Reverse Engineering Reveals Hidden API In Abandonware Trail Camera

It sometimes seems like there are two kinds of cheap hardware devices: those dependent on proprietary software that is no longer available and those that are equally dependent but haven’t been abandoned quite yet. But rest assured, abandonment is always on the table, and until then, you get to deal with poorly written apps that often suffer from a crippling lack of essential functionality.

Such was the case for the wireless game camera that [Chris Jones] scored on the cheap, but rather than suffering with the original software, he decided to reverse engineer the camera and turn it into something more useful. The eBay description was promising — Bluetooth LE! WiFi! — but the reality proved less so. To save the batteries, WiFi is off by default and can only be turned on by connecting to the camera via BLE using a janky and crash-prone Android app.

[Chris]’ first step in reverse engineering the camera was to snoop into the BLE by capturing the Bluetooth packets to a file and running them through Wireshark. This revealed a write command with the text “BT_KEY_ON” — very promising. After verifying that this command turned on the camera’s access point, [Chris] got to work capturing WiFi packets using PCAPDroid and analyzing the results, again with Wireshark. Using every function available in the OEM app eventually revealed the full API on the camera, which gives file system control, access to individual images, and even putting the camera into live video mode.


Modern Software Brings Back The Timex Datalink

As much as some people on the Internet might like to think — no, Apple did not come up with the idea of the smart watch. Even if you ignore the calculator watches that we imagine a full 60% of Hackaday readers wore at one time or another in their lives, the Timex Datalink was already syncing with computers and pulling down the user’s list of appointments back in 1994 by decoding the pulses of light produced by a CRT monitor. Hey, it sounded like a good idea at the time.

Unfortunately, this idea hasn’t aged well. The technique doesn’t work on more modern displays, and naturally the companion software to generate the flashing patterns was written for Windows 3.1. But thanks to the reverse engineering efforts of [Synthead], you can now sync any version of the Timex Datalink to your computer using nothing more complex than the onboard LED of the Teensy LC or Raspberry Pi Pico.

There are actually several different projects working together to make this happen. In place of a CRT, there was an official “Timex Datalink Notebook Adapter” back in the day that was designed to be used on laptops and featured a single blinking LED. That’s what [Synthead] has recreated with timex-datalink-arduino, allowing a microcontroller to stand in for this gadget and featuring 100% backwards compatibility with the original Datalink software.

Appointment data is loaded from a text file.

But since you’re probably not rocking Windows 3.1 anymore, having access to that software is far from a given. That’s why [Synthead] also created timex_datalink_client, which is a Ruby library that lets you generate data fit for upload into the Timex Datalink. At the time of this writing there doesn’t seem to be a friendly user interface (graphical or otherwise) for this software, but it’s easy enough to feed data into it using plain-text configuration files.

Helpfully [Synthead] provides screenshots of information loaded into the original software, followed by a config file example that accomplishes the same thing. It looks like writing some glue code that pulls your schedule from whatever service you fancy and formats it for the Datalink client should be relatively simple.

We’ve previously seen projects that got the Timex Datalink synced without the need for a CRT, but they still required the original software. To our knowledge, this is the first complete implementation of the Datalink protocol that doesn’t rely on any original hardware or software. Expect eBay prices to go up accordingly.

Sniffing Passwords, Rickrolling Toothbrushes

If you could dump the flash from your smart toothbrush and reverse engineer it, enabling you to play whatever you wanted on the vibrating motor, what would you do? Of course there’s no question: you’d never give up, or let down. Or at least that’s what [Aaron Christophel] did.

But that’s just the victory lap. The race began with previous work by [Cyrill Künzi], who figured out that the NFC chip inside was used for a run-time counter, and managed to reset it by sniffing the password with an SDR as it was being transmitted. A great hack to be sure, but it only works for people with their own SDR setup.

With the goal of popularizing toothbrush-head-NFC-hacking, [Aaron] busted open the toothbrush itself, found the debug pins, dumped the flash, and got to reverse engineering. A pass through Ghidra got him to where the toothbrush reads the NFC tag ID from the toothbrush head. But how does it get from the ID to the password? It turns out that it runs a CRC on a device UID from the NFC tag itself and also a manufacturer’s string found in the NFC memory, and scramble-combines the two CRC values.

Sounds complicated, but the NFC UID can be read with a cellphone app, and the manufacturer’s string is also printed right on the toothbrush head itself for your convenience. Armed with these two numbers, you can calculate the password, and convince your toothbrush head that it’s brand new, all from the comfort of your smartphone! Isn’t technology grand?

We’re left guessing a little bit about the Rickroll hack, but we’d guess that once [Aaron] had the debug pins on the toothbrush’s microcontroller, he just couldn’t resist writing and flashing in a custom firmware. Talk about dedication.

