Reverse Engineering

294 Articles

The Defunct Scooter Company, And The Default Key

January 23, 2026 by 4 Comments

Äike were an Estonian scooter company, which sadly went bust last year. [Rasmus Moorats] has one, and since the app and cloud service the scooter depends on have lost functionality, he decided to reverse engineer it. Along the way he achieved his goal, but found a vulnerability that unlocks all Äike scooters.

The write-up is a tale of app and Bluetooth reverse engineering, ending with the startling revelation of a hardcoded key that’s simply “ffffffffffffffff”. From that he can unlock and interact with any Äike scooter, except for a subset that were used as hire scooters and didn’t have Bluetooth. Perhaps of more legitimate use is the reverse engineering of the scooter functionality.

What do you do when you find a vulnerability in a product whose manufacturer has gone? He reported to the vendor of the IoT module inside the scooter, who responded that the key was a default value that should have been changed by the Äike developers. Good luck, should you own one of these machines.

Meanwhile, scooter hacking is very much a thing for other manufacturers too.

Converting A Nebra Cryptocurrency Miner To A Meshcore Repeater

January 22, 2026 by 5 Comments

After the swivel by Helium Inc. towards simply running distributed WiFi hotspots after for years pushing LoRaWAN nodes, much of the associated hardware became effectively obsolete. This led to quite a few of these Nebra LoRa Miners getting sold off, with the [Buy it Fix it] channel being one of those who sought to give these chunks of IP-67-rated computing hardware a new life.

Originally designed to be part of the Helium Network Token (HNT) cryptocurrency mining operation, with users getting rewarded by having these devices operating, they contain fairly off-the-shelf hardware. As can be glanced from e.g. the Sparkfun product page, it’s basically a Raspberry Pi Compute Module 3+ on a breakout board with a RAK 2287 LoRa module. The idea in the video was to convert it into a Meshcore repeater, which ought to be fairly straightforward, one might think.

Unfortunately the unit came with a dead eMMC chip on the compute module, the LoRa module wasn’t compatible with Meshcore, and the Nebra breakout board only covers the first 24 pins of the standard RPi header on its pin header.

Continue reading “Converting A Nebra Cryptocurrency Miner To A Meshcore Repeater”

Repair And Reverse-Engineering Of Nespresso Vertuo Next Coffee Machines

January 21, 2026 by 34 Comments
Well there’s your problem. (Credit: Mark Funeaux, YouTube)

Akin to the razor-and-blades model, capsule-based coffee machines are an endless grind of overpriced pods and cheaply made machines that you’re supposed to throw out and buy a new one of, just so that you don’t waste all the proprietary pods you still have at home. What this also means is a seemingly endless supply of free broken capsule coffee makers that might be repairable. This is roughly how [Mark Furneaux] got into the habit of obtaining various Nespresso VertuoLine machines for attempted repairs.

The VirtuoLine machines feature the capsule with a bar code printed on the bottom of the lip, requiring the capsule to be spun around so that it can be read by the optical reader. Upon successful reading, the code is passed to the MCU after which the brewing process is either commenced or cruelly halted if the code fails. Two of the Vertuo Next machines that [Mark] got had such capsule reading errors, leading to a full teardown of the first after the scanner board turned out to work fine.

Long story short and many hours of scrubbed footage later, one machine was apparently missing the lens assembly on top of the photo diode and IR LED, while the other simply had these lenses gunked up with spilled coffee. Of course, getting to this lens assembly still required a full machine teardown, making cleaning it an arduous task.

Unfortunately the machine that had the missing lens assembly turned out to have another fault which even after hours of debugging remained elusive, but at least there was one working coffee machine afterwards to make a cup of joe to make [Mark] feel slightly better about his life choices. As for why the lens assembly was missing, it’s quite possible that someone else tried to repair the original fault, didn’t find it, and reassembled the machine without the lens before passing the problem on to the next victim.

Continue reading “Repair And Reverse-Engineering Of Nespresso Vertuo Next Coffee Machines”

Hacking The Krups Cook4Me Smart Cooking Pot For Doom

January 13, 2026 by 7 Comments

With more and more kitchen utilities gaining touch screens and capable microcontrollers it’d be inconceivable that they do not get put to other uses as well. To this end [Aaron Christophel] is back with another briefly Doom-less device in the form of the Krups Cook4Me pressure cooking pot with its rather sizeable touch screen and proclaimed smarts in addition to WiFi and an associated smartphone app.

