Hacking Your Way to a Custom TV Boot Screen

More and more companies are offering ways for customers to personalize their products, realizing that the increase in production cost will be more than made up for by the additional sales you’ll net by offering a bespoke product. It’s great for us as consumers, but unfortunately we’ve still got a ways to go before this attitude permeates all corners of the industry.

[Keegan Ryan] recently purchased a TV and wanted to replace its stock boot screen logo with something of his own concoction, but sadly the set offered no official way to make this happen. So naturally he decided to crack the thing open and do it the hard way The resulting write-up is a fascinating step by step account of the trials and tribulations that ultimately got him his coveted custom boot screen, and just might be enough to get you to take a screw driver to your own flat panel at home.

The TV [Keegan] brought was from a brand called SCEPTRE, but as a security researcher for NCC Group he thought it would be a fun spin to change the boot splash to say SPECTRE in honor of the infamous x86 microarchitecture attack. Practically speaking it meant just changing around two letters, but [Keegan] would still need to figure out where the image is stored, how it’s stored, and write a modified version to the TV without letting the magic smoke escape. Luckily the TV wasn’t a “smart” model, so he figured there wouldn’t be much in the way of security to keep him from poking around.

He starts by taking the TV apart and studying the main PCB. After identifying the principle components, he deduces where the device’s firmware must be stored: an 8 MB SPI flash chip from Macronix. He connects a logic analyzer up to the chip, and sure enough sees that the first few kilobytes are being read on startup. Confident in his assessment, he uses his hot air rework station to lift the chip off the board so that he can dive into its contents.

With the help of the trusty Bus Pirate, [Keegan] is able to pull the chip’s contents and verify its integrity by reading a few human-readable strings from it. Using the binwalk tool he’s able to identify a JPEG image within the firmware file, and by feeding its offset to dd, pull it out so he can view it. As hoped, it’s the full screen SCEPTRE logo. A few minutes in GIMP, and he’s ready to merge the modified image with the firmware and write it back to the chip.

He boots the TV back up and finds…nothing changed. A check of the datasheet for the SPI flash chip shows there are some protection bits used to prevent modifying particular regions of the chip. So after some modifications to the Bus Pirate script and another write, he boots the TV and hopes for the best. Finally he sees the object of his affection pop up on the big screen, a subtle change that reminds him every time the TV starts about the power of reverse engineering.

Ken Shirriff Explains His Techniques For Reverse Engineering Silicon

When it comes to reverse engineering silicon, there’s no better person to ask than Ken Shirriff. He’s the expert at teasing the meaning out of layers of polysilicon and metal. He’s reverse engineered the ubiquitous 555 timer, he’s taken a look at the inside of old-school audio chips, and he’s found butterflies in his op-amp. Where there’s a crazy jumble of microscopic wires and layers of silicon, Ken’s there, ready to do the teardown.

For this year’s talk at the Hackaday Superconference, Ken walked everyone through the techniques for reverse engineering silicon. Surprisingly, this isn’t as hard as it sounds. Yes, you’ll still need to drop acid to get to the guts of an IC (of course, you could always find a 555 stuck in a metal can, but then you can’t say ‘dropping acid’), but even the most complex devices on the planet are still made of a few basic components. You’ve got n-doped silicon, p-doped silicon, and some metal. That’s it, and if you know what you’re looking for — like Ken does — you have all the tools you need to figure out how these integrated circuits are made.

Continue reading “Ken Shirriff Explains His Techniques For Reverse Engineering Silicon”

Spring-Loaded Bed for K40 Laser Acts As an Auto-Focus

Laser engraving and cutting has something in common with focusing the sun’s rays with a magnifying glass: good focus is critical to results. If materials of varying thicknesses are used, focus needs to be re-set every time the material changes, and manual focusing quickly becomes a chore. [Scorch Works] has a clever solution to avoid constant re-focusing that doesn’t involve sensors or motors of any sort. The result is a self-adjusting bed that compensates for material height changes, ensuring that the top surface of the material is always a fixed distance from the laser’s head.

The way [Scorch Works] has done this is to make two spring-loaded clamps from angle aluminum and a few pieces of hardware. When a sheet of material is placed into the machine, the edges get tucked underneath the aluminum “lips” while being pushed upward from beneath. By fixing the height of the top layer of angle aluminum, any sheet stock always ends up the same distance from the laser head regardless of the material’s thickness.

[Scorch Works] shows the assembly in action in the video embedded below, along with a few different ways to accommodate different materials and special cases, so be sure to check it out.

Continue reading “Spring-Loaded Bed for K40 Laser Acts As an Auto-Focus”

New Part Day: The Twenty Five Cent USB Microcontroller (With A Toolchain!)

Last year, Jiangsu Yuheng Co., Ltd introduced a new microcontroller. The CH554 is a microcontroller with an E8051 core with a 24 MHz clock, a little more than 1 kB of RAM, and a bit more than 14 kB split between the code and data Flash. In short, it’s nothing too spectacular, but it makes up for that with peripherals. It’s got SPI and ADCs and PWM, UARTs, and even a few capacitive touch channels. It’s also a USB device, with some chips in the series able to function as a USB host. You can buy this chip for a quarter through the usual retailers.

