Documenting The IR Protocol Of The PumpSaver Plus Device

Having a pump in a remote location where you aren’t constantly monitoring it is a common scenario, which can be unfortunate when said pump runs into problems like a dry well, jammed impeller or power issues. This is where pump monitors like the older SymCom (now Littelfuse) PumpSaver Plus 233P will protect the pump if such conditions are detected. Of course, the infrared communication port on it uses an undocumented protocol that was meant to be used with a long-since discontinued handheld device. Ergo [Elizabeth Camporeale] saw fit to reverse-engineer this protocol.

In the installation manual for this device this Informer unit is briefly mentioned along with the information it will display on its screen, making it clear that it’s quite literally just there to act as a display for the information that’s constantly generated on this interface. Naturally, this is incredibly useful if you wish to tie the system into a wider monitoring and automation system.

Somewhat unusual, this IR interface on the used 233P-1.5 unit turned out to be use a 5,000 baud NRZ, MSB-first protocol, with the juicy details fully documented and a Python-based decoder implementation provided.

Naturally [Elizabeth] didn’t just reverse-engineer this for the fun of it, but also for ESPHome integration. This uses a setup as can be seen in the top image, with an ESP32-C6 module providing the processing power and Wi-Fi, with a standard phototransistor recording the data pumped out by the pump monitor.

Hacking Amazon Echo Show 8 3rd Gen Via UART And EMMC

Even with Amazon’s Echo Show devices running Linux in the form of the Android-derived FireOS, using them for non-Amazon approved purposes can be a chore at best. In the case of the Echo Show 8 even simple workarounds using ADB and the bootloader have been locked-down, requiring more drastic measures. Here [Vowed] over at the XDA forums shows off one such hack, involving directly tapping into the device’s eMMC.

Suffice it to say that this is not a hack for the faint of heart, with even the iFixit teardown guide for this device being rather daunting. Even after you get access to the mainboard, you still have to remove or cut open the metal can that covers the eMMC, so that you can unleash an eMMC programmer on it. It’s best to make sure to make a backup image of the original contents too, just in case you have to restore things.

With the shield out of the way you can solder fine wires to pads that connect to the eMMC to program it. You also have to solder wires to pads for the UART, though if you’re fancy you can also create a custom pogo pin adapter. With a serial connection established to the original firmware you can then enable features like ADB, and courtesy of the connected eMMC adapter it’s possible to directly alter system files to make rooting as easy as possible.

In addition to rooting the system you can also do a straight replacement of the eMMC contents, such as the demonstrated Debian installation. Even if not the most easy of mods, it’s good to see that it’s possible to repurpose these devices.

(Top image: Amazon Echo Show 8 3rd generation mainboard. Credit: iFixit, CC BY-NC-SA 3.0.)

Reverse Engineering And Self-Hosting The OBI Smart Energy Tracker

Sold by German DIY store OBI, the OBI Energy Tracker is a €15 set of two devices, one of which you essentially stick on top of your existing electricity meter. This then allows for electricity usage to be measured and tracked, with the data sent to the second, gateway device. This latter cloud-bound device is linked to an OBI account via the heyOBI app. This correspondingly called for the gateway device to be reverse-engineered and freed from its cloud-based shackles, a task that [Aaron Christophel] happily took upon himself.

The whole process is also covered in two videos, with the first providing all the essentials on reprovisioning the original firmware for a local MQTT server in English, while the second, German-language video focuses on custom firmware for the ESP32-C3 inside of the gateway device.

Inside the reader device is a Cortex-M0+-based BAT32G135 MCU that communicates with the meter via its IR protocol. This is then communicated via 868 MHz LoRa to the gateway device that will be placed somewhere within Wi-Fi reach by the user. Inside this latter device is as mentioned the ESP32-C3, which by default runs firmware that communicates via secure MQTT with an AWS cloud instance for the typical cloud-based shenanigans.

The aforementioned reprovisioning option doesn’t require firmware flashing, just a handful of steps to follow. This involves fetching the 32-bit TEA key, generating your own PKI, running your own MQTTS-capable broker and having the provided Python script handle the rest from there.

Flashing custom firmware is the other option, with straightforward UART/JTAG reflashing sadly disabled by the manufacturer. With the effort required here you could perhaps argue that simply connecting the reader device to a custom gateway device might be a lot easier, especially if you already have a LoRa transceiver and associated hardware.

Continue reading “Reverse Engineering And Self-Hosting The OBI Smart Energy Tracker”

scantron

Bubbles, Belts, And Bulbs: How The Scantron Works

Many of us remember back in our school days taking tests and filling out answers on a Scantron sheet, those long rows of A, B, C, D, and E that had to be filled in with a #2 pencil. Ever wonder why it needed a #2 pencil, or what the point of using a Scantron was at all? That question is answered in the latest video from [SimonRetro], where he takes a look at the Scantron and how it works.

One of the more interesting things about the Scantron is that it’s such a standalone device. No software needed, no keypad to mess with just two rocker switches. The on/off switch is also the way you tell it to forget the last answer sheet and allow you to program in a new test. Upon booting, you feed in a Scantron sheet with some specific boxes filled in, and then it’s programmed and ready to take in and grade all the students’ answers. Opening up the Scantron reveals it’s pretty interesting inside: one control board with early-’90s-era chips. There’s also a lightbulb (no LEDs) shining through the six reading sections of the card, as well as an arrangement of belts and motors to move the card through the machine. The printer is a seven-pin printer used in conjunction with a pair of ink rollers to print out the results on the cards.

