reverse engineering

386 Articles

Reverse Engineer Then Drive LCD With FPGA

January 29, 2015 by 18 Comments

Fans of [Ben Heck] know that he has a soft spot for pinball machines and his projects that revolve around that topic tend to be pretty epic. This is a good example. At a trade show he saw an extra-wide format LCD screen which he thought would be perfect on a pinball build. He found out it’s a special module made for attaching to your car’s sun visor. The problem is that it only takes composite-in and he wanted higher quality video than that offers. The solution: reverse engineer the LCD protocol and implement it in an FPGA.

This project is a soup to nuts demonstration of replacing electronics drivers; the skill is certainly not limited to LCD modules. He starts by disassembling the hardware to find what look like differential signaling lines. With that in mind he hit the Internet looking for common video protocols which will help him figure out what he’s looking for. A four-channel oscilloscope sniffs the signal as the unit shows a blue screen with red words “NO SIGNAL”. That pattern is easy to spot since the pixels are mostly repeated except when red letters need to be displayed. Turns out the protocol is much like VGA with front porch, blanking, etc.

With copious notes about the timings [Ben] switches over to working with a Cyclone III FPGA to replace the screen’s stock controller. The product claims 800×234 resolution but when driving it using those parameters it doesn’t fill the entire screen. A bit more tweaking and he discovers the display actually has 1024×310 pixels. Bonus!

It’s going to take us a bit more study to figure out exactly how he boiled down the sniffed data to his single color-coded protocol sheet. But that’s half the fun! If you need a few more resources to understand how those signals work, check out one of our other favorite FPGA-LCD hacks.

Continue reading “Reverse Engineer Then Drive LCD With FPGA”

Reverse-Engineering A Superior Chinese Product

January 1, 2015 by 116 Comments

It makes an Arduino look like a 555.  A 364 Mhz, 32 bit processor. 8 MB RAM. GSM. Bluetooth. LCD controller. PWM. USB and dozens more. Smaller than a Zippo and thinner than corrugated cardboard. And here is the kicker: $3. So why isn’t everyone using it? They can’t.

Adoption would mandate tier after tier of hacks just to figure out what exact hardware is there. Try to buy one and find that suppliers close their doors to foreigners. Try to use one, and only hints of incomplete documentation will be found. Is the problem patents? No, not really.

[Bunnie] has dubbed the phenomenon “Gongkai”, a type of institutionalized, collaborative, infringementesque knowledge-exchange that occupies an IP equivalent of bartering. Not quite open source, not quite proprietary. Legally, this sharing is only grey-market on paper, but widespread and quasi-accepted in practice – even among the rights holders. [Bunnie] figures it is just the way business is done in the East and it is a way that is encouraging innovation by knocking down barriers to entry. Chinese startups can churn out gimmicky trash almost on whim, using hardware most of us could only dream about for a serious project.

Continue reading “Reverse-Engineering A Superior Chinese Product”

Counting Transistors In The Playstation

December 18, 2014 by 40 Comments

Over in Russia there are a few people doing extremely in-depth technical teardowns, and the latest is one of the most ambitious ever seen. The PSXDEV team is tearing into the heart of the original PlayStation (Google translatrix), looking at 300,000 transistors, and re-implementing the entire console in a logic level simulator.

While the CPU in the PSX is unique to that specific piece of hardware, a lot of this custom silicon can be found in other places. The core – a RISC LSI LR33300 – is documented in a few rare tomes that are somehow available for free on the Internet. Other parts of this chip are a little stranger. There is a bizarre register that isn’t documented anywhere, a Bus Unit that handles the access between various devices and peripherals, and a motion picture decompressor.

The reverse engineering process begins by de-encapsulating the CPU, GPU, sound processing unit, and CD-ROM controller, taking very high magnification photos of the dies, and slowly mapping out the semiconductors and metals to figure out what cells do what function, how they’re connected, and what the big picture is. It’s a painstaking process that requires combing through gigabytes of die shots and apparently highlight gates, wires, and busses with MS Paint.

The end result of all this squinting at a monitor is turning tracings of chips into logic elements with Logisim. From there, the function of the CPU can be understood, studied, and yes, eventually emulated down to the gate level. It’s an astonishing undertaking, really.

If this sort of thing sounds familiar, you’re right: the same team behind PSXDEV is also responsible for a similar effort focused on the Nintendo Entertainment System. There, the CPU inside the NES – the Ricoh 2A03 – was torn down, revealing the 6502 core, APU, DMA, and all the extra bits that made this a custom chip.

Thanks [Rasz] for the tip.

LabVolt Robot Arm Reverse Engineering

Reverse Engineering A Robotic Arm

December 15, 2014 by 9 Comments

Not too many people will argue that Robot Arms aren’t cool. [Dan] thinks they are cool and purchased a LabVolt Armdroid robotic arm on eBay for a mere $150. Unfortunately, he did not get the power supply or the control unit. To most, this would a serious hurdle to overcome, but not for [Dan]. He opened up the robot and started probing around the circuit board to figure out what was going on.

