Bypassing Airpods Hearing Aid Georestriction With A Faraday Cage

November 15, 2024 by Maya Posch 54 Comments

When Apple recently announced the hearing aid feature on their new AirPods Pro 2, it got the attention of quite a few people. Among these were [Rithwik Jayasimha] and friends, with [Rithwik] getting a pair together with his dad for use by his hard-of-hearing grandmother. That’s when he found out that this feature is effectively limited to the US and a small number of other countries due them being ‘regulated health features’, per Apple. With India not being on the approved countries list and with no interest in official approval legalities, [Rithwik] set to work to devise a way to bypass this restriction.

As noted in the blog post, the primary reason for using AirPods here instead of official hearing aids is due to the cost of the latter, which makes them a steal for anyone who is dealing with mild to moderate hearing loss. Following the official Hearing Aid feature setup instructions requires that your location is detected as being in an approved country. If it is, the Health App (on iOS 18.1) will popup a ‘Get Started’ screen. The challenge was thus to make the iOS device believe that it was actually in the FDA-blessed US and not India.

Merely spoofing the location and locale didn’t work, so the next step was to put the iOS device into a Faraday cage along with an ESP32 that broadcast California-based WiFi SSIDs. Once the thus treated iPad rebooted into the US, it could be used to enable the hearing aid feature. Next [Rithwik] and friends created a more streamlined setup and procedure to make it possible for others to replicate this feat.

As also noted in the blog post, the Hearing Aid feature is essentially a specially tuned Transparency mode preset, which is why using AirPods for this feature has been a thing for a while, but with this preset it’s much better tuned for cases of hearing loss.

Bluetooth Dongle Gives Up Its Secrets With Quick Snooping Hack

November 14, 2024 by Dan Maloney 5 Comments

There’s a lot going on in our wireless world, and the number of packets whizzing back and forth between our devices is staggering. All this information can be a rich vein to mine for IoT hackers, but how do you zero in on the information that matters? That depends, of course, but if your application involves Bluetooth, you might be able to snoop in on the conversation relatively easily.

By way of explanation, we turn to [Mark Hughes] and his Boondock Echo, a device we’ve featured in these pages before. [Mark] needed to know how long the Echo would operate when powered by a battery bank, as well as specifics about the power draw over time. He had one of those Fnirsi USB power meter dongles, the kind that talks to a smartphone app over Bluetooth. To tap into the conversation, he enabled Host Control Interface logging on his phone and let the dongle and the app talk for a bit. The captured log file was then filtered through WireShark, leaving behind a list of all the Bluetooth packets to and from the dongle’s address.

That’s when the fun began. Using a little wetware pattern recognition, [Mark] was able to figure out the basic structure of each frame. Knowing the voltage range of USB power delivery helped him find the bytes representing voltage and current, which allowed him to throw together a Python program to talk to the dongle in real-time and get the critical numbers.

It’s not likely that all BLE-connected devices will be as amenable to reverse engineering as this dongle was, but this is still a great technique to keep in mind. We’ve got a couple of applications for this in mind already, in fact.

Continue reading “Bluetooth Dongle Gives Up Its Secrets With Quick Snooping Hack” →

Fail Of The Week: Subscription EV Charger Becomes Standalone, Briefly

November 1, 2024 by Dan Maloney 48 Comments

At this point in the tech dystopia cycle, it’s no surprise that the initial purchase price of a piece of technology is likely not the last payment you’ll make. Almost everything these days needs an ongoing subscription to do whatever you paid for it to do in the first place. It’s ridiculous, especially when all you want to do is charge your electric motorcycle with electricity you already pay for; why in the world would you need a subscription for that?

That was [Maarten]’s question when he picked up a used EVBox wall mount charger, which refused to charge his bike without signing up for a subscription. True, the subscription gave access to all kinds of gee-whiz features, none of which were necessary for the job of topping off the bike’s battery. A teardown revealed a well-built device with separate modules for mains supply and battery charging, plus a communications module with a cellular modem, obviously the bit that’s phoning home and keeping the charger from working without the subscription.

Continue reading “Fail Of The Week: Subscription EV Charger Becomes Standalone, Briefly” →

Supercon 2024 Flower SAO Badge Redrawing In KiCad

October 31, 2024 by Chris Lott 12 Comments

Out of curiosity, I redrew the Supercon Vectorscope badge schematics in KiCad last year. As you might suspect, going from PCB to schematic is opposite to the normal design flow of KiCad and most other PCB design tools. As a result, the schematics and PCB of the Vectorscope project were not really linked. I decided to try it again this year, but with the added goal of making a complete KiCad project. As usual, [Voja] provided a well drawn schematic diagram in PDF and CorelDRAW formats, and a PCB design using Altium’s Circuit Maker format (CSPcbDoc file). And for reference, this year I’m using KiCad v8 versus v7 last year.

