An RF Remote Is No Match For A Logic Analyser!

September 16, 2021 by Jenny List 7 Comments

The Neewer NL660-2.4 Video Keylight has a handy remote control, which for [Tom Clement] has a major flaw in that it can’t restore the light to the state it had during its last power-on. He’s thus taken the trouble to reverse engineer it and create his own remote using a suitably-equipped Arduino clone.

The write-up is a step through primer for the would-be RF remote hacker, identifying the brains as an STM8 and the radio as an NRF24 clone before attempting to dump the firmware of the STM8. As might be expected the STM is protected, which only leaves the option of sniffing the connection between the two chips. The SPI pins are duly probed with a logic analyser, and the codes used by Neweer are extracted. As luck would have it there is a handy board called the RF Nano which is an Arduino Nano and an NRF24 in an Arduino Nano form factor, so a proof of concept remote could be written on an all-in-one module. You can find the result as a GitHub Gist, should you be curious.

We’ve seen Tom a few times before, particularly in his European BadgeLife work, as part of which he’s put a lot of effort into bringing browser-based WebUSB and WebSerial development to his work.

Teardown: Impassa SCW9057G-433 Alarm System

September 9, 2021 by Tom Nardi 15 Comments

This series of monthly teardowns was started in early 2018 as an experiment, and since you fine folks keep reading them, I keep making them. But in truth, finding a new and interesting gadget every month can sometimes be a chore. Which is why I’m always so thankful when a reader actually sends something in that they’d like to see taken apart, as it absolves me from having to make the decision myself. Of course it also means I can’t be blamed if you don’t like it, so keep that in mind as well.

Coming our way from the tropical paradise of Eastern Pennsylvania, this month’s subject is an ADT branded Impassa SCW9057G-433 alarm system that was apparently pulled off the wall when our kind patron was moving house. As you might have guessed from the model number, this unit uses 433 MHz to communicate with various sensors and devices throughout the home, and also includes a 3G cellular connection that allows it to contact the alarm monitoring service even if the phone line has been cut.

Diagram of Impassa home security setup — The alarm can connect to a wide array of 433 MHz devices.

From how many of these are on eBay, and the research I’ve done on some home alarm system forums, it appears that you can actually pick one of these up on the second-hand market and spin your own whole-house alarm system without going through a monitoring company like ADT. The extensive documentation from Impassa covers how to wire and configure the device, and as long as the system isn’t locked when you get it, it seems like wiping the configuration and starting from scratch isn’t a problem.

If it’s possible to put together your own homebrew alarm system with one of these units at the core, then it seems the least we can do is take it apart and see what kind of potentially modifiable goodies are waiting under that shiny plastic exterior.

Continue reading “Teardown: Impassa SCW9057G-433 Alarm System” →

School Surplus Laptop BIOS Hacked To Remove Hardware Restrictions

August 23, 2021 by Ryan Flowers 50 Comments

Why did [Hales] end up hacking the BIOS on a 10 year old laptop left over from an Australian education program? When your BIOS starts telling you you’re not allowed to use a particular type of hardware, you don’t have much of a choice.

Originally [Hales] planned on purchasing a used Lenovo X260 to replace his dying laptop, but his plans were wrecked. A pandemic-induced surge in demand that even the used laptop market caused prices to bloat. The need for a small and affordable laptop with a built in Ethernet port led to the purchase of a Lenovo Thinkpad x131e. Although the laptop was older than he liked, [Hales] was determined to make it work. Little did he know the right-to-repair journey he was about to embark on.

Problems first arose when the Broadcom WiFi adapter stopped working reliably. He replaced it, but the coaxial antenna cable was found to be damaged. Even after replacing the damaged cabling, the WiFi adapter was still operating very poorly. Recalling past problems with fickle Broadcom WiFi adapters, it was decided that an Intel mPCIe WiFi adapter would take its place. When power was re-applied, [Hales] was shocked to find the following message:

Unauthorized network card is plugged in – Power off and remove the miniPCI network card

And this is where things got interesting. With off the shelf SOIC8 clips and a CH340 programmer, [Hales] dumped the BIOS from the laptop’s flash chip to another computer and started hacking away. After countless hours of researching, prodding, hacking, and reverse engineering, the laptop was useful once again with the new Intel WiFi adapter. His site documents in great detail how he was able to reverse engineer the BIOS over the course of several days.

But that’s not all! [Hales] was also able to modify the hardware so that his slightly more modern mPCIe WiFi adapter would come back on after the computer had been put in Hibernation. It’s an elegant hack, and be sure to check [Hales’] site to get the full details. And at the end, there’s a nice Easter egg for anybody who’s ever wanted to make their laptop boot up with their own logo.

We applaud [Hales] for his fine efforts to keep working equipment out of the landfill. We’ve covered many hacks that had similar goals in the past. Do you have a hack you’d like to share? Submit it via the Tips Line.

Reverse Engineering A Topfield VFD Front Panel

August 14, 2021 by Tom Nardi 2 Comments

Hackers love the warm glow of a vacuum fluorescent display (VFD), and there’s no shortage of dead consumer electronics from which they can be pulled to keep our collective parts bins nicely stocked. Unfortunately, figuring out how to actually drive these salvaged modules can be tricky. But thanks to the efforts of [Lauri Pirttiaho], we now have a wealth of information about a VFD-equipped front panel used in several models of Topfield personal video recorders.

