Dumping firmware from Huion Tablets

Huion uses a chip labeled "HV901" as the central controller. The location of the USB routing, crystal, and power rail is identical to the STM32 C8 package and its numerous clones. It's very likely a relabeled STM32 chip.

Mainboard of Huion H610Pro V2

As this is a commercial product, the JTAG is locked, so some hacking is needed to obtain a firmware dump.

Getting one from the firmware updater:

It turns out that the official firmware updater (https://www.huion.com/firmware.html) downloads the firmware over an unencrypted HTTP transaction, so it's easy to obtain the firmware files from there: https://github.com/Lucretia/hs610-info. The files themselves, however, are encrypted in some way.

Device list:

The firmware updater also has some other interesting stuff inside. For example, in the macOS version, there's a file called "DevicesMcuTypeForRdCode.plist" containing a detailed list of supported devices, the highest firmware version supported, and the exact model number of the MCU used. From this file, I learned that the HV901 is basically a relabeled GD32F350C8, which is a popular STM32 clone.

Busting the firmware encryption:

Surprisingly, the raw, unencrypted binary of the H430P is included in the macOS version of the firmware updater, probably by mistake! Oopsie. With this firmware, it's now possible to reverse engineer the encryption and obtain the firmware of all other models! It turns out that the encryption uses a very simple static dictionary-based method. I obtained the dictionary by comparing the two versions of the H430P firmware.

Decrypting the Firmware Binary

Because it's a static dictionary, it's also possible to extract it without any reference using statistical methods. The gist is that the bytes in a typical firmware follow a characteristic statistical distribution, so it's possible to guess the unencrypted bytes by looking at the histogram of the encrypted ones.

Getting one using power glitch:

This kind of MCU has a physically connected but software-locked JTAG, making it particularly susceptible to power glitch attacks (compared to older chips like the MSP430, where the JTAG fuse is physically blown inside the chip once programming is done). One famous example is the AirTag hack: people managed to dump Apple's AirTag firmware almost immediately after its release, https://www.youtube.com/watch?v=_E0PWQvW-14. Initially, you needed to buy FPGA-based hardware, such as the ChipWhisperer, to generate the precisely timed power glitch. Today, the process has been streamlined to the extreme, and you basically only need a Raspberry Pi Pico to pull it off. For STM32s, the community has created a complete toolkit for this exact purpose: https://github.com/CTXz/stm32f1-picopwner

It's never been so easy to breach the readout protection, but I have to stress that this breach is not ST's fault. Almost all microprocessors are susceptible to this kind of attack, and despite the tremendous effort academia has devoted to fixing the problem, there's simply no easy engineering solution available yet. Today, the best thing you can do as a product engineer is to fully utilize the hardware asymmetric-key cryptography features and figure out a way to protect the most sensitive information.

Conclusion:

So, I managed to get a ROM dump of HV901 in the end. In the next article, I will analyze the firmware and understand all the math magic that makes drawing tablets possible.  