Hacklet 45 – Reverse Engineering Projects

Sooner or later, all of us end up putting on our reverse engineering hats and digging into a device. It might be that you’re trying to keep an old piece of equipment running – the manufacturer is long defunct, and parts are no longer available. It might be that sweet new router with locked down firmware. Or, it might just be that you’re curious. Whatever the reason, reverse engineering is a rewarding endeavor. Some of our favorite reverse engineering projects read like spy novels. Instead of cloak and dagger, it’s encryption and soldering iron. This week’s Hacklet focuses on some of the best reverse engineering projects on Hackaday.io!

We start with [Henryk Plötz] and Reverse-Engineering a low-cost USB CO₂ monitor. Carbon monoxide detection and measurement devices are household safety items these days, and have become rather cheap. Carbon dioxide measuring devices are less common, and as expected, more expensive. [Henryk] found a device for around 80€ which did what he needed. The included USB connector was supposedly just for power, but when plugging it in, the device enumerated on his Linux box. The accompanying Windows software displayed live data from the detector, but there wasn’t much information on the protocol. Time to bust out IDA Pro, and go to town on that software! [Henryk] did battle with his CO₂ monitor’s software and was justly rewarded.

Next up is [Bob Blake] and Reverse Engineering the Maverick ET-732. [Bob] loves barbecue, but hates to babysit his smoker. Thankfully there are wireless temperature sensors out there built just for that purpose, but they have limited range and you can’t have multiple receivers around the house. [Bob] aimed to fix all of that by sending his Maverick wireless thermometer data to the web, so he could check in on his cooking from anywhere. First he had to reverse engineer the protocol used by the sensor. A spectrum analyzer told [Bob] that the sensor transmit frequency was 433.92 MHz, which is common for low-cost transmitters like this. [Bob] actually had some compatible receivers at his office, so he was quickly able to capture some data with his Saleae logic analyzer. The real fun came in figuring out exactly how the data was organized!

A chance eBay sale netted [Technics] a sweet head mounted magnifier, but no way to control it. Reverse engineering a Life Optics M5 documents [Technics]’ efforts to get his new headgear working. The Life Optics M5 is actually a re-branded version of the Leica HM500 head mounted zoom microscope. These devices were originally designed for medical use. They provide a stereo view to the surgeon or dentist using them, as well as sending a video feed to be displayed for the rest of the team to use or record. Cracking open the M5’s head-mounted box revealed several modules, but no obvious means of controlling zoom or focus. Scoping out a few of the mystery wires did reveal what looks to be a 9600 baud serial data stream though. This is a brand new project, and we’re waiting for [Technics]’ next update to see if he gets to do some soldering with his new toy!

 

BIOS password protection – it’s the bane of any used laptop buyer’s existence. Sometimes removing these passwords is as easy as popping out the CMOS battery, other times, not so much. [q3k] found themselves in the latter situation with a bundle of Toshiba R100 laptops and no way to start them up. [q3k] didn’t give up though – they broke out the soldering iron and started Reverse engineering Toshiba R100 BIOS. The R100 is a Pentium M era machine – old but still usable for many hacking purposes. Dumping the ROM BIOS of the laptop didn’t yield the information [q3k] needed, so they moved on to the TLCS-870 controller, and built a really nice board with a Xilinx Spartan6 FPGA to help with the effort. It turns out that the 870 is just used for power management. [q3k] has now turned their attention to a Renesas microcontroller which might be just the droid they are looking for!

We think that reverse engineering projects are pretty darn cool, so we’ve created a Reverse Engineering List to keep them all organized.

That’s it for this Hacklet. As always, see you next week. Same hack time, same hack channel, bringing you the best of Hackaday.io!


Reverse Engineering A Bathroom Scale For Automated Weight Tracking

[Darell] recently purchased a fancy new bathroom scale. Unlike an average bathroom scale, this one came with a wireless digital display. The user stands on the scale and the base unit transmits the weight measurement to the display using infrared signals. The idea is that you can place the display in front of your face instead of having to look down at your feet. [Darell] realized that his experience with infrared communication would likely enable him to hack this bathroom scale to automatically track his weight to a spreadsheet stored online.

[Darell] started by hooking up a 38 kHz infrared receiver unit to a logic analyzer. Then he recorded the one-way communication from the scale to the display. His experience told him that the scale was likely using pulse distance coding to encode the data. The scale would start each bit with a 500ms pulse. Then it would follow up with either another 500ms pulse, or a 1000ms pulse. Each combination represented either a 1 or a 0. The problem was, [Darell] didn’t know which was which. He also wasn’t sure in which order the bits were being transmitted. He modified a software plugin for his logic analyzer to display 1’s and 0’s on top of the waveform. He then made several configurable options so he could try the various representations of the data.

Next it was time to generate some known data. He put increasing amounts of weight on the scale and recorded the resulting data along with the actual reading on the display. Then he tried various combinations of display settings until he got what appeared to be hexadecimal numbers increasing in size. Then by comparing values, he was able to determine what each of the five bytes represented. He was even able to reconstruct the checksum function used to generate the checksum byte.

Finally, [Darell] used a Raspberry Pi to hook the scale up to the cloud. He wrote a Python script to monitor an infrared receiver for the appropriate data. The script also verifies the checksum to ensure the data is not corrupted. [Darell] added a small LED light to indicate when the reading has been saved to the Google Docs spreadsheet, so he can be sure his weight is being recorded properly.
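The decoding search described above, as an added Python example that is not [Darell]’s script: it tries both bit polarities and both bit orders against captures with known readings, then tests candidate checksums. The frame layout (`0xAB` header, weight × 10 as a big-endian field, sum-mod-256 checksum), the readings and the pulse captures are constructed assumptions, not the scale’s real format.

```python
from functools import reduce
from itertools import product

SHORT, LONG = 500, 1000  # start/data pulse widths, in the units the write-up gives

def encode(frame):
    """Constructed capture: start pulse + data pulse per bit (long = 1, MSB first)."""
    pulses = []
    for byte in frame:
        for i in range(7, -1, -1):
            pulses += [SHORT, LONG if (byte >> i) & 1 else SHORT]
    return pulses

def decode(pulses, long_is_one, msb_first):
    """Turn pulse widths back into bytes under one polarity / bit-order guess."""
    bits = []
    for start, data in zip(pulses[0::2], pulses[1::2]):
        if abs(start - SHORT) > 150:
            raise ValueError(f"unexpected start pulse {start}")
        is_long = abs(data - LONG) < abs(data - SHORT)
        bits.append(int(is_long == long_is_one))
    out = []
    for i in range(0, len(bits) - len(bits) % 8, 8):
        chunk = bits[i:i + 8] if msb_first else bits[i:i + 8][::-1]
        out.append(sum(b << (7 - n) for n, b in enumerate(chunk)))
    return bytes(out)

def find_layout(captures):
    """Every (long_is_one, msb_first, offset) whose 16-bit field equals reading * 10."""
    hits = []
    for long_is_one, msb_first, off in product((True, False), (True, False), range(4)):
        if all(int.from_bytes(decode(p, long_is_one, msb_first)[off:off + 2], "big")
               == round(r * 10) for r, p in captures):
            hits.append((long_is_one, msb_first, off))
    return hits

# Candidate checksum functions over the first four bytes (guesses, not the scale's).
CHECKSUMS = {"sum8": lambda b: sum(b) & 0xFF,
             "xor8": lambda b: reduce(lambda x, y: x ^ y, b)}

def find_checksum(frames):
    """Names of candidate functions that reproduce the last byte of every frame."""
    return [n for n, fn in CHECKSUMS.items() if all(fn(f[:-1]) == f[-1] for f in frames)]

def make_frame(reading):
    """Hypothetical 5-byte layout: 0xAB, weight*10 (big-endian), 0x00, sum8."""
    body = bytes([0xAB]) + round(reading * 10).to_bytes(2, "big") + b"\x00"
    return body + bytes([sum(body) & 0xFF])

# Constructed sample data: (reading shown on the display, captured pulse widths).
CAPTURES = [(r, encode(make_frame(r))) for r in (5.0, 20.5, 61.3, 82.4)]
```

Only one of the sixteen polarity, bit-order and offset guesses reproduces all four known readings, which is why recording several different weights narrows the search so quickly.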

Building A Vehicle Parking Camera


We’re never really sure what to call these things. When we say “back up camera” it sounds distinctly like a redundancy system for when the primary camera fails to work. But it is used for when you move in reverse in an automobile. [Jeremy Blythe] built the distance sensing video system using a Raspberry Pi board as the brain.

The flexibility of Linux and the power of the RPi board ended up making it pretty easy to get everything working together. He’s using a Microsoft Lifecam Cinema HD camera, which connects to one of the USB ports on the board. Just above that you can see the infrared distance sensor which is connected to the RPi’s GPIO header using one of Adafruit’s Pi Cobbler breakout boards. This also facilitates the connection to the 176×220 color LCD screen.

In the video after the break you can see [Jeremy] testing out the system by moving his hand in front of the sensor. Python is used to grab the image from the camera, draw a circle on it, and overlay the distance in centimeters at the bottom. Once his hand is within 30cm the overlay turns red and the word STOP is displayed. Pretty neat!


Reverse Engineering A PCB

Occasionally when a device breaks, the defect is obvious. Whether it is a blown fuse or a defective capacitor, generally the easy to see stuff is easy to fix. When a problem is more subtle, or when doing some more advanced tasks like adding functionality to a device, greater knowledge about a circuit board is required. While there might be details hidden in lower levels of PCB, often just knowing the mounted components and layout of the outside layers can be enough to create a rough schematic of a device. [Throbscottle] has put together an excellent guide for procedurally breaking down a photo of a board and turning it into something useful. The guide utilizes some open source image processing software such as the GIMP, Inkscape, and Dia, all of which are widely available. Keep in mind this reverse engineering can be a time consuming process, but will almost definitely reward those patient enough to work through it.

[Thanks to everyone who sent this in!]

Improving A Motorized Toy

[Dan Fruzzetti’s] daughter was delighted to get a motorized vehicle from her grandparents, but [Dan] was unimpressed with the stock features. The lead-acid battery supplied remarkable life between charges, but the vehicle only had one feature: a go button that routed juice to the bipolar motor. After the break we’ll look at his improvements to the drive train, steering, and cosmetics.


Frustromantic Box, A Reverse Geocache

One of the best feelings in the world is when one of our posts inspires a fellow hacker to plan, create, and execute his or her own project.

[Russ] let us know about his Frustromantic Box, which was inspired by the original Reverse Geocache we posted about. For those out of the loop, the box is locked and will only open in a certain location. The current distance to the location is displayed on the screen when a button is pressed, and usually there is a limited number of button presses (3 presses for those that know geometry, 50 for everyone else). As soon as the box is at the location, it will open.

The Frustromantic Box uses an Arduino, classic HD44780 display, a servo, and the pièce de résistance EM406 GPS. All built in time to frustrate his wife for Christmas.