Decoding and Replicating Xantrex Solar Charge Data

This is a story mostly of decoding data, but there is a happy ending that includes turning that decoding work into an open source receiver. Xantrex solar charge controllers monitor a lot of data about what is happening with your solar panels, and they stream it over RJ25, but you need their add-on hardware to receive it. [Eric Herbers] figured if the data is being transmitted, a resourceful hacker should be able to decode it. And he did just that with a little help from his friends in the Hackaday community.

We asked on Twitter what people were working on and [Eric] posted his scope screenshot. The conversation that followed helped point him in the right direction, and others knowing about the project surely drove him to finish it. The decoding isn’t perfect, but it achieves enough to decode and display voltage, amperage, and temperature. [Eric] built the display unit using an Arduino Pro Mini and a character LCD housed in your most common of black project boxes.

Hacklet 45 – Reverse Engineering Projects

Sooner or later, all of us end up putting on our reverse engineering hats and digging in to a device. It might be that you’re trying to keep an old piece of equipment running – the manufacturer is long defunct, and parts are no longer available. It might be that sweet new router with locked down firmware. Or, it might just be that you’re curious. Whatever the reason, reverse engineering is a rewarding endeavor. Some of our favorite reverse engineering projects read like spy novels. Instead of cloak and dagger, it’s encryption and soldering iron. This week’s Hacklet focuses on some of the best reverse engineering projects on Hackaday.io!

We start with [Henryk Plötz] and Reverse-Engineering a low-cost USB CO₂ monitor. Carbon monoxide detection and measurement devices are household safety items these days, and have become rather cheap. Carbon dioxide measuring devices are less common, and as expected, more expensive. [Henryk] found a device for around 80€ which did what he needed. The included USB connector was supposedly just for power, but when plugging it in, the device enumerated on his Linux box. The accompanying Windows software displayed live data from the detector, but there wasn’t much information on the protocol. Time to bust out IDA Pro, and go to town on that software! [Henryk] did battle with his CO₂ monitor’s software and was justly rewarded.

Next up is [Bob Blake] and Reverse Engineering the Maverick ET-732. [Bob] loves barbecue, but hates to babysit his smoker. Thankfully there are wireless temperature sensors out there built just for that purpose, but they have limited range and you can’t have multiple receivers around the house. [Bob] aimed to fix all of that by sending his Maverick wireless thermometer data to the web, so he could check in on his cooking from anywhere. First he had to reverse engineer the protocol used by the sensor. A spectrum analyzer told [Bob] that the sensor transmit frequency was 433.92 MHz, which is common for low-cost transmitters like this. [Bob] actually had some compatible receivers at his office, so he was quickly able to capture some data with his Saleae logic analyzer. The real fun came in figuring out exactly how the data was organized!

A chance eBay sale netted [Technics] a sweet head mounted magnifier, but no way to control it. Reverse engineering a Life Optics M5 documents [Technics]’ efforts to get his new headgear working. The Life Optics M5 is actually a re-branded version of the Leica HM500 head mounted zoom microscope. These devices were originally designed for medical use. They provide a stereo view to the surgeon or dentist using them, as well as sending a video feed to be displayed for the rest of the team to use or record. Cracking open the M5’s head-mounted box revealed several modules, but no obvious means of controlling zoom or focus. Scoping out a few of the mystery wires did reveal what looks to be a 9600 baud serial data stream though. This is a brand new project, and we’re waiting for [Technics]’ next update to see if he gets to do some soldering with his new toy!


BIOS password protection – it’s the bane of any used laptop buyer’s existence. Sometimes removing these passwords is as easy as popping out the CMOS battery; other times, not so much. [q3k] found themselves in the latter situation with a bundle of Toshiba R100 laptops and no way to start them up. [q3k] didn’t give up though – they broke out the soldering iron and started Reverse engineering Toshiba R100 BIOS. The R100 is a Pentium M era machine – old but still usable for many hacking purposes. Dumping the ROM BIOS of the laptop didn’t yield the information [q3k] needed, so they moved on to the TLCS-870 controller, and built a really nice board with a Xilinx Spartan6 FPGA to help with the effort. It turns out that the 870 is just used for power management – [q3k] has now turned their attention to a Renesas microcontroller which might be just the droid they are looking for!

We think that reverse engineering projects are pretty darn cool, so we’ve created a Reverse Engineering List to keep them all organized.

That’s it for this Hacklet. As always, see you next week. Same hack time, same hack channel, bringing you the best of Hackaday.io!

How To Reverse Engineer A PCB

For [Peter]’s entry for the 2015 Hackaday Prize, he’s attempting to improve the standard industrial process to fix atmospheric nitrogen. Why? Fertilizers. He’s come up with an interesting technique that uses acoustic transducers in a pressure vessel, and to power that transducer, he’s turned to the greatest scrap heap in the world: eBay. He found a cheap ultrasonic power supply, but didn’t know offhand if it would work with his experiments. That’s alright; it’s a great opportunity to demo some basic reverse engineering skills.

A few months ago, [Dave Jones] posted a great video where he reverse engineers the front end of the new Rigol Zed. The basic technique is to make a photocopy, get some transparency sheets, grab a meter, and go to town. [Peter]’s technique is similar, only he’s using digital image manipulation, Photoshop, and a meter.

The process begins by taking pictures of both sides of the board, resizing them, flipping one side, and making an image with several layers. The traces on the bottom of the board were flooded and filled with the paint bucket tool, and components and traces carefully annotated.

With some effort, [Peter] was able to create a schematic of his board. He doesn’t know if this power supply will work with his experiments; there’s still some question of what some components actually do. Still, it’s a good effort, a great learning opportunity, and another log in [Peter]’s entry to The Hackaday Prize.

Reverse Engineering Galaga to Fix the No-Fire Cheat

We didn’t know there was a cheat to Galaga, but [Chris Cantrell] did. And so he did what any curious hacker would do — reverse-engineer the game to diagnose and eventually fix the bug.

Spoilers ahoy! Go read the website first if you’d like to follow [Chris]’s reversing efforts in the order that they actually happened.

The glitch is triggered by first killing most of the bees. When only six are left, they go into a second pattern where they swoop across the screen and wrap around the edges. While swooping, sometimes the bees will fire a shot when they’re at coordinates with X=0. Now two facts: there’s a maximum of eight missiles on the screen at any given time, and the position X=0 was reserved by the software to hide sprites that don’t need updating.

The end result is that eight missiles get stuck in a place where they never drop and don’t get drawn. No further shots are fired in the entire game. You win.
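The mechanism above is a classic sentinel-value collision: the allocator decides a missile slot is free by one rule, the per-frame update decides a sprite is hidden by another (X=0), and a shot fired from X=0 satisfies the second rule forever while still counting as allocated under the first. The following simplified model is an added illustration of that failure mode, not code from the game or from [Chris]’s write-up; the 8-slot table, the X=0 sentinel, the screen height and the clamp-to-X=1 mitigation are all assumptions made for the demonstration.

```python
"""Toy model of the Galaga no-fire glitch (constructed example, not game code).

Assumptions: an 8-entry missile table, X=0 meaning "hidden sprite, do not
update or draw", an 'active' flag consulted only by the allocator, and an
arbitrary 240-pixel screen height.
"""
from dataclasses import dataclass, field

MAX_MISSILES = 8
HIDDEN_X = 0            # sentinel: sprites parked here are skipped by the update loop
SCREEN_HEIGHT = 240
MISSILE_SPEED = 4


@dataclass
class Missile:
    x: int = HIDDEN_X
    y: int = 0
    active: bool = False


@dataclass
class MissilePool:
    slots: list = field(default_factory=lambda: [Missile() for _ in range(MAX_MISSILES)])

    def fire(self, x, y, clamp=False):
        """Allocator: take the first slot whose 'active' flag is clear.

        With clamp=True a shot originating at the hidden X is nudged to X=1,
        one possible mitigation (not the fix from the write-up)."""
        if clamp and x == HIDDEN_X:
            x = HIDDEN_X + 1
        for m in self.slots:
            if not m.active:
                m.x, m.y, m.active = x, y, True
                return True
        return False  # table exhausted: nobody can shoot

    def update(self):
        """Per-frame update: anything at X=0 is 'hidden' and is left untouched."""
        for m in self.slots:
            if m.x == HIDDEN_X:
                continue
            m.y += MISSILE_SPEED
            if m.y >= SCREEN_HEIGHT:
                # off the bottom: park the sprite and release the slot
                m.x, m.y, m.active = HIDDEN_X, 0, False

    def stuck(self):
        """Slots that are allocated but will never be updated, drawn or released."""
        return sum(1 for m in self.slots if m.active and m.x == HIDDEN_X)


def run_normal(frames=100):
    """Bees fire from a normal X every 10 frames; slots recycle as missiles leave the screen."""
    pool, fired = MissilePool(), 0
    for f in range(frames):
        if f % 10 == 0:
            fired += pool.fire(x=100, y=50)
        pool.update()
    return fired, pool.stuck()          # -> (10, 0)


def run_glitch(stray_shots=8, frames=100):
    """Eight shots fired while a bee sits at X=0: every slot leaks, and firing fails afterwards."""
    pool = MissilePool()
    for _ in range(stray_shots):
        pool.fire(x=HIDDEN_X, y=50)
    for _ in range(frames):
        pool.update()
    return pool.stuck(), pool.fire(x=100, y=50)   # -> (8, False)


def run_fixed(stray_shots=8, frames=100):
    """Same scenario with the clamp: the shots fly, drop off screen, and free their slots."""
    pool = MissilePool()
    for _ in range(stray_shots):
        pool.fire(x=HIDDEN_X, y=50, clamp=True)
    for _ in range(frames):
        pool.update()
    return pool.stuck(), pool.fire(x=100, y=50)   # -> (0, True)


if __name__ == "__main__":
    print("normal:", run_normal(), "glitch:", run_glitch(), "fixed:", run_fixed())
```

The lesson generalizes beyond arcade games: whenever one code path reuses an in-band value (here X=0) to mean "inactive" while another path tracks liveness separately, a legitimately allocated object that happens to carry the sentinel becomes immortal, and a fixed-size pool quietly exhausts itself.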

So that’s the punchline, but everyone knows that a good joke is in the telling. If you’re at all interested in learning reverse engineering, go read [Chris]’s explanations and work through them on your own.

And here’s our generic plug for Computer Archaeology:

Ancient video games run on MAME or similar emulators are the perfect playground for learning to reverse engineer; you can pause the machine, flip a bit in memory, and watch what happens next. Memory was expensive back then too, so the games themselves are small. (It’s not like trying to reverse engineer all however many jiggabytes of Microsoft Office.) The assembly languages for the old chips are small and well-documented, and most of the time you’ve also got a good disassembler. What more could you ask for?

A walkthrough tutorial? We’ve just given you one.

Oh and PS: If you get past level 255, the game freaks out.


Reverse-Engineering a Wireless BBQ Thermometer

[Bob] has his own smoker and loves to barbecue, but doesn’t like spending all day checking on his smoker’s temperature. He thought about building his own wireless thermometer setup, which would have been pretty awesome, but then he had a better idea: why not hack an existing wireless barbecue thermometer? [Bob] purchased an off-the-shelf wireless BBQ thermometer and reverse-engineered its wireless protocol to make his own wireless thermometer setup.

The first problem [Bob] encountered was figuring out the frequency of the transmitter. Thankfully [Bob] had access to a spectrum analyzer, where he discovered the transmitter was running at 433.92MHz (a cheap RTL-SDR dongle would also get the job done). Next, [Bob] started digging into the manufacturer’s FCC filings and found that it actually called out the transmit frequency, which matched the transmit frequency he measured. He also found a ton of other helpful information in the filing, like a block diagram and full transmitter schematic.

[Bob] used a Radiometrix RF module to receive the thermometer’s signal. He hooked up the output to his logic analyzer to start decoding the protocol. After a quick visual analysis, [Bob] found that the signal was a preamble followed by 13 bytes of Manchester-encoded data being transmitted at 2kbps. He started collecting data with known temperatures, created a table of the data, and began looking for patterns. After quite a bit of searching [Bob] was successfully able to find and parse the temperature values out of the data stream. [Bob] did a great job of documenting his process and results, so check out his writeup if you want to try it out yourself.
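To make the decoding step concrete, here is an added example (not [Bob]’s code, and not the real Maverick frame layout) that turns a logic-analyzer style sample stream into bytes and then applies his known-temperature comparison trick. It assumes the IEEE 802.3 Manchester convention (low-to-high in mid-bit is a 1), a 20 kHz sample rate against the 2 kbps bit rate, a made-up 0xAA 0xAA preamble, and captures that begin on a bit boundary; the two 13-byte payloads are constructed and the byte that changes between them is arbitrary.

```python
"""Manchester decode of a sampled capture plus known-value diffing (constructed example).

Assumptions: IEEE 802.3 polarity (0->1 transition = bit 1), 2 kbps sampled at
20 kHz (10 samples per bit), an 0xAA 0xAA preamble, 13 payload bytes, and a
capture that starts exactly on the first bit cell. Nothing here is taken from
the ET-732 write-up except the bit rate and the 13-byte frame length.
"""

BIT_RATE = 2000
SAMPLE_RATE = 20000
SAMPLES_PER_BIT = SAMPLE_RATE // BIT_RATE     # 10 samples per bit cell
PREAMBLE = bytes([0xAA, 0xAA])                # assumed, not from the write-up
FRAME_BYTES = 13


def bytes_to_bits(data):
    return [(b >> (7 - i)) & 1 for b in data for i in range(8)]


def bits_to_bytes(bits):
    usable = len(bits) - len(bits) % 8
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, usable, 8))


def manchester_encode(bits, samples_per_bit=SAMPLES_PER_BIT):
    """Build a sampled logic-level list: bit 1 -> low then high, bit 0 -> high then low."""
    half = samples_per_bit // 2
    out = []
    for b in bits:
        first, second = (0, 1) if b else (1, 0)
        out += [first] * half + [second] * (samples_per_bit - half)
    return out


def manchester_decode(samples, samples_per_bit=SAMPLES_PER_BIT):
    """Sample the middle of each half-cell; a cell with no mid-bit transition is a sync/noise error."""
    half = samples_per_bit // 2
    bits = []
    for start in range(0, len(samples) - samples_per_bit + 1, samples_per_bit):
        first = samples[start + half // 2]
        second = samples[start + half + half // 2]
        if first == second:
            raise ValueError(f"no mid-bit transition in cell starting at sample {start}")
        bits.append(1 if (first, second) == (0, 1) else 0)
    return bits


def parse_frame(samples):
    """Decode, check the preamble, and return the 13 payload bytes."""
    data = bits_to_bytes(manchester_decode(samples))
    if not data.startswith(PREAMBLE):
        raise ValueError("preamble not found; capture may not start on a bit boundary")
    payload = data[len(PREAMBLE):len(PREAMBLE) + FRAME_BYTES]
    if len(payload) != FRAME_BYTES:
        raise ValueError("short frame")
    return payload


def changed_positions(frames):
    """Given payloads captured at different known temperatures, list the byte
    offsets that vary between them: the first place to look for the temperature field."""
    return [i for i in range(FRAME_BYTES) if len({f[i] for f in frames}) > 1]


def build_capture(payload):
    """Construct a fake capture: preamble + payload, Manchester encoded and sampled."""
    return manchester_encode(bytes_to_bits(PREAMBLE + payload))


# Two constructed captures differing only in byte 3 (pretend that is the probe reading).
CAPTURE_A = build_capture(bytes([0x11, 0x22, 0x01, 0x2C, 0, 0, 0, 0, 0, 0, 0, 0, 0x5A]))
CAPTURE_B = build_capture(bytes([0x11, 0x22, 0x01, 0x5E, 0, 0, 0, 0, 0, 0, 0, 0, 0x5A]))

if __name__ == "__main__":
    a, b = parse_frame(CAPTURE_A), parse_frame(CAPTURE_B)
    print(a.hex(), b.hex(), "varying bytes:", changed_positions([a, b]))
```

On a real capture the first thing to check is the cell timing: if every cell has a transition at its midpoint the bit-rate and sample-rate assumptions hold, and the decoder above refuses to continue the moment a flat cell shows up rather than silently emitting garbage.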

Looking inside the KR580VM80A Soviet i8080 clone

The folks at Zeptobars are on a roll, sometimes looking deep inside historic chips and at others exposing fake devices for our benefit. Behind all of those amazing die shots are hundreds of hours of hard work. [Mikhail] from Zeptobars recently tipped us off on the phenomenal work done by engineer [Vslav] who spent over 1000 hours reverse engineering the Soviet KR580VM80A – one of the most popular micro-controllers of the era and a direct clone of the i8080.

But before [Vslav] could get down to creating the schematic and Verilog model, the chip needed to be de-capped and etched. As they etched down, they created a series of high resolution images of the die. At the end of that process, they were able to determine that the chip had exactly 4758 transistors (contrary to rumors of 6000 or 4500). With the images done, they were able to annotate the various parts of the die, create a Verilog model and the schematic. A tough compatibility test confirmed the veracity of their Verilog model. All of the source data is available via a (CC-BY-3.0) license from their website. If this looks interesting, do check out some of their work that we have featured earlier like comparing real and fake Nordic dies and amazing descriptions of how they figure out the workings of these decapped chips. If this is too deep for you check out the slightly simpler but equally awesome process of delayering PCBs.

Deconstructing PCBs

The surest way to reverse engineer a circuit is to look at all the components, all the traces between these components, and clone the entire thing. Take a look at a PCB some time, and you’ll quickly see a problem with this plan: there’s soldermask hiding all the traces, vias are underneath components, and replicating a board from a single example isn’t exactly easy. That’s alright, because [Joe Grand] is here to tell you how to deconstruct PCBs one layer at a time.

Most of this work was originally presented at DEFCON last August, but yesterday [Joe] put up a series of YouTube videos demonstrating different techniques for removing soldermask, delayering multi-layer boards, and using non-destructive imaging to examine internal layers.

If you’re dealing with a two-layer board, the most you’ll have to do is remove the soldermask. This can be done with techniques ranging from a fiberglass scratch brush, to laser ablation, to a dremel flapwheel. By far the most impressive and effective way to take the solder mask off of PCBs is the way the pros do it: chemically. A bath in Magnastrip 500 or Ristoff C-8 results in perfectly stripped boards and a room full of noxious chemicals. It makes sense; this is what PCB houses use when they need to remove solder mask during the fabrication process.

Removing a solder mask will get you the layout of a two-layer board, but if you’re looking at deconstructing multi-layer boards, you’ll have to delaminate the entire board stack to get a look at the interior copper layers. By far the most impressive way of doing this is with a machine that can only be described as gently violent, but passive imaging techniques such as X-rays, CT scanners and other sufficiently advanced technology will also do the trick. Acoustic microscopy, or Acoustic Micro Imaging, was, however, unsuccessful. It does look cool, though.

Thanks [Morris] for the tip.