Since there was a DB9 connector on the outside of the robot arm, he assumed it was a standard RS-232 controlled device. Good thing he checked the internal circuitry because this was not the case at all. There was no mircocontroller or microprocessor found inside.  [Dan] painstakingly reversed engineered the circuit board and documented his results. He found that there were SN76537A chips that drove the 6 unipolar stepper motors and SN75HC259 latches to address each individual motor.

Now knowing how the robot works, [Dan] had to figure out how to control the robot from his computer. He started by making a custom Parallel Port to DB9 cable to connect the computer to the arm. After a series of several programs, starting with simply moving just one arm joint, the latest iteration allows manual control of all joints using the computer keyboard. A big ‘Thanks’ goes out to [Dan] for all his work and documentation.

 

Reverse Engineering Super Animal Cards

December 11, 2014 by 15 Comments

If you don’t have a niece or nephew we encourage you to get one because they provide a great excuse to take apart kids’ toys.

[Sam] had just bought some animal-themed trading cards. These particular cards accompany a card-reader that uses barcodes to play some audio specific to each animal when swiped. So [Sam] convinces her niece that they should draw their own bar codes. Of course it’s not that easy: the barcodes end up having even and odd parity bits tacked on to verify a valid read. But after some solid reasoning plus trial-and-error, [Sam] convinces her niece that the world runs on science rather than magic.

But it can’t end there; [Sam] wants to hear all the animals. Printing out a bunch of cards is tedious, so [Sam] opens up the card reader and programs and Arduino to press a button and blink an IR LED to simulate a card swipe. (Kudos!) Now she can easily go through all 1023 possible values for the animal cards and play all the audio tracks, and her niece gets to hear more animal sounds than any child could desire.

Along the way, [Sam] found some interesting non-animal sounds that she thinks are Easter eggs but we would wager are for future use in a contest or promotional drawing or something similar. Either way, its great fun to get to listen in on more than you’re supposed to. And what better way to educate the next generation of little hackers than by spending some quality time together spoofing bar codes with pen and paper?

Five Dollar RF Controlled Light Sockets

November 22, 2014 by 46 Comments

This is tens of thousands of dollars worth of market research I’m about to spill, so buckle up. I have a spreadsheet filled with hundreds of projects and products that are solutions to ‘home automation’ according to their creators. The only common theme? Relays. Home automation is just Internet connected relays tied to mains. You’re welcome.

[Todd] over at Fabricate.io found an interesting home automation appliance on Amazon; a four-pack of remote control light sockets for $20, or what we would call a microcontroller, an RF receiver, and a relay. These lamp sockets are remote-controlled, but each package is limited to four channels. Terrible if you’re trying to outfit a home, but a wonderful exploration into the world of reverse engineering.

After cracking one of these sockets open, [Todd] found the usual suspects and a tiny little 8-pin DIP EEPROM. This chip stores a few thousand bits, several of which are tied to the remote control. After dumping the contents of the EEPROM from the entire four-pack of light sockets, [Todd] noticed only one specific value changed. Obviously, this was the channel tied to the remote. No CRC or ‘nothin. It doesn’t get easier than this.

With the new-found knowledge of what each lamp socket was looking for, [Todd] set out to clone the transmitter. Tearing this device apart, he found a chip with HS1527 stamped on it. A quick Googling revealed this to be an encoder transmitter, with the datasheet showing an output format of a 20-bit code and four data bits. This was a four-channel transmitter, right? That’s where you put each channel. The 20-bit code was interesting but not surprising; you don’t want one remote being able to turn of every other 4-pack of lamp sockets.

With all the relevant documentation, [Todd] set out to do the obvious thing – an Arduino transmitter. This was simply an Arduino and a transmitter in the right frequency, loaded up with bit of carefully crafted code. [Todd] also figured out how to expand his setup to more than four lamp sockets – by changing the 20-bit code, he could make his Arduino pretend to be more than one transmitter.

With Arduino-controlled lamp sockets, the world is [Todd]’s oyster. He can add Ethernet, WiFi, Bluetooth LE, and whatever trendy web front end he wants to have a perfect home automation setup. It’s actually a pretty impressive build with some great documentation, and is probably the cheapest way to add Arduino/Internet-enabled relays we’ve ever seen.

 

Protocol Snooping Digital Audio

November 12, 2014 by 21 Comments

More and more clubs are going digital. When you go out to hear a band, they’re plugging into an ADC (analog-to-digital converter) box on stage, and the digitized audio data is transmitted to the mixing console over Ethernet. This saves the venue having to run many audio cables over long distances, but it’s a lot harder to hack on. So [Michael] trained popular network analysis tools on his ProCo Momentum gear to see just what the data looks like.

[Michael]’s writeup of the process is a little sparse, but he name-drops all the components you’d need to get the job done. First, he simply looks at the raw data using Wireshark. Once he figured out how the eight channels were split up, he used the command-line version (tshark) and a standard Unix command-line tool (cut) to pull the data apart. Now he’s got a text representation for eight channels of audio data.

Using xxd to convert the data from text to binary, he then played it using sox to see what it sounded like. No dice, yet. After a bit more trial and error, he realized that the data was unsigned, big-endian integers.  He tried again, and everything sounded good. Success!

While this is not a complete reverse-engineering tutorial like this one, we think that it hits the high points: using a bunch of the right tools and some good hunches to figure out an obscure protocol.