Remoticon 2021 // Jeroen Domburg [Sprite_tm] Hacks The Buddah Flower

Nobody likes opening up a hacking target and finding a black epoxy blob inside, but all hope is not lost. At least not if you’ve got the dedication and skills of [Jeroen Domburg] alias [Sprite_tm].

It all started when [Big Clive] ordered a chintzy Chinese musical meditation flower and found a black blob. But tantalizingly, the shiny plastic mess also included a 2 MB flash EEPROM. The questions then is: can one replace the contents with your own music? Spoiler: yes, you can! [Sprite_tm] and a team of Buddha Chip Hackers distributed across the globe got to work. (Slides here.)

[Jeroen] started off with binwalk and gets, well, not much. The data that [Big Clive] dumped had high enough entropy that it looks either random or encrypted, with the exception of a couple tiny sections. Taking a look at the data, there was some structure, though. [Jeroen] smelled shitty encryption. Now in principle, there are millions of bad encryption methods out there for every good one. But in practice, naive cryptographers tend to gravitate to a handful of bad patterns.

Bad pattern number one is XOR. Used correctly, XORing can be a force for good, but if you XOR your key with zeros, naturally, you get the key back as your ciphertext. And this data had a lot of zeros in it. That means that there were many long strings that started out the same, but they seemed to go on forever, as if they were pseudo-random. Bad crypto pattern number two is using a linear-feedback shift register for your pseudo-random numbers, because the parameter space is small enough that [Sprite_tm] could just brute-force it. At the end, he points out their third mistake — making the encryption so fun to hack on that it kept him motivated!

Decrypted, the EEPROM data was a filesystem. And the machine language turned out to be for an 8051, but there was still the issue of the code resident on the microcontroller’s ROM. So [Sprite_tm] bought one of these flowers, and started probing around the black blob itself. He wrote a dumper program that output the internal ROM’s contents over SPI. Ghidra did some good disassembling, and that let him figure out how the memory was laid out, and how the flow worked. He also discovered a “secret” ROM area in the chip’s flash, which he got by trying some random functions and looking for side effects. The first hit turned out to be a memcpy. Sweet.

[Neil555]’s Rosetta Stone
Meanwhile, the Internet was still working on this device, and [Neil555] bought a flower too. But this one had a chip, rather than a blob, and IDing this part lead them to an SDK, and that has an audio suite that uses a derivative of WMA audio encoding. And that was enough to get music loaded into the flower. (Cue a short rick-rolling.) Victory!

Well, victory if all you wanted to do was hack your music onto the chip. As a last final fillip, [Sprite_tm] mashed the reverse-engineered schematic of the Buddha Flower together with [Thomas Flummer]’s very nice DIY Remoticon badge, and uploaded our very own intro theme music into the device on a badge. Bonus points? He added LEDs that blinked out the LSFR that were responsible for the “encryption”. Sick burn!

Editor’s Note: This is the last of the Remoticon 2 videos we’ve got. Thanks to all who gave presentations, to all who attended and participated in the lively Discord back channel, and to all you out there who keep the hacking flame alive. We couldn’t do it without you, and we look forward to a return to “normal” Supercon sometime soon.

Remoticon 2021 // Rob Weinstein Builds An HP-35 From The Patent Up

Fifty years ago, Hewlett-Packard introduced the first handheld scientific calculator, the HP-35. It was quite the engineering feat, since equivalent machines of the day were bulky desktop affairs, if not rack-mounted. [Rob Weinstein] has long been a fan of HP calculators, and used an HP-41C for many years until it wore out. Since then he gradually developed a curiosity about these old calculators and what made them tick. The more he read, the more engrossed he became. [Rob] eventually decided to embark on a three year long reverse-engineer journey that culminated a recreation of the original design on a protoboard that operates exactly like the original from 1972 (although not quite pocket-sized). In this presentation he walks us through the history of the calculator design and his efforts in understanding and eventually replicating it using modern FPGAs.

