atc1441
@atc1441
Followers
12,405
Following
399
Media
1,071
Statuses
3,683
Hack the planet! my biggest passion is to run a custom firmware on as many devices as possible
Hamburg, Deutschland
Joined May 2019
Don't wanna be here?
Send us removal request.
Explore trending content on Musk Viewer
مدريد
• 1527879 Tweets
Madrid
• 795318 Tweets
Barca
• 426157 Tweets
Mbappe
• 337448 Tweets
#ElClásico
• 273544 Tweets
#UFC308
• 242042 Tweets
Lamine
• 236791 Tweets
Bernabeu
• 220910 Tweets
Topuria
• 123231 Tweets
Lewandowski
• 123000 Tweets
Raphinha
• 119642 Tweets
Perez
• 103275 Tweets
Holloway
• 101722 Tweets
Hansi Flick
• 98336 Tweets
Vini
• 91347 Tweets
Nenê
• 86519 Tweets
Ancelotti
• 82525 Tweets
Bellingham
• 74804 Tweets
#StarAcademy
• 74569 Tweets
Khamzat
• 63665 Tweets
Pedri
• 60956 Tweets
Whittaker
• 54081 Tweets
#كلاسيكو_الارض
• 52810 Tweets
#ولي_العهد
• 43182 Tweets
Michelle Obama
• 40704 Tweets
Fortaleza
• 38004 Tweets
Checo
• 35720 Tweets
Iñaki Peña
• 33323 Tweets
Olmo
• 32584 Tweets
Carlo
• 32568 Tweets
الريال
• 29949 Tweets
Mendy
• 28286 Tweets
Ohio State
• 22258 Tweets
Lewy
• 17068 Tweets
انشيلوتي
• 16879 Tweets
Piastri
• 16537 Tweets
Juventude
• 15879 Tweets
ليفا
• 15632 Tweets
Endrick
• 15281 Tweets
Gerson
• 13893 Tweets
Gabigol
• 13692 Tweets
Last Seen Profiles
Here is the full Philips Sonicare Head NFC Password Calculation 🥳
How I got there you can find in this Thread.
1/N
55
552
4K
Just received a lifetime supply of E-Paper Displays in different sizes🤪
122
129
2K
Fun fact, these Bluetooth enabled heated socks do use an AES Encrypted proto.
Just that the Hardcoded KEY and IV is hidden inside the app in 2 images 😅
49
169
2K
Teardown of the Disneyland entry band, friendly donation by you know who you are❤️
FCC: Q3E-MB-R1G2
First stage disassembly is quite easy via 2 screws but comes to a sonic welded inner part
From the outside you can talk to it via NFC
🧐a battery as well?
Lets look deeper!
1/N
17
170
1K
These Amiibo emulators 15-20€ are a nice little nRF52832 basis to build custom NFC / BLE enabled shenanigans
Make sure to get one with USB-C and LiPo and not the CR2032 version
Affiliate Aliexpress link:
17
84
1K
How do i say this,
Thats a freaking glitched and dumped nRF31512 from the Disney Band V2 🥳🤯
DEC2 glitching worked after about 10 hours of trying
The morning coffee helped
Teardown of the Disneyland entry band, friendly donation by you know who you are❤️
FCC: Q3E-MB-R1G2
First stage disassembly is quite easy via 2 screws but comes to a sonic welded inner part
From the outside you can talk to it via NFC
🧐a battery as well?
Lets look deeper!
1/N
17
170
1K
22
119
942
Did put the Christmas tree up!
Finally some Christmas feeling😅
E-Paper wall FTW
24
105
916
Many many years ago I hidden install an ESP8266 in our local parking garage to get free entry🤫
Its been demolished since then so gonna share it now😅
20
67
902
The Xiaomi Mi Band 8 custom firmware can now successfully read the touchscreen 🥳🥳
15
91
856
How the reverse engineering of the Xaomi Mi Band 8 display proto looks like.
SPI in quad mode at 48 MHz
Half way there, custom firmware successfully writes data to it but expects the answer on a different pin so only reads 0 more to come
13
94
830
These days LIDL offers the PDM 300 C3 Multimeter for 15€ again🥳
The special part about it is that is offers a convenient UART 2400 baud TX line which spits out the current measurements!