The board in question is powered by a Hynix HMS99C52S microcontroller and includes five buttons, a small four character 14-segment display, a larger eight character field, and an array of media-playback related icons. There’s also a real-time clock module onboard, as well as an IR receiver. [Lauri] tells us this same board is used in at least a half-dozen Topfield models, which should make it relatively easy to track one down.

After determining what goes where in the 6-pin connector that links the module with the recorder, a bit of poking with a logic analyzer revealed that they communicate over UART. With the commands decoded, [Lauri] was able to write a simple Python tool that lets you drive the front panel with nothing more exotic than a USB-to-serial adapter. Though keep in mind, you’ll need to provide 17 VDC on the appropriate pin of the connector to fire up the VFD.

What’s that? You don’t need the whole front panel, and just want to pull the VFD itself off the board? Not a problem. Our man [Lauri] was kind enough to document how data is passed from the Hynix microcontroller to the display itself; critical information should you want to liberate the screen from its PVR trappings.

If you manage to get your hands on one of these modules, it would be an ideal addition to a custom media streamer. Though we suppose simply turning it into a network-controlled clock would be a suitable alternative if you’re looking for something a bit easier.

Continue reading “Reverse Engineering A Topfield VFD Front Panel” →

Here’s How To Sniff Out An LCD Protocol, But How Do You Look Up The Controller?

July 30, 2021 by Mike Szczys 11 Comments

Nothing feels better than getting a salvaged component to do your bidding. But in the land of electronic displays, the process can quickly become a quagmire. For more complex displays, the secret incantation necessary just to get the things to turn on can be a non-starter. Today’s exercise targets a much simpler character display and has the added benefit of being able to sniff the data from a functioning radio unit.

When [Amen] upgraded his DAB radio he eyed the 16×2 character display for salvage. With three traces between the display and the controller it didn’t take long to trace out the two data lines using an oscilloscope. Turing on the scope’s decoding function verified his hunch that it was using I2C, and gave him plenty of data to work from. This included a device address, initialization string, and that each character was drawn on screen using two bytes on the data bus.

He says that some searching turned up the most likely hardware: a Winstar WO1602I-TFH- AT derived from an ST7032 controller. What we’re wondering is if there is a good resource for searching this kind of info? Our go-to is the LCD display and controller reference we covered here back in March. It’s a great resource, but turns up bupkis on this particular display. Are we relegated to using DuckDuckGo for initialization strings and hoping someone’s published a driver or a logic dump of these parts in the past, or is there a better way to go about this? Let us know in the comments!

Cracking A GBA Game With NSA Tools

July 16, 2021 by Bryan Cockfield 1 Comment

[Wrongbaud] is a huge fan of Japanese kaiju-style movies, including Godzilla and King Kong. In honor of the release of a new movie, he has decided to tackle a few projects to see how both of these monsters can hold their own against other legendary monsters. In this project, he is using Ghidra, named after another legendary kaiju, against the password system of the Game Boy Advance game Kong: King of Atlantis.

Since this project is a how-to, [wrongbaud] shows how to search Ghidra for existing scripts that might already have the functionality needed for GBA analysis and emulation. When not, he also illustrates how to write scripts to automate code analysis, and then moves on to cracking the level password system on the game.

The key to finding the passwords on this game was looking for values in the code that were seven characters long, and after some searching [wrongbaud] is finally able to zero in on the code responsible for handling passwords. Once found a brute force method was automated to find viable passwords, and from there the game was officially pwned. For anyone interested in security, reverse engineering, or just the way that binaries work, it’s quite the detailed breakdown. Of course, it’s not the only example we have seen that uses this software tool to extract passwords.

High-Tech Paperweight Shows Off Working 60s-era Thin-Film Electronics

July 12, 2021 by Donald Papp 9 Comments

[Ken Shirriff]’s analysis of a fascinating high-tech paperweight created by GE at the height of the space race is as informative as it is fun to look at. This device was created to show off GE’s thin-film electronics technology, and while it’s attractive enough on its own, there’s an added feature: as soon as the paperweight is picked up, it begins emitting a satellite-like rhythmic beep. It is very well-made, and was doubtlessly an impressive novelty for its time. As usual, [Ken] dives into what exactly makes it tick, and shares important history along the way.

Thin-film module with labels, thanks to [Ken]’s vintage electronics detective work. Click to enlarge.

In the clear area of the paperweight is a thin-film circuit, accompanied by a model of an early satellite. The module implements a flip-flop, and the flat conductors connect it to some additional components inside the compartment on the left, which contains a power supply and the necessary parts to create the beeps when it is picked up.

Thin-film electronics reduced the need for individual components by depositing material onto a substrate to form things like resistors and capacitors. The resulting weight and space savings could be considerable, and close-ups of the thin film module sure look like a precursor to integrated circuits. The inside of the left compartment contains a tilt switch, a battery, a vintage earphone acting as a small speaker, and a small block of components connected to the thin-film module. This block contains two oscillators made with unijunction transistors (UJTs); one to create the beep, and one to control each beep’s duration. The construction and overall design of the device is easily recognizable, although some of the parts are now obsolete.

If you’d like a bit more detail on exactly how this device worked, including circuit diagrams and historical context, be sure to click that first link, and pay attention to the notes and references at the end. One other thing that’s clear is that functional electronics embedded in clear plastic shapes simply never go out of style.