Reverse Engineering

290 Articles

Very Efficient APFC Circuit In Faulty Industrial 960 Watt Power Supply

August 25, 2025 by 2 Comments

The best part about post-mortem teardowns of electronics is when you discover some unusual design features, whether or not these are related to the original fault. In the case of a recent [DiodeGoneWild] video involving the teardown of an industrial DIN-rail mounted 24 V, 960 Watt power supply, the source of the reported bang was easy enough to spot. During the subsequent teardown of this very nicely modular PSU the automatic power factor correction (APFC) board showed it to have an unusual design, which got captured in a schematic and is explained in the video.

Choosing such a APFC design seems to have been done in the name of efficiency, bypassing two of the internal diodes in the bridge rectifier with the external MOSFETs and ultrafast diodes. In short, it prevents some of the typical diode voltage drops by removing diodes in the path of the current.

Although not a new design, as succinctly pointed out in the comments by [marcogeri], it’s explained how even cutting out one diode worth of voltage drop in a PSU like this can save 10 Watt of losses. Since DIN rail PSUs rarely feature fans for active cooling, this kind of APFC design is highly relevant and helps to prevent passively cooled PSUs from spiraling into even more of a thermal nightmare.

As for the cause behind the sooty skid marks on one of the PCBs, that will be covered in the next video.

Continue reading “Very Efficient APFC Circuit In Faulty Industrial 960 Watt Power Supply”

How Intel’s 386 Protects Itself From ESD, Latch-up And Metastability

August 21, 2025 by 11 Comments

To connect the miniature world of integrated circuits like a CPU with the outside world, a number of physical connections have to be made. Although this may seem straightforward, these I/O pads form a major risk to the chip’s functioning and integrity, in the form of electrostatic discharge (ESD), a type of short-circuit called a latch-up and metastability through factors like noise. Shielding the delicate ASIC from the cruel outside world is the task of the I/O circuitry, with [Ken Shirriff] recently taking an in-depth look at this circuity in Intel’s 386 CPU.

The 386 die, zooming in on some of the bond pad circuits. (Credit: Ken Shirriff)
The 386 die, zooming in on some of the bond pad circuits. (Credit: Ken Shirriff)

The 386 has a total of 141 of these I/O pads, each connected to a pin on the packaging with a delicate golden bond wire. ESD is on the top of the list of potential risks, as a surge of high voltage can literally blow a hole in the circuitry. The protective circuit for this can be seen in the above die shot, with its clamping diodes, current-limiting resistor and a third diode.

Latch-up is the second major issue, caused by the inadvertent creation of parasitic structures underneath the P- and NMOS transistors. These parasitic transistors are normally inactive, but if activated they can cause latch-up which best case causes a momentary failure, but worst case melts a part of the chip due to high currents.

To prevent I/O pads from triggering latch-up, the 386 implements ‘guard rings’ that should block unwanted current flow. Finally there is metastability, which as the name suggests isn’t necessarily harmful, but can seriously mess with the operation of the chip which expects clean binary signals. On the 386 two flip-flops per I/O pad are used to mostly resolve this.

Although the 386’s 1985-era circuitry was very chonky by today’s standards, it was still no match for these external influences, making it clear just how important these protective measures are for today’s ASICs with much smaller feature sizes.

Playing DOOM On The Anker Prime Charging Station

August 21, 2025 by 13 Comments

At this point the question is no longer whether a new device runs DOOM, but rather how well. In the case of Anker’s Prime Charging Station it turns out that it’s actually not too terrible at controlling the game, as [Aaron Christophel] demonstrates. Unlike the similar Anker power bank product with BLE and a big display that we previously covered, this device has quite the capable hardware inside.

Playing a quick game of Doom while waiting for charging to finish. (Credit: Aaron Christophel, YouTube)
Playing a quick game of DOOM while waiting for charging to finish. (Credit: Aaron Christophel, YouTube)

According to [Aaron], inside this charging station you’ll not only find an ESP32-C3 for Bluetooth Low Energy (BLE) duty, but also a 150 MHz Synwit SWM341RET7 (Chinese datasheet) ARM-based MCU along with 16 MB of external flash and 8 MB of external RAM. Both of these are directly mapped into the MCU’s memory space. The front display has a 200×480 pixel resolution.

This Synwit MCU is a bit of a curiosity, as it uses ARM China’s Star-MC1 architecture for which most of the information is in Chinese, though it’s clear that it implements the ARMv8-M profile. It can also be programmed the typical way, which is what [Aaron] did to get DOOM on it, with the clicky encoder on the side of the charging station being the sole control input.

As can be seen in the video it makes for a somewhat awkward playing experience, but far more usable than one might expect, even if running full-screen proved to be a bit too much for the hardware.

