PDP-11 Trouble With A Ruthless Power Supply Issue

After [David Lovett] of [Usagi Electric] was donated a few cars full of DEC PDP-11 minicomputers of various flavors and vintages, he passed on most of them to loving homes, but kept a few of them himself. One goal of this being to put together a PDP-11 system that could be more easily taken to vintage computer shows than the ‘rollable’ PDP-11s he had access to prior. Of 1980s PDP-11s, the first-generation Large Scale Integration (LSI) PDP11/03 system (so-called Q-Bus models) is among the smallest, taking up about as much space as a 1980s desktop PC, while supporting the second generation LSI PDP-11/23 cards. It all seemed so easy until [David] tried testing the PDP-11/03’s PSU and everything went south.

Despite having access to the circuit diagrams of the PSU, figuring out what was going wrong was an absolute nightmare for [David], after some easy fixes involving replacing a blown fuse and bulging capacitors failed to deliver salvation. Reading through the comments to the video, it would seem that people are generally confused about whether this PSU is a linear, switching or some other configuration. What is clear is that with the absolutely massive transformer, it looks more like a linear power supply, but with a lot of protections against over current and other failure modes built-in, all of which rely on transistors and other components that could have gone bad.

Although in round 1 the PDP-11/03 PSU won the battle, we hope that once round 2 commences [David] will have had the proverbial training montage behind him (set to ‘Eye of the Usagi’, probably) and will manage to get this PSU working once more.

Continue reading “PDP-11 Trouble With A Ruthless Power Supply Issue”

Reverse-Engineering The ESP32’s WiFi Binary Blob With A Faraday Cage

The Faraday cage constructed by Jasper Devreker.
The Faraday cage constructed by Jasper Devreker.

As part of a team reverse-engineering the binary blob driver for the ESP32’s WiFi feature at Ghent University, [Jasper Devreker] saw himself faced with the need to better isolate the network packets coming from the ESP32-under-test. This is a tough call in today’s WiFi and 2.4 GHz flooded airwaves. To eliminate all this noise, [Jasper] had to build a Faraday cage, but ideally without racking up a massive invoice and/or relying on second-hand parts scavenged from eBay.

We previously reported on this reverse-engineering project, which has since seen an update. Although progress has been made, filtering out just the packets they were interested in was a big challenge. The solution was a Faraday cage, but on a tight budget.

Rather than relying on exotic power filters, [Jasper] put a battery inside a Faraday cage he constructed out of wood and conductive fabric. To get Ethernet data in and out, a fiber link was used inside a copper tube. Initial testing was done using a Raspberry Pi running usbip and a WiFi dongle.  The Faraday cage provided enough attenuation that the dongle couldn’t pick up any external WiFi signals in listening mode.

The total cost of this build came down to a hair over €291, which makes it feasible for a lot of RF experiments by hobbyists and others. We wish [Jasper] and the rest of the team a lot of luck in figuring out the remaining secrets of Espressif’s binary WiFi blob using this new tool.

Reverse Engineering Smart Meters, Now With More Fuming Nitric Acid

If you’re lucky, reverse engineering can be a messy business. Sure, there’s something to be said for attacking and characterizing an unknown system and leaving no trace of having been there, but there’s something viscerally satisfying about destroying something to understand it. Especially when homemade fuming nitric acid is involved.

The recipient of such physical and chemical rough love in the video below is a residential electric smart meter, a topic that seems to be endlessly fascinating to [Hash]; this is far from the first time we’ve seen him take a deep dive into these devices. His efforts are usually a little less destructive, though, and his write-ups tend to concentrate more on snooping into the radio signals these meters are using to talk back to the utility company.

This time around, [Hash] has decided to share some of his methods for getting at these secrets, including decapping the ICs inside. His method for making fuming nitric acid from stump remover and battery acid is pretty interesting; although the laboratory glassware needed to condense the FNA approaches the cost of just buying the stuff outright, it’s always nice to have the knowledge and the tools to make your own. Just make sure to be careful about it — the fumes are incredibly toxic. Also detailed is a 3D-printable micropositioner, used for examining and photographing acid-decapped ICs under the microscope, which we’d bet would be handy for plenty of other microscopy jobs.

In addition to the decapping stuff, and a little gratuitous destruction with nitric acid, [Hash] takes a look at the comparative anatomy of smart meters. The tamper-proofing features are particularly interesting; who knew these meters have what amounts to the same thing as a pinball machine’s tilt switch onboard?

