Hacking the 'scope from a distant land

Hacking the 'scope from a distant land

Ah, the 90s. The heady days when nothing came with Linux drivers, and so brave souls had to buy new pieces of hardware with the expectation that it would definitely not work out of the box. Then there would be a quest worthy of a video game in which they tracked down a bunch of old .edu sites with grad student projects, snippets of Usenet posts, and the occasional "forgotten" ftp server which held data sheets of chips.

Some of these things would eventually be glued together, and that's how we got support for hardware that was otherwise locked down to not just the Windows world, but a specific version of Windows at that. Some of the analysis done by these folks ended up making it possible for even Windows users to keep using the device later on, when the software had long since stopped working for even them.

I don't see a whole lot of this going on any more, and I guess that's progress, but it's still fun to find out when someone's decoded a device and made it available to the world. That's what happened over the past couple of days as I found out about a project done by a friend of mine.

To understand the motivation for his project, you have to first understand the situation he's in. You know how I've written about visa issues screwing up people's lives? Well, my friend Greg is how I got to see it happen first hand. He wound up having to put his entire U.S. based life in storage and moved back "home". He's a serious hardware hacking goth, and all of his stuff is in storage somewhere in the valley, and he's a few thousand miles away on the wrong side of an ocean.

Among other things, he found himself without an oscilloscope. He needed a replacement that wouldn't set him back too much cash, and wound up finding something rather unusual. Instead of the massive old-school HP boxes he had before, he got this weird little tablet-based thing.

It seemed nice enough, so he started poking at it. It had some interesting features, like being able to get on a network. So then he started wondering just how that worked, and what all could be done with it. He also wanted to run it from his normal computer instead of just from the tablet itself. It supposedly had a way to use it from a web browser, but that didn't work.

But, hey, hacking is hacking, so he didn't stop there. Digging around the manufacturer's site (and spending a "minter" or two out there) revealed their own little Android app, completely disconnected from the usual store route. It actually worked, too, and so that proved the network option was viable, but just needed to be understood.

It was time to start sniffing. I'm not clear on exactly what steps happened here, since they apparently went pretty quickly, but apparently at least a Raspberry Pi was involved to get between his phone and 'scope, and it became pretty obvious that you could just connect to it on the right TCP port and it would spray data at you without even being asked. Okay, so there's all this data, but what is it?

Next up, Greg exploited the fact that Android apps are basically Java and fed it to a decompiler, and oh hey, look, it's doing x.264 stuff! That means video. Is that never-ending stream from the TCP port just x.264 video? Maybe it is. So he pointed VLC at the port... and... nothing.

Then he pointed binwalk at some of the output, because, hey, maybe it'll find some sense in the headers or whatever, but, again, nope.

Back to the decompiled package he went, and it seemed that no, it's not just plain x.264. It has some kind of wrapping going on. There's metadata here. Well then, challenge accepted.

Somewhere in here, I assume pizza and caffeine was involved, but I wasn't there to witness it myself, but the result was code. C++ code. Qt-using code. For Linux. Yep, he figured it out and got a GUI client going that would nail up a connection to the box and start showing what's going on.

During this process, Greg also noticed some unusual UDP emissions from the device. It seems that it sends out a broadcast beacon of sorts, as if to say, "hey, there's an oscilloscope out here, just in case you care about that kind of thing". The Android app didn't notice, but he sure did! So, as a result, his program picks that up and lets you just pick from a list.

I should mention this is not just a one-way situation, either. Somehow he managed to figure out enough of the binary protocol to be able to push commands BACK to the device. That changed it from a cool toy to an actual tool for doing real work.

So far he hasn't reported finding any hidden stuff aside from the UDP broadcasts, but who knows what else might be lurking?

Now, for the call to action: if you're US-based, have reliability work that needs to be done, and are willing to sponsor a visa, then maybe you should check out his page. This is a friend and talented individual who's currently cooling his heels far away because of dumb bureaucracy. Maybe you can help.

Even if you can't, you can still enjoy some of his hacks. Be sure to check out the prompt on that web page of his. Try typing at it and see what happens.

Enjoy.