[Sprite_tm] Gives Near Death VFD a Better Second Life

[Sprite_tm] picked up some used VFD displays for cheap, and wanted to make his own custom temperature and air-quality display. He did that, of course, but turned it into a colossal experiment in re-design to boot. What started out as a $6 used VFD becomes priceless with the addition of hours of high-powered hacking mojo.

You see, the phosphor screen had burnt-in spots where the old display was left static for too long. A normal person would either live with it or buy new displays. [Sprite_tm] ripped off the old display driver and drives the row and column shift registers using the DMA module on a Raspberry Pi2, coding up his own fast PWM/BCM hybrid scheme that can do greyscale.

He mapped out the individual pixels using a camera and post processing in The Gimp to establish the degradation of burnt-in pixels. He then re-wrote a previous custom driver project to compensate for the pixels’ inherent brightness in firmware. After all that work, he wrapped the whole thing up in a nice wooden frame.

There’s a lot to read, so just go hit up his website. High points include the shift-register-based driver transplant, the bit-angle modulation that was needed to get the necessary bit-depth for the grayscale, and the PHP script that does the photograph-based brightness correction.

Picking a favorite [Sprite_tm] hack is like picking a favorite ice-cream flavor: they’re all good. But his investigation into hard-drive controller chips still makes our head spin just a little bit. If you missed his talks about the Tamagotchi Singularity from the Hackaday SuperCon make sure you drop what you’re doing and watch it now.

[Sprite_TM]’s Keyboard Plays Snake

Hackaday Prize judge, hacker extraordinaire, and generally awesome dude [Sprite_TM] spends a lot of time at his computer, and that means a lot of time typing on his keyboard. He recently picked up a board with the latest fad in the world of keyboards, a board with individually addressable LEDs. He took this board to work and a colleague jokingly said, ‘You’ve had this keyboard for 24 hours now, and it has a bunch of LEDs and some arrow keys. I’m disappointed you haven’t got Snake running on it yet.” Thus began the quest to put the one game found on all Nokia phones on a keyboard.

The keyboard in question is a Coolermaster Quickfire Rapid-I, a board that’s marketed as having an ARM Cortex CPU. Pulling apart the board, [Sprite] found a bunch of MX Browns, some LEDs, and a 72MHz ARM Cortex-M3 with 127k of Flash and 32k of RAM. That’s an incredible amount of processing power for a keyboard, and after finding the SWD port, [Sprite] attempted to dump the Flash. The security bit was set. There was another way, however.

Coolermaster is actively working on the firmware, killing bugs, adding lighting modes, and putting all these updates on their website. The firmware updater is distributed as an executable with US and EU versions; the EU version has another key. Figuring the only difference between these versions would be the firmware itself, [Sprite] got his hands on both versions, did a binary diff, and found only one 16k block of data at the end of the file was different. There’s the firmware. It was XOR encrypted, but that’s obvious if you know what to look for.

flashdata The firmware wasn’t complete, though; there were jumps to places outside the code [Sprite] had and a large block looked corrupted. There’s another thing you can do with an executable file: run it. With USBPcap running in the background while executing the firmware updater, [Sprite] could read exactly what was happening when the keyboard was updating. With a small executable that gets around the weirdness of the updater, [Sprite] had a backup copy of the keyboard’s firmware. Even if he bricked the keyboard, he could always bring it back to a stock state. It was time to program Snake.

The first part of writing new firmware was finding a place that had some Flash and RAM to store the new code. This wasn’t hard; there was 64k of Flash free and 28K of unused RAM. The calls to the Snake routine were modified from the variables the original firmware had. If, for example, the original keyboard had a call to change the PWM, [Sprite] could change that to the Snake routine.

Snake is fun, but with a huge, powerful ARM in a device that people will just plug into their keyboard, there’s a lot more you can do with a hacked keyboard. Keyloggers and a BadUSB are extremely possible, especially with firmware that can be updated from a computer. To counter that, [Sprite] added the requirement for a physical condition in order to enter Flash mode. Now, the firmware will only update for about 10 seconds after pressing the fn+f key combination.

There’s more to playing Snake on a keyboard; Sprite has also written a new lighting mode, a fluid simulation thingy that will surely annoy anyone who can’t touch type. You can see the videos of that below.

Continue reading “[Sprite_TM]’s Keyboard Plays Snake”

Hackaday Munich Speaker: Sprite_TM

Plans for Hackaday Munich are coming along quite nicely. Today we’re happy to announce that [Sprite_TM] will be speaking at the event. Click that link above and make sure you get your tickets for November 13th. You can do some hands-on hacking at the Embedded Hardware Workshop, hear the talks, find out which of the five finalists will be the grand prize winner, and enjoy The Hackaday Prize Party along with the Hackaday crew.

You may also know [Sprite_TM] as [Jeroen Domburg], one of the judges for The Hackaday Prize. That’s him on the left in the image above (we love a good avatar!). If you follow Hackaday, you should already be thrilled about meeting him and hearing his talk. The last talk we remember reading about was an epic hard drive controller hack. Just last month we saw a well-executed clock radio overhaul from him. While we’re on the topic, his micro-bots were a spectacular project.

[Sprite_TM] has also offered to help out with the reverse engineering workshop. We’re hard at work making sure everything is in place for those afternoon hacking events. As we solidify details we’ll be adding workshop pages (and emailing those already registered for Hackaday Munich) to let everyone know what to expect. We can report that we have shipped [Sprite_TM] a Bus Pirate so that he can be familiar with it. This will be the primary tool provided for this particular workshop.

