An NRF24L01 module soldered onto a 6502 single-board computer

Wireless Bootloader Saves You From Swapping ROM Chips

Flashing your code into an Arduino, an ESP32 or any other modern microcontroller platform is pretty straightforward: connect the device through USB, fire up the appropriate software platform, and press “program”. But those who followed embedded programming classes in the ’80s and ’90s will remember a more complicated procedure that consists of swapping EPROM chips between a programmer, a target board and a UV eraser. Veterans of that era might even remember how you could overwrite a previous program with NOPs and place new code behind it, to save yourself a trip to the “blank chips” bin.

If you’re a retrocomputer enthusiast and would like to have the easy programming of modern tools, but the authenticity of a self-contained ROM-loading computer, you might want to check out [Anders Nielsen]’s latest design of a wireless boot loader for a 6502 single board computer. The target platform for this project is a beautiful custom-made 6502-based retrocomputer that [Anders] documented in detail on his Hackaday.io page.

The basic idea here is to have a wireless receiver on the target system that receives data from a transmitter connected to a modern PC. When you click “program”, the object code is sent to the 6502 machine, stored in RAM and executed. The wireless link is implemented with a pair of nRF24L01 2.4 GHz modules that communicate through SPI. Since [Anders]’s Mac Mini doesn’t come with GPIO ports, he hooked up the transmitter to a Raspberry Pi, which he controlled over a network link.

On the 6502 side he wrote a bootloader in assembly language, which bit-bangs the SPI protocol to communicate with the wireless module. A simple user interface is included to allow the user to control the loading and running of programs. All code and hardware documentation is available on GitHub for use by anyone with a similar 6502 system.

Those nRF24L01s are versatile little things: we’ve seen them being used to transfer anything from MIDI data to TCP/IP links, as well as code for other microcontroller platforms.

Continue reading “Wireless Bootloader Saves You From Swapping ROM Chips”

ESP32: Is Two Better Than One?

We’ve looked at the WROOM-DA module before. It’s an ESP32 with two antennas, and [Andreas Spiess] says it is the ugliest ESP32 he’s ever seen. But beauty is only skin deep, after all. Did [Andreas] find beauty in the twin antennas? Watch the video below and see for yourself.

According to the block diagram, the twin antennas are not used simultaneously but offer diversity, one at a time. There is also 8 MB of flash, double the amount on traditional WROOM modules. Mounting the device was a bit difficult since most ESP32 carrier boards will block some portion of the antenna array.

Continue reading “ESP32: Is Two Better Than One?”

You Break It, We Fix It

Apple’s AirTags have caused a stir, but for all the wrong reasons. First, they turn all iPhones into Bluetooth LE beacon repeaters, without the owner’s permission. The phones listen for the AirTags, encrypt their location, and send the data on to the iCloud, where the tag’s owner can decrypt the location and track it down. Bad people have figured out that this lets them track their targets without their knowledge, turning all iPhone users into potential accomplices to stalkings, or worse.

Naturally, Apple has tried to respond by implementing some privacy-protecting features. But they’re imperfect to the point of being almost useless. For instance, AirTags now beep once they’ve been out of range of their owner’s phone for a while, which would surely alert the target that they’re being tracked, right? Well, unless the evil-doer took the speaker out, or bought one with the speaker already removed — and there’s a surprising market for these online.

If you want to know that you’re being traced, Apple “innovated with the first-ever proactive system to alert you of unwanted tracking”, which almost helped patch up the problem they created, but it only runs on Apple phones. It’s not clear what they meant by “first-ever” because hackers and researchers from the SeeMoo group at the Technical University of Darmstadt beat them to it by at least four months with the open-source AirGuard project that runs on the other 75% of phones out there.

Along the way, the SeeMoo group also reverse engineered the AirTag system, allowing anything that can send BLE beacons to play along. This opened the door for [Fabian Bräunlein]’s ID-hopping “Find You” attack that breaks all of the tracker-detectors by using an ESP32 instead of an AirTag. His basic point is that most of the privacy guarantees that Apple is trying to make on the “Find My” system rely on criminals using unmodified AirTags, and that’s not very likely.

To be fair, Apple can’t win here. They want to build a tracking network where only the good people do the tracking. But the device can’t tell if you’re looking for your misplaced keys or stalking a swimsuit model. It can’t tell if you’re silencing it because you don’t want it beeping around your dog’s neck while you’re away at work, or because you’ve planted it on a luxury car that you’d like to lift when its owners are away. There’s no technological solution for that fundamental problem.

But hackers are patching up the holes they can, and making the other holes visible, so that we can at least have a reasonable discussion about the tech’s tradeoffs. Apple seems content to have naively opened up a Pandora’s box of privacy violation. Somehow it’s up to us to figure out a way to close it.

An Off-Grid Makeshift Cell Network

When traveling into the wilderness with a group of people, it’s good to have a method of communications set up both for safety and practicality. In the past people often relied on radios like FRS, CB, or ham bands if they had licenses, but nowadays almost everyone has a built-in communications device in their pocket that’s ready to use. Rather than have all of his friends grab a CB to put in their vehicle for their adventures together, [Keegan] built an off-grid network which allows any Android phone to communicate with text even if a cell network isn’t available.

The communications system is built on the LoRa standard, using an SX1278 chip and an ESP8266, for increased range over other methods like WiFi. The hardware claims a 10 km radius using this method, which is more than enough for [Keegan]’s needs. Actually connecting to the network is only half of the solution though; the devices still need a method of communication. For that, a custom Android app was created which allows up to 8 devices to connect to the network and exchange text messages with each other, similar to a group text message.

For off-grid adventures this is an elegant solution to a communications problem. It uses mostly existing hardware, since everyone carries their own phone already, plus the LoRa standard means that even the ESP8266 base station and transmitter draw only a tiny bit of what is likely battery power. If you’re new to this wireless communications method, we recently featured a LoRa tutorial as well.

An RF remote control with a LoRa receiver next to it

Reverse Engineering A 900 MHz RC Transmitter And Receiver

For those building their own remote controlled devices like RC boats and quadcopter drones, having a good transmitter-receiver setup is a significant factor in the eventual usability of their build. Many transmitters are available in the 2.4 GHz band, but some operate at different frequencies, like the 868/915 MHz band. The TBS Crossfire is one such transmitter, and it’s become a popular model thanks to its long-range performance.

The channel hopping sequence of a TBS Crossfire transmitter

When [g3gg0] bought a Crossfire set for his drone, he discovered that the receiver module consisted of not much more than a PIC32 microcontroller and an SX1272 LoRa modem. This led him to ponder if the RF protocol would be easy to decode. As it turns out, it was not trivial, but not impossible either. First, he built his own SPI sniffer using a CYC1000 FPGA board to reveal the exact register settings that the PIC32 sent to the SX1272. The Crossfire uses channel hopping, and by simply looking at the register settings it was easy to figure out the hopping sequence.

Once that was out of the way, the next step was to figure out what data was flowing through those channels. The data packets appeared to be built up in a straightforward way, but they included an unknown CRC checksum. Luckily, brute-forcing it was not hard; the checksum is most likely used to keep receivers from picking up signals that come from a different transmitter than their own.

[g3gg0]’s blog post goes into intricate detail on both the Crossfire’s protocol as well as the reverse engineering process needed to obtain this information. The eventual conclusion is that while the protocol is efficient and robust, it provides no security against eavesdropping or deliberate interference. Of course, that’s perfectly fine for most RC applications, as long as the user is aware of this fact.

If you’re into decoding RF protocols, you might also want to try using a logic analyzer. But if you merely want to replicate an existing transmitter’s signals, it might be easier to simply spoof a few button presses.

Continue reading “Reverse Engineering A 900 MHz RC Transmitter And Receiver”

Palm portable keyboard gone Bluetooth

Palm Portable Keyboard Goes Wireless

Long ago when digital portables were in their infancy, people were already loath to type on tiny keyboards, stylus or not. So Palm made a sweet little portable keyboard that would fold up and fit in your cargo pocket. And what do we have now for luxury typing on the go? Rubber roll-up jelly keebs? That’s a hard no from this scribe.

But why mess with the success of the Palm Portable Keyboard? It just needs to be updated for our times, and that’s exactly what [Xinming Chen] did with their PPK Bluetooth adapter.

Inspired by the work of [cy384] to make a USB adapter as well as [Christian]’s efforts with the ESP32, [Xinming Chen] points out that this version is more power efficient, easier to program, and has a built-in Li-Po charging circuit. It also uses the hardware serial port instead of the software serial, which saves brainpower.

There’s really not much to this build, which relies on the Adafruit Feather nRF52840 and will readily work with Palm III and Palm V keyboards. Since the PPK is RS-232 and needs to be TTL, this circuit also needs a voltage level inverter, which can be made with a small handful of components. We love that there’s a tiny hidden switch that engages the battery when the adapter clicks onto the connector.

The schematic, code, and STL files are all there in the repository, so go pick up one of these foldy keebs for cheap on the electronic bay while they’re still around. Watch the demo video unfold after the break.

Want an all-in-one solution for typing on the go? Check out the history of tiny computers.

Continue reading “Palm Portable Keyboard Goes Wireless”

Remote control PCB next to its shell, with a breadboarded analog switch connected to the remote's onboard microcontroller, soldered to the pins responsible for button reading

Reusing Proprietary Wireless Sockets Without Wireless Hacking

Bending various proprietary devices to our will is a hacker’s rite of passage. When it comes to proprietary wall sockets, we’d often reverse-engineer and emulate their protocol – but you can absolutely take a shortcut and, like [oaox], spoof the button presses on the original remote! Buttons on such remotes tend to be multiplexed and read as a key matrix (provided there are more than four of them), so you can’t just pull one of the pads to ground and expect not to confuse the microcontroller inside the remote. While reading a key matrix, the controller will typically drive rows one by one and read the column states, so a row or column driven externally will result in the code perceiving an entire group of keys as “pressed” – however, a digitally-driven “switch” doesn’t have this issue!

One way to achieve this would be to use a transistor, but [oaox] played it safe and went for a 4066 analog switch, which has a higher chance of working with any remote no matter the button configuration, for instance, even when the buttons are wired as part of a resistor network. As a bonus, the remote will still work, and you will still be able to use its buttons for the original purpose – as long as you keep your wiring job neat! Compared to reverse-engineering the protocol and using a wireless transmitter, this also has the benefit of consistently working with even non-realtime devices like a Raspberry Pi, and other devices that run an OS and aren’t able to guarantee consistent timing when driving a cheap GPIO-operated RF transmitter.
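To make the key-matrix argument above concrete, here is a small electrical model of a row-scanned matrix (added example, not code from [oaox]’s project; the 4x4 size, active-low row drive and column pull-ups are assumptions about a typical remote). It shows that tying a column pad to ground registers the whole column, while a switch bridging exactly one key’s pads registers only that key; it also goes a step beyond the post by reproducing the classic three-key “ghost” press, which is why the 4066 should only ever bridge one pair of pads.

```python
"""Model of a remote's key-matrix scan (hypothetical 4x4, assumed wiring).

Rows are driven low one at a time; columns idle high through pull-ups.
A column reads low when any conductive path joins it to a low node.
"""
from collections import deque

ROWS, COLS = 4, 4  # assumed matrix size


def scan_matrix(closed_keys, grounded=frozenset()):
    """Return the set of (row, col) keys the firmware would report as pressed.

    closed_keys: (row, col) contacts that conduct, i.e. a real key press or
                 an analog switch (e.g. 4066) wired across that key's two pads.
    grounded:    nodes ('r', i) or ('c', j) tied hard to ground externally,
                 the "just pull a pad to ground" shortcut the post warns about.
    """
    # closed contacts conduct both ways, so build an undirected adjacency map
    adj = {}
    for r, c in closed_keys:
        adj.setdefault(("r", r), set()).add(("c", c))
        adj.setdefault(("c", c), set()).add(("r", r))

    pressed = set()
    for row in range(ROWS):
        # low nodes this scan step: the driven row plus anything tied to ground;
        # undriven rows are high-Z, so they simply follow whatever they touch
        low = set(grounded) | {("r", row)}
        queue = deque(low)
        while queue:  # flood through closed contacts to find every low column
            node = queue.popleft()
            for nxt in adj.get(node, ()):
                if nxt not in low:
                    low.add(nxt)
                    queue.append(nxt)
        for col in range(COLS):
            if ("c", col) in low:
                pressed.add((row, col))
    return pressed
```

Bridging one key with the switch yields `{(1, 2)}`, grounding column 2 yields all four keys in that column, and closing (0,0), (0,1) and (1,0) together also reports the phantom key (1,1).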

In the past, we’ve seen people trying to tackle this exact issue, resorting to RF protocol hacking in the end. We’ve talked about analog multiplexers and switches in the past, if you’d like to figure out more ways to apply them to solve your hacking problems! Taking projects like these as your starting point, it’s not too far until you’re able to replace the drifty joysticks on your Nintendo Switch with touchpads!