Remoticon 2021 // Rob Weinstein Builds An HP-35 From The Patent Up

Fifty years ago, Hewlett-Packard introduced the first handheld scientific calculator, the HP-35. It was quite the engineering feat, since equivalent machines of the day were bulky desktop affairs, if not rack-mounted. [Rob Weinstein] has long been a fan of HP calculators, and used an HP-41C for many years until it wore out. Since then he gradually developed a curiosity about these old calculators and what made them tick. The more he read, the more engrossed he became. [Rob] eventually decided to embark on a three year long reverse-engineer journey that culminated a recreation of the original design on a protoboard that operates exactly like the original from 1972 (although not quite pocket-sized). In this presentation he walks us through the history of the calculator design and his efforts in understanding and eventually replicating it using modern FPGAs.

The HP patent ( US Patent 4,001,569 ) contains an extremely detailed explanation of the calculator in nearly every aspect. There are many novel concepts in the design, and [Rob] delves into two of them in his presentation. Early LED devices were a drain on batteries, and HP engineers came up with a clever solution. In a complex orchestra of multiplexed switches, they steered current through inductors and LED segments, storing energy temporarily and eliminating the need for inefficient dropping resistors. But even more complicated is the serial processor architecture of the calculator. The first microprocessors were not available when HP started this design, so the entire processor was done at the gate level. Everything operates on 56-bit registers which are constantly circulating around in circular shift registers. [Rob] has really done his homework here, carefully studying each section of the design in great depth, drawing upon old documents and books when available, and making his own material when not. For example, in the course of figuring everything out, [Rob] prepared 338 pages of timing charts in addition to those in the patent. Continue reading “Remoticon 2021 // Rob Weinstein Builds An HP-35 From The Patent Up”

An assortment of MemoryStick cards and devices, some of them, arguably cursed, like a MemoryStick-slot-connected camera.

Hacker Challenges MemoryStick To A Fight And Wins

It’s amazing when a skilled hacker reverse-engineers a proprietary format and shares the nitty-gritty with everyone. Today is a day when we get one such write-up – about MemoryStick. It is one of those proprietary formats, a staple of Sony equipment, these SD-card-like storage devices were evidently designed to help pad Sony’s pockets, as we can see from the tight lock-in and inflated prices. As such, this format has always remained unapproachable to hackers. No more – [Dmitry Grinberg] is here with an extensive breakdown of MemoryStick protocol and internals.

If you ever want to read about a protocol that is not exactly sanely designed, from physical layer quirks to things like inexplicable large differences between MemoryStick and MemoryStick Pro, this will be an entertaining read for hackers of all calibers. Dmitry doesn’t just describe the bad parts of the design, however, as much as that rant is entertaining to read – most of the page is taken by register summaries, struct descriptions and insights, the substance about MemoryStick that we never got.

One sentence is taken to link to a related side project of [Dmitry] that’s a rabbithole on its own – he has binary patched MemoryStick drivers for PalmOS to add MemoryStick Pro support to some of the Sony Clie handhelds. Given the aforementioned differences between non-Pro and Pro standards, it’s a monumental undertaking for a device older than some of this site’s readers, and we can’t help but be impressed.

To finish the write-up off, [Dmitry] shares with us some MemoryStick bit-banging examples for the STM32. Anyone who ever wanted to approach MemoryStick, be it for making converter adapters to revive old tech, data recovery or preservation purposes, or simply hacker curiosity, now can feel a bit less alone in their efforts.

We are glad to see such great hacking on the MemoryStick front – it’s much needed, to the point where our only article mentioning MemoryStick is about avoiding use of the MemoryStick slot altogether. [Dmitry] is just the right person for reverse-engineering jobs like this, with extensive reverse-engineering history we’ve been keeping track of – his recent reverse-engineering journey of an unknown microcontroller in cheap E-Ink devices is to behold.

Mirror, Mirror On The Wall, Do My Eyes Deceive Me After All

Say what you will about illusions, [Create Inc] has some 3D prints that appear to change shape when viewed in a mirror. For example, circles transform into stars and vice versa. A similar trick was performed by [Kokichi Sugihara] in 2016, where he showed circles that appear as squares in the mirror. For the trick to work, the camera’s position (or your eye) is important as the shapes look different from different angles. The illusion comes in when your brain ignores any extra information and concludes that a much more complex shape is a simpler one. [Create Inc] walks you through the process of how the illusion works and how it was created in Blender.

When he posted the video on Reddit, most seemed to think that it wasn’t a mirror and there was some camera trickery. At its heart, this is reverse-engineering a magic trick, and we think it’s an impressive one. STL files are on Thingiverse or Etsy if you want to print your own. We covered a second illusion that [Kokichi] did that relies on a similar trick.

Continue reading “Mirror, Mirror On The Wall, Do My Eyes Deceive Me After All”

Remoticon 2021 // Hash Salehi Outsmarts His Smart Meter

Smart meters form mesh networks among themselves and transmit your usage data all around. Some of them even allow the power company to turn off your power remotely, through the mesh. You might want to know if any of this information is sensitive, or if the power shutdown system has got glaring security flaws and random people could just turn your house off. Hash Salehi has set out to get inside these meters, and luckily for the rest of us, he was kind enough to share his findings during Remoticon 2021. It’s a journey filled with wonderful tidbits about GNU Radio, embedded devices, and running your own power company inside a Faraday cage.

