Reverse-Engineering a Superior Chinese Product

It makes an Arduino look like a 555.  A 364 Mhz, 32 bit processor. 8 MB RAM. GSM. Bluetooth. LCD controller. PWM. USB and dozens more. Smaller than a Zippo and thinner than corrugated cardboard. And here is the kicker: $3. So why isn’t everyone using it? They can’t.

Adoption would mandate tier after tier of hacks just to figure out what exact hardware is there. Try to buy one and find that suppliers close their doors to foreigners. Try to use one, and only hints of incomplete documentation will be found. Is the problem patents? No, not really.

[Bunnie] has dubbed the phenomenon “Gongkai”, a type of institutionalized, collaborative, infringementesque knowledge-exchange that occupies an IP equivalent of bartering. Not quite open source, not quite proprietary. Legally, this sharing is only grey-market on paper, but widespread and quasi-accepted in practice – even among the rights holders. [Bunnie] figures it is just the way business is done in the East and it is a way that is encouraging innovation by knocking down barriers to entry. Chinese startups can churn out gimmicky trash almost on whim, using hardware most of us could only dream about for a serious project.

Continue reading “Reverse-Engineering a Superior Chinese Product”

Counting Transistors In The Playstation

Over in Russia there are a few people doing extremely in-depth technical teardowns, and the latest is one of the most ambitious ever seen. The PSXDEV team is tearing into the heart of the original PlayStation (Google translatrix), looking at 300,000 transistors, and re-implementing the entire console in a logic level simulator.

While the CPU in the PSX is unique to that specific piece of hardware, a lot of this custom silicon can be found in other places. The core – a RISC LSI LR33300 – is documented in a few rare tomes that are somehow available for free on the Internet. Other parts of this chip are a little stranger. There is a bizarre register that isn’t documented anywhere, a Bus Unit that handles the access between various devices and peripherals, and a motion picture decompressor.

The reverse engineering process begins by de-encapsulating the CPU, GPU, sound processing unit, and CD-ROM controller, taking very high magnification photos of the dies, and slowly mapping out the semiconductors and metals to figure out what cells do what function, how they’re connected, and what the big picture is. It’s a painstaking process that requires combing through gigabytes of die shots and apparently highlight gates, wires, and busses with MS Paint.

The end result of all this squinting at a monitor is turning tracings of chips into logic elements with Logisim. From there, the function of the CPU can be understood, studied, and yes, eventually emulated down to the gate level. It’s an astonishing undertaking, really.

If this sort of thing sounds familiar, you’re right: the same team behind PSXDEV is also responsible for a similar effort focused on the Nintendo Entertainment System. There, the CPU inside the NES – the Ricoh 2A03 – was torn down, revealing the 6502 core, APU, DMA, and all the extra bits that made this a custom chip.

Thanks [Rasz] for the tip.

Reverse Engineering a Robotic Arm

Not too many people will argue that Robot Arms aren’t cool. [Dan] thinks they are cool and purchased a LabVolt Armdroid robotic arm on eBay for a mere $150. Unfortunately, he did not get the power supply or the control unit. To most, this would a serious hurdle to overcome, but not for [Dan]. He opened up the robot and started probing around the circuit board to figure out what was going on.

Since there was a DB9 connector on the outside of the robot arm, he assumed it was a standard RS-232 controlled device. Good thing he checked the internal circuitry because this was not the case at all. There was no mircocontroller or microprocessor found inside.  [Dan] painstakingly reversed engineered the circuit board and documented his results. He found that there were SN76537A chips that drove the 6 unipolar stepper motors and SN75HC259 latches to address each individual motor.

Now knowing how the robot works, [Dan] had to figure out how to control the robot from his computer. He started by making a custom Parallel Port to DB9 cable to connect the computer to the arm. After a series of several programs, starting with simply moving just one arm joint, the latest iteration allows manual control of all joints using the computer keyboard. A big ‘Thanks’ goes out to [Dan] for all his work and documentation.


Reverse Engineering Super Animal Cards

If you don’t have a niece or nephew we encourage you to get one because they provide a great excuse to take apart kids’ toys.

[Sam] had just bought some animal-themed trading cards. These particular cards accompany a card-reader that uses barcodes to play some audio specific to each animal when swiped. So [Sam] convinces her niece that they should draw their own bar codes. Of course it’s not that easy: the barcodes end up having even and odd parity bits tacked on to verify a valid read. But after some solid reasoning plus trial-and-error, [Sam] convinces her niece that the world runs on science rather than magic.

But it can’t end there; [Sam] wants to hear all the animals. Printing out a bunch of cards is tedious, so [Sam] opens up the card reader and programs and Arduino to press a button and blink an IR LED to simulate a card swipe. (Kudos!) Now she can easily go through all 1023 possible values for the animal cards and play all the audio tracks, and her niece gets to hear more animal sounds than any child could desire.

Along the way, [Sam] found some interesting non-animal sounds that she thinks are Easter eggs but we would wager are for future use in a contest or promotional drawing or something similar. Either way, its great fun to get to listen in on more than you’re supposed to. And what better way to educate the next generation of little hackers than by spending some quality time together spoofing bar codes with pen and paper?

