Inside Smart Meters Hack Chat

Join us on Wednesday, April 14 at noon Pacific for the Inside Smart Meters Hack Chat with [Hash]!

That electrical meter on the side of your house might not look like it, but it’s pretty packed with technology. What was once a simple electromechanical device that a human would have to read in person is now a node on a far-flung network. Not only does your meter total up the amount of electricity you use, but it also talks to other meters in the neighborhood, sending data skipping across town to routers that you might never have noticed as it makes its way back to the utility. And the smartest of smart meters not only know how much electricity you’re using, but they can also tease information about which appliances are being used simply by monitoring patterns of usage.

While all this sounds great for utility companies, what does it mean for the customers? What are the implications of having a network of smart meters all talking to each other wirelessly? Are these devices vulnerable to attack? Have they been engineered to be as difficult to exploit as something should be when it’s designed to be in service for 15 years or more?

These questions and more burn within [Hash], a hardware hacker and security researcher who runs the RECESSIM reverse-engineering wiki. He’s been inside a smart meter or two and has shared a lot of what he has learned on the wiki and with some in-depth YouTube videos. He’ll stop by the Hack Chat to discuss what he’s learned about the internals of smart meters, how they work, and where they may be vulnerable to attack.

Our Hack Chats are live community events in the Hackaday.io Hack Chat group messaging. This week we’ll be sitting down on Wednesday, April 14 at 12:00 PM Pacific time. If time zones have you tied up, we have a handy time zone converter.

Click that speech bubble to the right, and you’ll be taken directly to the Hack Chat group on Hackaday.io. You don’t have to wait until Wednesday; join whenever you want and you can see what the community is talking about.

Reverse Engineering Silicon, One Transistor At A Time

Many of us will have marveled at the feats of reverse engineering achieved by decapping integrated circuits and decoding their secrets by examining the raw silicon die. Few of us will have a go for ourselves, but that doesn’t stop the process being a fascinating one. Fortunately [Ryan Cornateanu] is on hand with a step-by-step description of his journey into the art of decapping, as he takes on what might seem an unlikely subject in the form of the CH340 USB to serial chip you’ll find on an Arduino Nano board.

Starting with hot sulphuric acid is probably not everyone’s idea of a day at the bench, but having used it to strip the epoxy from the CH340, he’s able to take a look under the microscope. This is no ordinary microscope but a metallurgist’s instrument designed to light the top of the sample from one side with polarised light. This allows him to identify an area of mask ROM and zoom in on the transistors that make each individual bit.

At this point the chemistry moves into the downright scary as he reaches for the hydrofluoric acid and has to use a PTFE container because HF is notorious for its voracious reactivity. This allows him to take away the interconnects and look at the transistor layer. With the help of a bit of computer vision processing, he can then extract a bit layer map, which with some experimentation and guesswork can be manipulated into a firmware dump. Even then it’s not done, because he takes us into the world of disassembly of what is an unknown architecture. Definitely worth a read for the armchair chip enthusiast.

If you’re thirsty for more, of course we have to direct you towards the work of [Ken Shirriff].

Machine Learning Current Sensor Snoops On MCUs

Anyone who’s ever tried their hand at reverse engineering a piece of hardware has wished there was some kind of magic wand you could tap on a PCB to understand what it’s doing and why. We imagine that’s what put security researcher [Mark C] on the path to developing CurrentSense-TinyML, a fascinating proof of concept that uses machine learning and sensitive current measurements to try and determine what a microcontroller is up to.

Energy consumption as the LED blinks.

The idea is simple enough: just place an INA219 current sensor between the power supply and the microcontroller under observation, and record the resulting measurements as it goes about its business. Of course in this case, [Mark] knew what the target Arduino Nano was doing because he wrote the code that blinks its onboard LED.

This allowed him to create training data for TensorFlow, which was ultimately optimized into a model that could fit onto the Arduino Nano 33 BLE Sense which stands in for our magic wand. The end result is that the model can accurately predict when the Nano has fired up its LED based on the amount of power it’s using. [Mark] has done a fantastic job of documenting the whole process, which also doubles as a great intro for putting machine learning to work on a microcontroller.

Now we already know what you’re thinking: obviously the current would go up when the LED was lit, so the machine learning aspect is completely unnecessary. That may be true in this limited context, but remember, this is just a proof of concept to base further work on. In the future, with more training data, this technique could potentially be used to identify a whole range of nuanced activities. You’d be able to see when the MCU was sitting idle, when it was writing to flash, or when it was reading from sensors. In fact, with a good enough model, it might even be possible to identify the individual sensors that are being polled.

These are early days, but we’re very interested in seeing where this research goes. It might not be magic, but if analyzing the current draw of a coffee maker can tell you how much everyone in the office is drinking, then maybe it can help us figure out what all these unlabeled ICs are doing.

Hacking A Digital Microscope Camera For Fun And Automated PCB Inspection

A desire for automated PCB inspection has led [charliex] down some deep rabbit holes. He’s written his own inspection software, he’s mounted his PCB vise on a stepper-controlled table, and now he’s hacked his digital microscope camera to allow remote and automated control.

