Fun fact: these Bluetooth-enabled heated socks do use an AES-encrypted proto.
Just that the hardcoded key and IV are hidden inside the app in 2 images 😅
Teardown of the Disneyland entry band, a friendly donation by you know who you are ❤️
FCC: Q3E-MB-R1G2
First-stage disassembly is quite easy via 2 screws but comes to a sonic-welded inner part
From the outside you can talk to it via NFC
🧐 A battery as well?
Let's look deeper!
1/N
These Amiibo emulators (15-20€) are a nice little nRF52832 basis to build custom NFC/BLE-enabled shenanigans
Make sure to get one with USB-C and LiPo and not the CR2032 version
Affiliate Aliexpress link:
How do I say this,
That's a freaking glitched and dumped nRF31512 from the Disney Band V2 🥳🤯
DEC2 glitching worked after about 10 hours of trying
The morning coffee helped
What the reverse engineering of the Xiaomi Mi Band 8 display proto looks like.
SPI in quad mode at 48 MHz
Halfway there: custom firmware successfully writes data to it but expects the answer on a different pin, so it only reads 0. More to come
These days LIDL offers the PDM 300 C3 Multimeter for 15€ again 🥳
The special part about it is that it offers a convenient 2400 baud UART TX line which spits out the current measurements!
Fully reversed and neat tools available here:
How I Hacked 2.5 million IP Cameras in just 3 nights
DISCLAIMER: This story may or may not be true for legal reasons.
About 2 years ago a friend of mine bought himself an IP Camera for his garage.
Just to test how far I can get, I asked for only the App this Cam uses... 1/x
That is a successful SWD connection and flash read/write of the Xiaomi Band 8 🥳😋
Oh and also a kind of Teardown
It's running the Apollo4 Blue Lite SoC (Cortex-M4); luckily they supply an open SDK
What a result!
E-Paper Segment wall works including pixel mapping 🤩🥰
Watch this additional YouTube video for more details:
It needs more pixels but is soo much work!
Happy to announce that from now on I will not hack on E-Paper Pricetags as a hobby anymore!
Last week I started a full-time employment and joined the wonderful team at SES-imagotag, the global leader in E-Paper Shelf Labels 🙂🥳
Was able to dump, reverse engineer and re-flash the Waveshare Passive NFC E-Paper display's SoC
Here is a fully bare custom firmware running on the undocumented TN2115S2 SoC 🥳
YouTube Video (uncut^^)
and Source code:
@andymassey
WIFI Toothbrush completely OTA under full control, no need to press buttons 🥳
"Exploit": ESP32 opens WIFI network "evowera" / "12345678" (default set in the Toothbrush 🤪) and answers all the right requests to make the custom firmware update
Demo video here🎬:
Just released a new port to OpenEPaperLink.
This enables the direct use of Gicisky BLE E-Paper displays
It uses the internal BLE of the ESP32, which means a single ESP32 can be used as the full OEPL AP 🥳
Video demo🎬:
Teardown of one of those Light Bulb Security Cameras
They are at a freaking 12€ now, so I had to buy one^^
It has everything you'd ask for:
Speaker
Motors
Light, IR
Mic
This one does not feature a motor IR filter
Just no security🤣
Thread 1/N
Reverse engineering the Smart WIFI Toothbrush without even having the hardware available is a nice challenge 😅
No idea how much should be shared, but the possibility to poke around is there🙊🙈
ESP32-C3 + ST7789 LCD + Firmware from "sources"
😇
Successfully ported the OpenEPaperLink project to 3 new platforms in the past night shifts 🥳
In addition to the 8051 devices it now also supports:
- Reversed Marvell 88MZ100 ARM
- Telink TLSR8258 (Seen in the Xiaomi thermometers)
- Nordic nRF52811 ARM
All still alpha but working
Since Xiaomi now added signed OTA to their cheap Thermometers and it is harder to flash my custom firmware onto them,
let's take a look at a few other Thermometers out there, mostly with a Tuya backend
and
Teardown of the myPOS Go payment Terminal
Rebranded Nexgo K300
See, I am not telling you to buy a bunch of them for 15€ off eBay while available, I just mention you could 🤐
Included 4G data SIM and USB-C Cable/Charger
Let's do a thread.
Here is a never finished project of mine:
A self driving Computer mouse.
The idea: if you have lost the cursor you press a key and the mouse will drive the cursor back to the center of the screen 👌...
The proof of concept worked
Custom ESP32-S3 board with 20uA sleep works in the first revision 🥳 (Espressif module 😅🤐)
Made to be OpenEPaperLink compatible and still be powerful with 16MB Flash and 8MB RAM
Features:
- Lipo Charger
- USB-C
- WS RGB Led
-> works with 99% of the 24-pin E-Paper displays in all sizes
Starting to lose interest in the Xiaomi Mi Band hacking...
