pinout-based identification:
Some chips have their top marking removed.
They can still be identified based on their pinout.
To help me with that, I created the Integrated Circuit IDentifier (ICID) database and search engine.
building a sound level enforcer:
For a private club I built a sound level enforcer.
If the DJ is playing music too loud, the device will shut off the audio output.
For that I reversed a GM1351 sound level meter to extract the measurements from the LCD interface and send them over Bluetooth to the enforcer, which will cut the power to the main audio amplifier if a set threshold is exceeded for a couple of seconds.
replacing the sensor of a dehumidifier:
The humidity sensor modules of a dehumidifier kept failing, and no replacement is easily available anymore.
After reversing its communication protocol, I was able to create my own module.
reversing USB meter protocols for long term low DC power logging:
To figure out the energy budget provided by a solar panel for a weather station, I needed a device capable of measuring low DC voltages and currents over a long period of time.
For that I used the USB Power Meter (UPM) Web-U2, but I first had to reverse engineer the BLE and USB communication protocols it provided.
reversing a printer cartridge chip:
How does a printer know when the cartridge is empty? Instead of using a sensor, the toner or ink level information is simply stored in memory and updated after each print. This technique also applies to my old laser-jet printer.
I was able to identify the chip on the toner cartridge as a 1-Wire EEPROM with some authentication features. We will see how, and what the 1-Wire protocol is.
I also re-implemented this chip and was able to pass authentication thanks to a secret key I dumped from another chip, allowing me to fool the printer into thinking the toner cartridge is never empty.
reversing washing machine payment cards:
To use the washing machines in my apartment complex you need to pay using a rechargeable contact card.
I was curious to find out how it works. It turns out it's an I²C EEPROM in a card.
By recording the communication between the card and the machine I figured out where and how the credit value is stored.
Now I can read and write the value on cards using a Raspberry Pi or simple micro-controller, but also program my own cards to work with the machines.
Using infra-red LEDs I re-implemented the LaserTag protocol MilesTag v2.
With that I made a LaserTag grenade by placing a custom board in a cock shell.
I found out the weight measured by a Korona KFW-55 bathroom scale is encoded using PWM.
Using a micro-controller I can interpret this value and send it to a computer over USB and Bluetooth.
MegaCode is a system provided by Linear LLC for controlling gates.
This time I looked at the receiver.
With my firmware it is possible to efficiently record the individual codes of other remote controls.
MegaCode is a system provided by Linear LLC for controlling gates.
Using software-defined radio I could record and decode the radio transmission of the remote.
And thanks to my firmware this can be re-transmitted.
With it, it is possible to clone MegaCode remote controls.