - is the idea to communicate with the tags with
| their stock firmware using another CC25x series chip or dev
| board?
|
| Unfortunately, that might be tricky without the private keys in
| the controller. User manual [0] describes a per site 128 bit AES
| keys used for the RF comms.
|
| Might be easier to just write fresh firmware for them - there's
| some code here [1] for driving the display that could be ported
| to the CC2510. There's SDCC support for at least the CC2511 as
| used in the Pololu Wixel [2]. It's certainly possible that their
| cryptosystem is broken but I wouldn't bet on it.
|
| 0: https://fcc.report/FCC-ID/2ACQM-EDG2-0590-A/4393106
|
| 1:
| https://github.com/atc1441/E-Paper_Pricetags/tree/main/GxEPD...
|
| 2: https://www.pololu.com/product/1336/resources
| redfast00 wrote:
| The idea is indeed to communicate with the tags with their
| stock firmware (not necessarily using another CC2510, since
| these aren't made anymore, but that's a possibility).
|
| AES is symmetric cryptography, so that should be possible to
| extract from the firmware. The tags also show a QR code when
| they aren't initialized yet, this is likely the setup key. I
| also read that even if tags are already initialized, it's still
| possible to reset them with some kind of PUK (not sure how to
| get that PUK though)
|
| I couldn't find a datasheet for the e-paper screen, so even if
| re-implementing communication with stock firmware proves to be
| infeasible, I'll still need the dumped firmware to figure out
| how the e-paper screen is controlled.
| blutack wrote:
| Some of the marketing mentioned private keys so I stupidly
| assumed a per transmission negotiation mechanism but of
| course they probably just mean "symmetric key". A per tag key
| extraction would be annoying though presumably. The PUK
| mechanism is very interesting, I'm interested to see what you
| find in the firmware...
|
| For the display, this poster has something similar and talks
| about a datasheet - there's even a pinout for the flex cable
| (and it's supposedly SPI) [0]. It's for the 2.6" version not
| the 2.7 though so might be totally different. A comment on
| the post (by this person [1]) claims that they have working
| cleanroom CC2510 code that drives the display but who knows.
|
| Great project anyway - I look forward to part two (and what
| you find on that flash chip)!
|
| (Edit: sorry if you know this already, but there's a manual
| for the labels themselves [2] implying the setup page is
| permanently stored in one of the 4 slots - hopefully in that
| external flash chip)
|
| 0: https://epongenoir.blogspot.com/2017/10/
|
| 1: http://andreiprojects.blogspot.com/
|
| 2: https://fccid.io/2ACQM-EDG1-0260-A/User-Manual/User-
| Manual-5...
| redfast00 wrote:
| Thanks for the interest :) If you have an RSS feed reader,
| you can add our RSS feed, so you'll automatically get the
| next blog posts https://zeus.ugent.be/feed.xml
| layer8 wrote:
| It still somehow breaks my intuition that it's cost-effective to
| have thousands of these deployed in each supermarket. I mean, I
| do understand it rationally, but it's still weird.
| soco wrote:
| What happens if you see a product with price X and by the time
| you checkout it has price Y? Can you claim somehow the previous
| price?
| Gigachad wrote:
| Same could happen with paper tags while they are in the
| process of updating them.
|
| Best solution would be to have a transition period where for
| x hours it's at the lower price in the system.
| reaperducer wrote:
| Supermarkets already have inventory robots (look for the high-
| contrast markers around the store), and shelf-stocking robots
| are on the way. It makes sense that the next step is to
| eliminate another human job and give it to the robots you
| already have running around the store.
| koffiedrinker wrote:
| The extra cost of these tags is easily offset by the money you
| save on employees having to regularly update paper tags
| (especially in Belgium where labour costs are very high).
| Mraedis wrote:
| I wonder how popular this tag must be/have been to be able to
| find someone that had already dissolved/sandpapered it? Can't
| wait for the follow-up on this, turn that e-waste into something
| usable!
