
Hacking an assault tank...a Nerf one - HBlix
https://www.pentestpartners.com/security-blog/hacking-an-assault-tank-a-nerf-one/
======
monocasa
> you will notice that the upper nybble of nearly every fourth byte is an “E”,
> these denote a number of different operations, including loading, storing,
> branching and standard arithmetic. When you see a binary file with data
> represented uniformly like this, you can be reasonably sure that it is
> running ARM code.

The 'E' nybble doesn't have much to do with the operation code. What it really
is, is that more or less every A32 instruction can be predicated by a condition
code. 'E' means 'always execute this instruction' regardless of the current
state of the flags.

------
UpshotKnothole
_Fuzzing the tank within certain parameters made for entertainment. It would
drive & shoot randomly. That was great fun, until it shot my wife. Oops._

Oh dear. From my experience in life, women and girls never find being shot
with Nerf even remotely as amusing as the men and boys in their life think
they will. “It was random, I swear,” probably didn’t help much. Great article
though, does anyone know why the toy uses the full 32-bit ARM instruction set
instead of THUMB?

~~~
justtopost
If someone I married was genuinely pissed off about an errant nerf dart, I
would seek a new partner. I found the author's comment quite odd for a committed
fellow.

~~~
hugg
Sometimes I wonder if the SO in these kinds of comments actually gets a
negative reaction - or if it's just another dumb, outdated joke that
women/girls are sooo sensitive.

~~~
rhaps0dy
I thought it was a "joke" on how shooting your wife on accident actually would
be really serious and sad, but it could be that too.

------
iuguy
I was the target of the Nerf tank assault. I was winning until Dave picked up
the tank and started aiming it at me ;)

Talk video should be up next month for those interested, which goes into a bit
more detail about the process taken to reverse the tank. Good research, would
get shot again!

------
thewizardofaus
Awesome read! Any tips or books on how to learn reverse engineering firmware?
It's pretty overwhelming.

------
syntaxing
Is there a way to determine the instruction set automatically? Like you hit a
button on the remote and it looks for a specific change in the hex
instruction. Or is the only way to do it through deductive reasoning and
experience, like how the author does?

~~~
archi42
You might try to disassemble the code for a bunch of ISAs and see if your
disassembly produces meaningful function prologue & epilogue for that ISA's
ABI. Automatically.

Not sure if someone is doing that. Our (commercial) disassembler for example
is told by the user what target it's disassembling (and I usually look at the
output, not the actual opcodes; so maybe that's not feasible).
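Putting monocasa's point about the condition field together with archi42's suggestion of scoring candidate ISAs by whether plausible prologues and epilogues appear, the script below is an added example, not code from the article, from Pen Test Partners, or from anyone in this thread. It scans a raw blob as aligned 32-bit words, tallies the top nibble of each word (the A32 condition field, where 0xE is AL, "always"), tries both byte orders, and also counts A32 `push {..., lr}` / `pop {..., pc}` / `bx lr` encodings. The two byte strings are constructed for this example (a seven-instruction A32 function and its Thumb equivalent), and the 0.6 threshold is an assumption chosen for the demonstration, not a documented constant.

```python
"""Heuristic check for A32 (32-bit ARM) code in a raw firmware blob.

Added example, not from the article or the discussion. In A32 every
instruction's bits 31:28 are a condition code and 0xE means AL (always), so
straight-line code shows an 'E' in nearly every fourth byte. Thumb has no
such field, so the same statistic stays flat. Samples below are constructed.
"""
import struct
from collections import Counter

# Constructed sample: little-endian A32 encoding of a tiny function
A32_SAMPLE = struct.pack(
    "<7I",
    0xE92D4010,  # push {r4, lr}   (stmdb sp!, {r4, lr})  cond = AL
    0xE3A00000,  # mov r0, #0                              cond = AL
    0xE3500000,  # cmp r0, #0                              cond = AL
    0x03A00001,  # moveq r0, #1                            cond = EQ (0x0)
    0x1A000000,  # bne +8                                  cond = NE (0x1)
    0xE8BD8010,  # pop {r4, pc}    (ldmia sp!, {r4, pc})  cond = AL
    0xE12FFF1E,  # bx lr                                   cond = AL
)

# Constructed sample: the same function in 16-bit Thumb encodings
THUMB_SAMPLE = struct.pack(
    "<8H",
    0xB510,  # push {r4, lr}
    0x2000,  # movs r0, #0
    0x2800,  # cmp r0, #0
    0xD100,  # bne +0
    0x2001,  # movs r0, #1
    0xBD10,  # pop {r4, pc}
    0x4770,  # bx lr
    0xBF00,  # nop
)

COND_NAMES = "EQ NE CS CC MI PL VS VC HI LS GE LT GT LE AL NV".split()


def words(data: bytes, endian: str = "<") -> tuple:
    """Return the aligned 32-bit words of data; a trailing partial word is dropped."""
    n = len(data) // 4
    return struct.unpack(f"{endian}{n}I", data[: n * 4])


def cond_histogram(data: bytes, endian: str = "<") -> Counter:
    """Count the top nibble (the A32 condition field) of every aligned word."""
    return Counter(w >> 28 for w in words(data, endian))


def always_ratio(data: bytes, endian: str = "<") -> float:
    """Fraction of words whose condition field is AL (0xE)."""
    hist = cond_histogram(data, endian)
    total = sum(hist.values())
    return hist[0xE] / total if total else 0.0


def count_prologues(data: bytes, endian: str = "<") -> int:
    """Count A32 `stmdb sp!, {..., lr}` words (the usual push {..., lr} prologue)."""
    return sum(1 for w in words(data, endian) if w & 0xFFFF4000 == 0xE92D4000)


def count_epilogues(data: bytes, endian: str = "<") -> int:
    """Count A32 `ldmia sp!, {..., pc}` (pop {..., pc}) and `bx lr` words."""
    return sum(
        1 for w in words(data, endian)
        if w & 0xFFFF8000 == 0xE8BD8000 or w == 0xE12FFF1E
    )


def guess_isa(data: bytes, threshold: float = 0.6) -> tuple:
    """Return (label, endian, ratio); label is "A32" or "unknown".

    Both byte orders are tried and the one with the higher AL ratio is kept.
    The threshold is an assumption for this example: conditional instructions,
    literal pools and embedded data all pull the ratio down, so on real
    firmware run this over a sliding window rather than the whole image.
    """
    best = max(("<", ">"), key=lambda e: always_ratio(data, e))
    ratio = always_ratio(data, best)
    return ("A32" if ratio >= threshold else "unknown", best, ratio)


if __name__ == "__main__":
    for name, blob in (("A32 sample", A32_SAMPLE), ("Thumb sample", THUMB_SAMPLE)):
        label, endian, ratio = guess_isa(blob)
        hist = cond_histogram(blob, endian)
        print(f"{name}: {label} (endian {endian!r}, AL ratio {ratio:.2f})")
        print("  cond field:", {COND_NAMES[k]: v for k, v in sorted(hist.items())})
        print("  prologues:", count_prologues(blob, endian),
              "epilogues:", count_epilogues(blob, endian))
```

Decoded as little-endian words, the Thumb sample pairs two halfwords per word, so the top nibble is the high nibble of the second halfword and never lines up on 0xE; the A32 sample scores 5 of 7 words as AL plus one prologue and two epilogues. Expect the ratio to drop in regions holding literal pools, strings or tables, which is also a cheap way to spot where code ends and data begins.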

