reverse engineering

386 Articles

Tucoplexing: A New Charliplex For Buttons And Switches

March 23, 2019 by 28 Comments

Figuring out the maximum number of peripherals which can be sensed or controlled with a minimum number of IOs is a classic optimization trap with a lot of viable solutions. The easiest might be something like an i2c IO expander, which would give you N outputs for 4 wires (SDA, SCL, Power, Ground). IO expanders are easy to interface with and not too expensive, but that ruins the fun. This is Hackaday, not optimal-cost-saving-engineer-aday! Accordingly there are myriad schemes for using high impedance modes, the directionality of diodes, analog RCs, and more to accomplish the same thing with maximum cleverness and minimum part cost. Tucoplexing is the newest variant we’ve seen, proven out by the the prolific [Micah Elizabeth Scott] (AKA [scanlime]) and not the first thing to be named after her cat Tuco.

[Micah’s] original problem was that she had a great 4 port USB switch with a crummy one button interface. Forget replacement; the hacker’s solution was to reverse and reprogram the micro to build a new interface that was easier to relocate on the workbench. Given limited IO the Tucoplex delivers 4 individually controllable LEDs and 4 buttons by mixing together a couple different concepts in a new way.

Up top we have 4 LEDs from a standard 3 wire Charlieplex setup. Instead of the remaining 2 LEDs from the 3 wire ‘plex at the bottom we have a two button Charlieplex pair plus two bonus buttons on an RC circuit. Given the scary analog circuit the scan method is pleasingly simple. By driving the R and T lines quickly the micro can check if there is a short, indicating a pressed switch. Once that’s established it can run the same scan again, this time pausing to let the cap charge before sensing. After releasing the line if there is no charge then the cap must have been shorted, meaning that switch was pressed. Else it must be the other non-cap switch. Check out the repo for hardware and firmware sources.

Last time we talked about a similar topic a bunch of readers jumped in to tell us about their favorite ways to add more devices to limited IOs. If you have more clever solutions to this problem, leave them below! If you want to see the Twitter thread with older schematics and naming of Tucoplexing look after the break.

Continue reading “Tucoplexing: A New Charliplex For Buttons And Switches”

Reverse Engineering Keeps Keck Telescopes On Track

February 26, 2019 by 13 Comments

Perched atop a dormant volcano far above the roiling tropical air of the Big Island of Hawai’i sit two of the largest optical telescopes in the world. Each 10-meter main mirror is but a single part of a magnificent machine weighing in at some 400 tons that needs to be positioned with incredible precision. Keeping Keck 1 and Keck 2 in peak operating condition is the job of a team of engineers and scientists, so when the servo amplifiers running the twelve motors that move each scope started to show their age, [Andrew] bit the bullet and rebuilt the obsolete boards from scratch.

The Keck telescopes were built over three decades ago, and many of the parts, including the problematic servo amps, are no longer made. Accumulated wear and tear from constant use and repeated repairs had taken their toll on the boards, from overheated components to lifted solder pads. With only some barely legible schematics of the original amplifiers to go by, [Andrew] reverse engineered new amps. Some substitutions for obsolete components were needed, the PCB design was updated to support SMD parts, and higher-quality components were specified, but the end result is essentially new amplifiers that are plug-in replacements for the original units. This should keep the telescopes on track for decades to come.

Not to sound jealous, but it seems like [Andrew] has a great gig. He’s shared a couple of his Keck adventures before, like the time a failed LED blinded the telescope. He’s also had a few more down-to-earth hacks, like fixing a dodgy LCD monitor and making spooky blinkeneyes for Halloween.

Putting An Out Of Work IPod Display To Good Use

February 12, 2019 by 10 Comments

[Mike Harrison] produces so much quality content that sometimes excellent material slips through the editorial cracks. This time we noticed that one such lost gem was [Mike]’s reverse engineering of the 6th generation iPod Nano display from 2013, as caught when the also prolific [Greg Davill] used one on a recent board. Despite the march of progress in mobile device displays, small screens which are easy to connect to hobbyist style devices are still typically fairly low quality. It’s easy to find fancier displays as salvage but interfacing with them electrically can be brutal, never mind the reverse engineering required to figure out what signal goes where. Suffice to say you probably won’t find a manufacturer data sheet, and it won’t conveniently speak SPI or I2C.