Fully reversed and neat tools available here:
21
109
784
What a genius idea!
Put an led in parallel to a Fuse to see if it smoked.
Will remeber
27
137
689
How i Hacked 2.5 million IP Cameras in just 3 nights
DISCLAIMER: This story may or may not be true for legal reasons.
About 2 years ago a friend of mine bought himself a IP Camera for his garage.
Just to test how far i can get i asked for only the App this Cam uses... 1/x
10
157
646
That is a successful SWD Connection and Flash read / write of the Xiaomi Band 8 🥳😋
Oh and also a kind of Teardown
Its running the Apollo4 Blue Lite SoC Cortex-M4 luckily they supply an open SDK
18
73
621
What a result!
E-Paper Segment wall works including pixel mapping🤩🥰
Watch this additonal YouTube video for more details:
It needs more pixel but is soo much work!
15
87
593
The image quality of the Xiaomi Mi Band 8 Amoled display is quite pretty!
Custom firmware on the AMA4BL
12
63
592
Happy to announce that from now on i will not hack on E-Paper Pricetags as a hobby anymore!
Last week i started a full time employement and joint the wonderful team at SES-imagotag the global leader in E-Paper Shelf Labels 🙂🥳
42
18
523
Lets just say i do know now why the recplacement soldering iron is just 3$
58
66
503
Was able to Dump, Reverse engineer and re-flash the Waveshare Passive NFC E-Paper displays SoC
Here is a fully bare custom firmware running on the undocumented TN2115S2 SoC 🥳
YouTube Video (uncut^^)
and Source code:
@andymassey
10
63
479
WIFI Toothbrush completely OTA under full control, no need of pressing buttons🥳
"Exploit" ESP32 Opens WIFI Network: evowera 12345678 (default set in Toothbrush🤪) and answers all the right requests to make the custom firmware update
Demo video here🎬:
11
93
454
22
23
444
Just released a new port to OpenEPaperLink.
This enables the direct use of Gicisky BLE E-Paper displays
It uses the internal BLE of the ESP32, which means a single ESP32 can be used as the full OEPL AP 🥳
Video demo🎬:
8
36
398
Teardown of one of those Light Bulb Security Cameras
They are at freaking at 12€ now so I had to buy one^^
It has everything you'd ask for:
Speaker
Motors
Light, IR
Mic
This one does not feature an Motor IR filter
Just no security🤣
Thread 1/N
19
47
387
We got a winner 🥳🥳
Custom firmware on the Xiaomi Mi Band 8 successfully drives the 192x490 16bit pixels at 50hz 🤩
Short demo video here:
How the reverse engineering of the Xaomi Mi Band 8 display proto looks like.
SPI in quad mode at 48 MHz
Half way there, custom firmware successfully writes data to it but expects the answer on a different pin so only reads 0 more to come
13
94
830
4
49
370
Another sensor of the Xiaomi Mi Band 8 is reversed and usable in the custom Firmware.
The Light sensor🥳
6
32
369
Reverse engineering the Smart WIFI Toothbrush without even having the hardware available is a nice challenge 😅
No idea how much should be shared, but the possibility to poke around is there🙊🙈
ESP32-C3 + ST7789 LCD + Firmware from "sources"
😇
16
46
356
Successfully ported the OpenEPaperLink project to 3 new platforms in the past night shifts 🥳
In addtion to the 8051 devices it now also supports:
- Reversed Marvell 88MZ100 ARM
- Telink TLSR8258 (Seen in the Xiaomi thermometers)
- Nordic nRF52811 ARM
All still alpha but working
5
28
349
Since Xiaomi now added signed OTA to their cheap Thermometers and it is harder to flash my custom firmware onto them
Lets take a look into a few other Thermometers out there with mostly Tuya Backend
and
6
42
348
Teardown of the myPOS Go payment Terminal
Rebranded Nexgo K300
See iam not telling you should buy a bunch of them for 15€ of eBay while available i just mention you could 🤐
Included 4G data SIM and USB-C Cable/Charger
Lets do a thread.
