Reverse Engineering Super Animal Cards

If you don’t have a niece or nephew we encourage you to get one because they provide a great excuse to take apart kids’ toys.

[Sam] had just bought some animal-themed trading cards. These particular cards accompany a card-reader that uses barcodes to play some audio specific to each animal when swiped. So [Sam] convinces her niece that they should draw their own bar codes. Of course it’s not that easy: the barcodes end up having even and odd parity bits tacked on to verify a valid read. But after some solid reasoning plus trial-and-error, [Sam] convinces her niece that the world runs on science rather than magic.

But it can’t end there; [Sam] wants to hear all the animals. Printing out a bunch of cards is tedious, so [Sam] opens up the card reader and programs an Arduino to press a button and blink an IR LED to simulate a card swipe. (Kudos!) Now she can easily go through all 1023 possible values for the animal cards and play all the audio tracks, and her niece gets to hear more animal sounds than any child could desire.

Along the way, [Sam] found some interesting non-animal sounds that she thinks are Easter eggs but we would wager are for future use in a contest or promotional drawing or something similar. Either way, it’s great fun to get to listen in on more than you’re supposed to. And what better way to educate the next generation of little hackers than by spending some quality time together spoofing bar codes with pen and paper?

Five Dollar RF Controlled Light Sockets

This is tens of thousands of dollars worth of market research I’m about to spill, so buckle up. I have a spreadsheet filled with hundreds of projects and products that are solutions to ‘home automation’ according to their creators. The only common theme? Relays. Home automation is just Internet connected relays tied to mains. You’re welcome.

[Todd] over at found an interesting home automation appliance on Amazon; a four-pack of remote control light sockets for $20, or what we would call a microcontroller, an RF receiver, and a relay. These lamp sockets are remote-controlled, but each package is limited to four channels. Terrible if you’re trying to outfit a home, but a wonderful exploration into the world of reverse engineering.

After cracking one of these sockets open, [Todd] found the usual suspects and a tiny little 8-pin DIP EEPROM. This chip stores a few thousand bits, several of which are tied to the remote control. After dumping the contents of the EEPROM from the entire four-pack of light sockets, [Todd] noticed only one specific value changed. Obviously, this was the channel tied to the remote. No CRC or ‘nothin. It doesn’t get easier than this.
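Comparing dumps from several identical units is the whole trick here, so as an added example (not [Todd]’s code) this Python snippet diffs a set of equal-sized EEPROM dumps and reports the offsets that vary, grouping adjacent ones into fields so a multi-byte setting shows up as one entry. The dumps and the offset 0x12 are constructed for the demonstration.

```python
def varying_offsets(dumps):
    """Offsets whose byte is not identical across every dump."""
    n = len(dumps[0])
    if any(len(d) != n for d in dumps):
        raise ValueError("dumps must be the same size")
    return [i for i in range(n) if len({d[i] for d in dumps}) > 1]

def fields(dumps):
    """Group adjacent varying offsets into (start, length, value-per-dump) fields,
    so a two- or four-byte setting is reported once rather than per byte."""
    out, run = [], []
    for off in varying_offsets(dumps) + [None]:
        if run and (off is None or off != run[-1] + 1):
            start, length = run[0], len(run)
            out.append((start, length, [bytes(d[start:start + length]) for d in dumps]))
            run = []
        if off is not None:
            run.append(off)
    return out

# Constructed dumps for a four-pack: the same template everywhere except one
# byte at offset 0x12, which holds the paired channel. Not real EEPROM contents.
TEMPLATE = bytes(range(0x40))
DUMPS = [TEMPLATE[:0x12] + bytes([ch]) + TEMPLATE[0x13:] for ch in (0x00, 0x01, 0x02, 0x03)]

if __name__ == "__main__":
    for start, length, values in fields(DUMPS):
        print("offset 0x%02x (%d byte%s): %s" % (start, length, "s" if length > 1 else "",
                                                 [v.hex() for v in values]))
```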

With the new-found knowledge of what each lamp socket was looking for, [Todd] set out to clone the transmitter. Tearing this device apart, he found a chip with HS1527 stamped on it. A quick Googling revealed this to be an encoder transmitter, with the datasheet showing an output format of a 20-bit code and four data bits. This was a four-channel transmitter, right? That’s where you put each channel. The 20-bit code was interesting but not surprising; you don’t want one remote being able to turn off every other 4-pack of lamp sockets.

With all the relevant documentation, [Todd] set out to do the obvious thing – an Arduino transmitter. This was simply an Arduino and a transmitter in the right frequency, loaded up with a bit of carefully crafted code. [Todd] also figured out how to expand his setup to more than four lamp sockets – by changing the 20-bit code, he could make his Arduino pretend to be more than one transmitter.

With Arduino-controlled lamp sockets, the world is [Todd]’s oyster. He can add Ethernet, WiFi, Bluetooth LE, and whatever trendy web front end he wants to have a perfect home automation setup. It’s actually a pretty impressive build with some great documentation, and is probably the cheapest way to add Arduino/Internet-enabled relays we’ve ever seen.


Protocol Snooping Digital Audio

More and more clubs are going digital. When you go out to hear a band, they’re plugging into an ADC (analog-to-digital converter) box on stage, and the digitized audio data is transmitted to the mixing console over Ethernet. This saves the venue having to run many audio cables over long distances, but it’s a lot harder to hack on. So [Michael] trained popular network analysis tools on his ProCo Momentum gear to see just what the data looks like.

[Michael]’s writeup of the process is a little sparse, but he name-drops all the components you’d need to get the job done. First, he simply looks at the raw data using Wireshark. Once he figured out how the eight channels were split up, he used the command-line version (tshark) and a standard Unix command-line tool (cut) to pull the data apart. Now he’s got a text representation for eight channels of audio data.

Using xxd to convert the data from text to binary, he then played it using sox to see what it sounded like. No dice, yet. After a bit more trial and error, he realized that the data was unsigned, big-endian integers. He tried again, and everything sounded good. Success!
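The endianness-and-signedness guessing can be made systematic: real audio is smooth from sample to sample, while a byte-swapped or mis-signed interpretation jumps around. This added Python example (not [Michael]’s code) scores all four 16-bit interpretations of a raw stream and re-packs the winner as signed little-endian, which sox and WAV tooling take directly; the tone it works on is constructed, not captured from ProCo gear, and 16-bit samples are an assumption.

```python
import math
import struct

def constructed_stream(n=2000, rate=48000, freq=440.0):
    """A pure tone packed as unsigned big-endian 16-bit samples (constructed, not captured)."""
    vals = [int(32768 + 30000 * math.sin(2 * math.pi * freq * i / rate)) for i in range(n)]
    return struct.pack(">%dH" % n, *vals)

def decode(raw, endian, signed):
    """Interpret raw bytes as 16-bit samples; endian is '>' (big) or '<' (little)."""
    n = len(raw) // 2
    return struct.unpack("%s%d%s" % (endian, n, "h" if signed else "H"), raw[:n * 2])

def roughness(samples):
    """Mean absolute jump between neighbouring samples. Real audio is smooth;
    a wrong endianness or sign convention produces large, noisy jumps."""
    return sum(abs(b - a) for a, b in zip(samples, samples[1:])) / (len(samples) - 1)

def guess_format(raw):
    """Return the (endian, signed) pair whose interpretation looks least like noise."""
    scored = {}
    for endian in (">", "<"):
        for signed in (False, True):
            scored[(endian, signed)] = roughness(decode(raw, endian, signed))
    return min(scored, key=scored.get)

def to_signed_le(raw, endian, signed):
    """Re-pack the stream as signed little-endian 16-bit for playback tools."""
    samples = decode(raw, endian, signed)
    if not signed:
        samples = [s - 32768 for s in samples]   # shift unsigned centre to zero
    return struct.pack("<%dh" % len(samples), *samples)

if __name__ == "__main__":
    raw = constructed_stream()
    endian, signed = guess_format(raw)
    print("best guess: %s-endian, %s" % ("big" if endian == ">" else "little",
                                         "signed" if signed else "unsigned"))
    with open("channel.raw", "wb") as f:   # play with: sox -t raw -r 48000 -e signed -b 16 -c 1 channel.raw -d
        f.write(to_signed_le(raw, endian, signed))
```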

While this is not a complete reverse-engineering tutorial like this one, we think that it hits the high points: using a bunch of the right tools and some good hunches to figure out an obscure protocol.

Reverse Engineering a Blu-ray Drive for Laser Graffiti

There’s a whole lot of interesting mechanics, optics, and electronics inside a Blu-ray drive, and [scanlime] a.k.a. [Micah Scott] thinks those bits can be reused for some interesting projects. [Micah] is reverse engineering one of these drives, with the goal of turning it into a source of cheap, open source holograms and laser installations – something these devices were never meant to do. This means reverse engineering the 3 CPUs inside an external Blu-ray drive, making sense of the firmware, and making this drive do whatever [Micah] wants.

When the idea of reverse engineering a Blu-ray drive struck [Micah], she hopped on Amazon and found the most popular drive out there. It turns out, this is an excellent drive to reverse engineer – there are multiple firmware updates for this drive, an excellent source for the raw data that would be required to reverse engineer it.

[Micah]’s first effort to reverse engineer the drive seems a little bit odd; she turned the firmware image into a black and white graphic. Figuring out exactly what’s happening in the firmware with that is a fool’s errand, but by looking at the pure black and pure white parts of the graphic, [Micah] was able to guess where the bootloader was, and how the firmware image is segmented. In other parts of the code, [Micah] saw thin vertical lines she recognized as ARM code. In another section, thin horizontal black bands revealed code for an 8051. These lines are only a product of how each architecture accesses code, and really only something [Micah] recognizes from doing this a few times before.
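The first cut of that segmentation can be done numerically rather than by eye. This added Python example (not [Micah]’s tooling) walks a firmware image in fixed-size blocks, labels each block as padding (solid 0x00/0xFF), code, or packed (compressed or encrypted, near-uniform bytes) from its byte entropy, and prints a one-character-per-block map plus the resulting segment table. The image it analyses is synthetic and the 0.9 padding and 7.0 bit entropy thresholds are assumptions; telling ARM from 8051 still needs the architecture-specific eye the text describes.

```python
import math
import random
from collections import Counter

BLOCK = 1024  # bytes per cell of the map

def entropy(block):
    """Shannon entropy in bits per byte: 0 for a constant block, 8 for uniform bytes."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def classify(block):
    """Label a block the way the eye labels the black/white graphic."""
    pad = sum(1 for b in block if b in (0x00, 0xFF)) / len(block)
    if pad > 0.9:
        return "pad"        # solid black/white: erased flash or alignment fill
    if entropy(block) > 7.0:
        return "packed"     # nearly uniform bytes: compressed or encrypted data
    return "code"           # textured: instructions, tables, strings

def segments(image, block=BLOCK):
    """Collapse consecutive same-label blocks into (start, end, label) runs."""
    runs = []
    for off in range(0, len(image), block):
        label = classify(image[off:off + block])
        if runs and runs[-1][2] == label:
            runs[-1] = (runs[-1][0], off + block, label)
        else:
            runs.append((off, off + block, label))
    return runs

def ascii_map(image, block=BLOCK, width=64):
    """One character per block: '.' padding, '#' code, '*' packed data."""
    sym = {"pad": ".", "code": "#", "packed": "*"}
    cells = [sym[classify(image[o:o + block])] for o in range(0, len(image), block)]
    return "\n".join("".join(cells[i:i + width]) for i in range(0, len(cells), width))

def constructed_image():
    """Synthetic firmware (not a real dump): 4 KiB erased flash, 8 KiB opcode-like
    bytes from a small alphabet, 4 KiB pseudo-random data."""
    rng = random.Random(1)
    opcodes = b"\x00\x01\x02\x04\x08\x10\x20\x40\x47\xb5\xbd\xd0\xe0\xf0\x0f"
    code = bytes(rng.choice(opcodes) for _ in range(8192))
    packed = bytes(rng.getrandbits(8) for _ in range(4096))
    return b"\xff" * 4096 + code + packed

if __name__ == "__main__":
    img = constructed_image()
    print(ascii_map(img))
    for start, end, label in segments(img):
        print("0x%05x-0x%05x %s" % (start, end, label))
```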

The current state of the project is a backdoor that is able to upload new firmware to the drive. It’s in no way a complete project; only the memory for the ARM processor is running new code, and [Micah] still has no idea what’s going on inside some of the other chips. Still, it’s a start, and the beginning of an open source firmware for a Blu-ray drive.

While [Micah] wants to use these Blu-ray drives for laser graffiti, there are a number of other slightly more useful reasons for the build. With a DVD drive, you can hold a red blood cell in suspension, or use the laser inside to make graphene. Video below.


How To Reverse Engineer, Featuring the Rigol DS1054Z

For a few years now, the Rigol DS1052E has been the unofficial My First Oscilloscope™. It’s cheap, it’s good enough for most projects, and there have been a number of hacks and mods for this very popular scope to give it twice as much bandwidth and other interesting tools. The 1052E is a bit long in the tooth and Rigol has just released the long-awaited update, the DS1054Z. It’s a four-channel scope, has a bigger screen, more bells and whistles, and only costs $50 more than the six-year-old 1052E. Basically, if you’re in the market for a cheap, usable oscilloscope, scratch the ~52E off your list and replace it with the ~54Z.

With four channels of input, [Dave Jones] was wondering how the engineers at Rigol managed to stuff two additional front ends into the scope while still meeting the magic price point of $400. This means it’s time for [Dave] to reverse engineer the 1054Z, and give everyone on the Internet a glimpse at how a real engineer tears apart the work of other engineers.

The first thing [Dave] does once the board is out of the enclosure is to take nice, clear, in-focus pictures of both sides of the board. These pictures are edited, turned into a line drawing, and printed out on a transparency sheet. This way, both sides of the board can be viewed at once, allowing a few dry erase markers to highlight the traces and signals.

Unless your voyage on the sea of reverse engineering takes you to the island of despair and desoldering individual components, you’ll be measuring the values of individual components in circuit. For this, you’ll want a low-voltage ohms function on your meter; if you’re putting too much voltage through a component, you’ll probably turn on some silicon in the circuit, and your measurements will be crap. Luckily, [Dave] shows a way to test if your meter will work for this kind of work; you’ll need another meter.

From there, it’s basically looking at datasheets and drawing a schematic of the circuit; inputs go at the left, outputs at the right, ground is at the bottom, and positive rails are at the top. It’s harder than it sounds – most of [Dave]’s expertise in this area is just pattern recognition. It’s one thing to reverse engineer a circuit through brute force, but knowing the why and how of the circuit makes things much easier.


Reverse Engineering a Bathroom Scale for Automated Weight Tracking

[Darell] recently purchased a fancy new bathroom scale. Unlike an average bathroom scale, this one came with a wireless digital display. The user stands on the scale and the base unit transmits the weight measurement to the display using infrared signals. The idea is that you can place the display in front of your face instead of having to look down at your feet. [Darell] realized that his experience with infrared communication would likely enable him to hack this bathroom scale to automatically track his weight to a spreadsheet stored online.

[Darell] started by hooking up a 38 kHz infrared receiver unit to a logic analyzer. Then he recorded the one-way communication from the scale to the display. His experience told him that the scale was likely using pulse distance coding to encode the data. The scale would start each bit with a 500ms pulse. Then it would follow up with either another 500ms pulse, or a 1000ms pulse. Each combination represented either a 1 or a 0. The problem was, [Darell] didn’t know which was which. He also wasn’t sure in which order the bits were being transmitted. He modified a software plugin for his logic analyzer to display 1s and 0s on top of the waveform. He then made several configurable options so he could try the various representations of the data.

Next it was time to generate some known data. He put increasing amounts of weight on the scale and recorded the resulting data along with the actual reading on the display. Then he tried various combinations of display settings until he got what appeared to be hexadecimal numbers increasing in size. Then by comparing values, he was able to determine what each of the five bytes represented. He was even able to reconstruct the checksum function used to generate the checksum byte.

Finally, [Darell] used a Raspberry Pi to hook the scale up to the cloud. He wrote a Python script to monitor an infrared receiver for the appropriate data. The script also verifies the checksum to ensure the data is not corrupted. [Darell] added a small LED light to indicate when the reading has been saved to the Google Docs spreadsheet, so he can be sure his weight is being recorded properly.
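As an added example (not [Darell]’s script), here is a pulse-distance decoder in Python with the same knobs he built into his analyzer plugin: which pulse length means 1, and whether bytes arrive MSB- or LSB-first. `candidates` tries all four combinations against a checksum and keeps the ones that validate, which is how a five-byte frame with a checksum byte lets the captured data pick its own interpretation. The frame, the ±20% pulse tolerance and the checksum (a plain sum of the first four bytes, since the write-up does not give the real one) are assumptions.

```python
SHORT, LONG = 500, 1000   # pulse lengths quoted in the write-up (ms)

def encode(payload, long_is_one=True, msb_first=True):
    """(mark, space) pulse pairs for payload bytes: a SHORT mark starts every bit,
    and the following pulse is SHORT or LONG depending on the bit value."""
    pulses = []
    for byte in payload:
        order = range(7, -1, -1) if msb_first else range(8)
        for i in order:
            bit = (byte >> i) & 1
            pulses.append((SHORT, LONG if (bit == 1) == long_is_one else SHORT))
    return pulses

def symbol(duration, tol=0.2):
    """Snap a measured pulse to SHORT or LONG, within +/-20% (assumed tolerance)."""
    for ref in (SHORT, LONG):
        if abs(duration - ref) <= tol * ref:
            return ref
    raise ValueError("pulse of %s ms matches neither symbol" % duration)

def decode(pulses, long_is_one=True, msb_first=True):
    """Turn (mark, space) pairs back into bytes under one polarity/bit-order choice."""
    bits = []
    for mark, space in pulses:
        if symbol(mark) != SHORT:
            raise ValueError("every bit should start with a SHORT pulse")
        bits.append(int((symbol(space) == LONG) == long_is_one))
    if len(bits) % 8:
        raise ValueError("partial byte: %d bits" % len(bits))
    out = bytearray()
    for i in range(0, len(bits), 8):
        chunk = bits[i:i + 8] if msb_first else bits[i:i + 8][::-1]
        out.append(int("".join(map(str, chunk)), 2))
    return bytes(out)

def checksum_ok(frame):
    """ASSUMPTION: stand-in checksum, sum of the first four bytes mod 256 in the fifth;
    the write-up does not publish the scale's real function."""
    return len(frame) == 5 and sum(frame[:4]) % 256 == frame[4]

def candidates(pulses):
    """Try every polarity/bit-order combination; keep those whose checksum holds."""
    return {(p, m): decode(pulses, p, m) for p in (True, False) for m in (True, False)
            if checksum_ok(decode(pulses, p, m))}

# Constructed frame: four payload bytes plus the stand-in checksum (0x3d).
FRAME = bytes([0x01, 0x03, 0x39, 0x00, 0x3d])

if __name__ == "__main__":
    for (long_is_one, msb_first), frame in candidates(encode(FRAME)).items():
        print("long=1: %s, MSB first: %s -> %s" % (long_is_one, msb_first, frame.hex()))
```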

Reverse Engineering Altium Files

Several times in the last few weeks, I’ve heard people say, ‘this will be the last PCB I design in Eagle.’ That’s bad news for CadSoft, but if there’s one thing Eagle has done right, it’s their switch to an XML file format. Now anyone can write their own design tools for Eagle without mucking about with binary files.

Not all EDA software is created equal, and a lot of vendors use binary file formats as a way to keep their market share. Altium is one of the worst offenders, but by diving into the binary files it’s possible to reverse engineer these proprietary file formats into something nearly human-readable.

[dstanko]’s first step towards using an Altium file with his own tools was opening it up with a hex editor. Yeah, this is as raw as it can possibly get, but simply by scrolling through the file, he was able to find some interesting bits hanging around the file. It turns out, Altium uses something called a Compound Document File, similar to what Office uses for Word and PowerPoint files, to store all the information. Looking through the lens of this file format, [dstanko] found all the content was held in a stream called ‘FileHeader’, everything was an array of strings (yeah, everything is in text), and lines of text are separated by ‘|’ in name=value pairs.

With a little bit of code, [dstanko] managed to dump all these text records into a pseudo plain text format, then convert everything into JSON. You can check out all the code here.
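The record format described above is simple enough to parse in a few lines. This added Python example (not [dstanko]’s code) turns ‘|’-separated name=value records into dictionaries and then JSON, rejecting fields without an ‘=’ so a mis-split record is noticed rather than silently dropped. The sample records are constructed in that shape and are not taken from a real Altium FileHeader stream, which has to be extracted from the compound document first.

```python
import json

# Constructed records in the shape described above: one record per line,
# '|'-separated name=value fields with a leading '|'. Not a real Altium dump.
SAMPLE = """|RECORD=Component|DESIGNATOR=R1|FOOTPRINT=0603|VALUE=10k
|RECORD=Component|DESIGNATOR=C7|FOOTPRINT=0402|VALUE=100n
|RECORD=Net|NAME=VCC|PINS=R1-1,C7-1
"""

def parse_record(line):
    """One '|name=value|name=value' line -> dict. Values cannot contain '|' in this scheme."""
    rec = {}
    for field in line.strip().split("|"):
        if not field:
            continue                       # the leading '|' yields an empty field
        if "=" not in field:
            raise ValueError("field without '=': %r" % field)
        name, value = field.split("=", 1)  # split once: values may contain '='
        if name in rec:
            raise ValueError("duplicate field %r in record" % name)
        rec[name] = value
    return rec

def load_records(text):
    """Parse every non-empty line into a record dict, preserving order."""
    return [parse_record(line) for line in text.splitlines() if line.strip()]

def records_to_json(text):
    return json.dumps(load_records(text), indent=2)

if __name__ == "__main__":
    print(records_to_json(SAMPLE))
```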