| jabroni_salad wrote:
| Kohls has used tags like this for years. I guess it makes sense
| if you are actually adjusting prices daily
| Tagbert wrote:
| Best Buy stores use these kind of tags, too.
| redfast00 wrote:
| When I recently visited, I saw that the local IKEA uses these
| tags, so I'd guess these are rather popular.
| reaperducer wrote:
| I saw them at a Walmart in Texas a few years ago, so they're
| probably quite widespread by now.
| irsagent wrote:
| Very well written article. I have been looking for some
| inspiration to get into hardware hacking and I think this article
| did it for me.
|
| I find it interesting that in most writeups voltage injection is
| a popular approach to turning on debug mode. The article makes
| mention of other classes of fault injection attack such as clock
| glitching or electromagnetic fault injection, but are there other
| approaches that I could look into, just out of curiosity?
| redfast00 wrote:
| Voltage injection is (IMO) the easiest attack. There's also
| optical fault injection, where you remove the black
| encapsulation from the chip and hit the bare die with a laser
| (that sounds really difficult though).
|
| On some chips, you can drill into the black encapsulation and
| find testpads that are not connected to pins on the IC. This is
| sometimes used for smartphone unlocking.
|
| Edit: Thanks for the compliment by the way, it really made my
| day that I got someone interested in hardware hacking
| dave78 wrote:
| I wonder if there are larger implications to reverse-engineering
| this. When I worked in retail in high school, I was told
| repeatedly that if a price was marked on a shelf, then there are
| laws that require the store to sell that item for that marked
| price. (IANAL so I don't know the nuances there, but it makes
| sense). If it becomes easy to change these displays with a new
| price wirelessly, that could be a really nasty problem for any
| stores using these displays.
|
| Hopefully for the store's sake, there'd be some sort of
| public/private key system so that only the holder of the private
| key can distribute price changes wirelessly. I wouldn't bet money
| on that though.
|
| (edit) - I see someone else posted the manual and that there's a
| per-site AES key. That's a good sign I guess.
| mig39 wrote:
| I once scored a big bunch of coffee because the local Canadian
| Superstore confused cents with dollars. The price was listed in
| cents per kg instead of dollars!
|
| At first they refused to honour the price, and fixed their
| mistake.
|
| I sent an e-mail with photos to their corporate office. I
| received a phone call from someone who was laughing and thought
| it was all funny. He told me to go back to the store, and as
| much as I could carry, they would honour the posted price.
|
| Cost me like less than a dollar for 4 or 5 kilos of coffee!
| ThePowerOfFuet wrote:
| Loblaw can definitely afford it.
| adversaryIdiot wrote:
| That is awesome to hear
| dcow wrote:
| I've only seen a store honor the floor price when it was
| clearly wrong like once and it was for an item that they were
| trying to get rid of anyway. I've heard the lore too and can't
| understand how it could be legally binding for a store to sell
| an item at the sticker price. Wouldn't people just walk in with
| little stickers and mark stuff down as they wished? My wife
| works in retail and confirms that stores don't just give out
| items at a loss when the price is mislabeled. They fix it and
| apologize. My experience confirms this too.
|
| These days stores essentially just map an item's UPC to a price
| in a DB in their point of sales software. The price isn't
| encoded on the tag. Which brings me to my question: why the
| heck are we making an eink price tag with heavy security when
| the source of truth is the POS anyway? I mean no negativity
| about reversing one, it's a super interesting and fun project.
| Just, "why?" in the first place does this thing exist? Maybe
| it's just convenience and saves on labor costs to be able to
| update the price of all the items in your store at once and not
| pay a human to go out and relabel them?
| reaperducer wrote:
| _the source of truth is the POS anyway_
|
| In a technical, ideal sense the PoS is the source of truth.
| But life is messy.
