Completely Owning The Dreamcast Add-on You Never Had

July 17, 2017 by Elliot Williams 30 Comments

If you’ve got a SEGA Dreamcast kicking around in a closet somewhere, and you still have the underutilized add-on Visual Memory Unit (VMU), you’re in for a treat today. If not, but you enjoy incredibly detailed hacks into the depths of slightly aged silicon, you’ll be even more excited. Because [Dmitry Grinberg] has a VMU hack that will awe you with its completeness. With all the bits in place, the hacking tally is a new MAME emulator, an IDA plugin, a never-before ROM dump, and an emulator for an ARM chip that doesn’t exist, running Flappy Bird. All in a month’s work!

The VMU was a Dreamcast add-on that primarily stored game data in its flash memory, but it also had a small LCD display, a D-pad, and inter-VMU communications functions. It also had room for a standalone game which could interact with the main Dreamcast games in limited ways. [Dmitry] wanted to see what else he could do with it. Basically everything.

We can’t do this hack justice in a short write-up, but the outline is that he starts out with the datasheet for the VMU’s CPU, and goes looking for interesting instructions. Then he started reverse engineering the ROM that comes with the SDK, which was only trivially obfuscated. Along the way, he wrote his own IDA plugin for the chip. Discovery of two ROP gadgets allowed him to dump the ROM to flash, where it could be easily read out. Those of you in the VMU community will appreciate the first-ever ROM dump.

On to doing something useful with the device! [Dmitry]’s definition of useful is to have it emulate a modern CPU so that it’s a lot easier to program for. Of course, nobody writes an emulator for modern hardware directly on obsolete hardware — you emulate the obsolete hardware on your laptop to get a debug environment first. So [Dmitry] ported the emulator for the VMU’s CPU that he found in MAME from C++ to C (for reasons that we understand) and customized it for the VMU’s hardware.

Within the emulated VMU, [Dmitry] then wrote the ARM Cortex emulator that it would soon run. But what ARM Cortex to emulate? The Cortex-M0 would have been good enough, but it lacked some instructions that [Dmitry] liked, so he ended up writing an emulator of the not-available-in-silicon Cortex-M23, which had the features he wanted. Load up the Cortex emulator in the VMU, and you can write games for it in C. [Dmitry] provides two demos, naturally: a Mandlebrot set grapher, and Flappy Bird.

Amazed? Yeah, we were as well. But then this is the same guy emulated an ARM chip on the AVR architecture, just to run Linux on an ATMega1284p.

Getting Data Off Proprietary Glucometers Gets A Little Easier

June 23, 2017 by Donald Papp 22 Comments

Glucometers (which measure glucose levels in blood) are medical devices familiar to diabetics, and notorious for being proprietary. Gentoo Linux developer [Flameeyes] has some good news about his open source tool to read and export data from a growing variety of glucometers. For [Flameeyes], the process started four years ago when he needed to send his glucometer readings to his doctor and ended up writing his own tool. Previously it was for Linux only, but now has Windows support.

Glucometers use a variety of different data interfaces, and even similar glucometers from the same manufacturer can use different protocols. Getting the data is one thing, but more is needed. [Flameeyes] admits that the tool is still crude in many ways, lacking useful features such as HTML output. Visualization and analysis are missing as well. If you’re interested in seeing if you can help, head over to the GitHub repository for glucomerutils. Also needed are details on protocols used by different devices; [Flameeyes] has only been able to reverse-engineer the protocols of meters he owns.

Speaking of glucometers, there is a project for a Universal Glucometer which aims to be able to use test strips from any manufacturer without needing to purchase a different meter.

Thanks for the tip, [Stuart]!

Reverse Engineering The Monoprice Printer

June 20, 2017 by Brian Benchoff 33 Comments

When the Monoprice MP Select Mini 3D printer was released last year, it was a game changer. This was a printer for $200, yes, but it also held a not-so-obvious secret: a 3D printer controller board no one had ever seen before powered by a 32-bit ARM microcontroller with an ESP8266 handling the UI. This is a game-changing set of electronics in the world of 3D printing, and now, finally, someone is reverse engineering it.

[Robin] began the reverse engineering by attaching the lead of an oscilloscope to the serial line between the main controller and display controller. The baud rate is weird (500 kHz), but apart from that, the commands readily appear in human-parsable text. There is a web server built into the MP Mini printer, and after inspecting the web page that’s served up from this printer, [Robin] found it was possible to send G-code directly from the controller board, get a list of files on the SD card, and do everything you would want to do with a 3D printer.

After deconstructing the circuit on the display board, [Robin] found exactly what you would expect from such a simple board: an SPI display driven by an ESP, and a big flash chip sitting off to the side. [Robin] found the the model of the display, and quickly built a project on Platform.io to draw text to the LCD. This isn’t the end of the project – there’s still a lot that must be done before this printer is squirting out parts with custom firmware.

While this isn’t a hack of the driver board inside the MP Mini, that’s not really a problem. The motor driver board in this printer doesn’t really need any changes, and was already ahead of its time when this printer was released last year. As with most things, the UI is the weak point, and upgrading the firmware and built-in web server for this printer is the best way forward.

[Robin] put together a truly phenomenal video of how he reverse engineered this display controller. You can check that out below.

