Counting Transistors In The Playstation

Over in Russia there are a few people doing extremely in-depth technical teardowns, and the latest is one of the most ambitious ever seen. The PSXDEV team is tearing into the heart of the original PlayStation (Google translatrix), looking at 300,000 transistors, and re-implementing the entire console in a logic level simulator.

While the CPU in the PSX is unique to that specific piece of hardware, a lot of this custom silicon can be found in other places. The core – a RISC LSI LR33300 – is documented in a few rare tomes that are somehow available for free on the Internet. Other parts of this chip are a little stranger. There is a bizarre register that isn’t documented anywhere, a Bus Unit that handles the access between various devices and peripherals, and a motion picture decompressor.

The reverse engineering process begins by de-encapsulating the CPU, GPU, sound processing unit, and CD-ROM controller, taking very high magnification photos of the dies, and slowly mapping out the semiconductors and metals to figure out what cells do what function, how they’re connected, and what the big picture is. It’s a painstaking process that requires combing through gigabytes of die shots and apparently highlight gates, wires, and busses with MS Paint.

The end result of all this squinting at a monitor is turning tracings of chips into logic elements with Logisim. From there, the function of the CPU can be understood, studied, and yes, eventually emulated down to the gate level. It’s an astonishing undertaking, really.

If this sort of thing sounds familiar, you’re right: the same team behind PSXDEV is also responsible for a similar effort focused on the Nintendo Entertainment System. There, the CPU inside the NES – the Ricoh 2A03 – was torn down, revealing the 6502 core, APU, DMA, and all the extra bits that made this a custom chip.

Thanks [Rasz] for the tip.

Reverse Engineering a Robotic Arm

Not too many people will argue that Robot Arms aren’t cool. [Dan] thinks they are cool and purchased a LabVolt Armdroid robotic arm on eBay for a mere $150. Unfortunately, he did not get the power supply or the control unit. To most, this would a serious hurdle to overcome, but not for [Dan]. He opened up the robot and started probing around the circuit board to figure out what was going on.

Since there was a DB9 connector on the outside of the robot arm, he assumed it was a standard RS-232 controlled device. Good thing he checked the internal circuitry because this was not the case at all. There was no mircocontroller or microprocessor found inside.  [Dan] painstakingly reversed engineered the circuit board and documented his results. He found that there were SN76537A chips that drove the 6 unipolar stepper motors and SN75HC259 latches to address each individual motor.

Now knowing how the robot works, [Dan] had to figure out how to control the robot from his computer. He started by making a custom Parallel Port to DB9 cable to connect the computer to the arm. After a series of several programs, starting with simply moving just one arm joint, the latest iteration allows manual control of all joints using the computer keyboard. A big ‘Thanks’ goes out to [Dan] for all his work and documentation.

 

Reverse Engineering Super Animal Cards

If you don’t have a niece or nephew we encourage you to get one because they provide a great excuse to take apart kids’ toys.

[Sam] had just bought some animal-themed trading cards. These particular cards accompany a card-reader that uses barcodes to play some audio specific to each animal when swiped. So [Sam] convinces her niece that they should draw their own bar codes. Of course it’s not that easy: the barcodes end up having even and odd parity bits tacked on to verify a valid read. But after some solid reasoning plus trial-and-error, [Sam] convinces her niece that the world runs on science rather than magic.

But it can’t end there; [Sam] wants to hear all the animals. Printing out a bunch of cards is tedious, so [Sam] opens up the card reader and programs and Arduino to press a button and blink an IR LED to simulate a card swipe. (Kudos!) Now she can easily go through all 1023 possible values for the animal cards and play all the audio tracks, and her niece gets to hear more animal sounds than any child could desire.

Along the way, [Sam] found some interesting non-animal sounds that she thinks are Easter eggs but we would wager are for future use in a contest or promotional drawing or something similar. Either way, its great fun to get to listen in on more than you’re supposed to. And what better way to educate the next generation of little hackers than by spending some quality time together spoofing bar codes with pen and paper?

Five Dollar RF Controlled Light Sockets

This is tens of thousands of dollars worth of market research I’m about to spill, so buckle up. I have a spreadsheet filled with hundreds of projects and products that are solutions to ‘home automation’ according to their creators. The only common theme? Relays. Home automation is just Internet connected relays tied to mains. You’re welcome.

[Todd] over at Fabricate.io found an interesting home automation appliance on Amazon; a four-pack of remote control light sockets for $20, or what we would call a microcontroller, an RF receiver, and a relay. These lamp sockets are remote-controlled, but each package is limited to four channels. Terrible if you’re trying to outfit a home, but a wonderful exploration into the world of reverse engineering.

After cracking one of these sockets open, [Todd] found the usual suspects and a tiny little 8-pin DIP EEPROM. This chip stores a few thousand bits, several of which are tied to the remote control. After dumping the contents of the EEPROM from the entire four-pack of light sockets, [Todd] noticed only one specific value changed. Obviously, this was the channel tied to the remote. No CRC or ‘nothin. It doesn’t get easier than this.

With the new-found knowledge of what each lamp socket was looking for, [Todd] set out to clone the transmitter. Tearing this device apart, he found a chip with HS1527 stamped on it. A quick Googling revealed this to be an encoder transmitter, with the datasheet showing an output format of a 20-bit code and four data bits. This was a four-channel transmitter, right? That’s where you put each channel. The 20-bit code was interesting but not surprising; you don’t want one remote being able to turn of every other 4-pack of lamp sockets.

