Here’s the thought process and stuff I did in my quest to make the PC-L my personal slave. This is made possible by the contest for hacking it that the makers started 29 hours before i cracked it.
And i now have a title and a gift sig banner. ^_^
Oh goodness… I guess I should write everything out. It all started about 1 week after Tim sold his first PC-L to me. Yes I was the first one to buy one – he confirmed that within moments. ^_^ Anyway, I got it about a week later due to shipping across the ocean and cracked it open. Copied the files to a backup directory and wired up the board with basic operation to test it. It went into the waiting hilt of my contest saber after that. Once I had it tuned and set up in the configs the way I wanted, I made another copy of the font and started working on it, opening the files up in Goldwave and replacing the actual sound data with random stuff and testing them one at a time. 40+ formats and reloads later, I had determined that 3 files were not locked and could be changed at will. That left 19 files that were locked though.
Since my method of cloning the file header and format info was no good, I decided to swap the files around a bit and see if that changed anything. Swapping the names on clash1 and swing1 was no good as well, so I figured it was some sort of individual file check and something inside of the files was checked OR it was a checksum of some sort.
So I started pasting static pops into a file at a time. Sometimes it would work, sometimes it wouldn’t. The ones that did actually work were ones where I overlayed the pop over the old sound but even some of them didn’t work. This meant 1 of 3 things to me. It was doing a full file checksum – I doubted the PIC24 could store the software for, that there was a signature embedded in the file – I doubted the PIC was writing anything either, or that the PIC was recording pseudorandom bits from the file and looking for them. Being an RF Transmissions Craftsman and loving Viterbis and PRN data of all sorts, I decided to see if I could test for that. I inserted a burst of static at a random point and tried it. That one worked. Tried again. Failed. After about 3 hours of this I had a few working .25s pops and nothing else pure luck if anything. I had no real way to predict where the checks were or anything like that. And using the exact same time indexes in different files yielded dismal results. So I concluded that there was a hash of some sort and gave it up as just not viable to even bother trying to replace LM with another font.
A week of work wasn’t completely for naught though – I found a reliable way of making boot, blaster, and lockup sounds, so I made a bunch of boot sounds. Mostly Leia and Visas Marr from KOTOR 2 with a mix of others in there too. I also took the sonic screwdriver sound from Doctor Who and made a lockup sound. The mixing was bad and it really didn’t soud right at all so I dumped that project.
Fast forward about a month. Someone mentioned wanting to combine LM and DM so I took the DM humm and put it on a LM card. Fail sound. I played with it a little bit but no luck. I opened up LM and played with the pitch a tiny bit, locking the tempo in place, but that was a no go as well.
Now fast forward to the contest. I was in the middle of a software project, learning a few tricks, and training someone on something totally different, I was notified vigorously about the PC-L hacking contest. It was all pretty straight forward. Did I actually pay attention and try? No not really – I was focused on another project and had the details of that flying through my head. As for Erv’s clues…
1) 21st letter, you, that made sense. Look was also obvious. The finger thing would have confused me if I hadn’t learned how to count on my fingers in 8 different countries… French people count their thumb first so index was the obvious choice. (you should see how the Chinese do it) People were saying bin and container… and assuming nails as in hammer and nails… I try to keep my fingernails nice so that was what I thought first. It made sense and file cabinets store things. Lol and the PC manual index is quite the distraction, but completely off course. I new it had to do with an index within the files themselves. At this point I still hadn’t realized that the PC likely ignores header information like I heard the CF is supposed to so I was looking at the file itself in HxD, my hex editor, at the possible overhead bits in the data. Then I looked in Audacity and Goldwave for inconsistencies. Time indexes are still an index, so that was easy enough once I could actually concentrate on this. LOL I had to stare t both screens for a good while though, all while answering questions from others.
2) I’m told that being kicked in the nuts is a capital offense… and ask he was blatantly obvious… as for the rest of it, I knew that capital was referring to not capital letters, but not what exactly. In the end, I threw this clue out as missdirection. It was fun looking for secret codes int eh PC manual index with others in TCSS chat though. ^_^
3) Yoda said a lot of things. He’s probably most known for “do or do not” but I can’t tell you how many times I’ve heard guys say that size doesn’t matter… so being negative about it, size DOES matter. (yes it does)
4) This I knew right off was the piece of information I didn’t have months ago. It was also the most easily overcomplicated and overthinkable misdirection filled clue that could have been given. Fetish number… Well most would say 69, which was a fun number to play with for a while on TCSS – that eventually ended up on FX as well. (69 being reversal, the picture being a slave costume, reverses of which are either evals or master) Knowing Erv a very tiny bit better than most of the world, this didn’t make sense. He’s a die hard geek and has a family – he wouldn’t be referring to anything kinky with the word fetish – especially on family oriented forums. It was a number so that left only 1 logical conclusion given his Star Wars affinity – 1138. Other options were 42, 47, and 73 but they didn’t fit his profile. The picture was a little odd, and was obviously corrupted. By the time I got around to actually focusing on this, it was already opened up in a hex editor and the file order was found. That made sense to me – the PC checks the files for the data it’s looking for in that order. Good to know, but it didn’t fit at the time. Working on the numbers in the picture a little more, 3 was repeated in there a lot… 3 threes.
Only getting 3 hours of sleep a night will do funny things to your mind… it had to either be the cypher key or a time index or an equation or something similar. Barely remembering the research I did before and the findings I had in Goldwave, I started counting. Repeating threes three times.. three more and three more… reading back and forth on chat, saying things now and then. Somewhere in that something clicked and I started shaking and sweating and typed a few expletives into a chat – I wasn’t even sure which one at the time. I grabbed the first file in that order listed, counted out the first whole 3 digit ms index (100ms), selected that to close to 300ms, and distorted the heck out of that signal, turning it into static. Estimated another 100ms or so and distorted the signal to .6s. And so on across the first 3 files. Saved them, loaded them to the uSD, popped into my testing PC-L, pulled the killkey, heard the boot sound… then nothing… no sound… just a single idle blinking LED. I pressed the button and I heard the worst sound font I have ever heard. It was still a beautiful sound though. ^_^ Threes. 300ms has 3 digits and starts with a 3. It had nothing to do with PRN data or random anything. It was simple – very simple. Every third of a second you have to leave the data alone. It records a little bit of data every third of a second and goes through the files in that order to record the data end to end. When it boots, it checks that data to make sure it matches one of the 3 possible data recordings exactly. Hence how they’re locked as a whole like that. Was it perfect? Not by a long shot. Was it usable? To load a custom font no – unless you want a damaged LM or DM saber font. Did I reach my original goal? Effectively yes – I now have the power to hold an unlocked and open PC in my paws. ^_^ A rather selfish goal I know, but i’m greedy and want all the electronics to myself. After hacking all my phones, my android pad, 3 routers, my GPS, and numerous other things too numerous to name, getting this to a point where I could freely put whatever I wanted on the PC was a wall for me – I’m not happy with the end results of the hacking, but the end results of the operation thanks to the contest is better – the world gets access as well. The greatest prize is just that – it’s now freely available to buy for everyone.
Thank you to the JSSDC members that helped inspire me to that last bit of information and thank you PCMG for making this possible.
And now that this is over, I can go back to my other projects. ^_^
Az