After a few generations of strange form factor exploration Apple has all but abandoned the stand-alone portable media player market; witness the sole surviving member of that once mighty species, the woefully outdated iPod Touch. Luckily thanks to vibrant sales, replacement parts for the little square sixth generation Nano are still inexpensive and easily available. If only there was a convenient interface this would be a great source of comparatively very high quality displays. Enter [Mike].

Outer edge of FPGA and circuit

This particular display speaks a protocol called DSI over a low voltage differential MIPI interface, which is a common combination which is still used to drive big, rich, modern displays. The specifications are somewhat available…if you’re an employee of a company who is a member of the working group that standardizes them — there are membership discounts for companies with yearly revenue below $250 million, and dues are thousands of dollars a quarter.

Fortunately for us, after some experiments [Mike] figured out enough of the command set and signaling to generate easily reproduced schematics and references for the data packets, checksums, etc. The project page has a smattering of information, but the circuit includes some unusual provisions to adjust signal levels and other goodies so try watching the videos for a great explanation of what’s going on and why. At the time [Mike] was using an FPGA to drive the display and that’s certainly only gotten cheaper and easier, but we suspect that his suggestion about using a fast micro and clever tricks would work well too.

It turns out we made incidental mention of this display when covering [Mike]’s tiny thermal imager but it hasn’t turned up much since them. As always, thanks for the accidental tip [Greg]! We’re waiting to see the final result of your experiments with this.

Under The Hood Of Leica Camera Firmware

January 29, 2019 by 11 Comments

There’s nothing quite like waiting for something you’ve ordered online to arrive. In [Alex]’s case, he’d ordered a new Leica camera, only to find out there was a six month backlog in shipping. Wanting to whet his thirst regardless, he decided to investigate the Leica website, and reverse engineered a whole heap of camera firmware. As you do.

[Alex] didn’t stop at just one camera, instead spreading his interest across whatever firmware Leica happened to have online at the time. This approach led to improved effectiveness, as there were similarities in the firmware used between different cameras that made it easier to understand what was going on.

There are plenty of surprise quirks – from firmwares using the Doom WAD data format, to compression methods used by iD software in old game releases. [Alex]’s work runs the gamut from plotting out GUI icons on graph paper, to building custom tools to tease apart the operation of the code. Sample components were even sourced from connector manufacturers to reverse engineer various accessories, too.

[Alex]’s methodical approach and perseverance pays off, and it’s always interesting to get a look under the hood of the software underpinning consumer devices. We’ve even seen similar work done to decode the mysteries of Pokemon cries.

[Thanks to JRD for the tip!]

 

Pokemon Cries And How They Work

January 4, 2019 by 4 Comments

If you grew up watching the Pokémon TV series, you’d naturally be familiar with the cries of all your favourite Pocket Monsters. Most of the creatures in the anime tend to say their own name, over and over again. Pour one out for the legions of parents who, upon hearing a distant “PIKA PIKA!”,  still involuntarily twitch to this day.

However, the games differ heavily in this area. Generation I of Pokémon was released on the Game Boy, which simply didn’t have the sound capabilities to deliver full bitstream audio. Instead, sounds were synthesized for the various Pokémon based on various parameters. It’s quite a deep and involved system, but never fear – help is at hand via [Retro Game Mechanics Explained].

The video breaks down, at a bitwise level, how the parameters are stored for each Pokémon’s cry, and how they are synthesized. It’s broken down into easily understandable chunks, explaining first how the Game Boy’s sound hardware works, with two pulse channels and a noise channel, before later expanding upon why some Pokémon have the same or similar cries.

