Reverse Engineering

317 Articles

Beating Apple’s Secret Lid Angle Sensor Calibration With Custom Tool

September 26, 2023 by 35 Comments

Among the changes made by Apple to its laptops over the years, the transition from a Hall sensor-based sleep sensor to an angle sensor that determines when the lid is closed is a decidedly unpopular one. The reason for this is the need to calibrate this sensor after replacement, using a tool that Apple decided to keep for itself. That is, until recently [Stephan Steins] created a tool which he creatively called the ‘nerd.tool.1‘. This widget can perform this calibration procedure with the press of its two buttons, as demonstrated on [Louis Rossmann]’s YouTube channel.

This new angle sensor was first introduced in late 2019, with Apple’s official reason being an increased level of ‘precision’. As each sensor has to be calibrated correctly in order to measure the magnetic field and determine the associated lid angle, this means that third-party repair shops and determined MacBook owners have to transplant the chip containing the calibration data to a replacement sensor system. Until now, that is. Although the nerd.tool.1 is somewhat pricey at €169 ($179 USD), for a third-party MacBook repair shop this would seem to be a steal.

It is however unfortunate that Apple persists in such anti-repair methods, with recently [Hugh Jeffreys] also calling Apple out on this during a MacBook Pro M1/M2 teardown video. During this teardown [Hugh] came across this angle sensor issue by swapping parts between two otherwise identical MacBook Pros, indicating just how annoying this need to calibrate one tiny lid angle sensor is.

Continue reading “Beating Apple’s Secret Lid Angle Sensor Calibration With Custom Tool”

Reverse-engineering The Milwaukee M18 Redlink Protocol

September 15, 2023 by 20 Comments

In an ideal world, every single battery pack for power tools would use the same physical interface and speak a clearly documented protocol with chargers. Since we live in a decidedly less-than-ideal world, we get to enjoy the fun pastime of reverse-engineering the interfaces and protocols of said battery packs.

Hooking up a logic analyzer to a M18 battery and charger.

A recent video from the [Tool Scientist] goes over what is already known about the Milwaukee M18 Redlink protocol, used with the manufacturer’s M18-series of batteries, before diving into some prodding and poking of these packs’ sensitive parts to see what comes out of their interface.

Previously, [Buy It Fix It] shared their findings on Reddit, covering the basic protocol, including the checksum method, but without an in-depth analysis of the entire charging protocol. Meanwhile [Quagmire Repair] performed an in-depth teardown and reverse-engineering of the M18 hardware, including the circuitry of the BMS.

Putting these two things together, [Tool Scientist] was able to quickly get some of his M18 packs strapped down into the analysis chair for both passive analysis, as well as the effect of overvoltage, undervoltage, overheating and freezing the battery pack on the output reported by the battery’s BMS.

One of the lists of commands and response messages obtained by [Tool Scientist] on YouTube.
One of the lists of commands and response messages obtained by [Tool Scientist] on YouTube.
The result is a rather comprehensive list of instructions obtained under these various conditions, including a fault condition (05) returned by the BMS of one pack indicating its likely demise. Overall, it does not appear to be a particularly special (or well-designed) protocol, but it does make for a good reverse-engineering target, while adding to the body of collective knowledge on these widely available battery packs.

Hopefully the same inertia that prevents people from moving outside the designated power tool ecosystem due to the incompatible battery packs will also ensure that this level of  knowledge will remain relevant for the foreseeable future, especially since the manufacturers of knock-off battery packs seem rather unwilling to share the results of their own reverse-engineering efforts.

Continue reading “Reverse-engineering The Milwaukee M18 Redlink Protocol”

Exploring Hidden Lyrics On 1990s DCC Audio Tapes

September 11, 2023 by 18 Comments

Having a fondness for old and obscure audio and video media formats, [Techmoan] recently revisited the Philips Digital Compact Cassette (DCC) format introduced in 1992. Despite being billed as the successor to Philips’ original analog Compact Cassette format from 1963, DCC was short-lived and slipped away after only four years in 1996. [Techmoan] obtained a unique cassette that purports to be the only known published DCC tape which contains embedded song lyrics that scroll on the DCC player’s tiny screen in sync with the music — “Size Isn’t Everything” by the Bee Gees from 1993. Sure enough, he is able to demonstrate this in the video down below the break.

