Reverse Engineering Bottle Threads for Fun and Profit

Recently, one of [Eric]’s clients asked him to design a bottle. Simple enough for a product designer, except that the client needed it to thread into a specific type of cap. And no, they don’t know the specs.

But that’s no problem, thought [Eric] as he turned on the exhaust fan and reached for the secret ingredient that would make casting the negative image of the threads a breeze. He mixed up the foul-smelling body filler with the requisite hardener and some lovely cyan toner powder and packed it into the cap with a tongue depressor. Then he capped off the cast by adding a small PVC collar to lengthen the cast so he has something to grab on to when it’s time to take it out.

Bondo does seem like a good choice for casting threads. You need something workable enough to twist out of there without breaking, but rigid enough that the small detail of the threads isn’t lost. For the release agent, [Eric] used Johnson’s Paste Wax. He notes from experience that it works particularly well with Bondo, and even seems to help it cure.

Once the Bondo hardened, [Eric] made sure it screwed in and out of the cap and then moved on to CAD modeling and 3D printing bottle prototypes until he was satisfied. We’ve got the video screwed in after the break to cap things off.

Did you know that you can also use toner powder to tint your epoxy resin? Just remember that it is particulate matter, and take precautions.

Continue reading “Reverse Engineering Bottle Threads for Fun and Profit”

Eavesdropping on a VGA Monitor’s Conversations

Did you ever wonder what your monitor and your computer are talking about behind your back? As it turns out, there’s quite a conversation going on while the monitor and the computer decide how to get along, and sniffing out VGA communications can reveal some pretty fascinating stuff about the I²C protocol.

To reverse engineer the configuration information exchanged between a VGA monitor and a video card, [Ken Shirriff] began by lopping a VGA cable in two. The inside of such cables is surprisingly complex, with separate shielding wires for each color and sync channel and a host of control wires, all bundled in multiple layers of shielding foil and braid to reduce EMI. [Ken] identified the clock and data lines used for the I²C interface and broke those out into a PocketBeagle for analysis using the tiny Linux machine’s I²C tools.

With a Python script to help decode the monitor’s Extended Display Identification Data (EDID) data, [Ken] was able to see everything the monitor knows about itself — manufacturer, serial number, all the supported resolution modes, and even deprecated timing and signal information left over from the days when CRTs ruled the desktop. Particularly interesting are the surprisingly limited capabilities of a VGA display in terms of color reproduction, as well as [Ken]’s detailed discussion on the I²C bus in general and how it works.

We always enjoy these looks under the hood that [Ken] is so good at, and we look forward to his reverse engineering write-ups. His recent efforts include a look at core memory from a 50-year old mainframe and reverse engineering at the silicon level.

How To Reverse Engineer Mechanical Designs for 3D Modeling

If you’re interested in 3D printing or CNC milling — or really any kind of fabrication — then duplicating or interfacing with an existing part is probably on your to-do list. The ability to print replacement parts when something breaks is often one of the top selling points of 3D printing. Want some proof? Just take a look at what people made for our Repairs You Can Print contest.

Of course, to do that you need to be able to make an accurate 3D model of the replacement part. That’s fairly straightforward if the part has simple geometry made up of a primitive solid or two. But, what about the more complicated parts you’re likely to come across?

In this article, I’m going to teach you how to reverse engineer and model those parts. Years ago, I worked for a medical device company where the business model was to duplicate out-of-patent medical products. That meant that my entire job was reverse engineering complex precision-made devices as accurately as possible. The goal was to reproduce products that were indistinguishable from the original, and because they were used for things like trauma reconstruction, it was critical that I got it right.

Continue reading “How To Reverse Engineer Mechanical Designs for 3D Modeling”

What’s Inside A Neonode Laser Sensor?

Every once in a while, you get your hands on a cool piece of hardware, and of course, it’s your first instinct to open it up and see how it works, right? Maybe see if it can be coaxed into doing just a little bit more than it says on the box? And so it was last Wednesday, when I was at the Embedded World trade fair, and stumbled on a cool touch display floating apparently in mid-air.

The display itself was a sort of focused Pepper’s Ghost illusion, reflected off of an expensive mirror made by Aska3D. I don’t know much more — I didn’t get to bring home one of the fancy glass plates — but it looked pretty good. But this display was interactive: you could touch the floating 2D projection as if it were actually there, and the software would respond. What was doing the touch response in mid-air? I’m a sucker for sensors, so I started asking questions and left with a small box of prototype Neonode zForce AIR sensor sticks to take apart.

