A multimeter connected to the EEPROM chip with crocodile clips, showing that there's a 0.652V diode drop between GND and one of the IO pins

Dead EPROM Dumped With Help Of Body Diodes

[Jason P], evidently an enjoyer of old reliable laser printing tech, spilled a drink onto his Panasonic KX-P5400 SideWriter. After cleanup, everything worked fine — except that the PSU’s 5 V became 6.5 V during the accident, and the EPROM with LocalTalk interface firmware died, with the connection between VCC and GND seemingly interrupted inside the chip. Understandably, [Jason] went on Twitter, admitted the error of his ways, and sheepishly asked around for EPROM dumps.

Instead, [Manawyrm] wondered — would the chip have anti-ESD body diodes from GND to IO pins, by any chance? A diode mode multimeter check confirmed, yes! It was time for an outlandish attempt to recover the firmware. [Manawyrm] proposed that [Jason] connect all output pins but one to 5 V, powering the EPROM through the internal VCC-connected body diodes, then read the contents one bit at a time and combine the eight dumps into a single image.

After preparing a TL866 setup, one hour of work and some PHP scripting later, the operation was a success. Apparently, in certain kinds of cases, dead ROM chips might still tell their tales! It’s not quite clear what happened here. The bond wires looked fine, so who knows where the connection got interrupted – but we can’t deny the success of the recovery operation! Need a primer on dumping EPROMs that are not dead? Here you go.
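The merge step described above, sketched as an added example (this is not [Manawyrm]'s PHP script, and the function names are hypothetical). It assumes dump `i` was taken with data pin `i` left free and that the seven pins tied to 5 V read back as 1; the sample image is constructed.

```python
def simulate_single_bit_dump(image: bytes, bit: int) -> bytes:
    """Constructed test input: only data pin `bit` carries real data.
    Assumption: the seven pins tied to 5 V read back as 1."""
    mask = 1 << bit
    return bytes((b & mask) | (0xFF ^ mask) for b in image)


def merge_dumps(dumps: list[bytes]) -> bytes:
    """Rebuild the image; dumps[i] is the read taken with data pin i free."""
    if len(dumps) != 8:
        raise ValueError("need exactly eight dumps, one per data pin")
    size = len(dumps[0])
    if size == 0 or any(len(d) != size for d in dumps):
        raise ValueError("dumps must be non-empty and of equal length")
    out = bytearray(size)
    for bit, dump in enumerate(dumps):
        mask = 1 << bit
        for offset, value in enumerate(dump):
            out[offset] |= value & mask  # keep only the bit this dump is trusted for
    return bytes(out)


def suspicious_offsets(dumps: list[bytes]) -> list[tuple[int, int]]:
    """Return (bit, offset) pairs where a pin tied to 5 V did not read as 1.
    Under the assumption above this points at a bad contact or a mislabeled
    dump, so that read is worth repeating before trusting the merged image."""
    bad = []
    for bit, dump in enumerate(dumps):
        tied = 0xFF ^ (1 << bit)
        bad.extend((bit, off) for off, v in enumerate(dump) if v & tied != tied)
    return bad


# Constructed sample "firmware" and the eight single-bit reads derived from it.
SAMPLE_IMAGE = bytes([0x00, 0xFF, 0xA5, 0x5A, 0x4C, 0x54, 0x01, 0x80])
SAMPLE_DUMPS = [simulate_single_bit_dump(SAMPLE_IMAGE, b) for b in range(8)]

if __name__ == "__main__":
    print(merge_dumps(SAMPLE_DUMPS).hex())
    print(suspicious_offsets(SAMPLE_DUMPS))
```

Reading each pin's dump twice and comparing the two merged images byte for byte is a cheap additional check on a chip powered in this marginal way.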


Everything You Didn’t Know You Need To Know About Glitching Attacks

If you’ve always been intrigued by the idea of performing hardware attacks but never knew where to start, then we’ve got the article for you: an in-depth look at the hows and whys of hardware glitching.

Attentive readers will recall that we’ve featured [Matthew Alt]’s reverse engineering exploits before, like the time he got root on a Linux-based arcade cabinet. For something a bit more challenging, he chose a Trezor One crypto wallet this time. We briefly covered a high-stakes hack (third item) on one of these wallets by [Joe Grand] a while back, but [Matthew] offers much, much more detail.

After introducing the theory of glitching attacks, which seek to force a processor into an undefined state using various methods, [Matthew] discusses the specifics of the Trezor wallet and how the attack was planned.

His target — the internal voltage regulator of the wallet’s STM32 microcontroller — required desoldering a few caps before the attack could begin, which was performed with a ChipWhisperer. After resolving a few initial timing issues, he was able to glitch the chip into dropping to the lowest level of readout protection, which gave access to the dongle’s SRAM through an ST-Link debugger.

While this summary may make the whole thing sound trivial, it’s obvious that the attack was anything but, nor was the effort that went into writing it all up. The whole thing reads a little like a techno-thriller, and there’s plenty of detail there if you’re looking for a tutorial on chip glitching. We’re looking forward to part 2, which will concentrate on electromagnetic fault-injection using a PicoEMP and what looks like a modified 3D printer.

Why Didn’t We Think Of Making A Remote Trigger Button?

One of the many functions a digital oscilloscope offers over its analog ancestors is a trigger button. Alongside the usual electronic means of triggering the instrument, you can reach over and press a button to “freeze-frame” the action and preserve the trace. When you have to do it repeatedly, reaching for the ‘scope can become a chore. That’s where [Kevin Santo Cappuccio]’s remote trigger button comes in.

The button itself is about as simple a hack as it gets. The ‘scope was carefully dissected and some fine wires laid from the contacts within the front panel to a connector on the case. From there a cable goes to a box with a momentary action button switch. Plug in the box, and you can trigger the ‘scope from a distance!

We have to admit to rather admiring this hack, as needing to trigger the ‘scope is a well-known problem here. It’s easy to stab the wrong button and lose what you are looking for, so we’re rather surprised we didn’t think of this one ourselves. But then again from another viewpoint, it involves dissecting an expensive instrument which is best left unmolested. Perhaps manufacturers should consider adding this functionality.

This may be the most straightforward oscilloscope hack we’ve shown you, but it’s certainly not the first.

A Fast Linear Actuator Entirely In One PCB

There are many ways to make a linear actuator, a device for moving something in a straight line. Most of the easier-to-make ones use a conventional motor and a mechanical linkage such as a rack and pinion or a lead screw, but [Ben Wang] has gone for something far more elegant. His linear actuator uses a linear motor, a linear array of coils for the motor phases, working against a line of magnets. Even better than that, he’s managed to make the whole motor out of a single PCB. And it’s fast!

This represents something of an engineering challenge, because achieving the required magnetic field from the relatively few turns possible on a PCB is no easy task. He’s done it by using a four-layer board to gather enough turns for the required magnetic field, and a simple view of the board doesn’t quite convey what lies beneath.

PCB motors are perhaps one of those areas where the state of the art is still evolving, and the exciting part is that their limits are being pushed right there in our community. And this isn’t the only linear motor we’ve seen recently either; here’s one used in a model train.

E-paper Price Tags Combined To Create A Large Wireless Display

E-paper price tags have become popular for retail stores over the past few years, which is great for hackers since we now have some more cheap commodity hardware to play with. [Aaron Christophel] went all in on creating grid displays with E-paper price tags, up to a 20×15 grid.

E-paper price tags are great for these kinds of projects, since they are wireless, lightweight, and can last a long time with the onboard batteries. To mount the individual tags on the plywood backboard, [Aaron] simply glued Velcro to the backboard of the tags. The displays’ firmware is based on the reverse engineering work of [Dmitry Grinberg], flashed to a few hundred tags using a convenient 3D printed pogo pin programming jig. All the displays are controlled via a Zigbee USB dongle plugged into a PC running station software.

[Aaron] is also experimenting with the displays removed from their enclosure and popped into a 3D printed grid frame. The disadvantage is the loss of the battery holders and the antenna, which are both integrated into the enclosure. He plans to get around this by powering the displays from a single large battery, and connecting an ESP32 to the displays via ISP or UART.

This project comes hot on the heels of another E-ink grid display project that uses Bluetooth and a rather clever update scheme.


The modem in question plugged into a black powerbank.

Hackable $20 Modem Combines LTE And Pi Zero W2 Power

[extrowerk] tells us about a new hacker-friendly device – a $20 LTE modem stick with a quadcore CPU and WiFi, capable of running fully-featured Linux distributions. This discovery hinges on a mountain of work by a Chinese hacker [HandsomeYingYan], who’s figured out this stick runs Android, hacked its bootloader, tweaked a Linux kernel for it and created a Debian distribution for the stick – calling this the OpenStick project. [extrowerk]’s writeup translates [HandsomeYingYan]’s tutorial for us and makes a few more useful notes. With this writeup in hand, we have unlocked a whole new SBC to use in our projects – at a surprisingly low price!

At times when even the simplest Pi Zero is unobtainium (yet again!), this is a wonderful find. For a bit over the price of a Zero 2W, you get a computer with a similar CPU (4-core 1GHz A53-based Qualcomm MSM8916), same amount of RAM, 4GB storage, WiFi – and an LTE modem. You can stick this one into a powerbank or a wallwart and run it at a remote location, make it into a home automation hub, or perhaps, process some CPU-intensive tasks in a small footprint. You can even get them with a microSD slot for extra storage – or perhaps, even extra GPIOs? You’re not getting a soldering-friendly GPIO header, but it has a few LEDs and, apparently, a UART header, so it’s not all bad. As [extrowerk] points out, this is basically a mobile phone in a stick form factor, but without the display and the battery.

The modem with its cover taken off, showing the chips on its board.

Now, there are caveats. [extrowerk] points out that you should buy the modem with the appropriate LTE bands for your country – and that’s not the only thing to watch out for. A friend of ours recently obtained a visually identical modem; when we got news of this hack, she disassembled it for us – finding out that it was equipped with a far more limited CPU, the MDM9600. That is an LTE modem chip, and its functions are limited to performing USB 4G stick duty with some basic WiFi features. Judging by a popular mobile device reverse-engineering forum’s investigations (Russian, translated), it looks like the earlier versions of this modem came with the far more limited MDM9600 SoC, which is not able to run Linux like the stick we’re interested in does. If you like this modem and understandably want to procure a few, see if you can make sure you’ll get the MSM8916 and not the MDM9600.

Days of using WiFi routers to power our robots are long gone since the advent of Raspberry Pi, but we still remember them fondly, and we’re glad to see a router stick with the Pi Zero 2W oomph. We’ve been hacking at such sticks for over half a decade now, most of them OpenWRT-based, some as small as an SD card reader. Now, when SBCs are hard to procure, this could be a perfect fit for one of your next projects.

Update: in the comments below, people have found a few links where you should be able to get one of these modems with the right CPU. Also, [Joe] has started investigating the onboard components!

Toddler EV Gets Big Boy Battery Upgrade

No matter the type of vehicle we drive, it has a battery. Those batteries wear out over time. Even high end EVs have batteries with a finite life. But when your EV uses Lead Acid batteries, that life is measured on a much shorter scale. This is especially true when the EV is driven by a driver that takes up scarcely more space in their EV than a stuffed tiger toy! Thankfully, the little girl in question has a mechanic: her daddy, [Brian Lough], who documented the swift conversion of his daughter’s toy truck from Lead Acid to Li-Ion in the video which you can see below the break.

A 3D printed adapter sends go-juice to the DC-DC converter

Facing challenges similar to those of actual road worthy passenger vehicles, [Brian] teamed up with [bitluni] to solve them. The 12 V SLA battery was being replaced with a 20 V Li-Ion pack from a power tool. A 3D printed adapter was enlisted to break out the power pins on the pack. The excessive voltage was handled with a DC-to-DC converter that, after a bit of tweaking, was putting out a solid 12 V.

What we love about the hack is that it’s one anybody can do, and it gives an inkling of what type of engineering goes into even larger projects. And be sure to watch the video to the end for the adorable and giggly results!

Speaking of larger projects, check out the reverse engineering required in this Lead Acid to Li-Ion conversion we covered in 2016.