But, there’s more. For reasons unclear, this only happens on on this one Bee Gees’ album. But it turns out that many DCC tapes did in fact include lots of other metadata, and sometimes lyrics as well. But these were only visible using an unreleased Philips system called Interactive Text Transmission System (ITTS). It just so happens that the folks at the DCC Museum obtained a Philips prototype ITTS box and have been gradually hacking the protocol.

Track Listing Using Blocky Graphics

[Techmoan] demonstrates a modernized prototype version from Germany designed by [Thomas Falkner] called the ITTS video box NG. Using this, he runs through a bunch of DCC tapes from his collection, and finds a significant number of them were published with lyrics and metadata, presumably in anticipation of as ITTS launch. It’s interesting to see how some publishers spent a lot of effort to format this information and others seemed to just copy / paste over the bare minimum.

The more elaborate pages resemble what you might see on your teletext screens back in the day. On those albums that do have lyrics, the presentation can be different, as well. Lyrics from the Bee Gees album appear like text scrolling up on a terminal, with current phrases shown in yellow. Another album’s lyrics can be scrolled in different peculiar ways, including a one-word-at-a-time mode.

If this kind of historical dive into technology interests you, check out the talk that [Jac] and [Ralf] gave at the 2022 Supercon about DCC, and this video from 2018 where [Ralf] digs deeper into this topic. Also, [Jac] has some more recent details on hacking the protocol posted over on his Hackaday.io project page. If you want a more basic introduction to DCC, [Techmoan] introduced this format some years ago on his YouTube channel.

Continue reading “Exploring Hidden Lyrics On 1990s DCC Audio Tapes”

Rare Arcade Game Teardown And Mods

September 9, 2023 by 7 Comments

[Video Game Esoterica] loves a 1990s video game called Operation Tiger. Apparently, there are only a few of these known to exist in 2023, and he managed to find one of them. Well, it is really just a module so he has to figure out how to give it enough input and output to be actually playable. You can see several videos of his work with the Taito game below.

The board has a lot of ICs and a Power PC to handle the 3D graphics. The graphics seem clunky today, but they were impressive for the time. According to the video, the CPU board was only used for this game. The ROM that holds the software is separate with a mix of mask-programmed memory and EPROMs.

The machine is meant to live in an arcade box. So wiring things like coin selectors, video, speakers, and controllers is a non-trivial exercise. The wiring paid off, though, as the board started up but with no buttons, it wasn’t able to start in the first video. The controls go through a 60-pin connector and he tackles that project in part two.

The next step is to actually update the game software, which is hard but possible. Of course, you can run many of these old games with MAME or, if you prefer, use it to score that primo engineering workstation you used to covet.

Continue reading “Rare Arcade Game Teardown And Mods”

RGB Graphics On A DEC Rainbow With Reverse-Engineered Monitor

September 1, 2023 by 13 Comments

One of the delights of the boring pre-VGA era is that you get to express your creativity when it comes to making a random color CRT work with an equally exciting dual CPU computer like the DEC Rainbow 100. This is the situation that the folk over at Usagi Electric found themselves in with a recent project. The Rainbow 100 is an interesting computer in that it can boot not only DOS with its 8088 processor, but also CP/M on the Z80 processor. Although generally used in monochrome mode, it supports a color graphic card to output RGB signals via its male DB15 connector.

DEC Rainbow 100 to Princeton Ultrasync adapter. With strain-relief zip tie.
DEC Rainbow 100 to Princeton Ultrasync adapter. With strain-relief zip tie.

