Buy It Fix It Turns to ROM Dump Analysis to Pick Out the PIN Locking a Deep Sea Generator Panel
With no official way to reset a PIN preventing a second user control panel from being unlocked, Buy It Fix It turned to alternative methods.
Pseudonymous YouTuber "Buy It Fix It" has set about bringing a generator control panel back to life after it was acquired with a PIN locking its new owner out of required modifications β meaning some smart reverse engineering was required to get things operation again.
"A friend of mine asked if I could have a look at this gadget," Buy It Fix It explains. "It's a generator control panel manufactured by a company called Deep Sea. Now, this isn't actually faulty β but he does have a problem with it. What he wants to do is he wants to adjust the shutdown time and the startup time on the generator. Now, to do that I've looked at the manual and you hold down this button and that oneβ¦ and it says 'enter PIN number.'"
The first port of call was, of course, Deep Sea itself β but the company says it does not set a default PIN on its control panels, meaning the PIN currently loaded was one set by its previous owner. "If you lose [the PIN]," Buy It Fix It warns, "there's no back door. There's no way to reset it, which seems a little bit inconvenient."
With the previous owner uncontactable, Buy It Fix It set about finding a way to reset the PIN without having to know what it was. Dismantling the device, the YouTuber was able to find and remove an EEPROM chip and dump its contents. Sadly, nothing that looked like a PIN jumped out at first glance. "It might actually be stored in the flash memory of the microcontroller," Buy It Fix It muses, "and this might just be purely for log files."
Throwing some possible PINs from the ROM dump at the controller didn't work, so the next step was to blank the EEPROM β a brute-force solution that wiped logging data, but which proved to also clear the PIN. "Now," Buy It Fix It continues, "what I'm thinking is I wonder if we could find out what the original PIN code is if I set a PIN code on this [EEPROM] of, let's say, 1234 and then we read the EEPROM again we could try and work out where that PIN code is stored."
Breaking the EEPROM content down into sections revealed that the PIN is stored in the last line, in plain hex β though in reverse order. Analyzing the original ROM dump revealed the PIN to be 2000 β unlocking the control panel while leaving the log data intact.
The full video is embedded above, with more information available on the Buy It Fix It YouTube channel.