It’s a tour de force in retro game reverse engineering, and expertly presented with high quality graphical guides as to what’s going on at the software level. There’s even an emulator you can use to explore the various cries from the original game, and generate your own, too.

Now that we’re up to speed with Pokémon, how about fixing bugs in a 37 year old game? Video after the break.

Continue reading “Pokemon Cries And How They Work”

Reverse Engineering With Sandpaper

November 29, 2018 by 34 Comments

Every once in a while, and more so now than before, you’ll find a really neat chip with zero documentation. In [David]’s case, it’s a really cool USB 3.0 eMMC/ SD MMC controller. Use this chip, attach a USB port on one end, and some memory on the other, and you have a complete bridge. There are drivers, too. There are products shipping with this chip. The problem is, there is no data sheet. Wanting to use this chip, [David] turned to sandpaper to figure out the pinout of this chip.

The best example of a product that came with this chip is a simple board from the hardkernel store that happily came with fairly high resolution product photos. While waiting for these boards to be delivered, [David] traced the top layer of copper. This was enough to get an idea of what was going on, but the real work started when the boards arrived. These were placed in a flatbed scanner and carefully photographed.

The next step was to desolder all the parts, taking care to measure and catalog each component. Then, it’s off to sanding with 200 and 600 grit wet sandpaper. Slowly, the soldermask is removed and the top copper layer appears. After that, it’s just a matter of sanding and scanning, stacking all the layers together with your image processing software of choice.

There are a few caveats to hand-sanding a PCB to reverse-engineer the copper layers. First, it makes a mess. This is wet/dry sandpaper, though, and you can and should sand with water. Secondly, even pressure should be applied. We’re not sure if [David] was holding the sandpaper or not, but the best technique is to actually hold the board itself.

Despite a few problems, [David] did get the pictures of each copper layer. After assembling these images, he could make an Eagle part for an eMMC reader for his Nintendo Switch.

Steady Hand Repurposes Cheap SSD Modules

November 8, 2018 by 52 Comments

For hackers, cheap (and arguably disposable) consumer hardware makes for a ready supply of free or low-cost components. When you can walk into a big box store and pick up a new low-end laptop for $150, how many are going to spend the money to repair or upgrade the one they have now? So the old ones go to the bin, or get sold online for parts. From an ecological standpoint our disposable society is terrible, but at least we get some tech bargains out of the deal.

Case in point, the dirt cheap 32 GB eMMC SSDs [Jason Gin] recently scored. Used by Hewlett Packard on their line of budget laptops, he was able to snap up some of these custom drives for only $12 each. Only problem was, since they were designed for a very specific market and use case, they aren’t exactly the kind of thing you can just slap in your computer’s drive bay. He had to do some reverse engineering to figure out how to talk to them, and then some impressive fine-pitch soldering to get them plugged in, but in the end he got some very handy drives for an exceptionally low price.

[Jason] starts by figuring out the drive’s pinout using the cornerstone of the hacker’s electronic toolkit: the multimeter. By putting one lead on an obvious ground point such as the PCB’s screw holes, you can work through the pins on the connector and make some educated guesses as to what’s what. Ground pins will read as a short, but the meter should read power and data pins as a forward-biased diode. With a rough idea of the pin’s identities and some luck, he was able to figure out that it was basically a standard SATA connection in a different form factor.

To actually hook it up to his computer, he pulled the PCB off of a dead SATA hard drive, cut it down to size, and was able to use fine magnet wire to attach the conductors in the drive’s ribbon cable to the appropriate pads. He sealed everything up with a healthy dose of hot glue to make sure it didn’t pull loose, and then ran some drive diagnostics on his cobbled together SSD to make sure it was behaving properly. [Jason] reports the drive isn’t exactly a speed demon, but given the low cost and decent performance he still thinks it’s worth the work to use them for testing out different operating systems and the like.

[Jason] seems to have something of an obsession with eMMC hacking. Last time we heard from him, he was bringing a cheap Windows tablet back from the dead by replacing its shot eMMC chip.