Reverse Engineering A Better Night’s Sleep

All you want is a decent night’s sleep, so you decide to invest in one of those fancy adjustable beds. At first, it’s fine — being able to adjust the mattress to your needs on the fly is a joy, and yet…something isn’t quite right. Something nags at you every night, thwarting your slumber and turning your dreams of peaceful sleep into a nightmare once you realize your bed has locked you into a vertically integrated software ecosystem from which there’s no escape.

Or is there? That’s what [Chris Laplante] wanted to know, and why he reverse-engineered his Tempur-Pedic remote control. As many products these days do, his bed was touted as having an Android application for smartphone adjustability, but alas, the app hasn’t been updated since 2014 (!) and doesn’t appear to work on modern phones. [Chris] decided to take matters into his own hands and build a gateway to talk to the bed using its native RF protocol.

Most good reverse engineering stories start with research, and this one is no exception. Digging into the FCC database revealed a wealth of clues, such as the frequency — 433-MHz ISM band, no surprise — and even spectrum analyzer screenshots of the remote’s signals. A HackRF One revealed more about the signals, but it turned out that sniffing the SPI bus between the microcontroller and the Si4431 RF transceiver with a Saleae logic analyzer was more fruitful, allowing him to dig into the packet structure.

The engineers at Tempur-Pedic threw quite a few challenges at [Chris], like an application-level CRC in addition to the CRC used by the Si4431, and interesting complications to control the massage features of the bed. In the end, [Chris] managed to get a pretty complete snapshot of the conversation between the bed and the remote, and is now in the process of building a gateway that’ll actually connect to his phone, plus integrate into his home automation system. We’re looking forward to updates on that.

Can Hobbyists Bring SGI’s IRIX OS Back To Life?

IRIX was the operating system developed by Silicon Graphics from 1988 to 1998. The OS supported the company’s high-end workstations and served in many serious roles. The company cut off support for the UNIX-based OS in 2006, but now a diehard community is looking to bring the ancient codebase back to life.

SGI workstations used to cost big money before the company collapsed. It failed to make the leap to a new era when x86 architecture began to dominate the wider computing industry. Credit: Bruno Cordioli, CC-BY-2.0

While SGI’s workstations once sold for five or six figures, surviving examples can now often be had for just a few hundred dollars on eBay. The MIPS-based hardware was potent for its time, and was often used for 3D rendering work for video games and films, or for scientific purposes. IRIX was SGI’s own OS, built specifically to support these use cases.

The IRIX Network is a hobbyist community that loves these old machines and their software. The group hopes to raise $6,500 through crowdfunding to reverse-engineer IRIX. The hope is to use those learnings to create an open-source derivative version named IRIX-32, based on IRIX 5.3, the last 32-bit version of the OS.

It’s a monumental task, but admirable nonetheless. Whether we one day see IRIX reborn, akin to what happened to AmigaOS, remains to be seen.

Google Nest Hub Teardown

Seeing the guts of devices is a fascination that many hackers share. [Txyz] tore down a 2nd gen Google Nest Hub for all of us to enjoy. The video after the break is well produced and relaxing to watch as various heat shields are removed and debug cables are soldered on.

The main SoC is an Amlogic S905D3G, a 4-core A55-based part. The important chips are meticulously documented, and it’s a fascinating look inside a device common in many people’s homes. One chip of note is the BGT60TR13C, otherwise known as Project Soli. It is an 8x10mm chip that uses radar to detect movement with sub-millimeter accuracy. This allows the device to measure your sleep quality or recognize gestures. Luckily for us, [Txyz] has included a datasheet and a block diagram. First, the chip fills a FIFO with data samples. Once full, it issues an interrupt to the main SoC, which empties the buffer via SPI.

The debug cables allowed him to capture traces of the SPI commands to the BGT60TR13C. [Txyz] focused on decoding the various data blocks and the configuration registers. Unfortunately, only a few registers are documented in the datasheet, and it isn’t apparent what they do.

If a hardware teardown isn’t enough for you, perhaps a software teardown to bypass Secure Boot might sate your interest.


North Korean Karaoke Machine Teardown

Karaoke is a very popular pastime in Seoul — there are venues where you can sing on a stage, sing in rooms with your friends, and even sing solo in coin-operated karaoke booths on the bullet train. Apparently it is also popular in North Korea — [Martyn Williams] of the North Korea Tech blog reported on an interesting teardown by web hacker [Will Scott]. It is the Tianchi v700 machine, a Chinese product tailored for North Korean users, obtained online back in 2020.

Unlike the karaoke machines encountered by this author in South Korea, the v700 form factor is a 19.5-inch Android tablet with touch-screen and all the necessary interfaces you’d expect: external video, speakers, and microphone, as well as WiFi and Ethernet for content upgrade and online payment systems. Not surprisingly, the connectivity aspects of the machine are not used in the North Korean model, but with a large catalog of pre-loaded music, it’s perfectly usable as a stand-alone device.

