Emulating A 74LS48 BCD-to-7-Segment Decoder/Driver With An Altera MAX 7000 “S” Series Complex Programmable Logic Device

Over on the [Behind The Code with Gerry] YouTube channel our hacker [Gerry] shows us how to emulate a 74LS48 BCD-to-7-segment decoder/driver using an Altera CPLD logic chip from 1998.

This is very much a das blinkenlights kind of project. The goal is to get a 7-segment display to count from 0 to 9, and that’s it. [Gerry] has a 74LS193 Up/Down Binary Counter, a 74LS42 BCD to Decimal Decoder, and some 74LS00 NAND gates, but he “doesn’t have” a 74LS48 to drive the 7-segment display, so he emulates one with an old Altera CPLD, model EPM7064SLC44, which dates back to the late nineties. A CPLD is a Complex Programmable Logic Device, which is a kind of precursor to FPGA technology.

Further Adventures In Colorimeter Hacking

One of the great things about sharing hacks is that sometimes one person’s work inspires someone else to take it even further. A case in point is [Ivor]’s colorimeter hacking (parts two and three), which started with some relatively simple request spoofing to install non-stock firmware, and expanded from there until he had complete control over the hardware.

After reading [Adam Zeloof]’s work on replacing the firmware on a cosmetics spectrophotometer with general-purpose firmware, [Ivor] bought two of these colorimeters, one as a backup. He started with [Adam]’s method for updating the firmware by altering the request sent to an update server, but was only able to find the serial number from a quality-control unit. This installed the quality-control firmware, which encountered an error on the device. More searching led [Ivor] to another serial number, which gave him the base firmware, and let him dump and compare the cosmetic, quality-control, and base firmwares.

JTAG & SWD Debugging On The Pi Pico

[Surya Chilukuri] writes in to share JTAGprobe — a fork of the official Raspberry Pi debugprobe firmware that lets you use the low-cost microcontroller development board for JTAG and SWD debugging just by flashing the provided firmware image.

We’ve seen similar projects in the past, but they’ve required some additional code running on the computer to bridge the gap between the Pico and your debugging software of choice. But [Surya] says this project works out of the box with common tools such as OpenOCD and pyOCD.

As we’ve cautioned previously, remember that the Pi Pico is only a 3.3 V device. JTAG and SWD don’t have set voltages, so in the wild you could run into logic levels from 1.2 V all the way to 5.5 V. While being able to use a bare Pico as a debugger is a neat trick, adding in a level shifter would be a wise precaution.

Looking to get even more use out of those Pi Picos you’ve got in the parts bin? How about using it to sniff USB?

Smartwatch Snitches On Itself And Enables Reverse Engineering

If something has a “smart” in its name, you know that it’s talking to someone else, and the topic of conversation is probably you. You may or may not like that, but that’s part of the deal when you buy these things. But with some smarts of your own, you might be able to make that widget talk to you rather than about you.

Such an opportunity presented itself to [Benjamen Lim] when a bunch of brand X smartwatches came his way. Without any documentation to guide him, [Benjamen] started with an inspection, which revealed a screen of debug info that included a mysterious IP address and port. Tearing one of the watches apart — a significant advantage to having multiple units to work with — revealed little other than an nRF52832 microcontroller along with WiFi and cellular chips. But the luckiest find was JTAG pins connected to pads on the watch face that mate with its charging cradle. That meant talking to the chip was only a spliced USB cable away.

Once he could connect to the watch, [Benjamen] was able to dump the firmware and fire up Ghidra. He decided to focus on the IP address the watch seemed fixated on, reasoning that it might be the address of an update server, and that patching the firmware with a different address could be handy. He couldn’t find the IP as a string in the firmware, but he did manage to find a sprintf-like format string for IP addresses, which led him to a likely memory location. Sure enough, the IP and port were right there, so he wrote a script to change the address to a server he had the keys for and flashed the watch.

So the score stands at [Benjamen] 1, smartwatch 0. It’s not clear what the goal of all this was, but we’d love to see if he comes up with something cool for these widgets. Even if there’s nothing else, it was a cool lesson in reverse engineering.

