Reverse-Engineering A Russian Tornado-S Guidance Circuit Board

With Russian military hardware quite literally raining down onto the ground in Ukraine, it’s little wonder that a sizeable number of PCBs and other parts from these end up being sold on eBay. That is where [msylvain] obtained a guidance board from a 300 mm Tornado-S 9M542 GLONASS-guided projectile for some exploration and reverse-engineering. The first interesting surprise was that the board was produced in February of 2023, even though the Tornado-S system began production in 2016.

Presumed location of the PCB under investigation in the Tornado-S rocket.

The 9M542 and similar rocket projectiles are designed to reach their designated area with as much precision as possible, which is where the guidance system comes into play. Using both GLONASS and inertial navigation, the rocket’s stack of PCBs (pictured) is supposed to process the sensor information and direct the control system, which for the 9M542 consists of four canards. The board that [msylvain] is looking at appears to be one of the primary PCBs, containing some DC-DC and logic components, as well as three beefy gate arrays (ULAs). While somewhat similar to FPGAs, these are far less configurable, which is why the logic ICs around them are needed to tie everything together. Gate array technology was phased out globally by the 1990s due to competition from FPGAs, which makes this dual-sided PCB both very modern and instantly vintage.

This is where a distinct 1980s Soviet electronics vibe begins: while noting the function of each identified IC, it becomes clear that these are produced by the same Soviet-era factories, just with date stamps ranging from 2018 onwards and in surface-mount DIP-sized packages rather than through-hole.


PDP-11 Trouble With A Ruthless Power Supply Issue

After [David Lovett] of [Usagi Electric] was donated a few cars full of DEC PDP-11 minicomputers of various flavors and vintages, he passed on most of them to loving homes, but kept a few of them himself. One goal of this was to put together a PDP-11 system that could be more easily taken to vintage computer shows than the ‘rollable’ PDP-11s he had access to before. Of the 1980s PDP-11s, the first-generation Large Scale Integration (LSI) PDP-11/03 system (one of the so-called Q-Bus models) is among the smallest, taking up about as much space as a 1980s desktop PC, while still supporting the second-generation LSI PDP-11/23 cards. It all seemed so easy until [David] tried testing the PDP-11/03’s PSU and everything went south.

Despite having access to the circuit diagrams of the PSU, figuring out what was going wrong was an absolute nightmare for [David], after some easy fixes involving replacing a blown fuse and bulging capacitors failed to deliver salvation. Reading through the comments on the video, it would seem that people are generally confused about whether this PSU is a linear, switching or some other configuration. What is clear is that with its absolutely massive transformer it looks more like a linear power supply, but with a lot of built-in protection against overcurrent and other failure modes, all of which relies on transistors and other components that could have gone bad.

Although in round 1 the PDP-11/03 PSU won the battle, we hope that once round 2 commences [David] will have had the proverbial training montage behind him (set to ‘Eye of the Usagi’, probably) and will manage to get this PSU working once more.


Reverse-Engineering The ESP32’s WiFi Binary Blob With A Faraday Cage

The Faraday cage constructed by Jasper Devreker.

As part of a team reverse-engineering the binary blob driver for the ESP32’s WiFi feature at Ghent University, [Jasper Devreker] saw himself faced with the need to better isolate the network packets coming from the ESP32-under-test. This is a tough call in today’s WiFi and 2.4 GHz flooded airwaves. To eliminate all this noise, [Jasper] had to build a Faraday cage, but ideally without racking up a massive invoice and/or relying on second-hand parts scavenged from eBay.

We previously reported on this reverse-engineering project, which has since seen an update. Although progress has been made, filtering out just the packets they were interested in was a big challenge. The solution was a Faraday cage, but on a tight budget.

Rather than relying on exotic power filters, [Jasper] put a battery inside a Faraday cage he constructed out of wood and conductive fabric. To get Ethernet data in and out, a fiber link was used inside a copper tube. Initial testing was done using a Raspberry Pi running usbip and a WiFi dongle. The Faraday cage provided enough attenuation that the dongle couldn’t pick up any external WiFi signals in listening mode.

The total cost of this build came down to a hair over €291, which makes it feasible for a lot of RF experiments by hobbyists and others. We wish [Jasper] and the rest of the team a lot of luck in figuring out the remaining secrets of Espressif’s binary WiFi blob using this new tool.