Importing into KiCad

This went smoothly. KiCad imports Altium files, as I discovered last year. Converting the graphic lines to traces was easier than before, since the graphical lines are deleted in the conversion process. There was a file organizational quirk, however. I made a new, empty project and imported the Circuit Maker PCB file. It wasn’t obvious at first, but the importing action didn’t make use the new project I had just made. Instead, it created a completely new project in the directory holding the imported Circuit Maker file. This caused a lot of head scratching when I was editing the symbol and footprint library table files, and couldn’t figure out why my edits weren’t being seen by KiCad. I’m not sure what the logic of this is, was an easy fix once you know what’s going on. I simply copied everything from the imported project and pasted it in my new, empty project. Continue reading “Supercon 2024 Flower SAO Badge Redrawing In KiCad” →

Tearing Down Nintendo’s Alarmo Alarm Clock

October 30, 2024 by Maya Posch 6 Comments

All your Nintendo Alarmo are belong to mew~ (Credit: GaryOderNichts, Blogspot)

Most of us will probably have seen Nintendo’s latest gadget pop up recently. Rather than a Switch 2 announcement, we got greeted with a Nintendo-branded alarm clock. Featuring a 2.8″ color LCD and a range of sensors, it can detect and respond to a user, and even work as an alarm clock for the low, low price of €99. All of which takes the form of Nintendo-themed characters alongside some mini-games. Naturally this has led people like [Gary] to buy one to see just how hackable these alarm clocks are.

As can be expected from a ‘smart’ alarm clock it has 2.4 GHz WiFi connectivity for firmware and content download, as well as a 24 GHz millimeter wave presence sensor. Before [Gary] even had received his Alarmo, others had already torn into their unit, uncovering the main MCU (STM32H730ZBI6) alongside a 4 GB eMMC IC, as well as the MCU’s SWD pads on the PCB. This gave [Gary] a quick start with reverse-engineering, though of course the MCU was protected (readout protection, or RDP) against firmware dumps, but the main firmware could be dumped from the eMMC without issues.

After this [Gary] had a heap of fun decrypting the firmware, which seems to always get loaded into the external octal SPI RAM before execution, as per the boot sequence (see featured image). This boot sequence offers a few possibilities for inserting one’s own (properly signed) contents. As it turns out via the USB route arbitrary firmware binaries can be loaded, which provided a backdoor to defeat RDP. Unfortunately the MCU is further locked down with Secure Access Mode, which prevents dumping the firmware again.

So far firmware updates for the Alarmo have not nailed shut the USB backdoor, making further reverse-engineering quite easy for the time being. If you too wish to hack your Alarmo and maybe add some feline charm, you can check [Gary]’s GitHub project.

Have You Heard Of The Liquid Powder Display?

October 12, 2024 by Jenny List 10 Comments

Over the decades the technology behind flat panel displays has continuously evolved, and we’ve seen many of them come and go. Among the popular ones there are a few that never quite made the big time, usually because a contemporary competitor took their market. An example is in a recent [Wenting Zhang] video, a mystery liquid powder display. We’d never heard of it, so we were intrigued.

The first segment of the video is an examination of the device, and a comparison with similar-looking ones such as a conventional LCD, or a Sharp Memory LCD. It’s clearly neither of those, and the answer finally came after a lot of research. A paper described a “Quick response liquid powder” as a mechanism for a novel display, and thus it was identified. It works by moving black and white electrically charged powder to flip a pixel from black to white, and its operation is not dissimilar to the liquid-based e-ink displays which evidently won that particular commercial battle.

The process of identifying the driver chip and pinout should be an essential watch for anyone with an interest in display reverse engineering. After a lot of adjusting timing and threshold voltages the dead pixels and weird effects fall away, and then it’s possible to display a not-too-high-quality image on this unusual display, through a custom PCB with an RP2040. Take a look at the video below the break.

We’ve seen [Wenting Zhang]’s work here a few times before, most recently in a very impressive mirror-less camera project.

Continue reading “Have You Heard Of The Liquid Powder Display?” →

ROG Ally Community Rebuilds The Proprietary Asus EGPU

October 1, 2024 by Arya Voronova 15 Comments

As far as impressive hacks go, this one is more than enough for your daily quota. You might remember the ROG Ally, a Steam Deck-like x86 gaming console that’s graced our pages a couple of times. Now, this is a big one – from the ROG Ally community, we get a fully open-source eGPU adapter for the ROG Ally, built by reverse-engineering the proprietary and overpriced eGPU sold by Asus.

We’ve seen this journey unfold over a year’s time, and the result is glorious – two different PCBs, one of them an upgraded drop-in replacement board for the original eGPU, and another designed to fit a common eGPU form-factor adapter. The connector on the ROG Ally is semi-proprietary, but its cable could be obtained as a repair part. From there, it was a matter of scrupulous pinout reverse-engineering, logic analyzer protocol captures, ACPI and BIOS decompiling, multiple PCB revisions and months of work – what we got is a masterpiece of community effort.

Do you want to learn how the reverse-engineering process has unfolded? Check out the Diary.md – it’s certainly got something for you to learn, especially if you plan to walk a similar path; then, make sure to read up all the other resources on the GitHub, too! This achievement follows a trend from the ROG Ally community, with us having featured dual-screen mods and battery replacements before – if it continues the same way, who knows, maybe next time we will see a BGA replacement or laser fault injection.