Monday, December 9, 2013

Inside stuff: 0-30V cheap panel voltmeter

This is just a reiteration of my post on http://www.eevblog.com/forum/. Since then some people have picked up the challenge and designed new firmware for the microcontroller. Let me explain.

The module is a cheap (2-3$) 0-30V voltmeter. It has a 3-digit output, is pretty accurate and invites curiosity with its TXD/RXD soldermask labels.


The inside sports an STM8S003F3 chip with nice features:

  • 2.95-5.5V supply voltage
  • 16 MHz internal oscillator
  • 3 timers
  • 4 CCP/PWM modules
  • 5-channel 10-bit ADC
  • UART, SPI, I2C
  • 8k Flash, 1k RAM

Thoughtfully, the programming/debug port is also broken out, just not labeled. The pinout would then be:


  SWIM / PD1 (HS)
  TX / AIN5(HS) / PD5
  RX / AIN6 (HS) / PD6
  NRST
  VDD
  VSS

The board also includes a 3V/30mA linear regulator that can take up to 30V. All in all, a very cheap development board that can be used for a lot of stuff.


Here's a close-up picture of the board under strong light so you can reference the double-sided PCB without taking the thing apart:


And if you want to dig into this deeper just have a look at http://smokedprojects.blogspot.ca/2013/08/i2c-led-display-from-hacked-voltmeter.html and http://hackaday.com/2013/08/25/turning-cheap-voltmeters-into-i2c-displays/.

The board in the article looks slightly different than mine, but I just bought the cheapest one I could find on ebay.

Saturday, December 7, 2013

Inside stuff - smoke/fire detector FireAngel ST-620

Update: if you came here looking for a fix to the annoying beep I might have one - if you are feeling handy: take the unit apart, desolder one wire from the battery terminal, discharge the capacitor (by touching the disconnected wire to the other wire) and solder it back on.
Take care not to short the battery, you only want to discharge the circuit with the battery disconnected.
If you do not understand perfectly what you need to do then please do not attempt this!
This has 'fixed' one of my units (for 6 months now) and has quietened another one for ~2 months.

Back to the original post:
One of my smoke detectors - installed by the landlord under legal obligation - started acting up by emitting annoying short beeps at random intervals, more so during the night.

The producer boasts a 10-year service lifetime, smoke detection as well as heat detection.
Since they are the "non-user-serviceable" type nothing else remains than to take it apart and see what makes it tick. Spoiler: it's less complicated than you might think.


The housing comes apart by first prying the small plastic retainers on the underside edge. Apart from the VERY LOUD piezo, a CR123 battery and a "snooze" button there's not much to see. But all the interesting stuff is beneath the button so we need to take that plastic frame off.

Peeling off the sticker reveals another 3 retaining clips, which means the mainboard sitting under the button can simply be unscrewed. You do not need to peel the sticker, it's enough to just screw the button assembly counter-clockwise.


Oh, the big plastic lever above is pressed in when the sensor is affixed to the ceiling mount. This in turn presses up the metal tongue below, breaking off a contact on the board and waking up the sensor.


Piezo sensor - part 1

I'm working on a small project in which I'm trying to find out if I can output a sound on a piezo while reading the force exerted on it. It's like a small piano where the input is also the output.

I did something similar with LEDs where I measured the light level by first reverse polarising the LED and then measuring the discharge time (capacitance).

To get an idea of what levels I'm dealing with, some measurements were in order. Two sets of measurements were taken, one with the original molded plastic housing and one with the housing removed and two wires soldered to the piezo. I'm using a normal buzzer, the cheapest I could find, so that I can buy several of them. Raw buzzers should be 10x cheaper than what I paid.


This is a light tap on the table while the sensor is sitting about 1m away pressed against the table. The housing was on. Around 1Nm of force from a lighter.



A stronger tap under the same conditions, around 5Nm.


The same stronger tap 15cm away from the sensor.



This strange waveform was measured while I was cracking the housing open with a plier. The peaks are over 40V.



With the sensor exposed I pressed lightly with the finger (first peak) then removed the finger and applied constant pressure.



With the piezo placed under a notebook (the paper one) I first very lightly tapped the notebook and then applied increasing pressure. The signals are much stronger, probably because the crystal and vibrations are better confined.



With the sensor held by wires I blew air lightly on it and then a bit stronger.

Findings

In trying to break the piezo out of the housing I bent it quite badly. I believe as long as the crystal is not badly damaged (in my case only the metal substrate was bent) the sensor will still work just fine.

