Huion uses a chip labeled "HV901" as the central controller. The location of USB routing, crystal, and power rail is identical to the STM32 C8 package and its numerous clones. It's very likely a relabeled STM32 chip.
Mainboard of Huion H610Pro V2
As a commercial product, the JTAG is locked. Some hacking is needed to obtain the firmware dump.
Getting one from the firmware updater:
It turns out that the official firmware updater (https://www.huion.com/firmware.html) uses an unencrypted HTTP transaction, so it's easy to obtain the firmware from there:
Device list:
The firmware updater also has some other interesting stuff inside. For example, in the MacOS version, there's a file called "DevicesMcuTypeForRdCode.plist" containing a detailed list of supported devices, the highest version supported, and the exact model number of the MCU used. From this file, I learned that the HV901 is basically a relabeled GD32F350C8, which is a popular STM32 clone.
Busting the firmware encryption:
Surprisingly, the raw, encrypted binary of H430P is included in the MacOS version of the firmware updater, probably by mistake! Oopsie. With this firmware, it's now possible to reverse engineer the encryption and obtain the firmware of all other models!
It turns out that the encryption uses a very simple static dictionary-based method. I obtained the dictionary by comparing the two versions of the H430P firmware.
Decrypting the firmware binary
Because it's a static dictionary, it's also possible to extract it without any reference using statistical methods. The gist is that the bytes in a typical firmware image follow a characteristic statistical distribution, so the unencrypted value of each byte can be guessed by looking at the histogram.
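To make concrete why a static byte-substitution table offers no real confidentiality, here is an added Python example (not Huion's code and not from the original post) that recovers such a table both ways described above: from one known plaintext/ciphertext pair, and from byte frequencies alone using a reference image of the same MCU family. The firmware bytes and the table are constructed sample data; the function names are my own, and no real updater or table is involved.

```python
"""
Added example: recovering a static byte-substitution table.
All firmware images and the table are constructed here; nothing is
taken from a real Huion image or updater.
"""
import random
from collections import Counter


def make_sample_firmware(seed: int, length: int = 8192) -> bytes:
    """Construct a fake firmware image whose histogram is skewed the way
    real MCU images are: lots of 0x00/0xFF padding plus a few frequent
    opcode-like bytes. Constructed data, not a real dump."""
    rng = random.Random(seed)
    pool = [0x00] * 30 + [0xFF] * 20
    pool += [0x20, 0x46, 0xBD, 0x4B, 0xF0, 0x08] * 5   # hypothetical "hot" bytes
    pool += list(range(256))                            # everything else, rarely
    return bytes(rng.choice(pool) for _ in range(length))


def make_table(seed: int) -> bytes:
    """A random bijective 256-entry substitution table (hypothetical)."""
    rng = random.Random(seed)
    entries = list(range(256))
    rng.shuffle(entries)
    return bytes(entries)


def substitute(data: bytes, table: bytes) -> bytes:
    """Apply a 256-byte table to every byte; encryption and decryption
    are the same operation with the table or its inverse."""
    return data.translate(table)


def table_from_known_pair(plain: bytes, cipher: bytes) -> dict:
    """Method 1: with a plaintext/ciphertext pair the whole table falls
    out in one pass. Raises if the same cipher byte ever maps to two
    different plaintext bytes, i.e. the scheme is not a static table."""
    mapping = {}
    for p, c in zip(plain, cipher):
        if mapping.setdefault(c, p) != p:
            raise ValueError(f"cipher byte 0x{c:02x} maps to two plaintext "
                             f"values; scheme is not a static table")
    return mapping


def invert_table(mapping: dict) -> bytes:
    """Build a decryption table; unobserved entries stay identity."""
    inv = bytearray(range(256))
    for c, p in mapping.items():
        inv[c] = p
    return bytes(inv)


def table_by_frequency(cipher: bytes, reference: bytes) -> dict:
    """Method 2: no known pair, only a reference plaintext image of the
    same family. Rank bytes by frequency in both and pair rank with rank.
    The most common bytes (padding) are recovered reliably; the long tail
    of rare bytes needs further heuristics or manual work."""
    c_rank = [b for b, _ in Counter(cipher).most_common()]
    r_rank = [b for b, _ in Counter(reference).most_common()]
    return dict(zip(c_rank, r_rank))


def demo() -> dict:
    """Run both methods on constructed images and report how well they do."""
    table = make_table(seed=7)
    fw_a = make_sample_firmware(seed=1)   # image we have in plaintext
    fw_b = make_sample_firmware(seed=2)   # image we only have encrypted
    enc_a = substitute(fw_a, table)
    enc_b = substitute(fw_b, table)

    # Method 1: known pair (fw_a, enc_a) decrypts the other image exactly.
    inv = invert_table(table_from_known_pair(fw_a, enc_a))
    recovered_b = substitute(enc_b, inv)

    # Method 2: frequency ranking of enc_b against the plaintext fw_a.
    guess = table_by_frequency(enc_b, fw_a)
    top2 = [b for b, _ in Counter(enc_b).most_common(2)]
    return {
        "known_pair_exact": recovered_b == fw_b,
        "freq_top2_correct": sum(1 for c in top2 if guess[c] == inv[c]),
        "freq_entries_correct": sum(1 for c, p in guess.items() if inv[c] == p),
    }


if __name__ == "__main__":
    print(demo())
```

The takeaway for anyone shipping firmware this way: a per-byte table is a monoalphabetic substitution, so one leaked plaintext (or just the padding statistics of any image for the same MCU) recovers it; it is obfuscation, not encryption.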
Getting one using power glitch:
This kind of MCU has a physically connected but software-locked JTAG, making it particularly susceptible to power glitch attacks (compared to older chips like the MSP430, where the JTAG pins are physically melted internally once programming is done). One famous example is the AirTag hack: people managed to dump Apple's AirTag firmware almost immediately after its release (https://www.youtube.com/watch?v=_E0PWQvW-14). Originally, you needed FPGA-based hardware such as the ChipWhisperer to generate the precisely timed power glitch. Today, the process has been streamlined to the extreme, and a Raspberry Pi Pico is basically all you need to pull it off:
It's never been so easy to breach the readout protection, but I have to stress that this breach is not ST's fault. Almost all microprocessors are susceptible to this kind of attack, and despite the tremendous effort academia has devoted to the problem, there's simply no easy engineering solution available yet. Today, the best thing you can do as a product engineer is to fully utilize the hardware's asymmetric-key cryptography features and figure out a way to protect the most sensitive information.
Conclusion:
So, I managed to get a ROM dump of HV901 in the end. In the next article, I will analyze the firmware and understand all the math magic that makes drawing tablets possible.