|
| PoS may lose connectivity. PoS may be running an outdated
| version of the software. PoS is based on some unreliable
| operating system or low-end PC, and is unreliable. PoS
| doesn't know about the store manager's last minute special
| because the distributor sent too much stock. Stores don't
| have in-house IT guys.
|
| From a legal standpoint, in some states, the price on the
| shelf label is the source of truth. My grandmother lived in a
| state where if the price on the shelf was lower than in the
| PoS you got the item for free.
|
| She was very good at catching those errors and complained
| bitterly when the law was changed so that the customer only
| got the lower price.
| bsder wrote:
| > I've only seen a store honor the floor price when it was
| clearly wrong like once and it was for an item that they were
| trying to get rid of anyway.
|
| I bought six packs of Diet Coke from Target at a discounted
| price for almost 6 months because they left an old tag up at
| one particular store. :)
| rhd wrote:
| Here's an example in Michigan's law:
|
| The Shopping Reform and Modernization Act, or Scanner Law,
| requires that most items on store shelves be clearly
| displayed with the price; by signage, electronic reader,
| price sticker, or any other method that clearly and
| reasonably conveys the price to a consumer in the store at
| the place where the item is located. If an automatic checkout
| system (scanner) charges you more than the displayed price of
| an item, and:
|
| the transaction has been completed, and you have a receipt
| indicating the item purchased and the price charged for it;
| Then:
|
| You must notify the seller that you were overcharged, within
| 30 days of the transaction, either in person or in writing.
| Within two days of receiving your notice, the seller may
| choose to refund you the difference between the amount
| charged and the price displayed plus a "bonus" of ten times
| the difference, with a minimum of $1.00 and a maximum of
| $5.00. If the seller does not pay you both the refund and the
| bonus, you may bring a lawsuit to recover your actual damages
| or $250.00, whichever is greater, plus reasonable attorney
| fees up to $300.00. You may instead file a complaint in a
| small claims court without an attorney.
|
| https://www.michigan.gov/ag/consumer-protection/consumer-
| ale...
| dave78 wrote:
| I think that page backs up what I thought, at least for
| Michigan. The law views the price displayed on the shelf as
| being the correct price, and if the POS system doesn't
| match then the law says the POS system is wrong. Also
| there's another interesting FAQ there which further
| reinforces it.
|
| Now, if an e-ink display is changed by a hacker, that's
| obviously fraud and presumably the store wouldn't have to
| pay up, but I assume that would be tough to catch because
| the store wouldn't likely assume it had been hacked and
| even if they thought so they'd probably have to prove it
| somehow.
|
| From the FAQ:
|
| What if the wrong price is displayed for an item and the
| clerk catches it before I pay; am I entitled to buy the
| item at the displayed price?
|
| This is a fact-specific question best answered by a court.
| A store may not knowingly charge or attempt to charge a
| price higher than the price displayed for that item.
| Therefore, the consumer may have a claim if the store will
| not sell the item at the price displayed. However, the
| consumer may face obstacles convincing a court that the
| store knowingly charged the higher price when the pricing
| mistake is not intentional and will result in an obvious
| windfall to the consumer.
| MayeulC wrote:
| How about glitching a write instruction to overwrite the copy
| protection register instead?
| mike256 wrote:
| Glitching a write instruction is a little dangerous. But if you
| have many chips to try or can live with an incomplete, possibly
| corrupted dump, feel free to do it.
| MayeulC wrote:
| Well, the exploit could be perfected on the device that can
| be reset first. I understand that writing a wrong address can
| have unattended consequences, but the read cycle should come
| first, and glitching likely affects the address decoding
| circuitry (as opposed to the SRAM registers), so it's
| probably hard to miss.
|
| I understand wanting to play it safe though.
|
| One thing comes to my mind though: each board likely needs
| slightly different timings.
