Reverse Engineering

225 Articles

Repairing A BPS-305 30V Bench Power Supply

December 31, 2024 by 6 Comments

When [Tahmid Mahbub] recently reached for his ‘Lavolta’ BPS-305 bench supply, he was dismayed to find that despite it being a 30V, 5A-rated unit, the supply refused to output more than 15V. To be fair, he wasn’t sure that he had ever tried to push it beyond 15V in the years that he had owned it, but it had better live up to its specs. Ergo out came the screwdriver to open the power supply to see what had broken, and hopefully to fix it.

After some more probing around, he discovered that the unit had many more issues, including a highly unstable output voltage and output current measurement was completely wrong. Fortunately this bench power supply turns out to be very much like any number of similar 30V, 5A units, with repair videos and schematics available.

While [Tahmid] doesn’t detail his troubleshooting process, he does mention the culprits: two broken potentiometers (VR104 and VR102). VR104 is a 5 kOhm pot in the output voltage feedback circuit and VR102 (500 Ohm) sets the maximum output current. With no 500 Ohm pot at hand, a 5 kOhm one was combined with a 470 Ohm resistor to still allow for trimming. Also adjusted were the voltage and current trimpots for the front display as they were quite a bit off. Following some testing on the reassembled unit, this power supply is now back in service, for the cost of two potentiometers and a bit of time.

38C3: Lawsuits Are Temporary; Glory Is Forever

December 29, 2024 by 35 Comments

One of the blockbuster talks at last year’s Chaos Communications Congress covered how a group of hackers discovered code that allegedly bricked public trains in Poland when they went into service at a competitor’s workshop. This year, the same group is back with tales of success, lawsuits, and appearances in the Polish Parliament. You’re not going to believe this, but it’s hilarious.

The short version of the story is that [Mr. Tick], [q3k], and [Redford] became minor stars in Poland, have caused criminal investigations to begin against the train company, and even made the front page of the New York Times. Newag, the train manufacturer in question has opened several lawsuits against them. The lawsuit alleges the team is infringing on a Newag copyright — by publishing the code that locked the trains, no less! If that’s not enough, Newag goes on to claim that the white hat hackers are defaming the company.

What we found fantastically refreshing was how the three take all of this in stride, as the ridiculous but incredibly inconvenient consequences of daring to tell the truth. Along the way they’ve used their platform to speak out for open-sourcing publicly funded code, and the right to repair — not just for consumers but also for large rail companies. They are truly fighting the good fight here, and it’s inspirational to see that they’re doing so with humor and dignity.

If you missed their initial, more technical, talk last year, go check it out. And if you ever find yourself in their shoes, don’t be afraid to do the right thing. Just get a good lawyer.

A Die-Level Look At The Pentium FDIV Bug

December 29, 2024 by 10 Comments

The early 1990s were an interesting time in the PC world, mainly because PCs were entering the zeitgeist for the first time. This was fueled in part by companies like Intel and AMD going head-to-head in the marketplace with massive ad campaigns to build brand recognition; remember “Intel Inside”?

In 1993, Intel was making some headway in that regard. The splashy launch of their new Pentium chip in 1993 was a huge event. Unfortunately an esoteric bug in the floating-point division module came to the public’s attention. [Ken Shirriff]’s excellent account of that kerfuffle goes into great detail about the discovery of the bug. The issue was discovered by [Dr. Thomas R. Nicely] as he searched for prime numbers. It’s a bit of an understatement to say this bug created a mess for Intel. The really interesting stuff is how the so-called FDIV bug, named after the floating-point division instruction affected, was actually executed in silicon.

We won’t presume to explain it better than [Professor Ken] does, but the gist is that floating-point division in the Pentium relied on a lookup table implemented in a programmable logic array on the chip. The bug was caused by five missing table entries, and [Ken] was able to find the corresponding PLA defects on a decapped Pentium. What’s more, his analysis suggests that Intel’s characterization of the bug as a transcription error is a bit misleading; the pattern of the missing entries in the lookup table is more consistent with a mathematical error in the program that generated the table.

The Pentium bug was a big deal at the time, and in some ways a master class on how not to handle a complex technical problem. To be fair, this was the first time something like this had happened on a global scale, so Intel didn’t really have a playbook to go by. [Ken]’s account of the bug and the dustup surrounding it is first-rate, and if you ever wanted to really understand how floating-point math works in silicon, this is one article you won’t want to miss.

close up hands holding lighting pcb

Circuit Secrets: Exploring A $5 Emergency Light

December 28, 2024 by 2 Comments

Who would’ve thought a cheap AliExpress emergency light could be packed with such crafty design choices? Found for about $5, this unit uses simple components yet achieves surprisingly sophisticated behaviors. Its self-latching feature and decisive illumination shut-off are just the beginning. A detailed analysis by [BigCliveDotCom] reveals a smart circuit that defies its humble price.