The HP patent ( US Patent 4,001,569 ) contains an extremely detailed explanation of the calculator in nearly every aspect. There are many novel concepts in the design, and [Rob] delves into two of them in his presentation. Early LED devices were a drain on batteries, and HP engineers came up with a clever solution. In a complex orchestra of multiplexed switches, they steered current through inductors and LED segments, storing energy temporarily and eliminating the need for inefficient dropping resistors. But even more complicated is the serial processor architecture of the calculator. The first microprocessors were not available when HP started this design, so the entire processor was done at the gate level. Everything operates on 56-bit registers which are constantly circulating around in circular shift registers. [Rob] has really done his homework here, carefully studying each section of the design in great depth, drawing upon old documents and books when available, and making his own material when not. For example, in the course of figuring everything out, [Rob] prepared 338 pages of timing charts in addition to those in the patent. Continue reading “Remoticon 2021 // Rob Weinstein Builds An HP-35 From The Patent Up”

Remoticon 2021 // Arsenijs Tears Apart Your Laptop

Hackaday’s own [Arsenijs Picugins] has been rather busy hacking old laptops apart and learning what can and cannot be easily reused, and presents for the 2021 Hackaday Remoticon, a heavily meme-loaded presentation with some very practical advice.

Full HD, IPS LCD display with touch support, reused with the help of a dedicated driver board

What parts inside a dead laptop are worth keeping? Aside from removable items like RAM stick and hard drives, the most obvious first target is the LCD panel. These are surprisingly easy to use, with driver boards available on the usual marketplaces, so long as you make sure to check the exact model number of your panel is supported.

Many components inside laptops are actually USB devices, things like touch screen controllers, webcams and the like are usually separate modules, which simply take power and USB. This makes sense, since laptops already have a fair amount of external USB connectivity, why not use it internally too? Other items are a bit trickier: trackpads seem to be either PS/2 or I2C and need a bit more hardware support. Digital microphones mostly talk I2S, which means some microcontroller coding.

Some items need a little more care, however, so maybe avoid older Dell batteries, with their ‘spicy pillow’ tendencies. As [Arsenijs] says, take them when they are ripe for the picking, but not too ripe. Batteries need a little care and feeding, make sure you’ve got some cell protection, if you pull raw cells! Charging electronics are always on the motherboard, so that’s something you’ll need to arrange yourself if you take a battery module, but it isn’t difficult, so long as you can find your way around SMBus protocol.

These batteries are too ripe. Leave them alone.

Older laptops were much more modular and some even designed for upgrade or modification, and this miniaturization-driven trend of shrinking everything — where a laptop now needs to be thin enough to shave with — is causing some manufacturers to move in a much more proprietary direction regarding hardware design.

This progression conflicts with our concerns of privacy, repairability and waste elimination, resulting in closed boxes filled with unrepairable, non-reusable black boxes. We think it’s time to take back some of the hardware, so three cheers to those taking upon themselves the task to reverse engineer and publish reusability information, and long may it be possible to continue.

Continue reading “Remoticon 2021 // Arsenijs Tears Apart Your Laptop”

Remoticon 2021 // Vaibhav Chhabra And The M19 Collective Make One Million Faceshields

[Vaibhav Chhabra], the co-founder of Maker’s Asylum hackerspace in Mumbai, India, starts his Remoticon talk by telling a short story about how the hackerspace rose to its current status. Born out of frustration with a collapsed office ceiling, having gone through eight years of moving and reorganizations, it accumulated a loyal participant base – not unusual with hackerspaces that are managed well. This setting provided a perfect breeding ground for the M19 effort when COVID-19 reached India, mixing “what can we do” and “what should we do” inquiries into a perfect storm and starting the 49 day work session that swiftly outgrew the hackerspace, both physically and organizationally.

When the very first two weeks of the Infinite Two Week Quarantine Of 2020 were announced in India, a group of people decided to wait it out at the hackerspace instead of confining themselves to their homes. As various aspects of our society started crashing after the direct impact of COVID-19, news came through – that of a personal protective equipment shortage, especially important for frontline workers. Countries generally were not prepared when it came to PPE, and India was no different. Thus, folks in Maker’s Asylum stepped up, finding themselves in a perfect position to manufacture protective equipment when nobody else was prepared to help.

