Reverse Engineering

318 Articles

DOOM On A Fancy Smart Toaster

April 15, 2026 by 5 Comments

Although toasters should be among the most boring appliances in a household – with perhaps just a focus on making their toasting more deterministic rather than somewhere between ‘still frozen’ and ‘charcoal’ – somehow companies keep churning out toasters that just add very confusing ‘smart’ features. Of course, if a toaster adds a big touch screen and significant processing power, you may as well run DOOM on it, as was [Aaron Christophel]’s reflexive response.

While unboxing the Aeco Toastlab Elite toaster, [Aaron] is positively dumbfounded that they didn’t also add WiFi to the thing. Although on the bright side, that should mean no firmware updates being pushed via the internet. During the disassembly it can be seen that there’s an unpopulated pad for a WiFi chip and an antenna connection, making it clear that the PCB is a general purpose PCB that will see use in other appliances.

The SoC is marked up as a K660L with an external flash chip. Dumping the firmware is very easy, with highly accessible UART that spits out a ‘Welcome to ArtInChip Luban-Lite’ message. After some reverse-engineering the SoC turned out to be a rebranded RISC-V-based ArtInChip D133CxS, with a very usable SDK by the manufacturer. From there it was easy enough to get DOOM to run, with the bonus feature of needing to complete a level before the toaster will give the slice back.

Continue reading DOOM On A Fancy Smart Toaster”

Reverse-Engineering An Amazon Blink Gen 3 Camera

April 13, 2026 by 12 Comments

After some water intrusion apparently killed one of [electronupdate]’s Amazon Blink Gen 3 cameras he took this opportunity to do a full teardown and analysis of all the major components. Spread across its three PCBs there are no fewer than two wireless ICs and a custom ASIC for all the major processing. There’s also a blog post with easy-to-ogle pictures.

The most basic PCB is effectively just a PCB antenna for the Silicon Labs EZR32 IC on the main PCB, using which the ~915 MHz connection with the central hub is maintained. The other smaller PCB is a bit surprising in that it contains a Cypress CYW43438 W-Fi b/g/n and BT 5.1 chip. This would seem to be used for the setup process, but considering that it also uses a central hub it is a bit of a mystery as to what it is used for exactly.

Finally, the main PCB contains all the major parts, with the custom Amazon Immedia ASIC that’s an integral part of this very low-power camera. Given that two AA cells being enough to run the camera for about two years, using off-the-shelf parts probably wasn’t good enough without some serious customization.

As for why this outdoors-rated camera failed after a few years in the outdoors, the reason appears to be water intrusion via the speaker opening. As for why a camera needs a speaker and not just the microphone is left as an exercise to the reader, but maybe it could be useful for yelling at the local kids to get off your darn lawn?

Continue reading “Reverse-Engineering An Amazon Blink Gen 3 Camera”

Making The Forgotten 1982 Game Adventure Canoe Run On MAME

April 12, 2026 by 5 Comments
A Taito Egret II mini arcade cabinet.
A Taito Egret II mini arcade cabinet.

A while back [Jack] came across a Taito arcade game that neither he nor any of his mates recognized. The game was Adventure Canoe and part of the collection of forty preinstalled games on a Taito Egret II mini arcade cabinet. Yet despite [Jack] and his buddies being avid 1980s arcade enthusiasts, this 1982 title for the Z80-based Taito SJ system was completely unfamiliar to them.

When even a web search turned up extremely few details, [Jack] did the only reasonable thing and borrowed the rather expensive mini arcade for hopefully some extracting of the game ROM.

As expensive as this mini arcade is, it features the typical ARM-based SoC and Linux-based firmware. Although you can totally dump the Flash, [Jack] found that the firmware update ZIP file was a much easier target to poke at and hopefully extract the ROMs from.

Of course, Taito used password-protected ZIP files within the firmware, leading to some reverse-engineering to find the passwords. The first was ‘hidden’ as plain text in the egret2 binary. For the remainder of the ZIP files the password wasn’t as readily found, but required some sleuthing. This took the form of dynamic runtime analysis with gdb, using information previously gleaned from a Ghidra analysis. Eventually this yielded the final passwords.

Extracting the game’s ROM files this way allowed for them to be adapted to the format that MAME expects, after which the game just had to be added to the emulator’s source files. With this done the game fired right up, and [Jack] was able to play the game without any trouble.

Rescuing A Pokémon Off A Pokéwalker After Losing The Game Cartridge

April 6, 2026 by No comments

The Pokéwalker is a gadget that was sold alongside the Pokémon HeartGold and SoulSilver games for the Nintendo DS which players could use to take a Pokémon out on a walk in the real world. Not only would you earn points while walking, but you’d be able to find items, battle wild enemies, etc. The Pokémon inside the device is however linked to the game cartridge. This fact turned into tragedy when [Etchy] found his old Pokéwalker with a treasured Pokémon still on it, but was forced to erase the device as he had lost the cartridge over the years.

Although he had been told repeatedly by then that it was impossible to transfer such a digital pet to a new save file, this never felt right. Although it made some sense that a specific critter would be linked to a specific save file as a level of security, there’s also the question of whether all data of the Pokémon in question would be erased from said save file.

Cloning a Snickers. {Credit: Etchy, YouTube)
Cloning a Snickers. {Credit: Etchy, YouTube)

Fortunately, [Dmitry] has reverse-engineered the Pokéwalker already, including the infrared protocol that uses the IR transceiver in the cartridge itself. As it turns out, only some basic information is sent over to the device, while the Pokémon is simply hidden in the save file, including the data that isn’t sent to the device. Case closed, right?

