More Fun With Syma 107 Reverse Engineering

Syma Reverse Engineering

[Jim] used a logic analyzer to do some in-depth analysis of the Syma 107G helicopter’s IR protocol. We’ve seen work to reverse engineer this protocol in the past, but [Jim] has improved upon it.

Instead of reading the IR output of the controller, [Jim] connected a Saleae Logic directly to the controller’s circuitry. This allowed him to get more accurate timing, which helped him find out some new things about the protocol. He used this to create a detailed explanation of the protocol.

One of the major findings is that the controller uses a 3-byte control packet, which contradicts past reverse engineering of the device. There’s also a new explanation of how multiple channels work, which allows several helicopters to be flown without the controllers interfering with each other.

The write-up is quite detailed and explains the reverse engineering process. It also provides great information for anyone wanting to hack one of these low-cost helicopters. From the details [Jim] worked out, it would be fairly easy to implement the protocol on your own hardware.

Nikon WU-1a WiFi Dongle Hacking

Here’s a pretty tricky piece of consumer electronics reverse engineering. [Joe Fitz] came across the Nikon WU-1a. It’s a dongle that plugs into a Nikon D3200 camera, providing a WiFi connection that can be picked up and controlled from a smartphone. The app shows you the current image from the viewfinder, lets you snap the picture, then pulls the picture down afterwards. The problem is that the same functionality for his D800 camera would cost him $1200, while this dongle can be had for $60. That’s a powerful incentive to find a way to use the WU-1a with his camera model. This is more than just rerouting some wires: it involves sniffing the USB traffic and drilling down into the datasheets for the chips used in the hardware. We’re not certain, but he may even have rolled new firmware for the dongle.

Details are a bit scarce right now. Your best bet is to watch the video embedded after the break. There is also a set of slides that [Joe] put together for a talk at this weekend’s BsidesPDX, which gives a general overview of the process he went through. He has also started a forum thread, and we hope to learn much more from that as the conversation gets going.

Continue reading “Nikon WU-1a WiFi Dongle Hacking”

Reverse Engineering A Syma 107 Toy Helicopter IR Protocol

Half the fun of buying toys for your kids is getting your hands on them once they no longer play with them. [Kerry Wong] seems to be in this boat. He bought a Syma S107G helicopter for his son. The flying toy is IR controlled, and he reverse engineered the protocol it uses. This isn’t the first time we’ve seen this type of thing with the toy. In fact, we already know the protocol has been sniffed, and there is even a jammer project floating around out there. But we took a good look at this one because of what you can learn from [Kerry’s] process.

He starts by connecting an IR photodiode to his oscilloscope. This gave him the timing between commands and allowed him to verify that the signals are encoded on a 38 kHz carrier. He then switched over to an IR receiver module designed to demodulate that frequency. From there he captures and graphs all of the possible control configurations, establishing a timing and command set for the device. He finishes it off by building a replacement controller based on an Arduino. You can see a video of that hardware after the break.
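Both write-ups boil down to the same step: taking edge timestamps from a capture, classifying pulse widths against a timing model, and reading the packet length off the result rather than assuming it. The block below is an added example of that step, not code from either [Jim]’s or [Kerry]’s project; the header, mark and space timings and the pulse-distance encoding are assumptions for illustration, not the Syma 107G’s measured values.

```python
# Added example: recover IR packets from demodulated edge timestamps of the
# kind a logic analyzer exports. The pulse-distance timings are assumed for
# illustration and are not the Syma 107G's measured values.
from typing import List, Tuple

HEADER_MARK_US = 2000   # assumed: long burst that starts every packet
HEADER_SPACE_US = 2000
BIT_MARK_US = 300       # assumed: carrier-on burst before each bit
ZERO_SPACE_US = 300     # assumed: short gap encodes 0
ONE_SPACE_US = 700      # assumed: long gap encodes 1
PACKET_GAP_US = 30000   # assumed: idle time between packets
TOLERANCE_US = 120      # timing jitter accepted when classifying a pulse

def encode_packet(payload: bytes) -> List[Tuple[int, int]]:
    """Header, MSB-first bits, closing mark and idle gap as (level, duration_us)."""
    out = [(1, HEADER_MARK_US), (0, HEADER_SPACE_US)]
    for b in payload:
        for i in range(7, -1, -1):
            out += [(1, BIT_MARK_US), (0, ONE_SPACE_US if (b >> i) & 1 else ZERO_SPACE_US)]
    return out + [(1, BIT_MARK_US), (0, PACKET_GAP_US)]  # closing mark ends last space

def to_edges(pulses: List[Tuple[int, int]]) -> List[Tuple[int, int]]:
    """(timestamp_us, new_level) edges with +/-40 us of fixed jitter, like a real capture."""
    edges, t = [], 0
    for k, (level, dur) in enumerate(pulses):
        edges.append((t + (40 if k % 2 else -40), level))
        t += dur
    return edges + [(t, 1)]

def near(d: int, target: int) -> bool:
    return abs(d - target) <= TOLERANCE_US

def decode_edges(edges: List[Tuple[int, int]]) -> List[str]:
    """Return one bit string per packet; the packet length (24 bits here) is read
    off the capture instead of assumed, which is how a wrong byte count gets caught."""
    packets, bits, after_header = [], [], False
    for (t0, level), (t1, _) in zip(edges, edges[1:]):
        d = t1 - t0
        if level == 1:                        # marks: only the header one matters
            if near(d, HEADER_MARK_US):
                bits, after_header = [], True
            continue
        if after_header:                      # first space is the header space
            after_header = False
        elif d > PACKET_GAP_US // 2:          # idle gap: packet complete
            if bits:
                packets.append("".join(map(str, bits)))
            bits = []
        else:                                 # data space: short = 0, long = 1
            bits.append(1 if near(d, ONE_SPACE_US) else 0)
    return packets
```

Feeding a real export through `decode_edges` with a wrong timing model shows up as packets of inconsistent length, which is the cue to revisit the pulse-width histogram before trusting any byte layout.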

Continue reading “Reverse Engineering A Syma 107 Toy Helicopter IR Protocol”

Digital TV Converter Reverse Engineering

Back when broadcast television was first switching over from analog to digital, most people needed a converter box to watch DTV broadcasts. Remember that abomination that was “HD-Ready”? Those TVs could display an HD signal but didn’t actually have a digital tuner in them. Nowadays all TVs come with one, so [Craig] found his old converter box was just gathering dust. So he cracked it open and reverse engineered how the DTV hardware works.

The hardware includes a Thompson TV tuner, an IR receiver for the remote control, and the supporting components for an LGDT1111 SoC. This is an LG chip, and after a little searching [Craig] got his hands on a block diagram that gave him a starting place for his exploration. The maker of the converter box was also nice enough to include a pin header for the UART. It’s populated and even has the pins labeled on the silkscreen. We wish all hardware producers could be so kind. He proceeds to pull all the information he can through the terminal, including a dump of the bootloader, a readout of the IR codes, and much more.

Reverse Engineering A Stylophone

The Stylophone – a musical toy from the 60s – is a surprisingly simple piece of engineering. With a simple metallic keyboard played with a stylus and just a handful of transistors, the Stylophone was able to produce a few sounds that were marvelous for their time, and is the equivalent of a pre-[Stradivarius] violin for the electronic music scene. [Simon] tore apart an original Stylophone and did a complete teardown of the circuit, going over the ins and outs of why this ancient noise box is so cool.

There have been quite a few DIY Stylophone clones, but all of them suffer from the same raspy sound made by a 555 timer chip that slightly misguided makers used instead of the relaxation oscillator (pictured above) found in the original. Aside from the oscillator connected to the RC circuit of the metallic keyboard, [Simon] also looked into the vibrato circuit. This is just a simple oscillator producing an 8 Hz sine-ish wave. The keyboard, of course, is connected to the circuit through an array of resistors, and [Simon] happily provided the values for them.

[Simon] put up a schematic of his reverse engineered Stylophone, allowing you to clone this ancient electronic instrument. If you can source the transistors, that is.

Re-engineering Some FM Transmitter Firmware

[Furrteck] had a little adventure with this FM transmitter he picked up on eBay. It worked all right, but he wanted to be able to scan through the frequencies, and to have the device return to the same settings after power cycling. He cracked it open and got to work achieving all of his goals.

The device is driven by an ATmega48, and there’s a 6-pin ISP header on the board. An initial read of the chip wouldn’t work, and he soon discovered the unstable power supply was to blame. After connecting his own regulated source he could read the chip ID without a hitch, but the code is lock-bit protected, so no dumping was possible. Fortunately he managed to trace out the board, and he includes a full schematic in his write-up. With this in hand he erased the chip and started programming his own firmware from the ground up.

The video after the break shows off the completed project. He can now scan through frequencies with audio feedback to let him know when he’s found a station to hijack. The new code will also write a tuned station to EEPROM for use the next time the rig is powered up.

Continue reading “Re-engineering Some FM Transmitter Firmware”

Reverse Engineering Silicon

[John McMaster] is doing some pretty amazing work with figuring out how the circuitry in an integrated circuit works. Right now he’s reverse engineering a serial EEPROM chip one section at a time. This is a 24c02 made by ST, and he chose this particular portion of the die to examine because it looked like there were some analog components involved.

He removed the top metal using hydrofluoric acid in order to take this image. By continually removing layers this way he manages to work out the traces and even the components themselves. To help clarify the parts he uses the set of snapshots to generate a colored map in Inkscape. From there he begins labeling what he thinks the components might be, and like a puzzle the pieces start falling into place one by one. From the Inkscape drawing he lays out a schematic, then rearranges the components to make the design easier to understand. Apparently this is a Schmitt trigger.

[Thanks George]