Yesterday at Defcon I went to the vendor area to pick up the Zigbee and accelerometer chips for my awesome Defcon badge. Unfortunately they were out of both chips, but they did let me borrow their soldering iron and gave me some leads to solder onto my badge. I soldered these leads on in a minute or two and then attached my badge to their laptop, which had the Freescale programming software on it. I modified the source code, which is actually in C, simply changing the hard-coded message from "I <3 DEFCON" to "eecue.com." Changing this meant that as soon as I powered up the badge it displayed that instead of the default message, and also changed the POV message. After modifying the code, I recompiled the firmware and flashed it to the badge.
The hack was simple and in total took me about 10 minutes. According to the guys at the booth and Joe Grand (the badge's designer) I was the first person at the con to hack a badge. Today I am planning on picking up my own Freescale programmer and the accelerometer chips which should be in stock, and hopefully I'll find some time to modify the badge in more interesting ways. This simple hack has been written up on Wired's 27bstroke6 blog (whom I have been employed by for the duration of the convention as their staff photog), Gizmodo and several other places.
Yesterday I went and bought the New Furby which just came out in October this year. The new Furby is a pretty darn advanced toy for only $30; if you haven't seen one before, they are basically armless Mogwais with beaks. New Furbys are powered by Sensory Inc's RSC-4128, which is a multi-purpose microprocessor that does everything from voice recognition to text-to-speech to IO to DTMF output. After reading through the white paper for the RSC-4128 I was pretty sure that the Furby would be quite the hackable robot, so I decided to take a look inside and see what hacking would entail.
WARNING: If you take apart Furby it will never be the same once you put it back together, unless you are really good with a sewing needle.
I started by removing the feet which are fastened to Furby with a triangular security screw. The Boxer 62 piece security bit set that I bought at Fry's a few years back contained a triangular bit that was just slightly too large to fit the Furby foot screws, so I filed it down a tad and in it went. After taking off the feet, the clawed under-feet were exposed which were surrounded with little fur booties that just slid off with a little tug. Once I removed the under-feet I could see how the fur was attached to the skeleton.
The fur is glued on in 2 places, which I cut with a sharp knife. The fur also has plastic tabs that go into the base of Furby, which can be pulled out with a little effort. Once you have the base of the fur free from Furby you will have to open up the back of his little fur suit. This back is lightly sewn with just a few stitches and opens easily once you free the first stitch, almost like it was made to come open easily.
After you have opened the back of the suit you can slide it over his head, you will have to snip the small threads at the tips of his ears to get it off over his head, don't snip the big white threads that loop through the plastic ear guides, this is used to track the location of the ears. You will also have to snip the thread on the tip of his mohawk support and the thread wrapped around his eyebrow mover.
Then comes the tricky part, and that is the last screw that holds the plastic eye and mouth guides onto the center of the face. At first I tried just pushing a screwdriver right between his eyes and turning, but I couldn't get a hold of the screw. Next I tried just twisting the whole thing, but this seemed like it was going to mess up the eyelashes. Finally I just pulled hard on it and the plastic flexed and popped off the screw. Now Furby is hairless and looks like a cyborg version of Mr. Potato head, sans-bucket of parts.
Furby's shell is closed by 6 screws and once they are removed you can open it up and see the goodies inside. After his shell is open, you will have to unwind the zig-zagging red and black wires, which I think are some kind of antenna to allow the Furby to communicate with its brethren. After you have released and unwound the wires you will need to cut the microphone, as there is no way to get it out of the shell without cutting it. Once you cut the wires in the middle, you will need to strip off the insulation so that the mic can pass through the grommet. The grommet has two sides; to get it out, first pry out the outer grommet from the front of the shell and then push on the leads to drive the mic forward and out of the shell. You can then pull out the rear grommet and use them together to protect the mic, although it isn't really necessary.
After pulling the mic, I stripped the cut leads and removed the old leads from the motherboard, then I soldered the mic back on to the mic traces on the motherboard. I suppose this was the first actual hack. I then screwed back on the under-feet, stood Furby up, and switched it on. He worked fine and responded to my request to tell a joke.
I then removed the silicone mouth, which was fastened by two screws to the face. Once it was free from the face I had to clip two little silicone loops that attached to the beak and tongue. This will probably prevent the Furby from ever working the same again, although I suppose gluing would be possible.
The next step was to take a look at the motherboard. The motherboard is fastened to Furby with two screws, once you pull it off you will have to remove several snap in connectors, but to really get a good look at it I had to snip the feeding switch leads. Cutting the feeding switch wires was actually a good thing, because it makes feeding Furby much easier (just short the wires together). Here are pictures of the motherboard, the ROM/RAM daughter card and the transistor daughter card. The epoxy blob in the center of the MB is the RSC-4128, I am not yet sure what the other blob is.
The coolest thing I saw once I opened up Furby was that the board designers were nice enough to leave nice large pads for the RSC-4128 diagnostic interface, which hopefully should allow programming of the Furby. I am not sure, but I think the diagnostic port is a serial interface. I have ordered the development kit from Sensory Inc, and I'm sure this will help answer some of my questions. If I do end up being able to alter the programming / data on the Furby here are some things I plan on doing:
- Give Furby a more colorful vocabulary
- Teach Furby some tasteless jokes
- Change Furby's voice tone to be less cute and more evil
- Give Furby a funny accent and maybe a lisp and a twitch
- Hook up some of the unused I/O ports to control other things (the chip has 24 I/O ports with 10mA outputs)
- Expand Furby's memory
- Utilize the voice recording function of the RSC-4128
- Make Furby a voice controlled DTMF dialer
- Utilize the MIDI synth contained in the RSC-4128
Here is what I plan on doing even if I can change the code or data:
- Add nicer switches to make the Skeletal Furby easier to turn off
- LEDs that light up when Furby moves
- Volume control for the speaker
- Put the Furby head on a Robosapien body
So I am a sucker for robots and the new Furby looks pretty damn cool, so I ordered one; hey, it only cost me $30. The new Furby has an off switch, and we all know you should never trust a robot without an off switch. It also responds to voice commands and has a whole bunch more motors and movement than the old Furby.
The Furby also has 6 times more memory (512k) than its predecessor. It is powered by a Sensory RSC-4128 chip which is a "single-chip solution providing all hearing, talking and CPU functions". The Furby uses Sensory’s Quick Text to Speaker Independent™ (Quick T2SI) recognition technology, which sounds like it will make hacking a very interesting possibility as it uses text instead of audio files for its speech. There is also a plethora of developer info on the Sensory Inc website, and you can download an IDE.
I am also going to try and get a dev kit. Did I mention it has an off switch? As soon as I get it I will be removing its fur and taking pictures of the process. I will also see what kind of IR fun I can have with it.
After reading through the white paper for the RSC-4128 I can see this is going to be a totally hackable robot.
Now that money is involved it will only be a short amount of time before RFIDs are blown wide open as the next huge security problem. All you have to do is excite the card with the right radio freqs and pick up the response and you're in. Record it, replay it and you have pwn3d the money.
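The record-and-replay problem described above comes from tags that answer every reader with the same bytes. The following is an added example, not part of the original post: a small simulation comparing such a static tag with one that MACs a fresh reader nonce. The class names, the sample UID and the use of HMAC-SHA256 are assumptions chosen for illustration and do not model any particular RFID standard.

```python
import hashlib
import hmac
import secrets

class StaticTag:
    """Answers every excitation with the same bytes (constructed model)."""
    def __init__(self, uid):
        self.uid = uid
    def respond(self, challenge):
        return self.uid  # the reader's challenge is ignored

class ChallengeResponseTag:
    """Holds a secret key and MACs the reader's fresh nonce."""
    def __init__(self, uid, key):
        self.uid, self._key = uid, key
    def respond(self, challenge):
        return self.uid + hmac.new(self._key, challenge, hashlib.sha256).digest()

class RecordedTag:
    """Plays back one previously observed response, whatever it is asked."""
    def __init__(self, recorded):
        self.recorded = recorded
    def respond(self, challenge):
        return self.recorded

def static_reader_accepts(tag, enrolled_uid):
    return hmac.compare_digest(tag.respond(b""), enrolled_uid)

def cr_reader_accepts(tag, enrolled_uid, key):
    nonce = secrets.token_bytes(16)  # new for every transaction
    expected = enrolled_uid + hmac.new(key, nonce, hashlib.sha256).digest()
    return hmac.compare_digest(tag.respond(nonce), expected)

def run_demo():
    uid, key = b"CONSTRUCTED-UID-0001", secrets.token_bytes(32)
    static_tag, cr_tag = StaticTag(uid), ChallengeResponseTag(uid, key)
    # One legitimate exchange per tag type is observed and stored.
    static_recording = static_tag.respond(b"")
    cr_recording = cr_tag.respond(secrets.token_bytes(16))
    return {
        "static_genuine": static_reader_accepts(static_tag, uid),
        "static_replay": static_reader_accepts(RecordedTag(static_recording), uid),
        "cr_genuine": cr_reader_accepts(cr_tag, uid, key),
        "cr_replay": cr_reader_accepts(RecordedTag(cr_recording), uid, key),
    }

if __name__ == "__main__":
    for name, accepted in run_demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The recorded response is only rejected because the reader issues a new nonce per transaction; a reader that reuses nonces would accept the playback again.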
For the last three years we have brought you panels of security experts from some of the members of the most elite hacker groups in Southern California. This year we present the Orange County Hacking Summit IV - No Protection version 2.003. This year we will be presenting some of the best and brightest security engineers and hackers of the So Cal hacking and computer