Normally, this isn’t huge news. The 8051 is the most copied microcontroller on the planet, and there are probably billions produced each year. Cheap parts are only cheap if your time is free; you’ll usually spend ages trying to digest the datasheet and get a toolchain up and running. That’s where this chip is a little different. There are multiple efforts to bring an Open Source toolchain to this chip. And they’re doing it in Windows and Linux. Someone really cares about this chip.

The current best option for an SDK for this chip comes from Blinkinlabs, with a port of the CH554 SDK from Keil to SDCC. There are real, working code examples for this chip using an Open Source toolchain. Sure, it might just blink a LED, but it’s there. If you can blink a LED, you can do just about anything from there. Programming the chip happens over USB with the ‘official’ WCHISPTool (Windows) or LibreCH551 (command line). The end result is a completely Open Source toolchain to program and upload a hex file to a cheap chip.

There are a few more chips in the CH554 series, ranging from the CH551 in an SOP-16 package to the CH559 in an LQFP48 package, with more features available as the chips get bigger. It’s an interesting chip, with some somehow implementing a USB hub, and could be a very cool chip for some low-level USB hacking.

Wonderful Sculptural Circuits hide Interactive Synthesizers

When it rains, it pours (wonderful electronic sculpture!). The last time we posted about freeform circuit sculptures there were a few eye-catching comments mentioning other fine examples of the craft. One such artist is [Eirik Brandal], who has a large selection of electronic sculptures. Frankly, we’re in love.

A common theme of [Eirik]’s work is that each piece is a functional synthesizer or a component piece of a larger one. For instance, when installed the ihscale series uses PIR sensors to react together to motion in different quadrants of a room. And the es #17 – #19 pieces use ESP8266’s to feed the output of their individual signal generators into each other to generate one connected sound.

Even when a single sculpture is part of a series there is still striking variety in [Eirik]’s work. Some pieces are neat and rectilinear and obviously functional, while others almost looks like a jumble of components. Whatever the style we’ve really enjoyed pouring through the pages of [Eirik]’s portfolio. Most pieces have demo videos, so give them a listen!

If you missed the last set of sculptural circuits we covered this month, head on over and take a look at the flywire circuits of Mohit Bhoite.

Thanks [james] for the tip!

Sniffing RFID Readers With A Piece of Paper

We feature plenty of printed projects here on Hackaday, though they tend to be of the three dimensional type thanks to the proliferation of affordable 3D printers. But in this case, [Milosch Meriac] has managed to put together a printable design that’s not only a very cool hack, but is made up of a scant two dimensions. His creation, which could perhaps be considered something of an interactive circuit diagram, allows anyone with a paper printer and a few passive components to make a functional low-frequency RFID sniffer.

[Milosch] tells us the goal of the project is to lower the barrier for experimenting with the RFID technology that’s increasingly part of our everyday lives. Rather than having to use something expensive and complicated such as an oscilloscope, experimenters can simply plug their DIY RFID sniffer into their computer’s line-in jack and explore the produced waveform with open source tools.

To create a paper RFID sniffer, you start by printing the image out on a thick piece of paper, like card stock. You then apply foil tape where indicated to serve as traces in this makeshift PCB, and start soldering on the components as described in the text. [Milosch] says the assembly procedure is so simple even a kid can do it, and the total cost of each assembled sniffer is literally pennies; making this an excellent project for schools or really any large group.

If you want to play it safe the sniffer can be connected to a USB sound card rather than your machine’s primary sound hardware, and still come in dirt cheap. [Milosch] stops short of explaining the software side of things in this particular project, but any tool which can use input from the sound card as a makeshift oscilloscope should be a good start.

In the past we’ve seen [Milosch] perform low frequency RFID sniffing through the sound card with the powerful baudline tool, but if you want a little more capable hardware, we can point you in the right direction.

Advances In Flat-Pack PCBs

Right now, we’ve got artistic PCBs, we’ve got #badgelife, and we have reverse-mounted LEDs that shine through the fiberglass substrate. All of this is great for PCBs that are functional works of art. Artists, though, need to keep pushing boundaries and the next step is obviously a PCB that doesn’t look like it has any components at all. We’re not quite there yet, but [Stephan] sent in a project that’s the closest we’ve seen yet. It’s a PCB where all the components are contained within the board itself. A 2D PCB, if you will.

[Stephen]’s project is somewhat simple as far as a #badgelife project goes. It’s a Christmas ornament, powered by two coin cells, hosting an ATTiny25 and blinking two dozen LEDs via Charlieplexing. The PCB was made in KiCAD, with some help from Inkscape and Gimp. So far, so good.

Castellated edges, containing a part

The trick is mounting all the components in this project so they don’t poke out above the surface of the board. This is done by milling a rectangular hole where every part should go and adding castellated pads to one side of the hole. The parts are then soldered in one at a time against these castellated pads, so the thickness of the completed, populated board is just the thickness of the PCB.

The parts used in this project are standard jellybean parts, but there are a few ways to improve the implementation of this project. The LEDs are standard 0805s, but side-emitting LEDs do exist. If you’d like to take this idea further, it could be possible to create a sandwich of PCBs, with the middle layer full of holes for components. These layers of PCBs can then be soldered or epoxied together to make a PCB that actually does something, but doesn’t look like it does. This technique is done in extremely high-end PCBs, but it’s expensive as all get out.

Still, this is a great example of what can be done with standard PCB processes and boards ordered from a random fab house. It also makes for a great Christmas ornament and pushes the boundaries of what can be done with PCB art.