Written by Elecia White.
We have all heard that so-and-so was meant to be an engineer because they took things apart as a child. I wasn’t like that. If I took things apart, it was more in a smashing fashion. And, they never went back together (sorry, Mom).
The first time I remember reverse engineering something was in college, freshman or sophomore year. An engineer from Mattel visited, bringing Barbie dolls and razor blades. We dissected the dolls and really looked at the skeleton, joints, and skin. The knees are fascinating, well worth a look. It was a mechanical and manufacturing master class.
On episode 115 (Datasheep), we talked to Dan Hienszch of Rheingold Heavy about his work reverse engineering the Arduino UNO electronics. Of course, the Arduino UNO is open source hardware so Dan doesn’t have to guess about what is on the board. Instead Dan has been trying to figure out the whys of everything from voltage regulators to op amps. It is a hardware centric view of what is generally a software platform.
This approach of trying to rebuild something from scratch is a fantastic way to learn. It is like having a book of quiz questions with the answers in the back.
Q: Build a board that can transition seamlessly between USB power and input power limits 6-20V.
Q: Demonstrate the circuitry necessary to shield a board from ESD on the USB connector.
Q: Make an LED controllable via processor but not lit under certain conditions.
With the Arduino UNO schematic, you don’t get to see the solutions being created but you know that there are answers. Dan decided that someone needed to show their work. I’m happy to read along.
I have thought that reverse engineering was derivative and often destructive. I sometimes forget how incredibly educational it is. Knowing the answer isn’t enough, the “engineering” part of reverse engineering refers to understanding the whys and hows of the answer. Dan said he definitely approached the board, especially the USB connection part of the Arduino, with the idea of, "I'm going to learn how they did it, so I can use that on projects in the future."
This harkens back to episode 101 (Taking Apart the Toaster) with Micah Elizabeth Scott. She is one of those people who take things apart. Her Coastermelt video series involves reverse engineering Blu-Ray disc recorders using a source code disassembler. I was amazed at what she’d done and I learned so much from those videos about how Blu-Rays worked. Why doesn’t it occur to me to do those sorts of projects? And where would I get started?
As a developer, I do consider how to protect my products against intrusion (or how to balance ease of debugging with the importance of security). But I tend to be a builder, focusing on making something from blocks rather than tearing apart my toys (though that Barbie demo was awesome, it didn’t change my general worldview). Nonetheless, when I do wonder how something is built (or I look at hacking my own product), I have some tools to consider:
- Screwdriver. This seems obvious but since I don’t tend to take things apart, having a screwdriver handy reminds me that its enclosure needn’t get between me and learning something new.
- Voltmeter. With a multilayer board and BGA mounted processor, it may be impossible to follow all of the traces. On the other hand, test points (and manufacturing pins) are there for a reason. Find all the ones that connect to ground and power. Every other pad there is going to be useful.
- Logic analyzer and/or scope. Many devices ship with debug serial available somewhere. If you can find it, well, now you are listening to the muttering of the developer’s brain. Even if you can’t get that, I2C and SPI will tell you a lot about the devices the system talks to.
- Disassembler. Micah used IDA which looked amazing. I haven’t gotten to looking at other people’s code, sucked out from the system ROM. Yet.
There is so much further to go. Power analysis is an amazing (and frightening) tool for looking at security (see Chip Whisperer). Different microscopes and inspection tools (x-ray, CT, etc) will let you look inside board layers and inside flash memories, but that’s way further than I want to go, especially if I want to get something and see how it works.
Taking a step backward, I would look at the device and think about how I’d design it, essentially make a block diagram. Once inside the box, update the block diagram until it looks as much like a schematic as I can get from the information available. Just as Dan is doing with the Arduino, figure out what these circuits do (Dan suggested TinEye Reverse Image Search to find circuit snippets that may explain unknown areas.
With all that as a plan, now I need to figure out what to take apart. Natalie Silvanovich took apart her Tamagotchi (111: Potty Train Your Tamagotchi). I can see the attraction: she was deeply into the device. So I need something I’m interested in. I wonder if a BB8 toy is going on sale this week. Or perhaps I need a Sphero to make my own. I can see the conversation with my accountant about business expenses from Toys R Us:
Acct: “You bought a toy? And you bought it just to destroy it?”
Me: “No, I bought it to learn from it.”