A render of the USB Blaster, showing all the major parts

The Cheapest USB Blaster Ever, Thanks To CH552

Here’s a CH552G-based USB Blaster project from [nickchen] in case you needed more CH552G in your life, which you absolutely do. It gives you the expected IDC-10 header ready for JTAG, AS, and PS modes. What’s cool, it fits into the plastic shell of a typical USB Blaster, too!

The PCB is flexible enough, and has all the features you’d expect – a fully-featured side-mounted IDC-10 header, two LEDs, a button for CH552 programming mode, and even a UART header inside the case. There’s an option to add level shifter buffers, too – but you don’t have to populate them if you don’t want to do that for whatever reason! The Hackaday.io page outlines all the features you are getting, though you might have to ask your browser to translate from Chinese.

Sadly, there’s no firmware or PCB sources – just schematics, .hex, BOM, and Gerber .zip, so you can’t fix firmware bugs, or add the missing USB-C pulldowns. Nevertheless, it’s a cool project and having the PCB for it is lovely, because you never know when you might want to poke at an FPGA on short notice. Which is to say, it’s yet another CH552 PCB you ought to put in your PCB fab’s shopping cart! This is not the only CH552G-based programming dongle that we’ve covered – here’s a recent Arduino programmer that does debugWire, and here’s like a dozen more different CH552G boards, programmers and otherwise.

Wireshark screenshot with QCSuper-produced packets streaming into it; QCSuper script running in an adjacent terminal

Turn Your Qualcomm Phone Or Modem Into Cellular Sniffer

If you thought repurposing DVB-T dongles for generic software defined radio (SDR) use was cool, wait until you see QCSuper, a project that re-purposes phones and modems to capture raw 2G/3G/4G/5G. You have to have a Qualcomm-based device, it has to either run rooted Android or be a USB modem, but once you find one in your drawers, you can get a steady stream of packets straight into your Wireshark window. No more expensive SDR requirement for getting into cellular sniffing – at least, not unless you are debugging some seriously low-level issues.

It appears there’s a Qualcomm-specific diagnostic port you can access over USB, which this software makes use of. The 5G capture support is currently situational, but 2G/3G/4G capabilities seem to be pretty stable. And there’s a good few devices in the “successfully tested” list – given the way this software functions, chances are, your device will work! Remember to report whether it does or doesn’t, of course. Also, the project is seriously rich in instructions – whether you’re using Linux or Windows, it appears you won’t be left alone debugging any problems you might encounter.

This is a receive-only project, so, legally, you are most likely allowed to have fun — at least, it would be pretty complicated to detect that you are, unlike with transmit-capable setups. Qualcomm devices have pretty much permeated our lives, with Qualcomm chips nowadays used even in the ever-present SimCom modules, like the modems used in the PinePhone. Wondering what a sniffer could be useful for? Well, for one, if you ever need to debug a 4G base station you’ve just set up, completely legally, of course.

The board shown in real life, top and bottom, showing the pinout and alternate functions silkscreened.

A CH552G Devboard In Case You Missed It

We might just never get tired of covering cool small cheap MCUs, and CH552G sure fits this description. Just so you know, here’s a Hackaday.io project you should check out – a CH552G devboard that’s as simple as it is sufficient, in case you needed a tangible reminder that this chip exists, has a lively community, and is very much an option for your projects.

The devboard design by [Dylan Turner] is so straightforward, it’s almost inspiring – a square of PCB with the chip in the center and plenty of empty space for your mods. Everything is open-source with KiCad sources stored on GitHub. The most lovely aspect of this board, no doubt, is having the pin mapping written on the bottom, with all the alternate pin functions – you won’t have to constantly glance at the datasheet while wiring this one up. Plus, of course, there’s the microUSB port for programming, and the programming mode button that a few CH552 projects tend to lack.

It’s simple, it’s self-documenting, it’s breadboardable, and it’s definitely worth putting into the shopping cart at your PCB fab of choice. Oh, and there are bringup instructions on GitHub, in case you need them. Whether you want to prototype the cheapest macropad or keyboard ever, or perhaps a reflow hotplate, the CH552 delivers. If these CH552 projects aren’t enough to light your fire, here are a dozen more.

The ROM programmer on display, with an OLED screen attached

Relatively Universal ROM Programmer Makes Retro Tech Hacking Accessible

There are treasures hidden in old technology, and you deserve to be able to revive it. Whether it’s old personal computer platforms, vending machines, robot arms, or educational kits based on retro platforms, you will need to work with parallel EEPROM chips at some point. [Anders Nielsen] was about to do just that, when he found out that a TL866, a commonly used programmer kit for such ROMs, would cost an entire $70 – significantly raising the budget of any hacking that involves parallel ROMs. After months of work, he is happy to bring us a project – the Relatively Universal ROM Programmer, an open-source parallel ROM programmer board that you can easily assemble or buy.