Continue reading “Playing DOOM On The Anker Prime Charging Station”

Hacking The Bluetooth-Enabled Anker Prime Power Bank

August 14, 2025 by 35 Comments

Selling power banks these days isn’t easy, as you can only stretch the reasonable limits of capacity and output wattage so far. Fortunately there is now a new game in town, with ‘smart’ power banks, like the Anker one that [Aaron Christophel] recently purchased for reverse-engineering. It features Bluetooth (BLE), a ‘smart app’ and a rather fancy screen on the front with quite a bit of information. This also means that there’s a lot to hack here beyond basic battery management system (BMS) features.

As detailed on the GitHub project page, after you get past the glue-and-plastic-clip top, you will find inside a PCB with a GD32F303 MCU, a Telink TLSR8253 BLE IC and the 240×240 ST7789 LCD in addition to a few other ICs to handle BMS functions, RTC and such. Before firmware version 1.6.2 you can simply overwrite the firmware, but Anker added a signature check to later firmware updates.

The BLE feature is used to communicate with the Anker app, which the official product page advertises as being good for real-time stats, smart charging and finding the power bank by making a loud noise. [Aaron] already reverse-engineered the protocol and offers his own alternative on the project page. Naturally updating the firmware is usually also done via BLE.

Although the BLE and mobile app feature is decidedly a gimmick, hacking it could allow for some interesting UPS-like and other features. We just hope that battery safety features aren’t defined solely in software, lest these power banks can be compromised with a nefarious or improper firmware update.

Continue reading “Hacking The Bluetooth-Enabled Anker Prime Power Bank”

Exploring The TRS-80’s Color BASIC’s Random Number Function

August 8, 2025 by 6 Comments

Although these days we get to tap into many sources of entropy to give a pretty good illusion of randomness, home computers back in the 1980s weren’t so lucky. Despite this, their random number generators were good enough for games and such, as demonstrated by the [CoCo Town] YouTube channel.

The CoCo is the nickname for the TRS-80 Color Computer, which despite its name, shares absolutely nothing with the TRS-80. Its BASIC version is called Color BASIC, which like many others was based on Microsoft BASIC, so the video’s description should be valid for many other BASIC versions as well. In the video we’re first taken through a basic summary of what the floating point format is all about, before running through an example of the algorithm used by Color BASIC for its RND function, using a test program written in Color BASIC.

As described in the video, the used algorithm appears to be the linear congruential generator, which is a pseudo-random generator that requires minimal resources from the hardware it runs on. Of course, its main disadvantage is that it will fairly rapidly begin to repeat itself, especially with a limited number of output bits. This makes it a decent choice even today for something like simple game logic where you just want to get some variation without aiming for cryptographically secure levels of randomness.

Continue reading “Exploring The TRS-80’s Color BASIC’s Random Number Function”

The Scourge Of Fake Retro Unijunction Transistors

August 4, 2025 by 18 Comments

We all know that it’s easy to get caught out by fake electronic components these days, with everything from microcontrollers to specialized ASICs being fair game. More recently, retro components that were considered obsolete decades ago are now becoming increasingly popular, with the unijunction transistor (UJT) a surprising example of this. The [En Clave de Retro] YouTube channel released a video (Spanish, with English dub) documenting fake UJTs bought off AliExpress.

These AliExpress UJTs were discovered after comments to an earlier video on real UJTs said that these obsolete transistors are still being manufactured and can be bought everywhere, meaning mostly on AliExpress and Amazon. Of course, this had to be investigated, as why would anyone still manufacture UJTs today, and did some Chinese semiconductor factory really spin up a new production line for them?

Perhaps unsurprisingly, some tests later and after a quick decapping of the metal can, the inside revealed a bipolar transistor (BJT) die (see top image on the left). Specifically, a PNP BJT transistor die, packaged up inside a vintage-style metal can with fake markings claiming it is a 2N2646 UJT.

The video suggests that scams like these might be because people want to get vintage parts for cheap, and that’s created a new market for people who would rather get scammed than deal with the sticker shock of paying for genuine new-old-stock or salvaged components. For example, while programmable unijunction transistors (PUTs) like the 2N6028 are still being manufactured, they cost a few dollars a pop in low quantities. UJTs used to be common in timer circuits, but now we have the 555.

Continue reading “The Scourge Of Fake Retro Unijunction Transistors”

TDA7000 die shot, with labels. Credit: Ken Shirriff

Reverse-Engineering The TDA7000 FM Radio Receiver IC

August 3, 2025 by 5 Comments
A wristwatch featuring the TDA7000 FM radio receiver IC. (Credit: Philips Technical Review)
A wristwatch featuring the TDA7000 FM radio receiver IC. (Credit: Philips Technical Review)

During the 1980s a lot of consumer devices suddenly got a lot smaller as large-scale integration using semiconductor technology took off. This included radios, with Philips’ TDA7000 FM radio receiver IC being the first to cram most of what you’d need for an FM radio receiver into a single chip. Recently, [Ken Shirriff] had a poke at analyzing a die shot of the TDA7000, reverse-engineering its functional blocks. How did the Philips engineers manage to miniaturize an FM radio? [Ken] will show you.

Continue reading “Reverse-Engineering The TDA7000 FM Radio Receiver IC”