Reverse Engineering Smart Meters, Now With More Fuming Nitric Acid

January 13, 2024 by Dan Maloney 14 Comments

If you’re lucky, reverse engineering can be a messy business. Sure, there’s something to be said for attacking and characterizing an unknown system and leaving no trace of having been there, but there’s something viscerally satisfying about destroying something to understand it. Especially when homemade fuming nitric acid is involved.

The recipient of such physical and chemical rough love in the video below is a residential electric smart meter, a topic that seems to be endlessly fascinating to [Hash]; this is far from the first time we’ve seen him take a deep dive into these devices. His efforts are usually a little less destructive, though, and his write-ups tend to concentrate more on snooping into the radio signals these meters are using to talk back to the utility company.

This time around, [Hash] has decided to share some of his methods for getting at these secrets, including decapping the ICs inside. His method for making fuming nitric acid from stump remover and battery acid is pretty interesting; although the laboratory glassware needed to condense the FNA approaches the cost of just buying the stuff outright, it’s always nice to have the knowledge and the tools to make your own. Just make sure to be careful about it — the fumes are incredibly toxic. Also detailed is a 3D-printable micropositioner, used for examining and photographing acid-decapped ICs under the microscope, which we’d bet would be handy for plenty of other microscopy jobs.

In addition to the decapping stuff, and a little gratuitous destruction with nitric acid, [Hash] takes a look at the comparative anatomy of smart meters. The tamper-proofing features are particularly interesting; who knew these meters have what amounts to the same thing as a pinball machine’s tilt switch onboard?

Continue reading “Reverse Engineering Smart Meters, Now With More Fuming Nitric Acid” →

Oddball LCDs Reverse Engineered Thanks To Good Detective Work

December 12, 2023 by Dan Maloney 5 Comments

Is there anything more discouraging to the reverse engineer than to see a black blob of epoxy applied directly to a PCB? We think not, because that formless shape provides no clue as to what chip lies beneath, and that means a lot of detective work if you’re going to figure out how to use this thing.

[Sudhir Chandra]’s detective story starts with a bunch of oddball LCDs, slim 1×32 character units rather than the more familiar 2×16 displays. Each bore the dreaded black COB blob on the back, as well as a handful of SMD components and not much else. Googling revealed no useful documentation, and the manufacturer wasn’t interested in fielding calls from a hobbyist. Reasoning that most manufacturers wouldn’t spin up a custom chip for every display, [Sudhir] assumed there was an ST7066, a common LCD driver chip, underneath the blob, especially given the arrangement of external components. But a jumper set was bodged together under this assumption didn’t get the display going.

Next up were more destructive methods, to decap the COB and see what kind of numbers might be on the chip. Sandpaper worked at first, but [Sudhir] eventually turned to the “Chips a la [Antoine]” method of decapping, which uses heat and brute force to get at the goods. This got down to the chip, but [Sudhir]’s microscope wasn’t up to the task of reading the die markings.

What eventually cracked the case was tracing out the voltages across the various external resistors and matching them up to other chips in the same family as the ST7066, plus the realization that the long, narrow epoxy blob probably covered a similarly shaped chip, which led to the culprit: an ST7070. This allowed [Sudhir] to build an adapter PCB for the displays, with plans for a custom Arduino library to talk to the displays.

This was a great piece of reverse engineering and a good detective story to boot. Hats off to [Sudhir] for sticking with it.

Hackaday Links: March 26, 2023

March 26, 2023 by Dan Maloney 3 Comments

Sad news in the tech world this week as Intel co-founder Gordon Moore passed away in Hawaii at the age of 94. Along with Robert Noyce in 1968, Moore founded NM Electronics, the company that would later go on to become Intel Corporation and give the world the first commercially available microprocessor, the 4004, in 1971. The four-bit microprocessor would be joined a few years later by the 8008 and 8080, chips that paved the way for the PC revolution to come. Surprisingly, Moore was not an electrical engineer but a chemist, earning his Ph.D. from the California Institute of Technology in 1954 before his postdoctoral research at the prestigious Applied Physics Lab at Johns Hopkins. He briefly worked alongside Nobel laureate and transistor co-inventor William Shockley before jumping ship with Noyce and others to found Fairchild Semiconductor, which is where he made the observation that integrated circuit component density doubled roughly every two years. This calculation would go on to be known as “Moore’s Law.”

Continue reading “Hackaday Links: March 26, 2023” →

Creating A Game Boy ROM From Pictures

March 23, 2023 by Bryan Cockfield 22 Comments

There are very few legal ways of obtaining ROM files for video games, and Nintendo’s lawyers are extremely keen on at least reminding you of the fact that you need to own the game cart before obtaining the ROM. With cart in hand, though, most will grab a cart reader to download the game files. While this is a tried-and-true method, for GameBoy games this extra piece of hardware isn’t strictly required. [Travis Goodspeed] is here to show us a method of obtaining ROM files from photographs of the game itself.

