Reverse-Engineering Aleratec CD Changers For Archival Use

September 14, 2025 by 15 Comments

Handling large volumes of physical media can be a bit of a chore, whether it’s about duplication or archiving. Fortunately this is a perfect excuse for building robotic contraptions, with the robots for handling optical media being both fascinating and mildly frustrating. When [Shelby Jueden] of Tech Tangents fame was looking at using these optical media robots for archival purposes, the biggest hurdle turned out to be with the optical drives, despite these Aleratec units being primarily advertised for disc duplication.

Both of the units are connected to a PC by USB, but operate mostly standalone, with a documented protocol for the basic unit that makes using it quite easy to use for ripping. This is unlike the larger, triple-drive unit, which had no documented protocol. This meant having to sniff the USB traffic that the original, very limited, software sends to the robot. The protocol has now been documented and published on theĀ Tech Tangents Wiki for this Aleratec Auto Publisher LS.

Where [Shelby] hit a bit of a brick wall was with mixed-media discs, which standalone DVD players are fine with, but typical IDE/SATA optical drives often struggle with. During the subsequent search for a better drive, the internals of the robot were upgraded from IDE to SATA, but calibrating the robot for the new drives led [Shelby] down a maddening cascade of issues. Yet even after making one type of drive work, the mixed-media issue reared its head again with mixed audio and data, leaving the drive for now as an imperfect, but very efficient, ripper for game and multimedia content, perhaps until the Perfect Optical Drive can be found.

Continue reading “Reverse-Engineering Aleratec CD Changers For Archival Use”

Reverse-Engineering The Milwaukee M18 Diagnostics Protocol

September 14, 2025 by 19 Comments

As is regrettably typical in the cordless tool world, Milwaukee’s M18 batteries are highly proprietary. Consequently, this makes them a welcome target for reverse-engineering of their interfaces and protocols. Most recently the full diagnostic command set for M18 battery packs were reverse-engineered by [ToolScientist] and others, allowing anyone to check useful things like individual cell voltages and a range of statistics without having to crack open the battery case.

These results follow on our previous coverage back in 2023, when the basic interface and poorly checksummed protocol was being explored. At the time basic battery management system (BMS) information could be obtained this way, but now the range of known commands has been massively expanded. This mostly involved just brute-forcing responses from a gaggle of battery pack BMSes.

Interpreting the responses was the next challenge, with responses like cell voltage being deciphered so far, but serial number and the like being harder to determine. As explained in the video below, there are many gotchas that make analyzing these packs significantly harder, such as some reads only working properly if the battery is on a charger, or after an initial read.

Continue reading “Reverse-Engineering The Milwaukee M18 Diagnostics Protocol”

Reverse Engineering A Robot Mower’s Fence

September 10, 2025 by 19 Comments

There are a variety of robot mower systems on the market employing different navigation methods, and [Eelco] has the story of how one of these was reverse engineered. Second hand Roomba lawnmowers kept appearing for very low prices without the electronics driving the buried-wire fence that keeps them from going astray. The story of their reverse engineering provides us with a handy insight into their operation.

The wire fence is a loop of wire in the ground, so it was modeled using a few-ohm resistor and the waveform across it from a working driver captured with an oscilloscope. The resulting 3 kHz waveform surprisingly to us at least doesn’t appear to encode any information, so it could be replicated easily enough with an ESP32 microcontroller. An LM386 audio amplifier drives the loop, and with a bit of amplitude adjustment the mower is quite happy in its fake fence.

Robot mower hacking has become quite the thing around here.

Reverse Engineering A (Toy) Fire Engine

September 6, 2025 by 3 Comments

Your kid has a toy remote control fire truck. You have an RTL SDR. See where this is going? [Jacob] couldn’t resist tearing into the why and how of the truck’s remote control protocol.

The entire process began with a basic GNU Radio setup to determine the exact frequency of the signal. Then a little analysis suggested that it might be using amplitude shift keying. That is, the information is in the amplitude of the signal, where one possible amplitude is completely off in some cases.

Continue reading “Reverse Engineering A (Toy) Fire Engine”

Reverse-Engineering Mystery TV Equipment: The Micro-Scan

September 3, 2025 by 12 Comments

[VWestlife] ended up with an obscure piece of 80s satellite TV technology, shown above. The Micro-Scan is a fairly plan metal box with a single “Tune” knob on the front. At the back is a power switch and connectors for TV Antenna, TV Set, and “MW” (probably meaning microwave). There’s no other data. What was this, and what was it for?

