scantron

Bubbles, Belts, And Bulbs: How The Scantron Works

Many of us remember back in our school days taking tests and filling out answers on a Scantron sheet, those long rows of A, B, C, D, and E that had to be filled in with a #2 pencil. Ever wonder why it needed a #2 pencil, or what the point of using a Scantron was at all? That question is answered in the latest video from [SimonRetro], where he takes a look at the Scantron and how it works.

One of the more interesting things about the Scantron is that it’s such a standalone device. No software needed, no keypad to mess with just two rocker switches. The on/off switch is also the way you tell it to forget the last answer sheet and allow you to program in a new test. Upon booting, you feed in a Scantron sheet with some specific boxes filled in, and then it’s programmed and ready to take in and grade all the students’ answers. Opening up the Scantron reveals it’s pretty interesting inside: one control board with early-’90s-era chips. There’s also a lightbulb (no LEDs) shining through the six reading sections of the card, as well as an arrangement of belts and motors to move the card through the machine. The printer is a seven-pin printer used in conjunction with a pair of ink rollers to print out the results on the cards.

[SimonRetro] also went ahead and tried different ways to mark the sheets including pens, Sharpies, colored pencils, and different thicknesses of pencils besides the #2 to see which would and wouldn’t work in the Scantron. Thanks [SimonRetro] for exploring this machine from many of our childhoods and sharing its inner workings. Be sure to check out some of our other reverse engineering articles that explore how classic devices work.

Continue reading “Bubbles, Belts, And Bulbs: How The Scantron Works”

Hacking A Reverse Osmosis Water Filter Through Its Smart Faucet

Reverse-osmosis (RO) systems are one way to ensure that you get very clean drinking water. The Waterdrop G3P600 variety that [Tomasz Wasilczyk] recently purchased is definitely among the fanciest and ‘smartest’, with the faucet having its own 7-segment display and gaggle of LEDs connected to the actual RO unit with a four-pin connector. This naturally meant that whatever protocol runs on this cable had to be reverse-engineered for science.

Now with more custom PCB. (Credit: Tomasz Wasilczyk)
Now with more custom PCB.

The main practical benefit here is to make the system smarter — such as plugging it into a home automation system with ESPHome support, as well as make it play nice with refrigerator lines.

What automation and monitoring options exist here thus depend on what data gets sent between the RO unit and the faucet. Fortunately this turned out to be quite extensive, ranging from filter health, the water quality and pump status as well as air temperature and faucet state.

Unsurprisingly the four-pin connector turned out to be a basic serial link, with 5 V, ground and a 9,600 baud connection. From this it was easy enough to deduce the protocol, and by looking at what lit up on the faucet, a custom PCB wasn’t far behind.

After one blown-up fuse later due to getting 24 V instead of 12 V on the RO unit when tapping off power, the unit popped to life and was able to be connected to Home Assistant, from where the entire functionality and what triggered what could be mapped out. Of course, there’s still more to be discovered and reverse-engineered in the unit, but this seems like a good place to start.

Hacking The Mi Band 10 Smart Band And Its Bestechnic SoC

In between playing Doom on the most ergonomically challenged devices, [Aaron Christophel] likes to take a relaxing break with reverse-engineering Xiaomi Mi Band fitness trackers and writing custom firmware for them. Also so that he can play more Doom on those, natch. The latest subject comes in the form of the Mi Band 10, which features a BES2700iMP SoC, known internally at the manufacturer Bestechnic as the BEST1503. This is all documented on the GitHub project.

In the accompanying video we get some more details on this project, with the main challenge being that for this Mi Band 10 there’s no public SDK for its SoC. This was a major bummer until [Aaron] realized that the BEST1306 (BES2700IHC) is effectively the same SoC, but with a leaked SDK available via apparently audio-focused development kits. From there a BEST1503-compatible SDK could be assembled.

Naturally, to check that all of this was working correctly Doom was ported to the device courtesy of the GBADoom project. This mostly works aside from the display running in single-bit SPI mode instead of quad-SPI that it should be capable of, along with limited color depth. Despite burning all the tokens on the Claude, this provided little help, probably because the required information hasn’t leaked out of Bestechnic yet and ended up in the training data set.

Since the Mi Band 9 uses the same SoC, it’s expected that this reverse-engineered SDK will also work for that fitness band, though that hasn’t been tested yet.

Continue reading “Hacking The Mi Band 10 Smart Band And Its Bestechnic SoC”

8087's 4-bit adder block. (Credit: Ken Shirriff)

The Adder At The Heart Of Intel’s 8087 FPU

As simple as the concept of adding two numbers appears at first glance, doing it in the 1970s in Intel’s 8087 FPU with its 69-bit adder was still a tall order. This is namely the core feature that many features like tangents, cosines and exponentiation rely on, so it had to be basically perfect. In a recent die-level analysis of the 8087 [Ken Shirrif] dives into the structure, layout and functioning of this ‘beating heart’ of this piece of semiconductor history.

