Reverse Engineering

318 Articles

Take A Ride On Wrongbaud’s Hardware Hacking Highway

March 9, 2026 by 9 Comments

Regular Hackaday readers will no doubt be familiar with the work of Matthew Alt, AKA [wrongbaud]. His deep-dive blog posts break down hardware hacking and reverse engineering concepts in an engaging way, with practical examples that make even the most complex of topics approachable.

But one of the problems with having a back catalog of written articles is making sure they remain accessible as time goes on. (Ask us how we know.) Without some “algorithm” at play that’s going to kick out the appropriate article when it sees you’re interested in sniffing SPI, there needs to be a way to filter through the posts and find what’s relevant. Which is why the new “Roadmap” feature that [wrongbaud] has implemented on his site is so handy.

At the top of the page you’ll find [wrongbaud]’s recommended path for new players: it starts with getting your hardware and software together, and moves through working with protocols of varying complexity until it ends up at proper techno wizardry like fault injection.

Clicking any one of these milestones calls up the relevant articles — beginners can step through the whole process, while those with more experience can jump on wherever they feel comfortable. There’s also buttons that let you filter articles by topic, so for example you can pull up anything related to I2C or SPI.

Further down the page, there’s a helpful “Common Questions” section that gives you a brief overview of how to accomplish various goals, such as identify an unknown UART baud rate, or extract the contents of an SPI flash chip.

Based on the number and quality of the articles, [wrongbaud]’s site has always been on our shortlist of must-see content for anyone looking to get started with hardware hacking, and we think this new interface is going to make it even more useful for beginners who appreciate a structured approach to learning.

Reverse-Engineering The Bluetooth Fichero Thermal Label Printer Protocol

March 9, 2026 by 20 Comments

It’s hard to deny that label printers have become more accessible than ever, but an annoying aspect of many of these cheap units is that their only user interface is a proprietary smartphone app connected via Bluetooth. The Fichero-branded label printer that [0xMH] obtained for a mere 10 Euro at a store in the Netherlands was much the same, with an associated app that doesn’t just bind it to smartphones, but also requires no fewer than 26 permissions. Obviously this required some reverse-engineering of the BLE protocol.

The fruits of this reverse-engineering effort can be found in the GitHub repository, with the most interesting part probably being that this Fichero is just one of many relabeling of generic label printers, this one being an AiYin D11, by Xiamen Printer Future Technology. This means that other iterations of this D11 will work exactly the same, as they all use the same ‘LuckPrinter’ SDK.

[0xMH] provides a Web GUI to talk with a local D11 printer, though you can also use the Python scripts, or of course implement the protocol using your favorite language and frameworks, so that you can finally control a cheap label printer from a PC or even BLE-equipped MCU like the software gods intended.

Thanks to [T-ice] for the tip.

Reverse Engineering The PROM For The SGI O2

March 6, 2026 by 9 Comments

The SGI O2 was SGI’s last-ditch attempt at a low-end MIPS-based workstation back in 1996, and correspondingly didn’t use the hottest parts of the time, nor did it offer much of an upgrade path. None of which is a concern to hobbyists who are more than happy to work around any hardware- and software limitations to e.g. install much faster CPUs. While quite a few CPU upgrades were possible with just some BGA chip reworking skills, installing the 900 MHz RM7900 would require some PROM hacking, which [mattst88] recently took a shake at.

The initial work on upgrading SGI O2 systems was done in the early 2000s, with [Joe Page] and [Ian Mapleson] running into the issue that these higher frequency MIPS CPUs required a custom IP32 PROM image, for which they figured that they’d need either SGI’s help or do some tricky reverse-engineering. Since SGI is no longer around, [mattst88] decided to take up the torch.

After downloading a 512 kB binary dump of the last version of the O2’s PROM, he set to work reverse-engineering it, starting by dissembling the file. A big part of understanding MIPS PROM code is understanding how the MIPS architecture works, including its boot process, so much of what followed was a crash-course on the subject.

With that knowledge it was much easier to properly direct the Capstone disassembler and begin the arduous process of making sense of the blob of data and code. The resulting source files now reassemble into bit-identical ROM files, which makes it likely that modifying it to support different CPUs is now possible with just a bit more work.

For those who want to play along, [mattst88] has made his ip32prom-decompiler project available on GitHub.

Thanks to [adistuder] for the tip.

