Sucking PIC Firmware Out Of An Old APC Battery Backup

reverse-engineering-pic-firmware-of-APC-power-supply

Looking at this huge Uninterruptible Power Supply we are a little envious. It’s meant to hang on the wall of a utility room and power your critical devices. [Radek Hvizdos] has had it in service for quite some time, and when he started thinking of replacing the internal battery he decided to see if he could also extend the functionality. To do so he needed to get at the firmware of the chip controlling the device. And so began his adventure of dumping the firmware from the read-protected PIC 18F452.

The challenge of dumping code from a write-protected chip is in itself a fun project. But [Radek] was actually interested in fixing bugs and adding features. The wishlist feature we’d be most interested in is a kind of triage for shutting down devices as the internal battery starts to run low. Nice! But starting from scratch with the firmware is a no-go. You can see the two places where he connected to the PCB. The upper is for using a PIC programmer. The lower is an I2C connection used to dump the EEPROM with an improvised Bus Pirate.

In the end it was improper lock bit settings that opened the door to grabbing the firmware. The bootloader section of the PIC is not locked, and neither is the ability to read from FLASH at run-time. These two combined allowed him to write his own code which, when flashed to the bootloader section, dumps the rest of the firmware so that it may be combined into a complete file afterward. Since posting this fascinating article he has made a follow-up about disassembling the code.

Keeping The Family Off The Net With An Undocumented Backdoor

memetics

When [Eloi] was home for Christmas, he faced one of the most difficult problems man has ever faced: his entire family, equipped with smartphones and laptops, siphoning all the Internet through a 1Mb/s connection. For any technically minded person, the fix for this problem is to limit the bandwith for all those Facebook and Twitter-heads, while leaving [Eloi]’s battlestation unaffected. [Eloi] had originally set up the Linksys WAG200G router in the family home a few years ago but had since forgotten the overly complex admin password. No worries, then, because apparently the WAG200G is open as wide as a barn door with a completely undocumented backdoor.

Without the password to the admin panel of the router, [Eloi] needed a way in. After pointing nmap at the router, he found an undocumented service running on port 32764. Googling this observation resulted in a lot of speculation, so the only option was to download the router’s firmware, look for the service, and figure out a way in.

[Eloi] eventually got a shell on the router and wrote a very short Python script to automate the process for all WAG200G routers. As for where this backdoor came from, it appears a SerComm device on the router is responsible. This means a whole bunch of routers with this specific SerComm module also have this backdoor, and we’d assume anything with a service running on port 32764 is suspect.

If you’re looking for a fix for this backdoor, your best bet is probably installing OpenWRT or Tomato. The OpenWAG200 project, an open firmware specifically designed for [Eloi]’s router, still has this vulnerability, though.

Reverse Engineering HitClips

hitclipz

After a quick review of the Hackaday viewer demographics, we need to say the late 90s were weird. Even portable audio players were downright bizarre: MP3 players existed, but you loaded up your songs (all eight of them) over your PC’s parallel port.  While helping a cousin move some furniture, [Ch00f] found a huge collection of one of the oddest music formats ever: HitClips, a tiny plastic encapsulated bit of circuitry that stores 60 seconds of terrible-sounding mono audio. Yes, this was a thing, but so was the pet rock. With no HitClips player, [Ch00f] decided he would take a swing at reverse engineering these tiny, tinny songs.

After taking apart the plastic enclosure, [Ch00f] found a very simple circuit: a few resistors, a cap, and an epoxy blob that enclosed an die with the musical data. On the back of the clip, there are eight pads for connecting to the player. With nothing to go on, [Ch00f] started poking around and found connecting one of these pins to ground caused circuit to draw 300uA of current for about 60 seconds – the same length of time as the recorded sample.

[Ch00f] originally thought the HitClip would provide audio data over an SPI or other digital protocol. What he found was much more interesting: two of the pins on the HitClip correspond to the push and pull FETs of a class D amplifier. The audio on the HitClip is digital audio, but it’s encoded so it can directly drive an analog circuit. Pretty clever engineering for a happy meal toy, if you ask us.

After dumping this data with a logic analyzer, [Ch00f] turned all the values in to .WAV file. It was, amazingly, music. A little refinement to the process to nail down the timing resulted in a 60-second clip seen (heard?) after the break.

