Reverse Engineering A Two-Wire Intercom

There was a time when an intercom was simply a pair of boxes with speakers joined by a couple of wires, with an audio amplifier somewhere in the mix. But intercoms have like everything else joined the digital age, so those two wires now carry a load of other functionality as digital signalling. [Aaron Christophel] installs these devices for a living, and has posted a fascinating reverse engineering video that we’ve also placed below the break.

Power for the system is present as a constant 24V DC, and the audio is still an old-fashioned analogue signal that we’ll all be familiar with. On that 24V DC though are imposed a series of pulse trains to trigger the different alarms and other functions, and he describes extracting these with an oscilloscope before showing us the circuitry he’s used to send and receive pulses with an Arduino. The bulk of the video is then devoted to the software on the Arduino, which you can also find in a GitHub repository.

The result is an interesting primer for anyone who fancies a bit of serial detective work, even if they don’t have a intercom to hand.

Continue reading “Reverse Engineering A Two-Wire Intercom”

Reverse-Engineering Xiaomi IoT Firmware

IoT devices rarely ever just do what they’re advertised. They’ll almost always take up more space than they need to – on top of that, their processor and memory alone should be enough to run a multitude of other tasks while not necessarily compromising the task they were built to do.

That’s partially the motivation for rooting any device, but for Xiaomi devices, it’s a bit more fun – that is to say, it’s a little bit harder when you’re reverse engineering its firmware from scratch.

Similar to his other DEF CON 26 talk on modifying ARM Cortex-M firmware, [Dennis Giese] returns with a walkthrough of how to reverse-engineer Xiaomi IoT devices. He starts off talking about the Xiaomi ecosystem and the drawbacks of reusing firmware across all the different devices connected to the same cloud network before jumping into the walkthrough for accessing the devices.

Continue reading “Reverse-Engineering Xiaomi IoT Firmware”

Reverse Engineering Liberates Dash Cam Video

If you’ve purchased a piece of consumer electronics in the last few years, there’s an excellent chance that you were forced to use some proprietary application (likely on a mobile device) to unlock its full functionality. It’s a depressing reality of modern technology, and unless you’re willing to roll your own hardware, it can be difficult to avoid. But [krishnan793] decided to take another route, and reverse engineered his DDPAI dash camera so he could get a live video stream from it without using the companion smartphone application.

Like many modern gadgets, the DDPAI camera creates its own WiFi access point that you need to connect to for configuration. By putting his computer’s wireless card into Monitor mode and running Wireshark, [krishnan793] was able to see that the smartphone was communicating with the camera using some type of REST API. After watching the clear-text exchanges for awhile, he not only discovered a few default usernames and passwords, but the commands necessary to configure the camera and start the video stream.

After hitting it with the proper REST messages, an nmap scan confirmed that several new services had started up on the device. Unfortunately, he didn’t get any video when he pointed VLC to the likely port numbers. At this point [krishnan793] checked the datasheet for the camera’s Hi3516E SoC and saw that it supported H.264 encoding. By manually specifying that as the video codec when invoking VLC, it was able to play a video stream from port 6200. A little later, he discovered that port 6100 was serving up the live audio.

Technically that’s all he wanted to do in the first place, as he was looking to feed the video into OpenCV for other projects. But while he was in the area, [krishnan793] also decided to find the download URL for the camera’s firmware, and ran it through binwalk to see what he could find out. Not surprisingly the security turned out to be fairly lax through the entire device, so he was able to glean some information that could be useful for future projects.

Of course, if you’d rather go with the first option and build your own custom dash camera so you don’t have to jump through so many hoops just to get a usable video stream, we’ve got some good news for you.

Dealing With Missing Pin Allocations

Blindsided by missing pin allocations? Perhaps you’re working on a piece of hardware and you notice that the documentation is entirely wrong. How can you get your device to work?

[Dani Eichhorn]’s troubles began when running an IoT workshop using a camera module. Prior to the work, no one had through to check if all of the camera modules ordered for the participants were the same. As it turns out, the TTGO T-CAM module had a number of revisions, with some even receiving a temperature/pressure sensor fixed on top of the normal board.

