Reverse Engineering

296 Articles

How Intel’s 386 Protects Itself From ESD, Latch-up And Metastability

August 21, 2025 by 11 Comments

To connect the miniature world of integrated circuits like a CPU with the outside world, a number of physical connections have to be made. Although this may seem straightforward, these I/O pads form a major risk to the chip’s functioning and integrity, in the form of electrostatic discharge (ESD), a type of short-circuit called a latch-up and metastability through factors like noise. Shielding the delicate ASIC from the cruel outside world is the task of the I/O circuitry, with [Ken Shirriff] recently taking an in-depth look at this circuity in Intel’s 386 CPU.

The 386 die, zooming in on some of the bond pad circuits. (Credit: Ken Shirriff)
The 386 die, zooming in on some of the bond pad circuits. (Credit: Ken Shirriff)

The 386 has a total of 141 of these I/O pads, each connected to a pin on the packaging with a delicate golden bond wire. ESD is on the top of the list of potential risks, as a surge of high voltage can literally blow a hole in the circuitry. The protective circuit for this can be seen in the above die shot, with its clamping diodes, current-limiting resistor and a third diode.

Latch-up is the second major issue, caused by the inadvertent creation of parasitic structures underneath the P- and NMOS transistors. These parasitic transistors are normally inactive, but if activated they can cause latch-up which best case causes a momentary failure, but worst case melts a part of the chip due to high currents.

To prevent I/O pads from triggering latch-up, the 386 implements ‘guard rings’ that should block unwanted current flow. Finally there is metastability, which as the name suggests isn’t necessarily harmful, but can seriously mess with the operation of the chip which expects clean binary signals. On the 386 two flip-flops per I/O pad are used to mostly resolve this.

Although the 386’s 1985-era circuitry was very chonky by today’s standards, it was still no match for these external influences, making it clear just how important these protective measures are for today’s ASICs with much smaller feature sizes.

Playing DOOM On The Anker Prime Charging Station

August 21, 2025 by 13 Comments

At this point the question is no longer whether a new device runs DOOM, but rather how well. In the case of Anker’s Prime Charging Station it turns out that it’s actually not too terrible at controlling the game, as [Aaron Christophel] demonstrates. Unlike the similar Anker power bank product with BLE and a big display that we previously covered, this device has quite the capable hardware inside.

Playing a quick game of Doom while waiting for charging to finish. (Credit: Aaron Christophel, YouTube)
Playing a quick game of DOOM while waiting for charging to finish. (Credit: Aaron Christophel, YouTube)

According to [Aaron], inside this charging station you’ll not only find an ESP32-C3 for Bluetooth Low Energy (BLE) duty, but also a 150 MHz Synwit SWM341RET7 (Chinese datasheet) ARM-based MCU along with 16 MB of external flash and 8 MB of external RAM. Both of these are directly mapped into the MCU’s memory space. The front display has a 200×480 pixel resolution.

This Synwit MCU is a bit of a curiosity, as it uses ARM China’s Star-MC1 architecture for which most of the information is in Chinese, though it’s clear that it implements the ARMv8-M profile. It can also be programmed the typical way, which is what [Aaron] did to get DOOM on it, with the clicky encoder on the side of the charging station being the sole control input.

As can be seen in the video it makes for a somewhat awkward playing experience, but far more usable than one might expect, even if running full-screen proved to be a bit too much for the hardware.

Continue reading “Playing DOOM On The Anker Prime Charging Station”

Hacking The Bluetooth-Enabled Anker Prime Power Bank

August 14, 2025 by 35 Comments

Selling power banks these days isn’t easy, as you can only stretch the reasonable limits of capacity and output wattage so far. Fortunately there is now a new game in town, with ‘smart’ power banks, like the Anker one that [Aaron Christophel] recently purchased for reverse-engineering. It features Bluetooth (BLE), a ‘smart app’ and a rather fancy screen on the front with quite a bit of information. This also means that there’s a lot to hack here beyond basic battery management system (BMS) features.

As detailed on the GitHub project page, after you get past the glue-and-plastic-clip top, you will find inside a PCB with a GD32F303 MCU, a Telink TLSR8253 BLE IC and the 240×240 ST7789 LCD in addition to a few other ICs to handle BMS functions, RTC and such. Before firmware version 1.6.2 you can simply overwrite the firmware, but Anker added a signature check to later firmware updates.

The BLE feature is used to communicate with the Anker app, which the official product page advertises as being good for real-time stats, smart charging and finding the power bank by making a loud noise. [Aaron] already reverse-engineered the protocol and offers his own alternative on the project page. Naturally updating the firmware is usually also done via BLE.

Although the BLE and mobile app feature is decidedly a gimmick, hacking it could allow for some interesting UPS-like and other features. We just hope that battery safety features aren’t defined solely in software, lest these power banks can be compromised with a nefarious or improper firmware update.

