Fail Of The Week: Capturing Data From A Laser Rangefinder

fotw-laser-measuring-tape

We’re changing it up this week with a reverse engineering fail which [Itay] pointed out to us. A couple of years ago [Nate] over at Sparkfun agreed to help a friend with a project that required precise distance measurement. He knew that laser rangefinders are a good way to go and mentions their use in golfing and the building trades. He picked up this handheld version billed as a laser tape measure. He put up a valiant effort to reverse engineer the PCB in hopes of finding a hook for the measurement data.

Obviously his endeavor failed or we wouldn’t be talking about it in this column. But there’s a lot to learn about his methods, and a few of the comments associated with his original post help to shed light on a couple of extra things to try.

First off, this thing isn’t cheap — ringing in for at least $90. That’s not a bad thing as the electronics are both well engineered and well designed. [Nate] was right to assume there’s some type of debugging information available from the board, he just had to find it. After spending some time with a continuity tester he was able to figure out what the test pads shown above go to and he soldered some pins onto them in order to connect his test equipment.

Tags2-M

So what’s next? Using a logic sniffer is the next logical step in the reverse engineering process. [Nate] made a ton of captures and ended up stumbling upon a tiny snippet of serial data. The software he was using identified it as 19543 baud which is close enough to the 19200 standard to call it a match. But further efforts to send or receive more than the ‘? \n \r’ which the device was putting out failed.

So what’s going on here? Some of the ideas already posted on the original thread include the need to ground a line to get the chip talking, flow control problems, attempts at using AT commands, and the possibility that a fuse on the RX line was burnt during programming to prevent tampering/reading the firmware. Of course we’d like to hear what you think below!


2013-09-05-Hackaday-Fail-tips-tileFail of the Week is a Hackaday column which runs every Wednesday. Help keep the fun rolling by writing about your past failures and sending us a link to the story — or sending in links to fail write ups you find in your Internet travels.

44 thoughts on “Fail Of The Week: Capturing Data From A Laser Rangefinder

        1. I’m with you on tapping into the data lines of the LCD. He’s already done a ton of work with the logic analyzer. Hook it to the LCD and figure out how it’s displaying the measurement data. Then throw in a little microcontroller that translates that to a serial output or I2C interface for the rest of your hack to listen to.

          1. Seems like the very first step to be tried… grab it just before display and everything’s already been smoothed and formatted. If you try grabbing it early on in the signal chain, you may run into very different looking raw data that you’d have to waste time on formatting/converting/etc… in potentially convoluted fashions.

      1. Even if it is, intercepting LCD lines ranges from “really easy” (if they’re not multiplexed, and simple numeric displays often aren’t) to “a little obnoxious” (if they’re 4x or more multiplexed). The refresh rate is slow enough a standard microcontroller ADC should be more than up to it.

          1. Maybe I missed something obvious when I also tried to do LCD decoding on a similar model rangefinder and got stuck, but you can’t just digital decode the LCD lines. LC lines are high frequency switched at the only location to intercept, and are not ‘on or off’ like an LED display would be. From what I remember, with the high frequency multiplexed scanning of the LCD, a particular segment spends slightly more time on, or slightly more time off to either darken or lighten the segment. Something to do with LC drift, it needs to ‘hang in the balance’ of polarization, and the segment is never just ‘off’. If anyone has some info on decoding LCD lines, it would be great to post and check out!

          2. Microchip has an app note AN658 (00658a.pdf) explaining the multiplexed
            LCD waveforms. It shows you what the waveforms looks like for a segment
            to be On and Off.

            Also take a look at AN563 (00563c.pdf) on how to drive such a display with
            regular digital I/O. May be this would help you works backward to figure out
            what is turned on.

    1. A few years back Elektor magazine had a design that grabbed the lines of a LCD into a shift register then transmitted them serially. This was a simple CMOS PISO shift register chain, controlled and clocked by a 4060.

      Serial start/stop bits were hard coded into the register parallel inputs and it simply asynchronously sent two raw segment data frames per second, and let the host sort it out.

      The LCD backplane signal phase is vital to decoding the active segments in the host. The add-on was powered by the sending device (a DMM) and opto-isolated for good measure. This technique would seem applicable to just about anything with an LCD.

    1. Note the comment at the bottom of that article suggesting that a modern update incorporate OpenCV. Certainly you can’t beat the price saving on hardware by just using a webcam and laser pointer. The downside is you’ve got to throw in a computer of some type (Raspberry Pi or BeagleBone, etc.)

    2. IMHO The reverse engineering itself isn’t really classified as a “fail”
      unless it does irreversible damages like bricking, shorting pins etc.

      Seems like the moderation system has eaten my comment for an actual link.

      google for “Grand Idea Studio laser range finder module” It has a
      on board camera module and has a propeller processor that probably does
      all the magic bits. Creative Common 3.0. Links to manual, source
      code and schematic are available for those who want to understand how it works.

  1. After looking at the original article, I think Nate could have designed a rangefinder with less effort. He was hoping for a cheap victory, but Leica had other outcomes in mind.