While the boards may have looked the same, their pin allocations were completely different.Changing the pin numbers wouldn’t have been difficult if they were simply numbered differently, but because the configurations were different, errors started to abound: Could not initialize the camera

As it turns out, even the LillyGo engineers – the manufacturers of the board – may have gotten a bit lost while working on the pin allocations, as [Eichhorn] was able to find some of the pins printed right onto the PCB, hidden behind the camera component.

To find information not printed on the board, a little more digging was required. To find the addresses of the devices connected to the I2C bus, running a program to find peripherals listening on the bus did the trick. This was able to print out the addresses of the SSD1306 OLED display driver and the microphone for the board at hand.

To find the pins of peripherals not printed on the PCB or hidden on the silkscreen, a GPIO scanner did the trick. This in particular worked for finding the PIR (passive infrared) motion sensor.

We picked up a few tips and tricks from this endeavor, but also learned that reverse-engineering anything is hard, and that there isn’t any one method for finding pin allocations when the documentation’s missing.

Hackaday Links Column Banner

Hackaday Links: September 8, 2019

We start this week with very sad news indeed. You may have heard about the horrific fire on the dive boat Conception off Santa Cruz Island last week, which claimed 33 lives. Sadly, we lost one of our own in the tragedy: Dan Garcia, author of the wildly popular FastLED library. Dan, 46, was an Apple engineer who lived in Berkley; his partner Yulia Krashennaya died with him. Our community owes Dan a lot for the work he put into FastLED over the last seven years, as many an addressable LED is being driven by his code today. Maybe this would be a good chance to build a project that uses FastLED and add a little light to the world, courtesy of Dan.

In happier news, the biggest party of the hardware hacking year is rapidly approaching. That’s right, the 2019 Hackaday Superconference will be upon us before you know it. Rumor has it that there aren’t that many tickets left, and we haven’t even announced the slate of talks yet. That’s likely to clean out the remaining stock pretty darn quickly. Are you seriously prepared to miss this? It seems like a big mistake to us, so why don’t you hop over and secure your spot before you’re crying into your Club-Mate and wondering what all the cool kids will be doing in November.

Of course one of the highlights of Superconference is the announcement of the Hackaday Prize winner. And while we naturally think our Prize is the best contest, that doesn’t mean there aren’t others worth entering. MyMiniFactory, the online 3D-printing community, is currently running a “Design with Arduino” competition that should be right up the alley of Hackaday readers. The goal is simple: submit a 3D-printed design that incorporates Arduino or other electronics. That’s it! Entries are accepted through September 16, so you’ve still got plenty of time.

Sometimes you see something that just floors you. Check out this tiny ESP32 board. It doesn’t just plug into a USB port – it fits completely inside a standard USB Type A jack. The four-layer board sports an ESP32, FTDI chip, voltage regulator, an LED and a ceramic antenna for WiFi and Bluetooth. Why would you want such a thing? Why wouldn’t you! The board is coming soon on CrowdSupply, so we hope to see projects using this start showing up in the tipline soon.

Here’s a “why didn’t I think of that?” bench tip that just struck us as brilliant. Ever had to probe a board to trace signal paths? It’s a common enough task for reverse engineering and repairs, but with increasingly dense boards, probing a massive number of traces is just too much of a chore. Hackaday superfriend Mike Harrison from “mikeselectricstuff” makes the chore easier with a brush made from fine stainless wires crimped into a ring terminal. Attached to one probe of a multimeter, the brush covers much more of the board at a time, finding the general area where your trace of interest ends up. Once you’re in the neighborhood you can drop back to probing one pad at a time. Genius! We’d imagine a decent brush could also be made from a bit of coax braid too.

Another shop tip to wrap up this week, this one for woodworkers and metalworkers alike. Raw materials are expensive, and getting the most bang for your buck is often a matter of carefully laying out parts on sheet goods to minimize waste. Doing this manually can be a real test of your spatial relations skills, so why not automate it with this cut list optimizer? The app will overlay parts onto user-defined rectangles and snuggle them together to minimize waste. The program takes any units, can account for material lost to kerfs, and will even respect grain direction if needed. It’s built for wood, but it should prove useful for sheet metal on a plasma cutter, acrylic on a laser, or even PCBs on a panel.

