
Dumping firmware from Huion Tablets

Huion uses a chip labeled "HV901" as the central controller. The placement of the USB routing, crystal, and power rails is identical to that of the STM32 C8 package and its numerous clones, so it's very likely a relabeled STM32 chip.

Mainboard of Huion H610Pro V2

Since this is a commercial product, the JTAG is locked, so some hacking is needed to obtain a firmware dump.

Getting one from the firmware updater:

It turns out that the official firmware updater (https://www.huion.com/firmware.html) downloads firmware over plain, unencrypted HTTP (which, for an updater, also means there is no transport-level integrity check on what gets flashed), so it's easy to obtain the firmware from there; see https://github.com/Lucretia/hs610-info. But the files themselves are encrypted in some way.

Device list:

The firmware updater also has some other interesting stuff inside. For example, in the macOS version, there's a file called "DevicesMcuTypeForRdCode.plist" containing a detailed list of supported devices, the highest version supported, and the exact model number of the MCU used. From this file, I learned that the HV901 is basically a relabeled GD32F350C8, which is a popular STM32 clone.

Busting the firmware encryption:

Surprisingly, the raw (unencrypted) binary of the H430P is included in the macOS version of the firmware updater, probably by mistake! Oopsie. With this firmware, it's now possible to reverse engineer the encryption and obtain the firmware of all other models!
It turns out that the encryption uses a very simple static dictionary-based method. I obtained the dictionary by comparing the two versions of the H430P firmware.

Decrypting the Firmware Binary

Because the dictionary is static, it can also be extracted without any reference using statistical methods. The gist is that the bytes of a typical firmware image follow a characteristic statistical distribution, so the unencrypted bytes can be guessed by looking at the histogram of the encrypted file.
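The two recovery methods described above (known-plaintext comparison of the two H430P images, and reference-free histogram matching), as an added Python example that is not the author's tooling or any Huion code. It assumes the scheme is a fixed 256-entry byte dictionary applied byte by byte; the dictionary, the firmware-like sample images, and the function names (`derive_table_from_pair`, `guess_table_by_frequency`, and so on) are all constructed for the demonstration. The point for anyone designing an update format is that such a table is a monoalphabetic substitution: one leaked plaintext exposes every entry that occurs in it, and the histogram shape of a firmware image (erased-flash 0xFF and zero padding dominate) survives the substitution unchanged, so the scheme provides no confidentiality at all.

```python
# Added example: recovering a static byte-substitution "dictionary" two ways.
# Not the post author's tooling and not Huion's updater code. Assumes the
# obfuscation is a fixed 256-entry map S with cipher[i] = S[plain[i]].
# All firmware-like bytes below are constructed, not real dumps.
from __future__ import annotations

import random
import struct
from collections import Counter


def make_sample_firmware(n_pad_ff: int, n_pad_00: int, n_funcs: int) -> bytes:
    """Constructed stand-in for a Cortex-M image: erased-flash padding (0xFF),
    zero padding, a vector table of flash addresses, and repeated Thumb words."""
    img = bytearray(b"\xff" * n_pad_ff + b"\x00" * n_pad_00)
    for i in range(128):
        img += struct.pack("<I", 0x08000000 + 4 * i)          # handler addresses in flash
    for _ in range(n_funcs):
        img += struct.pack("<HHH", 0xB510, 0x4770, 0xBD10)     # push {r4,lr}; bx lr; pop {r4,pc}
    return bytes(img)


def make_random_dictionary(seed: int) -> bytes:
    """A random bijective byte map, standing in for the vendor's fixed table (constructed)."""
    perm = list(range(256))
    random.Random(seed).shuffle(perm)
    return bytes(perm)


def apply_dictionary(data: bytes, table: bytes) -> bytes:
    """Encrypt or decrypt with a 256-byte table; bytes.translate does exactly this."""
    return data.translate(table)


def derive_table_from_pair(plain: bytes, cipher: bytes) -> dict[int, int]:
    """Known-plaintext recovery: build cipher byte -> plain byte from one pair of
    images, and refuse to continue if any byte maps inconsistently or two cipher
    bytes map to the same plain byte (then it is not a static dictionary)."""
    if len(plain) != len(cipher):
        raise ValueError("plaintext and ciphertext lengths differ")
    table: dict[int, int] = {}
    for p, c in zip(plain, cipher):
        if table.setdefault(c, p) != p:
            raise ValueError(f"cipher byte {c:#04x} maps to both {table[c]:#04x} and {p:#04x}")
    if len(set(table.values())) != len(table):
        raise ValueError("recovered map is not injective")
    return table


def is_static_dictionary(plain: bytes, cipher: bytes) -> bool:
    """True if the pair is consistent with some fixed, bijective byte map."""
    try:
        derive_table_from_pair(plain, cipher)
        return True
    except ValueError:
        return False


def decrypt_with_table(cipher: bytes, table: dict[int, int]) -> bytes:
    """Decrypt another image; only bytes seen in the known pair are mapped, so a
    byte the pair never contained is reported instead of silently guessed."""
    missing = sorted(set(cipher) - table.keys())
    if missing:
        raise KeyError(f"no mapping for cipher bytes {[hex(b) for b in missing]}")
    return bytes(table[c] for c in cipher)


def guess_table_by_frequency(cipher: bytes, expected_rank: list[int], top_k: int) -> dict[int, int]:
    """Reference-free recovery: pair the k most common cipher bytes with the k
    bytes expected to be most common in plaintext (a substitution preserves the
    histogram shape). Only the distinctly-ranked head of the histogram is
    trustworthy; ties further down need other cues such as known code patterns."""
    cipher_rank = [b for b, _ in Counter(cipher).most_common(top_k)]
    return dict(zip(cipher_rank, expected_rank[:top_k]))


def demo() -> dict:
    table = make_random_dictionary(seed=2024)
    known_plain = make_sample_firmware(1024, 800, 100)    # the "leaked" plaintext image
    known_cipher = apply_dictionary(known_plain, table)
    other_plain = make_sample_firmware(2048, 1200, 150)   # a different model's image
    other_cipher = apply_dictionary(other_plain, table)

    recovered = derive_table_from_pair(known_plain, known_cipher)
    decrypted = decrypt_with_table(other_cipher, recovered)

    # Prior for the histogram method: erased flash and zero padding dominate a typical
    # image. Taken here from the constructed sample for determinism; in practice any
    # unrelated image for the same MCU family gives the same head of the ranking.
    expected = [b for b, _ in Counter(known_plain).most_common()]
    guessed = guess_table_by_frequency(other_cipher, expected, top_k=3)
    return {
        "entries_recovered": len(recovered),
        "decrypt_ok": decrypted == other_plain,
        "guessed_matches_truth": all(recovered[c] == p for c, p in guessed.items()),
        "guessed_plain_bytes": sorted(guessed.values()),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows both properties at once: the known pair yields a consistent map covering every byte value that occurs in it, which then decrypts the second image exactly, and the three most frequent bytes of the encrypted second image line up with 0xFF, 0x00 and 0x10 from the plaintext prior without any known pair at all. Real images contain many more distinct byte values than the constructed sample, which only makes the known-plaintext method more complete.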

Getting one using a power glitch:

This kind of MCU has a physically connected but software-locked JTAG, which makes it particularly susceptible to power glitch attacks (compared to older chips like the MSP430, where the JTAG pins are physically melted internally once programming is done). One famous example is the AirTag hack: people managed to dump Apple's AirTag firmware almost immediately after its release (https://www.youtube.com/watch?v=_E0PWQvW-14). Initially, you needed to buy FPGA-based hardware, such as the ChipWhisperer, to generate the precisely timed power glitch. Today, the process has been streamlined to the extreme, and you basically only need a Raspberry Pi Pico to pull it off. For STM32s, the community has created a complete toolkit for this exact purpose: https://github.com/CTXz/stm32f1-picopwner

It's never been so easy to breach readout protection, but I have to stress that this breach is not ST's fault. Almost all microprocessors are susceptible to this kind of attack, and despite the tremendous effort academia has devoted to fixing this problem, there is simply no easy engineering solution available yet. Today, the best thing you can do as a product engineer is to fully utilize the hardware's asymmetric-key cryptography features and figure out a way to protect the most sensitive information.

Conclusion:

So, I managed to get a ROM dump of the HV901 in the end. In the next article, I will analyze the firmware and understand all the math magic that makes drawing tablets possible.