Reverse Engineering Smart Meters, Now With More Fuming Nitric Acid

If you’re lucky, reverse engineering can be a messy business. Sure, there’s something to be said for attacking and characterizing an unknown system and leaving no trace of having been there, but there’s something viscerally satisfying about destroying something to understand it. Especially when homemade fuming nitric acid is involved.

The recipient of such physical and chemical rough love in the video below is a residential electric smart meter, a topic that seems to be endlessly fascinating to [Hash]; this is far from the first time we’ve seen him take a deep dive into these devices. His efforts are usually a little less destructive, though, and his write-ups tend to concentrate more on snooping into the radio signals these meters are using to talk back to the utility company.

This time around, [Hash] has decided to share some of his methods for getting at these secrets, including decapping the ICs inside. His method for making fuming nitric acid from stump remover and battery acid is pretty interesting; although the laboratory glassware needed to condense the FNA approaches the cost of just buying the stuff outright, it’s always nice to have the knowledge and the tools to make your own. Just make sure to be careful about it — the fumes are incredibly toxic. Also detailed is a 3D-printable micropositioner, used for examining and photographing acid-decapped ICs under the microscope, which we’d bet would be handy for plenty of other microscopy jobs.

In addition to the decapping stuff, and a little gratuitous destruction with nitric acid, [Hash] takes a look at the comparative anatomy of smart meters. The tamper-proofing features are particularly interesting; who knew these meters have what amounts to the same thing as a pinball machine’s tilt switch onboard?


Wiring An SD Card To A Handspring PDA’s 68K Bus With Only Three SOT23s

In 1998 the founders of Palm had a bit of a falling out with the wildly successful PDA company’s new owners. They set up a new company called Handspring, which enabled them to make PDAs again in the way they preferred. This resulted in the Handspring Visor line of PDAs, which featured a big cartridge slot called the Springboard Expansion slot. Much like a Game Boy, you could put in a range of modules, ranging from games to cameras to memory expansion and more. Since these modules connect directly to the internal Motorola 68k-based microprocessor, you could make a module that complies with this standard, or, if you’re like [Dmitry], you could figure out a way to get an SPI device like an SD card to communicate over that bus and expand storage.

Editor note: Dmitry’s design isn’t the first SD/MMC interface for the Visor. Portable Innovation Technology’s SD MemPlug Module supported SD/MMC way back in 2002. However – MemPlug was a commercial product, while Dmitry’s work is open source.


Decoding A ROM From A Picture Of The Chip

Before there were home computers, among the hottest pieces of consumer technology to own was a pocket calculator. In the early 1970s a series of exciting new chips appeared which allowed the impossible to become the affordable, and suddenly anyone with a bit of cash could have one.

Perhaps one of the more common series of chips came from Texas Instruments, and it’s one of these from which [Veniamin Ilmer] has retrieved the ROM contents. In a way there’s nothing new here, as the code is well known; it’s the way it was done which is of interest. A photo of the die was analysed, and with a bit of detective work the code could be deduced merely from the picture.

These chips were dedicated calculators, but under the hood they were simple pre-programmed microcontrollers. Identifying the ROM area of the chip was thus relatively straightforward, but some more detective work lay in getting to the bottom of how it could be decoded before the code could be verified. So yes, it’s possible to read code from an early 1970s chip by looking at a photograph.

A very similar chip to this one was famously reprogrammed with scientific functions to form the heart of the inexpensive Sinclair Cambridge Scientific.

Diagram from the blog post, showing how GATT communication capture works

Hacking BLE To Liberate Your Exercise Equipment

It’s a story we’ve heard many times before: if you want to get your data from the Domyos EL500 elliptical trainer, you need to use a proprietary smartphone application that talks to the device over Bluetooth Low Energy (BLE). To add insult to injury, the only way the software will export your workout information is by producing a JPG image of a graph. This just won’t do, so [Juan Carlos Jiménez] gives us yet another extensive write-up, which provides an excellent introduction to practical BLE hacking.

He walks us through BLE GATT (Generic Attribute Profile), the most common way such devices work, different stages of the connection process, and the tools you can use for sniffing an active connection. Then [Juan] shows us a few captured messages, how to figure out packet types, and moves into the tastiest part — using an ESP32 to man-in-the-middle (MITM) the connection.
