Bypassing the Limelight Revision Check

Thu, Apr 30, 2020

The Limelight is a smart camera for use in the FIRST Robotics Competition. In the 2019.7.1 update, a check was added to the firmware that prevents it from running on anything other than a Raspberry Pi Compute Module. This means that even teams that legally purchased a Limelight, and didn't just download the firmware from the vendor's website, are unable to run the firmware on a regular Raspberry Pi.

The check works by shelling out to cat /proc/cpuinfo | grep 'Revision' | awk '{print $3}' to grab the Pi revision code from /proc/cpuinfo, and comparing it to the Compute Module revision codes used in the Limelight. Specifically, the revision code must be one of the following: "a020a0" (CM3, Sony UK), "a220a0" (CM3, Embest), or "a02100" (CM3+, Sony UK). These revision codes are documented here. If the shell command output doesn't match any of these revision codes, the visionserver program prints the bogus error message "Accelerator Error" and exits.

Decompiled source of the check code
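As an added illustration (not the Limelight firmware's code, nor from the original post), here is the same check reimplemented in Python, reading the Revision field directly instead of shelling out, and decoding the code into the fields defined by the Raspberry Pi revision-code documentation. The /proc/cpuinfo fragments are constructed samples.

```python
import re
from typing import Optional

# Raspberry Pi "new-style" revision code layout (from the Raspberry Pi revision-code docs):
# bits 0-3 revision, 4-11 board type, 12-15 processor, 16-19 manufacturer,
# 20-22 memory size, bit 23 set = new-style code.
BOARD_TYPES = {0x06: "CM1", 0x08: "3B", 0x0a: "CM3", 0x0d: "3B+", 0x10: "CM3+", 0x11: "4B", 0x14: "CM4"}
PROCESSORS = {0: "BCM2835", 1: "BCM2836", 2: "BCM2837", 3: "BCM2711"}
MANUFACTURERS = {0: "Sony UK", 1: "Egoman", 2: "Embest", 3: "Sony Japan", 4: "Embest", 5: "Stadium"}
MEMORY = {0: "256MB", 1: "512MB", 2: "1GB", 3: "2GB", 4: "4GB", 5: "8GB"}

# The three codes the firmware accepts, as listed in the post.
LIMELIGHT_REVISIONS = {"a020a0", "a220a0", "a02100"}


def decode_revision(code: str) -> dict:
    """Split a new-style revision code into its documented fields."""
    value = int(code, 16)
    if not (value >> 23) & 1:
        raise ValueError(f"{code}: old-style revision code, not decodable this way")
    return {
        "type": BOARD_TYPES.get((value >> 4) & 0xff, "unknown"),
        "processor": PROCESSORS.get((value >> 12) & 0xf, "unknown"),
        "manufacturer": MANUFACTURERS.get((value >> 16) & 0xf, "unknown"),
        "memory": MEMORY.get((value >> 20) & 0x7, "unknown"),
    }


def revision_from_cpuinfo(cpuinfo: str) -> Optional[str]:
    """Extract the Revision field from /proc/cpuinfo text (what the grep/awk pipeline does)."""
    match = re.search(r"^Revision\s*:\s*([0-9a-fA-F]+)\s*$", cpuinfo, re.MULTILINE)
    return match.group(1).lower() if match else None


def limelight_check(cpuinfo: str) -> bool:
    """The firmware's check: accept only the three Compute Module revision codes."""
    return revision_from_cpuinfo(cpuinfo) in LIMELIGHT_REVISIONS


# Constructed /proc/cpuinfo tails: a CM3 (accepted) and a regular Pi 3B (rejected).
CM3_CPUINFO = "Hardware\t: BCM2835\nRevision\t: a020a0\nSerial\t\t: 00000000deadbeef\n"
PI3B_CPUINFO = "Hardware\t: BCM2835\nRevision\t: a02082\nSerial\t\t: 00000000cafef00d\n"

if __name__ == "__main__":
    for name, text in (("CM3", CM3_CPUINFO), ("Pi 3B", PI3B_CPUINFO)):
        rev = revision_from_cpuinfo(text)
        verdict = "accepted" if limelight_check(text) else "rejected"
        print(name, rev, decode_revision(rev), verdict)
```

Decoding shows why the three codes differ only in board type and manufacturer nibbles; the check is a plain string comparison on that value, which is all the patch described below has to satisfy.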

The simplest way to bypass this check is to edit the shell command string. Instead of having it read /proc/cpuinfo and grep/awk the revision, we'll just have it echo whatever revision we want. We do this by reopening the file as a raw binary in Ghidra, editing the string in the bytes editor, and then saving the program as a binary.

The new string containing our echo after editing the shell command bytes

All that's left to do after this is replace the binary on the Limelight with the patched binary, and optionally modify the shadow file since the pi user password is unknown.