Reverse Engineering

230 Articles

Hacking The 22€ BLE SR08 Smart Ring With Built-In Display

February 5, 2025 by 26 Comments

In the process of making everything ‘smart’, it would seem that rings have become the next target, and they keep getting new features. The ring that [Aaron Christophel] got his mittens on is the SR08, which appears to have been cloned by many manufacturers at this point. It’s got an OLED display, 1 MB Flash and a Renesas DA14585 powering it from a positively adorable 16 mAh LiPo battery.

The small scale makes it an absolute chore to reverse-engineer and develop with, which is why [Aaron] got the €35 DA14585 development kit from Renesas. Since this dev kit only comes with a 256 kB SPI Flash chip, he had to replace it with a 1 MB one. The reference PDFs, pinouts and custom demo firmware are provided on his GitHub account, all of which is also explained in the video.

Rather than hack the ring and destroy it like his first attempts, [Aaron] switched to using the Renesas Software Update OTA app to flash custom firmware instead. A CRC error is shown, but this can be safely ignored. The ring uses about 18 µA idle and 3 mA while driving the display, which is covered in the provided custom firmware for anyone who wants to try doing something interesting with these rings.

Continue reading “Hacking The 22€ BLE SR08 Smart Ring With Built-In Display”

Shellcode Over MIDI? Bad Apple On A PSR-E433, Kinda

January 23, 2025 by 6 Comments

If hacking on consumer hardware is about figuring out what it can do, and pushing it in directions that the manufacturer never dared to dream, then this is a very fine hack indeed. [Portasynthica3] takes on the Yamaha PSR-E433, a cheap beginner keyboard, discovers a shell baked into it, and takes it from there.

[Portasynthinca3] reverse engineered the firmware, wrote shellcode for the device, embedded the escape in a MIDI note stream, and even ended up writing some simple LCD driver software totally decent refresh rate on the dot-matrix display, all to support the lofty goal of displaying arbitrary graphics on the keyboard’s dot-matrix character display.

Now, we want you to be prepared for a low-res video extravaganza here. You might have to squint a bit to make out what’s going on in the video, but keep in mind that it’s being sent over a music data protocol from the 1980s, running at 31.25 kbps, displayed in the custom character RAM of an LCD.

As always, the hack starts with research. Identifying the microcontroller CPU lead to JTAG and OpenOCD. (We love the technique of looking at the draw on a bench power meter to determine if the chip is responding to pause commands.) Dumping the code and tossing it into Ghidra lead to the unexpected discovery that Yamaha had put a live shell in the device that communicates over MIDI, presumably for testing and development purposes. This shell had PEEK and POKE, which meant that OpenOCD could go sit back on the shelf. Poking “Hello World” into some free RAM space over MIDI sysex was the first proof-of-concept.

The final hack to get video up and running was to dig deep into the custom character-generation RAM, write some code to disable the normal character display, and then fool the CPU into calling this code instead of the shell, in order to increase the update rate. All of this for a thin slice of Bad Apple over MIDI, but more importantly, for the glory. And this hack is glorious! Go check it out in full.

MIDI is entirely hacker friendly, and it’s likely you can hack together a musical controller that would wow your audience just with stuff in your junk box. If you’re at all into music, and you’ve never built your own MIDI devices, you have your weekend project.

Continue reading “Shellcode Over MIDI? Bad Apple On A PSR-E433, Kinda”

Audio On A Shoestring: DIY Your Own Studio-Grade Mic

January 14, 2025 by 14 Comments

When it comes to DIY projects, nothing beats the thrill of crafting something that rivals expensive commercial products. In the microphone build video below, [Electronoobs] found himself inspired by DIY Perks earlier efforts. He took on the challenge of building a $20 high-quality microphone—a budget-friendly alternative to models priced at $500. The result: an engaging and educational journey that has it’s moments of triumph, it’s challenges, and of course, opportunities for improvement.

The core of the build lies in the JLI-2555 capsule, identical to those found in premium microphones. The process involves assembling a custom PCB for the amplifier, a selection of high-quality capacitors, and designing lightweight yet shielded wiring to minimize noise. [Electronoobs] also demonstrates the importance of a well-constructed metal mesh enclosure to eliminate interference, borrowing techniques like shaping mesh over a wooden template and insulating wires with ultra-thin enamel copper. While the final build does not quite reach the studio-quality level and looks of the referenced DIY Perks’ build, it is an impressive attempt to watch and learn from.

The project’s key challenge here would be achieving consistent audio quality. The microphone struggled with noise, low volume, and single-channel audio, until [Electronoobs] made smart modifications to the shielded wiring and amplification stages. Despite the hurdles, the build stands as an affordable alternative with significant potential for refinement in future iterations.