[SimonRetro] also went ahead and tried different ways to mark the sheets including pens, Sharpies, colored pencils, and different thicknesses of pencils besides the #2 to see which would and wouldn’t work in the Scantron. Thanks [SimonRetro] for exploring this machine from many of our childhoods and sharing its inner workings. Be sure to check out some of our other reverse engineering articles that explore how classic devices work.

Continue reading “Bubbles, Belts, And Bulbs: How The Scantron Works”

Hacking A Reverse Osmosis Water Filter Through Its Smart Faucet

Reverse-osmosis (RO) systems are one way to ensure that you get very clean drinking water. The Waterdrop G3P600 variety that [Tomasz Wasilczyk] recently purchased is definitely among the fanciest and ‘smartest’, with the faucet having its own 7-segment display and gaggle of LEDs connected to the actual RO unit with a four-pin connector. This naturally meant that whatever protocol runs on this cable had to be reverse-engineered for science.

Now with more custom PCB. (Credit: Tomasz Wasilczyk)
Now with more custom PCB.

The main practical benefit here is to make the system smarter — such as plugging it into a home automation system with ESPHome support, as well as make it play nice with refrigerator lines.

What automation and monitoring options exist here thus depend on what data gets sent between the RO unit and the faucet. Fortunately this turned out to be quite extensive, ranging from filter health, the water quality and pump status as well as air temperature and faucet state.

Unsurprisingly the four-pin connector turned out to be a basic serial link, with 5 V, ground and a 9,600 baud connection. From this it was easy enough to deduce the protocol, and by looking at what lit up on the faucet, a custom PCB wasn’t far behind.

After one blown-up fuse later due to getting 24 V instead of 12 V on the RO unit when tapping off power, the unit popped to life and was able to be connected to Home Assistant, from where the entire functionality and what triggered what could be mapped out. Of course, there’s still more to be discovered and reverse-engineered in the unit, but this seems like a good place to start.

Hacking The Mi Band 10 Smart Band And Its Bestechnic SoC

In between playing Doom on the most ergonomically challenged devices, [Aaron Christophel] likes to take a relaxing break with reverse-engineering Xiaomi Mi Band fitness trackers and writing custom firmware for them. Also so that he can play more Doom on those, natch. The latest subject comes in the form of the Mi Band 10, which features a BES2700iMP SoC, known internally at the manufacturer Bestechnic as the BEST1503. This is all documented on the GitHub project.

In the accompanying video we get some more details on this project, with the main challenge being that for this Mi Band 10 there’s no public SDK for its SoC. This was a major bummer until [Aaron] realized that the BEST1306 (BES2700IHC) is effectively the same SoC, but with a leaked SDK available via apparently audio-focused development kits. From there a BEST1503-compatible SDK could be assembled.

Naturally, to check that all of this was working correctly Doom was ported to the device courtesy of the GBADoom project. This mostly works aside from the display running in single-bit SPI mode instead of quad-SPI that it should be capable of, along with limited color depth. Despite burning all the tokens on the Claude, this provided little help, probably because the required information hasn’t leaked out of Bestechnic yet and ended up in the training data set.

Since the Mi Band 9 uses the same SoC, it’s expected that this reverse-engineered SDK will also work for that fitness band, though that hasn’t been tested yet.

Continue reading “Hacking The Mi Band 10 Smart Band And Its Bestechnic SoC”

8087's 4-bit adder block. (Credit: Ken Shirriff)

The Adder At The Heart Of Intel’s 8087 FPU

As simple as the concept of adding two numbers appears at first glance, doing it in the 1970s in Intel’s 8087 FPU with its 69-bit adder was still a tall order. This is namely the core feature that many features like tangents, cosines and exponentiation rely on, so it had to be basically perfect. In a recent die-level analysis of the 8087 [Ken Shirrif] dives into the structure, layout and functioning of this ‘beating heart’ of this piece of semiconductor history.

The Intel 8087 adder and associated registers. (Credit: Intel)
The Intel 8087 adder and associated registers. (Credit: Intel)

Although anyone can build a simple binary adder out of off-the-shelf parts including 74-series logic ICs, the problem is to make it fast so that the 69th bit doesn’t have to wait for e.g. a carry to trickle all the way through the preceding bits. The main way that this is solved is by breaking addition into 4-bit blocks, reducing the problem by a factor of four, along with an optimized Manchester carry-chain carry-lookahead implementation.

The main advantage of this variation of a carry-lookahead is that it reduces the number of required transistors, without sacrificing too much performance. Later on Intel would switch to the faster, but more transistor-intensive Kogge-Stone adder.

Implementing this entire adder with NMOS technology and wiring it all up to the rest of the die required a lot of ingenuity on the side of the Intel engineers, as previously noted this adder is effectively always used in any operation at some stage. This necessitates many surrounding registers and in turn circuitry to manage these, with part of the complexity handled in microcode and part in silicon.