Top image: Silicon Graphics 1600SW LCD display and O2 workstation. (Source: Wikimedia)

Inside SKALA: How Chornobyl’s Reactor Was Actually Controlled

March 3, 2026 by 13 Comments
Entering SKALA codes during RBMK operation. (Credit: Pripyat-Film studio)
Entering SKALA codes during RBMK operation. (Credit: Pripyat-Film studio)

Running a nuclear power plant isn’t an easy task, even with the level of automation available to a 1980s Soviet RBMK reactor. In their continuing efforts to build a full-sized, functional replica of an RBMK control room as at the Chornobyl Nuclear Power Plant – retired in the early 2000s – the [Chornobyl Family] channel has now moved on to the SKALA system.

Previously we saw how they replicated the visually very striking control panel for the reactor core, with its many buttons and status lights. SKALA is essentially the industrial control system, with multiple V-3M processor racks (‘frames’), each with 20k 24-bit words of RAM. Although less powerful than a PDP-11, its task was to gather all the sensor information and process them in real-time, which was done in dedicated racks.

Output from SKALA’s DREG program were also the last messages from the doomed #4 reactor. Unfortunately an industrial control system can only do so much if its operators have opted to disable every single safety feature. By the time the accident unfolded, the hardware was unable to even keep up with the rapid changes, and not all sensor information could even be recorded on the high-speed drum printer or RTA-80 teletypes, leaving gaps in our knowledge of the accident.

Continue reading “Inside SKALA: How Chornobyl’s Reactor Was Actually Controlled”

SNES Controllers Are (Almost) SPI-Compatible

March 2, 2026 by 10 Comments

Considering that the Serial Peripheral Interface bus semi-standard has been around since the early 1980s, it’s perhaps not that shocking that the controllers of the Super Nintendo Entertainment System (SNES) would take at least some strong design hints for the used protocol. This does however raise the question of exactly how compatible a SNES controller is when connected to the SPI master peripheral of any random MCU. Recently [James Sharman] set out to answer this question decisively.

The impetus for answering this question came after [James] designed a separate SNES controller board for his homebrew computer system, which led to many comments on that video saying that he could just have hooked the controller up to the SPI board in said homebrew system.

Here the short answer is that the SNES controller protocol is very close to SPI Mode-1, with a similar arrangement of clock/data/chip select (latch) lines and clocking. If you think of the SNES controller as an SPI device with just a MISO line, you’re basically there already. The only niggle that popped up was that the ‘MISO’ line does not get pulled into a high-impedance state when the active-low latch connection is pulled high.

This was fixable by introducing a 74HC125 tri-state buffer IC, after which both the original SD card and twin SNES controllers could be used simultaneously.

Continue reading “SNES Controllers Are (Almost) SPI-Compatible”

X-Ray A PCB Virtually

February 23, 2026 by 24 Comments

If you want to reverse engineer a PC board, you could do worse than X-ray it.  But thanks to [Philip Giacalone], you could just take a photo, load it into PCB Tracer, and annotate the images. You can see a few of a series of videos about the system below.

The tracer runs in your browser. It can let you mark traces, vias, components, and pads. You can annotate everything as you document it, and it can even call an AI model to help generate a schematic from the net list.

Continue reading “X-Ray A PCB Virtually”

Inside A Compact Intel 3000 W Water-Cooled Power Supply

February 22, 2026 by 11 Comments

Recently [ElecrArc240] got his paws on an Intel-branded 3 kW power supply that apparently had been designed as a reference PSU for servers. At 3 kW in such a compact package air cooling would be rather challenging, so it has a big water block sandwiched between the two beefy PCBs. In the full teardown and analysis video of the PSU we can see the many design decisions made to optimize efficiency and minimize losses to hit its 80 Plus Platinum rating.

For the power input you’d obviously need to provide it with 240 VAC at sufficient amps, which get converted into 12 VDC at a maximum of 250 A. This also highlights why 48 VDC is becoming more common in server applications, as the same amount of power would take only 62.5 A at that higher voltage.

The reverse-engineered schematic shows it using an interleaved totem-pole PFC design with 600 V-rated TI LMG3422 600V GaN FETs in the power stages. After the PFC section we find a phase-shifted full bridge rectifier with OnSemi’s SiC UF3C065030K4S Power N-Channel JFETs.

There were a few oddities in the design, such as the Kelvin source of the SiC JFET being tied into the source, which renders that feature useless. Sadly the performance of the PSU was not characterized before it was torn apart which might have provided some clues here.

Continue reading “Inside A Compact Intel 3000 W Water-Cooled Power Supply”