Continue reading “Reverse Engineering Smart Meters, Now With More Fuming Nitric Acid”

Wiring An SD Card To A Handspring PDA’s 68K Bus With Only Three SOT23s

In 1998 the founders of Palm had a bit of a falling out with the wildly successful PDA company’s new owners. They set up a new company called Handspring, which enabled them to make PDAs again in the way they preferred, This resulted in the Handspring Visor line of PDAs, which featured a big cartridge slot called the Springboard Expansion slot. Much like a Gameboy, you could put in a range of modules, ranging from games to cameras to memory expansion and more. Since these modules connect directly to the internal Motorola 68k-based microprocessor, you could make a module either to comply with this standard or if you’re like [Dmitry], you’d figure out a way to get an SPI device like an SD card to communicate and expand storage.

Editor note: Dmitry’s design isn’t the first SD/MMC interface for the Visor. Portable Innovation Technology’s SD MemPlug Module supported SD/MMC way back in 2002. However – MemPlug was a commercial product, while Dmitry’s work is open source.

Continue reading “Wiring An SD Card To A Handspring PDA’s 68K Bus With Only Three SOT23s”

Decoding A ROM From A Picture Of The Chip

Before there were home computers, among the hottest pieces of consumer technology to own was a pocket calculator. In the early 1970s a series of exciting new chips appeared which allowed the impossible to become the affordable, and suddenly anyone with a bit of cash could have one.

Perhaps one of the more common series of chips came from Texas instruments, and it’s one of these from which [Veniamin Ilmer] has retrieved the ROM contents. In a way there’s nothing new here as the code is well known, it’s the way it was done which is of interest. A photo of the die was analysed, and with a bit of detective work the code could be deduced merely from the picture.

These chips were dedicated calculators, but under the hood they were simple pre-programmed microcontrollers. Identifying the ROM area of the chip was thus relatively straightforward, but some more detective work lay in getting to the bottom of how it could be decoded before the code could be verified. So yes, it’s possible to read code from an early 1970s chip by looking at a photograph.

A very similar chip to this one was famously reprogrammed with scientific functions to form the heart of the inexpensive Sinclair Cambridge Scientific.

Diagram from the blog post, showing how GATT communication capture works

Hacking BLE To Liberate Your Exercise Equipment

It’s a story we’ve heard many times before: if you want to get your data from the Domyos EL500 elliptical trainer, you need to use a proprietary smartphone application that talks to the device over Bluetooth Low-Energy (BLE). To add insult to injury, the only way to the software will export your workout information is by producing a JPG image of a graph. This just won’t do, so [Juan Carlos Jiménez] gives us yet another extensive write-up, which provides an excellent introduction to practical BLE hacking.

He walks us through BLE GATT (Generic Attribute Profile), the most common way such devices work, different stages of the connection process, and the tools you can use for sniffing an active connection. Then [Juan] shows us a few captured messages, how to figure out packet types, and moves into the tastiest part — using an ESP32 to man-in-the-middle (MITM) the connection.

Continue reading “Hacking BLE To Liberate Your Exercise Equipment”

Current-Based Side-Channel Attacks, Two Ways

Funny things can happen when a security researcher and an electronics engineer specializing in high-speed circuits get together. At least they did when [Limpkin] met [Roman], which resulted in two interesting hardware solutions for side-channel attacks.

As [Limpkin] relates it, the tale began when he shared an office with [Roman Korkikian], a security researcher looking into current-based attacks on the crypto engine inside ESP32s. The idea goes that by monitoring the current consumption of the processor during cryptographic operations, you can derive enough data to figure out how it works. It’s difficult to tease a useful signal from the noise, though, and [Roman]’s setup with long wire runs and a noisy current probe wasn’t helping at all. So [Limpkin] decided to pitch in.

The first board he designed was based on a balun, which he used to isolate the device under test from the amplification stage. He found a 1:8 balun, normally used to match impedances in RF circuits, and used its primary as a shunt resistance between the power supply — a CR1220 coin cell — and the DUT. The amplifier stage is a pair of low-noise RF amps; a variable attenuator was added between the amp stages on a second version of the board.

Board number two took a different tack; rather than use a balun, [Limpkin] chose a simple shunt resistor with a few twists. To measure the low-current signal on top of the ESP32’s baseline draw would require such a large shunt resistor that the microcontroller wouldn’t even boot, so he instead used an OPA855 wideband low-noise op-amp as an amplified shunt. The output of that stage goes through the same variable attenuator as the first board, and then to another OPA855 gain stage. The board is entirely battery-powered, relying on nice, quiet 18650s to power both the DUT and the shunt.

How well does it work? We’ll let you watch the talk below and make up your own mind, but since they’ve used these simple circuits to break a range of different chips, we’d say this approach a winner.

Continue reading “Current-Based Side-Channel Attacks, Two Ways”