$3 Smartwatch Can Run Python

[Poking Technology] doesn’t think much of his new smartwatch. It is, by his admission, the cheapest possible smartwatch, coming in at about $3. It has very few useful features but he has figured out how to port MicroPython to it, so for a wrist-mounted development board with BLE, it might be useful. You can check it out in the video below.

The first step is a teardown, which reveals surprisingly little on the inside. There’s a tiny battery, a few connections, a display, and a tiny CPU board. There are, luckily, a few test pads that let you get into the CPU. What do you get? A 24 MHz Telink CPU with 512k of flash and 16k of RAM, along with all the other hardware.


Recovering An Agilent 2000a/3000a Oscilloscope With Corrupt Firmware NAND Flash

Everyone knows that you can never purchase enough projects off eBay, lest boredom inadvertently strike. That’s why [Anthony Kouttron] got his mitts on an Agilent DSO-X 2014A digital oscilloscope that was being sold as defective and not booting, effectively just for parts. When [Anthony] received the unit, this turned out to be very much the case, with the front looking like it had been dragged over the tarmac before having the stuffing beaten out of its knobs with a hammer. Fortunately, repairing the broken encoder and the plastic enclosure was easy enough, but the scope didn’t want to boot when powered on. How bad was the damage?

As [Anthony] describes in the article, issues with this range of Agilent DSOs are well-known. One example is the PSU, which likes to fry its primary side because the soft power button leaves it powered 24/7 with no cooling. The other is corrupted NAND storage, which he confirmed after figuring out the UART interface on the PCB with the ST SPEAr600 ARM-based SoC. Seeing the sad Flash block decompression error from Windows CE said enough.

This led him down the rabbit hole of finding the WinCE firmware images (nuked by Keysight, backed up on his site) for this scope, along with the InfiniiVision scope application. The former is loaded via the bootloader in binary YMODEM mode, followed by installing InfiniiVision via a USB stick. An alternate method is explained in the SPEAr600 datasheet, in the form of the USB BootROM, which can also be reached via the bootloader with some effort.

As for the cause of the NAND corruption, it’s speculated that the scope writes to the same section of NAND Flash on boot, with the SPEAr600’s Flash controller documentation not mentioning wear leveling. Whether that’s true or not, at least it can be fixed with some effort even without replacing the NAND Flash IC.

A closeup of the ring, inner electronics including a lit green LED seen through the inner transparent epoxy, next to the official app used to light up the LED for a demo.

New Part Day: A Hackable Smart Ring

We’ve seen prolific firmware hacker [Aaron Christophel] tackle smart devices of all sorts, and he never fails to deliver. This time, he’s exploring a device that seems like it could have come from the pages of a Cyberpunk RPG manual — a shiny chrome Bluetooth Low Energy (BLE) smart ring that’s packed with sensors, is reasonably hacker friendly, and is currently selling for as little as $20.

The ring’s structure is simple — the outside is polished anodized metal, with the electronics and battery carefully laid out along the inside surface, complete with a magnetic charging port. It has a BLE-enabled MCU, a heart rate sensor, and an accelerometer. It’s not much, but you can do a lot with it, from the usual exercise and sleep tracking to a tap-sensitive interface for anything you want to control from the palm of your hand. In the video’s comments, someone noted how a custom firmware for the ring could be used to detect seizures; a perfect example of how hacking such gadgets can bring someone a brighter future.

The ring manufacturer’s website provides firmware update images, and it turns out you can upload your own firmware onto it over-the-air through BLE. There’s no signing, no encryption — this is a dream device for your purposes. Even better, the MCU is somewhat well-known. There’s an SDK, for a start, and a datasheet which describes all you would want to know, save for perhaps the tastiest features. With 200 K of RAM, 512 K of flash, and a BLE library already in ROM, this ring gives you a lot to wield for how little space it all takes up. You can even get access to the chip’s Serial Wire Debug (SWD) pads, though you’ve got to scrape away some epoxy first.

As we’ve seen in the past, once [Aaron] starts hacking on these sort of devices, their popularity tends to skyrocket. We’d recommend ordering a couple now before sellers get wise and start raising prices. While we’ve seen hackers build their own smart rings before, it’s tricky business, and the end results usually have very limited capability. The potential for creating our own firmware for such an affordable and capable device is very exciting — watch this space!


The Logitech receiver in question next to the mouse it’s paired to.

Uncovering Secrets Of Logitech M185’s Dongle

[endes0] has been hacking with USB HID recently, and a Logitech M185 mouse’s USB receiver has fallen into their hands. Unlike many Logitech mice, this one doesn’t include a Unifying receiver, though it’s capable of pairing to one. Instead, it comes with a pre-paired CU0019 receiver that, it turns out, is based on a fairly obscure TC32 chipset by Telink, the kind we’ve seen in cheap smart wristbands. If you’re dealing with a similarly obscure MCU, how do you even proceed?

