> The key turned out to be the actual 32-bit GPS “key” and the “encryption” method was laughably simple: use the key as the starting value for CRC-32. To decrypt each byte, subtract from it the lower 8 bits of the current CRC. After the byte is decrypted, update the CRC for it. I am not joking, this is it.
[...]
> Fun tidbit: you can decrypt the file without knowing whose GPS it was for and what their “key” is. Honeywell engineers were nice enough to leave the decryption key right in the file footer.
When reading stories like this, I like to try to figure out whether the developers who designed these things were 1. totally incompetent / careless, thinking they're actually securing their precious IP, 2. powerless contractors, just dutifully implementing the half-witted attempt at obfuscation some other "architect" designed, or 3. actually true hackers, sympathetic to the cause, deliberately leaving breadcrumbs and vulnerabilities for like minded souls who will later go through the effort to reverse engineer their work.
When I'm in one of my rare optimistic moods, like today, I like to imagine it was #3.
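As an added illustration of the scheme the quoted passage describes (this is not the article's code and not Honeywell's), the whole "cipher" fits in a few lines: a CRC-32 register seeded with the 32-bit key supplies one keystream byte per position, and the register is then advanced with the byte just recovered. The CRC variant (reflected, polynomial 0xEDB88320, no initial or final inversion) and the "key in the last four bytes, little-endian" footer layout are assumptions made here for the sake of a runnable example; the sample data is constructed.

```python
# Added example of a CRC-32 "keystream" cipher as described in the comment
# above. Not Honeywell's code. Assumptions: reflected CRC-32 with polynomial
# 0xEDB88320 and no init/final inversion; footer = 4-byte little-endian key.
import struct
import zlib

POLY = 0xEDB88320  # reflected CRC-32 polynomial (assumed variant)


def _make_table():
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ POLY if c & 1 else c >> 1
        table.append(c)
    return table


_TABLE = _make_table()


def crc32_update(crc: int, byte: int) -> int:
    """Advance a reflected CRC-32 register by one byte (no inversions)."""
    return (_TABLE[(crc ^ byte) & 0xFF] ^ (crc >> 8)) & 0xFFFFFFFF


def matches_zlib(data: bytes) -> bool:
    """Sanity check: with the standard 0xFFFFFFFF init and final XOR,
    crc32_update must agree with zlib.crc32 on the same data."""
    crc = 0xFFFFFFFF
    for b in data:
        crc = crc32_update(crc, b)
    return (crc ^ 0xFFFFFFFF) == zlib.crc32(data)


def decrypt(ciphertext: bytes, key: int) -> bytes:
    """Subtract the low byte of the running CRC from each byte, then feed
    the recovered plaintext byte back into the CRC."""
    crc = key & 0xFFFFFFFF
    out = bytearray()
    for c in ciphertext:
        p = (c - (crc & 0xFF)) & 0xFF
        out.append(p)
        crc = crc32_update(crc, p)
    return bytes(out)


def encrypt(plaintext: bytes, key: int) -> bytes:
    """Inverse of decrypt(): add the keystream byte, advance on plaintext."""
    crc = key & 0xFFFFFFFF
    out = bytearray()
    for p in plaintext:
        out.append((p + (crc & 0xFF)) & 0xFF)
        crc = crc32_update(crc, p)
    return bytes(out)


def pack_with_footer(plaintext: bytes, key: int) -> bytes:
    """Constructed container: ciphertext followed by the key itself,
    mirroring the 'key in the footer' remark (layout is assumed)."""
    return encrypt(plaintext, key) + struct.pack("<I", key)


def decrypt_with_footer_key(blob: bytes) -> bytes:
    """No secret needed: read the key from the footer, then decrypt."""
    body, footer = blob[:-4], blob[-4:]
    (key,) = struct.unpack("<I", footer)
    return decrypt(body, key)


if __name__ == "__main__":
    # Constructed sample record standing in for a database fragment.
    sample = b"KLAX 33.9425 -118.4081 ILS 24R\n"
    blob = pack_with_footer(sample, 0x12345678)
    assert decrypt_with_footer_key(blob) == sample
    print("round trip ok; zlib cross-check:", matches_zlib(sample))
```

The point a practitioner should take from this is structural rather than cryptographic: the keystream depends only on the key and the plaintext so far, the key space is 32 bits, and a known-plaintext position reveals that position's keystream byte directly, so even without the footer the scheme offers no real resistance.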
They were probably just putting enough of a roadblock into the process to stop 98% of people from copying or selling nonauthorized cards. Also the "encrypt/decrypt" needed to be fast on the hardware of the time so it would necessarily be something pretty simple.
If you own an airplane, you can afford to buy avionics updates legitimately, and will likely make very little effort to seek out unauthorized sources.
> If you own an airplane, you can afford to buy avionics updates legitimately, and will likely make very little effort to seek out unauthorized sources.
Not only this, but the method here is definitely non-compliant with FAA regs. You aren't even allowed to pull the sled out of the panel by yourself (you need a FAA-certified mechanic for all removal/installation of avionics), there's no way that the FAA would be cool with you flashing a reverse-engineered database onto it.
To be clear: by all means go ahead and do this. If the database on the unit is outdated then it's functionally useless for any purpose. It's totally legal to have a GPS in the cockpit that you use for VFR operation, so it's still worthwhile. Have a mechanic pull the sled and reinstall it when you're done, it's the law.
But your GPS is no longer rated for IFR operation. If you have an accident while flying IFR on unrated equipment the FAA will see the removal and reinstallation of the sled in your maintenance logbooks and they will come down on you like a hundred tons of bricks.
No, you toe that line very carefully. You do mention removal (not sure if removing sleds is actually OK, I'll defer to you there, but in the general case avionics installation/removal is not OK), never mention flying on it, or quite explicitly state that this modification is legal. You just state that you have "a nice IFR-certified GPS" (not after this procedure you don't), and state that this procedure is "third option" to a legal-but-expensive service by a certified mechanic or illegally hacking in a connector for the official installation utility.
Again, to be clear, doing the mod is legal(-ish, probably violates DMCA but who cares). Flying IFR on it is not. Pulling and installing your own avionics is not. Flying VFR on it is... questionable, but not likely to end poorly.
This whole thing has giant red "DANGER" signs all over it and you should be making it very clear what the exact bounds of the law here are. Selling unpopulated PCBs is treading very close to the edge, that's farther than I would go personally. Selling finished units would definitely be over the line, you would certainly have liability if something happened to an aircraft because of your device. You need to be very clear about the fact that this database is not legal for IFR and the other caveats involved.
Again, I think the actual risk here is low for VFR flight, and I also think you got your reverse engineering correct and checked your work. But from the FAA's perspective: what if you actually did fuck up the reverse engineering, in-flight the unit hangs in a loop, overheats, and starts a fire in your cabin? That's not the perspective HackerNews likes to take, but it's the perspective the FAA does its regulation under. After all, until like 2012 you weren't even allowed to flash your own GPS database, you had to have a mechanic insert the connector and doubleclick the EXE for you. They are not DIY friendly people.
I don't think they'd be OK with a user-upgraded DB that was not done through an official installation tool. I think it's legally dubious even having that card installed in your aircraft (regardless of actual risk), flying IFR on it is right out.
Pulling your own avionics is legal if your airplane is experimental. If you want to hack your airplane, you should clearly have an experimental, not a certified one.
It is my understanding that, in an experimental, you can even legally fly IFR with a GPS you built yourself, as long as it complies with the performance standards and you document the test data that verifies that it does so. Whether it's wise to do so is a different question.
I didn't consider experimental and I agree it sounds more reasonable there. I'm not super familiar with experimental regs, other than the obvious "no commercial use" rule and the necessity of hanging on real tight while you bump and wobble your way down the strip :P
Interesting about the fact that you can fly IFR on your own GPS. I would not have figured that would be allowed since you will be around other aircraft under similar weather conditions/operating rules. Particularly in Class Bravo airspace where it's busy. Or are there other restrictions about experimental aircraft in Class B?
As long as the paper maps and your instruments are accurate, that's perfectly legitimate.
There's no guarantee that a random GPS you built yourself is anywhere near accurate, doesn't have random edge cases, etc. That's problematic when there's a high density of other aircraft containing hundreds of people around.
Not saying it's not legal, it just surprises me because the FAA is usually really cautious.
Actually, yes they are. You just register your aircraft as an experimental aircraft and bingo you're free to do repairs, maintenance and modification to it as you like. However, as an experimental aircraft you're restricted from using it for commercial uses.
Experimental is fantastic for private pilots and families. In fact, Experimental aviation is where the majority of the small aircraft market has moved to, as well as /all/ of the progress.
EDIT: also, you can purchase a certified aircraft and have it reclassified to an experimental as you will. Some people do it to things like Cessnas in order to change the engine/props. Though it's much more common to start off building an experimental from scratch.
While I get your point, an in-flight device that gets stuck in an infinite loop should not cause an in-flight fire. If that still happens, then it's safe to say that more than one mistake was made. Otherwise you're basically assuming that an untampered vendor model of that unit is so perfect that it would never get stuck in a loop. And as we all know in aviation, to assume anything is making an ass out of 'u' and me. Especially when you assume that something is perfect and cannot fail.
Notwithstanding this, I totally get what would happen in the scenario you describe, and I think it's pretty accurate.
Again - like I said, I don't think that's a likely scenario at all. I think this guy did his stuff right and so on.
But there's all kinds of unanticipated failure modes when someone without actual knowledge of a device generates a data structure that mostly kinda sorta works, and the FAA does not do anything halfway. The people who designed it okay it, or you get it re-certified, or else it's not approved (except experimental certification, based on what people are saying).
Everyone in this business is 'more Catholic than the Pope' for a very good reason. Almost every single one of the rules we find so restrictive is so restrictive because it was bought and paid for with someone's life -- and often the lives of the innocent who trusted them as well.
Being certified and claiming to others to be certified is a promise. It's a position of trust in much the same way as anyone with a licence to practice medicine and who actually does practice is trusted.
We guard the system so jealously because we have to trust in the system. Without it, it's far too dangerous for any rational person to even consider stepping foot on a plane or in an emergency room.
> and often the lives of the innocent who trusted them as well.
This is the most crucial part. Maybe you, personally, are OK with modifying your plane and you accept the possibility that your tinkering may cause the plane to crash. But unless you're flying in the middle of Siberia, there are others.
The people in the house you may crash in, the people in the other plane you may have just clipped in the runway, the SAR crew that may drown trying to rescue you after your corrupted GPS database diverted the plane to open ocean in stormy IFR conditions. Please everyone, think of their lives even if you're open to risk yours.
There's a reason for that. Quite a lot of people in this business end up splashed all over terra firma. Like I literally guarantee anyone who's an active pilot knows someone who has died or had some really fucking close calls.
I grew up in a house that's adjacent to a small grass airstrip. You walk across a grassy field for 50 feet and around a barbed wire fence, there's a barn on your right that opens onto the airstrip. The guy who owned that barn died when the wing fell off his buddy's ultralight down in Florida. Now it belongs to his kids and they're keeping some construction equipment in there until it finishes decaying and falls down.
My dad belonged to an aviation club at a municipal airport (different from the grass strip) with four aircraft for about a decade when I was a kid. I can remember no less than three major accidents.
Once, the mechanic was changing the oil and stuffed a paper towel into the oil drain cock to catch those last annoying drips of oil that gunk up the cowling. He forgot about it and it held well enough for the pilot to make it off the ground, then popped loose. She saw the oil pressure gauge drop and decided it was a bad gauge and proceeded on. She made it about 30 miles and seized the engine, then put it down on Milford Proving Grounds.
Another time, a club member was making a night approach into Lansing and got a little low. Apparently he noticed that the runway lights were starting to sparkle, and that's when he clipped the tree canopy (low-wing aircraft). He jerked the yoke back and floored it and managed to climb out. Thanks to the adrenaline rush he made the worst decision of his life. He called the 24/7 staffed tower at a mid-tier international airport with fire rescue service and requested direct clearance back to his home-field where the tower had closed at sundown, without mentioning that he'd flown his plane into a fucking tree. On the hour long flight back he had some time to cool off and think about it, which turned out to be the best decision of his life. He realized how totally fucked he was flying at night with a derelict aircraft into a municipal airport with no tower and no fire service, and started thinking. He reckoned that since he'd been doing 75 knots when he jerked the yoke back, the aircraft would be flyable at that speed. So his plan was to fly it all the way down to the ground at 75 knots. Turned out to be a great decision - a Piper Archer normally lands at 50kts, he flared at 75 kts and the aircraft fell out of the air onto the runway. When he could get some lights on he saw that he'd knocked several feet out of the leading edge of one of his wings. Repairable, the club fixed it and eventually sold the airplane.
Much simpler one, someone fucked up and ran the plane out of gas and parked it in a cornfield. That's the good kind of accident, everyone involved is real happy to walk away and come hire a trailer to come and get the plane.
That includes the FAA. To be brutally honest the FAA is the poster child of a cooperative regulatory agency. If you make an oopsie and have an accident, you come clean and tell them what happened. They track all that shit, they have probably the world's most accurate picture of the kind of accidents that happen in their field. They know everyone is human and mistakes happen, if you come clean and weren't grossly negligent then you are likely to walk away with a "this is a life lesson: do better next time". Or maybe some remedial flight training if you were a total knucklehead. But if they catch you doing something like modifying your avionics or pencil-whipping your maintenance logs they will come down on you like a fucking ton of bricks and you will never again set foot on any airplane where the flight attendants don't do a song-and-dance before takeoff.
I myself had a semi-close call when I was a kid. We had a father-son outing where my dad flew me, his instructor, and his instructor's kid across the state to a really cool aircraft museum attached to an airport (nowadays they have an SR-71). On the way back they noted the oil pressure was getting a little low, topped it up, and marked it in the log. The maintenance guy took a look at it. Cracked crankcase, don't remember if it was major service or a new engine. Could have been a problem if someone else had flown it for a couple more hours before us and hadn't noted it. That's the kind of shit that gets you if you're not careful about it. One pilot - not even the pilot actually flying the airplane at the time - making an oopsie at a bad time, or in too much hurry to mark that they added some oil in the maintenance log, and that could have been it. You're fucked if it seizes on climbout - and that's when you're pushing the engine hardest.
Ever heard the saying? There's old pilots and there's bold pilots, but there's no old, bold pilots. The truth is the FAA is just the hired gun here. Around good pilots - nobody pencilwhips the logs because if that's the norm then next time it might be them, or their buddy. The FAA rules are there for a reason, hard learned reasons, and airmen don't want to kill each other either or the public. The risks of flying around a several-ton missile full of fuel at 100kts are absolutely palpable in this hobby. A good airman will drive the plane down into the ground rather than hit something that might have people in it. That could be you or your friend.
---
It's kind of sad because I know the airstrip is toast as soon as the 85 year old who owns it croaks. His son is raring to sell it.
On the other hand once I got to see someone bring this CASA-212 twin-engine cargo plane into this tiny grass strip, turn around, and do a takeoff. Must have been someone on their checkride - spec sheets says the plane can do it, so let's see it. Damndest thing I've ever seen, I wish I had video.
Jack Roush (the racecar driver) also used to buzz the airfield in his T-6 Texan and P-51 Mustang. We would always run out and watch, and one time he landed and asked if it was cool if he buzzed the runway and we were like "hell yeah!?". Then our asshole neighbors who unknowingly bought airport-fronting real estate got butthurt because he was waking up their infant and reported him to the FAA for doing low level acrobatics. He got a suspension and never came back again.
Not strictly legal with the license he had, and that's how the FAA plays the game. He stepped over the line and he got slapped for it. But he wasn't really being dangerous and it was so cool to see, he'd dive and come by 30 feet off the deck, then do a sick climbout, maybe with like a roll or something. One time we heard him make a pass and then rushed my grandma out without telling her what was happening, and he came by and gave her the scare of her life. I miss you buzzing the field, buddy, come land again and say hi sometime :(
Another time, my sister and I witnessed a plane crash. Living next to an airfield you get a sense for how fast a plane needs to be going to take off. I saw this Cessna come by way fucking slow. Like probably 30mph, 150 feet from the end of the runway, on the ground. There's a point on the runway called V1 where you're committed, usually below the speed where you can take off safely, so you're in it for the long haul. There's a displaced threshold on that runway because of a gigantic fucking tree 50 feet off the end of the runway. This guy was way below where he needed to be, he was fucked, and he realized it, and he pushed it back onto the ground, jammed the brakes, and swerved into a field of soy (60 ft wide with a busy road on the other side). Clipped a wingtip (high wing), torqued it around 270 degrees, and ripped one of his gear off. But it was the good kind of crash. He walked away and the trailer came and picked up his plane.
We'd sometimes get Blackhawks from Selfridge ANGB and shit in the middle of night practicing their rustic-site operations. Never knew what you'd get, really. One time 7-year-old me helped launch a hot-air balloon that had decided to ride out some inclement weather on our field.
But yeah, in 10 years tops it'll all be a subdivision because the son of the owner is champing at the bit to sell and develop that shit, since it's several hundred acres of woods with several lakes included. Used to take my dog running down the two-track and see the lakes. 25 years ago a tornado ripped all the siding off the only permanent hangar and threw it into a tree, and it's only been getting worse since. The owner hardly ever plows the field anymore (used to use a vintage Korean War Deuce-and-a-half to plow and roll). We've been the ones who do the mowing for quite a while now. All those moments will be lost, like tears in rain. At least my parents tell me that they're filming a Netflix movie called "Crystal" there (production codename?) so I hope it will be immortalized.
I should get a drone and do some flyarounds for posterity. I used to fly R/C airplanes there all the time, we get a landing like once a month nowadays and I'm 100% willing to trash the R/C airplane to avoid hitting a real plane if it comes down to it.
PS: as far as I know all of those pilots flew again. Except the ultralight guy of course.
The air traffic controllers are there for you. They are waiting for you to declare an emergency so they can use their superpowers to help - I've literally heard a controller prompt a distressed pilot to make a declaration. Once you say those magic words, "[tail number] declaring an emergency", you literally can request any clearance or approach and reject anything they grant if that's what you need in order to get onto the ground. They will bend heaven and earth to get you back down safely - they will divert multiple airliner traffic for you if that's what it takes. Tell them what is wrong and they will rally ground resources for you and tell you from a 3rd party perspective what they think your best move is. They are there to help you, the pilot who is fighting a losing battle in their tiny, fragile, flammable little bubble of a world, and the FAA will likely forgive all if you weren't a total retard about the whole accident. Admitting you made a mistake is 75% of the battle.
That's the deal, you tell daddy and everything will be OK. They need to know what actually happened so they can address the actual risks of aviation. If people are flying tired, they want to know. If digital cockpits are too complex, they want to know. Etc etc. That's their mandate. General aviation is a super fucking risky business, they know it, there's tons of hardware failure and pilot error and combinations thereof, and they want to try and make it safer.
But if you try to fuck the system then you will be taken out and shot out back as far as the FAA is concerned. Lying to them is the worst offense you can possibly do as a pilot, either in an incident report or in your maintenance logs. If they catch that it's over.
They track every problem back relentlessly and they will have a very solid chance of catching you in a lie, because they want to make damned sure nobody else ever dies needlessly to the same thing that downed your aircraft. There is no such thing as "nobody's fault" as far as the FAA is concerned and they will bend heaven and hell just as hard to find out what really happened. Every part in every system on your plane has a page in a binder that lists everyone who touched it - they will find it eventually.
If you have a problem, you fess up to your lie right then and there, or you better hope you crash so bad that when you hit every chip on that memory card is shattered beyond repair. You get to choose, either confess and live, or die and keep your secret, or live and keep your secret and spend the rest of your life as a paraplegic. Either way it will be on the ground where you belong.
Decryption aside, reverse-engineering anything is extremely difficult - I've seen projects like this take much, much longer than 3 days even when no encryption is involved. But as for the encryption itself, the author says himself: "the 'encryption' method was laughably simple." That may be "good" encryption from a hacker perspective, in that it's easy to work around, but it's not "strong" encryption in any book.
I have seen this quite often in legacy devices. 20 years ago there wasn't IDA Pro, and the designers probably felt more secure about leaving all the pieces of the puzzle in the hands of the end user. Real cryptography was more difficult on 8-bit hardware, as well as being export-controlled.
The last one I encountered was an s-box, where the s-box material was included in the update file. The only secret was the initial substitution ('seed' if you will.) They kept it in firmware until the very last product to use this scheme, whose windows app decrypted the update to learn some details about the update before it was loaded into the embedded device.
IDA Pro might not have existed 20+ years ago but other tools certainly did. I can recall using SoftICE as a teenager to "crack" door games for my BBS. Thanks for the flashback. :)
I still use SoftICE (DOS) for its debugger! (I still get legacy projects from time to time.) But it requires a lot more manual labor to understand a binary.
I'd like to think it was 3, just because the design has just enough of a PITA factor that it's just plain easier to pay Honeywell for updates so long as the program exists. But as soon as the program doesn't exist, at the least the hardware isn't a brick.
Another possibility is that they designed it as just a thin brick wall for the consumer, never suspecting or caring if they'd reverse engineer it one day, while making it easy for them to do these updates by mail. By making a system easy for Honeywell to provide mail-in updates, they unwittingly made it easyish to hack 20 years later.
Very nice writeup. I once had to do something similar for RFID readers used by the Dutch police to scan 'anti theft' RFID tags for bikes/scooters. The scanner manufacturer went bankrupt, and we had a bunch of scanners with old firmware which needed to be updated to a newer version. I spent a couple of weeks building the required hardware and software tools to extract firmware from the newer scanners and load them into the old scanners. Fun times =)
Unfortunately not, since I was doing this for an employer I'd highly doubt they would have appreciated me telling the world how we'd go about reverse engineering and extracting IP from the scanners.
Dmitry, you never cease to amaze me with your side projects and the lengths and hurdles you go through with ease. These writeups are fun to read and provide me with some inspiration if I'm ever stuck on something.
For those that don't know, Dmitry also ported linux to an 8 bit micro-controller.
He also wrote a whole suite [1] of utilities for later PalmOne and Treo devices that massively improved their capabilities and made them usable for a much longer time - absent PowerSDHC and WarpSpeed in particular, my old Palm TX wouldn't have lasted me until 2012.
Pardon me if this sounds like a buzzkill, but is modifying plane equipment legal without re-certification? I remember reading a previous post on HN on why the same electronics on airplanes are 10x more expensive due to rigorous FAA certifications.
Pilot here. Generally speaking, FAA regs allow owners to update GPS databases (14 CFR 43.3 [0]) if we're provided with the means to do so. However, this method of doing it may be legally questionable.
The crux of the matter is this regulation (14 CFR 43.3(k)):
> (2) The pilot must comply with the certificate holder's procedures or the manufacturer's instructions.
> (3) The holder of operating certificates must make available written procedures consistent with manufacturer's instructions to the pilot that describe how to
Basically, while as an engineer I can appreciate the technical cleverness of this, I would definitely talk to an aviation lawyer first before trying this myself.
Interestingly, by 14 CFR 43.3(k) even the "official" method described in the article is noncompliant, as the device is removed from the aircraft, and put into a docking-station at home, loaded via RS232.
I also understand the need to follow procedures, even if there are cases in which they are clearly nonsensical or obviously without influence on air safety -- just because it's not guaranteed that everything that seems to have no influence on safety actually does have no influence on safety.
But: I had seen photographs of an old floppy drive in a B737 (I think) which was used to load updates to the FMS. Then there's a version with USB. Both storage devices could be inserted into a PC, with junk stored on them, or swapped with a completely unrelated disk/usb-stick. Inadvertently, or even with malicious intent.
So the risk of arbitrary data on the floppy drive must have been mitigated (by signing the FMS updates, checksums, ...) and considered acceptable during the design of the system.
The same, I think, should hold true for the memory card in the article: If traditionally these cards had been shipped around by postal mail, I'll claim that the possibility of damage which isn't visually apparent must have been taken into account, and a procedure been put into place, such as a CRC check to be performed after the swap, or a self-test after every turn-on of the unit. Afterwards, the card should be considered "good", independent of the method by which the data was loaded.
Does that make sense, or am I overlooking something obvious here?
> Interestingly, by 14 CFR 43.3(k) even the "official" method described in the article is noncompliant, as the device is removed from the aircraft, and put into a docking-station at home, loaded via RS232.
It's not noncompliant, it just means that owner maintenance on this GPS isn't possible and has to be done by a specialist. A general rule I go by is if something needs to come out of the panel, it needs a mechanic or avionics tech to do. This unit is from 1996. IIRC we weren't allowed to do our own updates until 2012 or so. So it's not surprising that owner maintenance may not be legally possible on it.
I can pretty easily construct a scenario where doing something like this gets you in trouble. Chances are nothing will happen but it's all about your risk tolerance. Mine is pretty low.
He has added an interesting disclaimer "Please note: I am in no way saying that you can, should, or are allowed to fly with a card updated in this way (even though the bits in it are identical). I am not claiming that I plan to or am flying with such a card. All experimentation was performed on a card and a GPS that is not used for IFR flight."
Also author appears to have commented on this thread with a similar disclaimer. Very neat hack, but yea, walking a very fine line with the relevant aviation authority :(
Yes, I see the disclaimer. You are walking an incredibly fine line.
If you did this to the GPS that is currently in your airplane, unless you are also a licensed A&P or your aircraft is registered as experimental, you potentially made an illegal modification to your aircraft. You almost certainly voided the IFR rating on your GPS. You may have voided your airworthiness certificate. You may have also voided your insurance policy.
Now, there's a lot of qualifiers in there because ... I honestly don't know. There's lots of rule making about what maintenance owners can do when it comes to physical parts of the plane, but hardly any about software. That's why I would talk to a lawyer and A&P first if you do decide to fly with this. It might be fine, especially given the age of the GPS in question, to just have someone sign off on it. But likely only an attorney up-to-date with FAA rule making could tell you that. To me, this looks legally problematic at the very least, but IANAL.
Yes, it is your GPS, and your airplane, and you should be able to do what you like with them, but that's not how the FAA works. You and I both know that, as pilots, we have almost no legal protection. It literally just takes one FAA bureaucrat wanting to make a name for themselves to really make your life a living hell over this if they want to. Never underestimate the pettiness of government bureaucrats when it comes to following rules. If someone from the FAA sees this, they're likely going to want to ask you some questions.
I'm not going to tell you how to live your life. Only you can determine what your risk tolerance is, and the reality is that probably no one will find out, you will have no issues, and you'll be just fine. Again, it's an impressive and very clever feat of reverse-engineering, and I don't want to take anything away from that. From one engineer to another, really, it's well done. But if you have an incident flying IFR on this now-unrated equipment, and the FAA finds out about this, it will likely end very poorly for you.
All I can say is that, if it were me, I would not fly with anything in the airplane that would endanger me or get me in trouble with the FAA. I would not even want to take a chance with something like this in my airplane.
I would at the very least 1) talk to an aviation lawyer, and 2) get someone to sign off on what you've done. I would also provide the relevant documentation on your webpage about the legally questionable nature of this modification.
Or 3) slap an "INOP" placard on it and get on with the fun of flying.
Judging by the text and posts the author is well aware of all that, is this preaching really necessary here on HN? :/
The process of reverse engineering and hardware design itself is still very interesting to read about and I'm not sure what your post really adds besides negativity?
I found the reverse engineering part interesting too. Like I said, it's incredibly well done. But it's also legally problematic and anyone reading this should understand the risks they are taking. Fighting an FAA enforcement action will be far more expensive (think 5 figures) than just paying the money to do it the legally correct way. If someone does it wrong it might cost them their life (see paulmd's comments above).
Pilots operate in a complex regulatory environment and things that may seem okay from the outside are not okay to the government. It's so complex that otherwise well meaning and law abiding pilots each year run afoul of the various regulations, and there are few legal protections afforded to pilots facing an enforcement action. A good example of this is the relevant FARs about reimbursement for business expenses when flying yourself. They're not the same as driving and being caught breaking them could cost you your certificate.
Whole books are written about aviation law and attorneys specialize in it. And all pilots are expected to be familiar with them. But the devil is in the details, and that's where they'll get you.
He says he didn't put it in his plane, so he's fine. And it was a super interesting technical read. But others reading this need to understand the ramifications of doing this or something like it to an actual airplane is just asking for problems.
Sure, and that's what a disclaimer, like the one you even acknowledged, does. Make it obvious that this is something that he did for fun and that you shouldn't do the same unless you know the risks.
So, going back to izacus's comment, is the preaching really necessary? He gets it, and people who read this and are in a position to act upon the information (ie. have a plane, with this GPS, and want updates) also are likely to understand the ramifications, so, really, what does the preaching add, other than negativity, as was mentioned?
Maybe I missed it, but I didn't see where he's getting updated GPS data from. Does the company still provide it? Is it fairly standard and there's another source?
I think it's a very cool project, and amazing that he's able to read/write the data, but I kept waiting to find out where the updated GPS data came from.
> 16-bit x86 Borland-compiler-produced code is a huge pain to read
I've occasionally considered writing some sort of reverse engineering assistant for 16-bit DOS executables, with the primary target of retro games. I still have a Borland compiler suite handy, although I've long since binned its original 5 1/4" disks.
Embarcadero has Borland Turbo C 2.01 and 3 versions of Turbo Pascal available for download from their site (on their "Antique Software" page), along with Turbo C++ 1.01 if you have a license to some of their more modern software.
Disassembling DOS games has been my introduction to reverse engineering, over the last couple of years. Specifically, Ultima Underworld. The game itself is complex, and a lot of the file formats are already documented, so I'm not jumping into the deep end unaided.
Fun fact: The original Lemmings game is actually encrypted. The first thing it does when loading is decrypt chunks of itself at a time, sometimes copying chunks of code to different places, then jumping into those chunks.
Don't get me started on database updates or connection methods for aircraft... We have models that use floppies (about 75% disk failure rate per box of "new" disks), CompactFlash cards, SD cards, zip disks (yes, zip disks), WiFi + iPad, serial connection (9 or proprietary cable) and USB sticks.
The USB sticks are the preferred method these days, but there are a bunch of aircraft flying around out there with Windows viruses stored on their USB sticks. My mechanics get an alert every time they plug one in to do an update.
Hey nice work! This new silicon that is not tolerant of 5v inputs grinds my gears. I wonder if you could have used zener diodes instead of a more complicated level shifter to stay on the STM32. I really don't like the avr anymore.
I think the problem was that the flash chip was designed to work at 5V, so he'd have had to provide level shifting or buffering for all the outputs to the flash chip.
There are ARM microcontrollers from both Atmel and NXP (LPC) which are 5V tolerant, but I'm not aware of any which can provide a 5V output.
But these GPIOs are generally not sources of Vcc/Vdd. Without reading technical details about the actual chip, I always assume they are weak pullups to Vcc/Vdd that are shunted to ground (Vee/Vss) when 0.
So, a 5v pullup on the 'memory chip' side would satisfy the memory chip's 'high' threshold, the zener would protect the 3v3 device, and its shorting to ground would be a legitimate 0.
If you go to the effort to make a nice circuit board, and need to interface 3.3v to 5v logic it doesn't really pay off to skimp on, e.g. a proper voltage translator. [e.g. SN74LVC4245]
Why? Because it's giving you worse results: slew time with open-collector/pullup signals is pretty bad because on the 0->1 transition the trace capacitance is charged up via the pullup rather slowly (compared to a proper CMOS driver). Also, for 8 signals you'll need to populate 8 resistors and 8 clamping zeners. That needs more space than a single SOIC-20, which provides you with proper bidirectional drivers.
In this special case, though, the inputs of the NOR flashes seem to be happy to be driven by 3.3V, the datasheet requires Vinh (voltage input high) to be >2V (likely to be compatible with old TTL logic which had this threshold voltage). So all inputs to the NOR flash could be directly connected to a 3v3 microcontroller, leaves only the 8 bidirectional data pins and the "Ready" pin RY/BY#.
So, I'd probably take a bidirectional level shifter for the data bus, skimp on the single "Ready" pin and only use a resistor, as this signal is only interesting during erase anyway. Then everything else could be directly connected to any 3.3v compatible microprocessor.
That way all signals that need to be fast are fast, there's a minimized component count, and the single remaining signal would be for me to be ridiculed for my lack of rigor :-).
I think this conversation is kind of orthogonal to the actual issue, which is that setting up the hardware to shift 32 signals from 3.3v to 5v is pretty easy. I definitely wouldn't consider it a "major pain." Interfacing parts which use two different logic levels is incredibly common, and there are many inexpensive ICs that provide bidirectional level shifting.
That being said, I think choosing a microcontroller which uses the logic level you need is a perfectly acceptable solution. Minimizing the number of components goes a long way towards making a project easier to manage.
The STM32 chips are generally 5V tolerant, but there's no guarantee that the memory will like 3.3V inputs. (The Atmel ARM chips used in the newer Arduinos unfortunately aren't though.)
Nice hack! As someone who is currently shopping for an old plane myself, it makes me so happy to see folks smarter than me hacking on all of this old legacy equipment that is still serviceable!
What would have been the options if one is not able to perform this magnificent feat of reverse engineering? Buying a new GPS unit? Is that a serious investment?
In your car or phone, no. In General Aviation, it will cost a minimum of a few grand to get an IFR certified unit, plus more for installation, as you aren't legally allowed to install much of anything in your panel on your aircraft unless it is a direct fit, drop in unit. Airplanes are awesome, and the laws are there for a very good reason, but they (can be) crazy expensive!
Pay to have the jack installed in the plane ($2k) or have mechanic pull GPS out and back in every 28 days to do update in the dock. (as I currently do)
I'm hoping you wrote that in the way that "here is this guy that did some amazing cool hardware hacking, whereas 'all' you have done today is write a shell script".