| redfast00 wrote:
| I had also thought about this, but this is much harder to pull
| off, since
|
| 1. You need a lot of instructions in sequence to succeed,
| enough that the chance that all succeed is very very small
| (recall that there's only about a 5% chance we execute an
| instruction correctly, if for example there are 10 instructions
| you need to execute, the chance is 0.05*10). If you write to a
| wrong location because an instruction didn't execute, you lose
| a byte of the flash.
|
| 2. Before writing to flash, you need to stabilize the clock of
| the chip (this is also done with 8051 instructions). For this,
| you need to wait until a register value changes. This is
| feasible, but an additional hurdle.
| focusedone wrote:
| I'm so happy there are people out in the world able to reverse
| engineer things like this and share the results publicly.
| Freakin' cool.
| JKCalhoun wrote:
| Yeah, waiting for them to finish up so Rob Cockerham can go
| into a COSCO and have some fun slightly altering the price
| tags.
| mk_stjames wrote:
| I wonder what the motivation is for the attempt to use the stock
| firmware and reverse engineer whatever communication and
| potential key signing the device has from the factory, versus
| just wiping the flash / desoldering and replacing with completely
| new firmware from scratch.
|
| That would require completely tracing the PCB out to understand
| the display drive from the uC and other pin assignments, but... I
| find that much easier. And then the end result is the potential
| for a completely understood hardware & software configuration.
| redfast00 wrote:
| The person who brought the tags has a lot of them, more than
| the 3 they donated to Zeus. If we replace the firmware, we have
| to do this for every device, which would be a lot of manual
| work (opening case, adding probes, flashing firmware, ...).
| This is even more work per device if you have to desolder the
| uC from the PCB and solder something else to it.
|
| Reverse engineering the communication protocol is a lot of
| work, but only once. After that, you can talk to stock devices,
| without having to modify their hardware or software.
|
| I also didn't find any datasheets for the e-ink display or how
| to control it, so here also the stock firmware can come in
| useful.
|
| Aside from practical concerns, I won't lie, I also took this
| path because it's fun to do and I could practice hardware
| hacking.
| dclowd9901 wrote:
| > The biggest barrier to hacking is often the fear that you'll
| break something while poking around. But you have to break eggs
| to make an omelet; likewise, you have to be willing to sacrifice
| devices to hack a system. Fortunately, acquiring multiple copies
| of a mass-produced piece of hardware is easy. I often do a bit of
| dumpster diving or check classified advertisements to get sample
| units for research purposes. I generally try to start with three
| copies: one to tear apart and never put back together, one to
| probe, and one to keep relatively pristine.
|
| I love learning this kind of stuff through this site. In the
| world of reverse engineering or hacking stuff together, it feels
| like such a fumbly exercise that there just isn't any discipline
| to it, but experts definitely learned some tricks and learning
| from them is such a treat. I'll have to download that book and
| give it a read sometime soon.
| LeifCarrotson wrote:
| The author of that quote, Andrew "bunnie" Huang, has an
| excellent blog which is also worth reading:
|
| https://www.bunniestudios.com/blog/
|
| You can grab the download directly from NoStarchPress:
|
| https://nostarch.com/hardwarehackerpaperback
| adversaryIdiot wrote:
| God I wish this could be me so bad. But they do some really crazy
| stuff to hack this and I just don't have the time or mental
| capacity to learn.
| GianFabien wrote:
| I might be missing something. I've seen other reverse engineering
| projects where they simply unsoldered the flash memory and read
| out the contents. Wasn't that an option?
| redfast00 wrote:
| This might not have been clear in the blogpost, thanks for
| asking. There are two storage locations on the PCB: the
| external flash chip, and the internal flash on the
| microcontroller. I recall that someone else tried to read out
| the external flash chip, but nothing interesting was found,
| only the image data on the screen. In this blog post, I read
| out the code that handles the RF communication and talks to the
| screen.
___________________________________________________________________
(page generated 2023-02-10 23:00 UTC)