https://blog.usedbytes.com/tags/ghidra/ Recent content in Ghidra on usedbytes:Blog Hugo -- gohugo.io Wed, 29 Apr 2020 19:53:36 +0100 https://blog.usedbytes.com/2020/04/reverse-engineering-keyboard-firmware-with-ghidra-part-4-conclusion/ Wed, 29 Apr 2020 19:53:36 +0100 https://blog.usedbytes.com/2020/04/reverse-engineering-keyboard-firmware-with-ghidra-part-4-conclusion/ This post has been a bit delayed for noe reason in particular (except perhaps fatigue with the project). It brings the Ducky reverse engineering adventure (mainly) to a close. At the end of Part 3, all of the pieces were in place, but I still wasn’t able to flash my own modified firmware to the keyboard because of a pesky failing CRC check. What I did know, was that after sending the CRCCheck() command, the keyboard responded with a 16-bit value. https://blog.usedbytes.com/2020/03/reverse-engineering-keyboard-firmware-with-ghidra-part-3/ Sat, 28 Mar 2020 10:18:10 +0000 https://blog.usedbytes.com/2020/03/reverse-engineering-keyboard-firmware-with-ghidra-part-3/ In which we succeed, and fail - and take a break to play through Half-Life: Alyx At the end of Part 2, we’d found and extracted the “firmware blob”, which is the data that the updater sends over USB to the keyboard. The problem is that the data doesn’t look anything like Arm Cortex-M3 code. 00000000: 84be c2c7 450a 0879 6c0a d553 51ce 1efc ....E..yl..SQ... 00000010: fe5b e848 e9c1 3c77 3b74 48b7 768c cbd9 . https://blog.usedbytes.com/2020/03/reverse-engineering-keyboard-firmware-with-ghidra-part-2/ Fri, 13 Mar 2020 20:36:08 +0000 https://blog.usedbytes.com/2020/03/reverse-engineering-keyboard-firmware-with-ghidra-part-2/ Last time, in Part 1, we found out the super-secret XOR key for the Ducky One firmware updater and used it to obtain its file header describing the firmware version and keyboard layout. The next missing piece to find is the size of the firmware image, which will tell us which part of the .exe file contains the firmware. To find out where to look, we need to go back to the xx_get_fw function, which takes the firmware size as a parameter: https://blog.usedbytes.com/2020/03/reverse-engineering-keyboard-firmware-with-ghidra-part-1/ Wed, 04 Mar 2020 20:43:08 +0000 https://blog.usedbytes.com/2020/03/reverse-engineering-keyboard-firmware-with-ghidra-part-1/ In March 2019, the NSA (yes, that NSA) released a reverse engineering tool called Ghidra. This is pretty cool, as it’s relatively easy to use, pretty powerful, and free as in both speech and beer (compared to the similar and popular IDA Pro which is not). Around a year earlier, I’d “upgraded” my non-backlit Ducky One TKL keyboard to a backlit one: The non-backlit version is identical to the backlit version, they just don’t install the LEDs.