Linux Arcade Cab Gives Up Its Secrets Too Easily

In some cases, reverse engineering embedded systems can be a right old faff, with you needing to resort to all kinds of tricks such as power glitching in order to poke a tiny hole in the armour and get a way in. In other cases, the door is just plain wide open. This comprehensive exploration of an off-the-shelf retro arcade machine is certainly in that second camp, for whatever reason. [Matthew Alt] of VoidStar Security took a detailed look into how this unit works, and it reads as a terrific introduction to how embedded Linux is put together on these minimal systems.

Could this debug serial port be much more obvious?
The hardware is the typical bartop cabinet, with dual controls and an LCD display, and just enough inside a metal enclosure to drive the show. Inside this, the main PCB has the expected minimal ARM-based application processor with its supporting circuitry. The processor is the Rockchip RK3128, sporting a quad-core ARM Neon and a Mali400 GPU, but the main selling point is the outstanding Linux support. You'll likely see this chip or its relatives powering low-cost Android TV boxes, and it's the core of this good-looking 'mini PC' platform from Firefly. Perhaps something to consider, seeing as Raspberry Pis are currently so hard to come by?

Anyway, we digress a little. [Matthew] breaks it down for us in a very methodical way, first by identifying the main ICs and downloading the relevant datasheets. Next he moves on to connectors, locating an internal, non-user-facing micro USB port, which is certainly going to be of interest. Finally, the rather obvious unpopulated 3-pin header is clearly identified as a serial port. This was captured using a Saleae clone to verify it really was a UART interface and to measure the baud rate. After doing that, he hooked it up to a Raspberry Pi UART and, by attaching the usual screen utility to the serial device, lo and behold, a boot log and a root prompt! This thing really is barn-door wide open.
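The baud-rate measurement step above is worth seeing in code. The following is an added example, not code from the article or from VoidStar Security: given the transition timestamps a logic analyzer exports, it takes the shortest pulse as one bit period, snaps the estimate to a standard rate, and then decodes the 8N1 frames the same way a terminal would. The capture it runs on is constructed here by `encode_8n1()` (the text "U-Boot" at 115200 baud); with a real analyzer you would feed in its exported `(time, level)` list instead.

```python
"""Estimate a UART's baud rate from logic-analyzer edge timings and decode 8N1 frames.

Added example, not code from the original article or from VoidStar Security.
The edge list is constructed below (a simulated capture of "U-Boot" at 115200
baud); a real capture would come from the analyzer's exported transitions."""

STANDARD_BAUDS = [9600, 19200, 38400, 57600, 115200, 230400, 460800, 921600, 1500000]


def encode_8n1(data: bytes, baud: float) -> list:
    """Constructed capture: (time_s, level) transitions for `data` sent as 8N1.
    The line idles high; each frame is start(0), 8 data bits LSB first, stop(1)."""
    bit = 1.0 / baud
    edges = [(0.0, 1)]            # line idle high at t=0
    level, t = 1, 2 * bit         # a little idle time before the first byte
    for byte in data:
        for v in [0] + [(byte >> n) & 1 for n in range(8)] + [1]:
            if v != level:
                edges.append((t, v))
                level = v
            t += bit
    return edges


def estimate_baud(edges: list) -> tuple:
    """The shortest pulse in a UART capture is one bit period, so 1/shortest is
    the raw baud estimate; snap it to the nearest standard rate."""
    widths = [b - a for (a, _), (b, _) in zip(edges, edges[1:]) if b > a]
    raw = 1.0 / min(widths)
    return raw, min(STANDARD_BAUDS, key=lambda s: abs(s - raw))


def level_at(edges: list, t: float) -> int:
    """Line level at time t: the level set by the last transition at or before t."""
    level = edges[0][1]
    for time, v in edges:
        if time > t:
            break
        level = v
    return level


def decode_8n1(edges: list, baud: float) -> bytes:
    """Decode 8N1 frames by sampling mid-bit after each falling edge that starts
    a frame. Frames whose stop bit is not high are dropped as framing errors."""
    bit = 1.0 / baud
    out = bytearray()
    next_frame = 0.0
    for time, v in edges:
        # Only a falling edge outside the current frame can be a start bit.
        if v != 0 or time < next_frame:
            continue
        value = 0
        for n in range(8):
            value |= level_at(edges, time + (1.5 + n) * bit) << n
        if level_at(edges, time + 9.5 * bit) == 1:
            out.append(value)
        next_frame = time + 9.5 * bit  # next start bit cannot begin before the stop bit
    return bytes(out)


if __name__ == "__main__":
    capture = encode_8n1(b"U-Boot", 115200)
    raw, snapped = estimate_baud(capture)
    print(f"raw estimate {raw:.0f} baud -> nearest standard rate {snapped}")
    print(decode_8n1(capture, snapped))
```

The snap-to-standard step matters in practice: jitter and the analyzer's sample clock mean the raw estimate is rarely a round number, and a boot log that decodes as garbage is usually a sign the rate snapped to the wrong neighbour, not that the port is not a UART.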

Is that a root prompt you have for me? Oh why yes it is!
Simply by plugging in a USB stick, the entire flash memory could be copied over, partitions and all, giving a full backup in case subsequent hacking messed things up. Being based on U-Boot, it was a trivial matter of just keying in Ctrl-C at boot time, and he was dropped straight into the U-Boot command line, from which all the configuration could be easily read out. By using U-Boot to low-level dump the SPI flash to an external USB device, via a copy through RAM, he showed he could do the reverse and write the same image back to flash without breaking anything, so it was now possible to reverse engineer the software, make changes, and write it back. Automation of the process was done using Depthcharge on the Raspberry Pi, which was also good to read about. We'll keep an eye on the blog for what he does with it next!
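Before trusting a flash dump as the "undo" for everything that follows, it pays to sanity-check it, and after a write-back to read the flash again and compare. Here is an added example of both checks, not code from the article or from VoidStar Security: it flags an image that is mostly erased (0xFF) or zero blocks, which usually means the read itself failed, and reports which erase blocks differ between the original dump and a read-back. The 4 KiB erase-block size and the sample image built by `make_sample_image()` are constructed assumptions; a real run would read the two image files from disk.

```python
"""Sanity-check a raw flash dump and compare it against a post-write-back read.

Added example, not code from the original article or from VoidStar Security.
ERASE_BLOCK and the sample image are constructed assumptions."""
import hashlib

ERASE_BLOCK = 4096  # assumed SPI NOR erase-block granularity


def block_stats(image: bytes, block: int = ERASE_BLOCK) -> dict:
    """Count erase blocks that are entirely 0xFF (erased) or entirely 0x00.
    A dump that is almost all blank usually means the read went wrong (wrong
    offset or length, or the bus was not really talking to the chip)."""
    total = (len(image) + block - 1) // block
    erased = zero = 0
    for i in range(total):
        chunk = image[i * block:(i + 1) * block]
        if chunk.count(0xFF) == len(chunk):
            erased += 1
        elif chunk.count(0x00) == len(chunk):
            zero += 1
    return {"blocks": total, "erased": erased, "zero": zero,
            "sha256": hashlib.sha256(image).hexdigest()}


def looks_usable(stats: dict, max_blank_fraction: float = 0.9) -> bool:
    """Reject an image in which nearly every block is blank."""
    if stats["blocks"] == 0:
        return False
    return (stats["erased"] + stats["zero"]) / stats["blocks"] < max_blank_fraction


def diff_blocks(original: bytes, readback: bytes, block: int = ERASE_BLOCK) -> list:
    """Indices of erase blocks where the read-back differs from the original.
    An empty list means the write-back reproduced the image exactly."""
    if len(original) != len(readback):
        raise ValueError(f"length mismatch: {len(original)} vs {len(readback)}")
    return [i for i in range(0, (len(original) + block - 1) // block)
            if original[i * block:(i + 1) * block] != readback[i * block:(i + 1) * block]]


def make_sample_image(blocks: int = 16, block: int = ERASE_BLOCK) -> bytes:
    """Constructed stand-in for a dump: a marker block, pseudo-random data,
    and three erased blocks at the end, as real images commonly have."""
    out = bytearray(b"CONSTRUCTED-IMAGE-HEADER".ljust(block, b"\x00"))
    for i in range(1, blocks - 3):
        out += bytes(((i * 131 + j * 7) & 0xFF) for j in range(block))
    out += b"\xFF" * (block * 3)
    return bytes(out)


if __name__ == "__main__":
    dump = make_sample_image()
    stats = block_stats(dump)
    print(stats, "usable" if looks_usable(stats) else "SUSPECT")
    readback = bytearray(dump)
    readback[5 * ERASE_BLOCK + 100] ^= 0x01      # simulate one corrupted byte
    print("differing blocks:", diff_blocks(dump, bytes(readback)))
```

Reporting differences per erase block rather than per byte is deliberate: a re-flash fix is done at erase-block granularity, so that is the unit you would rewrite, and a handful of differing blocks at the end of the device often just means the tool padded the image rather than that data was lost.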

As we've covered before, embedded Linux really is everywhere, and once you've got hardware access and some software support, hacking in new tricks is not so hard either.
