Seeing Transistors Switch In Infrared

In the hacker and DIY community, there are people who have exceptional knowledge and fantastic tools. These people are able to do what others could only dream about, and that others can only browse eBay looking for that one tool they need to do the job. One of these such people is [John McMaster]. He is the resident expert on looking inside integrated circuits. He drops acid on a chip, and he can tell you exactly how it works on the inside.

At the hardwear.io conference, [John] shared one of his techniques for reverse-engineering intgrated circuits. He’s doing this by simply looking at the transistors, and looking at the light they give off. He’s also looking at the wrong side of the die.

The technique [John] is using is properly called backside analysis, or looking at the infrared emissions of electron recombinations. This happens at the junction of every transistor when it’s active, and these photons are emitted at the bandgap of silicon, or about 1088 nm, far into the infrared. This sort of thing has been done before by [nedos] at CCC in 2013, but rarely have we seen a deep dive into the tools and techniques needed to look at the reverse side of an IC and see the photons coming off.

An IC, seen in infrared

There are several tools [John] used for this work, and he actually did a good comparison of different camera technologies used to image infrared photon emissions from integrated circuits. InGaAs cameras are expensive, but they offer high sensitivity. New back-illuminated CMOS cameras and cooled CCDs normally reserved for astrophotography were also tested, and as always, you get what you pay for; the most expensive cameras worked best, but there were ways you could make the cheap ones work.

As with any camera work, preparing the lighting is of utmost importance. This includes an IR pass filter, and using only LED lighting in the lab with no sunlight, incandescent, or halogen light bulbs in the room — you don’t want any IR, after all. A NIR objective in the microscope was sourced from eBay, for about 1/10th the normal cost, because the objective had a small, insignificant scratch. Using this NIR objective made the image twice as bright as any other method. You can successfully image a chip with this, and [John] tested the setup on a resistor inside a CD4050 chip; the resistor glowed a slight purple, the color you would expect with infrared sensors. But can it work with I/O levels in a more modern chip? Also, yes. It needs some Photoshop to process, and stretching the 12-bit or 16-bit color space into an 8-bit color space, but it does work.

Finally, the supreme achievement of doing backside IR analysis. Is that possible with even this minimal setup? This requires some preparation; the silicon substrate in an IC is transparent in IR, but there is attenuation and this is especially important when the substrate is 300 um thick. This needs to be shaved down to about 25 um thick, which surprisingly is best done with fine sandpaper and a finger.

While few IR emissions were observed via backside emissions, the original plan wasn’t to completely analyze the chip, but merely to do some floor planning. For this, it worked. It’s a remarkable amount of work to see the inside of a silicon chip.

Simple Arduino Universal Remote Control

The infrared remote control might not hold the seat of honor in the average home theater setup that it once enjoyed, but it’s not quite out to pasture yet. After all, what are you going to use to stop Netflix once the Chromecast invariably disconnects from your phone? As long as there are devices out there that will respond to commands blasted their way via an IR LED, hackers will be looking to get in on the action.

In an effort to make IR remote hacking just a bit easier, [sjm4306] has submitted his Remoteduino for the 2019 Hackaday Prize. With this handy tool in your arsenal, you can focus on developing the software side of your next IR remote project without worry about the hardware. Just upload your code, and get clicking.

As you might imagine, the design is rather simple. On the front edge of the PCB you’ve got the prerequisite IR LED, and a healthy supply of tactile buttons that your code can use as input. The remote features a fairly standard layout on the top half, complete with silkscreened labels for the common functions, but below that [sjm4306] has packed in six general purpose buttons that can be used for whatever you like.

The Remoteduino is powered by an ATmega328P, and the whole thing runs on a CR2032 cell mounted on the backside. [sjm4306] mentions in his write-up on Hackaday.io that battery life was always a consideration during development of the Remoteduino, so he’s made a few energy-saving considerations. Using the internal 8 MHz oscillator instead of an external crystal shaved a bit off the top, and the aggressive sleep routines got him the rest of the way. In testing, he estimates the battery should last a few years even with daily use.

Continue reading “Simple Arduino Universal Remote Control”

Infrared Brute Force Attack Unlocks TiVo

While the era of the TiVo (and frankly, the idea of recording TV broadcasts) has largely come to a close, there are still dedicated users out there who aren’t quite ready to give up on the world’s best known digital video recorder. One such TiVo fanatic is [Gavan McGregor], who recently tried to put a TiVo Series 3 recorder into service, only to find the device was stuck in the family-friendly “KidZone” mode.

Without the code to get it out of this mode, and with TiVo dropping support for this particular recorder years ago, he had to hack his way back into this beloved recorder on his own. The process was made easier by the simplistic nature of the passcode system, which only uses four digits and apparently doesn’t impose any kind of penalty for incorrect entries. With only 10,000 possible combinations for the code and nothing to stop him from trying each one of them in sequence, [Gavan] just needed a way to bang them out.

After doing some research on the TiVo remote control protocol, he came up with some code for the Arduino using the IRLib2 library that would brute force the KidZone passcode by sending the appropriate infrared codes for each digit. He fiddled around with the timing and the delay between sending each digit, and found that the most reliable speed would allow his device to run through all 10,000 combinations in around 12 hours.

The key thing to remember here is that [Gavan] didn’t actually care what the passcode was, he just needed it to be entered correctly to get the TiVo out of the KidZone mode. So he selected the “Exit KidZone” option on the TiVo’s menu, placed his Arduino a few inches away from the DVR, and walked away. When he came back the next day, the TiVo was back into its normal mode. If you actually wanted to recover the code, the easiest way (ironically) would be to record the TV as the gadget works its way through all the possible digits.

