Ground Off Part Number Leads To Chip Detective Work

Sometimes when a piece of electronics lands on the bench, you find that its chips have had their markings sanded off. The manufacturer is trying to make the reverse engineer's job harder, thus protecting their market. [Maurizio Butti] found an unexpected one in an electronic switch designed for remote control systems; it had the simple job of listening to the PWM signal from a receiver in a model aircraft or similar and opening or closing a FET.

From previous experience he suspected it might be a microcontroller from STC, based on the location of the power, ground, Rx, and Tx pins. This 8051-compatible device could be readily reprogrammed, so he was able to create his own firmware for it. He's published the code, and it's pretty simple, as it just replicates the original. He acknowledges that this might seem odd, but makes the point that it leaves the door open for future upgrades, for example repeatedly cycling the output as in a flashing light.

We don't see so much of the STC chips here aside from one of their earlier offerings, but the 8051 core features here more regularly, as it's found in Nordic's nRF24 series of wireless-capable chips.

Remoticon Video: How To Reverse Engineer A PCB

You hold in your hand a circuit board from a product you didn’t make. How does the thing work? What a daunting question, but it’s both solvable and approachable if you know what you’re doing. The good news is that Eric Schlaepfer knows exactly what he’s doing and boiled down the process of reverse engineering printed circuit boards into this excellent workshop. It was presented live during the 2020 Hackaday Remoticon, and the edited video, which you’ll find below, was just published. Slides for the talk have been published on the workshop project page.

Need proof that he has skills that we all want? Last year Eric successfully reverse-engineered the legendary Sound Blaster audio card and produced his own fully-functional drop-in replacement called the Snark Barker. And then re-engineered it to work with the ancient MCA bus architecture. Whoa.


Taking Over The Amazing Control Panel Of A Vintage Video Switcher

Where does he get such wonderful toys? [Glen] snagged parts of a Grass Valley Kalypso 4-M/E video mixer switcher control surface from eBay and has since been reverse engineering the button and display modules to bend them to his will. The hardware dates back to the turn of the century, and the two modules would have been laid out with up to a few dozen others to complete a video mixing switcher console.

[Glen's] previous adventures delved into a strip of ten backlit buttons and gave us a close look at each of the keyswitches and the technique he used to pull together his own pinout and schematic of that strip. But things get a lot hairier this time around. The long strip seen above is a "machine control plane" module and includes a dozen addressable character displays, driven by a combination of microcontrollers and FPGAs. The square panel is a "Crosspoint Switch Matrix" module that includes eight individual 32 x 32 LCDs driven by three dedicated ICs that can display in red, green, or amber.

[Glen] used an STM8 Nucleo-64 to interface with the panels and wrote a bit of code to help map out what each pin on each machine control plane connector might do. He was able to stream out some packets from the plane that changed as he pressed buttons, and ended up brute-forcing that packet format by feeding packets back to the module to work out the LED display protocols.

But the LCDs on the crosspoint switch were a more difficult nut to crack. He ended up going back to the original source of the equipment (eBay) to get a working control unit that he could sniff. He laid out a man-in-the-middle board that has a connector on either side with a pin header in the middle for his logic analyzer. As with most LCDs, the secret sauce was the initialization sequence — an almost impossible thing to brute force, yet exceedingly simple to sniff when you have a working system. So far he has them running under USB control, and if you are lucky enough to have some of this gear in your parts box, [Glen] has painstakingly recorded all of the details you need to get them up and running.

Remoticon Video: Firmware Reverse Engineering Workshop With Asmita Jha

Taking things apart to see how they work is an important part of understanding a system, and that goes for software as much as for hardware. You can get a jump start on your firmware reverse engineering skills with Asmita Jha’s workshop which was presented live at the Hackaday Remoticon. The video has just been published, and is found below along with a bit more on what she covered in her hands-on labs.


Scratching That Itch

I did something silly. I bought a lot of ten “broken” cheesy indoor quadcopters on eBay — to hopefully cobble one working one together and to amuse my son. At this point, I’ve got eight working. The bad news is that they all come with dirt-cheap transmitters that aren’t really conducive to flying at all. They’d be a lot more fun if they could be controlled with a real remote. Enter the hackers.

Most all of the cheap quads are based on one of a handful of radio chipsets, although they use different protocols. An enterprising hacker could conceivably just bundle together this handful of radio modules, and the rest would be a simple matter of software. That’s exactly what Pascal Langer’s DIY Multiprotocol TX and supporting firmware does. This hobby project was so successful that compatible hardware is manufactured by more than a few Chinese companies, and non-geeks have them installed in their radios. The module lets you control virtually anything that uses 2.4 GHz. Of course, I’ve got one of them.

I opened up the cheesy drone’s transmitter, found that it used a popular chipset, and worked through all the different supported protocols that used it. No dice. But the radio module did have nicely labeled SPI lines, so I reached out to Pascal. A couple of Sigrok sessions later, he’d figured out that it was trying to bind on a different channel, I’d recompiled the firmware, and was playing with the drone’s other functions.

I just love a good SPI-sniffing session. sigrok-cli -d fx2lafw -c samplerate=4000000 -P spi:clk=D0:mosi=D1:cs=D2 -A spi="mosi transfer" --continuous | grep A0 | uniq reads the SPI lines, decodes the packets, filters out the commands, and removes duplicates, in real-time. All that’s left to do is wiggle the sticks, mash buttons, and take good notes.

None of this was hard, and certainly none of it was expensive. I got my drones under the control of my fancy-schmancy remote, and have a good foothold into controlling them algorithmically later on thanks to everyone’s previous work on reverse engineering these protocols. Support for DF Drone’s SkyTumbler will be included in the next DIY Multiprotocol TX release, and I spent about four or five pleasant hours on this project. Maybe only a handful of people will stumble on this particular protocol — or maybe it will just be me. I did it mostly just to scratch my own particular itch.

But that’s one way open source works, thrives, and grows. Here’s to you all out there, from the Deviation team, who did a lot of the early drone protocol reverse engineering, to Pascal for the DIY Module, to the Sigrok folks who made the tools accessible for me to piggyback on everyone’s previous work. Keep on hacking!
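The SPI-sniffing pipeline above does its filtering with grep and uniq; the next step, noting which bytes move when you wiggle a stick, is done by hand. The following script is an added example, not code from the article or from the DIY Multiprotocol TX project, that automates that note-taking: it parses sigrok-cli's "mosi transfer" annotation lines, keeps only transfers starting with a chosen prefix byte, drops consecutive duplicates (as uniq does), and reports which byte positions changed between successive packets. It assumes the decoder output has the shape "spi-1: A0 00 80 ..." (one transfer per line, hex bytes separated by spaces); the packet bytes in the sample are constructed, not captured from any real transmitter.

```python
"""Parse sigrok-cli SPI 'mosi transfer' annotations, drop repeated
consecutive transfers, and show which bytes change between packets.

Added example for protocol note-taking; the sample lines below are
constructed and the "spi-1: <hex bytes>" line format is an assumption
about sigrok-cli's annotation output."""
import re
import sys
from typing import List, Optional, Tuple

# Constructed sample of `sigrok-cli ... -A spi="mosi transfer"` output.
# Byte values are made up: an A0-prefixed packet whose byte 5 (a stick
# axis, say) moves, then byte 3 moves once.
SAMPLE_LINES = """\
spi-1: 05 3F
spi-1: A0 00 80 80 80 7F 10
spi-1: A0 00 80 80 80 7F 10
spi-1: A0 00 80 80 80 7F 10
spi-1: 05 3F
spi-1: A0 00 80 80 80 90 10
spi-1: A0 00 80 80 80 A5 10
spi-1: A0 00 80 80 80 A5 10
spi-1: A0 00 80 85 80 A5 10
"""

# Accepts "<decoder-id>: <hex bytes>"; anything else (status chatter,
# other decoders) is skipped rather than treated as an error.
LINE_RE = re.compile(
    r"^(?P<decoder>[\w-]+):\s*(?P<bytes>(?:[0-9A-Fa-f]{2}\s*)+)$"
)


def parse_transfers(text: str, prefix: Optional[bytes] = None) -> List[bytes]:
    """Extract each MOSI transfer as bytes, optionally keeping only
    transfers that begin with `prefix` (the grep A0 step)."""
    transfers = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        data = bytes.fromhex(m.group("bytes").replace(" ", ""))
        if prefix is not None and not data.startswith(prefix):
            continue
        transfers.append(data)
    return transfers


def dedupe_consecutive(transfers: List[bytes]) -> List[bytes]:
    """Collapse runs of identical transfers, like `uniq`."""
    out: List[bytes] = []
    for t in transfers:
        if not out or out[-1] != t:
            out.append(t)
    return out


def changed_positions(prev: bytes, cur: bytes) -> List[Tuple[int, Optional[int], Optional[int]]]:
    """Return (index, old, new) for every byte that differs; a missing
    byte (length change) is reported as None."""
    diffs = []
    for i in range(max(len(prev), len(cur))):
        a = prev[i] if i < len(prev) else None
        b = cur[i] if i < len(cur) else None
        if a != b:
            diffs.append((i, a, b))
    return diffs


def analyse(text: str, prefix: bytes = b"\xa0"):
    """Run the whole pipeline; returns the unique transfers and, for each
    transition, the packet's hex and the list of changed positions."""
    uniq = dedupe_consecutive(parse_transfers(text, prefix))
    report = []
    for prev, cur in zip(uniq, uniq[1:]):
        report.append((cur.hex(" ").upper(), changed_positions(prev, cur)))
    return uniq, report


if __name__ == "__main__":
    # Pipe sigrok-cli output in, or run without input to use the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LINES
    uniq, report = analyse(text)
    print(f"{len(uniq)} unique transfers")
    for packet, diffs in report:
        changes = ", ".join(f"byte {i}: {a:#04x}->{b:#04x}" for i, a, b in diffs)
        print(f"{packet}   changed {changes}")
```

Piped after the sigrok-cli command in place of the grep and uniq stages, it prints one line per distinct packet with the byte positions that moved, which is usually enough to tell a stick axis from a button bitmask or a counter.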

Rolling Your Own TiVo WiFi Adapter

The only thing more surprising than finding out TiVo actually put out a new 4K set-top box recently is learning that somehow they didn’t bother to build WiFi into the thing. You’re forced to buy a special wireless adapter to the tune of $60 USD to add the feature. We’d make a joke about the company living in the past, but frankly, it would be too easy.

Having to buy just one of these expensive dongles in 2020 would be insulting enough, but TiVo superfan [xxbiohazrdxx] needed four of them. Rather than hand nearly $250 to the antennae-headed overlords, they decided to reverse engineer the adapter and produce their own low-cost version. While the final result might not be as slim and svelte as the original, it does come in at less than 1/4 the price.

Operating under the assumption that the TiVo would only talk to a WiFi adapter based on the same Broadcom BCM43569 chipset used in the official one, [xxbiohazrdxx] started by trying to find a standard USB dongle that might be a drop-in replacement. Unfortunately, it looks like this particular chip was almost exclusively used in proprietary applications, most commonly as a WiFi board inside of smart TVs. But as it turns out, that wasn’t necessarily a deal breaker.

After some searching, [xxbiohazrdxx] eventually found the promising CyberTAN NU361-HS board. Not only was it based on the right chipset and able to run from 5 volts, but its FCC ID entry had a complete pinout for the connector. This particular WiFi module is used in a number of budget TVs and is widely available as a spare part for less than $10. By combining the board and a USB breakout PCB inside a 3D printed case, you've got a plug-and-play WiFi adapter that the TiVo thinks is the real deal.

There was a time when Hackaday was flooded with TiVo hacks, but it’s now been more than a decade since cheap carrier-provided DVRs ate the company’s lunch. Realistically, there’s an excellent chance that this post will be the only time a mention of the once-mighty DVR graces the front page in 2020. While the reign of the TiVo might be at its end, the impact it had as one of the first Linux-powered consumer devices will be etched in hacker history forever.

The Cable Modem To SDR Transformation

What do you do with an old cable modem in a closet? If you are [stdw] you reverse engineer it and turn it into a software-defined radio. The modem in question was a Motorola MB7220. After looking at a similar project using a different modem, it seemed like it should be doable.

Cracking open the case revealed two likely UART ports, one of which was active. The output from that UART provided a lot of info. The chip was a Broadcom BCM3383, which is a MIPS processor, and it ran eCos as an operating system. However, the bootloader eventually disables the UART, so there wasn't much more investigation possible via the serial terminal.

The next step was to dump the flash memory. That required a little solder surgery to prevent the board from starting while the flash chip had power. It appeared that some key credentials and configuration data were present, but they were really backups. After doing a factory reset to remove the backups, the right data was apparent.

After some lengthy exploration, the diagnostic that builds a spectrum display gave up its data. At first, the data was just a small sample of what was really required, but it did show a local FM station as a spectrum. Eventually, the data loss rate was down to about 12% when streaming, which is not great, but good enough. You can hear an audio clip of the reception. Not exactly crystal-clear quality, but not bad.

Of course, no one will use this for an FM radio. But it is a fascinating view into how far you can hack into a device like this if you have some skills and patience. There must be something about quarantine that is making people hack old gear, as we just recently saw a similar Netgear hack. Even cheap games aren’t safe.