Unfortunately, the target monitor – a Princeton Ultrasync – featured a female DB25 connector that obviously wasn’t going to connect directly, thus requiring a spot of reverse engineering. Making this very easy, the PCB containing the input connector had the traces clearly marked with the intended signal, which just left the mapping of the two connectors. One complication here was with the Rainbow 100 outputting an RGB signal with sync-on-green, whereas the monitor expected a separate synchronization signal.

Fortunately, most analog monitors aren’t particularly fussy so long as they get the expected signal somewhere in the input, which just left the final issue, of the Rainbow 100 outputting the monochrome signal on a special monochrome pin. This allowed everything to work as it should, and leaving those of us who joined the computing era in the 90s appreciative of standard VGA cables, other than for those weird Sun and Apple systems with their proprietary connectors.

Continue reading “RGB Graphics On A DEC Rainbow With Reverse-Engineered Monitor”

An Unexpected Appearance Of An Iconic Motorola Chip

August 31, 2023 by 24 Comments
Big Clive's reverse-engineered schematic of the USB charger containing the MC34063 IC.
Big Clive’s reverse-engineered schematic of the USB charger containing the MC34063 IC.

Generally when you crack open a cheap car-to-USB charger unit that came with some widget, you do not expect to find anything amazing inside. That’s why it was such a surprise to [Big Clive] when said car USB charger revealed a blast from the past in the form of an MC34063. This is a switching regulator that supports buck, boost and inverting topologies, but perhaps it most notable feature is that it was first produced by Motorola in the early 1980s.

This particular IC is marked as having been produced by ON Semiconductor which means that it’s technically still manufactured by Motorola – with ON Semiconductor being the Phoenix division that was spun off in 1999 – but it’s somewhat remarkable that this particular chip isn’t only produced by ON Semi today, but also by Texas Instruments. Much like the venerable NE555 timer IC and Intel’s 8051 MCU architecture, it would seem that certain chips and designs are simply made to become commodities in the future.

This appears to be the case for the MC34063 as well, which may lack some niceties of more modern ICs, such as built-in thermal protection, and it switches at only up to 100 kHz, but it can be bought for peanuts, has a wide input voltage range of 3 to 40 V, can switch up to 1.5 A and supports multiple common topologies. Often a 100 kHz switching regulator is all you need, in which case it’s handy to have a stack of such commodity chips lying around, plus the MC34063 comes in PDIP packaging as well, which is a boon for prototyping.

Continue reading “An Unexpected Appearance Of An Iconic Motorola Chip”

Decompiling Sonic Runners

August 22, 2023 by 7 Comments

Usually, when you hear about games being decompiled and rebuilt, the games are often decades-old relics, loving and saved from the ravages of time. [MattKC] recently set out to decompile the 2015 game Sonic Runners.

The game was a 2D endless runner released on mobile platforms. Despite getting praise for the gameplay, it received mixed reviews for the pop-up ads and pay-to-play elements. A little over a year later, the game was discontinued. However, the game required a constant online connection, so once the servers were offline, it rendered the over five million downloads unplayable.

A team of developers worked to reverse engineer the server, and with a little bit of binary hacking, the client could be patched to connect to a community-hosted server instead. However, as phones with notched displays came out and suggestions for improvements stacked up, the community realized a new client would bring immense benefits. Compared to many decompilation projects, Sonic Runners was pretty easy as it uses Unity, which means most of the code is in C#. Unfortunately, the build of Unity used by the game is from 2012, meaning many of the tools designed for much later versions of Unity were inoperable.

However, one native code library called UnmanagedProcess was designed to confuse reverse engineering efforts. The library handled AES encryption and communication with the server. Luckily, the library was a later addition, and earlier versions of its functions still lingered in the C# code. Since an open source server already existed, it was trivial to validate the changes. Additionally, all the shaders were in OpenGL Shading Language (GLSL), which meant rewriting them in High-Level Shading Language (HLSL) and checking that they matched the original GLSL when building for Android.

Now the client has new game modes, no ads, and a proper offline mode. The community continues adding new features and refining the game, which is very satisfying. If you’re curious about reverse engineering, [Matthew Alt] can help you get started.

Continue reading “Decompiling Sonic Runners