Reverse Engineering

211 Articles

Supercon 2024 SAO Petal KiCad Redrawing Project

November 19, 2024 by 4 Comments

Last week I completed the SAO flower badge redrawing task, making a complete KiCad project. Most of the SAO petals are already released as KiCad projects, except for the Petal Matrix. The design features 56 LEDs arranged in eight spiral arms radiating from the center. What it does not feature are straight lines, right angles, nor parts placed on a regular grid.

Importing into KiCad

Circuit Notes for LEDs, Thanks to [spereinabox]
I followed the same procedures as the main flower badge with no major hiccups. This design didn’t have any released schematics, but backing out the circuits was straightforward. It also helped that user [sphereinabox] over on the Hackaday Discord server had rung out the LED matrix connections and gave me his notes.

Grep Those Positons

I first wanted to only read the data from the LEDs for analysis, and I didn’t need the full Kicad + Python scripting for that. Using grep on the PCB file, you get a text file that can be easily parsed to get the numbers. I confirmed that the LED placements were truly as irregular as they looked.

My biggest worry was how obtain and re-apply the positions and angles of the LEDs, given the irregular layout of the spiral arms. Just like the random angles of six SAO connector on the badge board, [Voja] doesn’t disappoint on this board, either. I fired up Python and used Matplotlib to get a visual perspective of the randomness of the placements, as one does. Due to the overall shape of the arms, there is a general trend to the numbers. But no obvious equation is discernable.

Continue reading “Supercon 2024 SAO Petal KiCad Redrawing Project”

Bypassing Airpods Hearing Aid Georestriction With A Faraday Cage

November 15, 2024 by 53 Comments

When Apple recently announced the hearing aid feature on their new AirPods Pro 2, it got the attention of quite a few people. Among these were [Rithwik Jayasimha] and friends, with [Rithwik] getting a pair together with his dad for use by his hard-of-hearing grandmother. That’s when he found out that this feature is effectively limited to the US and a small number of other countries due them being ‘regulated health features’, per Apple. With India not being on the approved countries list and with no interest in official approval legalities, [Rithwik] set to work to devise a way to bypass this restriction.

As noted in the blog post, the primary reason for using AirPods here instead of official hearing aids is due to the cost of the latter, which makes them a steal for anyone who is dealing with mild to moderate hearing loss. Following the official Hearing Aid feature setup instructions requires that your location is detected as being in an approved country. If it is, the Health App (on iOS 18.1) will popup a ‘Get Started’ screen. The challenge was thus to make the iOS device believe that it was actually in the FDA-blessed US and not India.

Merely spoofing the location and locale didn’t work, so the next step was to put the iOS device into a Faraday cage along with an ESP32 that broadcast California-based WiFi SSIDs. Once the thus treated iPad rebooted into the US, it could be used to enable the hearing aid feature. Next [Rithwik] and friends created a more streamlined setup and procedure to make it possible for others to replicate this feat.

As also noted in the blog post, the Hearing Aid feature is essentially a specially tuned Transparency mode preset, which is why using AirPods for this feature has been a thing for a while, but with this preset it’s much better tuned for cases of hearing loss.

Bluetooth Dongle Gives Up Its Secrets With Quick Snooping Hack

November 14, 2024 by 3 Comments

There’s a lot going on in our wireless world, and the number of packets whizzing back and forth between our devices is staggering. All this information can be a rich vein to mine for IoT hackers, but how do you zero in on the information that matters? That depends, of course, but if your application involves Bluetooth, you might be able to snoop in on the conversation relatively easily.

By way of explanation, we turn to [Mark Hughes] and his Boondock Echo, a device we’ve featured in these pages before. [Mark] needed to know how long the Echo would operate when powered by a battery bank, as well as specifics about the power draw over time. He had one of those Fnirsi USB power meter dongles, the kind that talks to a smartphone app over Bluetooth. To tap into the conversation, he enabled Host Control Interface logging on his phone and let the dongle and the app talk for a bit. The captured log file was then filtered through WireShark, leaving behind a list of all the Bluetooth packets to and from the dongle’s address.

That’s when the fun began. Using a little wetware pattern recognition, [Mark] was able to figure out the basic structure of each frame. Knowing the voltage range of USB power delivery helped him find the bytes representing voltage and current, which allowed him to throw together a Python program to talk to the dongle in real-time and get the critical numbers.

It’s not likely that all BLE-connected devices will be as amenable to reverse engineering as this dongle was, but this is still a great technique to keep in mind. We’ve got a couple of applications for this in mind already, in fact.

Continue reading “Bluetooth Dongle Gives Up Its Secrets With Quick Snooping Hack”

Fail Of The Week: Subscription EV Charger Becomes Standalone, Briefly

November 1, 2024 by 48 Comments

At this point in the tech dystopia cycle, it’s no surprise that the initial purchase price of a piece of technology is likely not the last payment you’ll make. Almost everything these days needs an ongoing subscription to do whatever you paid for it to do in the first place. It’s ridiculous, especially when all you want to do is charge your electric motorcycle with electricity you already pay for; why in the world would you need a subscription for that?