The zForce sensors are essentially an array of IR lasers and photodiodes with some lenses that limit their field of view. The IR light hits your finger and bounces back to the photodiodes on the bar. Because the photodiodes have a limited angle over which they respond, they can be used to triangulate the distance of the finger above the display. Scanning quickly among the IR lasers and noting which photodiodes receive a reflection can locate a few fingertips in a 2D space, which explained the interactive part of the floating display. With one of these sensors, you can add a 2D touch surface to anything. It’s like an invisible laser harp that can also sense distance.

The intended purpose is fingertip detection, and that’s what the firmware is good at, but it must also be the case that it could detect the shape of arbitrary (concave) objects within its range, and that was going to be my hack. I got 90% of the way there in one night, thanks to affordable tools and free software that every hardware hacker should have in their toolbox. So read on for the unfortunate destruction of nice hardware, a tour through some useful command-line hardware-hacking tools, and gratuitous creation of animations from sniffed SPI-like data pulled off of some test points.

Continue reading “What’s Inside A Neonode Laser Sensor?”

Reverse Engineering A Bitcoin Miner

If you’re brave enough to have dipped your toes into the Wild West that is cryptocurrency, you probably know that people have long since abandoned trying to mine on their desktop computers. Farms of GPUs are all the rage now, but dedicated mining hardware has also enjoyed a following among those who are serious about their fictitious money. The state-of-the-art for such devices is moving just as rapidly as cryptocurrency itself is, which means older mining gear can now be picked up fairly cheap on the second-hand market. This is an excellent opportunity for those who want to experiment with this type of hardware and potentially utilize it for some other purpose, but first you’ve got to figure out how the thing works.

To that end, [Tomasz Wątorowski] wrote in to the tip line to tell us about the progress he’s made reverse engineering the control protocol for the Antminer S1. As is often the case, the documentation didn’t have all the details he needed, but it did have a schematic of the BM1380 chip at the heart of the device.

Performance of the Antminer S1 controlled via UART

The Antminer S1 contains 64 BM1380 chips on an internal UART bus. With the information from the schematic, [Tomasz] was able to tap into this UART bus with a USB adapter and start listening in on the conversation. He compiled a collection of commands and learned enough to be dangerous (which is always the goal here at Hackaday).

For example, he found that the could set the frequency of the BM1380 as high as he wished without any consideration for thermal overload. This could potentially allow somebody to run  the hardware to the point of destruction, à la Stuxnet.

Once he figured out how to give the hardware hashes to work on over the UART interface, he setup a little head-to-head competition between the software he wrote to command the Antminer S1 and the official control software. No drop in performance was found between his software and the real deal, which sounds like a win in our book.

Even if he can’t improve on the performance of this particular piece of outdated mining hardware, it still beats doing it by hand on a piece of paper.

Reverse Engineering the TEC-06 Battery Tester

[Syonyk] read that you could solder a few wires to a TEC-06 battery capacity tester, connect it to a TTL serial adapter, and it would interface with some Windows software via a serial port. You can buy it already enabled for serial, but since he had the non-connected version, he was interested in trying it. Not only did it work, but he took the time to reverse engineer the protocol and made a detailed write up about his findings and how he attacked the problem.

Around here, we never need an excuse to reverse engineer anything. But [Synonyk] mentions that he didn’t like using Windows-only software from China. If he wants it on Linux, or if Windows compatibility breaks with a new version, or if the software has spyware in it, he wants to be able to continue using the device. Of course, he also admits — and we get it — that he just enjoys doing it, too.

Continue reading “Reverse Engineering the TEC-06 Battery Tester”

Seek and Exploit Security Vulnerabilities in an Infusion Pump

Infusion pumps and other medical devices are not your typical everyday, off-the-shelf embedded system. Best case scenario, you will rarely, if ever, come across one in your life. So for wide-spread exploitation, chances are that they simply seem too exotic for anyone to bother exploring their weaknesses. Yet their impact on a person’s well-being makes potential security holes tremendously more severe in case someone decides to bother one day after all.

[Scott Gayou] is one of those someones, and he didn’t shy away from spending hundreds of hours of his free time inspecting the Smiths Medical Medfusion 4000 infusion pump for any possible security vulnerabilities. Looking at different angles for his threat model, he started with the physical handling of the device’s user interface. This allowed him to enable the external communication protocols settings, which in turn opened to the device’s FTP and Telnet ports. Not to give too much away, but he manages to gain access to both the file system content and — as a result of that — to the system’s login credentials. This alone can be clearly considered a success, but for [Scott], it merely opened a door that eventually resulted in desoldering the memory chips to reverse engineer the bootloader and firmware, and ultimately executing his own code on the device.

Understanding the implications of his discoveries, [Scott] waited long enough to publish his research so the manufacturer could address and handle these security issues. So kudos to him for fighting the good fight. And just in case the thought of someone gaining control over a machine that is crucial to your vitality doesn’t scare you enough yet, go ahead and imagine that device was actually implanted in your body.