Hacking An NFC E-Paper Display From Waveshare With Mystery MCU

These days e-paper (eInk) displays are everywhere, with stores being one of the largest users of smaller, monochrome versions of these persistent displays. This has also made them a solid target of hackers who seek to not only reverse-engineer and reuse discarded ones, but also ones sold to consumers, with [Aaron Christophel] recently reverse-engineering and flashing custom firmware (GitHub source) to a Waveshare 2.13″ NFC-Powered E-Paper display.

What’s perhaps most notable is how locked-down and devoid of documentation these devices are. The board [Aaron] looked at did not have any markings on the main IC, and Waveshare did not provide more information other than the Android and iOS apps. This led to some matching of various NFC-enabled MCUs with the pinout, with the Chivotech TN2115S2 rolling out as the most likely candidate. This is an 8 MHz Cortex-M0 MCU with not only NFC, but also an energy harvesting feature (up to 300 mW), which is why this e-paper tag can update the display without external power or a battery.

With the Chivotech datasheet being rather sparse, more reverse-engineering needed to be done, which included dumping the firmware and exploring it with Ghidra. During this, the secret key was discovered to make the Flash writeable along with how to control the peripherals and display. With this knowledge it’s now possible to make this tag display update without being limited by manufacturer-supplied tools and software, making it infinitely more useful.

Continue reading “Hacking An NFC E-Paper Display From Waveshare With Mystery MCU”

The Dark Side Of Hacking XMas Lights, Literally

When looking at the piles of cheap RGB, Bluetooth-controlled LED strips you can find for sale just about anywhere these days, integrating them into a home-automation setup is very tempting. Normally these strips are controlled via a special smartphone app, that speaks whatever dodgy protocol was thrown together for the LED strip controller in question. Reverse-engineering this Bluetooth protocol is fairly easy these days, as [Will Cooke] describes in a recent tutorial, although for him there was a bit of a tragic ending with one particular RGB set.

With previous experiences reverse-engineering the Bluetooth protocol with Wireshark under his belt and having published the BJ_LED repository for LED strips that use the MohuanLED app, reverse-engineering this new LED strip with the associated “iDeal LED” app seemed fairly routine. Initially it was indeed routine, with just a curveball in the form of some encryption that the Jadx decompiler used on the app couldn’t help with. Fortunately the key ended up floating around on the internet, and the protocol was wide open. That’s when disaster struck.

While trying to throw payloads at the LED controller to find hidden modes and settings, [Will] found that he could indeed increase the brightness beyond what the app supported, but poking at lighting modes beyond the 10 presets gave a nasty shock. Modes 1 through 10 worked fine, 11 also did something new, but when the controller was asked to switch to mode 12, it shut off. Permanently. Whether this corrupted the firmware or caused some other issue is unknown, but it’s a clear warning that reverse-engineering comes with potentially fried hardware.

We hope that [Will] can get an autopsy performed on this controller to see the cause of this seemingly permanent failure that persisted across hard resets and disconnecting from power overnight. The protocol for this controller has been published on GitHub for those who’d like to take their chances.

LED lights: LadyAda, CC BY-SA 4.0.

The Logg Dogg: How A Mysterious Logging Robot Leads Down Twisting Forestry Paths

There are many places where you’d want to use remotely controlled robots, but perhaps forestry isn’t the first application to come to mind. Yet there are arguments to be made for replacing something like a big logging machine with grapple for a much smaller robot. The reduced ground pressure can be beneficial in fragile ecosystems, and removing the operator is much safer if felling a tree goes wrong.

This is where a US company called Forest Robots tried to come in, with their Logg Dogg, of which [Wes] over at Watch Wes Work found a very unique prototype abandoned in a barn, courtesy of Zuckerberg’s marketplace of wonders.

One of the two receivers on the Forest Robots' Logg Dogg logging robot prototype. (Credit: Watch Wes Work)
One of the two receivers on the Forest Robots’ Logg Dogg logging robot prototype. (Credit: Watch Wes Work)

After lugging the poor abandoned robot back into a warm repair shop, he set to work on figuring out what it was that he had bought. At the time he knew only that it was some kind of logging robot, but with no model number or name on the robot, it was tough to find information. Eventually he got tipped off about it being the Logg Dogg, with even a video of the robot in action, helpfully uploaded to YouTube by [Hankey Mountain Garage] and embedded below for your viewing pleasure.

As [Wes] noticed during teardown and inspection was that it has that distinct mix-and-match feel to it of a prototype, ranging from metric and US customary bolts to both European and US/Canadian supplied components. Although it has two RF receivers on the device, no remote(s) came with the device, and the seller only knew that it was already in the barn when they purchased the place. After getting the engine working again on the robot, [Wes] contacted one of the people behind the robot: [Dean Edwards], a professor at the University of Idaho, hoping to learn more about this robot and how it ended up abandoned in a barn.

Hopefully we’ll find out in a Part 2 whether [Wes] got a response, and whether this robot will get a second chance at life. Meanwhile, in countries such as Portugal such robots are already finding significant use, including for fire protection in its forests, tackling difficult terrain more easily than humans. With forest fires an increasing risk, perhaps the Logg Dogg and kin could find a use there.

Continue reading “The Logg Dogg: How A Mysterious Logging Robot Leads Down Twisting Forestry Paths”

Polish Train Manufacturer Threatens Hackers Who Unbricked Their Trains

A week ago we covered the story of a Polish train manufacturer who was caught using software to brick their products after they had been repaired by in independent railway workshop. Now 404 Media has a follow-up story with more information, including the news that the hackers responsible for the discovery are now being threatened by the manufacturer.