Bits can be manually edited to fix detection errors.

Of course, the chips inside the game cart will need to be decapped in order to obtain the pictures, and the pictures will need to be of high quality in order to grab the information. [Travis] is more than capable of this task in his home lab, but some work is still required after this step.

The individual bits in the Game Boy cartridges are created by metal vias on the chip, which are extremely small, but still visible under a microscope. He also has a CAD program that he developed to take this visual information and extract the data from it, which creates a ROM file that’s just as good as any obtained with a cart reader.

This might end up being slightly more work especially if you have to decap the chips and take the photographs yourself, but it’s nonetheless a clever way of obtaining ROM files due to this quirk of Game Boy technology. Encoding data into physical hardware like this is also an excellent way of ensuring that it doesn’t degrade over time. Here are some other methods for long-term data storage.

Gaze Inside These Nanopower Op-Amps

June 4, 2022 by Donald Papp 2 Comments

[Robo] over at Tiny Transistor Labs has a fascinating look at what’s inside these modern, ultra low-power devices that consume absolutely minuscule amounts of current. Crank up the magnification, and go take a look at the dies on these two similar (but internally very different) devices.

Texas Instruments LPV801, under the hood.

The first unit is the Texas Instruments LPV801, a single-channel op-amp that might not be very fast, but makes up for it by consuming only a few hundred nanoamps. Inside, [Robo] points out all the elements of the design, explaining how a part like this would be laser-trimmed to ensure it performs within specifications.

The second part is the Texas Instruments LPV821 which uses a wee bit more power, but makes up for it with a few extra features like zero-drift and EMI hardening. Peeking inside this device reveals the different manufacturing process this part used, and [Robo] points out things like the apparent lack of fuses for precise trimming of the part during the manufacturing process.

Seeing these structures up close isn’t an everyday thing for most of us, so take the opportunity to check out [Robo]’s photos. Tiny Transistor Labs definitely takes the “tiny” part of their name seriously, as we’ve seen with their 555 timer, recreated with discrete transistors, all crammed into a package that’s even the same basic size as the original.

Reverse Engineering Silicon, One Transistor At A Time

April 3, 2021 by Jenny List 10 Comments

Many of will have marveled at the feats of reverse engineering achieved by decapping integrated circuits and decoding their secrets by examining the raw silicon die. Few of us will have a go for ourselves, but that doesn’t stop the process being a fascinating one. Fortunately [Ryan Cornateanu] is on hand with a step-by-step description of his journey into the art of decapping, as he takes on what might seem an unlikely subject in the form of the CH340 USB to serial chip you’ll find on an Arduino Nano board.

Starting with hot sulphuric acid is probably not everyone’s idea of a day at the bench, but having used it to strip the epoxy from the CH340, he’s able to take a look under the microscope. This is no ordinary microscope but a metallurgists instrument designed to light the top of the sample from one side with polarised light. This allows him to identify an area of mask ROM and zoom in on the transistors that make each individual bit.

At this point the chemistry moves into the downright scary as he reaches for the hydrofluoric acid and has to use a PTFE container because HF is notorious for its voracious reactivity. This allows him to take away the interconnects and look at the transistor layer. He can then with a bit of computer vision processing help extract a bit layer map, which with some experimentation and guesswork can be manipulated into a firmware dump. Even then it’s not done, because he takes us into the world of disassembly of what is an unknown architecture. Definitely worth a read for the armchair chip enthusiast.

If you’re thirsty for more, of course we have to direct you towards the work of [Ken Shirriff].

Decapping Components Hack Chat With John McMaster

March 8, 2021 by Dan Maloney 2 Comments

Join us on Wednesday, March 10 at noon Pacific for the Decapping Components Hack Chat with John McMaster!

We treat them like black boxes, which they oftentimes are, but what lies beneath the inscrutable packages of electronic components is another world that begs exploration. But the sensitive and fragile silicon guts of these devices can be hard to get to, requiring destructive methods that, in the hands of a novice, more often than not lead to the demise of the good stuff inside.

To help us sort through the process of getting inside components, John McMaster will stop by the Hack Chat. You’ll probably recognize John’s work from Twitter and YouTube, or perhaps from his SiliconPr0n.org website, home to beauty shots of some of the chips he has decapped. John is also big in the reverse engineering community, organizing the Mountain View Reverse Engineering meetup, a group that meets regularly to discuss the secret world of components. Join us as we talk to John about some of the methods and materials used to get a look inside this world.

Our Hack Chats are live community events in the Hackaday.io Hack Chat group messaging. This week we’ll be sitting down on Wednesday, March 10 at 12:00 PM Pacific time. If time zones have you tied up, we have a handy time zone converter.

Click that speech bubble to the right, and you’ll be taken directly to the Hack Chat group on Hackaday.io. You don’t have to wait until Wednesday; join whenever you want and you can see what the community is talking about.
Continue reading “Decapping Components Hack Chat With John McMaster” →