[Aaron] has been doing extensive work on e-paper displays, but his recent work on the Sumup payment terminal is a sweet look at hacking into higher security devices with acupuncture needles.


Conductive Gel Has Potential

Some technologies first imagined in the Star Trek universe have already come to exist in the modern day. Communicators, tablet computers, and computer voice recognition are nearly as good as seen in the future, and other things like replicators and universal translators are well on their way. Star Trek: Voyager introduced a somewhat ignored piece of futuristic technology, the bio-neural gel pack. Supposedly, the use of an organic gel improved the computer processing power on the starship. This wasn’t explored too much on the series, but [Tom] is nonetheless taking the first steps to recreating this futuristic technology by building circuitry using conductive gel.

[Tom]’s circuitry relies on the fact that salts in a solution can conduct electricity, so in theory filling a pipe or tube with a saline solution should function similarly to a wire. He’s also using xanthan gum to increase viscosity. While the gel mixture doesn’t have quite the conductivity of copper, with a slight increase in the supplied voltage to the circuit it’s easily able to be used to light LEDs. Unlike copper, however, these conductive gel-filled tubes have some unique properties. For example, filling a portion of the tube with conductive gel and the rest with non-conductive mineral oil and pushing and pulling the mixture through the tube allows the gel to move around and engage various parts of a circuit in a way that a simple copper wire wouldn’t be able to do.

In this build specifically, [Tom] is using a long tube with a number of leads inserted into it, each of which corresponds to a number on a nixie tube. By moving the conductive gel, surrounded by mineral oil, back and forth through the tube at precise intervals, each of the numbers on the nixie tube can be selected. It’s not yet quite as good as the computer imagined in Voyager but it’s an interesting concept nonetheless, not unlike this working replica of a communicator badge.


PCMCIA Flash Card Gives Up Its Secrets Thanks To Retro Gear

There are two ways to recover data from an obsolete storage medium. One way is to pull out all the tools in the hacker’s kit — with logic analyzers, oscilloscopes, and bit-banged software in a desperate attempt to reverse engineer the original protocol. The other way is to have a really, really deep junk bin that just happens to contain exactly the right pieces that would have been used decades ago.

For recovering data from a 25-year-old PCMCIA memory card, [Dave] from Vintage Apparatus chose the latter method. But to be fair, characterizing the stash of gear he had to select from as a “junk bin” is pretty insulting. It’s more like a museum of retro technology, which just so happened to hold a Toshiba Libretto, a subnotebook computer hailing from the late 1990s. The machine sports a pair of PCMCIA slots and was just the thing to read the data from the old 32 MB SanDisk flash card, which once lived in a backpack-mounted GPS system for surveyors.

If this hack sounds as easy as plugging things into an old computer, you’d be right — if you just happen to have a stack of floppies containing the Windows 98 drivers for said things. So [Dave]’s task became a game of finding the right combination of cards that already had the drivers installed and would provide the connectivity needed to get the data off the flash card. Between a suspiciously crunchy-sounding floppy drive and an Ethernet card dongle badly in need of some contact cleaner, cobbling together the right hardware was a bit of a chore. After that, a lot of the hack was [Dave] just remembering how we used to do things back in the day, with the eventual solution being transferring over the files to an FTP server on a Raspberry Pi.

The video below tells the whole saga, but the real treat might just be the Vintage Apparatus collection of gear. Incidentally, we really like [Dave]’s idea for storing associated bits and bobs.


Crab Shells Massively Improve Zinc-Ion Batteries

In the fast-moving world of battery research, scientists are constantly on the lookout for innovative materials with the right properties to help improve energy storage. Meanwhile, batteries are in greater demand than ever as production of EVs and renewable energy projects ramp up to new heights.

In the hunt for new and better battery materials, scientists found an unexpected hero: crab shells. Researchers at the University of Maryland have uncovered a remarkable breakthrough by exploring their use in battery production.


Tesla Door Phone Decoded (Not That Tesla)

[Danman] has digital door phones manufactured by Tesla, or at least a Tesla, as they’re not to be confused with the carmaker. The problem is that if someone comes to the door when no one’s home, there’s no remote indicator. The answer? Reverse engineer the protocol and fix it.

A quick dump on a storage scope showed the data clearly, but it wasn’t obvious what protocol it was using. After a little analysis, the datastream proved to use 4 PWM pulses as symbols, with three symbols: one, zero, and a stuffing sequence.

Once you can read the bits, it is easy to determine that each frame consists of a 16-bit destination and source address, along with a command byte and a checksum byte. Each station can have an ID from 000 to 999 although you can only dial up to number 323. Some nodes are special, and there are ways to address particular units.

Connecting to the hardware took a transformer for isolation. Honestly, unless you have this exact hardware, this isn’t likely to be something you can directly use. However, it is a great example of how you can figure out a specialized device and bend it to your will.

We love reverse engineering projects. In some cases, it is easier if you have a CT scan.