Inside is an ESP32 module for the WiFi side, with the brains of the whole operation being a Renesas R7S721031VC SoC with a single 400 MHz Cortex-A9. This is backed by 128 MB of Flash and 128 MB of RAM. The lower touch interface is handled by a separate Microchip PIC MCU to apparently enable for low standby power usage until woken up by touch.

The developers were nice enough to make it easy to dump the firmware on the SoC via SWD, allowing for convenient reverse-engineering and porting of Doom. With the touch screen used as the human input device it was actually quite playable, and considering the fairly beefy SoC, Doom runs like a dream. Sadly, due to the rarity of this device, [Aaron] is not releasing project files for it.

As for why a simple cooking pot needs all of this hardware, the answer is probably along the lines of ‘because we can’.

Continue reading “Hacking The Krups Cook4Me Smart Cooking Pot For Doom

The Intel 8087 And Conditional Microcode Tests

January 11, 2026 by 19 Comments

Continuing his reverse-engineering of the Intel 8087, [Ken Shirriff] covers the conditional tests that are implemented in the microcode of this floating point processing unit (FPU). This microcode contains the details on how to perform the many types of specialized instructions, like cos and arctan, all of which decode into many microcode ops. These micro ops are executed by the microcode engine, which [Ken] will cover in more detail in an upcoming article, but which is effectively its own CPU.

Conditional instructions are implemented in hardware, integrating the states of various functional blocks across the die, ranging from the instruction decoder to a register. Here, the evaluation is performed as close as possible to the source of said parameter to save on wiring.

Implementing this circuitry are multiplexers, with an example shown in the top die shot image. Depending on the local conditions, any of four pass transistors is energized, passing through that input. Not shown in the die shot image are the inverters or buffers that are required with the use of pass transistors to amplify the signal, since pass transistors do not provide that feature.

Despite how firmly obsolete the 8087 is today, it still provides an amazing learning opportunity for anyone interested in ASIC design, which is why it’s so great that [Ken] and his fellow reverse-engineering enthusiasts keep plugging away at recovering all this knowledge.

Reverse-Engineering The Tamagotchi IR Connection

January 10, 2026 by 7 Comments

The Tamagotchi Connection is a series of Tamagotchi toys that took the original portable pet concept and mixed things up with a wireless connection, which allowed you to interact with the pets of other proud Tamagotchi owners. This wireless connection is implemented using an infrared transceiver, somewhat like IrDA, but as [Zach Resmer] discovered while reverse-engineering this connection, it’s actually what is called ‘Nearly NEC’ by [Natalie Silvanovich], who has a GitHub repository full of related Tamagotchi hacking tools and ROM dumps.

With the protocol figured out, creating a transceiver for low-bitrate infrared communication isn’t particularly hard. In this case, it was implemented using an RP2040 MCU and an appropriate IR LED and receiver pair. This Tamagometer project was also implemented as an app for the Flipper Zero, and a custom PCB called the Pico TamaBadge by [Daniel Weidman].

There’s a web application associated with [Zach]’s project using a Web Serial-enabled browser (i.e. Chrome). The serial protocol is somewhat documented in the patent for the device’s connection feature, which makes it relatively easy to implement yourself.

The Issue With Wii U Gamepads And How To Clone Them

January 8, 2026 by 12 Comments
The Wii U running Mario Kart with the Gamepad duplicating the main screen. (Credit: MattKC, YouTube)
The Wii U running Mario Kart with the Gamepad duplicating the main screen. (Credit: MattKC, YouTube)

How hard would it be to clone the Wii U gamepad, the quirky controller with its unique embedded screen? This is the question that [MattKC] faced as he noticed the complete lack of Wii U gamepad replacements from either Nintendo or third-parties, leading him down the rabbit hole of answering said question.

Although unloved and even despised in compared to the Nintendo Wii, the Wii U was a solid system in its own right. One of its interesting additions was the gamepad controller, whose screen games used for features like a private screen during multiplayer and 3DS-like map screens. Its main weakness is however that the Wii U gamepad was considered an irreplaceable part of the console, which is obviously not fun if your gamepad breaks and your console along with it.

The Wii U console and gamepad communicate via 5 GHz 802.11n WiFi, but in order to deter other parties from simply hopping onto the access point, Nintendo slightly obfuscated this WiFi standard. Specifically the WPA authentication was modified by a byte swap in the PTK, rendering every existing WiFi stack incompatible with the Wii U.

Continue reading “The Issue With Wii U Gamepads And How To Clone Them”