The entire Hackaday crew is looking forward to it. See you there!

[Sprite_TM] Puts Linux in a Clock Radio

[Sprite] needs an alarm clock to wake up in the morning, and although his phone has an infinitely programmable alarm clock, his ancient Phillips AJ-3040 has never failed him. It’s served him well for 15 years, and there’s no reason to throw it out. Upgrading it was the only way, with OLED displays and Linux systems inside this cheap box of consumer electronics.

After opening up the radio, [Sprite] found two boards. The first was the radio PCB, and the existing board could be slightly modified with a switch to input another audio source. The clock PCB was built around an old chip that used mains frequency as the time base. This was torn out of the enclosure along with the old multiplexed LCD.

A new display and brain for the clock was needed, and [Sprite] reached into his parts drawer and pulled out an old 288×48 pixel OLED display. When shining though a bit of translucent red plastic, it’s can be a reasonable facsimile of the old LEDs. The brains of the clock would be a Carambola Linux module. After writing a kernel module for the OLED, [Sprite] had a fully functional Linux computer that would fit inside a clock radio.

After having a board fabbed with the power supplies, I2C expanders, USB stereo DAC, and SPI port for the OLED, [Sprite] had a clock radio that booted Linux on an OLED screen. In the video below, [Sprite] walks through the functions of the clock, including setting one of the many alarms, streaming audio from the Internet, and changing the font of the display. There’s also a web UI for the clock that allows alarms to be set remotely – from a phone, even, if [Sprite] is so inclined.

Continue reading “[Sprite_TM] Puts Linux in a Clock Radio”

Judge Spotlight: Sprite_TM


His friends call him [Jeroen], but everyone else on the Internet knows this god of hacks and mods as [Sprite_TM]. He’s done everything from hacking hard drive controllers to making the best computer ever made even better. As one of the preeminent hardware hackers around, we’re proud to have [Sprite] as a judge in The Hackaday Prize, and happy to interview him on his thoughts on connected devices, the cloud-based Internet of Things, and his process of opening up black box devices for some sometimes subtle modifications.

judge-spotlight-q5You’re well known for your highly technical electronic hacks on your
blog SpritesMods. What about the professional side of your life, what kind
of projects keep you busy there?

judge-spotlight-a5I’m a software developer for a big broadcasting equipment manufacturer. Every now and then a hardware project comes along and I try to grab those too.

Continue reading “Judge Spotlight: Sprite_TM”

[Sprite_TM] OHM2013 Talk: Hacking hard drive controller chips

Even if he hadn’t done any firmware hacking on this hard drive [Sprite_TM’s] digital exploration of the controller is fascinating. He gave a talk at this year’s Observe, Hack, Make (OHM2013) — a non-commercial community run event in the Netherlands and we can’t wait for the video. But all the information on how he hacked into the three-core controller chip is included in his write up.

[Sprite_TM] mentions that you’re not going to find datasheets for the controllers on these drives. He got his foot in the door after finding a JTAG pinout mentioned on a forum post. The image above shows his JTAG hardware which he’s controlling with OpenOCD. This led him to discover that there are three cores inside the controller, each used for a different purpose. The difference between [Sprite_TM’s] work and that of mere mortals is that he has a knack for drawing surprisingly accurate conclusions from meager clues. To see what we mean check out the memory map for the second core which he posted on page 3 or his article.

Using JTAG he was able to inject a jump into the code (along with a filler word to keep the checksum valid) and run his own code. To begin the firmware hacking portion of the project he pulled the flash ROM off of the board and installed it on that little board sticking out on the left. This made it easy for him to backup and reflash the chip. Eventually this let him pull off the same proof of concept as a firmware-only hack (no JTAG necessary). He goes onto detail how an attacker who has root access could flash hacked firmware which compromises data without any indication to they system admin or user. But we also like his suggestion that you should try this out on your broken hard drives to see if you can reuse the controllers for embedded projects. That idea is a ton a fun!

When we were poking around the OHM2013 website (linked above) we noticed that the tickets are sold out; good for them! But if you were still able to buy them they take Bitcoin as one payment option. Are there any other conferences that allow Bitcoin for registration?

[Sprite_tm] connects an LCD to a tiny Linux board

One of [Sprite_tm]’s colleagues recently challenged him to connect a small LCD touch screen to a Raspberry Pi. Sadly, [Sprite_tm] has yet to take delivery of a Raspberry Pi, but he did manage to connect an LCD to a Linux board without video capabilities.

Because [Sprite_tm]’s display has a 16-bit parallel interface, and 16 GPIO pins are hard to come by on the Carambola Linux board, a few shift registers had to be brought into the build to make the LCD work. These shift registers are connected to the Carambola board via an SPI interface; a very simple way to connect all the LCD pins to the Linux board.

Of course, there’s no way for Linux to speak to the LCD without a kernel driver; [Sprite_tm] wrote a framebuffer driver so the LCD can be used as a console, an X session, or used by any other program that can write to a framebuffer device.

Like all good driver authors, [Sprite_tm] is giving away the patch to enable SPI-ified LCD panels on the Carambola along with the shift register schematic. With any luck we’ll also see the Raspi drivers when [Sprite_tm] takes delivery of his Raspberry Pi.