That was [Maarten]’s question when he picked up a used EVBox wall mount charger, which refused to charge his bike without signing up for a subscription. True, the subscription gave access to all kinds of gee-whiz features, none of which were necessary for the job of topping off the bike’s battery. A teardown revealed a well-built device with separate modules for mains supply and battery charging, plus a communications module with a cellular modem, obviously the bit that’s phoning home and keeping the charger from working without the subscription.

Continue reading “Fail Of The Week: Subscription EV Charger Becomes Standalone, Briefly”

Supercon 2024 Flower SAO Badge Redrawing In KiCad

October 31, 2024 by 12 Comments

Out of curiosity, I redrew the Supercon Vectorscope badge schematics in KiCad last year. As you might suspect, going from PCB to schematic is opposite to the normal design flow of KiCad and most other PCB design tools. As a result, the schematics and PCB of the Vectorscope project were not really linked. I decided to try it again this year, but with the added goal of making a complete KiCad project. As usual, [Voja] provided a well drawn schematic diagram in PDF and CorelDRAW formats, and a PCB design using Altium’s Circuit Maker format (CSPcbDoc file). And for reference, this year I’m using KiCad v8 versus v7 last year.

Importing into KiCad

This went smoothly. KiCad imports Altium files, as I discovered last year. Converting the graphic lines to traces was easier than before, since the graphical lines are deleted in the conversion process. There was a file organizational quirk, however. I made a new, empty project and imported the Circuit Maker PCB file. It wasn’t obvious at first, but the importing action didn’t make use the new project I had just made. Instead, it created a completely new project in the directory holding the imported Circuit Maker file. This caused a lot of head scratching when I was editing the symbol and footprint library table files, and couldn’t figure out why my edits weren’t being seen by KiCad.  I’m not sure what the logic of this is, was an easy fix once you know what’s going on. I simply copied everything from the imported project and pasted it in my new, empty project. Continue reading “Supercon 2024 Flower SAO Badge Redrawing In KiCad”

Tearing Down Nintendo’s Alarmo Alarm Clock

October 30, 2024 by 5 Comments
All your Nintendo Alarmo are belong to mew~ (Credit: GaryOderNichts, Blogspot)

Most of us will probably have seen Nintendo’s latest gadget pop up recently. Rather than a Switch 2 announcement, we got greeted with a Nintendo-branded alarm clock. Featuring a 2.8″ color LCD and a range of sensors, it can detect and respond to a user, and even work as an alarm clock for the low, low price of €99. All of which takes the form of Nintendo-themed characters alongside some mini-games. Naturally this has led people like [Gary] to buy one to see just how hackable these alarm clocks are.

As can be expected from a ‘smart’ alarm clock it has 2.4 GHz WiFi connectivity for firmware and content download, as well as a 24 GHz millimeter wave presence sensor. Before [Gary] even had received his Alarmo, others had already torn into their unit, uncovering the main MCU (STM32H730ZBI6) alongside a 4 GB eMMC IC, as well as the MCU’s SWD pads on the PCB. This gave [Gary] a quick start with reverse-engineering, though of course the MCU was protected (readout protection, or RDP) against firmware dumps, but the main firmware could be dumped from the eMMC without issues.

After this [Gary] had a heap of fun decrypting the firmware, which seems to always get loaded into the external octal SPI RAM before execution, as per the boot sequence (see featured image). This boot sequence offers a few possibilities for inserting one’s own (properly signed) contents. As it turns out via the USB route arbitrary firmware binaries can be loaded, which provided a backdoor to defeat RDP. Unfortunately the MCU is further locked down with Secure Access Mode, which prevents dumping the firmware again.

So far firmware updates for the Alarmo have not nailed shut the USB backdoor, making further reverse-engineering quite easy for the time being. If you too wish to hack your Alarmo and maybe add some feline charm, you can check [Gary]’s GitHub project.

Have You Heard Of The Liquid Powder Display?

October 12, 2024 by 10 Comments

Over the decades the technology behind flat panel displays has continuously evolved, and we’ve seen many of them come and go. Among the popular ones there are a few that never quite made the big time, usually because a contemporary competitor took their market. An example is in a recent [Wenting Zhang] video, a mystery liquid powder display. We’d never heard of it, so we were intrigued.

The first segment of the video is an examination of the device, and a comparison with similar-looking ones such as a conventional LCD, or a Sharp Memory LCD. It’s clearly neither of those, and the answer finally came after a lot of research. A paper described a “Quick response liquid powder” as a mechanism for a novel display, and thus it was identified. It works by moving black and white electrically charged powder to flip a pixel from black to white, and its operation is not dissimilar to the liquid-based e-ink displays which evidently won that particular commercial battle.

The process of identifying the driver chip and pinout should be an essential watch for anyone with an interest in display reverse engineering. After a lot of adjusting timing and threshold voltages the dead pixels and weird effects fall away, and then it’s possible to display a not-too-high-quality image on this unusual display, through a custom PCB with an RP2040. Take a look at the video below the break.

We’ve seen [Wenting Zhang]’s work here a few times before, most recently in a very impressive mirror-less camera project.

Continue reading “Have You Heard Of The Liquid Powder Display?”