It would be a sad ending for those who have lost Pokémon on these devices if it was that simple, fortunately. After some digging, [Etchy] found out that the device only checks for three pieces of information to ensure that it is being accessed from a valid game session: the version (HeartGold or SoulSilver), the region (NA, JP, etc.), and the training and secret IDs.

This thus means that if you try long enough, or use an RNG manipulation hack as demonstrated, you can get a new save file created that has the exact same IDs. As long as you make sure that your local critter’s details in terms of species and form are the same as on the device, there’s nothing really stopping the device from happily handing over the critter’s details.

Of course, the real thing that defines a single Pokémon is its ID (PID) that defines its properties, and this is only saved in the save file. The final answer is thus that there’s no way to rescue a trapped Pokémon, as it only really exists on the cartridge that may or may not still exist in some physical form.

Continue reading “Rescuing A Pokémon Off A Pokéwalker After Losing The Game Cartridge”

How A Belkin USB Charger Pulls Off A 3 Milliwatt Standby Usage

March 22, 2026 by 21 Comments
Belkin charger standby power. (Credit: Denki Otaku, YouTube)
Belkin charger standby power. (Credit: Denki Otaku, YouTube)

A well-known property of wall warts like power bricks and USB chargers is that they always consume some amount of power even when there’s no connected device drawing power from them. This feels rather wasteful when you have a gaggle of USB chargers constantly plugged in, especially on a nation-sized scale. This is where a new USB-C wall charger by Belkin, the BoostCharger Pro, is interesting, as it claims ‘zero standby power’, which sounds pretty boastful and rather suspect. Fortunately, [Denki Otaku] saw fit to put one to the test and even tear one down to inspect the work of Belkin’s engineers.

Naturally, no laws of physics were harmed in the construction of the device, as ‘zero standby power’ translated from marketing speak simply means ‘very low standby power usage’, or about 3 milliwatt with 0.3 mA at the applied 100 VAC.

Fascinatingly, plugging in an e-marker equipped USB-C cable with no device on the other end caused this standby usage to increase to about 30 mW, clearly disabling the ‘zero standby’ feature. With that detail noted, it was time to tear down the charger, revealing its four PCBs.

Continue reading “How A Belkin USB Charger Pulls Off A 3 Milliwatt Standby Usage”

Running Windows 98 On The IPAQ IA-2 Internet Appliance

March 18, 2026 by 10 Comments

Devices that were limited to only run a web browser were relatively common around 2000, as many people wanted to surf the Information Super Highway, but didn’t quite want to get a regular PC — being in many ways the retro equivalent of a Chromebook. The Compaq iPAQ IA-2 from 2000 that [Dave Luna] got is no exception, with a Microsoft CE-based OS that is meant to be used with Microsoft Network (MSN) dial-up, which amusingly is still available today.

In order to get a more useful OS on it, like Windows 98, you have to jump through quite a few hoops, as [Dave] found out. Although there is an IDE connection on the mainboard, this cannot be booted from, likely due to BIOS limitations. This means that he had to chain boot via the 16 MB NAND Flash drive that the original OS booted from, which was done by writing MS-DOS to the Flash drive using another workaround as it’s not a standard IDE device either.

From this you can then boot Windows 98 from an IDE drive by pretending that it’s an ATAPI IDE device to dodge a limitation on IDE devices. The system’s hardware isn’t really going to make it into a blazing fast retro computer. It only has a 266 MHz Geode GX1 CPU and supports up to 256 MB of SDRAM. The IA-2 is also limited to 800×600, which required the use of an external monitor (as seen above) hooked up to the internal VGA port to set the proper resolution in the OS.

But at least it can run DOOM, so that bare minimum requirement can be ticked off.

Continue reading “Running Windows 98 On The IPAQ IA-2 Internet Appliance”

It’s 1979 – What Exactly Did That ∫ Key Do?

March 10, 2026 by 15 Comments

[Michel Jean] asked a question few others might: what exactly is going on under the hood of a classic HP scientific calculator when one presses the key? A numerical integration, sure, but how exactly? There are a number of useful algorithms that could be firing up when the integral button is pressed, and like any curious hacker [Michel] decided to personally verify what was happening.

[Michel] implemented different integration algorithms in C++ and experimentally compared them against HP calculator results. By setting up rigorous tests, [Michel] was able to conclude that the calculators definitely use Romberg-Kahan, developed by HP Mathematician William Kahan.

Selected by HP in 1979 for use in their scientific calculators, the Romberg-Kahan algorithm was kept in service for nearly a decade. Was it because the algorithm was fast and efficient? Not really. The reason it was chosen over others was on account of its robustness. Some methods are ridiculously fast and tremendously elegant at certain types of problem, but fall apart when applied to others. The Romberg-Kahan algorithm is the only one that never throws up its hands in failure; ideal for a general-purpose scientific calculator that knows only what its operator keys in, and not a lick more.

It’s a pretty neat fact about classic HP calculators, and an interesting bit of historical context for these machines. Should you wish for something a bit more tactile and don’t mind some DIY, it’s entirely possible to re-create old HP calculators as handhelds driven by modern microcontrollers, complete with 3D-printed cases.

Thanks to [Stephen Walters] for the tip!