The circuit operates via a capacitive dropper, a cost-effective way to power low-current devices. What stands out, though, is its self-latching behavior. During a power failure, transistors manage to keep the LEDs illuminated until the battery voltage drops below a precise threshold, avoiding the dreaded fade-to-black. Equally clever is the automatic shut-off when the voltage dips too low, sparing the battery from a full drain.

Modifications are possible, too. For regions with 220V+ mains, swapping the dropper capacitor with a 470nF one can reduce heat dissipation. Replacing the discharge resistor (220k) with a higher value improves longevity by running cooler. What remarkable reverse engineering marvels have you come across? Share it in the comments!  After all, it is fun to hack into consumer stuff. Even if it is just a software hack.

Continue reading “Circuit Secrets: Exploring A $5 Emergency Light”

Stream Deck Plus Reverse Engineered

December 26, 2024 by 6 Comments

[Den Delimarsky] had a Stream Deck and wanted to be free of the proprietary software, so he reverse-engineered it. Now, he has a Stream Deck Plus, and with the same desire, he reverse-engineered it as well.

The device has eight buttons, a narrow screen, and four encoder dials. The device looks like a generic HID device to the host machine, and once it has been configured, doesn’t need any special software to function. By configuring the device using the official software in a virtual machine under the watchful eye of Wireshark, it was possible to figure out how that initial setup worked and recreate it using a different software stack.

If you’ve never done this kind of thing before, there is a lot of information about how to find USB data and draw inferences from it. The buttons send messages when pressed, of course. But they also accept a message that tells them what to display on their tiny screen. The device screen itself isn’t very big at 800×100.

[Den] packages everything up in the DeckSurf SDK, an open source project that lets you control Stream Decks. So if you just want to control the Deck, you don’t need to know all these details. But, for us, that’s where the fun is.

Way back in 2015, we covered some guy who had sniffed out a USB signal generator. That was easy since it was a serial port. However, you can go pretty far down the rabbit hole.

Unexpectedly Interesting Payphone Gives Up Its Secrets

December 11, 2024 by 7 Comments

Reverse engineering a payphone doesn’t sound like a very interesting project, at least in the United States, where payphones were little more than ruggedized versions of residential phones with a coin mechanism attached. Phones in other parts of the world were far more interesting, though, as this look at the mysteries of a payphone from Israel reveals (in Hebrew; English translation here.)

This is a project [Inbar Raz] worked on quite a while ago, but only got around to writing up recently. The payphone in question was sourced from the usual surplus market channels, and appears to have been removed from service by Israeli telecommunications company Bezeq only shortly before he found it. It was in pretty good shape, and was even still locked tight, making some amateur locksmithing the first order of the day. The internals of the phone are surprisingly complex, with a motherboard that looks more like something from a PC. Date codes on the chips and through-hole construction date the device to the early- to mid-1990s.

With physical access gained, [Inbar] turned to the firmware. An Atmel flash chip seemed a good place to look, and indeed he was able to pull code off the chip. That’s where things took a turn thanks to the CPU the code was written for — the CDP1806, a later version of the more popular but still fringe CDP1802. This required [Inbar] to fall down the rabbit hole of writing a new processor definition file for Ghidra so that the firmware could be reverse-engineered. This got him to the point of understanding 1806 assembly well enough that he was able to re-flash the phone to print debugging messages on the built-in 16×2 LCD screen, which allowed him to figure out which routines were being called under various error conditions.

It doesn’t appear that [Inbar] ever completed the reverse engineering project, but as he points out, what does that even mean? He got inside, took a look around, and made the phone do some cool things it couldn’t do before, and in the process made things easier for anyone working with 1806 processors in Ghidra. That’s a pretty complete win in our books.

Apollo-era PCB Reverse Engineering To KiCad

November 25, 2024 by 24 Comments

Earlier this year [Skyhawkson] got ahold of an Apollo-era printed circuit board which he believes was used in a NASA test stand. He took high quality photos of both sides of the board and superimposed them atop each other. After digging into a few obsolete parts from the 1960s, he was able to trace out the connections. I ran across the project just after making schematics for the Supercon badge and petal matrix. Being on a roll, I decided to take [Skyhawkson]’s work as a starting point and create KiCad schematics. Hopefully we can figure out what this circuit board does along the way.

The board is pretty simple:

  • approximately 6.5 x 4.5 inches
  • 22 circuit edge connector 0.156 in pitch
  • 31 ea two-terminal parts ( resistors, diodes )
  • 3 ea trimmer potentiometers
  • 7 ea transistors
  • parts arranged in 4 columns

Continue reading “Apollo-era PCB Reverse Engineering To KiCad”