    An accurate range finder requires only a few things:

    accurate modulation frequency, temperature and humidity
    decent optics and alignment

    My instincts would be to sweep modulate a laser pointer using a comparator to identify when the source and receiver signals are in phase. For each distance there will be a unique set of frequencies which are in phase. However, it would be wise to look at the signal to the laser diode w/ a scope. There may be reasons the foregoing approach wouldn’t be satisfactory.

    I *think* an MSP430 LaunchPad running mecrisp would be all you needed for the MCU to create an RS-232 rangefinder.

    http://mecrisp.sourceforge.net/

    Have Fun!

  2. I think the true fail here is the manufacturer’s response to Nate’s request for more information. When Nate wrote that he opened up the rangefinder and was trying to control the device using serial commands, their response was:

    “We do not recommend tampering with the electronics and by doing so you have voided your warranty.”

    I have been looking for a rangefinder you can interface to a microcontroller for a while. Still looking. They can count me as a sale not realized.

  3. So we have an 5V Arduino, with no level-shifting components readily apparent in the breadboard photo. With inverted logic levels, so it’s continuously outputting 5V when no data is being sent. Driving an input pin on a device which runs at 4.2V, maybe less. And no indication whether rangefinder or Arduino is powered up first.

    Is it possible he’s simply latched up the input structure on the rangefinder’s MCU pin?

    1. To get to your resolution & accuracy, you’ll need something other than Time of Flight
      or geometry. May be looking at Interferometry.
      http://en.wikipedia.org/wiki/Interferometry

      >Interferometers are widely used in science and industry for the measurement of small displacements,

      Start there. Depends on how much you are going to spend, you might ended up on
      http://www.home.agilent.com/en/pc-1000000394%3Aepsg%3Apgr/laser-interferometer-position-measurement-systems?&cc=CA&lc=eng

  4. Thanks HaD. I missed this on Sparkfun because I do not root around enough there. Lesson learned.

    This may not help hack into the main processor, but knowing black box I/O often provides surprising insights.

    This unit is supposed to use interferometry, but has to use more. If either has two sensors or one unit that combines output from two sensors into one output signal. Interferometry permits relative rather than absolute measurement. By way of example, NASA left a retro-reflector (a type of mirror) on the moon. If one uses laser interferometry with that retro-reflector they can tell within fractions of a wavelength whether the interferometer and retro-reflector have gotten closer together or farther apart (relative measurement). They cannot tell how far apart they were to begin with or ended up (absolute measurement). For that you need something like ‘time of flight’ measurement (which permits absolute measurement)(Google Leica Geosystems and Absolute Distance Meters (ADM)). The difficulty with this is the speed of light. The moon is ~250,000 miles away, so a time of flight to and from it is appreciable (and measurable). One ends up with the oddity that we can measure the distance to the moon (absolutely) with about +/- one mile, one foot, etc. resolution whereas we can measure changes in that distance (relative) with +/- 0.000001 inch accuracy (e.g., 475 nm blue light with 1/100th phase sensitive signal processing provides ~1×10^7 inch resolution).

    Anyway, a bit tangential to the hacking problem here. It was suggested to study the LCD output from the system more to better understand the system. I urge that studying the sensors (plural) inputs to the system may also be interesting.

    The Sentic device is interesting (150 feet, .075 inch resolution), but I think most of us are looking for something with 1.5 foot range and 0.000075 inch resolution (0.5 m / 0.002 mm).

    1. It probably uses interferometry at different frequencies. If you have enough you can solve for absolute distance instead of only relative to the wavelength. Google for ‘Frequency Stepped CW radar’, it’s the same principe, you just modulate the laser instead of transmitting the signal.

      You also have FMCW radar, which uses a frequency sweep, this also works with a laser.

      1. Dodo, interesting but I am still not seeing FSCW/FMCW being that useful, say, for pick and place or 3D printing. The best absolute measurement accuracy I see discussed is about 2 meters, whereas interferometry provides 2×10^-5 relative (the position has changed) measurement accuracy.

        The traditional example that comes to mind is writing servo tracks on media, like magnetic disk drive platters. One positions at a start position and then uses interferometry to very accurately determine changes in position relative to that start position. This works fine when you can “slap a retro-reflector on” the target, move it to a start position, and then monitor/measure continuously after that. In contrast, for example, try to kill mosquitoes with a precise laser. We cannot ask the mosquito to assume a start position.

        Anyway, my thoughts so far. I would love to learn we have newer techniques than I am aware of.

        1. A few thoughts on the matter. Not sure if all of the conversations are
          about killing mosquitoes in a 3rd world.

          If you are trying to focusing a laser to kill a mosquito, your task does
          not require finding the exact distance down to a few decimal point.

          You are not going to be able to achieve that kind of precision out in
          the fields with uncontrolled environment on a mass produced price point
          anyways. A mosquito has a thickness so any depth within that range
          really doesn’t matter.

          A LRF would get you the approximate distance and from that point to have
          a way to fine tune the focus. A DVD burner constantly adjusts its focus
          to track the layer as the disc is not completely flat. May be that type
          of auto focus technology can be adopted?