The smart meter in question is deployed by a power company known as Oncor in the Dallas, Texas, area. These particular meters form an extensive mesh network using a ZigBee module onboard that allows them to to pass messages amongst themselves that eventually make their way to a collector or aggregator to be uploaded to a more central location. Hash obtained his parts via everyone’s favorite online auction house and was surprised to see how many parts were available. Then, with parts in hand, he began all the usual reverse engineering tricks: SDR, Faraday cages, flash chip readers, and recreating the schematic. Continue reading “Remoticon 2021 // Hash Salehi Outsmarts His Smart Meter”

Ken Shirriff Breaks Open The Yamaha DX7

For better or worse, this synthesizer was king in the 1980s music scene. Sure, there had been synthesizers before, but none acheived the sudden popularity of Yamaha’s DX7. “Take on Me?” “Highway to the Dangerzone”?  That harmonica solo in “What’s Love Got to Do With It?”  All DX7. This synth was everywhere in pop music at the time, and now we can all get some insight from taking a look at this de-capped chip from [Ken Shirriff].

To be clear, by “look” that’s exactly what we mean in this case, as [Ken] is reverse-engineering the YM21280 — the waveform generator of the DX7 — from photos. He took around 100 photos of the de-capped chip with a microscope, composited them, and then analyzed them painstakingly. The detail in his report is remarkable as he is able to show individual logic gates thanks to his powerful microscope. From there he can show exactly how the chip works down to each individual adder and array of memory.

[Ken]’s hope is that this work improves the understanding of the Yamaha DX7 chips enough to build more accurate emulators. Yamaha stopped producing the synthesizer in 1989 but its ubiquity makes it a popular, if niche, platform for music even today. Of course you don’t need a synthesizer to make excellent music. The next pop culture trend, grunge, essentially was a rebellion to the 80s explosion of synths and neon colors and we’ve seen some unique ways of exploring this era of music as well.

Thanks to [Folkert] for the tip!

[Ken Shirriff] Picks Apart Mystery Chip From Twitter Photo

It’s no secret that the work of [Ken Shirriff] graces the front pages of Hackaday quite frequently. He’s back again, this time reverse engineering a comparator chip from a photo on Twitter. The mysterious chip was decapped, photographed under a microscope, and subsequently posted on the internet with an open call to figure out what it did.

[Ken] stepped up, and at first glance, it was obvious that most of the chip is unused, and there appeared to be four copies of the same circuit. After identifying resistors and the different transistor types, [Ken] found differential pairs.

Differential pairs form the heart of most op-amps, and by chaining them together, you can get a strong enough signal to treat it as a logic signal. Based on the design and materials, [Ken] estimates the chip is from the 1970s. Given that it appears to be ECL (Emitter-Coupled Logic), it could just be four comparators. But there are still a few things that don’t add up as two comparators have additional inverted outputs. Searching the part number offered few if any clues, so this will remain somewhat a mystery.

We’ve covered [Ken’s] incredible chip sleuthing before here, such as the Sharp EL-8 from 1969.

Reverse Engineering A PokeWalker

The PokeWalker is part of Nintendo’s long quest to get children (and likely some adults) walking and exercising. There’s the PokeWalker, Pokemon Pikachu, PokeBall Plus, Pokemon Pikachu 2, Pokemon mini, and of course Pokemon Go. Despite being out a decade, there wasn’t a ROM dump for the device and there was minimal documentation on the communication protocol. [Dmitry Grinberg] took it upon himself to change all that and crack the PokeWalker open.

At its heart, the PokeWalker is just a pedometer with an IR port and a 96×64 grayscale screen. It came out in 2009 to accompany the new Pokemon release for the Nintendo DS. Cracking open the device revealed a 64KB EEPROM, a Renesas H8/38606R CPU, a Bosch BMA150 accelerometer, and a generic IR transceiver. The CPU is particularly interesting as in addition to being quite rare, it has a mix of 8, 16, and 32 bits with 24-bit pointers. This gives it a 64K address space. While the CPU is programmable, any attempt to do so erases the onboard flash. The communication protocol packets have an 8-bit header that precedes each packet. The header has a checksum, a command byte, and four bytes of session id, and an unused byte. Curiously enough, every byte is XOR’d with 0xAA before being broadcast.

One command is an EEPROM write, which uses back-referencing compression. Each chunk of data to be written is packaged into 128-byte chunks, though 128 bytes likely won’t be sent thanks to the compression. The command can theoretically reference 4k bytes back, but in practice, it can only reference 256 bytes back. It was this command that laid the foundation for the exploit. By carefully crafting the command to send, the command can overflow the decompression buffer and into executable code. Only a few bytes can be overflowed so the payload needs to be carefully crafted. This allowed for an exploit that reads the system ROM and broadcasts it out the IR port. Only 22k bytes can be dumped before the watchdog reboots the device. By changing the starting address, it was easy to do multiple passes.

After the ROM was stitched together from the different passes, the different IR commands were analyzed. In particular, a command was found that allows direct writes into RAM. This makes for a much easier exploit as you can write your exploit, then override a pointer in the event table, then have the exploit revert the event table once the system naturally jumps to your exploit.

[Dmitry] finishes off this amazing exploit by writing a PalmOS app to dump the ROM from a PokeWalker as well as modify the system state. PalmOS was chosen as it is an easy and cheap way to have a programmable IR transciever. All in all, a gorgeous hack with a meticulous writeup. This isn’t the first video game accessory that’s been reverse engineered with a scrupulous writeup, and we’re sure it won’t be the last.

Continue reading “Reverse Engineering A PokeWalker”