Eakins cameras have become a relatively popular, relatively inexpensive choice for electronics hobbyists to inspect their small-scale work. The cameras have a USB port for a mouse and overlay a GUI on the HDMI output for controlling the camera’s various settings and capturing images to the SD card. Using the mouse-based GUI can feel clunky, though, so users have already endeavored to streamline the process to fit better in their workflow. [charliex] decided to take streamlining a few steps further.

One issue in microscope photography is that microscopes have an extremely tight focus plane. So, even at the minuscule scales of an SMD circuit board, the components are simply too tall. Only a sub-millimeter-thick layer can be in focus at a time. If you take just a single image, much of what you want to see will be lost in the blurry distance. Focus stacking solves this problem by taking multiple pictures with the focus set at different depths then combining their focused bits into a single sharp image.

This takes care of the focus issue, but even the most streamlined and intuitive manual controls become tedious given the multitude of pictures required. So [charliex] searched for a way to remotely control his camera, automating focus stacking and possibly even full PCB scans.


Retro Recreations Hack Chat With Tube Time

Join us on Wednesday, March 17 at noon Pacific for the Retro Recreations Hack Chat with Tube Time!

Nostalgia seems to be an inevitable consequence of progress. Advance any field far enough into the future, and eventually someone will look back with misty eyes and fond memories of the good old days and start the process of turning what would qualify as junk under normal conditions into highly desirable collectibles.

In some ways, those who have been bitten by the computer nostalgia bug are lucky, since the sheer number of artifacts produced during their period of interest is likely to be pretty high, making getting gear to lovingly restore relatively easy. But even products produced in their millions can eventually get difficult to find, especially once they get snapped up by eager collectors, leaving the rest to make do or do without.

Of course, if you’re as resourceful as Tube Time is, there’s another alternative: build your own retro recreations. He has embarked on some pretty intense builds to recapture a little of what early computer enthusiasts went through trying to build useful machines. He has built replicas of early PC sound cards, like an ISA-bus AdLib card, its MCA equivalent, and the “Snark Barker”— or is it the “Snood Bloober”? — which bears an uncanny resemblance to the classic Sound Blaster card from the 1980s.

Tube Time will join us for the Hack Chat this week to answer questions about all his retro recreations, including his newest work on a retro video card. Be sure to bring your questions on retro rebuilds, reverse engineering, and general computer nostalgia to the chat.

Our Hack Chats are live community events in the Hackaday.io Hack Chat group messaging. This week we’ll be sitting down on Wednesday, March 17 at 12:00 PM Pacific time. If time zones have you tied up, we have a handy time zone converter.


Reverse Engineering The Weather Channel’s Magic

For American readers of a certain age, Local on the 8s likely holds a special spot in your heart. The program, once a staple of The Weather Channel, would provide viewers with a text and eventually graphical depiction of their local forecast set to some of the greatest smooth jazz ever heard outside of an elevator. In the days before smartphones, or even regular Internet access for that matter, these broadcasts were a critical part of planning your day in the 1980s through to the early 2000s.

Up until recently the technical details behind these iconic weather reports were largely unknown, but thanks to the Herculean efforts of [techknight], the fascinating engineering that went into the WeatherSTAR 4000 machines that pumped out current conditions and Shakin’ The Shack from CATV distribution centers all over the US for decades is now being documented and preserved. The process of reversing the hardware and software has actually been going on for the last couple of years, but all those juicy details are now finally going to be available on the project’s Hackaday.IO page.

It all started around Christmas of 2018, when an eBay alert [techknight] had configured for the WeatherSTAR 4000 finally fired off. His offer was accepted, and soon he had the physical manifestation of Local on the 8s in his own hands. He’d reasoned that getting the Motorola MC68010 machine working would be like poking around in a retrocomputer, but it didn’t take long for him to realize he’d gotten himself into a much larger project than he could ever have imagined.


Decapping Components Hack Chat With John McMaster

Join us on Wednesday, March 10 at noon Pacific for the Decapping Components Hack Chat with John McMaster!

We treat them like black boxes, which they oftentimes are, but what lies beneath the inscrutable packages of electronic components is another world that begs exploration. But the sensitive and fragile silicon guts of these devices can be hard to get to, requiring destructive methods that, in the hands of a novice, more often than not lead to the demise of the good stuff inside.

To help us sort through the process of getting inside components, John McMaster will stop by the Hack Chat. You’ll probably recognize John’s work from Twitter and YouTube, or perhaps from his SiliconPr0n.org website, home to beauty shots of some of the chips he has decapped. John is also big in the reverse engineering community, organizing the Mountain View Reverse Engineering meetup, a group that meets regularly to discuss the secret world of components. Join us as we talk to John about some of the methods and materials used to get a look inside this world.

Our Hack Chats are live community events in the Hackaday.io Hack Chat group messaging. This week we’ll be sitting down on Wednesday, March 10 at 12:00 PM Pacific time. If time zones have you tied up, we have a handy time zone converter.