          Some crazy idea: If you can project something say a QR code on to the
          target, you should be able to see that off a reflection. Now what if
          instead of a single QR code, it is a stack of different QR code with
          depth info in a static hologram?

      2. FSCW radar is possible because the wavelength of the RF signal can be shifted with considerable control (I’m thinking Single SideBand Suppressed Carrier).

        I don’t know of any similar processes for shifting the wavelength of light other than Doppler shift (assuming a specific medium) – and that requires movement between source, reflector, and detector. But then, I haven’t been looking.

        I didn’t see anything in the documentation about this laser range finder that mentioned interferometry – that came up in this discussion group. Granted, interferometry is great for detecting/measuring motion, but doesn’t help you establish a reference distance without sweeping the wavelength of the light.

        I haven’t seen any evidence that a <$100 laser diode can sweep the wavelength of the light it produces with anything resembling control. AM modulation of the light is possible, but not FM, and really not SSB.

  5. I was wondering if the (unpopulated) connector next to the TX/RX/trigger pads was used to attach an accessory of some sort. Check the vendor site for anything like communications, memory, or printer accessories. Try to identify how it attaches to the rangefinder.

    1. No accessories what-so-ever. I noticed in the SparkFun description, that there are holes in the back of the battery compartment that appear to line up with the TX/RX/trigger pads (7 large square pads). That suggests this is a test and calibration port. It might also function as an interface port. For an owner to use this would require destroying the S/N tag in the battery compartment.

      I see comments regarding swept frequency (chirped) continuous-wave radar. The optical analog would be a laser that emits light with a sweeping wavelength (color). That’s not going to happen in a low cost device like this.

      I think this device works by measuring time-of-flight for a laser pulse to be sent and detected (or anti-pulse, for a laser that’s on most of the time to measure time-of-flight of a period when the laser is turned off). Time is measured by integrating a fixed current into a capacitor during the time-of-flight. An analog-digital conversion would return time-of-flight in some arbitrary units. Some of this might be verified by probing some of the pogo-pads on the board near the optical receiver (near the controller) – use an oscilloscope. Look for changes in timing between the various signals as the measured range changes.

      Manufacturers web page:
      http://www.calculated.com/13/prd235/Prexiso-X2-Laser-Distance-Measuring-Tool.html#.UkUiRz_B-T4
      The user guide is pretty basic – no clues.
      Measurement range is 0.33 – 100 ft, 1/8 inch resolution.

      I assume none of the commands listed in the interface manual generated any responses at 115200 baud. Try 9600 Baud.

      1. Using such short wavelengths like light (laser) you don’t sweep the frequency of your light-source (color), you sweep the frequency of the modulation of the brightness of your light-source thus creating a pseudo-wavelength.

        Example:
        Modulating a light-source with 10MHz (period-length: 100ns) creates a wavelength of your modulated signal of ~30 meters (0.0000001s*300000000m/s).
        Measuring the phase between send modulated signal and received signal gives a range of 15 meters. Using higher modulation shortens the virtual wavelength.

        I wanted to try that principle myself, but didn’t found the time.

        1. Ummm… Measuring the phase (time delay) between the sent and received signal (pulse) is still a time-of-flight measurement. Amplitude modulation may or may not give you sharper edges to work with.

          Not that I believe you can modulate a low cost laser diode at 10MHz….

  6. For what it’s worth, when this came up on SFE, I got one of these and started messing with it

    I found the uC model, and it’s a Renasis (I think?) which has documentation on the pinout. My next step was to pull the chip off the board and make a small BOB that I could use to dump the firmware. My hope was that disassembling the firmware (there are disassemblers for the binaries used by that uC type) would yield some info on how to get the serial port running.

    I’d suggest the above as a great place to start for anyone wanting to make this happen :)

    1. This assumes that the memory is not protected, and that you are actually capable of going through a bunch of assembly, looking for the solution to a problem that could be solved by simply buying a rangefinder with serial output…

      At some point, you have to ask yourself what your time is worth. If your time is worthless, then this is a good project. If you can make even minimum wage somewhere instead of spending your time on this, then GO GET A JOB.

        1. Living in your parents basement must be nice. Is that my tax money on your EBT card? Shame. Don’t worry, the money will run out sooner or later and then you will have to work hard to survive, like everyone else in the real world ;)

          1. Ehhhhh, why are you being such a dickhead? The site is called Hack-A-Day not Go-Get-A-Job-And-Only-Do-What-Other-People-Tell-You-A-Day. Tax money and EBT card? Cool assumptions that are wildly unfounded. But hey, whatever makes you feel like a big boy, I guess.

  7. I have begun a hack attempt on a Nikon laser 440.
    http://www.rtftechnologies.org/electronics/rangefinder-nikon-laser440.htm
    It is a pulsed time of flight rangefinder that uses an iterative search method with a gated avalanche photo diode with ~500m range capability. I have logic analyzer captures, pin assignments, and connection information on the point to point wiring. Most importantly, this rangefinder uses an Altera FLEX6000 PLD which can be reprogrammed over a standard JTAG adapter with their free quartus web edition software. If there was ever a rangefinder that I believed was hackable, this is it.

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.