Sunday, January 5, 2020

How Smart Is My Monitor? (Part 1)

A couple months ago I bought a set of LG 49WL95C-W monitors, and of course after unboxing, the next logical thing to do is to start reverse engineering.

After finding out that LG's OnScreen utility (for macOS or Windows) can update the firmware, I opened up Activity Monitor to check what files were open.


I could have opened up Cache.db in a SQLite viewer, but strings works to get what I want to know: the firmware URL.

https://lmu.lge.com/ExternalService/onscreencontrol/fw/49WL900G/MODEL_49WL900G_SV3.02_PV1.0.5_NV2.18_20190422.zip

After downloading this file and trying to extract it, it turns out there's a password, which was trivial to spot in the binary.



Using "49WL900G!LGdasusodkug!@#" as the password worked as expected, and now I have the following firmware files!

img=images/Scaler/WL95C_MSTAR_MST9W00V4_V3.2.2_RscV1.0_0xA2A1_rev3136_190415.bin
area=
ver=3.02
res=1.00
img=images/PD/20181002_49WL95C_FW1_12_08_V1_0_5_GUI4_01_Low.bin:
ver=1.0.5
img=images/NXP/LPC11U68_NXP_V218__rev595_181002.bin

The last file matches up with what I found listed on LG's open source website, which lists FreeRTOS as running on an NXP LPC11U68 (Cortex-M0+). http://opensource.lge.com/osSch/list?types=ALL&search=49WL95C

Time to look at the firmware in more detail in a later blog post!
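The two steps above (pulling the firmware URL out of a binary cache with strings, then reading the img=/ver= manifest that comes out of the zip) as an added Go example; this is not code from the post or from LG. The byte blob standing in for Cache.db is constructed and only contains the URL quoted above, the manifest text is the one listed above, and the printable-run scan is a deliberately minimal reimplementation of what strings(1) does:

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed stand-in for a slice of OnScreen's Cache.db: the firmware URL
// from the post embedded between non-printable bytes. Not the real file.
var sampleCache = []byte("\x00\x01\x02xHTTP\x00\xff" +
	"https://lmu.lge.com/ExternalService/onscreencontrol/fw/49WL900G/MODEL_49WL900G_SV3.02_PV1.0.5_NV2.18_20190422.zip" +
	"\x00\x00garbage\x7f")

// The manifest as listed in the post (the trailing ':' on the PD line is kept as-is).
const sampleManifest = `img=images/Scaler/WL95C_MSTAR_MST9W00V4_V3.2.2_RscV1.0_0xA2A1_rev3136_190415.bin
area=
ver=3.02
res=1.00
img=images/PD/20181002_49WL95C_FW1_12_08_V1_0_5_GUI4_01_Low.bin:
ver=1.0.5
img=images/NXP/LPC11U68_NXP_V218__rev595_181002.bin
`

// printableRuns mimics the core of strings(1): every run of at least minLen
// printable ASCII bytes (0x20..0x7e) found in data, in order of appearance.
func printableRuns(data []byte, minLen int) []string {
	var runs []string
	var cur []byte
	flush := func() {
		if len(cur) >= minLen {
			runs = append(runs, string(cur)) // string() copies, so reusing cur is safe
		}
		cur = cur[:0]
	}
	for _, b := range data {
		if b >= 0x20 && b <= 0x7e {
			cur = append(cur, b)
		} else {
			flush()
		}
	}
	flush()
	return runs
}

var urlRe = regexp.MustCompile(`https?://[^\s"'<>]+`)

// findURLs returns the http(s) URLs embedded in a binary blob.
func findURLs(data []byte) []string {
	var urls []string
	for _, s := range printableRuns(data, 4) {
		urls = append(urls, urlRe.FindAllString(s, -1)...)
	}
	return urls
}

// FirmwareImage is one img= entry of the manifest plus the key=value lines
// that follow it (area, ver, res, ...).
type FirmwareImage struct {
	Path   string
	Fields map[string]string
}

// parseManifest groups each img= line with the fields that follow it until the
// next img= line. A stray trailing ':' on the path (seen in the post) is dropped.
func parseManifest(text string) []FirmwareImage {
	var images []FirmwareImage
	for _, line := range strings.Split(text, "\n") {
		key, val, ok := strings.Cut(strings.TrimSpace(line), "=")
		if !ok {
			continue // blank or malformed line
		}
		if key == "img" {
			images = append(images, FirmwareImage{Path: strings.TrimSuffix(val, ":"), Fields: map[string]string{}})
			continue
		}
		if len(images) == 0 {
			continue // a field before any img= line has nothing to attach to
		}
		images[len(images)-1].Fields[key] = val
	}
	return images
}

func main() {
	for _, u := range findURLs(sampleCache) {
		fmt.Println("firmware URL:", u)
	}
	for _, img := range parseManifest(sampleManifest) {
		fmt.Printf("%-75s ver=%s\n", img.Path, img.Fields["ver"])
	}
}
```

The URL regex stops at whitespace and quote characters, which is enough for a cache file; the manifest parser keeps empty values (area= above) rather than dropping them, so the output mirrors exactly what the zip shipped.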

Sunday, January 7, 2018

Hitron's "Encryption"

If you try to open a backup configuration file from a Hitron modem/router, it won't be readable.



However, it turns out it's just DES with a static key. Either due to incompetence or laziness, the configuration key is not unique and appears to have been reused across all their products for years.



I've posted a simple Python script to automate decrypting and encrypting Hitron configuration files. https://github.com/Manouchehri/hitron-cfg-decrypter
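An added Go illustration of what "DES with a static key" means for a backup file; this is not the linked Python script and not Hitron's code. The key is a placeholder (the real key is deliberately not reproduced), and CBC mode, a zero IV and PKCS#7 padding are assumptions for the sake of a runnable example, since the post only states the cipher. The constructed sample config is invented. The second check in the test shows the consequence of a fixed key and IV that a reviewer would look for: two backups that begin with the same bytes produce the same first ciphertext block.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"errors"
	"fmt"
)

// staticKey stands in for the vendor's fixed 8-byte DES key (placeholder, not the real value).
var staticKey = []byte("PLACEHOL")

// staticIV: assumed all-zero IV. Mode (CBC) and padding (PKCS#7) are likewise assumptions.
var staticIV = make([]byte, des.BlockSize)

// Constructed example of a plaintext backup; not a real Hitron config.
var sampleConfig = []byte("wan.mode=dhcp\nadmin.user=admin\n")

// pad appends PKCS#7 padding so the length is a multiple of the DES block size.
func pad(b []byte) []byte {
	n := des.BlockSize - len(b)%des.BlockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// unpad validates and strips PKCS#7 padding.
func unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%des.BlockSize != 0 {
		return nil, errors.New("length is not a multiple of the block size")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > des.BlockSize || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return b[:len(b)-n], nil
}

// encryptConfig produces a backup blob the way a device with a static key would.
func encryptConfig(plain []byte) ([]byte, error) {
	block, err := des.NewCipher(staticKey)
	if err != nil {
		return nil, err
	}
	padded := pad(plain)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, staticIV).CryptBlocks(out, padded)
	return out, nil
}

// decryptConfig recovers the plaintext of any backup made with the static key,
// from any device, which is exactly the weakness described above.
func decryptConfig(ct []byte) ([]byte, error) {
	block, err := des.NewCipher(staticKey)
	if err != nil {
		return nil, err
	}
	if len(ct) == 0 || len(ct)%des.BlockSize != 0 {
		return nil, errors.New("ciphertext length is not a multiple of the block size")
	}
	out := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, staticIV).CryptBlocks(out, ct)
	return unpad(out)
}

func main() {
	ct, err := encryptConfig(sampleConfig)
	if err != nil {
		panic(err)
	}
	fmt.Printf("backup blob (%d bytes): %x\n", len(ct), ct)
	pt, err := decryptConfig(ct)
	if err != nil {
		panic(err)
	}
	fmt.Printf("decrypted:\n%s", pt)
}
```

Because the key never changes, possession of one backup and the key is enough to read every other device's backup; a per-device key derived from a user secret, or at least a random per-file IV, is what the design lacks.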

Sunday, December 24, 2017

Steam Link - Force Upgrading & Downgrading

After discovering that controller support is partially broken in build 643 on the Steam Link, I had to manually downgrade mine to build 640. There doesn't seem to be any rollback protection, so it's trivial.

1. Enable SSH.

2. Find the build number you want on one or more of the following pages:

https://support.steampowered.com/kb_article.php?ref=8293-PDVM-4434
http://media.steampowered.com/steamlink/06_2015/public_builds.txt
http://media.steampowered.com/steamlink/06_2015/beta_builds.txt

3. Write the desired build number to "/mnt/config/system/update_branch.txt". For example, for build 640 you'd run:

ssh [email protected] 'echo 640 > /mnt/config/system/update_branch.txt'

4. Go to the update menu on your Steam Link and try to update it; it should now offer to update to the firmware revision previously specified.

Technical Explanation


By default, the Steam Link will load either the public_builds.txt or beta_builds.txt list depending on the branch. If a newer build is found, then the device will attempt to find a delta image (to save time/bandwidth); if it can't find a delta image, then it will download a full factory image.



When a build number is set instead of the branch ("beta" or "public"), the device will manually search for an update file regardless of the currently installed build. It will always fail at finding a delta for a downgrade, and then fall back to a full release.
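The update-selection behaviour described in this section, reconstructed as an added Go model; this is not Valve's code, and the build lists are constructed stand-ins for public_builds.txt and beta_builds.txt. The model shows where the missing check sits: a numeric update_branch value becomes the target without any comparison against the installed build. planUpdateGuarded is a hypothetical hardened variant added here to show what a rollback check would look like.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Constructed stand-ins for public_builds.txt and beta_builds.txt: one build
// number per line, oldest first. The real lists are not reproduced here.
const publicBuilds = "610\n625\n640\n643\n"
const betaBuilds = "610\n625\n640\n643\n650\n"

// UpdatePlan is what the device would do next; Image is "none", "delta" or "full".
type UpdatePlan struct {
	Target int
	Image  string
}

// newestBuild returns the highest build number in a builds list.
func newestBuild(list string) int {
	best := 0
	for _, line := range strings.Split(list, "\n") {
		if n, err := strconv.Atoi(strings.TrimSpace(line)); err == nil && n > best {
			best = n
		}
	}
	return best
}

// planUpdate models the behaviour described in the post (not Valve's code).
// A branch name resolves to the newest build in that branch's list and only
// proceeds when it is newer than the installed build; a bare build number
// becomes the target regardless of what is installed. A delta image is only
// found when moving forward, so a downgrade always falls back to a full image.
func planUpdate(branchValue string, installed int) (UpdatePlan, error) {
	v := strings.TrimSpace(branchValue)
	var target int
	switch v {
	case "public", "beta":
		list := publicBuilds
		if v == "beta" {
			list = betaBuilds
		}
		target = newestBuild(list)
		if target <= installed {
			return UpdatePlan{Target: installed, Image: "none"}, nil
		}
	default:
		n, err := strconv.Atoi(v)
		if err != nil || n <= 0 {
			return UpdatePlan{}, fmt.Errorf("unrecognised update_branch value %q", v)
		}
		target = n // no comparison with installed: this is the absent rollback protection
	}
	image := "full"
	if target > installed {
		image = "delta"
	}
	return UpdatePlan{Target: target, Image: image}, nil
}

// planUpdateGuarded is a hypothetical hardened variant that refuses to move to
// an older build, i.e. the check the post observes is missing.
func planUpdateGuarded(branchValue string, installed int) (UpdatePlan, error) {
	plan, err := planUpdate(branchValue, installed)
	if err != nil {
		return plan, err
	}
	if plan.Target < installed {
		return UpdatePlan{}, fmt.Errorf("refusing rollback from build %d to %d", installed, plan.Target)
	}
	return plan, nil
}

func main() {
	cases := []struct {
		branch    string
		installed int
	}{{"public", 640}, {"public", 643}, {"640", 643}, {"beta", 643}}
	for _, c := range cases {
		plan, err := planUpdate(c.branch, c.installed)
		fmt.Printf("update_branch=%-6s installed=%d -> %+v %v\n", c.branch, c.installed, plan, err)
	}
}
```

A firmware that wants to keep the build-number override for support purposes but prevent downgrades would keep the numeric path and add the guard, or better, enforce a monotonic version in signed update metadata rather than in a file on a writable partition.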