Sucking PIC Firmware Out of an Old APC Battery Backup

Looking at this huge Uninterruptible Power Supply we are a little envious. It’s meant to hang on the wall of a utility room and power your critical devices. [Radek Hvizdos] has had it in service for quite some time, and when he started thinking of replacing the internal battery he decided to see if he could also extend the functionality. To do so he needed to get at the firmware of the chip controlling the device. And so began his adventure of dumping the firmware from the read-protected PIC 18F452.

The challenge of dumping code from a write-protected chip is in itself a fun project. But [Radek] was actually interested in fixing bugs and adding features. The wishlist feature we’d be most interested in is a kind of triage for shutting down devices as the internal battery starts to run low. Nice! But starting from scratch with the firmware is a no-go. You can see the two places where he connected to the PCB. The upper is for using a PIC programmer. The lower is an I2C connection used to dump the EEPROM with an improvised Bus Pirate.

In the end it was improper lock bit settings that opened the door to grabbing the firmware. The bootloader section of the PIC is not locked, and neither is the ability to read from FLASH at run-time. These two combined allowed him to write his own code which, when flashed to the bootloader section, dumps the rest of the firmware so that it may be combined into a complete file afterward. Since posting this fascinating article he has made a follow-up about disassembling the code.
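A defender's view of the same lock bits, as an added example that is not code from [Radek]'s write-up: it reads the configuration bytes from an Intel HEX image and lists every protection setting left disabled. The bit positions follow the PIC18FXX2 configuration register map (CONFIG5L to CONFIG7H at 0x300008 to 0x30000D, where 0 means protected) and should be checked against the datasheet for your part; both sample images are constructed.

```python
# Added example: audit PIC18F452 protection bits in an Intel HEX image.
CONFIG_BASE = 0x300000
# (register offset, bit mask, name); a bit value of 0 means "protected".
PROTECTION_BITS = [
    (0x8, 0x0F, "CP0-3: code-protect blocks 0-3"),
    (0x9, 0x40, "CPB: code-protect boot block"),
    (0xA, 0x0F, "WRT0-3: write-protect blocks 0-3"),
    (0xB, 0x40, "WRTB: write-protect boot block"),
    (0xC, 0x0F, "EBTR0-3: table-read-protect blocks 0-3"),
    (0xD, 0x40, "EBTRB: table-read-protect boot block"),
]

def parse_ihex(text):
    """Return {absolute address: byte} from Intel HEX records 00/01/04."""
    mem, upper = {}, 0
    for line in text.split():
        if not line.startswith(":"):
            raise ValueError("not an Intel HEX record: " + line)
        rec = bytes.fromhex(line[1:])
        if sum(rec) & 0xFF:  # all bytes plus checksum must sum to 0 mod 256
            raise ValueError("bad checksum: " + line)
        count, offset, rtype = rec[0], int.from_bytes(rec[1:3], "big"), rec[3]
        data = rec[4:4 + count]
        if rtype == 0x00:    # data record
            for i, b in enumerate(data):
                mem[(upper << 16) + offset + i] = b
        elif rtype == 0x04:  # extended linear address: upper 16 address bits
            upper = int.from_bytes(data, "big")
        elif rtype == 0x01:  # end of file
            break
    return mem

def unprotected(hex_text):
    """List protection settings left disabled (any covered bit still 1)."""
    mem = parse_ihex(hex_text)
    findings = []
    for off, mask, name in PROTECTION_BITS:
        value = mem.get(CONFIG_BASE + off, 0xFF)  # absent = erased = unprotected
        if value & mask:
            findings.append(name)
    return findings

# Constructed samples: only the configuration bytes at 0x300008-0x30000D.
WEAK = ":020000040030CA\n:06000800004000400F4023\n:00000001FF"
LOCKED = ":020000040030CA\n:06000800000000000000F2\n:00000001FF"

if __name__ == "__main__":
    for label, image in (("weak", WEAK), ("locked", LOCKED)):
        print(label, unprotected(image))
```

The WEAK image mirrors the situation described above: the main blocks are code-protected, but the boot block and the table-read bits are left open, so the audit flags CPB, WRTB, EBTR0-3 and EBTRB.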

Fubarino Contest: Serial Data Transmission

[Jesus] is helping his cousin learn about microcontrollers. Right now they’re on the subject of serial communications, which turned into a nice way to add a Hackaday Easter Egg.

Using an FTDI chip in conjunction with the PIC 18F4550 (it’s a little soon for them to tackle implementing USB directly) the serial data is shown in a terminal window. At the same time the binary value of each byte is flashed on the PORTD LEDs. When the chip receives the characters “hack” it immediately echoes back the recommendation to check out the awesomeness that is Hackaday. He posted the code used in this example as a Gist.


This is an entry in the Fubarino Contest for a chance at one of the 20 Fubarino SD boards which Microchip has put up as prizes!

Fubarino Contest: Persistence of Vision clock

The best part of these contests is that we get people to actually show off what they’ve been working on! Check out the POV clock which was sent in by [Taciuc]. He doesn’t have a webpage for it, but he did send a video which you can see after the break.

The project is a home-etched PCB with a long row of surface mount LEDs. The board is spun by a stepper motor which takes a little while to stabilize. But once it does it’s a twirling package of awesomeness. A PIC 16F628 drives the device, with a separate RTC chip to keep time. There’s also an IR receiver to facilitate user control. Our URL is displayed on the clock face itself and we think it’s always shown. But there is an easter egg in the code itself. If you try to dump the firmware from the chip you’ll see our web address in the hex output. Here’s his project archive if you want the HEX, ASM and DipTrace schematic.


This is an entry in the Fubarino Contest for a chance at one of the 20 Fubarino SD boards which Microchip has put up as prizes!

Scratch-built Smart Flashlight

This flashlight has a face; one of the many tricks which [Hobbyman] included during the development process. The smart flashlight build turned out to be a great way to practice so many different aspects of product development.

It was envisioned as a light for use when walking or biking that could do more than just light your way or flash on and off. Of course we know it’s really just a reason to spend way too much time in his lair. He started with the electronics, driven by a PIC 16F88. The 5×5 LED matrix gives him just enough to work with for patterns and rudimentary text. The prototype is wrapped up into a pretty tight package which leaves enough room in the 3D printed case for 4 AAA batteries. As the project progressed more and more features were added in. The most current offering includes a temperature sensor as well as the ability to react to ambient sound. See for yourself after the break.

Simple 10 Watt LED driver is Hot Stuff

[Peter] needed to drive a high power LED for his microscope. Rather than pick up a commercial LED driver, he built a simple constant current LED driver and fan control. We’ve featured [Peter’s] pumpkin candle LED work here on Hackaday in the past. Today he’s moving on to higher power LEDs. A 10 watt LED would be a good replacement light source for an old halogen/fiber optic ring light setup. [Peter] started with his old standby – an 8 pin Microchip PIC. In this case, a PIC12F1501. A PIC alone won’t handle a 10 watt LED, so he utilized a CAT4101 constant current LED driver from ON Semi. The PIC performs three tasks in this circuit. It handles user input from two buttons, generates a PWM signal to the LED driver, and generates a PWM signal for a cooling fan.

Control is simple: Press both buttons and the LED comes on full bright. Press the “up” button, and the LED can be stepped up from 10% to 100% in 10 steps.  The “down” button drops the LED power back down. [Peter] even had a spare pin. He’s currently using it as an LED on/off confirmation, though we’d probably use it with a 1wire temperature sensor as a backup to thermal protection built into the CAT4101. It may be overkill, but we’d also move the buttons away from that 7805 linear regulator. Being that this circuit will be used with a microscope, it may eventually be operated by touch alone. It would be a bit surprising to try to press a button and end up with a burnt fingertip!

Heathkit Clock Updated with a PIC32 and GPS

One of [Bob’s] most treasured possessions is a Heathkit alarm clock he put together as a kid. Over the years he’s noticed a few problems with his clock. There isn’t a battery backup, so it resets when the power goes out. Setting the time and alarm is also a forward only affair – so stepping the clock back an hour for daylight savings time means holding down the buttons while the clock scrolls through 23 hours. [Bob] decided to modify his clock with a few modern parts. While the easiest method may have been to gut the clock, that wouldn’t preserve all those classic Heathkit parts. What [Bob] did in essence is to add a PIC32 co-processor to the system.

Like many clocks in the 70’s and 80’s, the Heathkit alarm clock was based upon the National Semiconductor MM5316 Digital Alarm Clock chip. The MM5316 operates at 8 – 22 volts, so it couldn’t directly interface with the 3.3V (5V tolerant) PIC32 I/O pins. On the PIC’s input side, [Bob] used a couple of analog multiplexer chips. The PIC can scan the individual elements of the clock’s display. On the PIC’s output side, he used a couple of analog switches to control the ‘Fast’, ‘Slow’, and ‘Display Alarm/Time’ buttons.

Running Custom Code on Cheap One-time Password Tokens

One-time passwords (OTP) are often used in America but not so much in Europe. For our unfamiliar readers, OTP tokens like the one shown above generate passwords that are only valid for one login session or transaction, making them invulnerable to replay attacks. [Dmitry] disassembled one eToken (Aladdin PASS) he had lying around and managed to reprogram it for his own needs.

Obviously, these kinds of devices don’t come with their schematics and layout files so [Dmitry] had to do some reverse engineering. He discovered six holes in a 3×2 arrangement on the PCB so he figured that they must be used to reprogram the device. However, [Dmitry] also had to find which microcontroller was present on the board as its only markings were “HA4450” with a Microchip logo. By cross-referencing the number of pins, package and peripherals in Microchip’s parametric search tool he deduced it was a PIC16F913. From there, it was just a matter of time until he could display what he wanted on the LCD.

We love seeing tiny consumer hardware hacked like this. Most recently we’ve been enthralled by the Transcend Wi-Fi SD card hacking which was also one of [Dmitry’s] hacks.