Hosting A Website On A Disposable Vape

September 15, 2025 by Maya Posch 16 Comments

For the past years people have been collecting disposable vapes primarily for their lithium-ion batteries, but as these disposable vapes have begun to incorporate more elaborate electronics, these too have become an interesting target for reusability. To prove the point of how capable these electronics have become, [BogdanTheGeek] decided to turn one of these vapes into a webserver, appropriately called the vapeserver.

While tearing apart some of the fancier adult pacifiers, [Bogdan] discovered that a number of them feature Puya MCUs, which is a name that some of our esteemed readers may recognize from ‘cheapest MCU’ articles. The target vape has a Puya PY32F002B MCU, which comes with a Cortex-M0+ core at 24 MHz, 3 kB SRAM and 24 kB of Flash. All of which now counts as ‘disposable’ in 2025, it would appear.

Even with a fairly perky MCU, running a webserver with these specs would seem to be a fool’s errand. Getting around the limited hardware involved using the uIP TCP/IP stack, and using SLIP (Serial Line Internet Protocol), along with semihosting to create a serial device that the OS can use like one would a modem and create a visible IP address with the webserver.

The URL to the vapeserver is contained in the article and on the GitHub project page, but out of respect for not melting it down with an unintended DDoS, it isn’t linked here. You are of course totally free to replicate the effort on a disposable adult pacifier of your choice, or other compatible MCU.

Using An MCU’s Own Debug Peripheral To Defeat Bootrom Protection

September 10, 2025 by Maya Posch 2 Comments

The patient hooked up for some reverse-engineering. (Credit: Caralynx, Twitter)

Released in July of 2025, the Tamagotchi Paradise may look somewhat like the late 90s toy that terrorized parents and teachers alike for years, but it’s significantly more complex and powerful hardware-wise. This has led many to dig into its ARM Cortex-M3-powered guts, including [Yukai Li] who recently tripped over a hidden section in the bootrom of the dual-core Sonix SNC73410 MCU that makes up most of the smarts inside this new Tamagotchi toy.

Interestingly, [Yukai] did see that the visible part of the bootrom image calls into the addresses that make up the hidden part right in the reset handler, which suggests that after reset this hidden bootrom section is accessible, just not when trying to read it via e.g. SWD as the hiding occurs before the SWD interface becomes active. This led [Yukai] to look at a way to make this ROM section not hidden by using the Cortex-M3’s standard Flash Patch and Breakpoint (FPB) unit. This approach is covered in the project’s source file.

With this code running, the FPB successfully unset the responsible ROM hide bit in the OSC_CTRL register, allowing the full bootrom to be dumped via SWD and thus defeating this copy protection with relatively little effort.

Heading image: PCB and other components of a torn-down Tamagotchi Paradise. (Credit: Tamagotchi Center)

A thick, rectangular device with rounded corners is shown, with a small screen in the upper half, above a set of selection buttons.

Further Adventures In Colorimeter Hacking

September 9, 2025 by Aaron Beckendorf No comments

One of the great things about sharing hacks is that sometimes one person’s work inspires someone else to take it even further. A case in point is [Ivor]’s colorimeter hacking (parts two and three), which started with some relatively simple request spoofing to install non-stock firmware, and expanded from there until he had complete control over the hardware.

After reading [Adam Zeloof]’s work on replacing the firmware on a cosmetics spectrophotometer with general-purpose firmware, [Ivor] bought two of these colorimeters, one as a backup. He started with [Adam]’s method for updating the firmware by altering the request sent to an update server, but was only able to find the serial number from a quality-control unit. This installed the quality-control firmware, which encountered an error on the device. More searching led [Ivor] to another serial number, which gave him the base firmware, and let him dump and compare the cosmetic, quality-control, and base firmwares.

Continue reading “Further Adventures In Colorimeter Hacking” →

Battery Repair By Reverse Engineering

August 26, 2025 by Tyler August 28 Comments

Ryobi is not exactly the Cadillac of cordless tools, but one still has certain expectations when buying a product. For most of us “don’t randomly stop working” is on the list. Ryobi 18-volt battery packs don’t always meet that expectation, but fortunately for the rest of us [Badar Jahangir Kayani] took matters into his own hands and reverse-engineered the pack to find all the common faults– and how to fix them.

[Badar]’s work was specifically on the Ryobi PBP005 18-volt battery packs. He’s reproduced the schematic for them and given a fairly comprehensive troubleshooting guide on his blog. The most common issue (65%) with the large number of batteries he tested had nothing to do with the cells or the circuit, but was the result of some sort of firmware lock.

It isn’t totally clear what caused the firmware to lock the batteries in these cases. We agree with [Badar] that it is probably some kind of glitch in a safety routine. Regardless, if you have one of these batteries that won’t charge and exhibits the characteristic flash pattern (flashing once, then again four times when pushing the battery test button), [Badar] has the fix for you. He actually has the written up the fix for a few flash patterns, but the firmware lockout is the one that needed the most work.

[Badar] took the time to find the J-tag pins hidden on the board, and flash the firmware from the NXP micro-controller that runs the show. Having done that, some snooping and comparison between bricked and working batteries found a single byte difference at a specific hex address. Writing the byte to zero, and refreshing the firmware results in batteries as good as new. At least as good as they were before the firmware lock-down kicked in, anyway.

