Hacking Old Honda ECUs

Automotive security specialist by day, [P1kachu] hacks his own cars as a hobby in his free time. He recently began to delve into the Engine Control Units (ECUs) of the two old Hondas that he uses to get around in Japan. Both the 1996 Integra and the 1993 Civic have similar engines but different ECU hardware. Making things more interesting, each one has a tuned EPROM, the Civic’s being of completely unknown origin.

[P1kachu] took his Civic to a shop to have some burned-out transistors replaced in the ECU, and a chance conversation with the proprietor [Tuner-san] sent him on a journey into the world of old EPROMs. [Tuner-san] pulled out an old PROM duplicator stashed away under the counter which he originally used as a kid to copy PROM chips from console games like the Famicom. These days he uses it to maintain a backup collection of old ECU chips from cars he has worked on. This piqued [P1kachu]’s curiosity, and he wondered if he could obtain the contents of the Civic’s mysterious PROM. After a false start trying to use the serial port on the back of the PROM copier, he brute-forces it: a few minutes of Googling reveals the ASCII pinout of the 27C256 EPROM, and he whips out an Arduino Mega, wires it up to the chip, and is off and running.

Advantest R4945A EPROM Duplicator c.1980s

He’s currently digging into the firmware, using IDA and a custom disassembler he wrote for the Mitsubishi M7700 family of MCUs. He started a GitHub repository for this effort, and eventually hopes to identify what has been tweaked on this mysterious ECU chip compared to factory stock. He also wants to perform a little tuning himself. We look forward to more updates as [P1kachu] posts the results of his reverse engineering efforts. We also recommend that you be like [P1kachu] and carry an Arduino, a breadboard, and some hookup wire with you at all times — you never know when they might come in handy. Be sure to check out our articles about his old Subaru hacks from 2018 if these kinds of projects interest you.

Breaking Down The USB Keyboard Interface With Old-Fashioned Pen And Paper

What is better for gaming, old PS/2 style keyboards, or modern USB devices? [Ben Eater] sets out to answer this question, but along the way he ends up breaking down the entire USB keyboard interface.

It turns out that PS/2 and USB are very, very different. A PS/2 keyboard sends your keystroke every time you press a key, as long as it has power. A USB keyboard is more polite: it won’t send your keystrokes to the PC until it asks for them.

To help us make sense of USB’s more complicated transactions, [Ben] prints out the oscilloscope trace of a USB exchange between a PC and keyboard and deciphers it using just a pen and the USB specification. We were surprised to see that USB D+ and D- lines are not just a differential pair but also have more complicated signaling behavior. To investigate how USB handles multi-key rollover, [Ben] even borrowed a fancy oscilloscope that automatically decodes the USB data packets.

It turns out that newer isn’t always better—the cheap low-speed USB keyboard [Ben] tested is much slower than his trusty PS/2 model, and even a much nicer keyboard that uses the faster full-speed USB protocol is still only just about as fast as PS/2.

If you’d like to delve deeper into keyboard protocols, check out [Ben]’s guide to the PS/2 keyboard interface, complete with a breadboarded hardware decoder. If these keyboards have too many keys for your taste, you might consider this USB Morse code keyboard. Thanks to Peter Martin for the Tip!

Cloned Memory Module Fixes Broken Scopemeter

Finding broken test gear and fixing it up to work again is a time-honored tradition among hackers. If you’re lucky, that eBay buy will end up being DOA because of a popped fuse or a few bad capacitors, and a little work with snips and a soldering iron will earn you a nice piece of test gear and bragging rights to boot.

Some repairs, though, are in a class by themselves, like this memory module transplant for a digital scopemeter. The story began some time ago when [FeedbackLoop] picked up a small lot of broken Fluke 199C scopemeters from eBay. They were listed as “parts only”, which is never a good sign, and indeed the meters were in various states of disassembly and incompleteness.

The subject of the video below was missing several important bits, like a battery and a power connector, but most critically, its memory module. Luckily, the other meter had a good module, making reverse engineering possible. That effort started with liberating the two RAM chips and two flash chips, all of which were in BGA packages, from the PCB. From there each chip went into a memory programmer to read its image, which was then written to new chips. The chip-free board was duplicated — a non-trivial task for a six-layer PCB — and new ones ordered. After soldering on the programmed chips and a few passives, the module was plugged in, making the meter as good as new.

While we love them all, it’s clear that there are many camps of test gear collectors. You’ve got your Fluke fans, your H-P aficionados, the deep-pocketed Keithley crowd — but everyone loves Tektronix.


Super Mario Bros. 35 Lives Again With A Fan-Made Server

If you liked playing Super Mario Bros. 35, the unique multiplayer battle royale Mario game that Nintendo released last year on the Switch to celebrate 35 years since the original NES version of Super Mario Bros., then it’s likely that you have been disappointed since April. The gaming giant ended support and removed the game’s servers once its 35-year celebrations were over, leaving the game’s players hanging. Happily there’s a solution, because [Kinnay] has presented a reverse-engineered Nintendo game server replacement along with a game patch that should keep gamers in multi-Mario fun forever.

While it’s a boon for fans of this particular game, the real value here is in introducing us to the reverse engineering work on those Nintendo servers. We learn about their various foibles over several generations of console, and perhaps most importantly we learn something of their inner workings.

Usually when a game server is turned off it’s because the platform it supports is so ancient as to have hardly any users. This time-limited game on an up-to-date platform is unusual then, but since it was made available to subscribers to Nintendo’s online service for free it’s less of a surprise. Certainly not in the same class as the loss of servers for an entire platform.

Thanks [Digiaap] for the tip.

Header image: Elvis untot, CC BY-SA 4.0.

An Exercise In Firmware Dumping With The GreatFET

Looking to hone his hardware hacking skills, [James Chambers] recently set out to reverse engineer a common cheap wireless keyboard: the Logitech K360. The chipset it uses has already been fairly well explored (and exploited) by security researchers, but the goal here was more about gaining some practical hands-on experience than it was breaking any new ground.

The first post in what we’re sure will be a fascinating series deals with dumping the board’s firmware using the GreatFET. We actually haven’t seen too many projects that showcase the capabilities of this highly capable open hardware multi-tool, so the post serves as a nice demonstration of how one goes about writing the necessary Python scripts to put it to work in a practical scenario.

Some promising bytes.

Of course, even with the best of tools, there’s always a few stumbling blocks. After identifying what was clearly some kind of programming header on the K360’s diminutive PCB, it took a few failed attempts at reading the firmware before [James] realized he needed to tap into more pins on the keyboard’s nRF24LE1 microcontroller. Once everything was physically wired up, he wrote some code for the GreatFET that would perform the proper incantations on the chip’s PROG and RESET pins to enable its programming interface.

[James] goes on to explain how you can pull some extended chip information out of the hardware and verify the contents of the firmware dump with Ghidra, but any more advanced analysis will have to wait until the next post in the series. In the meantime, if you like reading about hardware hacking from this “over the shoulder” viewpoint, you should check out some of the fantastic work that [wrongbaud] has sent in over the last year or so.
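As an added example (not code from either post), here are the sanity checks a practitioner runs on a raw dump before handing it to a disassembler, covering both the keyboard dump here and the ECU EPROM above: repeated reads must agree byte for byte, a per-block map shows erased, blank and low-entropy regions, and a byte-range diff locates what a tuned image changes relative to stock. The sample images are constructed; the 3.0 bits/byte threshold is an assumed rule of thumb.

```python
import math
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant block, 8.0 for uniform bytes."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def classify_blocks(image: bytes, block: int = 256) -> list:
    """Per-block map: 'erased' (all 0xFF), 'zero' (all 0x00, usually a wiring or
    enable-pin fault rather than real content), 'data' (low entropy) or 'code/high'."""
    labels = []
    for off in range(0, len(image), block):
        chunk = image[off:off + block]
        if chunk == b"\xff" * len(chunk):
            labels.append("erased")
        elif chunk == b"\x00" * len(chunk):
            labels.append("zero")
        else:
            labels.append("data" if shannon_entropy(chunk) < 3.0 else "code/high")
    return labels

def diff_ranges(a: bytes, b: bytes) -> list:
    """Half-open [start, end) byte ranges where two same-size images differ."""
    if len(a) != len(b):
        raise ValueError("images differ in size: %d vs %d" % (len(a), len(b)))
    ranges, start = [], None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y and start is None:
            start = i
        elif x == y and start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, len(a)))
    return ranges

def reads_agree(dumps: list) -> bool:
    """Repeated reads of one chip must match byte for byte; if not, suspect wiring or timing."""
    return all(d == dumps[0] for d in dumps[1:])

# Constructed sample images (not real ECU or keyboard firmware): 1 KiB of code-like
# bytes, a 512-byte table-like region, an erased 512-byte tail, and a 'tuned' copy.
STOCK = bytes(range(256)) * 4 + bytes(0x20 + i % 4 for i in range(512)) + b"\xff" * 512
_t = bytearray(STOCK)
_t[0x410:0x414] = b"\x30\x30\x30\x30"  # four patched table cells
_t[0x500] = 0x99                        # one more patched byte
TUNED = bytes(_t)
```

Run `classify_blocks(STOCK)` and `diff_ranges(STOCK, TUNED)` on your own two images; a dump whose blocks are all "zero" or all "erased" is a wiring problem, not a blank chip.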

Investigating A New Chip In A Minimalist LED Lamp

Teardowns of cheap electronic devices can produce results that are interesting, horrifying, or both, especially when mains power is involved. [bigclivedotcom] gave a minimalist LED lamp his reverse engineering treatment, and discovered a new chip that requires only four additional passive components to run LEDs on AC power.

The chip in question is a Joulewatt JWB1981, for which no datasheet is available on the internet. However, there is a datasheet for the JW1981, which is a linear LED driver. After reverse-engineering the PCB, [bigclivedotcom] concluded that the JWB1981 must include an onboard bridge rectifier. The only other components on the board are three resistors, a capacitor, and LEDs. The first resistor limits the inrush current to the large smoothing capacitor. The second resistor is to discharge the capacitor, while the final resistor sets the current output of the regulator.

It is possible to eliminate the smoothing capacitor and discharge resistor, as other LED circuits have done, which also allows the light to be dimmable. However, this results in a very annoying flicker of the LEDs at the AC frequency, especially at low brightness settings.

As always, this is a very informative video from [bigclivedotcom], and it was all done based on a single picture of the PCB sent in by a viewer. He also mentions that the lifespan of the lamp would likely be increased by swapping out the current setting resistor for a larger one.

We’ve covered several of [bigclivedotcom]’s videos, on topics ranging from self-powered wireless switches to filling up fake capacitors with electrolyte.


ESP8266 Adds WiFi To A 433 MHz Weather Station

There’s no shortage of cheap weather stations on the market that pull in data from several wireless sensors running in the 433 to 900 MHz range and present you with a slick little desktop display, but that’s usually where the flow of information stops. Looking to bridge the gap and bring all that local climate data onto the Internet, [Jonathan Diamond] decided to reverse engineer how his weather station worked.

The first phase of this project involved an RTL-SDR receiver, GNU Radio, and a sprinkling of Python. [Jonathan] was able to lock onto the signal and piece together the data packets that reported variables such as temperature, wind speed, and rainfall. Each one of these was a small puzzle in itself, and in the end, there are still a few bits which he hasn’t quite figured out. But he at least had enough to move on to the next step.

Tapping into the radio module.

Now at this point, he could have pulled the data right out of the air with his RTL-SDR. But looking to push his skills to the next level, [Jonathan] decided to open up the base station and isolate its receiver. Since he already decoded the packets on the RF side, he knew exactly what he was looking for with his oscilloscope and logic analyzer. Once he was tapped into the feed coming from the radio, the final step was writing some code for the ESP8266 that could listen on the line, interpret the data packets, and push the resulting variables out over the network.

In this case, [Jonathan] decided to funnel all the data into Weather Underground by way of the Personal Weather Station API. This not only let him view the data through their web interface and smartphone application, but brought their hyperlocal forecasting technology into the mix at no extra charge. If you’re not interested in sharing your info with the public, it would be a trivial matter to change the firmware so the data is published to a local MQTT broker, or whatever else floats your proverbial boat.

If you’re really lucky, your own weather station may already have an ESP8266 onboard and be dumping all its collected data to the serial port. But if not, projects like this one that break down how to reverse engineer a wireless signal can be a great source of inspiration and guidance should you decide to try and crack the code.