Fixing Issues With Knockoff Altera USB Blasters

Using an external MCU as a crude clock source for the Altera CPLD. (Credit: [Doug Brown])

One exciting feature of hardware development involving MCUs and FPGAs is that you all too often need specific tools to program them. [Doug Brown] suffered a price tag aneurysm after checking the cost of an official Altera/Intel USB Blaster (yours for $300) for programming a MAX 10 FPGA device. This led him naturally down the path of exploring alternatives: he rejected the $69 Terasic version for ‘being too expensive’ and opted instead for the Waveshare USB Blaster V2, at a regretful $34. The amazing feature of this USB Blaster clone is that while it works perfectly fine under Windows, it works at most intermittently under Linux.

This led [Doug] down the path of reverse-engineering and diagnosing the problem, ultimately throwing in the towel and downclocking the Altera CPLD inside the adapter after finding that it was running a smidge faster than the usual 6 MHz. This was accomplished initially by wiring in an external MCU as a crude (and inaccurate) clock source, but will be replaced with a 12 MHz oscillator later on. Exactly why the problem only exists on Linux and not on Windows will remain a mystery, with Waveshare support also being clueless.

Undeterred, [Doug] then gambled on a $9 USB Blaster clone (pictured above), which turned out to be not only completely non-functional, but also caused an instant BSOD on Windows, presumably due to the faked FTDI USB functionality tripping up the Windows FTDI driver. This got fixed by flashing custom firmware by [Vladimir Duan] to the WCH CH552G-based board after some modifications shared in a project fork. This variety of clone adapters can have a range of MCUs inside, ranging from this WCH one to STM32 and PIC MCUs, with very similar labels on the case. While cracking one open we had lying around, we found a PIC18 inside, but if you end up with a CH552G-based one, this would appear to fully fix it. Which isn’t bad for the merest fraction of the official adapter.

Thanks to [mip] for the tip.

JTAG Hacking An SSD With A Pi: A Primer

[Matthew “wrongbaud” Alt] is well known around these parts for his hardware hacking and reverse-engineering lessons, and today he’s bringing us a JTAG hacking primer that demoes some cool new hardware — the PiFEX (Pi Interface Explorer). Ever wondered about those testpoint arrays on mSATA and M.2 SSDs? This write-up lays bare the secrets of such an SSD, using a Pi 4, PiFEX, OpenOCD and a good few open-source tools for JTAG probing that you can easily use yourself.

The PiFEX hat gives you level-shifted bidirectional GPIO connectors for UART, SPI, I2C, JTAG, SWD and potentially way more, an OLED screen to show any debugging information you might need, and even a logic analyzer header so that you can check up on your reverse-engineering progress.

ESP-Prog-Adapter Makes Your ESP32 Tinkering Seamless

Did you ever struggle with an ESP32 board of yours, wishing you had exposed that UART, or seriously lacking JTAG port access? If so, you should seriously check out [0xjmux]’s ESP-PROG-Adapter project, because [0xjmux] has put a lot of love and care into making your ESP32 hardware interfacing a breeze. This project shows you how to add JTAG and UART headers with extra low board footprint impact, gives you a KiCad library to do so super quickly, and shares a simple and helpful adapter PCB you can directly use with Espressif’s exceptionally cheap ESP-Prog dongle you should have bought months ago.

The hardware is perfect for ZIF no-soldering interfacing – first of all, both UART and JTAG can be connected through a SOICBite connection, a solderless connector idea that lets you use SPI flashing clips on specially designed pads at the edge of your board. For the fancy toolkit hackers among us, there’s also a Tag Connect symbol suggested and a connector available, but it carries JTAG that you will already get with the SOICBite, so it’s maybe not worth spending extra money on.

Everything is fully open-source, as one could hope! If you’re doing ESP32 hacking, you simply have to order this board and a SOIC clip to go with it, given just how much trouble [0xjmux]’s board will save you when programming or debugging your ESP32 devices. Now, you don’t strictly need the ESP-Prog dongle – you could remix this into an adapter for the Pi Pico board instead. Oh, and if designing boards with ARM CPUs is your thing, you might benefit from being reminded about the Debug Edge standard!