7
25
333
Here is a never finished project of mine:
A self driving Computer mouse.
The idea, if you have lost the curser you press a key and the mouse will drive the curser back to the center of the screen👌...
the Proof of concept worked
9
41
321
Cuatom ESP32-S3 Board with 20uA sleep works first revision🥳(espressif module😅🤐)
Made to be OpenEPaperLink compatible and still be powerful with 16MB Flash and 8MB RAM
Features:
- Lipo Charger
- USB-C
- WS RGB Led
->works with 99% of the 24pin E-Paper display in all sizes
13
29
318
Is this duty free soldering or on the fly soldering? 🤔
I will see myself out...
At least the soldering did work 👌
20
13
314
Starting to loose interest in the Xiaomi Mi Band hacking...
So here is the current custom firmware released 👌🥳
Not polished at all!
Better I release this now than that it will never see the light of the day
8
42
294
Teardown of the Aliexpress RGB Led Matrix mask
Bought without much expectations and because of BLE
Looks surprisingly good in the dark
4
25
292
Teardown of the Action / Tuya Smart Solar IP Cam ~38€
Easy to open by one screw
Inside we can find:
Ingenic T31 SoC (SDK Available)
16MB Flash
Camera Modul
Azurewave Wifi module
4400mAh 18650 Batteries
Mic and Speaker
Kinda nice device to build a custom firmware up on
14
26
290
Fun little Hacking target!
The so called ZIKR Ring,
BLE and OLED Enabled 10€ prayer reminder Ring
Teardown in this Thread
and an extra YouTube explanation video here🎬
1/n
12
45
287
Interesting that basically 80% of the ZigBee tech on Aliexpress is running the Telink TLSR8258 SoC Family
(Same as in the Xiaomi BLE Thermometer)
This means easy dumping of the firmware, SoC does not support locking^^
+ easy custom firmware creation with BLE or ZigBee for cheap
9
31
290
The newest hit for your home decoration!
The E-Paperpot 😅
Printed in go👌
14
31
263
Very unusual, after hitting connect I was greeted by a happily connected SWD Flasher which was able to read the full flash without problems 🥳
wonder who slept there at Philips...
6
3
259
Cheapo OpenHaystack / FindMy Prototype
TLSR8258 Module 1,50€
Battery Holder 0,07€
@system21_
7
30
283
Since lately the RF sniffing of the NFC Password was blogged by Cyrill Künzi I could not stop thinking on how to crack it.
So this afternoon I bought the cheapest available Toothbrush with the NFC feature (40€) and opened it up.
Quite simple to open!
2
8
234
That's all 🙂
Finally that thought is satisfied!
You can find this story on YouTube as well:
And of course the example code here:
7
9
231
It arrived🥳
Does this count as a real DDOS attack via the WIFI Toothbrush?😂
And yes it works on every device worldwide without authorization🤦♂️
3
29
231
Lets take a look at this "cheap" ~10€ Aliexpress Digital Inclinometer by "SHAHE"
Runs via 2xAAA Batteries and has a Backlight LCD
Only 1 Axis is supported otherwise it shows the "Err"
Affiliate:
1/N
4
15
235
Fossil FB-01 Hybrid E-Paper Smartwatch teardown.
😳What an impressive piece of tech!
Matrix E-Paper display Frontlight+analog Clock moved by motors
available in different versions and generations
Using an Dialog DA14585 SoC
HR sensor
Accl
Vibration
opt Microphone for Alexa
7
9
227
Just ordered a new and tiny Access Point Flex PCB design for the Project 👌
The Nano AP
This allows old E-Paper Price tags to be reused with a custom firmware to control more of them via Zigbee and fits for the 1.54" and 2.9" variant
4
24
224
Teardown of another ~6-9€ Amiibo simulator from Aliexpress
It can emulate the Amiibo figures to get extra items in some games
But its also interesting to get a cheap NFC/BLE enabled
@NordicTweets
nRF52832 platform for a custom firmware with Arduino etc.
5
15
229
After an exiting reverse engineering session in IDA everything came together and the NFC Password calculation was found.