[Will] dug into the innards of the machine and discovered it was powered by an Allwinner ARM processor (seemingly the H6 V200, a quad-core ARM Cortex-A53). He also found it uses a swappable external disk to hold the songs, but all the files were encrypted. You can read more details in the blog post linked above, but eventually he was successful in decoding the disk and accessing the material.

The V700 consults both “/proc/cpuinfo”, to learn the CPU serial number of the device it is running on, and a binary file associated with the device file system structure as part of its method for determining its AES (Advanced Encryption Standard) key. It then ignores all of these device-specific items and reverts to a static key, “87654321”, stored in the binary.

All the songs on the disk were posted on the Internet Archive. Check them out if you’re curious what North Korean karaoke songs sound and look like. One video that caught our attention was about CNC machines (see the video linked below the break). [Martyn] has been covering technology issues related to North Korea since 2011. In 2016, he learned after the fact that his website had been banned by the South Korean authorities. Believing this was in error, he appealed the ban and eventually prevailed in the courts. We wrote about some of [Will]’s research on consumer computing technology back in 2017 if you’re interested in learning more.


Reverse Engineering An Oil Burner Comms Board, With A Few Lucky Breaks

Here’s a question for you: How do you reverse engineer a circuit when you don’t even have it in hand? It’s an interesting problem, and it adds a level of difficulty to the already iffy proposition that reverse engineering generally presents. And yet, not only did [themole] find a way to replicate a comms board for his oil burner, he extended and enhanced the circuit for integration into his home automation network.

By way of backstory, [themole] has a wonky Buderus oil burner, which occasionally goes into safety mode and shuts down. With one too many cold showers as a result, he looked for ways to communicate with the burner controller. Luckily, Buderus sells just the thing — a serial port module that plugs into a spare slot in the controller. Unluckily, the board costs a bundle, and that’s even if you can find it. So armed with nothing but photos of the front and back of the board, the finding of which was a true stroke of luck, he set about figuring out the circuit.

With only a dozen components or so and a couple of connectors, the OEM board gave up its secrets pretty easily; it’s really just a level shifter to make the boiler talk RS-232. But that’s a little passé these days, and [the78mole] was more interested in a WiFi connection. So his version of the card includes an ESP32 module, which handles wireless duties as well as the logic needed to talk to the burner using the Buderus proprietary protocol. The module plugs right into the burner controller and connects it to ESPHome, so no more cold showers for [themole].

We thought this one was pretty cool, especially the way [themole] used the online photos of the board to not only trace the circuit but to get accurate — mostly — measurements of the board using an online measuring tool. That’s a tip we’ll keep in our back pocket.

Thanks to [Jieffe] for the tip.

[Image: a white, house-shaped clock with the words "TEMPUS NECTIT" in faux Roman script on a strip of silver at the base of the "roof." A white power cord extends from the left of the enclosure, and the center of the clock is a 22-pin knitting machine wheel with one pin covered in silver metallic. A white plastic peg extends from the bottom right of the enclosure to hold the feedstock yarn.]

Tempus Nectit, A DIY Knitting Clock With Instructions

We’re no strangers to unusual clocks here at Hackaday, and some of our favorites make time a little more tangible like [Kyle Rankin]’s knitting clock.

Inspired by our coverage of [Siren Elise Wilhelmsen]’s knitting clock, [Rankin] decided to build one of his own. Since details on the build from the original artist were sparse, he had to reverse engineer how the device worked. He identified that a knitting clock is essentially a knitting machine with a stepper motor replacing the hand crank.

Using a Raspberry Pi with an Adafruit motor hat connected to a stepper motor and a 3D printed motor adapter, [Rankin] was able to drive the knitting machine to do a complete round of knitting every twelve hours. By marking one of the knitting pegs as an hour hand, the clock works as a traditional clock in addition to its year-long knitting task. [Rankin] says he still has some fine tuning to work on, but that he’s happy to have had the chance to combine so many of his interests into a single project.

If you’re looking for more knitting hacks, check out this knitted keyboard instrument or a knitted circuit board.


Debugging And Analyzing Real-Mode 16-Bit X86 Code With Fresh Bread

Running a debugger like gdb on real-mode 16-bit code on the x86 platform is not the easiest thing to do, but it is incredibly useful when it comes to analyzing BIOS firmware and DOS software. Although it’s possible to analyze a BIOS image after running it through a disassembler, there is a lot that can only be done when the software is running on the real hardware. This is where [Davidson Francis] decided that some BREAD would be useful, as in BIOS Reverse Engineering & Advanced Debugging.

What BREAD does is provide some injectable code that, in the case of a BIOS, replaces the normal boot logo with the debugger stub. This stub communicates with a bridge via the serial port, and the gdb client connects to this bridge. Since DOS programs are also often 16-bit real-mode, they can be similarly modified to provide light-weight in-situ debugging and analysis. We imagine that this software can be very useful both for software archaeology and for embedded purposes.

Thanks to [Rodrigo Laneth] for the tip.