He also discusses how to deal with unbalanced packs, dead diodes, and more. Thanks to the magic of buying a lot of dead packs on e-Bay, [Badar] was able to tally up the various failure modes; the firmware lockout discussed above was by far the majority of them, at 65%. [Badar]’s work is both comprehensive and impressive, and his blog is worth checking out even if you don’t use the green brand’s batteries. We’ve also embedded his video below if you’d rather watch than read and/or want to help out [Badar] get pennies from YouTube monetization. We really do have to give kudos for providing such a good write up along with the video.

This isn’t the first attempt we’ve seen at tearing into Ryobi batteries. When they’re working, the cheap packs are an excellent source of power for everything from CPap machines to electric bicycles.

Thanks to [Badar] for the tip.

Continue reading “Battery Repair By Reverse Engineering” →

How Intel’s 386 Protects Itself From ESD, Latch-up And Metastability

August 21, 2025 by Maya Posch 11 Comments

To connect the miniature world of integrated circuits like a CPU with the outside world, a number of physical connections have to be made. Although this may seem straightforward, these I/O pads form a major risk to the chip’s functioning and integrity, in the form of electrostatic discharge (ESD), a type of short-circuit called a latch-up and metastability through factors like noise. Shielding the delicate ASIC from the cruel outside world is the task of the I/O circuitry, with [Ken Shirriff] recently taking an in-depth look at this circuity in Intel’s 386 CPU.

The 386 die, zooming in on some of the bond pad circuits. (Credit: Ken Shirriff)

The 386 has a total of 141 of these I/O pads, each connected to a pin on the packaging with a delicate golden bond wire. ESD is on the top of the list of potential risks, as a surge of high voltage can literally blow a hole in the circuitry. The protective circuit for this can be seen in the above die shot, with its clamping diodes, current-limiting resistor and a third diode.

Latch-up is the second major issue, caused by the inadvertent creation of parasitic structures underneath the P- and NMOS transistors. These parasitic transistors are normally inactive, but if activated they can cause latch-up which best case causes a momentary failure, but worst case melts a part of the chip due to high currents.

To prevent I/O pads from triggering latch-up, the 386 implements ‘guard rings’ that should block unwanted current flow. Finally there is metastability, which as the name suggests isn’t necessarily harmful, but can seriously mess with the operation of the chip which expects clean binary signals. On the 386 two flip-flops per I/O pad are used to mostly resolve this.

Although the 386’s 1985-era circuitry was very chonky by today’s standards, it was still no match for these external influences, making it clear just how important these protective measures are for today’s ASICs with much smaller feature sizes.

It’s A Pi, But It’s Not Quite A Raspberry Pi

August 17, 2025 by Jenny List 17 Comments

When is a Raspberry Pi not a Raspberry Pi? Perhaps when it’s a Pi Pico-shaped board with an RP3A0 SoC from a Raspberry Pi Zero 2, made by [jonny12375].

Back in the early days of the Raspberry Pi, there was a offering from the Korean manufacturer Odroid, which wasn’t merely a similar machine with a different SoC, but a full clone in a smaller form factor featuring the same BCM2385 chip as the original. It was electrically and software-wise identically to the real thing, which we suspect didn’t go down very well with the Pi folks in Cambridge. The supply of Broadcom chips dried up, and ever since then the only way to get a real Pi has been from the official source. That’s not quite the end of the unofficial Pi story though, because a few hardy experimenters have made Pi clones like this one using chips desoldered from the real thing.

It’s the fruit of a reverse-engineering project to find the chip’s pinout, and it’s a proof of concept board rather than the intended final target of the work. The process involved painstakingly sanding down each layer of a Zero 2 board to reveal the traces and vias. The current board has a few quirks but it boots, making this an impressive piece of work on all counts. We’re looking forward to seeing whatever the final project will be.

If you’re hungry for more Pi-derived goodness, we’ve also seen one using the part form a Pi 3.

Reverse Engineering A ‘Tony’ 6502-based Mini Arcade Machine

July 21, 2025 by Maya Posch 15 Comments

The mainboard of the mini arcade unit with its blob chip and EEPROM. (Credit: Poking Technology, YouTube)

For some reason, people are really into tiny arcade machines that basically require you to ruin your hands and eyes in order to play on them. That said, unlike the fifty gazillion ‘retro consoles’ that you can buy everywhere, the particular mini arcade machine that [David Given] of [Poking Technology] obtained from AliExpress for a teardown and ROM dump seems to have custom games rather than the typical gaggle of NES games and fifty ROM hack variations of each.

After a bit of gameplay to demonstrate the various games on the very tiny machine with tiny controls and a tiny 1.8″, 160×128 ST7735 LC display, the device was disassembled. Inside is a fairly decent speaker, the IO board for the controls, and the mainboard with an epoxy blob-covered chip and the SPI EEPROM containing the software. Dumping this XOR ‘encrypted’ ROM was straightforward, revealing it to be a 4 MB, W23X32-compatible EEPROM.

Continue reading “Reverse Engineering A ‘Tony’ 6502-based Mini Arcade Machine” →