Continue reading “Audio On A Shoestring: DIY Your Own Studio-Grade Mic”

Reverse-Engineering The Polynomial Constants In The Pentium’s FPU

January 5, 2025 by 5 Comments
Die photo of the Intel Pentium processor with the floating point constant ROM highlighted in red. (Credit: Ken Shirriff)
Die photo of the Intel Pentium processor with the floating point constant ROM highlighted in red. (Credit: Ken Shirriff)

Released in 1993, Intel’s Pentium processor was a marvel of technological progress. Its floating point unit (FPU) was a big improvement over its predecessors that still used the venerable CORDIC algorithm. In a recent blog post [Ken Shirriff] takes an up-close look at the FPU and associated ROMs in the Pentium die that enable its use of polynomials. Even with 3.1 million transistors, the Pentium die is still on a large enough process node that it can be readily analyzed with an optical microscope.

In the blog post, [Ken] shows how you can see the constants in each ROM section, with each bit set as either a transistor (‘1’) or no transistor (‘0’), making read-out very easy. The example looks at the constant of pi, which the Pentium’s FPU has stored as a version with no fewer than 67 significand bits along with its exponent.

Continue reading “Reverse-Engineering The Polynomial Constants In The Pentium’s FPU”

Nottingham Railway departure board in Hackspace

All Aboard The Hack Train: Nottingham’s LED Revival

January 4, 2025 by 4 Comments

Hackerspaces are no strangers to repurposing outdated tech, and Nottingham Hackspace happens to own one of those oddities one rarely gets their hands on: a railway departure board. Left idle for over a decade, it was brought back to life by [asjackson]. Originally salvaged around 2012, it remained unused until mid-2024, when [asjackson] decided to reverse-engineer it. The board now cycles between displaying Discord messages and actual train departures from Nottingham Railway Station every few minutes. The full build story can be found in this blog post.

The technical nitty-gritty is fascinating. Each side of the board contains 4,480 LEDs driven as two parallel chains. [asjackson] dove into its guts, decoding circuits, fixing misaligned logic levels, and designing custom circuit boards in KiCAD. The latest version swaps WiFi for a WizNet W5500 ethernet module and even integrates the Arduino Uno R4 directly into the board’s design. Beyond cool tech, the display connects to MQTT, pulling real-time train data and Discord messages via scripts that bridge APIs and custom Arduino code.

This board is a true gem for any hackerspace, even more so now it’s working. It waited for the exact mix of ingredients why hackerspaces exist in the first place: curiosity, persistence, and problem-solving. Nottingham Hackspace is home to a lot more, as we once wrote in this introductory article.If you don’t have room for the real thing, maybe set your sights a bit smaller.

Do you have a statement piece this cool in your hackerspace or your home? Tip us!

Continue reading “All Aboard The Hack Train: Nottingham’s LED Revival”

Repairing A BPS-305 30V Bench Power Supply

December 31, 2024 by 6 Comments

When [Tahmid Mahbub] recently reached for his ‘Lavolta’ BPS-305 bench supply, he was dismayed to find that despite it being a 30V, 5A-rated unit, the supply refused to output more than 15V. To be fair, he wasn’t sure that he had ever tried to push it beyond 15V in the years that he had owned it, but it had better live up to its specs. Ergo out came the screwdriver to open the power supply to see what had broken, and hopefully to fix it.

After some more probing around, he discovered that the unit had many more issues, including a highly unstable output voltage and output current measurement was completely wrong. Fortunately this bench power supply turns out to be very much like any number of similar 30V, 5A units, with repair videos and schematics available.

While [Tahmid] doesn’t detail his troubleshooting process, he does mention the culprits: two broken potentiometers (VR104 and VR102). VR104 is a 5 kOhm pot in the output voltage feedback circuit and VR102 (500 Ohm) sets the maximum output current. With no 500 Ohm pot at hand, a 5 kOhm one was combined with a 470 Ohm resistor to still allow for trimming. Also adjusted were the voltage and current trimpots for the front display as they were quite a bit off. Following some testing on the reassembled unit, this power supply is now back in service, for the cost of two potentiometers and a bit of time.

38C3: Lawsuits Are Temporary; Glory Is Forever

December 29, 2024 by 35 Comments

One of the blockbuster talks at last year’s Chaos Communications Congress covered how a group of hackers discovered code that allegedly bricked public trains in Poland when they went into service at a competitor’s workshop. This year, the same group is back with tales of success, lawsuits, and appearances in the Polish Parliament. You’re not going to believe this, but it’s hilarious.

The short version of the story is that [Mr. Tick], [q3k], and [Redford] became minor stars in Poland, have caused criminal investigations to begin against the train company, and even made the front page of the New York Times. Newag, the train manufacturer in question has opened several lawsuits against them. The lawsuit alleges the team is infringing on a Newag copyright — by publishing the code that locked the trains, no less! If that’s not enough, Newag goes on to claim that the white hat hackers are defaming the company.

What we found fantastically refreshing was how the three take all of this in stride, as the ridiculous but incredibly inconvenient consequences of daring to tell the truth. Along the way they’ve used their platform to speak out for open-sourcing publicly funded code, and the right to repair — not just for consumers but also for large rail companies. They are truly fighting the good fight here, and it’s inspirational to see that they’re doing so with humor and dignity.

If you missed their initial, more technical, talk last year, go check it out. And if you ever find yourself in their shoes, don’t be afraid to do the right thing. Just get a good lawyer.