The Amazon Dash Button: A Retrospective

The Internet of Things will revolutionize everything! Manufacturing? Dog walking? Coffee bean refilling? Car driving? Food eating? Put a sensor in it! The marketing makes it pretty clear that there’s no part of our lives which isn’t enhanced with The Internet of Things. Why? Because with a simple sensor and a symphony of corporate hand waving about machine learning an iPhone-style revolution is just around the corner! Enter: Amazon Dash, circa 2014.

The first product in the Dash family was actually a barcode scanning wand which was freely given to Amazon Fresh customers and designed to hang in the kitchen or magnet to the fridge. When the Fresh customer ran out of milk they could scan the carton as it was being thrown away to add it to their cart for reorder. I suspect these devices were fairly expensive, and somewhat too complex to be as frequently used as Amazon wanted (thus the extremely limited launch). Amazon’s goal here was to allow potential customers to order with an absolute minimum of friction so they can buy as much as possible. Remember the “Buy now with 1-Click” button?

That original Dash Wand was eventually upgraded to include a push button activated Alexa (barcode scanner and fridge magnet intact) and is generally available. But Amazon had pinned its hopes on a new beau. Mid 2015 Amazon introduced the Dash Replenishment Service along with a product to be it’s exemplar – the Dash Button. The Dash Button was to be the 1-Click button of the physical world. The barcode-scanning Wands require the user to remember the Wand was nearby, find a barcode, scan it, then remember to go to their cart and order the product. Too many steps, too many places to get off Mr. Bezos’ Wild Ride of Commerce. The Dash Buttons were simple! Press the button, get the labeled product shipped to a preconfigured address. Each button was purchased (for $5, with a $5 coupon) with a particular brand affinity, then configured online to purchase a specific product when pressed. In the marketing materials, happy families put them on washing machines to buy Tide, or in a kitchen cabinet to buy paper towels. Pretty clever, it really is a Buy now with 1-Click button for the physical world.

There were two versions of the Dash button. Both have the same user interface and work in fundamentally the same way. They have a single button (the software can recognize a few click patterns), a single RGB LED (‘natch), and a microphone (no, it didn’t listen to you, but we’ll come back to this). They also had a WiFi radio. Version two (silently released in 2016) added Bluetooth and completely changed the electrical innards, though to no user facing effect.

In February 2019, Amazon stopped selling the Dash Buttons. Continue reading “The Amazon Dash Button: A Retrospective”

RTL-SDR: Seven Years Later

Before swearing my fealty to the Jolly Wrencher, I wrote for several other sites, creating more or less the same sort of content I do now. In fact, the topical overlap was enough that occasionally those articles would get picked up here on Hackaday. One of those articles, which graced the pages of this site a little more than seven years ago, was Getting Started with RTL-SDR. The original linked article has long since disappeared, and the site it was hosted on is now apparently dedicated to Nintendo games, but you can probably get the gist of what it was about from the title alone.

An “Old School” RTL-SDR Receiver

When I wrote that article in 2012, the RTL-SDR project and its community were still in their infancy. It took some real digging to find out which TV tuners based on the Realtek RTL2832U were supported, what adapters you needed to connect more capable antennas, and how to compile all the software necessary to get them listening outside of their advertised frequency range. It wasn’t exactly the most user-friendly experience, and when it was all said and done, you were left largely to your own devices. If you didn’t know how to create your own receivers in GNU Radio, there wasn’t a whole lot you could do other than eavesdrop on hams or tune into local FM broadcasts.

Nearly a decade later, things have changed dramatically. The RTL-SDR hardware and software has itself improved enormously, but perhaps more importantly, the success of the project has kicked off something of a revolution in the software defined radio (SDR) world. Prior to 2012, SDRs were certainly not unobtainable, but they were considerably more expensive. Back then, the most comparable device on the market would have been the FUNcube dongle, a nearly $200 USD receiver that was actually designed for receiving data from CubeSats. Anything cheaper than that was likely to be a kit, and often operated within a narrower range of frequencies.

Today, we would argue that an RTL-SDR receiver is a must-have tool. For the cost of a cheap set of screwdrivers, you can gain access to a world that not so long ago would have been all but hidden to the amateur hacker. Let’s take a closer look at a few obvious ways that everyone’s favorite low-cost SDR has helped free the RF hacking genie from its bottle in the last few years.

Continue reading “RTL-SDR: Seven Years Later”