EEPROM hack unlocks crippled features in Agilent multimeter and LCR meter

u1241a-agilent-hack

[Gnif] was doing what any good hacker does… poking around the insides of one of his tools to see how it works. While in there, he discovered that an EEPROM hack could make the Agilent U1241A function like the U1242A.

If you’re into this kind of thing the Rigol 1052e hack should have already popped to mind. That was a firmware crippled device that, when unlocked, made the cheaper model behave the same ways as it’s $400 more expensive sibling. This doesn’t have quite the same impact, as the price difference is somewhere between $20-$100. Still, this stuff is just cool, right?

A few posts down in the thread linked above [Gnif] shares the story of how he found the hack. After shorting the i2c lines of the EEPROM while powering up the meter he was able to see that the device initializes a lot of its values to 0xFF when it can’t find the stored data. The next step was to use an STM32 board to dump the EEPROM contents. With the backup file stored safely he started changing values and reflashing the chip. Through this process he discovered that switching one byte from 0x01 to 0x02 enabled the higher model’s features. It also works for upgrading the U1732C to the U1733C feature set.

Playing a WAV file with 64 bytes of RAM

montage-final

[Jacques] thought his doorbell was too loud, so of course the first thing that came to mind was replacing the electronics and playing a WAV file of his choosing every time someone came knocking. What he ended up with is a very neat circuit: he used a six-pin microcontroller with 64 bytes of RAM to play an audio file. (French, Google translation)

The microcontroller in question is a PIC10F322. one of the tiniest PICs around with enough Flash for 512 instructions, 64 bytes of RAM, and a whole bunch of other features that shouldn’t fit into a package as small as a mote of dust. Without the space to store audio data on the microcontroller, [Jacques] turned to a 64 kilobyte I2C EEPROM. The PIC communicates with the EEPROM with just two pins, allowing it to read the audio data and spit it out again via PWM to an amplifier. The code required for this feat is only 253 instructions and uses just a few bytes of RAM; an impressive display of what a very small microcontroller can do.

Playing around with MRAM

For the longest time, hardware tinkerers have only been able to play around with two types of memory. RAM, including Static RAM and Dynamic RAM, can be exceedingly fast but is volatile and loses its data when power is removed. Non-volatile memory such as EPROMS, EEPROMS, and Flash memory retains its state after power is removed, but these formats are somewhat slower.

There have always been competing technologies that sought to combine the best traits of these types of memory, but not often have they been available to hobbyists. [Majenko] got his hands on a few MRAM chips – Magneto-Resistive RAM – and decided to see what they could do.

Magneto-Resistive RAM uses tiny pairs of magnetic plates to read and write 1s and 0s. [Majenko] received a sample of four MRAM chips with an SPI bus (it might be this chip, 4 Megabits for $20, although smaller capacity chips are available for about $6). After wiring these chips up on a home-made breakout board, [Majenko] had 16 Megabits of non-volatile memory that was able to run at 40 MHz.

The result was exactly what the datasheet said: very fast write and read times, with the ability to remove power. Unlike EEPROMS that can be destroyed by repeated reading and writing, MRAM has an unlimited number of write cycles.

While MRAM may be a very young technology right now, it’s a wonderful portent of things to come. In 20 (or 30, or 40) years, it’s doubtful any computer from the largest server to the smallest microcontroller will have the artificial separation between disk space and memory. The fact that any hardware hacker is able to play around with this technology today is somewhat amazing, and we look forward to more builds using MRAM in the future.

Disassembling and reprogramming Webkeys

Webkeys are small, inexpensive USB devices which launch a web browser when plugged into a computer. They’re given out as a promotional item, but they can be fun to hack as well. [Brad Antoniewicz] recently got his hands on one and decided to crack it open to see what he could accomplish.

The majority of the device was packaging but it didn’t take him long to get down to the guts seen here. There are two units shown in the image above so that we can get a look at both sides of the circuit board. As you can see, there’s a chip-on-board processor (that black blob) that handles the USB connectivity. But the data which is pushed to a computer is stored in that EEPROM chip at the top. It’s got legs which are just begging to be probed. [Brad] wasn’t able to find the exact datasheet but he got some clues as to the pinout. Using his Bus Pirate he was able to establish communications and sniff the i2c traffic. With that success he went on to overwrite that data. You can see a quick demonstration of it after the break.

[Brad] hopes to do a bit more with the hardware. He thinks those four pads can be used to reprogram the MCU. We’ll keep our eyes out for updates as he moves along on that mission.

[Read more...]

This hack can refill your Stratasys 3D printer

[Dan] has his own Stratasys Dimension SST 768 3D printer. It’s a professional grade machine which does an amazing job. But when it comes time to replace the cartridge he has to pay the piper to the tune of $260. He can buy ABS filament for about $50 per kilogram, so he set out to refill his own P400 cartridges.

Respooling the cartridge must be quite easy because he doesn’t describe the process at all. But the physical act of refilling it doesn’t mean you can keep using it. The cartridge and the printer both store usage information that prevents this type of DIY refill; there’s an EEPROM in the cartridge and a log file on the printer’s hard drive. [Dan] pulled the hard drive out and used a Live CD to make an image. He loaded the image in a virtual machine, made some changes to enable SSH and zap the log file at each boot, then loaded the image back onto the printer’s drive. A script that he wrote is able to backup and rewrite the EEPROM chip, which basically rolls back the ‘odometer’ on how much filament has been used.

[Image Source]

Word clock of a different nature

This work clock functions in an unexpected way. With each passing second it displays a random four letter word on the right side of the display. Traditional word clocks tell the time in natural language, but this one is simply used as a learning opportunity.

[Iron Jungle] got his hands on the display for just five buck from Deal Extreme. Looks like the price has gone up two dollars but that’s still a bargain. He wanted to use all eight digits of the display, and was looking for an opportunity to control more than one i2c device at a time. He ended up rolling an EEPROM and DS1307 RTC into the design. He figured the could display 24-hour time on four of the digits, and pull a library of four-letter words off of the EEPROM to fill the rest. He grabbed a word list off of the Internet then used a Python script to remove words containing 7-segment unfriendly characters (K, M, V, W, X, Z). The final touch was to use a salvaged relay to give the clock a ticking sound. Hear it for yourself in the clip after the break.

[Read more...]

Reprogramming promotional USB dongles to launch custom URLs

webkey-hacking

The teachers at [Jjshortcut's] school were each given a Webkey by the administration as a promotional item of sorts, but most of the staff saw them as useless, so they pitched them. [Jjshortcut] got his hands on a few of them and decided to take one apart to see what made them tick.

He found that the device was pretty simple, consisting of a push button that triggers the device to open the Windows run prompt, enter a URL, and launch Internet Explorer. Since the microcontroller was locked away under a blob of epoxy, he started poking around the onboard EEPROM with his Bus Pirate to see if he could find anything interesting there. It turns out he was able to read the contents of the EEPROM, and since it was not write protected, he could replace the standard URL with that of his own web site.

While it’s safe to say that without a new microcontroller the Webkeys probably can’t be used for anything more exciting than launching a browser, [Jjshortcut] can always reprogram the lot and drop them in random locations to drive some fresh traffic to his web site!

[Thanks, Wouter]

Follow

Get every new post delivered to your Inbox.

Join 96,562 other followers