Continue reading “Reverse Engineering The Monoprice Printer” →

The Art Of The Silicon Chip

June 6, 2017 by Jenny List 23 Comments

If you have followed the group of reverse engineers whose work on classic pieces of silicon we feature regularly here at Hackaday, you may well be familiar with the appearance of the various components that make up their gates and other functions. What you may not be familiar with, however, are the features that can occasionally be found which have no function other than the private amusement of the chip designers themselves. Alongside the transistors, resistors, and interconnects, there are sometimes little pieces of artwork inserted into unused spaces on the die, visible only to those fortunate enough to own a powerful microscope.

Fortunately those of us without such an instrument can also take a look at these works, thanks to the Smithsonian Institution, who have brought together a gallery of them on the web as part of their chip collection. In it we find cartoon characters such as Dilbert, favourites from children’s books such as Waldo, and the Japanese monster Godzilla. There are animals, cows, a leopard, a camel, and a porpoise, and of course company logos aplenty.

In a sense, these minuscule artworks are what our more strident commenters might describe as Not A Hack, but to dismiss them in such a manner would be to miss their point. Even in an age of huge teams of integrated circuit designers working with computerized tools rather than the lone geniuses of old with their hand drafting, we can still see little flashes of individuality with no practical or commercial purpose and with no audience except a very few. And we like that.

Also take a look at the work of [Ken Shirriff] for a masterclass in IC reverse engineering.

Gimbal SDI Camera Mod

June 4, 2017 by Michael Uttmark 4 Comments

Sometimes when you need something, there is a cheap and easily obtainable product that almost fits the bill. Keyword: almost. [Micah Elizabeth Scott], also known as [scanlime], is creating a hovering camera to follow her cat around, and her Feiyu Mini3D 3-axis brushless gimbal almost did everything she’d need. After a few modifications, [Micah] now has a small and inexpensive 3-axis gimbal with a Crazyfire HZ-100P SDI camera and LIDAR-Lite distance sensor.

At thirty minutes long, [Micah’s] documenting video is rife with learning moments. We’ve said it before, and we’ll say it again: “just watch it and thank us later.” [Micah Elizabeth Scott] has a way of taking complicated concepts and processes and explaining things in a way that just makes sense (case in point: side-channel glitching) . And, while this hack isn’t exactly the most abstractly challenging, [Micah’s] natural talent as a teacher still comes through. She takes you through what goes right and what goes wrong, making sure to explain why things are wrong, and how she develops a solution.

Throughout her video, [Micah] shares small bits of wisdom gained from first-hand experience. From black hot glue to t-glase (a 3D printing filament), we learned of a few materials that could be mighty useful.

We’re no strangers to the work of [Micah Elizabeth Scott], she’s been on the scene for a while now. She’s been a Hackaday Prize Judge in 2015 and 2016 and is always making things we love to cover. She’s one of our three favorite hackers and has a beautiful website that showcases her past work.

Video after the break.

Continue reading “Gimbal SDI Camera Mod” →

Integrated Circuit Reverse Engineering, 1970s Style

June 2, 2017 by Jenny List 11 Comments

We are used to stories about reverse engineering integrated circuits, in these pages. Some fascinating exposés of classic chips have been produced by people such as the ever-hard-working [Ken Shirriff].

You might think that this practice would be something new, confined only to those interested in the workings of now-obsolete silicon. But the secrets of these chips were closely guarded commercial intelligence back in the day, and there was a small industry of experts whose living came from unlocking them.

Electron micrograph of a wire bond to the Z80 CTC die

Integrated Circuit Engineering Corporation were a Scottsdale, Arizona based company who specialised in semiconductor industry data. They have long since been swallowed up in a series of corporate takeovers, but we have a fascinating window into their activities because their archive is preserved by the Smithsonian Institution. They reverse engineered integrated circuits to produce reports containing detailed information about their mechanical properties as well as their operation, and just such a report is our subject today. Their 1979 examination of the Zilog Z80 CTC (PDF) starts with an examination of the package, in this case the more expensive ceramic variant, then looks in detail at the internal construction of the die itself, and its bonding wires. We are then taken in its typewritten pages through an extensive analysis of the circuitry on the die, with gate-level circuits to explain the operation of each part.

The detail contained in this report is extraordinary, it is clear that a huge amount of work went into its production and it would have been of huge value to certain of Zilog’s customers and competitors. At the time this would have been extremely commercially sensitive information, even if it now seems like a historical curiosity.

The Z80 CTC is a 4-channel counter/timer peripheral chip for the wildly succesful Z80 8-bit microprocessor, in a 28-pin dual-in-line package. We were surprised to find from a quick search that you can still buy this chip from some of the usual suppliers rather than the surplus houses, so it may even still be in production.

If IC reverse engineering takes your fancy, take a look at our archive of [Ken Shirriff] posts.

Thanks [fortytwo] for the tip.

How To Reverse Engineer A Chip

May 2, 2017 by Al Williams 27 Comments

Have you ever wondered how you could look at a chip and map out its schematic? [Robert Baruch] wants to show you how he does it and he does in a new video (see below). The video assumes you know how to expose the die because he’s made a video about that before.

This video focuses on using his Beaglebone-driven microscope stage to get high-resolution micrographs stitched together from smaller shots. A 3D-printed sample holder keeps the part from moving around. Luckily, there’s software to stitch the images together. Once he has the die photo, he will etch away the metal to remove the passivation, the metal layer, and the silicon dioxide under the metal and takes another set of photos.

Continue reading “How To Reverse Engineer A Chip” →