So here is the current custom firmware released 👌🥳
Not polished at all!
Better I release this now than it never seeing the light of day
Teardown of the Action / Tuya Smart Solar IP Cam ~38€
Easy to open by one screw
Inside we can find:
Ingenic T31 SoC (SDK Available)
16MB Flash
Camera Module
Azurewave Wifi module
4400mAh 18650 Batteries
Mic and Speaker
Kinda nice device to build a custom firmware upon
Fun little Hacking target!
The so called ZIKR Ring,
BLE and OLED Enabled 10€ prayer reminder Ring
Teardown in this Thread
and an extra YouTube explanation video here🎬
1/n
Interesting that basically 80% of the ZigBee tech on Aliexpress is running the Telink TLSR8258 SoC Family
(Same as in the Xiaomi BLE Thermometer)
This means easy dumping of the firmware, the SoC does not support locking^^
+ easy custom firmware creation with BLE or ZigBee for cheap
To everyone wondering what was driving the @hackaday Berlin 2023 E-Paper display Event Schedule, you can find the OpenEPaperLink project here 🥳
A very simple mesh type event proto was used to get the messages even into the last corner
Love to Jelmer!
Very unusual, after hitting connect I was greeted by a happily connected SWD Flasher which was able to read the full flash without problems 🥳
Wonder who slept there at Philips...
Since the RF sniffing of the NFC password was lately blogged by Cyrill Künzi, I could not stop thinking about how to crack it.
So this afternoon I bought the cheapest available Toothbrush with the NFC feature (40€) and opened it up.
Quite simple to open!
Let's take a look at this "cheap" ~10€ Aliexpress Digital Inclinometer by "SHAHE"
Runs via 2xAAA batteries and has a backlit LCD
Only 1 axis is supported, otherwise it shows "Err"
Affiliate:
1/N
Fossil FB-01 Hybrid E-Paper Smartwatch teardown.
😳 What an impressive piece of tech!
Matrix E-Paper display with frontlight + analog clock moved by motors
available in different versions and generations
Using a Dialog DA14585 SoC
HR sensor
Accl
Vibration
opt Microphone for Alexa
Just ordered a new and tiny Access Point Flex PCB design for the Project 👌
The Nano AP
This allows old E-Paper Price tags to be reused with a custom firmware to control more of them via Zigbee and fits for the 1.54" and 2.9" variant
Teardown of another ~6-9€ Amiibo simulator from Aliexpress
It can emulate the Amiibo figures to get extra items in some games
But it's also interesting to get a cheap NFC/BLE-enabled @NordicTweets nRF52832 platform for a custom firmware with Arduino etc.
After an exciting reverse engineering session in IDA everything came together and the NFC password calculation was found.
And as shown already, it's a very simple CRC calculation over the NFC tag UID and the manufacturing string that is in the NFC tag and also printed on the brush head
Aha, an NRF31512M plus an additional NFC tag,
seems like the RF guest locating part is real!
Google reveals other people searching for that chip without any results or datasheet.
Its power consumption shows activity every ~2 seconds
The battery hides testpads
Let's look deeper
Teardown of a 23€ "Electronic Word Card", an E-Paper learner
SoC is an XR872 ARM M4 4MB Flash 416K RAM + WiFi🤯
Pretty powerful for that device!
Flash dumped, unclear if secureboot is on🤔
Used in Smart Doorbells as well
UART on USB data Lines
Combining the two main topics of interest.
Found "THE" Smartwatch 😅
Sony FES WA1
Matrix E-Paper Display around the wrist!
BLE via nRF52832, but only used for that, and a second SoC for the display as it seems.
Not cheap but cool
Contra:
-no vibration
-no HRS
Are there any crazy Hacks you can do with a bunch of these fiber transceivers?
Does the laser diode have any power? 🤔
And of course there is an 8051 core in each of them... what else 🤣
Teardown of the 900€ - 13" E-Paper meeting room display "Joan 13" by VISIONECT
It offers 1600x1200 pixels, WIFI and is battery powered
Received it to look for potential cloud unbinding hacking, as they only offer a subscription-based service.
Let's see how that goes!
Thread
1/n
Quick teardown of the Lidl Parkside Robot Mower
PMRA 20-Li A1 at around ~300€
Tuya based... they are everywhere
It works well, does keep the grass short as wanted
Opening is possible with a normal Phillips screwdriver and around 30 screws
It looks nice without the case😅
1/n
Just finished two additional and successful SoC ports for the OpenEPaperLink project 🥳
This time we take care of the Access Point side,
From only 8051 AP to now:
- ESP32-C6
- CC1352P
Each running as an 802.15.4 Zigbee interface with an ESP32-S2 as server to generate the content.
Further testing shows that there is definitely control over the debug interface.