The more we learn about this story the more interesting it becomes, as the Newag trains in question began failing after service as far back as 2021. In desperation after services were affected by the number of non-functional units, an employee searched online for Polish hackers and found a group called Dragon Sector. The group was able to find the issue, and are now being threatened with legal action by the manufacturer, who are citing possible safety issues.

It’s clear from where we are standing that Newag have been caught red-handed in some extremely dubious practices, and seem to have little sense of how their actions might not be the best in terms of protecting their reputation. We are guessing that the European regulators will become very interested in this case, and that meanwhile the order books of a company which puts DRM in its trains will start to look very empty indeed. You can catch our original coverage as the story broke, here.

Thanks [JohnU] for the tip.

Oddball LCDs Reverse Engineered Thanks To Good Detective Work

Is there anything more discouraging to the reverse engineer than to see a black blob of epoxy applied directly to a PCB? We think not, because that formless shape provides no clue as to what chip lies beneath, and that means a lot of detective work if you’re going to figure out how to use this thing.

[Sudhir Chandra]’s detective story starts with a bunch of oddball LCDs, slim 1×32 character units rather than the more familiar 2×16 displays. Each bore the dreaded black COB blob on the back, as well as a handful of SMD components and not much else. Googling revealed no useful documentation, and the manufacturer wasn’t interested in fielding calls from a hobbyist. Reasoning that most manufacturers wouldn’t spin up a custom chip for every display, [Sudhir] assumed there was an ST7066, a common LCD driver chip, underneath the blob, especially given the arrangement of external components. But a jumper set was bodged together under this assumption didn’t get the display going.

Next up were more destructive methods, to decap the COB and see what kind of numbers might be on the chip. Sandpaper worked at first, but [Sudhir] eventually turned to the “Chips a la [Antoine]” method of decapping, which uses heat and brute force to get at the goods. This got down to the chip, but [Sudhir]’s microscope wasn’t up to the task of reading the die markings.

What eventually cracked the case was tracing out the voltages across the various external resistors and matching them up to other chips in the same family as the ST7066, plus the realization that the long, narrow epoxy blob probably covered a similarly shaped chip, which led to the culprit: an ST7070. This allowed [Sudhir] to build an adapter PCB for the displays, with plans for a custom Arduino library to talk to the displays.

This was a great piece of reverse engineering and a good detective story to boot. Hats off to [Sudhir] for sticking with it.

Hacking The Xiaomi Mi Band 8 With Custom Firmware

Over the past years, fitness trackers have gone from fairly unobtrusive bands that relied mostly on smartphone apps for interaction to essentially being fashion statements and smart watches, with large screens and impressive specs. The Xiaomi Mi Band 8 is no exception, with a zippy MCU and a 1.62″ AMOLED screen that just asks for some serious rick-rolling. This was a challenge which [Aaron Christophel] was all too happy to accept, resulting in some reverse-engineering and flashing of custom firmware onto one of these marvels of modern wearable technology.

Block Diagram for the Apollo4 Blue Lite. (Credit: Ambiq)
Block Diagram for the Apollo4 Blue Lite. (Credit: Ambiq)

The Mi Band 8 is built around an Ambiq Apollo4 Blue Lite MCU which features a Cortex-M4 core for applications, along with a Bluetooth LE radio and a lot of SRAM and Flash. This naturally implies an SWD interface for programming, which was mostly a matter of reverse-engineering the PCB to find the locations for these signals and realizing that the original firmware disables the SWD interface on boot. Unfortunately the Ambiq SDK requires you to create an account, but you can get the basics from [Aaron]’s GitHub project. It appears that for BLE you do need the full SDK, and OTA updates feature a signing check, so physical access is required.

So far the display, touchscreen and light sensor are working, with the remaining peripherals just a matter of time. With a list price of around $64 for one of these fitness bands with a 192 x 490 touch-enabled AMOLED display and a variety of health-related sensors, they’d seem to be a fun toy to hack, especially when found on sale or used.

Continue reading “Hacking The Xiaomi Mi Band 8 With Custom Firmware”

The Deere Disease Spreads To Trains

If the right-to-repair movement has a famous story, it’s the familiar green and yellow John Deere tractor. Farmers and mechanics have done their own repairs as long as there have been tractors, but more recent Deeres have been locked down such that only Deere-authorised agents can fix them. It’s a trend that has hurt the value of a second-had Deere, but despite that it appears to be spreading within the machinery world. Now there’s a parallel on Polish railways, as Polish-made Newag electric passenger trains have been found to give errors when serviced by non-Newag workshops.

At the heart of the problem are the PLCs which control all aspects of a modern rail traction system, which thanks to a trio of Poland and Germany based researchers have been found to play a range of nasty tricks. They’ll return bogus error codes after a set date which would presumably be reset by the official service, if the train has been laid up for a while, or even if they are detected via GPS to have visited a third-party workshop. Their work will be the subject of a talk at 37C3 which should be worth watching out for.

It will be especially interesting to juxtapose the reaction to this revelation with cases such as the Deere tractors, because of course Poland is part of the European Union. We’re not specialist EU competition lawyers, but we know enough to know that the EU takes a dim view of these types of practices and has been strong on the right to repair. Who knows, Polish trains may contribute further to the rights of all Europeans.