Further Adventures in Colorimeter Hacking
As we continue to explore the fascinating world of hardware hacking, a story that embodies the spirit of sharing knowledge and pushing boundaries is that of [Ivor]'s colorimeter hacking journey. Building on his earlier work with relatively simple request spoofing, Ivor took it to new heights by unlocking complete control over the device's software. In this article, we'll delve into the intricate details of how he achieved this remarkable feat.
It all started when [Adam Zeloof]'s work on replacing the firmware on a cosmetics spectrophotometer with general-purpose firmware caught Ivor's attention. Intrigued by the possibilities, Ivor decided to purchase two colorimeters, one as a backup, and began experimenting with Adam's method for updating the firmware using request spoofing. However, unlike Adam, Ivor encountered an unexpected hurdle – finding the serial number of his device.
Undeterred, Ivor persisted in his search, eventually discovering another serial number that led him to the base firmware. This breakthrough allowed him to dump and compare the cosmetic, quality-control, and base firmwares, a crucial step towards understanding the device's software architecture. The next challenge was writing a Python program to upload firmware without relying on the official companion app.
Ivor's solution was to capture the traffic between the host computer and the colorimeter during an official update and replay it from his own script, which also let him push custom images to the device's display, including the iconic DOOM title page. During a firmware upload the device switches into a bootloader mode, which exposes an interesting menu with options such as viewing and editing the NAND contents.
With careful soldering, Ivor was able to dump the bootloader and, after some trial and error, even extract the NAND contents. By modifying the chip ID and serial number in the NAND, he was able to make the quality-control firmware work on his cosmetic model – a remarkable achievement that showcased the depth of Ivor's knowledge.
However, the journey wasn't without its setbacks. The device became "bricked" several times, requiring Ivor to install a jumper to force it into recovery mode. Despite these challenges, Ivor persevered and eventually managed to download and upload content to NAND, alter the bootloader, change the serial number, and enter boot recovery – effectively gaining total control over the device's software.
To round off the project, Ivor has released a Python utility library that lets users interact with and edit the colorimeter's software over USB. This tool opens up new possibilities for creative exploration and experimentation with these devices.
For those interested in exploring more examples of reverse-engineering, we recommend checking out our previous articles on a mini console and an audio interface – thought-provoking works that demonstrate the power of human ingenuity and creativity when applied to complex technological challenges.