Continue reading “Hacking The Bluetooth-Enabled Anker Prime Power Bank”

Exploring The TRS-80’s Color BASIC’s Random Number Function

August 8, 2025 by 6 Comments

Although these days we get to tap into many sources of entropy to give a pretty good illusion of randomness, home computers back in the 1980s weren’t so lucky. Despite this, their random number generators were good enough for games and such, as demonstrated by the [CoCo Town] YouTube channel.

The CoCo is the nickname for the TRS-80 Color Computer, which despite its name, shares absolutely nothing with the TRS-80. Its BASIC version is called Color BASIC, which like many others was based on Microsoft BASIC, so the video’s description should be valid for many other BASIC versions as well. In the video we’re first taken through a basic summary of what the floating point format is all about, before running through an example of the algorithm used by Color BASIC for its RND function, using a test program written in Color BASIC.

As described in the video, the used algorithm appears to be the linear congruential generator, which is a pseudo-random generator that requires minimal resources from the hardware it runs on. Of course, its main disadvantage is that it will fairly rapidly begin to repeat itself, especially with a limited number of output bits. This makes it a decent choice even today for something like simple game logic where you just want to get some variation without aiming for cryptographically secure levels of randomness.

Continue reading “Exploring The TRS-80’s Color BASIC’s Random Number Function”

The Scourge Of Fake Retro Unijunction Transistors

August 4, 2025 by 19 Comments

We all know that it’s easy to get caught out by fake electronic components these days, with everything from microcontrollers to specialized ASICs being fair game. More recently, retro components that were considered obsolete decades ago are now becoming increasingly popular, with the unijunction transistor (UJT) a surprising example of this. The [En Clave de Retro] YouTube channel released a video (Spanish, with English dub) documenting fake UJTs bought off AliExpress.

These AliExpress UJTs were discovered after comments to an earlier video on real UJTs said that these obsolete transistors are still being manufactured and can be bought everywhere, meaning mostly on AliExpress and Amazon. Of course, this had to be investigated, as why would anyone still manufacture UJTs today, and did some Chinese semiconductor factory really spin up a new production line for them?

Perhaps unsurprisingly, some tests later and after a quick decapping of the metal can, the inside revealed a bipolar transistor (BJT) die (see top image on the left). Specifically, a PNP BJT transistor die, packaged up inside a vintage-style metal can with fake markings claiming it is a 2N2646 UJT.

The video suggests that scams like these might be because people want to get vintage parts for cheap, and that’s created a new market for people who would rather get scammed than deal with the sticker shock of paying for genuine new-old-stock or salvaged components. For example, while programmable unijunction transistors (PUTs) like the 2N6028 are still being manufactured, they cost a few dollars a pop in low quantities. UJTs used to be common in timer circuits, but now we have the 555.

Continue reading “The Scourge Of Fake Retro Unijunction Transistors”

TDA7000 die shot, with labels. Credit: Ken Shirriff

Reverse-Engineering The TDA7000 FM Radio Receiver IC

August 3, 2025 by 5 Comments
A wristwatch featuring the TDA7000 FM radio receiver IC. (Credit: Philips Technical Review)
A wristwatch featuring the TDA7000 FM radio receiver IC. (Credit: Philips Technical Review)

During the 1980s a lot of consumer devices suddenly got a lot smaller as large-scale integration using semiconductor technology took off. This included radios, with Philips’ TDA7000 FM radio receiver IC being the first to cram most of what you’d need for an FM radio receiver into a single chip. Recently, [Ken Shirriff] had a poke at analyzing a die shot of the TDA7000, reverse-engineering its functional blocks. How did the Philips engineers manage to miniaturize an FM radio? [Ken] will show you.

Continue reading “Reverse-Engineering The TDA7000 FM Radio Receiver IC”

Exploring VersaLOGIC Pre-LSI Logic Cards With The Data/620

August 2, 2025 by 3 Comments

Before the era of large-scale integration (LSI) semiconductor circuits, discrete logic circuits using the common diode-transistor logic (DTL) were still necessary and available in a format that was modular and reusable. [David Lovett] over at the Usagi Electric farm has two great examples that date back to the 1950s and 1960s, showing the jump in technology over the course of a mere decade.

The newer Varian Data Machines 620 from 1966 uses germanium diodes and transistors, while the 1956 Bendix G-15 uses germanium diodes with vacuum tubes, the latter effectively fulfilling the same purpose as the transistors. The main difference between the modules is the density, with a decade of technological improvements allowing for more than double the logic on similarly sized cards and a similarly impressive reduction in power usage.

Currently, [David] is working on reverse-engineering these so-called VersaLogic modules to be able to troubleshoot the Data/620 machine in his possession. The results of these efforts are being published on GitHub. Although you can think of these modules as more or less big versions of the 7400-logic ICs — which began to replace them in the Data/620I from 1967 — some of the circuits on the cards get pretty complex.

Continue reading “Exploring VersaLOGIC Pre-LSI Logic Cards With The Data/620”