Learning About The Flume Water Monitor

The itch to investigate lurks within all us hackers. Sometimes, you just have to pull something apart to learn how it works. [Stephen Crosby] found himself doing just that when he got his hands on a Flume water monitor.

[Stephen] came by the monitor thanks to a city rebate, which lowered the cost of the Flume device. It consists of two main components: a sensor which is strapped to the water meter, and a separate “bridge” device that receives information from the sensor and delivers it to Flume servers via WiFi. There’s a useful API for customers, and it’s even able to integrate with a Home Assistant plugin. [Stephen] hoped to learn more about the device so he could scrape raw data himself, without having to rely on Flume’s servers.

Through his reverse engineering efforts, [Stephen] was able to glean how the system worked. He guides us through the basic components of the battery-powered magnetometer sensor, which senses the motion of metering components in the water meter. He also explains how it communicates with a packet radio module to the main “bridge” device, and elucidates how he came to decompile the bridge’s software.

When he sent this one in, [Stephen] mentioned the considerable effort that went into reverse engineering the system was “a very poor use” of his time — but we’d beg to differ. In our book, taking on a new project is always worthwhile if you learned something along the way. Meanwhile, if you’ve been pulling apart some weird esoteric commercial device, don’t hesitate to let us know what you found!

Unexpectedly Interesting Payphone Gives Up Its Secrets

Reverse engineering a payphone doesn’t sound like a very interesting project, at least in the United States, where payphones were little more than ruggedized versions of residential phones with a coin mechanism attached. Phones in other parts of the world were far more interesting, though, as this look at the mysteries of a payphone from Israel reveals (in Hebrew; English translation here).

This is a project [Inbar Raz] worked on quite a while ago, but only got around to writing up recently. The payphone in question was sourced from the usual surplus market channels, and appears to have been removed from service by Israeli telecommunications company Bezeq only shortly before he found it. It was in pretty good shape, and was even still locked tight, making some amateur locksmithing the first order of the day. The internals of the phone are surprisingly complex, with a motherboard that looks more like something from a PC. Date codes on the chips and through-hole construction date the device to the early- to mid-1990s.

With physical access gained, [Inbar] turned to the firmware. An Atmel flash chip seemed a good place to look, and indeed he was able to pull code off the chip. That’s where things took a turn thanks to the CPU the code was written for — the CDP1806, a later version of the more popular but still fringe CDP1802. This required [Inbar] to fall down the rabbit hole of writing a new processor definition file for Ghidra so that the firmware could be reverse-engineered. This got him to the point of understanding 1806 assembly well enough that he was able to re-flash the phone to print debugging messages on the built-in 16×2 LCD screen, which allowed him to figure out which routines were being called under various error conditions.

It doesn’t appear that [Inbar] ever completed the reverse engineering project, but as he points out, what does that even mean? He got inside, took a look around, and made the phone do some cool things it couldn’t do before, and in the process made things easier for anyone working with 1806 processors in Ghidra. That’s a pretty complete win in our books.

PlayStation Motherboard Sanded And Scanned, But There’s More To Do

If you want to reverse engineer the boards in a modern console, you’d better have a lab, a lot of fancy gear, and a good few months to dedicate to the task. The humble PlayStation, on the other hand, is more accessible in this regard. [Lawrence Brode] pulled one apart and started documenting it as part of a grander quest for console understanding.

[Lawrence’s] ultimate goal is to create a portable PlayStation using original hardware. That is, rather than cannibalizing an existing console, he wants to build an original portable from scratch. He needed to understand the PlayStation to recreate it, so he started by analyzing the original hardware.

The first part of [Lawrence’s] quest was to try and reverse engineer the PlayStation motherboard itself. The 1990s console has the benefit of only using a two-layer PCB, meaning it’s far easier to trace out than more modern multi-layer designs. [Lawrence] started with a damaged console, pulled out the motherboard, and stripped off all the components. He then cleaned the board, scanned it, and then sandblasted it to remove the solder mask.

He’s begun the work of tracing out signals, and next on the agenda is to create a new custom PCB that’s compatible with the original PlayStation hardware. You can grab his work via GitHub if you’re interested. [Lawrence] is also excited about the possibilities of grabbing the 24-bit RGB signal heading into the GPU and using it for an HDMI output conversion in the future.

It’s always an exciting time in the PlayStation community; we see lots of great hacks on the regular. If you’re cooking up your own, don’t hesitate to drop us a line!

Apollo-era PCB Reverse Engineering To KiCad

Earlier this year [Skyhawkson] got ahold of an Apollo-era printed circuit board which he believes was used in a NASA test stand. He took high quality photos of both sides of the board and superimposed them atop each other. After digging into a few obsolete parts from the 1960s, he was able to trace out the connections. I ran across the project just after making schematics for the Supercon badge and petal matrix. Being on a roll, I decided to take [Skyhawkson]’s work as a starting point and create KiCad schematics. Hopefully we can figure out what this circuit board does along the way.

The board is pretty simple:

  • approximately 6.5 x 4.5 inches
  • 22-circuit edge connector, 0.156 in pitch
  • 31 two-terminal parts (resistors, diodes)
  • 3 trimmer potentiometers
  • 7 transistors
  • parts arranged in 4 columns


Bluetooth Dongle Gives Up Its Secrets With Quick Snooping Hack

There’s a lot going on in our wireless world, and the number of packets whizzing back and forth between our devices is staggering. All this information can be a rich vein to mine for IoT hackers, but how do you zero in on the information that matters? That depends, of course, but if your application involves Bluetooth, you might be able to snoop in on the conversation relatively easily.

By way of explanation, we turn to [Mark Hughes] and his Boondock Echo, a device we’ve featured in these pages before. [Mark] needed to know how long the Echo would operate when powered by a battery bank, as well as specifics about the power draw over time. He had one of those Fnirsi USB power meter dongles, the kind that talks to a smartphone app over Bluetooth. To tap into the conversation, he enabled Host Controller Interface (HCI) logging on his phone and let the dongle and the app talk for a bit. The captured log file was then filtered through Wireshark, leaving behind a list of all the Bluetooth packets to and from the dongle’s address.

That’s when the fun began. Using a little wetware pattern recognition, [Mark] was able to figure out the basic structure of each frame. Knowing the voltage range of USB power delivery helped him find the bytes representing voltage and current, which allowed him to throw together a Python program to talk to the dongle in real time and get the critical numbers.

It’s not likely that all BLE-connected devices will be as amenable to reverse engineering as this dongle was, but this is still a great technique to keep in mind. We’ve got a couple of applications for this in mind already, in fact.
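As an added illustration of the frame-structure hunt described above (not code from [Mark]’s project, and using a constructed frame layout rather than the Fnirsi dongle’s real protocol), this Python script scans captured payloads for a 16-bit field that stays inside the USB voltage range across every frame and matches one reading taken from the dongle’s own display:

```python
"""Locate voltage/current fields in captured BLE payloads by plausibility.

Try every byte offset, both byte orders and a few fixed-point scales; keep
the fields that decode every frame into a physically plausible range, vary
between frames, and match one reading noted from the device's display.
"""
import struct

# Constructed captures (NOT the Fnirsi protocol): 0xAA 0x01 header, u16 mV,
# u16 mA, four reserved bytes, u16 sequence counter; all little-endian.
FRAMES = [bytes.fromhex(h) for h in (
    "aa01c4130d03000000000100",   # 5.060 V, 0.781 A
    "aa01cf132203000000000200",   # 5.071 V, 0.802 A
    "aa01b8130000000000000300",   # 5.048 V, 0.000 A
    "aa0132237206000000000400",   # 9.010 V, 1.650 A
)]
SCALES = (0.001, 0.01, 0.1)       # 1 mV/mA, 10 mV, 100 mV per LSB

def read_u16(frame, offset, fmt):
    return struct.unpack_from(fmt, frame, offset)[0]

def find_field(frames, lo, hi, reference, tol=0.005):
    """Return (offset, fmt, scale) candidates: every frame decodes into
    [lo, hi], the raw value is not constant (so headers/padding drop out),
    and frames[0] matches the display reading `reference` within `tol`."""
    hits = []
    for offset in range(len(frames[0]) - 1):
        for fmt in ("<H", ">H"):
            raw = [read_u16(f, offset, fmt) for f in frames]
            if len(set(raw)) == 1:
                continue
            for scale in SCALES:
                vals = [r * scale for r in raw]
                if all(lo <= v <= hi for v in vals) and abs(vals[0] - reference) <= tol:
                    hits.append((offset, fmt, scale))
    return hits

def decode(frame, spec):
    """Decode one frame with a (offset, fmt, scale) spec found above."""
    offset, fmt, scale = spec
    return round(read_u16(frame, offset, fmt) * scale, 3)

if __name__ == "__main__":
    volt = find_field(FRAMES, 4.5, 20.0, reference=5.06)    # USB PD range
    amps = find_field(FRAMES, 0.0, 5.0, reference=0.781)
    print("voltage candidates:", volt, "current candidates:", amps)
    for f in FRAMES:
        print(decode(f, volt[0]), "V", decode(f, amps[0]), "A")
```

Without the display reading, a second field (the mA high byte followed by a zero, read big-endian) also survives the range filter, which is why one known value is worth capturing alongside the log.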


Fail Of The Week: Subscription EV Charger Becomes Standalone, Briefly

At this point in the tech dystopia cycle, it’s no surprise that the initial purchase price of a piece of technology is likely not the last payment you’ll make. Almost everything these days needs an ongoing subscription to do whatever you paid for it to do in the first place. It’s ridiculous, especially when all you want to do is charge your electric motorcycle with electricity you already pay for; why in the world would you need a subscription for that?

That was [Maarten]’s question when he picked up a used EVBox wall mount charger, which refused to charge his bike without signing up for a subscription. True, the subscription gave access to all kinds of gee-whiz features, none of which were necessary for the job of topping off the bike’s battery. A teardown revealed a well-built device with separate modules for mains supply and battery charging, plus a communications module with a cellular modem, obviously the bit that’s phoning home and keeping the charger from working without the subscription.


MOTU Audio Interface Resurrected After Some Reverse Engineering

These days, when something electronic breaks, most folks just throw it away and get a new one. But as hackers, we prefer to find out what the actual problem is and fix it. [Bonsembiante] took that very tack when a MOTU brand audio interface wasn’t booting. As it turns out, a bit of investigative work led to a simple and viable fix.

The previous owner had tried to get the unit fixed multiple times without success. When it ended up on [Bonsembiante]’s bench, reverse engineering was the order of the day. Based around an embedded Linux system, there was lots to poke and prod at inside; it’s just that… the system wasn’t booting, wasn’t showing up over USB or Ethernet, and wasn’t doing much of anything at all.

Extracting the firmware only revealed that the firmware was actually valid, so that was a dead end. However, after some work following the boot process along in Ghidra, with some external help, the problem was revealed. Something was causing the valid firmware to fail the bootloader’s checks—and with that fixed, the unit booted. You’ll have to read the article to get the full juicy story—it’s worth it!

We’ve seen [Bonsembiante]’s work here before, when they turned an old ADSL router into a functioning guitar pedal. Video after the break.
