**Drawbot: Let's Hack Something Cute (2025)**
**The Challenge**
As a journalist, I'm always on the lookout for unique and quirky projects to sink my teeth into. Recently, I stumbled upon a series of drawbots that caught my eye - adorable robots that drew pre-defined images from a set of cards. The attack surface seemed small, but the challenge was too enticing to resist.
**The Hardware**
The drawbot in question came with a stack of 100 cards, each containing a minimal "barcode" consisting of 8 bits of information (256 possible barcodes/drawings). The cards were separated into five categories: food, animal, plant, vehicle, and circle. I chose the bulbous cactus card as my starting point.
**Disassembly**
The drawbot's design didn't exactly scream "easy to open," but with some patience and a power tool or two (I opted for drilling and chaining bits together), I managed to remove the four recessed screws holding the top half in place. The barcode reader was now exposed, and it was time to start fuzzing.
**Fuzzing**
Using a valid card, I shifted its position around to provide unexpected input. Initially, various images were announced that matched up with other cards in the deck. However, one odd result stood out: "Take a bath!" I couldn't find any corresponding cards, which sparked my curiosity.
**The Breakthrough**
After some trial and error, I discovered the drawbot was singing along to an internal audio track while drawing the image. I realized that this card might be triggering a different set of images not present on the included cards.
**Enumerating Drawings**
With my next goal in mind - identifying all available drawings - I moved on to understanding how these drawings were represented and stored within the drawbot's system. A combination of logic analysis, multimeter readings, and a healthy dose of persistence led me to the following conclusions:
1. **Barcode translation**: The barcode reader sends signals to the microcontroller (MCU), which interprets them as binary values. 2. **SPI flash dump**: I managed to dump the contents of the smaller flash chip via its SPI interface, revealing a directory entry layout with numeric filenames.
**Understanding Image Storage**
With my High-Level Analyzer (HLA) script in place, I identified the following:
1. **Audio files**: When scanning cards, the drawbot reads associated YXXX.f1a files for audio playback. 2. **Image files**: The larger flash chip contains the actual image data.
**Reversing Image Data**
After a successful chip-off extraction and installation of the extracted flash chip on a breakout board with headers, I used BusPirate to extract the contents. This revealed a structured format that suggested coordinate-based data for drawings.
With some help from ChatGPT (LLM), we:
1. **Parsed the dump**: ChatGPT identified potential image instruction files within the dump. 2. **Confirmed the structure**: Further analysis confirmed the presence of images within the file, with the first 35 images being readily accessible.
**Implementing Image Generation**
Using Python and a script provided by ChatGPT (now slightly simplified), I was able to:
1. **Carve out image data**: Extract specific images from the dump. 2. **Process coordinates**: Convert extracted points into SVG path elements. 3. **Generate an image file**: Create an image file based on the extracted data.
**Overwriting Flash Memory**
With our parser in place, I was able to:
1. **Identify slot offset**: Determine where to start extracting images from the dump. 2. **Extract sequential images**: Select a range of consecutive images to extract. 3. **Render image**: Feed processed coordinates into SVG path elements.
**The Final Result**
After some trial and error, I successfully overwrote one slot with an existing image file, demonstrating the drawbot's ability to render custom images.
**Future Work**
Potential areas for future development include:
1. **Streamlining the process**: Automating the conversion, writing to flash, and triggering drawing (GPIO manipulation) in a single script. 2. **Decoding audio files**: Figuring out the audio format to replace the existing songs and sounds. 3. **Overhauling the drawbot**: Designing and 3D-printing a new body for the robot.
**Conclusion**
This project was an exciting challenge that pushed me to think creatively about hardware, software, and reverse engineering. The outcome has left me eager to tackle more projects in the future.