And as shown already its a very simple CRC Calculation over the NFC Tag UID and the Manufacturing String that is in NFC Tag and also printed on the Brush Head
2
2
223
Aha an NRF31512 M plus an additional NFC Tag,
seems like the RF guest locating part is real!
Google reveals other people searching for that chip without any results or datasheet.
Its power consumptions shows activity every~2 seconds
The battery hides testpads
lets look deeper
4
7
223
Teardown of an 23€ "Electronic Word Card",an E-Paper learner
SoC is an XR872 ARM M4 4MB Flash 416K RAM + WiFi🤯
Pretty powerful for that device!
Flash dumped, unclear if secureboot is on🤔
Used in Smart Doorbells as well
UART on USB data Lines
4
25
217
This 2.99€ Wifi Light Bulb by WIZ features and ESP32 instead of the usual expected ESP8266 !?
Found at Action
13
13
218
What a disturbing movie
Never knew you can buy the lcd drivers like that
17
9
215
Combining the two main topics of interest.
Found "THE" Smartwatch 😅
Sony FES WA1
Matrix E-Paper Display around the wrist!
BLE via nRF52832 but only used for that and a second SOC for the display as it seems.
Not cheap but cool
Contra:
-no vibration
-no HRS
11
22
215
Are there any crazy Hacks you can do with a bunch of these fiber transceivers?
Has the laser diode any power?🤔
And of course there is an 8051 core in each of them... what else 🤣
28
17
201
Teardown of the 900€ - 13" E-Paper meeting room display "Joan 13" by VISIONECT
It offers 1600x1200 pixel, WIFI and is battery powered
Received it to look for potential cloud unbinding hacking as they only offer a subscription based service.
Lets see how that goes!
Thread
1/n
13
20
205
Quick teardown of the Lidl Parkside Robot Mower
PMRA 20-Li A1 at around ~300€
Tuya based... they are everywhere
It works well does keep the grass short as wanted
Opening is possible with a normal Phillips screwdriver and around 30 screws
It looks nice without the case😅
1/n
6
13
196
Just finished two additional and successful SoC ports for the OpenEPaperLink project 🥳
This time we take care of the Access Point site,
From only 8051 AP to now:
- ESP32-C6
- CC1352P
Each running as 802.15.4 Zigbee interface with an ESP32-S2 As server to generate the content.
2
21
192
Further testing shows that there is definitely control over the debug interface.
Unfortunately the Main Page readout seems locked 🥲only returns 00 some CMD bruteforce fails
The protect byte returns 4
But at least the pinout is a discovery for the NRF31512 as unknown so far😍
2
4
191
Would anyone be interested in a detailed how-to Reverse engineer with IDA video?
Well here it is🥳
A how-to Hack the 30€ Spot Welding firmware to get a rotated screen:
(Looong video)🎬
8
32
196
To anyone asking if i share some of the displays, Yes, PM 🙃
By the way this post is an important peace, all these Price Tags do use the ZBS243 8051 SOC
Just released the project ZBS_Flasher on GitHub
Its a simple tool to flash the so called ZBS243 /SEM9110 8051 Core SOC used in many E-Paper Price Tags
Here is an explanation video on YouTube as well
6
11
100
16
10
189
A teardown/hacking review of the 15€ Colmi Bluetooth Smart Ring is now online.
Great hackibility with a questionable usefulness 😅
Ring on aliexpress:(Affiliate)
Please Like and Retweet based on the new twitter feature🙄
3
31
194
Since the Lora Radio Chip SX1262 from Semtech can be tweaked to "Speak" GFSK it was possible to make the "Heltec Wireless Paper" fully SubGhz OpenEPaperLink compatible🥳
Here is a PoC Demo
This was a nice challenge to learn more about Radio in general, needed a custom whitening
2
18
191
Inside of this version we can find an
NXP NFC Reader MFRC630
and an MindMotion MM32F001 Cortex M0 SoC
16Kb Flash and 2Kb RAM
Plus nicely labeled Debug Pins...
Ok how much on the bet that it will be locked... but lets see...