With all the relevant documentation, [Todd] set out to do the obvious thing – an Arduino transmitter. This was simply an Arduino and a transmitter in the right frequency, loaded up with bit of carefully crafted code. [Todd] also figured out how to expand his setup to more than four lamp sockets – by changing the 20-bit code, he could make his Arduino pretend to be more than one transmitter.

With Arduino-controlled lamp sockets, the world is [Todd]’s oyster. He can add Ethernet, WiFi, Bluetooth LE, and whatever trendy web front end he wants to have a perfect home automation setup. It’s actually a pretty impressive build with some great documentation, and is probably the cheapest way to add Arduino/Internet-enabled relays we’ve ever seen.

 

Protocol Snooping Digital Audio

More and more clubs are going digital. When you go out to hear a band, they’re plugging into an ADC (analog-to-digital converter) box on stage, and the digitized audio data is transmitted to the mixing console over Ethernet. This saves the venue having to run many audio cables over long distances, but it’s a lot harder to hack on. So [Michael] trained popular network analysis tools on his ProCo Momentum gear to see just what the data looks like.

[Michael]’s writeup of the process is a little sparse, but he name-drops all the components you’d need to get the job done. First, he simply looks at the raw data using Wireshark. Once he figured out how the eight channels were split up, he used the command-line version (tshark) and a standard Unix command-line tool (cut) to pull the data apart. Now he’s got a text representation for eight channels of audio data.

Using xxd to convert the data from text to binary, he then played it using sox to see what it sounded like. No dice, yet. After a bit more trial and error, he realized that the data was unsigned, big-endian integers.  He tried again, and everything sounded good. Success!

While this is not a complete reverse-engineering tutorial like this one, we think that it hits the high points: using a bunch of the right tools and some good hunches to figure out an obscure protocol.

Reverse Engineering a Blu-ray Drive for Laser Graffiti

There’s a whole lot of interesting mechanics, optics, and electronics inside a Blu-ray drive, and [scanlime] a.k.a. [Micah Scott] thinks those bits can be reused for some interesting project. [Micah] is reverse engineering one of these drives, with the goal of turning it into a source of cheap, open source holograms and laser installations – something these devices were never meant to do. This means reverse engineering the 3 CPUs inside an external Blu-ray drive, making sense of the firmware, and making this drive do whatever [Micah] wants.

When the idea of reverse engineering a Blu-ray drive struck [Micah], she hopped on Amazon and found the most popular drive out there. It turns out, this is an excellent drive to reverse engineer – there are multiple firmware updates for this drive, an excellent source for the raw data that would be required to reverse engineer it.

[Micah]’s first effort to reverse engineer the drive seems a little bit odd; she turned the firmware image into a black and white graphic. Figuring out exactly what’s happening in the firmware with that is a fool’s errand, but by looking at the pure black and pure white parts of the graphic, [Micah] was able guess where the bootloader was, and how the firmware image is segmented. In other parts of the code, [Micah] saw thing vertical lines she recognized as ARM code. In another section, thin horizontal black bands revealed code for an 8051. These lines are only a product of how each architecture accesses code, and really only something [Micah] recognizes from doing this a few times before.

The current state of the project is a backdoor that is able to upload new firmware to the drive. It’s in no way a complete project; only the memory for the ARM processor is running new code, and [Micah] still has no idea what’s going on inside some of the other chips. Still, it’s a start, and the beginning of an open source firmware for a Blu-ray drive.

While [Micah] want’s to use these Blu-ray drives for laser graffiti, there are a number of other slightly more useful reasons for the build. With a DVD drive, you can hold a red blood cell in suspension, or use the laser inside to make graphene. Video below.

Continue reading “Reverse Engineering a Blu-ray Drive for Laser Graffiti”

How To Reverse Engineer, Featuring the Rigol DS1054Z

For a few years now, the Rigol DS1052E has been the unofficial My First Oscilloscope™. It’s cheap, it’s good enough for most projects, and there have been a number hacks and mods for this very popular scope to give it twice as much bandwidth and other interesting tools. The 1052E is a bit long in the tooth and Rigol has just released the long-awaited update, the DS1054Z. It’s a four-channel scope, has a bigger screen, more bells and whistles, and only costs $50 more than the six-year-old 1052E. Basically, if you’re in the market for a cheap, usable oscilloscope, scratch the ~52E off your list and replace it with the ~54Z.

With four channels of input, [Dave Jones] was wondering how the engineers at Rigol managed to stuff two additional front ends into the scope while still meeting the magic price point of $400. This means it’s time for [Dave] to reverse engineer the 1054Z, and give everyone on the Internet a glimpse at how a real engineer tears apart the worth of other engineers.

The first thing [Dave] does once the board is out of the enclosure is taking a nice, clear, and in-focus picture of both sides of the board. These pictures are edited, turned into a line drawing, and printed out on a transparency sheet. This way, both sides of the board can be viewed at once, allowing for a few dry erase marker to highlight the traces and signals.

Unless your voyage on the sea of reverse engineering takes you to the island of despair and desoldering individual components, you’ll be measuring the values of individual components in circuit. For this, you’ll want a low-voltage ohms function on your meter; if you’re putting too much voltage through a component, you’ll probably turn on some silicon in the circuit, and your measurements will be crap. Luckily, [Dave] shows a way to test if your meter will work for this kind of work; you’ll need another meter.

From there, it’s basically looking at datasheets and drawing a schematic of the circuit; inputs go at the left, outputs at the right, ground is at the bottom, and positive rails are at the top. It’s harder than it sounds – most of [Dave]’s expertise in this area is just pattern recognition. It’s one thing to reverse engineer a circuit through brute force, but knowing the why and how of how the circuit works makes things much easier.

Continue reading “How To Reverse Engineer, Featuring the Rigol DS1054Z”