Reverse engineering the die of a ULN2003 transistor array

uln2003-die-reverse-engineering

We’re no strangers to looking at uncapped silicon. This time around it’s not just a show and tell, as one transistor form a ULN2003 chip is reverse engineered.

The photo above is just one slice from a picture of the chip after having its plastic housing remove (decapped). It might be a stretch to call this reverse engineering. It’s more of a tutorial on how to take a functional schematic and figure out how each component is placed on a photograph of a chip die. Datasheets usually include these schematics so that engineers know what to expect from the hardware. But knowing what a resistor or transistor looks like on the die is another story altogether.

The problem is that you can’t just look at a two dimensional image like the one above. These semiconducting elements are manufactured in three dimensions. The article illustrates where the N and P type materials are located on the transistor using a high-res photo and a reference diagram.

If you want to photograph your own chip dies there are a few ways to decap them at home.

Reverse engineering Solari soft flap displays

This is a side view of the guts of a one character Solari soft flap module. This is the type of mechanical display used in some transportation hubs that have a flap for each letter. The motor turns the flaps through the alphabet until it gets to the target letter. Recently [Boz] had a client approach him who needed a custom controller for a 20-character soft flap display.

The process started out with a magnifying glass and multimeter which yielded a rather complicated hand-drawn schematic. An optical encoder is used to judge which character is currently displayed. After analyzing the output using an oscilloscope [Boz] designed a PIC based driver board which is controlling the display seen in the clip after the break.

The great thing about these displays is that they don’t use any electricity except when they change letters. This sounds like the predecessor of ePaper and makes us wonder if there are any companies developing high-contrast ePaper to replace soft-flap digits?

Continue reading “Reverse engineering Solari soft flap displays”

Reverse engineering old PDA software

[Troy Wright] acquired a lot of twenty broken Dell Axim PDAs. This type hardware was quite popular a decade ago, but looks archaic when compared to a modern cell phone. That’s why he was able to get them for a song. After a bit of work he managed to resurrect eight of the units, but was dismayed to find there’s no published method for controlling the back light from software. For some reason this is a deal-breaker for his project. But he knew it was possible because there are some apps for the device which are able to set the back light level. So he found out how to do it by reverse engineering the software.

The trick is to get a hold of the code. Since it’s not open source [Troy] used IDA, a graphical disassember and debug suite. He had some idea of what he was hunting for as the Windows CE developer documentation does mention a way to directly control the graphical hardware independently from the display driver. A few hours of pawing through assembly language, setting break points, and testing eventually led him to the solution.

Projector project bears no fruit but it was a fun ride

No matter how good the intentions or how strong your hack-fu may be, sometimes you just can’t cross the finish line with every project. Here’s one that we hate to see go unfinished, but it’s obvious that a ton of work already went into reclaiming these smart white-board projectors and it’s time to cut the losses.

The hardware is a Smartboard Unifi 35″ computer with a projector mounted on a telescoping rod. It was manufactured for use with a touch-sensitive white board which the guys at the Milwaukee Makerspace don’t have. The projector works, but all it will display is a message instructing the user to connect the computer to the white board. Since they’ve got a couple of these projectors, it would be nice to salvage the functionality.

The first attempt was to replace the video signal to the projector. A few test boards were etched to experiment with DVI input. This included several logic sniffing runs to see what the computer is pushing to get the warning message to display. Alas, the group was not able to get the device to respond. But this opens up a great opportunity for you to play Monday morning hacker. Take a look at the data they’ve posted in the link above and let us know how you would’ve done it in the comments.

G-35 circuit board porn

[Todd Harrison] took a slew of pictures in his quest to loose all the secrets of the G-35 Christmas Lights. These are a string of 50 plastic bulbs which house individually addressable RGB LEDs. We’ve seen a ton of projects that use them, starting about a year ago with the original reverse engineering and most recently used to make a 7×7 LED matrix. But most of the time the original control board is immediately ditched for a replacement. It’s become so common that you can now buy a drop-in board, no hacking needed. We enjoy the hard look that [Todd] took at the electronics.

The stock controller uses a single layer, single sided board. There’s a resin-blob chip, but also an SOP-20 microcontroller. Since [Todd’s] using several strings of lights on his house, he wondered if it would be possible to improve on the controller in order to synchronize the strands. His investigation showed that the board was designed to host a crystal oscillator but it is unpopulated. Unfortunately you can’t just add those parts to improve the timing of the chip (firmware changes would also be requires). He found that there’s a spot for a push-button. Quickly shorting the pads cycles through the effects, shorting them for a longer time turns off the string of lights. There is wireless control, but it seems that the only functionality it provides is the same as the unpopulated switch.

We enjoyed the close-up circuit board photos, and we like the spacing jig he used to attach the lights to his fascia boards. We’ve embedded a lengthy video about his exploits after the break. Continue reading “G-35 circuit board porn”

Adding Fluke 54 II features to a 51 II thermometer

The difference between Fluke’s 54 II and 51 II thermometers is the addition of a second channel for dual temperature sensing, and buttons which control data logging. Oh, and an additional $150 in price for the higher model. [TiN] was poking around inside and with the help of some forum members he figured out how to unlock additional features on his low-end Fluke temperature meter. You can do the same if you don’t mind cracking open the meter, sourcing and soldering most of the components seen above, cutting holes in the case for the buttons, and hoping it still works when you put everything back together.

It seems that Fluke designed one full-featured unit and watered it down to fill a hole in the lower-priced market just like some other testing-hardware manufacturers (Rigol’s digital storage oscilloscopes come to mind). But the MSP430 P337I in this meter cannot be reflashed, so this would most likely be unhackable hardware if the firmware for the two models is different. After some intensive study of the PCB layout [TiN] found a set of resistors which seemed to serve no external hardware purpose. They do connect to the microcontroller and together they create a two-bit code. He was able to get pictures of the four different hardware models and work out which resistor combinations identify the different meters. Now he can get the firmware to believe it is operating a Fluke 54 II, the rest is just putting the correct passive components onto the unpopulated locations.

We think the quest is what is of interest with this hack. [TiN] did an amazing job of photographing and writing about each step in the process. We’re unlikely to try this ourselves but loved reading about it.

Part 2: Help me reverse engineer an LED light bulb

Almost a month ago I started trying to reverse engineer an inexpensive LED color changing light bulb. With your help I’ve mapped out the circuit, and taken control of the bulb. But there’s still a few mysteries in this little blinker. Join me after the break to see what I’ve done so far, peruse the schematic and source code, and to help solve the two remaining mysteries.

Continue reading “Part 2: Help me reverse engineer an LED light bulb”