39C3: Recreating Sandstorm

Some synthesizer sounds are just catchy, but some of them are genre-defining. We think you could make that case for the Roland JP-8000 patch “Sandstorm”, which you’ve heard if you listened to any trance from the 90’s, but especially the song that was named after it.

“Sandstorm” is powered by the Roland Supersaw, and synth nerds have argued for a decade about how it’s made. The JP-8000 is a digital synthesizer, though, so it’s just code, run through custom DSP chips. If you could reverse engineer these chips, make a virtual machine, and send them the right program, you could get the sound 100% right. Think MAME but for synthesizers.

That brings us to [giulioz]’s talk at the 39th Chaos Communication Congress, where he dives deep into the custom DSP chip at the heart of the JP-8000. He and his crew had approached older digital synths by decapping and mapping out the logic, as you often do in video game emulation. Here, getting the connections right turned out to be simply too daunting, so he found a simpler device that had a test mode that, combined with knowledge of the chip architecture, helped him to figure out the undocumented DSP chip’s instruction set.

After essentially recreating the datasheet from first principles for a custom chip, [giulioz] and team could finally answer the burning question: “how does the Supersaw work?” The horrifying answer, after all this effort, is that it’s exactly what you’d expect: seven sawtooth waves, slightly detuned, and layered over each other. Just what it sounds like.
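To make the “seven detuned saws, layered” structure concrete, here is an added example, not code from the talk or from [giulioz]’s emulator: a naive supersaw oscillator that spreads the voices symmetrically around a center frequency in cents and sums them. The detune spread, the equal spacing between voices and the phase handling are assumptions for illustration; the JP-8000’s actual detune curve and mix are what the talk reverse engineers, and they are not reproduced here.

```python
"""Added example: a minimal supersaw oscillator built the way the talk
describes it (seven detuned sawtooth waves summed). The 25-cent spread,
equal voice spacing, plain averaging and zero start phases are assumptions
for illustration, not values taken from the JP-8000 or from the emulator."""
import math

SAMPLE_RATE = 44100


def saw(phase: float) -> float:
    """Naive (non-band-limited) sawtooth in [-1, 1) for a phase in [0, 1)."""
    return 2.0 * (phase % 1.0) - 1.0


def supersaw_frequencies(f0: float, spread_cents: float = 25.0, voices: int = 7):
    """Frequencies of `voices` oscillators spread symmetrically around f0.

    The middle voice stays exactly on f0; the others sit at equal steps in
    cents out to +/- spread_cents. A cent is 1/1200 of an octave, so a detune
    of c cents multiplies the frequency by 2 ** (c / 1200).
    """
    if voices < 1 or voices % 2 == 0:
        raise ValueError("use an odd voice count so one voice sits on f0")
    half = voices // 2
    freqs = []
    for i in range(-half, half + 1):
        cents = spread_cents * i / half if half else 0.0
        freqs.append(f0 * 2.0 ** (cents / 1200.0))
    return freqs


def render_supersaw(f0: float, seconds: float = 0.05, spread_cents: float = 25.0,
                    voices: int = 7, sample_rate: int = SAMPLE_RATE):
    """Render the summed, detuned saws as a list of samples in [-1, 1].

    Each voice keeps its own phase accumulator; the per-sample increment is
    frequency / sample_rate. Output is divided by the voice count so that the
    worst-case sum (all voices aligned) cannot clip.
    """
    freqs = supersaw_frequencies(f0, spread_cents, voices)
    n = int(seconds * sample_rate)
    phases = [0.0] * voices
    out = []
    for _ in range(n):
        out.append(sum(saw(p) for p in phases) / voices)
        phases = [(p + f / sample_rate) % 1.0 for p, f in zip(phases, freqs)]
    return out


if __name__ == "__main__":
    # Render 50 ms of an A4 supersaw and report the detuned voice frequencies.
    for f in supersaw_frequencies(440.0):
        print(f"{f:.3f} Hz")
    samples = render_supersaw(440.0)
    print(len(samples), "samples, peak", max(abs(s) for s in samples))
```

Because the voices are spaced in cents rather than in hertz, the spread scales with pitch, which is what keeps the chorus-like beating consistent across the keyboard. A real implementation would band-limit the saws (the naive form aliases badly at high pitches) and would use the measured detune and mix curves rather than the linear ones assumed here.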

The real end result is an emulation that’s every bit (tee-hee!) as good as the original, because it’s been checked out on a logic analyzer. But the real fun is the voyage. Go give the talk a watch.

39C3: Hacking Washing Machines

Many of us have them, but few of us really hack on them. Here we’re talking about large home appliances. [Severin von Wnuck-Lipinski] and [Hajo Noerenberg] were both working on washing machines, found each other, and formed a glorious cooperation that ended in the unholy union of German super-brands Miele and B/S/H: a Miele washer remote controlled by Siemens’ web app.

This talk, given at the 39th Chaos Communication Congress (39C3), is about much more than the stunt hack, however. In fact, we covered [Severin]’s work on the very clever, but proprietary, Miele Diagnostic Interface a little while ago. But now, he’s got it fully integrated into his home automation system. It’s a great hack, and you can implement it without even opening the box.

About halfway through the talk, [Hajo] takes over, dissecting the internal D-Bus communication protocol. Here, you have to open up the box, but then you get easy access to everything about the internal state of the machine. And D-Bus seems to be used in a wide range of B/S/H/ home appliances, so this overview should give you footing for your own experimentation on coffee machines or dishwashers as well. Of course, he wires up an ESP32 to the bus, and connects everything, at the lowest level, to his home automation system, but he also went the extra mile and wrote up a software stack to support it.

It’s a great talk, with equal parts humor and heroic hacking. If you’re thinking about expanding out your own home automation setup, or are even just curious about what goes on inside those machines these days, you should absolutely give it a watch.

Editor Note: The “S” is Siemens, which is Hackaday’s parent company’s parent company. Needless to say, they had nothing to do with this work or our reporting on it.

Reverse-Engineering The Intel 8087 Stack Circuitry

Although something that’s taken for granted these days, the ability to perform floating-point operations in hardware was, for the longest time, something reserved for people with big wallets. This began to change around the time that Intel released the 8087 FPU coprocessor in 1980, featuring hardware support for floating-point arithmetic at a blistering 50 KFLOPS. Notably, the 8087 uses a stack-based architecture, a major departure from existing FPUs. Recently [Ken Shirriff] took a literal closer look at this stack circuitry to see what it looks like and how it works.

Nearly half of the 8087’s die is taken up by the microcode frontend and bus controller, with a block containing constants like π alongside the FP calculation-processing datapath section taking up much of the rest. Nestled along the side are the eight registers and the stack controller. At 80 bits per FP number, the required registers and their associated logic were pretty sizeable for the era, especially when you consider that the roughly 60,000 transistors in the 8087 were paired alongside the 29,000 transistors in the 16-bit 8086.

Each of the 8087’s registers is selected by the decoded instructions via a lot of wiring that can still be fairly easily traced despite the FPU’s die being larger than the CPU it accompanied. As for the unique stack-based register approach, this turned out to be mostly a hindrance, and it is the reason why the x87 FP instructions in the x86 ISA are still quite maligned today. Yet with careful use it provided a big boost over software floating point, which made it a success by that benchmark, even if MMX, SSE, and their successors reverted to a flat register file.

Using GIMP for visual analysis

Decapsulating A PIC12F683 To Examine Its CMOS Implementation

In a recent video, [Andrew Zonenberg] takes us through the process of decapsulating a PIC12F683 to take a peek at its CMOS implementation.

This is a multipart series with five parts done and more to come. The PIC12F683 is an 8-pin, flash-based, 8-bit microcontroller from Microchip. [Andrew] picked the PIC12F683 for decapsulation because back in 2011 it was the first microcontroller he broke read-protection on, and he wanted to go back and revisit this chip, particularly given that his resources and skills had advanced in the intervening period.

The five videos are a tour de force. He begins by taking a package cross section, then decapsulating and delayering. He collects high-resolution photos as he goes along. In the process, he takes some time to explain the dangers of working with acid and the risk mitigations he has in place. Then he does what he calls a “floorplan analysis” which takes stock of the entire chip before taking a close look at the SRAM implementation.

If you’re interested in decapsulating integrated circuits you might want to take a look at Laser Fault Injection, Now With Optional Decapping, A Particularly Festive Chip Decapping, or even read through the transcript of the Decapping Components Hack Chat With John McMaster.

Continue reading “Decapsulating A PIC12F683 To Examine Its CMOS Implementation”

Liberating AirPods With Bluetooth Spoofing

Apple’s AirPods can pair with their competitors’ devices and work as basic Bluetooth earbuds, but to no one’s surprise most of their really interesting features are reserved for Apple devices. What is surprising, though, is that simple Bluetooth device ID spoofing unlocks these features, a fact which [Kavish Devar] took advantage of to write LibrePods, an AirPods controller app for Android and Linux.

In particular, LibrePods lets you control noise reduction modes, use ear detection to pause and unpause audio, detect head gestures, reduce volume when the AirPods detect you’re speaking, work as configurable hearing aids, connect to two devices simultaneously, and configure a few other settings. Hearing-aid mode needs an audiogram, and you’ll have to supply an existing one, since creating an audiogram requires more precision than the app can provide. Of particular interest to hackers, the app has a debug mode to send raw Bluetooth packets to the AirPods. Unfortunately, a bug in the Android Bluetooth stack means that LibrePods requires root on most devices.

This isn’t the first time we’ve seen a hack enable hearing aid functionality without official Apple approval. However, while we have seen some people alter the hardware, AirPods can’t really be called hacker- or repair-friendly.

Thanks to [spiralbrain] for the tip!


Shelf Life Extended: Hacking E-Waste Tags Into Conference Badges

Ever wonder what happens to those digital price tags you see in stores once they run out of juice? In what is a prime example of e-waste, many of those digital price tags are made with non-replaceable batteries, so once their life is over they are discarded. Seeing an opportunity to breathe new life into these displays, [Tylercrumpton] went about converting them to be the official badge of the Phreaknic 26 conference.

Looking for a solution for a cheap display for the upcoming conference badge, [Tylercrumpton] recalled seeing the work [Aaron Christophel] did with reusing electronic shelf labels. Looking on eBay, he picked up a lot of 100 ZBD 55c-RB labels for just $0.70 a piece. When they arrived, he got to work liberating the displays from their plastic cases. The long-dead batteries in the devices ended up being easily removed, leaving behind just the display and the PCB that drives it.

Another hacker assisting with the badge project, [Mog], noticed that the spacing of the programming pads on the PCB was very close to the pin spacing of a DB9/DE9 connector. This led to a very clever hack for programming the badges: putting pogo pins into a female connector. The other end of the cable was connected to a TI CC Debugger, which was used to program the firmware on the displays. But along the way, even this part of the project got an upgrade: moving to an ESP32 for flashing firmware, allowing for firmware updates without a host computer.

The next challenge was how to handle customizing 200 unique badges for the conference. For this, each badge had a unique QR code embedded in the back of the 3D printed case that pointed to an online customization tool. The tool allowed the user to change which of the images was used for the background, as well as input the name they wanted to be displayed on the badge. Once finished, the server would provide a patched firmware image suitable for flashing the badge. The original intent was to have stations where attendees could plug in their badge and it would update itself; however, due to some 11th hour hiccups, that didn’t pan out for this conference. Instead, [Tylercrumpton] ran the update script on his machine, and it gave him a great opportunity to interact with conference attendees as they stopped by to update their badges.

For the Phreaknic 27 badge, the plan is to once again use electronic shelf labels, but this time to utilize some of the advanced features of the tags such as the EEPROM and wireless communications. We’re eager to see what the team comes up with.

Continue reading “Shelf Life Extended: Hacking E-Waste Tags Into Conference Badges”

Reverse Engineering The Miele Diagnostic Interface

The infrared transceiver installed on the washing machine. (Credit: Severin)

Since modern household appliances now have an MCU inside, they often have a diagnostic interface and, sometimes, more. Case in point: Miele washing machines, like the one that [Severin] recently fixed, after which the firmware became unhappy and refused to work. This fortunately turned out to be recoverable by clearing the MCU’s fault memory, but if you’re unlucky, you will have to recalibrate the machine, which requires very special and proprietary software.

Naturally, this led [Severin] down the path of investigating how exactly the Miele Diagnostic Utility (MDU) and the Program Correction (PC) interface communicate. Interestingly, the PC interface uses an infrared LED/receiver combination that’s often combined with a status LED, as indicated by a ‘PC’ symbol. This interface uses the well-known IrDA standard, but [Severin] still had to track down the serial protocol.

Continue reading “Reverse Engineering The Miele Diagnostic Interface”