Unfortunately the main page readout seems locked 🥲 only returns 00, some CMD bruteforce fails
The protect byte returns 4
But at least the pinout is a discovery for the NRF31512 as unknown so far😍
Would anyone be interested in a detailed how-to Reverse engineer with IDA video?
Well here it is🥳
A how-to: hack the 30€ Spot Welding firmware to get a rotated screen:
(Looong video)🎬
To anyone asking if I share some of the displays: Yes, PM 🙃
By the way, this post is an important piece, all these Price Tags do use the ZBS243 8051 SoC
Just released the project ZBS_Flasher on GitHub
It's a simple tool to flash the so-called ZBS243 / SEM9110 8051 core SoC used in many E-Paper Price Tags
Here is an explanation video on YouTube as well
A teardown/hacking review of the 15€ Colmi Bluetooth Smart Ring is now online.
Great hackability with a questionable usefulness 😅
Ring on aliexpress:(Affiliate)
Please Like and Retweet based on the new twitter feature🙄
Since the Lora Radio Chip SX1262 from Semtech can be tweaked to "Speak" GFSK it was possible to make the "Heltec Wireless Paper" fully SubGhz OpenEPaperLink compatible🥳
Here is a PoC Demo
This was a nice challenge to learn more about Radio in general, needed a custom whitening
Inside of this version we can find an
NXP NFC reader MFRC630
and a MindMotion MM32F001 Cortex-M0 SoC
16Kb Flash and 2Kb RAM
Plus nicely labeled debug pins...
OK, how much on the bet that it will be locked... but let's see...
Interesting new hackable smartwatch with nRF52840.
The so called G5 Smartwatch, not cheap but nice hardware and with screws in the back so easy to open.
With an impressive 1.39" 454x454 Pixel Amoled display
Dumped the locked flash in 5 minutes with my ESP32 SWD glitcher tool.
After some pinout reversing of the Disney band and test pad probing, it fits more and more
So off to the Arduino IDE we go...
Using and modifying DeanCording's Programmer looks good, that's definitely data back from the NRF31512M ! 🥳🥳
Teardown and look into the SOLUM Smart Tag, a BLE Tracker.
To some extent Samsung's answer to the Apple AirTag
But hey they even add a keychain ring 😅
Quite rare and from a company well known to me so I had to spend the 16€ to take a closer look. And maybe even deeper 🧐
1/n
When looking at other available nRF SoCs, the NRF24LE1 sticks out.
Checking its pinout reveals its programming header sounding very similar to these named test pads of a laser remote PCB with an NRF31512. NICE
AHA a path to follow!
A bit of TI CC1352P playing
Let's see how many different protocols we can "emulate" with this.
From Sub-1GHz, Zigbee, Bluetooth, 2.4GHz and more, everything in one, including an ARM SoC
Hello world runs 👌
The Disney MagicBand hacking continues,
video with the RF firmware reversing is now on YouTube.
These were some sleepless nights!
Now we can emulate the RF part 😅 or reuse the pinging at home..
Really loved the reversing to learn more static analysis
Received the SI012 Pro Max Soldering iron from Sequre(No Ad, got it for free!)
Sooo teardown time!
It has this very mandatory Disco mode and a pink PCB
Compatible to different types of Tips S1/TS/T12 👍
Costs ~30$ and makes a solid impression
1/n
Reverse-engineered encryption and minimal communication now available here, possible via Web Bluetooth 🥳🤣
Header is AA55
1 byte for the CMD
and 3 for data
On first connection CMD 01 and 3 random bytes are sent to "verify" the connection.
Nice challenge!
Teardown of this tiny Aliexpress Tuya Zigbee motion sensor
All just clipped together
Running off one CR2540 battery
Main SoC Z2🤔 but the printed SWS Debug pin reveals it being a Telink TLSR8258 🥳
(Tuya also advertises it as Z2/TLSR8258 but not too simple to find)
Firmware dumped👌
Info on this,
The Toothbrush contains an ESP32-C3 with 4MB Flash.
With the codebase from Spritetm and miniwad I was able to get the complete size of DOOM and WAD file down to the 4MB of the ESP32🥳
Teardown of a "60 days Temperature Data Logger" model
No real opening needed, as it is only a foam casing
The logging is created in a nicely formatted PDF
and can be accessed via USB as a flash drive
Let's take a closer look
Damn WCH gets big
@patrick_riscv
1/n
If you plan to build a small Telink Zigbee/BLE device, here is a size comparison between the cheaper modules
TB-03F ~1,50€
E180-Z6907A ~2,56€
E104-Bt05 ~2,45€
JDY-10 ~1,20€ at 100
Received the InfiRay P2 Pro Thermal Camera(For free)
Damn is this thing small!
The resolution and framerate is pretty good
Will definitely find its usage in the future
ESP32 S2-Mini example
No teardown this time but Mike has you covered in his review