Continue reading “Remoticon 2021 // Vaibhav Chhabra And The M19 Collective Make One Million Faceshields”

Remoticon 2021 // Jay Bowles Dips Into The Plasmaverse

Every hacker out there is familiar with the zaps and sizzles of the Tesla coil, or the crash and thunder of lighting strikes on our hallowed Earth. These phenomena all involve the physics of plasma, a subject near and dear to Jay Bowles’s heart. Thus, he graced Remoticon 2021 with a enlightening talk taking us on a Dip Into the Plasmaverse.

Jay’s passion for the topic is obvious, having fallen in love with high voltage physics as a teenager. He appreciated how tangible the science was, whether it’s the glow of neon lighting or the heating magic of the common microwave. His talk covers the experiments and science that he’s studied over the past 17 years and in the course of running his Plasma Channel YouTube channel. Continue reading “Remoticon 2021 // Jay Bowles Dips Into The Plasmaverse”

Remoticon 2021 // Joey Castillo Teaches Old LCDs New Tricks

Segmented liquid crystal displays are considered quite an old and archaic display technology these days. They’re perhaps most familiar to us from their use in calculators and watches, where they still find regular application. [Joey Castillo] decided that he could get more out of these displays with a little tinkering, and rocked up to Remoticon 2021 to share his findings.

[Joey’s] talk is a great way to learn the skills needed to reverse engineer a typical segment LCD.
[Joey] got his start hacking on these displays via his Sensor Watch project –  a board swap for the venerable Casio F-91W wristwatch, with the project now available on CrowdSupply. It kits out the 33-year-old watch design with a modern, low-power ARM Cortex M0+ microcontroller running at 32 MHz that completely revolutionizes what the watch can do. Most importantly, however, it repurposes the watches original segmented monochrome LCD.

Segment LCDs are usually small monochrome devices made out of glass, that have the benefit of using very little power in their operation. They come with a fixed layout, which cannot be changed – so they’re often designed specifically for a given purpose. A calculator will have segments laid out to display numbers, often in the usual 7-segment fashion, while a watch may add dedicated segments for displaying things like “AM,” “PM,” or “ALARM.” Continue reading “Remoticon 2021 // Joey Castillo Teaches Old LCDs New Tricks”

Remoticon 2021 // Matt Venn Helps You Make ASICS

What would you make if you were given about ten square millimeters of space on a silicon wafer on a 130 nm process? That’s the exact question that the Open MPW program asks, and that [Matt Venn] has stepped up to answer. [Matt] came to Remoticon in 2020 to talk about his journey from nothing to his own ASIC, and he came back in 2021 to talk about what has happened in a year.

image of the metal layers of an IC
[maxiborga] has been making beautiful renders of his and others’ chip designs
We expected great designs, but the variety of exciting and wonderful designs that have been submitted we think exceeded our expectations. [Matt] goes through quite a few of them, such as an analog neuron, a RISC-V Arduino-compatible microprocessor, and a satellite transceiver. Perhaps an unexpected side effect has been the artwork. Since the designs are not under an NDA, anyone can take the design and transform it into something gorgeous.

Of course, all of this hardware design isn’t possible without an open toolchain. There is an SRAM generator known as OpenRAM that can generate RAM blocks for your design. Coriolis2 is an RTL to GDS tool that can do placement and routing in VLSI. Finally, FlexCell is a cell library that tries to provide standard functions in a flexible, customizable way that cuts down on the complexity of the layout. There are GitHub actions that can run tests and simulations on PRs to keep the chip’s HDL in a good state.

However, it’s not all roses, and there was an error on the first run (MPW1). Hold time violations were not detected, and the clock tree wasn’t correct. This means that the GPIO cannot be set up, so the designs in the middle could be working, but without the GPIO, it is tricky to determine. With a regular chip, that would be the end, but since [Matt] has access to both the layout and the design, he can identify the problem and come up with a plan. He’s planning on overriding the IO setup shift register with an auxiliary microcontroller. (Ed Note: [tnt] has been making some serious progress lately, summarized in this video.)

It is incredible to see what has come from the project so far, and we’re looking forward to future runs. If this convinces you that you need to get your own ASIC made, you should check out [Matt]’s “Zero to ASIC” course.

Continue reading “Remoticon 2021 // Matt Venn Helps You Make ASICS”