3
3
179
Interesting new hackable smartwatch with nRF52840.
The so called G5 Smartwatch, not cheap but nice hardware and with screws in the back so easy to open.
With an impressive 1.39" 454x454 Pixel Amoled display
Dumped the locked flash in 5 minutes with ma ESP32 SWD glitcher tool.
5
23
178
After some pinout reversing of the Disney band and test pads probing it fits more and more
So of to the Arduino IDE we go...
Using and modifying DeanCording's Programmer looks good, that's definitely data back from the NRF31512M ! 🥳🥳
1
4
178
Teardown and look into the SOLUM Smart Tag, a BLE Tracker.
To some extend Samsung's answer to the Apple Airtag
But hey they even add a keychain ring 😅
Quite rare and from a company well known to me so I had to spend the 16€ to take a closer look. And maybe even deeper 🧐
1/n
6
15
178
100 Displays arrived 🎉
0,96" 80x160 Pixel and easy to drive software and hardware wise
At 1€ each including shipping that's a steal 😅
15
8
178
OTA from stock to Custom firmware on the 1,20€ Smartwatch goes Brrrr🥳
See a detailed video log here:
4
15
191
When looking at other available nRF SoC's the NRF24LE1 sticks out.
Checking its pinout reveals its programming header sounding very similar to these named test pads of a laser remote PCB with an NRF31512 NICE
AHA a path to follow!
1
2
174
Bit of Ti CC1352P playing
Lets see how many different protocols we can "emulate" with this.
From Sub-1GHz, Zigbee, Bluetooth, 2.4GHz and more eveything in one including an ARM SoC
Hello world runs 👌
7
10
170
😳 1920x1080 Full HD at 0,49" but just a little pricey
Someone maybe played with them already ?
13
14
171
The Disney MagicBand Hacking continuous,
video with the RF Firmware reversing is now on YouTube.
These where some sleepless nights!
Now we can emulate the RF part 😅 or reuse the pinging at home..
Really loved the reversing to learn more static analysis
3
33
172
Teardown of the 50€ Lidl / Tuya WIFI enabled Coffee machine SKMS 900 A1
spoiler, it consists of exactly what you would think...
1/n
4
12
172
Received the SI012 Pro Max Soldering iron from Sequre(No Ad, got it for free!)
Sooo teardown time!
It has this very mendatory Disco mode and a Pink PCB
Compatible to different types of Tips S1/TS/T12 👍
Costs ~30$ and makes a solid impression
1/n
6
18
170
Reverse engineered encryption and minimal communication now available here possible by Web-Bluetooth 🥳🤣
Header is AA55
1 byte for the CMD
and 3 for data
On first connection CMD 01 and random 3bytes are send to "verify" the connection.
Nice challenge!
3
10
166
Teardown of this tiny Aliexp Tuya Zigbee Motion sensor
All just clipped together
Running by one CR2540 battery
Main SoC Z2🤔 but the printed SWS Debug pin reveals it being a Telink TLSR8258 🥳
(Tuya also advertises it as Z2/TLSR8258 but not too simple to find)
Firmware dumped👌
5
12
160
Info's to this,
The Toothbrush contains an ESP32-C3 with 4MB Flash.
With the codebase from Spritetm and miniwad I was able to get the complete size of DOOM and WAD file down to the 4MB of the ESP32🥳
9
16
164
Teardown of an "60 days Temperature Data Logger" model
No real opening needed as only a foam casing
The Logging is created in an nicely formatted PDF
and can be accessed via Flash drive USB
Lets take a closer look
Damn WCH gets big
@patrick_riscv
1/n
4
23
159
If you plan to build a small Telink Zigbee/BLE device here a size comparisons between the cheaper modules
TB-03F ~1,50€
E180-Z6907A ~2,56€
E104-Bt05 ~2,45€
JDY-10 ~1,20€ at 100
3
18
163
Received the InfiRay P2 Pro Thermal Camera(For free)
Damn is this thing small!
The resolution and framerate is pretty good
Will be definitely finds its usage in the future
ESP32 S2-Mini example
No teardown this time but mike has you covered in his review
4
16
162