Recently [Imran Haque]’s family bought the quite popular Peloton bike. After his initial skepticism melted into quiet enthusiasm, [Imran] felt his hacker curiosity begin to probe the head unit on the bike, which, despite being a lightly skinned Android tablet, has a reputation for being rather locked down. The Peloton bike will happily collect data such as heart rate from other devices but is rather reticent to broadcast any data it generates, such as cadence and power. [Imran] set out to decode and liberate the Peloton’s data by creating a device he has dubbed PeloMon. He credits the inspiration for his journey to another hacker who connected a Raspberry Pi to their bricked exercise bike.
As a first step, [Imran] began by decoding the TRRS connector that links the bike to the head unit. With the help of a multimeter and a logic analyzer, two 19200 bps 8N1 RS-232 channels (TX and RX) were identified. Once the transport layer was established, he set to work decoding the packets. By plotting the bytes in the packets and applying deductive reasoning, a rough spec was defined: the head unit requested an update every 100 ms, and the bike responded with cadence, power, or resistance data depending on the request type, with the head unit cycling round-robin through the three data types.
Once the protocol was decoded, the next step for [Imran] was to code up an emulator. It seems a strange decision to write an emulator for a device with such a simple protocol, but the reasoning is quite sound: it avoids a 20-minute bike ride every time a code change needs to be tested. [Imran] wrote both an event-driven and a timing-accurate emulator. The former runs on the same board as the PeloMon and the latter runs on a separate board (an Arduino).
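To make the poll/response shape concrete, here is an event-driven emulator of the kind described above. It is an added example, not PeloMon's code: the byte layout (delimiters, request codes, checksum) is a hypothetical placeholder chosen for illustration and is not the decoded Peloton protocol. Only the structure of the exchange comes from the write-up: the head unit polls, rotating through cadence, power and resistance, and the bike answers each poll with the requested value.

```python
"""Event-driven emulator of a poll/response serial link between a head unit
and a bike controller.  Added example, not PeloMon's code: the frame layout
below is a hypothetical placeholder, not the decoded Peloton protocol."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Hypothetical request codes and delimiters (assumptions for illustration).
REQ_CADENCE, REQ_POWER, REQ_RESISTANCE = 0x41, 0x42, 0x43
ROUND_ROBIN = (REQ_CADENCE, REQ_POWER, REQ_RESISTANCE)
START, END = 0xF1, 0xF6


def checksum(body: bytes) -> int:
    """Modulo-256 sum of the bytes between the delimiters (hypothetical)."""
    return sum(body) & 0xFF


def build_frame(kind: int, value: int) -> bytes:
    """START, kind, 16-bit little-endian value, checksum, END (6 bytes)."""
    body = bytes([kind]) + value.to_bytes(2, "little")
    return bytes([START]) + body + bytes([checksum(body), END])


def parse_frame(frame: bytes) -> Tuple[int, int]:
    """Return (kind, value); raise ValueError on bad framing or checksum."""
    if len(frame) != 6 or frame[0] != START or frame[-1] != END:
        raise ValueError("bad framing")
    body, csum = frame[1:4], frame[4]
    if checksum(body) != csum:
        raise ValueError("bad checksum")
    return body[0], int.from_bytes(body[1:3], "little")


@dataclass
class BikeEmulator:
    """The 'bike' side: answers whatever the head unit asks for, no timers."""
    cadence_rpm: int = 80
    power_w: int = 150
    resistance: int = 30

    def handle(self, request: bytes) -> bytes:
        kind, _ = parse_frame(request)
        table = {REQ_CADENCE: self.cadence_rpm,
                 REQ_POWER: self.power_w,
                 REQ_RESISTANCE: self.resistance}
        if kind not in table:
            raise ValueError(f"unknown request 0x{kind:02x}")
        return build_frame(kind, table[kind])


class HeadUnitPoller:
    """The 'head unit' side: one poll per tick, rotating through the kinds.
    On real hardware a tick is the 100 ms period; here the link is a callable
    so the exchange can be driven without a serial port or a sleep."""

    def __init__(self, link: Callable[[bytes], bytes]):
        self.link = link
        self.tick = 0
        self.latest: Dict[int, int] = {}

    def poll_once(self) -> int:
        kind = ROUND_ROBIN[self.tick % len(ROUND_ROBIN)]
        self.tick += 1
        reply_kind, value = parse_frame(self.link(build_frame(kind, 0)))
        if reply_kind != kind:
            raise ValueError("reply does not match request")
        self.latest[kind] = value
        return value


def run_polls(n: int, bike: BikeEmulator) -> List[int]:
    """Drive n polls against the emulator and return the values in order."""
    head = HeadUnitPoller(bike.handle)
    return [head.poll_once() for _ in range(n)]


if __name__ == "__main__":
    print(run_polls(6, BikeEmulator()))
```

Swapping the `link` callable for a function that writes to and reads from a real serial port is all that separates this from the timing-accurate variant, which additionally has to honour the 100 ms cadence and any inter-byte gaps.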
The hardware chosen for the PeloMon was an Adafruit Feather 32u4 Bluefruit LE. It was chosen for supporting Bluetooth LE as well as having onboard EEPROM. A level shifter lets the microcontroller talk directly to the RS-232 link on the bike. After a few pull requests to the Adafruit Bluetooth libraries and a fair bit of head-banging, [Imran] has code that advertises two Bluetooth services, one for speed and another for power. A Bluetooth serial console is also included for debugging without having to pull the circuit out.
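The two services the PeloMon advertises correspond to standard Bluetooth LE profiles, and their measurement characteristics have fixed binary layouts. The following is an added example, written independently of PeloMon's Arduino code, that encodes and decodes the Cycling Power Measurement (0x2A63) and CSC Measurement (0x2A5B) characteristics per the Bluetooth GATT specifications and derives cadence from two consecutive crank readings. The counters and event times in the readings are constructed for the demonstration.

```python
"""Encode/decode the two standard BLE characteristics a bike sensor exposes:
Cycling Power Measurement (UUID 0x2A63) and CSC Measurement (UUID 0x2A5B).
Added example, not PeloMon's code; layouts follow the Bluetooth GATT specs."""
import struct
from typing import Dict, Optional

# CSC Measurement flags (uint8)
CSC_WHEEL_PRESENT = 0x01
CSC_CRANK_PRESENT = 0x02
EVENT_TICKS_PER_SECOND = 1024  # "Last Event Time" fields count 1/1024 s


def encode_cycling_power(power_watts: int) -> bytes:
    """Flags (uint16, no optional fields) + instantaneous power (sint16)."""
    if not -32768 <= power_watts <= 32767:
        raise ValueError("power out of sint16 range")
    return struct.pack("<Hh", 0x0000, power_watts)


def decode_cycling_power(data: bytes) -> int:
    """Return instantaneous power in watts (optional fields are ignored)."""
    _flags, power = struct.unpack_from("<Hh", data, 0)
    return power


def encode_csc_crank(crank_revs: int, last_event_ticks: int) -> bytes:
    """Crank-only CSC Measurement: flags, cumulative crank revolutions
    (uint16), last crank event time (uint16, 1/1024 s).  Both wrap at 2**16,
    which is why the masks are applied here and the decoder uses deltas."""
    return struct.pack("<BHH", CSC_CRANK_PRESENT,
                       crank_revs & 0xFFFF, last_event_ticks & 0xFFFF)


def decode_csc(data: bytes) -> Dict[str, int]:
    """Decode any CSC Measurement, honouring the flags for optional fields."""
    flags = data[0]
    out, off = {"flags": flags}, 1
    if flags & CSC_WHEEL_PRESENT:
        out["wheel_revs"], out["wheel_time"] = struct.unpack_from("<IH", data, off)
        off += 6
    if flags & CSC_CRANK_PRESENT:
        out["crank_revs"], out["crank_time"] = struct.unpack_from("<HH", data, off)
        off += 4
    return out


def cadence_rpm(prev: Dict[str, int], cur: Dict[str, int]) -> Optional[float]:
    """Cadence from two consecutive crank readings; both counters may have
    wrapped, so differences are taken modulo 2**16."""
    if "crank_revs" not in prev or "crank_revs" not in cur:
        return None
    d_rev = (cur["crank_revs"] - prev["crank_revs"]) & 0xFFFF
    d_tick = (cur["crank_time"] - prev["crank_time"]) & 0xFFFF
    if d_tick == 0:
        return None  # no new crank event since the last notification
    return d_rev * 60.0 * EVENT_TICKS_PER_SECOND / d_tick


if __name__ == "__main__":
    # Constructed readings: the counter wraps between the two notifications.
    a = decode_csc(encode_csc_crank(65535, 65000))
    b = decode_csc(encode_csc_crank(65537, 66536))
    print(encode_cycling_power(150).hex(), cadence_rpm(a, b))
```

The wrap handling matters in practice: a receiver that subtracts the raw uint16 values will report a huge negative cadence once every few hours of riding, and the spec explicitly allows the event-time counter to roll over.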
The code, schematics, emulators, and research notes are all available on GitHub.
We’ve seen so many explorations of older semiconductors at the hands of [Ken Shirriff], that we know enough to expect a good read when he releases a new one. His latest doesn’t disappoint, as he delves into the workings of one of the first hand-held electronic calculators. The Sharp EL-8 from 1969 had five MOS ICs at its heart, and among them the NRD2256 keyboard/display chip is getting the [Shirriff] treatment with a decapping and thorough reverse engineering.
The basic functions of the chip are explained more easily than might be expected, since this is a relatively simple device by later standards. The fascinating part of the dissection comes in the explanation of the technology, first in introducing the reader to PMOS FETs, which required a relatively high negative voltage to operate, and then in explaining its use of four-phase logic. We’re used to static logic that holds a state depending upon its inputs, but the technologies of the day all called for an output transistor that would pull unacceptable current for a calculator. Four-phase logic solved this by building dynamic gates driven by a four-phase clock, relying on an output capacitor in the gate to hold the value. It’s a technology that lost out in the 1970s as later TTL and CMOS variants arrived that did not have the output current drain. Fascinating stuff!
[Ken] gave a talk at the Hackaday Superconference a couple of years ago, if you’ve not seen it then it’s worth a watch.
If only you could get your hands on the code to fix the broken features on your beloved electronic widget. But wait, hardware hackers have the skills to write their own firmware… as long as we can get the compiled binary into a format the hardware needs.
Luckily, we have Uri Shaked to walk us through that process. This workshop from the 2020 Hackaday Remoticon demonstrates how to decipher the encryption scheme used on the firmware binary of a 3D printer. Along the way, we learn about the tools and techniques that are useful for many encrypted binary deciphering adventures.
Continue reading “Remoticon Video: Breaking Encrypted Firmware Workshop”
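Two first-pass checks a practitioner reaches for when handed an unknown firmware image, as an added general example rather than the workshop's material: a sliding-window entropy profile, which separates plaintext and zero padding from compressed or encrypted regions, and a known-plaintext recovery of a repeating-key XOR obfuscation. Nothing here assumes anything about the printer's actual scheme; the sample image, key and plaintext are constructed in the block.

```python
"""Entropy profiling and known-plaintext repeating-key XOR recovery for an
unknown firmware image.  Added example of general techniques; the sample
data is constructed and the printer's real scheme is not assumed."""
import math
from collections import Counter
from typing import List, Optional


def shannon_entropy(block: bytes) -> float:
    """Bits per byte: 0.0 for a constant block, 8.0 for uniform bytes."""
    if not block:
        return 0.0
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())


def entropy_profile(image: bytes, window: int = 256) -> List[float]:
    """Entropy of each consecutive window; encrypted or compressed regions
    sit near 8.0, padding near 0.0, code and tables in between."""
    return [shannon_entropy(image[i:i + window])
            for i in range(0, len(image), window)]


def xor_with_key(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_xor_key(cipher: bytes, known_plain: bytes,
                    offset: int, key_len: int) -> Optional[bytes]:
    """If `known_plain` sits at `offset` and the key repeats every `key_len`
    bytes, then cipher XOR plain at those positions is the keystream.  The
    guess is rejected (None) unless every covered position agrees."""
    if len(known_plain) < key_len:
        return None
    stream = bytes(c ^ p for c, p in
                   zip(cipher[offset:offset + len(known_plain)], known_plain))
    # stream[j] == key[(offset + j) % key_len]; rotate back to file offset 0
    shift = offset % key_len
    key = bytes(stream[(k - shift) % key_len] for k in range(key_len))
    for j, s in enumerate(stream):
        if s != key[(offset + j) % key_len]:
            return None
    return key


# Constructed sample: 8 bytes of 0xFF, a "BOOT" marker, then filler.
SAMPLE_KEY = bytes.fromhex("5ac31977")
SAMPLE_PLAIN = b"\xff" * 8 + b"BOOT" + b"\x01" * 20
SAMPLE_CIPHER = xor_with_key(SAMPLE_PLAIN, SAMPLE_KEY)

if __name__ == "__main__":
    print(entropy_profile(b"\x00" * 256 + bytes(range(256))))
    print(recover_xor_key(SAMPLE_CIPHER, b"BOOT\x01\x01", 8, 4).hex())
```

One caveat the profile makes visible: a short repeating XOR key over low-entropy data leaves the entropy low, so a flat, mid-range profile with a periodic byte pattern is a hint to try the key-recovery path, while a uniform 8.0 across the whole image points at a real cipher and usually at key material that has to come from somewhere else, such as a bootloader or an update tool.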
Sometimes when a piece of electronics lands on the bench, you find that its chips have their markings sanded off. The manufacturer is trying to make the task of the reverse engineer less easy, thus protecting their market. [Maurizio Butti] found an unexpected one in an electronic switch designed for remote control systems: it had the simple job of listening to the PWM signal from a receiver in a model aircraft or similar and opening or closing a FET.
From previous experience he suspected it might be a microcontroller from STC, based on the location of the power, ground, Rx, and Tx pins. This 8051-compatible device could be readily reprogrammed, so he was able to create his own firmware for it. He’s published the code, and it’s pretty simple, as it just replicates the original behaviour. He acknowledges that this might seem odd, but makes the point that it leaves the switch open for future upgrades, for example repeatedly cycling the output as in a flashing light.
We don’t see so much of the STC chips here aside from one of their earlier offerings, but the 8051 core features here more regularly, as it’s found in the microcontroller-equipped members of Nordic’s nRF24 series of wireless-capable chips (the nRF24LE1 and nRF24LU1+, not the bare nRF24L01 radio).
You hold in your hand a circuit board from a product you didn’t make. How does the thing work? What a daunting question, but it’s both solvable and approachable if you know what you’re doing. The good news is that Eric Schlaepfer knows exactly what he’s doing and boiled down the process of reverse engineering printed circuit boards into this excellent workshop. It was presented live during the 2020 Hackaday Remoticon, and the edited video, which you’ll find below, was just published. Slides for the talk have been published on the workshop project page.
Need proof that he has skills that we all want? Last year Eric successfully reverse-engineered the legendary Sound Blaster audio card and produced his own fully-functional drop-in replacement called the Snark Barker. And then re-engineered it to work with the ancient MCA bus architecture. Whoa.
Continue reading “Remoticon Video: How To Reverse Engineer A PCB”
Where does he get such wonderful toys? [Glenn] snagged parts of a Grass Valley Kalypso 4-M/E video mixer switcher control surface from eBay and has since been reverse engineering the button and display modules to bend them to his will. The hardware dates back to the turn of the century, and the two modules would have been laid out with up to a few dozen others to complete a video mixing switcher console.
[Glenn’s] previous adventures delved into a strip of ten backlit buttons and gave us a close look at each of the keyswitches and the technique he used to pull together his own pinout and schematic of that strip. But things get a lot hairier this time around. The long strip seen above is a “machine control plane” module and includes a dozen addressable character displays, driven by a combination of microcontrollers and FPGAs. The square panel is a “Crosspoint Switch Matrix” module that includes eight individual 32 x 32 LCDs driven by three dedicated ICs that can display in red, green, or amber.
[Glenn] used an STM8 Nucleo 64 to interface with the panels and wrote a bit of code to help map out what each pin on each machine control plane connector might do. He was able to stream out some packets from the plane that changed as he pressed buttons, and ended up feeding back a brute-force of that packet format to figure out the LED display protocols.
But the LCDs on the crosspoint switch were a more difficult nut to crack. He ended up going back to the original source of the equipment (eBay) to get a working control unit that he could sniff. He laid out a man-in-the-middle board that has a connector on either side with a pin header in the middle for his logic analyzer. As with most LCDs, the secret sauce was the initialization sequence: an almost impossible thing to brute force, yet exceedingly simple to sniff when you have a working system. So far he has them running under USB control, and if you are lucky enough to have some of this gear in your parts box, [Glenn] has painstakingly recorded all of the details you need to get them up and running.
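The two button-panel techniques above, diffing captured packets against an idle baseline to map buttons to bit positions and then playing back a sweep of single-bit packets to see which bit lights which LED, are general enough to write down. This is an added example, not [Glenn]'s code; the capture bytes are constructed for the demonstration and are not the Kalypso panel's format. It also handles a practical wrinkle the paragraph does not mention: a trailing checksum changes in every capture and must be excluded from the bit map, and regenerated when packets are played back.

```python
"""Map buttons to bit positions by diffing captured packets, then generate
the single-bit sweep you would play back to identify LED bits.  Added
example of the general technique; the captures below are constructed."""
from typing import Dict, Iterable, Iterator, List, Tuple

# Constructed captures: idle packet, then one packet per button held down.
# Last byte is a modulo-256 sum of the others (a common, simple checksum).
IDLE = bytes.fromhex("aa 10 00 00 00 00 ba")
CAPTURES = {
    "KEY1": bytes.fromhex("aa 10 01 00 00 00 bb"),
    "KEY2": bytes.fromhex("aa 10 02 00 00 00 bc"),
    "KEY9": bytes.fromhex("aa 10 00 01 00 00 bb"),
}


def diff_packets(base: bytes, other: bytes) -> List[Tuple[int, int]]:
    """(byte index, XOR mask) for every byte that differs from the baseline."""
    if len(base) != len(other):
        raise ValueError("length mismatch; frame boundaries are probably wrong")
    return [(i, a ^ b) for i, (a, b) in enumerate(zip(base, other)) if a != b]


def looks_like_sum_checksum(packet: bytes) -> bool:
    """Cheap test for a trailing modulo-256 sum checksum."""
    return (sum(packet[:-1]) & 0xFF) == packet[-1]


def map_buttons(base: bytes, captures: Dict[str, bytes]) -> Dict[str, Tuple[int, int]]:
    """Return button -> (byte index, bit number).  Bytes that change in every
    capture (checksum, sequence counter) are ignored; a button that does not
    flip exactly one remaining bit is reported rather than guessed."""
    if not captures:
        raise ValueError("need at least one capture")
    diffs = {name: diff_packets(base, pkt) for name, pkt in captures.items()}
    always = set.intersection(*(set(i for i, _ in d) for d in diffs.values()))
    result: Dict[str, Tuple[int, int]] = {}
    for name, d in diffs.items():
        bits = [(i, m) for i, m in d if i not in always]
        if len(bits) != 1 or bin(bits[0][1]).count("1") != 1:
            raise ValueError(f"{name}: not a single-bit change: {bits}")
        i, m = bits[0]
        result[name] = (i, m.bit_length() - 1)
    return result


def sweep_single_bits(template: bytes, payload: Iterable[int],
                      fix_checksum: bool = True) -> Iterator[Tuple[Tuple[int, int], bytes]]:
    """Yield ((byte, bit), packet) with exactly one payload bit set on top of
    the template, regenerating the trailing sum checksum for each packet."""
    for i in payload:
        for bit in range(8):
            pkt = bytearray(template)
            pkt[i] |= 1 << bit
            if fix_checksum:
                pkt[-1] = sum(pkt[:-1]) & 0xFF
            yield (i, bit), bytes(pkt)


if __name__ == "__main__":
    print(map_buttons(IDLE, CAPTURES))
    for where, pkt in sweep_single_bits(IDLE, range(2, 6)):
        print(where, pkt.hex())
```

Each packet from the sweep is sent while watching the panel; the `(byte, bit)` that produced a visible change is the LED's address. Without a working controller to sniff, this is as far as brute force gets you, which is why the LCD initialization sequence in the paragraph above needed the man-in-the-middle capture instead.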
Taking things apart to see how they work is an important part of understanding a system, and that goes for software as much as for hardware. You can get a jump start on your firmware reverse engineering skills with Asmita Jha’s workshop which was presented live at the Hackaday Remoticon. The video has just been published, and is found below along with a bit more on what she covered in her hands-on labs.
Continue reading “Remoticon Video: Firmware Reverse Engineering Workshop With Asmita Jha”