Back in 2004, there were so many TiVo hacks hitting the front page of Hackaday that we actually gave them a dedicated subdomain. But by the end of 2007, we were asking what hackers would do with the increasingly discarded Linux-powered devices. That people are still hacking on these gadgets over a decade later is truly a testament to how dedicated the TiVo fanbase really is.

[Thanks to Chris for the tip.]

Turning A Tiny FLIR Into An Action Cam With FPGAs

FLIR are making some really great miniature thermal cameras these days, designed for applications such as self-driving cars, and tools that help keep firefighters safe. That’s great and all, but these thermal cameras are so cool, you really just want to play with one. That’s what [greg] was thinking when he designed a PCB backpack that captures thermal images from a FLIR Boson and stores it on an SD card. It’s a thermal action cam, and an impressive bit of FPGA development, too.

The FLIR product in question is a Boson 640, an impressive little camera that records in 640×512 resolution, with a 60 Hz update rate. This one’s got the 95° field of view, giving it a very good specification in a very small footprint. This is a huge improvement over FLIR’s Tau camera, for which [greg] built a breakout board with Ethernet and DDR memory a few years ago. Once he found out about the Boson, he figured a backpack PCB for this camera would be possible and a great excuse to teach himself FPGAs with a hands-on project.

With an impressive ability to find the perfect part, [greg] sourced a Lattice iCE40 FPGA in an 8×8 mm package along with an 8 Mbit HyperRAM in a 6×8 package. This combination allows for all the chips to fit behind the Boson camera. Add in an microSD card slot and a few connectors and this breakout board is very close to being a commercial product, for whatever forward looking infrared needs you might have.

Improving Indoor Navigation Of Robots With IR

If the booths at CES are to be believed, the future is full of home robots: everything from humanoid robots on wheels to Alexas duct taped to a Roomba. Back in reality, home robots really aren’t a thing yet. There’s an obvious reason for this: getting around a house is hard. A robot might actually need legs to get up and down stairs, and GPS simply doesn’t exist indoors, at least to the accuracy needed. How on Earth does a robot even navigate indoors?

This project for the Hackaday Prize solves the problem of indoor navigation, and it does it in an amazingly clever way. This is using QR codes for navigation, but not just any QR codes. They’re QR codes read by an infrared camera, and painted on the walls and ceilings with a special IR sensitive paint that’s invisible to the human eye. It’s navigation for robotic vision, and it’s a fantastic idea.

The basic idea behind this project is to use an IR camera — or basically any webcam with the IR blocking filter removed — and a massive amount of IR LEDs to illuminate any target. So far, the proof of concept works. A computer can easily read QR codes, and if paint is invisible to the human eye but visible to an IR camera, the entire project is merely a matter of implementation.

There have been a number of projects that try to add indoor navigation to robots. Some of them use LIDAR, some use computer vision and SLAM. These are computationally expensive. Some even use wireless beacons to navigate indoors like the SubPos Ranger from the 2016 Hackaday Prize. Using IR and QR codes is just so simple and hacker-friendly, and we think it’s fantastic.

IR Detective Eases Development With Compact Decoding

Hardware development often involves working with things that can’t be directly perceived, which is one reason good development tools are so important. In appreciation of this, [David Johnson-Davies] created the IR Remote Control Detective to simplify working with IR signals. While IR remote controls are commonplace, there are a number of different protocols and encoding methods in use across different brands. The IR Detective takes care of all of that with three main components, none of which are particularly expensive. To use the decoder, one simply points an IR remote at the unit and presses one of the buttons. The IR Detective will identify the protocol, decode the signal, and display the address and command related to the key that was pressed. The unit doesn’t consist of much more than an ATtiny85 microcontroller, a small OLED display, and an IR receiver unit. The IR receiver used is intended for a 38 kHz carrier, but such receivers can and do respond to signals outside this frequency, although they do so at a reduced range.

As a result, not only is the unit useful for decoding IR or verifying that correct signals are being generated, but the small size and low cost means it could easily be used as a general purpose receiver to add IR remote control to other devices. It’s also halfway to bridging IR to something else, like this WiFi-IR bridge which not only interfaces to legacy hardware, but does it across WiFi to boot.

Motion-Controlled KVM Switch

Once upon a time, [hardwarecoder] acquired a Gen8 HP microserver that he began to toy around with. It started with ‘trying out’ some visualization before spiraling off the rails and fully setting up FreeBSD with ZFS as a QEMU-KVM virtual machine. While wondering what to do next, he happened to be lamenting how he couldn’t also fit his laptop on his desk, so he built himself a slick, motion-sensing KVM switch to solve his space problem.

At its heart, this device injects DCC code via the I2C pins on his monitors’ VGA cables to swap inputs while a relay ‘replugs’ the keyboard and mouse from the server to the laptop — and vice-versa — at the same time. On the completely custom PCB are a pair of infrared diodes and a receiver that detects Jedi-like hand waves which activate the swap. It’s a little more complex than some methods, but arguably much cooler.

Using an adapter, the pcb plugs into his keyboard, and the monitor data connections and keyboard/mouse output to the laptop and server stream out from there. There is a slight potential issue with cables torquing on the PCB, but with it being so conveniently close, [hardwarecoder] doesn’t need to handle it much.

Continue reading “Motion-Controlled KVM Switch”