Designed in the Arduino shield format, there’s a lot of care and love put into making this board as universal as reasonably possible, so that it fits any of the old flash chips you might want to flash – whether it’s an old UV-erasable ROM that wants a voltage up to 30 V to be written, or the newer 5 V-friendly chips. You can use ICs with pin count from 24 to 32 pins, it’s straightforward to use a ZIF socket with this board, there’s LED indication and silkscreen markings so that you can see and tweak the programming process, and it’s masterfully optimized for automated assembly.

You can breadboard this programmer platform as we’ve previously covered, you can assemble your own boards using the open-source files, and if you don’t want to do either, you can buy the assembled boards from [Anders Nielsen] too! The software is currently a work in progress, since that’s part of the secret sauce that makes the $70 programmers tick. You do need to adjust the programming voltage manually, but that can be later improved with a small hardware fix. In total, if you just want to program a few ROM chips, this board saves you a fair bit of money.

A standard-compliant MXM card installed into a laptop, without heatsink

MXM: Powerful, Misused, Hackable

Today, we’ll look into yet another standard in the embedded space: MXM. It stands for “Mobile PCI Express Module”, and is basically intended as a GPU interface for laptops with PCIe, but there’s way more to it – it can work for any high-power high-throughput PCIe device, with a fair few DisplayPort links if you need them!

You will see MXM sockets in older generations of laptops, barebones desktop PCs, servers, and even automotive computers – certain generations of Tesla cars used to ship with MXM-socketed Nvidia GPUs! Given that GPUs are in vogue today, it pays to know how you can get one in a low-profile form factor and avoid putting a giant desktop GPU inside your device.

I only had a passing knowledge of the MXM standard until a bit ago, but my friend, [WifiCable], has been playing with it for a fair bit now. On a long Discord call, she guided me through all the cool things we should know about the MXM standard, its history, compatibility woes, and hackability potential. I’ve summed all of it up into this article – let’s take a look!

This article has been written based on info that [WifiCable] has given me, and it’s also certainly not the last one where I interview a hacker and condense their knowledge into a writeup. If you are interested, let’s chat!

Human-Interfacing Devices: HID Over I2C

In the previous two HID articles, we talked about stealing HID descriptors, learned about a number of cool tools you can use for HID hacking on Linux, and created a touchscreen device. This time, let’s talk about an underappreciated HID standard, but one that you might be using right now as you’re reading this article – I2C-HID, or HID over I2C.

HID as a protocol can be tunneled over many different channels. If you’ve used a Bluetooth keyboard, for instance, you’ve used tunneled HID. For about ten years now, I2C-HID has been heavily present in the laptop space; it was initially used in touchpads, later in touchscreens, and now also in sensor hubs. Yes, you can expose sensor data over HID, and if you have a clamshell (foldable) laptop, that’s how the rotation-determining accelerometer exposes its data to your OS.

This capacitive touchscreen controller is not I2C-HID, even though it is I2C. By [Raymond Spekking], CC-BY-SA 4.0

Not every I2C-connected input device is I2C-HID. For instance, if you’ve seen older tablets with I2C-connected touchscreens, don’t get your hopes up, as they likely don’t use HID – it’s just a complex-ish I2C device, with enough proprietary registers and commands to drive you crazy even if your logic analysis skills are on point. I2C-HID is nowhere near that, and it’s also way better than the PS/2 we used before – an x86-only interface with limited capabilities, already almost extinct from even x86 boards, and further threatened in this increasingly RISCy world. I2C-HID is low-power, especially compared to USB, as capable as HID goes, compatible with existing HID software, and ubiquitous enough that you surely already have an I2C port available on your SBC.

In the modern world of input devices, I2C-HID is spreading, and the coolest thing is that it’s standardized. The standardization means a lot of great things for us hackers. For one, unlike all of those I2C touchscreen controllers, I2C-HID devices are easier to reuse; as much as information on them might be lacking at the moment, that’s what we’re combating right now as we speak! If you are using a recent laptop, the touchpad is most likely I2C-HID. Today, let’s take a look at converting one of those touchpads to USB HID.


The mod as installed into the handheld, complete with the custom 3D-printed back, with a screwdriver being used to install one of the screws

A ROG Ally Battery Mod You Ought To Try

Today’s hack is an unexpected but appreciated contribution from members of the iFixit crew, published by [Shahram Mokhtari]. This is a mod for the ROG Ally, the Asus-produced handheld gaming console, that has you upgrade the battery to an aftermarket battery from an Asus laptop to double your battery life (40 Wh to 88 Wh).

There are two main things you need to do: replace the back cover with a 3D printed version that accommodates the new battery, and move the battery wires into the shell of an old connector. No soldering or crimping needed — just take the wires out of the old connector, one by one, and put them into a new connector. Once that is done and you reassemble your handheld, everything just works; the battery is recognized by the OS, can be charged, runs the handheld wonderfully all the same, and the only downside is that your ROG Ally becomes a bit thicker.