Five Dollar RF Controlled Light Sockets

This is tens of thousands of dollars worth of market research I’m about to spill, so buckle up. I have a spreadsheet filled with hundreds of projects and products that are solutions to ‘home automation’ according to their creators. The only common theme? Relays. Home automation is just Internet connected relays tied to mains. You’re welcome.

[Todd] over at found an interesting home automation appliance on Amazon; a four-pack of remote control light sockets for $20, or what we would call a microcontroller, an RF receiver, and a relay. These lamp sockets are remote-controlled, but each package is limited to four channels. Terrible if you’re trying to outfit a home, but a wonderful exploration into the world of reverse engineering.

After cracking one of these sockets open, [Todd] found the usual suspects and a tiny little 8-pin DIP EEPROM. This chip stores a few thousand bits, several of which are tied to the remote control. After dumping the contents of the EEPROM from the entire four-pack of light sockets, [Todd] noticed only one specific value changed. Obviously, this was the channel tied to the remote. No CRC or ‘nothin. It doesn’t get easier than this.

With the new-found knowledge of what each lamp socket was looking for, [Todd] set out to clone the transmitter. Tearing this device apart, he found a chip with HS1527 stamped on it. A quick Googling revealed this to be an encoder transmitter, with the datasheet showing an output format of a 20-bit code and four data bits. This was a four-channel transmitter, right? That’s where you put each channel. The 20-bit code was interesting but not surprising; you don’t want one remote being able to turn of every other 4-pack of lamp sockets.

With all the relevant documentation, [Todd] set out to do the obvious thing – an Arduino transmitter. This was simply an Arduino and a transmitter in the right frequency, loaded up with bit of carefully crafted code. [Todd] also figured out how to expand his setup to more than four lamp sockets – by changing the 20-bit code, he could make his Arduino pretend to be more than one transmitter.

With Arduino-controlled lamp sockets, the world is [Todd]’s oyster. He can add Ethernet, WiFi, Bluetooth LE, and whatever trendy web front end he wants to have a perfect home automation setup. It’s actually a pretty impressive build with some great documentation, and is probably the cheapest way to add Arduino/Internet-enabled relays we’ve ever seen.


Protocol Snooping Digital Audio

More and more clubs are going digital. When you go out to hear a band, they’re plugging into an ADC (analog-to-digital converter) box on stage, and the digitized audio data is transmitted to the mixing console over Ethernet. This saves the venue having to run many audio cables over long distances, but it’s a lot harder to hack on. So [Michael] trained popular network analysis tools on his ProCo Momentum gear to see just what the data looks like.

[Michael]’s writeup of the process is a little sparse, but he name-drops all the components you’d need to get the job done. First, he simply looks at the raw data using Wireshark. Once he figured out how the eight channels were split up, he used the command-line version (tshark) and a standard Unix command-line tool (cut) to pull the data apart. Now he’s got a text representation for eight channels of audio data.

Using xxd to convert the data from text to binary, he then played it using sox to see what it sounded like. No dice, yet. After a bit more trial and error, he realized that the data was unsigned, big-endian integers.  He tried again, and everything sounded good. Success!

While this is not a complete reverse-engineering tutorial like this one, we think that it hits the high points: using a bunch of the right tools and some good hunches to figure out an obscure protocol.

Reverse Engineering a Blu-ray Drive for Laser Graffiti

There’s a whole lot of interesting mechanics, optics, and electronics inside a Blu-ray drive, and [scanlime] a.k.a. [Micah Scott] thinks those bits can be reused for some interesting project. [Micah] is reverse engineering one of these drives, with the goal of turning it into a source of cheap, open source holograms and laser installations – something these devices were never meant to do. This means reverse engineering the 3 CPUs inside an external Blu-ray drive, making sense of the firmware, and making this drive do whatever [Micah] wants.

When the idea of reverse engineering a Blu-ray drive struck [Micah], she hopped on Amazon and found the most popular drive out there. It turns out, this is an excellent drive to reverse engineer – there are multiple firmware updates for this drive, an excellent source for the raw data that would be required to reverse engineer it.

[Micah]’s first effort to reverse engineer the drive seems a little bit odd; she turned the firmware image into a black and white graphic. Figuring out exactly what’s happening in the firmware with that is a fool’s errand, but by looking at the pure black and pure white parts of the graphic, [Micah] was able guess where the bootloader was, and how the firmware image is segmented. In other parts of the code, [Micah] saw thing vertical lines she recognized as ARM code. In another section, thin horizontal black bands revealed code for an 8051. These lines are only a product of how each architecture accesses code, and really only something [Micah] recognizes from doing this a few times before.

The current state of the project is a backdoor that is able to upload new firmware to the drive. It’s in no way a complete project; only the memory for the ARM processor is running new code, and [Micah] still has no idea what’s going on inside some of the other chips. Still, it’s a start, and the beginning of an open source firmware for a Blu-ray drive.

While [Micah] want’s to use these Blu-ray drives for laser graffiti, there are a number of other slightly more useful reasons for the build. With a DVD drive, you can hold a red blood cell in suspension, or use the laser inside to make graphene. Video below.

Continue reading “Reverse Engineering a Blu-ray Drive for Laser Graffiti”