Further Adventures in Colorimeter Hacking
One of the great things about sharing hacks is that sometimes one person’s work inspires someone else to take it even further. A case in point is [Ivor]’s colorimeter hacking (parts two and three), which started with some relatively simple request spoofing to install non-stock firmware, and expanded from there until he had complete control over the hardware.
After reading [Adam Zeloof]’s work on replacing the firmware on a cosmetics spectrophotometer with general-purpose firmware, [Ivor] bought two of these colorimeters, one as a backup. He started with [Adam]’s method for updating the firmware by altering the request sent to an update server, but the only serial number he could find belonged to a quality-control unit. Using it installed the quality-control firmware, which produced an error when run on the cosmetic device. More searching led [Ivor] to another serial number, which gave him the base firmware and let him dump and compare the cosmetic, quality-control, and base firmwares.
After analyzing traffic between the host computer and the colorimeter during an update, he wrote a Python program to upload firmware without using the official companion app. Since the first data sent over is a loading screen, this let him display custom images, such as the DOOM title page.
During firmware upload, the colorimeter switches into a bootloader, the menu of which has some interesting options, such as viewing and editing the NAND. Opening the device revealed a flash chip, an AT91SAM ARM9 chip, and some test pads. After carefully soldering to the test pads, he was able to dump the bootloader, and with some difficulty, the NAND contents. Changing the chip ID and serial number in the NAND let the quality-control firmware work on the cosmetic model; interestingly, only the first digit of the serial number needed to be valid.
Of course, the actual journey wasn’t quite this straightforward, and the device seemed to be bricked several times, one of which required the installation of a jumper to force it into a recovery mode. In the end, though, [Ivor] was able to download and upload content to NAND, alter the bootloader, alter the serial number, and enter boot recovery; in short, to have total control over the device’s software. Thoughtfully, he’s used his findings to write a Python utility library to interact with and edit the colorimeter’s software over USB.
If this makes you interested in seeing more examples of reverse-engineering, we’ve covered some impressive work on a mini console and an audio interface.