
Updating my plane’s very old GPS data in a very modern way - dmitrygr
http://dmitry.gr/index.php?r=05.Projects&proj=21.%20KLN89
======
ryandrake
> The key turned out to be the actual 32-bit GPS “key” and the “encryption”
> method was laughably simple: use the key as the starting value for CRC-32.
> To decrypt each byte, subtract from it the lower 8 bits of the current CRC.
> After the byte is decrypted, update the CRC for it. I am not joking, this is
> it.

[...]

> Fun tidbit: you can decrypt the file without knowing whose GPS it was for
> and what their “key” is. Honeywell engineers were nice enough to leave the
> decryption key right in the file footer.

When reading stories like this, I like to try to figure out whether the
developers who designed these things were 1. totally incompetent / careless,
thinking they're actually securing their precious IP, 2. powerless
contractors, just dutifully implementing the half-witted attempt at
obfuscation some other "architect" designed, or 3. actually true hackers,
sympathetic to the cause, deliberately leaving breadcrumbs and vulnerabilities
for like minded souls who will later go through the effort to reverse engineer
their work.

When I'm in one of my rare optimistic moods, like today, I like to imagine it
was #3.
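An added example, not code from Dmitry's write-up or from ryandrake's comment, modelling the CRC-32 "encryption" the quoted passage describes in order to show why it is obfuscation rather than encryption. The quoted text does not pin down the CRC variant or the footer layout, so the following are labelled assumptions: the common reflected CRC-32 (polynomial 0xEDB88320), the 32-bit key dropped straight into the CRC register with no pre/post conditioning, byte arithmetic modulo 256, and a little-endian key in the footer. The structural point holds whatever those details are: the keystream depends only on a value that ships with the file and on the plaintext, so the file is self-decrypting.

```python
# Added example (not Dmitry's code): a model of the CRC-32 "encryption" quoted
# above. Assumptions: reflected CRC-32 (poly 0xEDB88320), key loaded straight
# into the CRC register with no conditioning, bytes combined modulo 256, and a
# little-endian 32-bit key in the file footer.
import struct

CRC_TABLE = []
for n in range(256):
    c = n
    for _ in range(8):
        c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
    CRC_TABLE.append(c)


def crc32_update(crc: int, byte: int) -> int:
    """Advance the CRC-32 register by one data byte (reflected, table-driven)."""
    return (crc >> 8) ^ CRC_TABLE[(crc ^ byte) & 0xFF]


def crc32_ieee(data: bytes) -> int:
    """Conventional CRC-32 (init 0xFFFFFFFF, final XOR) to sanity-check the table."""
    crc = 0xFFFFFFFF
    for b in data:
        crc = crc32_update(crc, b)
    return crc ^ 0xFFFFFFFF


def decrypt(ciphertext: bytes, key: int) -> bytes:
    """The quoted scheme: subtract the low 8 bits of the running CRC from each
    byte, then feed the *decrypted* byte into the CRC. The very first keystream
    byte is simply the low byte of the key."""
    crc = key & 0xFFFFFFFF
    out = bytearray()
    for c in ciphertext:
        p = (c - (crc & 0xFF)) & 0xFF
        out.append(p)
        crc = crc32_update(crc, p)
    return bytes(out)


def encrypt(plaintext: bytes, key: int) -> bytes:
    """Exact inverse: add the CRC's low byte, then update the CRC on the plaintext byte."""
    crc = key & 0xFFFFFFFF
    out = bytearray()
    for p in plaintext:
        out.append((p + (crc & 0xFF)) & 0xFF)
        crc = crc32_update(crc, p)
    return bytes(out)


def pack_with_footer(plaintext: bytes, key: int) -> bytes:
    """Constructed container mirroring the 'key in the footer' tidbit:
    ciphertext followed by the 32-bit key itself."""
    return encrypt(plaintext, key) + struct.pack("<I", key & 0xFFFFFFFF)


def decrypt_with_footer(blob: bytes) -> bytes:
    """Anyone holding the file can decrypt it: the 'secret' ships inside it."""
    key = struct.unpack("<I", blob[-4:])[0]
    return decrypt(blob[:-4], key)


if __name__ == "__main__":
    blob = pack_with_footer(b"KLN89 nav db", 0xDEADBEEF)  # constructed input
    print(blob.hex())
    print(decrypt_with_footer(blob))
```

The round trip works for any CRC variant because the keystream is computed from state the receiver can reproduce; what makes it a non-cipher is that the only secret, the 32-bit seed, is both tiny and stored next to the data it protects.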

~~~
ams6110
They were probably just putting enough of a roadblock into the process to stop
98% of people from copying or selling nonauthorized cards. Also the
"encrypt/decrypt" needed to be fast on the hardware of the time so it would
necessarily be something pretty simple.

If you own an airplane, you can afford to buy avionics updates legitimately,
and will likely make very little effort to seek out unauthorized sources.

~~~
paulmd
> If you own an airplane, you can afford to buy avionics updates legitimately,
> and will likely make very little effort to seek out unauthorized sources.

Not only this, but the method here is definitely non-compliant with FAA regs.
You aren't even allowed to pull the sled out of the panel by yourself (you
need a FAA-certified mechanic for all removal/installation of avionics),
there's no way that the FAA would be cool with you flashing a reverse-engineered
database onto it.

To be clear: by all means go ahead and do this. If the database on the unit is
outdated then it's functionally useless for any purpose. It's totally legal to
have a GPS in the cockpit that you use for VFR operation, so it's still
worthwhile. Have a mechanic pull the sled and reinstall it when you're done,
it's the law.

But your GPS is no longer rated for IFR operation. If you have an accident
while flying IFR on unrated equipment the FAA will see the removal and
reinstallation of the sled in your maintenance logbooks and they will come
down on you like a hundred tons of bricks.

~~~
CamperBob2
Meh, everybody in this business is more Catholic than the Pope. Who's going to
enter this sort of thing in their maintenance logbooks to begin with?

~~~
justinjlynn
Everyone in this business is 'more Catholic than the Pope' for a very good
reason. Almost every single one of the rules we find so restrictive is so
restrictive because it was bought and paid for with someone's life -- and
often the lives of the innocent who trusted them as well.

Being certified and claiming to others to be certified is a promise. It's a
position of trust in much the same way as anyone with a licence to practice
medicine and who actually does practice is trusted.

We guard the system so jealously because we have to trust in the system. Without
it, it's far too dangerous for any rational person to even consider stepping
foot on a plane or in an emergency room.

~~~
JorgeGT
> and often the lives of the innocent who trusted them as well.

This is the most crucial part. Maybe you, personally, are OK with modifying
your plane and you accept the possibility that your tinkering may cause the
plane to crash. But unless you're flying in the middle of Siberia, there are
others.

The people in the house you may crash in, the people in the other plane you
may have just clipped on the runway, the SAR crew that may drown trying to
rescue you after your corrupted GPS database diverted the plane to open ocean
in stormy IFR conditions. Please everyone, think of their lives even if you're
open to risk yours.

------
LeonM
Very nice writeup. I once had to do something similar for RFID readers used by
the Dutch police to scan 'anti theft' RFID tags for bikes/scooters. The
scanner manufacturer went bankrupt, and we had a bunch of scanners with old
firmware which needed to be updated to a newer version. I spent a couple of
weeks building the required hardware and software tools to extract firmware
from the newer scanners and load them into the old scanners. Fun times =)

~~~
jimktrains2
It seems like every day there is some story about the dangers of proprietary
hardware and software :(

Do you have a writeup of your reverse engineering the scanners and firmware?
Like this article, it could be a fun read!

~~~
LeonM
Unfortunately not, since I was doing this for an employer I'd highly doubt
they would have appreciated me telling the world how we'd go about reverse
engineering and extracting IP from the scanners.

------
sunils34
Dmitry, you never cease to amaze me with your side projects and the lengths
and hurdles you go through with ease. These writeups are fun to read and
provide me with some inspiration if I'm ever stuck on something.

For those that don't know, Dmitry also ported linux to an 8 bit microcontroller.

Still to date, the craziest project I can think of.
[http://dmitry.gr/index.php?r=05.Projects&proj=07.%20Linux%20...](http://dmitry.gr/index.php?r=05.Projects&proj=07.%20Linux%20on%208bit)

~~~
throwanem
He also wrote a whole suite [1] of utilities for later PalmOne and Treo
devices that massively improved their capabilities and made them usable for a
much longer time - absent PowerSDHC and WarpSpeed in particular, my old Palm
TX wouldn't have lasted me until 2012.

[1] [http://palmpowerups.com/](http://palmpowerups.com/)

------
devy
Pardon me if this sounds like a buzzkill, but is modifying plane equipment
legal without re-certification? I remember reading a previous post on HN on
why same electronics on airplanes are 10x more expensive due to rigorous FAA
certifications.

~~~
peckrob
Pilot here. Generally speaking, FAA regs allow owners to update GPS databases
(14 CFR 43.3 [0]) if we're provided with the means to do so. However, this
method of doing it may be legally questionable.

The crux of the matter is this regulation (14 CFR 43.3(k)):

> (2) The pilot must comply with the certificate holder's procedures or the
> manufacturer's instructions.

> (3) The holder of operating certificates must make available written
> procedures consistent with manufacturer's instructions to the pilot that
> describe how to

Basically, while as an engineer I can appreciate the technical cleverness of
this, I would definitely talk to an aviation lawyer first before trying this
myself.

[0] [http://www.ecfr.gov/cgi-bin/text-idx?rgn=div5&view=text&node...](http://www.ecfr.gov/cgi-bin/text-idx?rgn=div5&view=text&node=14:1.0.1.3.21&idno=14#se14.1.43_13)

[1]
[http://aviation.stackexchange.com/a/1300](http://aviation.stackexchange.com/a/1300)

~~~
cnvogel
Interestingly, by 14 CFR 43.3(k) even the "official" method described in the
article is noncompliant, as the device is removed from the aircraft, and put
into a docking-station at home, loaded via RS232.

I also understand the need to follow procedures, even if there are cases in
which they are clearly nonsensical or obviously without influence on air
safety -- just because it's not guaranteed that everything that seems to have
no influence on safety actually does have no influence on safety.

But: I had seen photographs of an old floppy drive in a B737 (I think) which
was used to load updates to the FMS. Then there's a version with USB. Both
storage devices could be inserted into a PC, with junk stored on them, or
swapped with a completely unrelated disk/usb-stick. Inadvertently, or even
with malicious intent.

So the risk of arbitrary data on the floppy drive must have been mitigated (by
signing the FMS updates, checksums, ...) and considered acceptable during the
design of the system.

The same, I think, should hold true for the memory card in the article: If
traditionally these cards had been shipped around by postal mail, I'll claim
that the possibility of damage which isn't visually apparent must have been
taken into account, and a procedure been put into place, such as a CRC check
to be performed after the swap, or a self-test after every turn-on of the
unit. Afterwards, the card should be considered "good", independent of the
method by which the data was loaded.

Does that make sense, or am I overlooking something obvious here?
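An added example, not part of cnvogel's comment or of the article, separating the two checks cnvogel mentions: a CRC over the loaded data detects damage that is not visually apparent, while a keyed check (signing) also detects deliberate edits, because a CRC can be recomputed by anyone who changes the data. The "database image", its footer layout and the loader key are all constructed for the example; HMAC-SHA256 stands in for a signature so the code stays standard-library only, and a public-key signature with the verification key in the unit would play the same role.

```python
# Added example (constructed, not Honeywell's format): one "database image"
# protected two ways. The CRC footer models a post-swap self-test; the HMAC
# footer models a signed update. LOADER_KEY is a placeholder, not a real secret.
import hashlib
import hmac
import struct
import zlib

LOADER_KEY = b"constructed-loader-key"  # placeholder; held by the loader, never on the media


def crc_wrap(image: bytes) -> bytes:
    """Append a little-endian CRC-32 of the image."""
    return image + struct.pack("<I", zlib.crc32(image) & 0xFFFFFFFF)


def crc_check(blob: bytes) -> bool:
    """Self-test style check: recompute the CRC over the body and compare."""
    image, footer = blob[:-4], blob[-4:]
    return (zlib.crc32(image) & 0xFFFFFFFF) == struct.unpack("<I", footer)[0]


def mac_wrap(image: bytes, key: bytes = LOADER_KEY) -> bytes:
    """Append an HMAC-SHA256 tag computed with a key the media never carries."""
    return image + hmac.new(key, image, hashlib.sha256).digest()


def mac_check(blob: bytes, key: bytes = LOADER_KEY) -> bool:
    """Keyed check; compare_digest avoids leaking the mismatch position via timing."""
    image, tag = blob[:-32], blob[-32:]
    expected = hmac.new(key, image, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def flip_bit(blob: bytes, index: int, mask: int = 0x01) -> bytes:
    """Model of media damage that is not visually apparent: one bit flipped."""
    b = bytearray(blob)
    b[index] ^= mask
    return bytes(b)


def edit_body(blob: bytes, old: bytes, new: bytes, footer_len: int) -> bytes:
    """Change a field in the body and leave whatever footer was there untouched."""
    return blob[:-footer_len].replace(old, new) + blob[-footer_len:]


def edit_and_refit_crc(blob: bytes, old: bytes, new: bytes) -> bytes:
    """A deliberate edit followed by a fresh CRC: needs no secret, so the
    CRC check alone cannot tell this from a genuine image."""
    return crc_wrap(blob[:-4].replace(old, new))


if __name__ == "__main__":
    image = b"WPT KABC 40.1234 -074.5678"  # constructed waypoint record
    crc_blob, mac_blob = crc_wrap(image), mac_wrap(image)
    print("bit flip, CRC  :", crc_check(flip_bit(crc_blob, 4)))
    print("bit flip, HMAC :", mac_check(flip_bit(mac_blob, 4)))
    print("edit+refit, CRC:", crc_check(edit_and_refit_crc(crc_blob, b"40.1234", b"41.0000")))
    print("edit, HMAC     :", mac_check(edit_body(mac_blob, b"40.1234", b"41.0000", 32)))
```

So a CRC or self-test does justify trusting a card against accidental damage, which is the case cnvogel's mail-shipment argument covers; it says nothing about who produced the bits, and only a keyed or signed check does.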

~~~
peckrob
> Interestingly, by 14 CFR 43.3(k) even the "official" method described in the
> article is noncompliant, as the device is removed from the aircraft, and put
> into a docking-station at home, loaded via RS232.

It's not noncompliant, it just means that owner maintenance on this GPS isn't
possible and has to be done by a specialist. A general rule I go by is if
something needs to come out of the panel, it needs a mechanic or avionics tech
to do. This unit is from 1996. IIRC we weren't allowed to do our own updates
until 2012 or so. So it's not surprising that owner maintenance may not be
legally possible on it.

I can pretty easily construct a scenario where doing something like this gets
you in trouble. Chances are nothing will happen but it's all about your risk
tolerance. Mine is pretty low.

~~~
matheweis
He has added an interesting disclaimer "Please note: I am in no way saying
that you can, should, or are allowed to fly with a card updated in this way
(even though the bits in it are identical). I am not claiming that I plan to
or am flying with such a card. All experimentation was performed on a card and
a GPS that is not used for IFR flight."

Also, the author appears to have commented on this thread with a similar
disclaimer. Very neat hack, but yea, walking a very fine line with the
relevant aviation authority :(

------
e28eta
Maybe I missed it, but I didn't see where he's getting updated GPS data from.
Does the company still provide it? Is it fairly standard and there's another
source?

I think it's a very cool project, and amazing that he's able to read/write the
data, but I kept waiting to find out where the updated GPS data came from.

~~~
mrbill
He mentioned getting an update from Honeywell.

------
pjc50
> 16-bit x86 Borland-compiler-produced code is a huge pain to read

I've occasionally considered writing some sort of reverse engineering
assistant for 16-bit DOS executables, with the primary target of retro games.
I still have a Borland compiler suite handy, although I've long since binned
its original 5 1/4" disks.

~~~
khedoros1
Embarcadero has Borland Turbo C 2.01 and 3 versions of Turbo Pascal available
for download from their site (on their "Antique Software" page), along with
Turbo C++ 1.01 if you have a license to some of their more modern software.

Disassembling DOS games has been my introduction to reverse engineering, over
the last couple of years. Specifically, Ultima Underworld. The game itself is
complex, and a lot of the file formats are already documented, so I'm not
jumping into the deep end unaided.

Fun fact: The original Lemmings game is actually encrypted. The first thing it
does when loading is decrypt chunks of itself at a time, sometimes copying
chunks of code to different places, then jumping into those chunks.

------
JoblessWonder
Don't get me started on database updates or connection methods for aircraft...
We have models that use floppies (about 75% disk failure rate per box of "new"
disks), CompactFlash cards, SD cards, zip disks (yes, zip disks), WiFi + iPad,
serial connection (9 or proprietary cable) and USB sticks.

The USB sticks are the preferred method these days, but there are a bunch of
aircraft flying around out there with Windows viruses stored on their USB
sticks. My mechanics get an alert every time they plug one in to do an update.

------
ttsiodras
Amazing work, Dmitry!

Your linux-on-an-AVR [1] is still the best hack ever, though :-)

[1]
[http://dmitry.gr/index.php?r=05.Projects&proj=07.%20Linux%20...](http://dmitry.gr/index.php?r=05.Projects&proj=07.%20Linux%20on%208bit)

------
kw71
Hey nice work! This new silicon that is not tolerant of 5v inputs grinds my
gears. I wonder if you could have used zener diodes instead of a more
complicated level shifter to stay on the STM32. I really don't like the avr
anymore.

~~~
leoedin
I think the problem was that the flash chip was designed to work at 5V, so
he'd have had to provide level shifting or buffering for all the outputs to
the flash chip.

There are ARM microcontrollers from both Atmel and NXP (LPC) which are 5V
tolerant, but I'm not aware of any which can provide a 5V output.

~~~
kw71
But these GPIOs are generally not sources of Vcc/Vdd. Without reading
technical details about the actual chip, I always assume they are weak pullups
to Vcc/Vdd, that are shunted to ground (Vee/Vss) when 0.

So, a 5v pullup on the 'memory chip' side would satisfy the memory chip's
'high' threshold, the zener would protect the 3v3 device, and its shorting to
ground would be a legitimate 0.

~~~
cnvogel
If you go to the effort to make a nice circuit board, and need to interface
3.3v to 5v logic it doesn't really pay off to skimp on, e.g. a proper voltage
translator. [e.g. SN74LVC4245]

Why? Because it's giving you worse results: Slew time with open-collector/pullup
signals is pretty bad because during the 0->1 transition the trace capacitance
is charged up via the pullup rather slowly (compared to a proper CMOS driver).
Also, for 8 signals you'll need to populate 8 resistors,
8 clamping zeners. Needs more space than a single SOIC-20, which provides you
with proper bidirectional drivers.

In this special case, though, the inputs of the NOR flashes seem to be happy
to be driven by 3.3V, the datasheet requires Vinh (voltage input high) to be
>2V (likely to be compatible with old TTL logic which had this threshold
voltage). So all inputs to the NOR flash could be directly connected to a 3v3
microcontroller, leaving only the 8 bidirectional data pins and the "Ready" pin
RY/BY#.

So, I'd probably take a bidirectional level shifter for the data bus, skimp on
the single "Ready" pin and only use a resistor, as this signal is only
interesting during erase anyway. Then everything else could be directly
connected to any 3.3v compatible microprocessor.

That way all signals that need to be fast are fast, there's a minimized
component count, and the single remaining signal would be for me to be
ridiculed for my lack of rigor :-).

~~~
Declanomous
I think this conversation is kind of orthogonal to the actual issue, which is
that setting up the hardware to shift 32 signals from 3.3v to 5v is pretty
easy. I definitely wouldn't consider it a "major pain." Interfacing parts
which use two different logic levels is incredibly common, and there are many
inexpensive ICs that provide bidirectional level shifting.

That being said, I think choosing a microcontroller which uses the logic level
you need is a perfectly acceptable solution. Minimizing the number of
components goes a long way towards making a project easier to manage.

~~~
cnvogel
> choosing a microcontroller which uses the logic level you need is a
> perfectly acceptable solution.

Absolutely!

------
cnvogel
For comparison, this is how FMS (flight management system) updates are done on
contemporary aircraft: WiFi from iPhone, USB or SD-Card.

[https://aerospace.honeywell.com/en/products/cockpit-systems/...](https://aerospace.honeywell.com/en/products/cockpit-systems/dl-950-data-loader)

From the datasheet/pdf: Low-cost USB media can be used on your personal
computer to download the latest navigation database from the Internet.

------
Animats
Dead "cloud" services, the early years.

------
mslev
I love stuff like this! Similar to the "Restoring Y Combinator's Xerox Alto",
the mix of software and hardware hacking is just awesome.

Anyone have any suggestions/recommendations of similar material?

------
rhombocombus
Nice hack! As someone who is currently shopping for an old plane myself, it
makes me so happy to see folks smarter than me hacking on all of this old
legacy equipment that is still serviceable!

------
kmm
What would have been the options if one is not able to perform this
magnificent feat of reverse engineering? Buying a new GPS unit? Is that a
serious investment?

~~~
rhombocombus
In your car or phone, no. In General Aviation, it will cost a minimum of a few
grand to get an IFR certified unit, plus more for installation, as you aren't
legally allowed to install much of anything in your panel on your aircraft
unless it is a direct fit, drop in unit. Airplanes are awesome, and the laws
are there for a very good reason, but they (can be) crazy expensive!