In this case, GitHub had a good few tools developed by other hackers earlier — a Ghidra integration, and a tool for working with the MCU using a USB-UART and a single resistor. Unfortunately, dumping memory through the MCU’s interface was unreliable and frustrating. So it was time to celebrate when fuzzing the HID endpoints uncovered a memory dump exploit, with the memory dumper code helpfully shared in the blog post.

From a memory dump, the exploration truly began — [endes0] uncovers a fair bit of the dongle’s inner workings, including a guess at which project it was based on, and even a command putting the dongle into a debug mode where a TC32-compatible debugger puts this dongle fully under your control.

Yet another hands-on course on Ghidra, and a wonderful primer on mouse dongle hacking – after all, if you treat your mouse’s dongle as a development platform, you can easily do things like control a small quadcopter, pair the dongle with an SNES gamepad, or build a nifty wearable.

We thank [adistuder] for sharing this with us!

Reverse-Engineering Makita Batteries To Revive Them

Modern lithium-ion battery packs for cordless power tools contain an incredible amount of energy, which necessitates that they come with a range of safeties. Although it’s good when the battery management system (BMS) detects a fault and cuts power to prevent issues, there exists the possibility of false positives. Having an expensive battery pack brick itself for no good reason is rather annoying, as is being unable to reuse a BMS in, for example, a re-manufactured battery. This was the reasoning that led [Martin Jansson] down the path of reverse-engineering Makita batteries, for starters.

After that initial reverse-engineering attempt involving a firmware dump of the NEC (Renesas) F0513 MCU, [Martin] didn’t get back to the project until recently, when he was contacted by [Romain], who donated a few BMS boards to the cause. One of these features an STM32 MCU, which made the task much easier. Ultimately [Martin] was able to determine the command set for the Maxim OneWire-based communication protocol, as well as a hidden UART mode.

Due to the critical timing required, off-the-shelf programmers didn’t work, so an Arduino Uno-based programmer (ArduinoOBI) was created instead. It can be found on GitHub along with the Open Battery Information desktop application, which provides access to these BMS features after connecting to the battery pack. Although only Makita is supported right now, [Martin] would like to see support for other brands added as well.

Supercon 2023: Reverse Engineering Commercial Coffee Machines

There was a time when a coffee vending machine was a relatively straightforward affair, with a basic microcontroller doing not much more than the mechanical sequencer it replaced. A modern machine by contrast has 21st century computing power, with a touch screen interface and a full-fat operating system. At Hackaday Supercon 2023, [Kuba Tyszko] shared his adventures in the world of coffee, after reverse engineering a couple of high-end dispensing machines. Sadly he doesn’t reveal the manufacturer, but we’re sure readers will be able to fill in the gaps.

Under the hood is a PC running a Linux distro from a CF card. Surprisingly, the distros in question were Slax and Lubuntu, and could quite easily be investigated. The coffee machine software was a Java app, which seems to us strangely appropriate, and it communicated with the coffee machine hardware via a serial port. It’s a tale of relatively straightforward PC reverse engineering, during which he found that the machine isn’t a coffee spy, as its only communication with its mothership is an XML status report.

In a way, what seems almost surprising is how relatively straightforward and ordinary this machine is. We’re used to quirky embedded platforms with everything far more locked down than this. Meanwhile, if hacking vending machines is your thing, you can find a few previous stories on the topic.


Fixing Issues With Knockoff Altera USB Blasters

Using an external MCU as a crude clock source for the Altera CPLD. (Credit: [Doug Brown])
One exciting feature of hardware development involving MCUs and FPGAs is that you all too often need specific tools to program them, with [Doug Brown] suffering a price tag aneurysm after checking the cost of an official Altera/Intel USB Blaster (yours for $300) to program a MAX 10 FPGA device. This led him naturally down the path of exploring alternatives, with the $69 Terasic version rejected for ‘being too expensive’ and opting instead for the Waveshare USB Blaster V2, at a regretful $34. The amazing feature of this USB Blaster clone is that while it works perfectly fine under Windows, it works at best intermittently under Linux.

This led [Doug] down the path of reverse-engineering and diagnosing the problem, ultimately throwing in the towel and downclocking the Altera CPLD inside the adapter after finding that it was running a smidge faster than the usual 6 MHz. This was accomplished initially by wiring in an external MCU as a crude (and inaccurate) clock source, but will be replaced with a 12 MHz oscillator later on. Exactly why the problem only exists on Linux and not on Windows will remain a mystery, with Waveshare support also being clueless.

Undeterred, [Doug] then gambled on a $9 USB Blaster clone (pictured above), which turned out to be not only completely non-functional, but also caused an instant BSOD on Windows, presumably due to the faked FTDI USB functionality tripping up the Windows FTDI driver. This got fixed by flashing custom firmware by [Vladimir Duan] to the WCH CH552G-based board, after some modifications shared in a project fork. This variety of clone adapter can have a range of MCUs inside, from this WCH one to STM32 and PIC MCUs, with very similar labels on the case. While cracking one open we had lying around, we found a PIC18 inside, but if you end up with a CH552G-based one, this would appear to fully fix it. Which isn’t bad for the merest fraction of the official adapter’s price.

Thanks to [mip] for the tip.