The Intel 8087 adder and associated registers. (Credit: Intel)
The Intel 8087 adder and associated registers. (Credit: Intel)

Although anyone can build a simple binary adder out of off-the-shelf parts including 74-series logic ICs, the problem is to make it fast so that the 69th bit doesn’t have to wait for e.g. a carry to trickle all the way through the preceding bits. The main way that this is solved is by breaking addition into 4-bit blocks, reducing the problem by a factor of four, along with an optimized Manchester carry-chain carry-lookahead implementation.

The main advantage of this variation of a carry-lookahead is that it reduces the number of required transistors, without sacrificing too much performance. Later on Intel would switch to the faster, but more transistor-intensive Kogge-Stone adder.

Implementing this entire adder with NMOS technology and wiring it all up to the rest of the die required a lot of ingenuity on the side of the Intel engineers, as previously noted this adder is effectively always used in any operation at some stage. This necessitates many surrounding registers and in turn circuitry to manage these, with part of the complexity handled in microcode and part in silicon.

Honda Civics And Installing Software With Android Test Keys

As more and more of the ‘smart’ infotainment systems in cars begin to age out of support, it becomes increasingly more relevant to figure out how to do something with that lump of computer-and-display sitting prominently in the dashboard.

Here [Eric McDonald]’s reverse-engineering of the 2012-era Android-based infotainment system in a 2021 Honda Civic is an interesting case study, with recently the discovery made that the head unit of these infotainment systems can be updated via USB by using standard Android Open Source Project (AOSP) test keys as these were left on the file system.

This is a nice update to his initial reverse-engineering back in the innocent days of 2023, when such a facepalm-worthy exploit seemed unimaginable, but then the ‘s’ in ‘infotainment’ has always stood for ‘security’. In this exploit that [Eric] calls the EvilValet attack, it means that anyone with physical access to the USB port inside the car can theoretically run arbitrary code signed with these test keys, as documented in the GitHub project.

So far this rather foolish security issue has only been confirmed on [Eric]’s 2021 Honda Civic, but considering how those – often third-party – infotainment systems tend to get reused and recycled across generations and car variants, it’s quite possible that more Android-based infotainment systems have this vulnerability.

This exploit is obviously a double-edged sword, as on one hand it’s great that an owner of one of these cars can now basically do whatever they want with said infotainment system, but on the other hand it means that anyone who slides into your car with a USB stick can do the same.

Poking Around With JTAG On A Guitar Amp

You would think a guitar amplifier would be a straightforward piece of analog electronics. But, of course, these days, everything has firmware, including [mforney]’s Yamaha THR10c. The service manual showed both a UART and JTAG header on the schematic, so as many of us would, he took that as a challenge.

Of course, the production board doesn’t have headers for these ports, but that’s not a real problem. The serial port seemed quiet, but the JTAG port was more productive. This revealed two binary images: a bootloader and the main firmware. Once you have the code, it is a straightforward, if not laborious, process to reverse engineer what the code does.

The next step is to figure out how to load new firmware. You can see in the post that this was done, and custom features sprang into life with custom-patched firmware.

We never get tired of seeing people dig into consumer devices like this. Things like JTAG and the wide availability of JTAG tools have made it easier but no less fun. Of course, there are even more features [mforney] has in mind, but now that’s just a matter of coding.

Autopsy Of A Failed Vintage Carbon Resistor

Detail of the lead connecting to the inner carbon-filled tube. (Credit: CuriousMarc)
Detail of the lead connecting to the inner carbon-filled tube. (Credit: CuriousMarc)

Although resistors are hardly among the most exciting components, they are arguably one of the most important ones, as anyone who has done any amount of circuit design and debugging can attest to. So too with a single carbon resistor in a vintage Metrix oscilloscope that [CuriousMarc] recently repaired. After recapping the board there was still a major issue that got traced down to said resistor. After replacing it with a fresh resistor obviously this meant doing an autopsy to see why the old resistor had failed.

The 20 kOhm-rated resistor looked fine on the outside, with no obvious damage or discoloration, but it measured around 0.843 MOhm. To get to the insides [CuriousMarc] asked his friend [TubeTime] on how to proceed. The answer here was sandpaper and a lot of patience, and thus the experiment to see how much sanding it takes to get to the core of a fairly big resistor commenced.

Ultimately the insides were revealed, and they turned out to be rather interesting, with what looked like a glass tube filled with what would be the carbon-laden material between the two lead terminals. From poking around a bit at these insides it would appear that the failure mode was a degraded contact between these terminals and the carbon material. Considering that this resistor is many decades old and has gone through many thermal cycles and potentially various kinetic events some fractures are probably to be expected.

Perhaps most fascinating is the construction of this carbon resistor that looks to be a step above that of the average carbon resistor that [TubeTime] has taken apart over the years.

Continue reading “Autopsy Of A Failed Vintage Carbon Resistor”