Travis Goodspeed
Merchant of Dead Trees and Licensed Proselytizer of the Gospel of the Weird Machines with Pwnage, PoC, and Secular Rock.
Apr 4 9 tweets 3 min read
I need a few Mediatek MT1335WE chips for an upcoming book. If you have a DVD-ROM drive in your junk drawer, could you please check to see if it has this controller?

Other chips in the series will not work, but retweets are appreciated. Found some MT1335WE chips, so here's a short thread on how they are reprogrammed.

The exploit is performed by a tiny drill hole in the east of the chip, just a little north of center. This unlocks it for a single write, when its identity can change to work with an XBox 360 Slim.
Nov 25, 2023 19 tweets 8 min read
A while back, @david_rysk asked me to dump the firmware of the Wersi SL-M2 51173 Slave Sound Generator, a plugin module for Wersi's DX10 synthesizer. @p4ula sent me three boards from Germany, and this thread will show the extraction process from the saw to the bits. 1/n The Z8 chips are known to have a diffusion ROM, but I don't want to waste HNO3 dissolving the whole package. Instead, I used a bandsaw and a handy PCB jig to saw out the center. Soldered legs keep it from flying off. 2/n
Mar 16, 2023 20 tweets 7 min read
87072 Floppy controller from @intel. 1/n Both Intel and NEC copyright marks on the die. 2/n
Dec 17, 2022 22 tweets 8 min read
I need some good photographs of the MYK78 Clipper Chip, but the best ones available are my own photos from grad school, and those aren't quite good enough.

So let's go step by step and see what's inside! 1/n Desoldering with hot air burns off a bit of the paper label. 2/n
Dec 9, 2022 21 tweets 6 min read
I have accurate 32-bit words from an ARM32 firmware image based at 0, but I have them in the wrong order. This @radareorg one-liner dumps a bunch of literal-pool pointers from the image, so that I can know when I've got things aligned right. I'll know that things are perfect when none of those 32-bit values on the right look like ARM machine code. They should start looking like pointers to the first 16 bits of the address space.
Oct 8, 2022 12 tweets 5 min read
Over the summer, I got nerd sniped with extracting bits from microscope photographs of mask ROMs. Here is my C++/Qt6 CAD tool for marking and extracting bits, including Design Rule Checks, a variety of export formats and a CLI.

maskromtool.com You begin by opening an image in the tool, preferably one that is losslessly compressed.
Sep 8, 2022 19 tweets 7 min read
Dallas DS5002, an early secure microcontroller. Nonvolatile memory is encrypted with a 64-bit key. The chip is also available with an internal microprobe shield, but I don't think that was included in my sample. 1/n The model number is clearly written in the northwest corner, so there's no need to guess which device we found. 2/n
Sep 29, 2020 9 tweets 4 min read
1/n This past weekend, I published my Android app for programming memory entries into Kenwood radios over Bluetooth or TCP/IP.

Here's the google play link, but follow along if you'd rather write your own. #hamradio
play.google.com/store/apps/det… 2/n Kenwood radios are programmed over a serial port, but the protocols are undocumented. Thankfully I didn't need to reverse engineer it from scratch because LA3QMA helpfully hosts accurate unofficial documentation for each command.

github.com/LA3QMA/TH-D74-…
May 3, 2019 28 tweets 11 min read
Next up at @BSidesKnoxville on the Scruffy City Hall stage is @brandonwilson telling the history of Texas Instruments graphing calculator hacking! I've been waiting years for this lecture. He has one of every model, including engineering prototypes and development samples.
May 3, 2019 12 tweets 5 min read
Next up on the Scruffy City Hall stage of @BSidesKnoxville is @bxsays. Drop what you are doing and catch this talk! In Bx' view, a bootloader is just another type of executable loader. ELF, PE or Uboot, they are still loading a program into memory before jumping into it.
Jan 16, 2019 6 tweets 2 min read
Have you checked the water level and specific gravity of your car's battery lately? Don't forget to reduce the pressure in the outer chamber or the tires after you receive your new car from the factory!
Dec 11, 2017 42 tweets 17 min read
Howdy y'all! In this friendly little tweety-box thread, I'd like to share my new project with you. It's called the GoodWatch, and it will be next month at Shmoocon. 1/n I began by measuring the pinouts of the LCD and keypad of the Casio 3208 watch module, shown on the right, and cloning them into my own GoodWatch10 PCB on the left. The sticky notes let me distinguish COMMON from SEGMENT pins in the LCD, so that my wiring would be correct. 2/n