Satellite TV worked by having a dish receive microwave signals, but televisions could not use those signals directly. A downconverter was needed to turn the signal into something an indoor receiver box (to which the television was attached) could use, allowing the user to select a channel to feed into the TV.

At first, [VWestlife] suspected the Micro-Scan was a form of simple downconverter, but that turned out to not be the case. Testing showed that the box didn’t modify signals at all. Opening it up revealed the Micro-Scan acts as a combination switchbox and variable power supply, sending a regulated 12-16 V (depending on knob position) out the “MW” connector.

So what is it for, and what does that “Tune” knob do? When powered off, the Micro-Scan connected the TV (plugged into the “TV Set” connector) to its normal external antenna (connected to “TV Antenna”) and the TV worked like a normal television. When powered on, the TV would instead be connected to the “MW” connector, probably to a remote downconverter. In addition, the Micro-Scan supplied a voltage (the 12-16 V) on that connector, which was probably a control voltage responsible for tuning the downconverter. The resulting signal was passed unmodified to the TV.

It can be a challenge to investigate vintage equipment modern TV no longer needs, especially hardware that doesn’t fit the usual way things were done, and lacks documentation. If you’d like to see a walkthrough and some hands-on with the Micro-Scan, check out the video (embedded bel0w).

Continue reading “Reverse-Engineering Mystery TV Equipment: The Micro-Scan”

Battery Repair By Reverse Engineering

August 26, 2025 by 28 Comments

Ryobi is not exactly the Cadillac of cordless tools, but one still has certain expectations when buying a product. For most of us “don’t randomly stop working” is on the list. Ryobi 18-volt battery packs don’t always meet that expectation, but fortunately for the rest of us [Badar Jahangir Kayani] took matters into his own hands and reverse-engineered the pack to find all the common faults– and how to fix them.

[Badar]’s work was specifically on the Ryobi PBP005 18-volt battery packs. He’s reproduced the schematic for them and given a fairly comprehensive troubleshooting guide on his blog. The most common issue (65%) with the large number of batteries he tested had nothing to do with the cells or the circuit, but was the result of some sort of firmware lock.

It isn’t totally clear what caused the firmware to lock the batteries in these cases. We agree with [Badar] that it is probably some kind of glitch in a safety routine. Regardless, if you have one of these batteries that won’t charge and exhibits the characteristic flash pattern (flashing once, then again four times when pushing the battery test button), [Badar] has the fix for you. He actually has the written up the fix for a few flash patterns, but the firmware lockout is the one that needed the most work.

[Badar] took the time to find the J-tag pins hidden on the board, and flash the firmware from the NXP micro-controller that runs the show. Having done that, some snooping and comparison between bricked and working batteries found a single byte difference at a specific hex address. Writing the byte to zero, and refreshing the firmware results in batteries as good as new. At least as good as they were before the firmware lock-down kicked in, anyway.

He also discusses how to deal with unbalanced packs, dead diodes, and more. Thanks to the magic of buying a lot of dead packs on e-Bay, [Badar] was able to tally up the various failure modes; the firmware lockout discussed above was by far the majority of them, at 65%. [Badar]’s work is both comprehensive and impressive, and his blog is worth checking out even if you don’t use the green brand’s batteries. We’ve also embedded his video below if you’d rather watch than read and/or want to help out [Badar] get pennies from YouTube monetization. We really do have to give kudos for providing such a good write up along with the video.

This isn’t the first attempt we’ve seen at tearing into Ryobi batteries. When they’re working, the cheap packs are an excellent source of power for everything from CPap machines to electric bicycles.

Thanks to [Badar] for the tip.

Continue reading “Battery Repair By Reverse Engineering”

TDA7000 die shot, with labels. Credit: Ken Shirriff

Reverse-Engineering The TDA7000 FM Radio Receiver IC

August 3, 2025 by 5 Comments
A wristwatch featuring the TDA7000 FM radio receiver IC. (Credit: Philips Technical Review)
A wristwatch featuring the TDA7000 FM radio receiver IC. (Credit: Philips Technical Review)

During the 1980s a lot of consumer devices suddenly got a lot smaller as large-scale integration using semiconductor technology took off. This included radios, with Philips’ TDA7000 FM radio receiver IC being the first to cram most of what you’d need for an FM radio receiver into a single chip. Recently, [Ken Shirriff] had a poke at analyzing a die shot of the TDA7000, reverse-engineering its functional blocks. How did the Philips engineers manage to miniaturize an FM radio? [Ken] will show you.

Continue reading “Reverse-Engineering The TDA7000 FM Radio Receiver IC”