The Pentium Processor’s Innovative (and Complicated) Method Of Multiplying By Three, Fast

[Ken Shirriff] has been sharing a really low-level look at Intel’s Pentium (1993) processor. The Pentium’s architecture was highly innovative in many ways, and one of [Ken]’s most recent discoveries is that it contains a complex circuit — containing around 9,000 transistors — whose sole purpose is to multiply specifically by three. Why does such an apparently simple operation require such a complex circuit? And why this particular operation, and not something else?

Let’s back up a little to put this all into context. One of the feathers in the Pentium’s cap was its Floating Point Unit (FPU) which was capable of much faster floating point operations than any of its predecessors. [Ken] dove into reverse-engineering the FPU earlier this year and a close-up look at the Pentium’s silicon die shows that the FPU occupies a significant chunk of it. Of the FPU, nearly half is dedicated to performing multiplications and a comparatively small but quite significant section of that is specifically for multiplying a number by three. [Ken] calls it the x3 circuit.

The “x3 circuit”, a nontrivial portion of the Pentium processor, is dedicated to multiplying a number by exactly three and contains more transistors than an entire Z80 microprocessor.

Why does the multiplier section of the FPU in the Pentium processor have such specialized (and complex) functionality for such an apparently simple operation? It comes down to how the Pentium multiplies numbers.

Multiplying two 64-bit numbers is done in base-8 (octal), which ultimately requires fewer operations than doing so in base-2 (binary). Instead of handling each bit separately (as in binary multiplication), three bits of the multiplier get handled at a time, requiring fewer shifts and additions overall. But the downside is that multiplying by three must be handled as a special case.

[Ken] gives an excellent explanation of exactly how all that works (which is also an explanation of the radix-8 Booth’s algorithm) but it boils down to this: there are numerous shortcuts for multiplying numbers (multiplying by two is the same as shifting left by 1 bit, for example) but multiplying by three is the only one that doesn’t have a tidy shortcut. In addition, because the result of multiplying by three is involved in numerous other shortcuts (x5 is really x8 minus x3 for example) it must also be done very quickly to avoid dragging down those other operations. Straightforward binary multiplication is too slow. Hence the reason for giving it so much dedicated attention.
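The digit recoding behind that explanation, as an added sketch (not code from [Ken]'s article or from Intel). It models radix-8 Booth multiplication on unsigned integers: every digit falls between -4 and 4, and every partial product is a shift or negation of the multiplicand except ±3, which needs the precomputed x3 value. The function names are hypothetical, and this is an arithmetic model rather than the Pentium's actual datapath.

```python
def booth8_digits(multiplier: int, bits: int = 64) -> list[int]:
    """Recode an unsigned multiplier into radix-8 Booth digits, least significant first."""
    digits = []
    prev_top = 0  # top bit of the previous 3-bit group (0 below bit 0)
    # One group more than bits // 3 guarantees a zero bit above the operand,
    # so the final digit is never negative.
    for i in range(bits // 3 + 1):
        group = (multiplier >> (3 * i)) & 0b111
        b0, b1, b2 = group & 1, (group >> 1) & 1, group >> 2
        # Groups 5, 6, 7 become -3, -2, -1 plus a carry of +1 into the next digit.
        digits.append(-4 * b2 + 2 * b1 + b0 + prev_top)
        prev_top = b2
    return digits


def booth8_multiply(a: int, b: int, bits: int = 64) -> tuple[int, int]:
    """Return (a * b, number of digits that needed the x3 multiple)."""
    if not (0 <= a < 1 << bits and 0 <= b < 1 << bits):
        raise ValueError("operands must be unsigned and fit in `bits` bits")
    x3 = a + (a << 1)  # the only multiple that needs a real carry-propagating add
    multiples = {0: 0, 1: a, 2: a << 1, 3: x3, 4: a << 2}  # the rest are shifts
    product, x3_uses = 0, 0
    for i, d in enumerate(booth8_digits(b, bits)):
        term = multiples[abs(d)]
        x3_uses += abs(d) == 3
        # Each digit contributes one partial product, weighted by 8**i.
        product += (-term if d < 0 else term) << (3 * i)
    return product, x3_uses


if __name__ == "__main__":
    # 5 is recoded as 8 - 3: digit -3 in position 0, digit +1 in position 1.
    print(booth8_digits(5, bits=6))
    # A 64-bit multiplier yields 22 partial products instead of 64.
    print(len(booth8_digits(0, bits=64)))
    print(booth8_multiply(123456789, 5))
```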

[Ken] goes into considerable detail on how exactly this is done, and it involves carry lookaheads as a key element to saving time. He also points out that this specific piece of functionality used more transistors than an entire Z80 microprocessor. And if that is not a wild enough idea for you, then how about the fact that the Z80 has a new OS available?

Cheap Hackable Smart Ring Gets A Command Line Client

Last year, we featured a super cheap smart ring – BLE, accelerometer, heart sensor, and a battery, all in a tiny package that fits on your finger. Back when we covered it, we expected either reverse-engineering of stock firmware, or development of a custom firmware outright. Now, you might be overjoyed to learn that [Wesley Ellis] has written a Python client for the ring’s stock firmware.

Thanks to the lack of any encryption whatsoever, you can simply collect the data from your ring, no pairing necessary, and [Wesley]’s work takes care of the tricky bits. So, if you want to start collecting data from this ring right now, integrate it into anything you want, such as your smart home or exoskeleton project, this client is enough. A few firmware secrets remain – for instance, the specific way that the ring keeps track of day phases, or SPO2 intricacies. But there’s certainly enough here for you to get started with.

This program will work as long as your ring uses the QRing app – should be easy to check right in the store listing. Want to pick up the mantle and crack open the few remaining secrets? Everything is open-source, and there’s a notepad that follows the OG reverse-engineering journey, too. If you need a reminder on what this ring is cool for, here’s our original article on it.

Here’s A Spy Movie-Grade Access Card Sniffing Implant

Some of our devices look like they’re straight out of hacker movies. For instance, how about a small board you plant behind an RFID reader, collecting access card data and then replaying it when you next walk up to the door? [Jakub Kramarz] brings us perhaps the best design on the DIY market, called The Tick – simple, flexible, cheap, tiny, and fully open-source.

Take off the reader, tap into the relevant wires and power pins (up to 25V input), and just leave the board there. It can do BLE or WiFi – over WiFi, you get a nice web UI showing you the data collected so far, and letting you send arbitrary data. It can do Wiegand like quite a few open-source projects, but it can also do arbitrary clock+data protocols, plus you can just wire it up quickly, and it will figure out the encoding.

We could imagine such a board inside a Cyberpunk DnD rulebook or used in Mr Robot as a plot point, except that this one is real and you can use it today for red teaming and security purposes. Not to say all applications would be NSA-catalog-adjacent pentesting – you could use such a bug to reverse-engineer your own garage door opener, for one.


Making The Alarmo Customizable, By Any Means Necessary

Last year, Nintendo released the Alarmo, a bedside-style alarm clock with a colourful display. Do you own one? You deserve full control over your device, of course. [KernelEquinox] has been reverse-engineering an Alarmo ever since getting one, and there’s no shortage of cool stuff you’ll be able to do with an Alarmo thanks to this work.

Now, just how can you improve upon the Alarmo? Looking through the Alarmo dev community site and threads on the subreddit, there are plenty of ideas, from themes to a ton of possible behaviour tweaks! In particular, Nintendo has already changed Alarmo’s behaviour in a way that is jarring to some users – a third-party development community will help us all make sure our Alarmos work exactly like we expect them to. Want to replace the sound files, tie your Alarmo into your smart home setup, write your own apps, tweak the UI or default behaviour, fix a bug that irks you real bad, or access a debug menu? Or, ensure that Alarmo doesn’t contribute to light pollution in your room? All of it appears to be doable.

Like the Alarmo, but don’t own one yet? It’s limited-release for now, but it will be more widely available this March; we thank [KernelEquinox] for the work in making Alarmo hacker-friendly. If you’ve forgotten, this project started off thanks to the efforts of [Gary] last year. We covered it back then — cat pictures included!

The Bus Pirate 5 Sure Can Glitch

Own a Bus Pirate 5? Now, it can do power glitching, thanks to [Matt Brugman]’s demo and contributions to the stock code. This is also a great demo of Bus Pirate’s capabilities and programmability! All you need is the Bus Pirate and a generic Arduino – load a glitch-vulnerable code example into the Arduino, get yourself a generic FET-based glitching setup, and you too can play.

The Arduino board outputs data over UART, and that’s used as a trigger for the Bus Pirate’s new glitch feature – now mainline, thanks to [Matt]’s pull request. It’s pretty feature-complete, too — all parameters are configurable, it can vary the glitching interval, as one would want, and the code checks for success conditions so that it can retry glitching automatically.

In this demo, it only took six consecutive attempts to successfully glitch the ATMega328P – wouldn’t you know it, the code that got glitched was pulled almost wholesale from an IoT device. Glitching remains an underappreciated vector for reverse-engineering, and there’s really no shortage of hacks it allows you to do – get yourself a FET, a Bus Pirate, or maybe just an ESP8266, and join the glitching-aware hackers club!

Want to know more about the Bus Pirate 5? Check out our hands-on review of the hacker multi-tool from last year.

Reverse-Engineering SKS Airspy Tire Pressure Sensors For Custom Firmware

Although a somewhat common feature on cars these days, tire pressure sensors (TPS) are also useful on bicycles. The SKS Airspy range of TPS products is one such example, which enables remote monitoring of the air pressure either to a special smartphone app (SKS MYBIKE) or to a Garmin device. Of course, proprietary solutions like this require reverse-engineering to liberate the hardware from nasty proprietary firmware limitations, which is exactly what [bitmeal] did with a custom firmware project.

Rather than the proprietary and closed communication protocol, the goal was to use the open ANT+ sensor instead, specifically the (non-certified) TPS profile which is supported by a range of cycling computers. Before this could happen the Airspy TPS hardware had to be first reverse-engineered so that new firmware could be developed and flashed. These devices use the nRF52832 IC, meaning that development tools are freely available. Flashing the custom firmware requires gaining access to the SWD interface, which will very likely void the warranty on a $160 – 240 device.

The SWD programmer is then attached to the 1.27 mm spaced SWD holes per the instructions on the GitHub page. After flashing the provided .hex file you can then connect to the TPS as an ANT+ device, but instructions are also provided for developing your own firmware.


Let There Be Light: The Engineering Of Optical HDMI

In a recent video, [Shahriar] from The Signal Path has unveiled the intricate design and architecture of optical HDMI cables, offering a cost-effective solution to extend HDMI 2.0 connections beyond the limitations of traditional copper links. This exploration is particularly captivating for those passionate about innovative hardware hacks and signal transmission technologies.

[Shahriar] begins by dissecting the fundamentals of HDMI high-speed data transmission, focusing on the Transition Minimized Differential Signaling (TMDS) standard. He then transitions to the challenges of converting from twisted-pair copper to optical lanes, emphasizing the pivotal roles of Vertical-Cavity Surface-Emitting Lasers (VCSELs) and PIN photodiodes. These components are essential for transforming electrical signals into optical ones and vice versa, enabling data transmission over greater distances without significant signal degradation.

A standout aspect of this teardown is the detailed examination of the optical modules, highlighting the use of free-space optics and optical confinement techniques with lasers and detectors. [Shahriar] captures the eye diagram of the received high-speed lane and confirms the VCSELs’ optical wavelength at 850 nm. Additionally, he provides a microscopic inspection of the TX and RX chips, revealing the intricate VCSEL and photodetector arrays. His thorough analysis offers invaluable insights into the electronic architecture of optical HDMI cables, shedding light on the complexities of signal integrity and the innovative solutions employed to overcome them.

For enthusiasts eager to take a deeper look into the nuances of optical HDMI technology, [Shahriar]’s comprehensive teardown serves as an excellent resource. It not only gives insight into the components and design choices involved, but also inspires further exploration into enhancing data transmission methods.
