School Surplus Laptop BIOS Hacked To Remove Hardware Restrictions

Why did [Hales] end up hacking the BIOS on a 10 year old laptop left over from an Australian education program? When your BIOS starts telling you you’re not allowed to use a particular type of hardware, you don’t have much of a choice.

Originally [Hales] planned on purchasing a used Lenovo X260 to replace his dying laptop, but his plans were wrecked. A pandemic-induced surge in demand that reached even the used laptop market caused prices to bloat. The need for a small and affordable laptop with a built-in Ethernet port led to the purchase of a Lenovo Thinkpad x131e. Although the laptop was older than he liked, [Hales] was determined to make it work. Little did he know the right-to-repair journey he was about to embark on.

Problems first arose when the Broadcom WiFi adapter stopped working reliably. He replaced it, but the coaxial antenna cable was found to be damaged. Even after replacing the damaged cabling, the WiFi adapter was still operating very poorly. Recalling past problems with fickle Broadcom WiFi adapters, it was decided that an Intel mPCIe WiFi adapter would take its place. When power was re-applied, [Hales] was shocked to find the following message:

Unauthorized network card is plugged in – Power off and remove the miniPCI network card

And this is where things got interesting. With off-the-shelf SOIC8 clips and a CH340 programmer, [Hales] dumped the BIOS from the laptop’s flash chip to another computer and started hacking away. After countless hours of researching, prodding, hacking, and reverse engineering, the laptop was useful once again with the new Intel WiFi adapter. His site documents in great detail how he was able to reverse engineer the BIOS over the course of several days.

But that’s not all! [Hales] was also able to modify the hardware so that his slightly more modern mPCIe WiFi adapter would come back on after the computer had been put in Hibernation. It’s an elegant hack, and be sure to check [Hales’] site to get the full details. And at the end, there’s a nice Easter egg for anybody who’s ever wanted to make their laptop boot up with their own logo.

We applaud [Hales] for his fine efforts to keep working equipment out of the landfill. We’ve covered many hacks that had similar goals in the past. Do you have a hack you’d like to share? Submit it via the Tips Line.

Reverse Engineering A Topfield VFD Front Panel

Hackers love the warm glow of a vacuum fluorescent display (VFD), and there’s no shortage of dead consumer electronics from which they can be pulled to keep our collective parts bins nicely stocked. Unfortunately, figuring out how to actually drive these salvaged modules can be tricky. But thanks to the efforts of [Lauri Pirttiaho], we now have a wealth of information about a VFD-equipped front panel used in several models of Topfield personal video recorders.

The board in question is powered by a Hynix HMS99C52S microcontroller and includes five buttons, a small four character 14-segment display, a larger eight character field, and an array of media-playback related icons. There’s also a real-time clock module onboard, as well as an IR receiver. [Lauri] tells us this same board is used in at least a half-dozen Topfield models, which should make it relatively easy to track one down.

After determining what goes where in the 6-pin connector that links the module with the recorder, a bit of poking with a logic analyzer revealed that they communicate over UART. With the commands decoded, [Lauri] was able to write a simple Python tool that lets you drive the front panel with nothing more exotic than a USB-to-serial adapter. Though keep in mind, you’ll need to provide 17 VDC on the appropriate pin of the connector to fire up the VFD.

What’s that? You don’t need the whole front panel, and just want to pull the VFD itself off the board? Not a problem. Our man [Lauri] was kind enough to document how data is passed from the Hynix microcontroller to the display itself; critical information should you want to liberate the screen from its PVR trappings.

If you manage to get your hands on one of these modules, it would be an ideal addition to a custom media streamer. Though we suppose simply turning it into a network-controlled clock would be a suitable alternative if you’re looking for something a bit easier.


Here’s How To Sniff Out An LCD Protocol, But How Do You Look Up The Controller?

Nothing feels better than getting a salvaged component to do your bidding. But in the land of electronic displays, the process can quickly become a quagmire. For more complex displays, the secret incantation necessary just to get the things to turn on can be a non-starter. Today’s exercise targets a much simpler character display and has the added benefit of being able to sniff the data from a functioning radio unit.

When [Amen] upgraded his DAB radio he eyed the 16×2 character display for salvage. With three traces between the display and the controller, it didn’t take long to trace out the two data lines using an oscilloscope. Turning on the scope’s decoding function verified his hunch that it was using I2C, and gave him plenty of data to work from. This included a device address, an initialization string, and the fact that each character was drawn on screen using two bytes on the data bus.

He says that some searching turned up the most likely hardware: a Winstar WO1602I-TFH-AT derived from an ST7032 controller. What we’re wondering is if there is a good resource for searching this kind of info? Our go-to is the LCD display and controller reference we covered here back in March. It’s a great resource, but turns up bupkis on this particular display. Are we relegated to using DuckDuckGo for initialization strings and hoping someone’s published a driver or a logic dump of these parts in the past, or is there a better way to go about this? Let us know in the comments!
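
A sketch of how a decoded I2C capture like the one described above can be replayed to recover what the display showed. This is an added example, not code from [Amen]'s write-up: it assumes the ST7032 control-byte layout (bit 7 Co, bit 6 RS) and the 7-bit address 0x3E, and the capture is constructed sample data.

```python
# Added example: replay sniffed I2C writes against a model of an ST7032-style
# 16x2 character LCD. CAPTURE is constructed sample data, not from the radio.
LCD_ADDR = 0x3E        # assumed 7-bit address (ST7032 datasheet default)
LINE2_BASE = 0x40      # DDRAM address where the second line starts
COLS = 16

def split_payload(payload):
    """Yield (is_data, byte). Control byte: bit7 = Co, bit6 = RS."""
    i = 0
    while i < len(payload):
        is_data = bool(payload[i] & 0x40)   # RS=1: display data, RS=0: instruction
        if not payload[i] & 0x80:           # Co=0: the rest is one stream
            for b in payload[i + 1:]:
                yield is_data, b
            return
        if i + 1 < len(payload):            # Co=1: one byte, then a new control byte
            yield is_data, payload[i + 1]
        i += 2

def replay(transactions, lcd_addr=LCD_ADDR):
    """Return ([line1, line2], instruction_bytes) after replaying the capture."""
    ddram, cursor, instructions = {}, 0, []
    for addr, payload in transactions:
        if addr != lcd_addr:
            continue                        # traffic for another device on the bus
        for is_data, b in split_payload(payload):
            if is_data:
                ddram[cursor] = chr(b) if 0x20 <= b < 0x7F else "?"
                cursor = (cursor + 1) & 0x7F
            else:
                instructions.append(b)
                if b == 0x01:               # Clear Display
                    ddram, cursor = {}, 0
                elif b & 0x80:              # Set DDRAM Address
                    cursor = b & 0x7F
    lines = ["".join(ddram.get(row * LINE2_BASE + c, " ") for c in range(COLS)).rstrip()
             for row in range(2)]
    return lines, instructions

CAPTURE = (
    [(0x3E, bytes([0x00, 0x38, 0x0C, 0x01]))]          # instruction burst
    + [(0x3E, bytes([0x40, ch])) for ch in b"DAB"]      # two bytes per character
    + [(0x50, bytes([0x00, 0x10]))]                     # unrelated device, ignored
    + [(0x3E, bytes([0x80, 0xC0, 0x40]) + b"BBC R4")]   # Co=1 instruction, then data
)

if __name__ == "__main__":
    print(replay(CAPTURE))
```

The returned instruction list is the part worth searching for: an initialization sequence is often more distinctive than the part number printed on the module.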

Cracking A GBA Game With NSA Tools

[Wrongbaud] is a huge fan of Japanese kaiju-style movies, including Godzilla and King Kong. In honor of the release of a new movie, he has decided to tackle a few projects to see how both of these monsters can hold their own against other legendary monsters. In this project, he is using Ghidra, named after another legendary kaiju, against the password system of the Game Boy Advance game Kong: King of Atlantis.

Since this project is a how-to, [wrongbaud] shows how to search Ghidra for existing scripts that might already have the functionality needed for GBA analysis and emulation. When not, he also illustrates how to write scripts to automate code analysis, and then moves on to cracking the level password system on the game.

The key to finding the passwords on this game was looking for values in the code that were seven characters long, and after some searching [wrongbaud] is finally able to zero in on the code responsible for handling passwords. Once found, a brute-force method was automated to find viable passwords, and from there the game was officially pwned. For anyone interested in security, reverse engineering, or just the way that binaries work, it’s quite the detailed breakdown. Of course, it’s not the only example we have seen that uses this software tool to extract passwords.

High-Tech Paperweight Shows Off Working 60s-era Thin-Film Electronics

[Ken Shirriff]’s analysis of a fascinating high-tech paperweight created by GE at the height of the space race is as informative as it is fun to look at. This device was created to show off GE’s thin-film electronics technology, and while it’s attractive enough on its own, there’s an added feature: as soon as the paperweight is picked up, it begins emitting a satellite-like rhythmic beep. It is very well-made, and was doubtlessly an impressive novelty for its time. As usual, [Ken] dives into what exactly makes it tick, and shares important history along the way.

Thin-film module with labels, thanks to [Ken]’s vintage electronics detective work.

In the clear area of the paperweight is a thin-film circuit, accompanied by a model of an early satellite. The module implements a flip-flop, and the flat conductors connect it to some additional components inside the compartment on the left, which contains a power supply and the necessary parts to create the beeps when it is picked up.

Thin-film electronics reduced the need for individual components by depositing material onto a substrate to form things like resistors and capacitors. The resulting weight and space savings could be considerable, and close-ups of the thin film module sure look like a precursor to integrated circuits. The inside of the left compartment contains a tilt switch, a battery, a vintage earphone acting as a small speaker, and a small block of components connected to the thin-film module. This block contains two oscillators made with unijunction transistors (UJTs); one to create the beep, and one to control each beep’s duration. The construction and overall design of the device is easily recognizable, although some of the parts are now obsolete.

If you’d like a bit more detail on exactly how this device worked, including circuit diagrams and historical context, be sure to click that first link, and pay attention to the notes and references at the end. One other thing that’s clear is that functional electronics embedded in clear plastic shapes simply never go out of style.

Hacking Old Honda ECUs

An automotive security specialist by day, [P1kachu] hacks his own cars as a hobby in his free time. He recently began to delve into the Engine Control Units (ECUs) of the two old Hondas that he uses to get around in Japan. Both the 1996 Integra and the 1993 Civic have similar engines but different ECU hardware. Making things more interesting, each one has a tuned EPROM, the Civic’s being of completely unknown origin.

[P1kachu] took his Civic to a shop to have some burned-out transistors replaced in the ECU, and a chance conversation with the proprietor [Tuner-san] sent him on a journey into the world of old EPROMs. [Tuner-san] pulled out an old PROM duplicator stashed away under the counter which he originally used as a kid to copy PROM chips from console games like the Famicom. These days he uses it to maintain a backup collection of old ECU chips from cars he has worked on. This piqued [P1kachu]’s curiosity, and he wondered if he could obtain the contents of the Civic’s mysterious PROM. After a false start trying to use the serial port on the back of the PROM copier, he brute-forces it. A few minutes of Googling reveals the ASCII pinout of the 27C256 EPROM, and he whips out an Arduino Mega, wires it up to the chip, and is off and running.

Advantest R4945A EPROM Duplicator c.1980s

He’s currently digging into the firmware, using IDA and a custom disassembler he wrote for the Mitsubishi M7700 family of MCUs. He started a GitHub repository for this effort, and eventually hopes to identify what has been tweaked on this mysterious ECU chip compared to factory stock. He also wants to perform a little tuning himself. We look forward to more updates as [P1kachu] posts the results of his reverse engineering efforts. We also recommend that you be like [P1kachu] and carry an Arduino, a breadboard, and some hookup wire with you at all times — you never know when they might come in handy. Be sure to check out our articles about his old Subaru hacks from 2018 if these kinds of projects interest you.

Breaking Down The USB Keyboard Interface With Old-Fashioned Pen And Paper

What is better for gaming, old PS/2 style keyboards, or modern USB devices? [Ben Eater] sets out to answer this question, but along the way he ends up breaking down the entire USB keyboard interface.

It turns out that PS/2 and USB are very, very different. A PS/2 keyboard sends your keystroke every time you press a key, as long as it has power. A USB keyboard is more polite: it won’t send your keystrokes until the PC asks for them.

To help us make sense of USB’s more complicated transactions, [Ben] prints out the oscilloscope trace of a USB exchange between a PC and keyboard and deciphers it using just a pen and the USB specification. We were surprised to see that USB D+ and D- lines are not just a differential pair but also have more complicated signaling behavior. To investigate how USB handles multi-key rollover, [Ben] even borrowed a fancy oscilloscope that automatically decodes the USB data packets.

It turns out that newer isn’t always better—the cheap low-speed USB keyboard [Ben] tested is much slower than his trusty PS/2 model, and even a much nicer keyboard that uses the faster full-speed USB protocol is still only just about as fast as PS/2.

If you’d like to delve deeper into keyboard protocols, check out [Ben]’s guide to the PS/2 keyboard interface, complete with a breadboarded hardware decoder. If these keyboards have too many keys for your taste, you might consider this USB Morse code keyboard. Thanks to Peter Martin for the Tip!