Since [Ch00f] doesn’t want to spend $40 on eBay for a vintage HitClips player, he’s right about at the limit of what he can reverse engineer out of these cheap, crappy music chips. He has put up all his documentation, though, so if you’re up for improving on [Ch00f]’s methods, have a go.

Continue reading “Reverse Engineering HitClips”

Android And Arduino RF Outlet Selector

ardAndRFoutlets

Cyber Monday may be behind us, but there are always some hackable, inexpensive electronics to be had. [Stephen’s] wireless Android/Arduino outlet hack may be the perfect holiday project on the cheap, especially considering you can once again snag the right remote controlled outlets from Home Depot. This project is similar to other remote control outlet builds we’ve seen here, but for around $6 per outlet: a tough price to beat.

[Stephen] Frankenstein’d an inexpensive RF device from Amazon into his build, hooking the Arduino up to the 4 pins on the transmitter. The first step was to reverse engineer the communication for the outlet, which was accomplished through some down and dirty Arduino logic analyzing. The final circuit included a standard Arduino Ethernet shield, which [Stephen] hooked up to his router and configured to run as a web server. Most of the code was borrowed from the RC-Switch outlet project, but the protocols from that build are based on US standards and did not quite fit [Stephen’s] needs, so he turned to a similar Instructables project to work out the finer details.

Stick around after the break for a quick video demonstration, then check out another wireless outlet hack for inspiration.

Continue reading “Android And Arduino RF Outlet Selector”

Repairing And Adding Bluetooth Control To An Induction Cooker

When his 6 years old induction cooker recently broke, [Johannes] decided to open it in an attempt to give it another life. Not only did he succeed, but he also added Bluetooth connectivity to the cooker. The repair part was actually pretty straight forward, as in most cases the IGBTs and rectifiers are the first components to break due to stress imposed on them. Following advice from a Swedish forum, [Johannes] just had to measure the resistance of these components to discover that the broken ones were behaving like open circuits.

He then started to reverse engineer the boards present in the cooker, more particularly the link between the ‘keyboards’ and the main microcontroller (an ATMEGA32L) in charge of commanding the power boards. With a Bus Pirate, [Johannes] had a look at the UART protocol that was used but it seems it was a bit too complex. He then opted for an IOIO and a few transistors to emulate key presses, allowing him to use his phone to control the cooker (via USB or BT). While he was at it, he even added a temperature sensor.

Reverse Engineering The Sony Ericsson Vivaz High Resolution 640 X 360 Cellphone LCD

In our opinion, reverse engineering may be one of the best ways to tease your brain. [Andy] just did that by reverse engineering the Sony Ericsson Vivaz high resolution LCD (cached copy here). In his (very) nicely written article, [Andy] explains all the steps that led him to the result shown in the picture above. He started by finding the repair manual of the Vivaz, to discover that the display could be interfaced with 8080 type parallel signals. That meant that he could use a standard microcontroller without high speed buses to interface with it, in this case the STM32F4. Next in his adventure, [Andy] ordered the appropriate connector and took a more educated guess for the onboard microcontroller. A long Google search brought up the R61523 from Renesas. So he designed his breakout board, got it produced and a few hours later a nice picture was being shown on the LCD. He even took the time to compare the original display with the clone he found on the webs, and modified his graphics library to support this display.

Hacking A Flip Dot Display

While casually lurking on a famous auction website, [TeddyDesTodes] found the gem shown in the above picture and reverse engineered it. This is a flip dot display, the Brose Vollmatrix compact to be precise. It consists of a grid of small metal discs that are black on one side and yellow on the other, set into a black background. With power applied, the disc flips to show the other side. The disc is attached to an axle which also carries a small permanent magnet. Positioned close to the magnet is a solenoid. By pulsing the solenoid coil with the appropriate electrical polarity, the magnet will align itself with the magnetic field, also turning the disc.

After carrying the 25kg display from his post office to home, [TeddyDesTodes] opened it and discovered that the main control board was using two RS422 transceivers. So he fired up his bus pirate, started to sniff the traffic and noticed that several commands were repeatedly sent. [TeddyDesTodes] stopped the transmission, sent these particular commands and had the good surprise to see some dots flipped. From there, displaying something was a piece of cake.

If this is familiar to you it may be because it was shared in one of the Trinket Contest Updates. But the background details were just so much fun we think this deserves a full feature of it’s own. Do you agree?