Advice on RE
Closed this issue · 1 comment
Let me give you some advice from my personal experience. I RE'd a printer last year that was blocking non-OEM ink cartridges. It turned out there was a fairly complex handshake happening between a tiny chip on the ink cartridge and the printer. To produce knockoff ink cartridges, that handshake would have to be cracked. I won't go into much more detail about that because, you know. But I will say that simply trying to figure out the logic by looking at the firmware dump in various disassemblers was not enough.
I also RE'd a 'secure' router from Verizon; the research for that and how I found a jailbreak for it was published here:
https://github.com/MeisterLone/Askey-RT5010W-D187-REV6
With regards to the printer project, in the end the most useful tool I had was the ability to write custom firmware to the device. This involved figuring out how the firmware self-checked itself at startup, but once I had the ability to make small tweaks to the firmware here and there, I could measure the effect those tweaks had on the handshake between the printer and the ink cartridge. This ended up being the game-changer.
I don't know the intricacies of the power meters and this advice might not be that relevant, but if you are able to make writes to the firmware, you could tweak some bytecode here and there where things look relevant to see if perhaps a small change causes the meter to never switch channels, which would help you home in on the location of the important firmware instructions. It might even be possible to disable the encryption as simply as jumping over a function.
Just my 2 cents. Thank you for your efforts!
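The comment above hinges on the firmware's startup self-check: a patched image only boots if that check still passes. The following is an added example, not code from this thread, from the printer, or from the pico-puller project, and the image layout, the trailer formats and the key are all constructed for illustration. It models two kinds of self-check side by side: an unkeyed CRC32 trailer, which rejects a patched image only until the trailer is recomputed, and a keyed HMAC-SHA256 trailer, which a patched image cannot satisfy without the key. The defender's takeaway is that an unkeyed checksum detects corruption, not modification; a symmetric key stored on the device is itself extractable, so production designs verify a public-key signature from an immutable boot ROM.

```python
import hashlib
import hmac
import struct
import zlib

# Constructed toy firmware body: a fake vector table followed by code bytes.
# This is NOT a real M16C image; the layout is an assumption for this example.
FIRMWARE_BODY = bytes.fromhex("0040000000410000") + bytes(range(0x20, 0x60))

# Constructed key for the keyed variant; not taken from any real product.
DEVICE_KEY = b"example-device-key-not-real"
MAC_LEN = hashlib.sha256().digest_size  # 32 bytes


def build_crc_image(body: bytes) -> bytes:
    """Append a 4-byte little-endian CRC32 trailer (unkeyed self-check)."""
    return body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def crc_self_check(image: bytes) -> bool:
    """Startup check as a CRC-only bootloader would do it."""
    body, (stored,) = image[:-4], struct.unpack("<I", image[-4:])
    return (zlib.crc32(body) & 0xFFFFFFFF) == stored


def build_mac_image(body: bytes, key: bytes) -> bytes:
    """Append an HMAC-SHA256 tag over the body (keyed self-check)."""
    return body + hmac.new(key, body, hashlib.sha256).digest()


def mac_self_check(image: bytes, key: bytes) -> bool:
    """Startup check that needs the key; constant-time tag comparison."""
    body, tag = image[:-MAC_LEN], image[-MAC_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def patch_image_body(body: bytes, offset: int, new_bytes: bytes) -> bytes:
    """Overwrite bytes at offset, refusing anything outside the image."""
    if offset < 0 or offset + len(new_bytes) > len(body):
        raise ValueError("patch out of range")
    return body[:offset] + new_bytes + body[offset + len(new_bytes):]


def demo() -> dict:
    """Run one small patch through both self-checks and report outcomes."""
    original = build_crc_image(FIRMWARE_BODY)
    # Two-byte change at a constructed offset; stands in for any small tweak.
    patched_body = patch_image_body(FIRMWARE_BODY, 0x10, b"\x00\x00")

    # Unkeyed: the old trailer fails, a recomputed trailer passes.
    crc_old_trailer = patched_body + original[-4:]
    crc_recomputed = build_crc_image(patched_body)

    # Keyed: neither the old tag nor a tag made with a guessed key passes.
    mac_image = build_mac_image(FIRMWARE_BODY, DEVICE_KEY)
    mac_old_tag = patched_body + mac_image[-MAC_LEN:]
    mac_wrong_key = build_mac_image(patched_body, b"guessed-key")

    return {
        "crc_original": crc_self_check(original),
        "crc_patched_old_trailer": crc_self_check(crc_old_trailer),
        "crc_patched_recomputed": crc_self_check(crc_recomputed),
        "mac_original": mac_self_check(mac_image, DEVICE_KEY),
        "mac_patched_old_tag": mac_self_check(mac_old_tag, DEVICE_KEY),
        "mac_patched_wrong_key": mac_self_check(mac_wrong_key, DEVICE_KEY),
    }


if __name__ == "__main__":
    for name, passed in demo().items():
        print(f"{name}: {'boots' if passed else 'rejected'}")
```

Running it shows the asymmetry directly: the CRC image boots again as soon as its trailer is rebuilt, while the HMAC image is rejected for both the stale tag and the wrong-key tag. Which of the two a given device implements is exactly what the comment's "figuring out how the firmware self-checked itself" step determines.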
The pico-puller tool is a general-purpose tool for grabbing the image of any M16C processor device that uses the standard Renesas bootloader and isn't specific to power meters or any other kind of equipment. While this may be useful advice for reverse engineering, it's not really an issue that can or will be addressed within the project, so I'm closing it with this comment.