The housing connected the buzzer via small springs. Soldering wires on the exposed piezo can be hard but doable as long as you only tack some solder and then the wire. Keeping temperature too long will likely cause the crystal to lift off the substrate.

The voltage response from the piezo is much higher when used without the (resonant?) housing. It is also much higher when confined within a space but I doubt its ability to output sound with a 3.3-5V signal. Luckily, the sensor responds really well to taps in free air as well.

The force response is surprisingly accurate. You can detect slight vibrations in the finger, air pressure changes, possibly even heart pulse. Unfortunately it's DC-centered so it cannot be used for absolute measurements. However its AC response is really good and linear.

I can see a lot of applications for this kind of sensor in areas where they might not yet be used:

  • wind/pressure changes
  • tap sensing
  • heartbeat monitor
  • traffic weight detection
  • MAF (mass air flow) sensors since the pressure is varying on each stroke
  • active vibration dampening systems (vehicle suspensions)
  • detecting noises and resonance for sound applications

I have an idea where they might be currently used:

  • window breaking detection
  • vehicle traffic counter
  • vibration sensor for alarms
I was using the 1Mohm input from the oscilloscope so a 5-20k input from a microcontroller might yield unmeasurable signals. Still, I will try to achieve some levels of input without any other active components. The clamping diodes on the microcontroller should handle the HV peaks just fine.

Sunday, November 3, 2013

Senseo custom firmware - update

This project is taking longer than anticipated even though it was supposed to be something simple.
I will publish a schematic of the complete circuit in the near future (this year) but in the meantime there is still the slow process of troubleshooting.

Safety considerations:

  • the complete circuit is not isolated from mains so testing is pretty critical. I have been feeding 3.6V to test the low-voltage part but in the end it will have to be hooked up to 220V
  • the boiler / water heater can only take a limited amount of pressure. If the thermistor is not properly calibrated in software there is the risk of a scalding hot water explosion

With that being said there is some small but steady progress being made.

The MSP430 has some strange power requirements that are not properly documented. The VCC supply needs to rise with >1V/ms otherwise it gets into an undefined state. That undefined state might also mean that some GPIOs are high, causing catastrophic failure. Currently the nRST pin is tied directly to Vcc but I think I will wire that through a diode or LED that will provide a voltage drop so that the chip only starts when power is well above 2.5V. This is a job for a voltage monitor but there is no place to stick one in.

A 2.2k pull-up resistor from the power button was burned out causing strange issues.

The water sensor, which is basically a Hall-effect transistor, does not work properly with less than 5V. So, when the magnet is nearby it is only producing 0.5V instead of the >3V required to trigger the Schmitt trigger on the chip input. This means that the input will have to be read as an analog value, not a big issue.

I've got the schematic wrong for the NTC thermistor which means that all my calculations were wrong. The voltage on the analog input RISES with temperature instead of decreasing as I originally thought. It is ~0.5V at room temperature, 3V at 200C and 2.6V at 180C.
It's probably a non-linear curve so it will have to either be calibrated or carefully calibrated so that the boiler cannot get a chance to reach >100C causing a blow-out.

The original circuit had an input directly from the line voltage which had me puzzled for a while. I finally figured out what that might be: input for a zero-crossing detector. The triac that turns on the boiler should turn on only on the 0V crossing of the mains voltage, otherwise large EMI could occur. Maybe I can get around without needing this.

Another point to consider would be the optimal temperature to start brewing the coffee, assuming the coffee pads use real coffee and not some substitute. According to Wikipedia the ideal temperature should be between 91C and 94C, though Breaking Bad suggests a bit lower (85C). I guess the pressure is also above atmospheric so it makes sense to lower the brewing point.
Considering that there is some thermal inertia between the temperature reported by the sensor and the actual water temperature with the heater running I would choose 85C as the right temperature to start the pump. I just wish there was a way to feed a precise temperature to the sensor, this might come in a future 'episode'. Unfortunately my JBC station goes down only to 180C and I don't trust the multimeter so much. Time for an IR thermometer.

Wednesday, October 16, 2013

Toshiba Regza TL868 firmware analysis

My TV has a quite complex set of features, none of which work particularly well. Except perhaps using it as a PC display.



Input latency is quite bad, ranging from over 200ms in normal mode to 100ms in "gaming" mode.
The latency can easily be tested by going to this link and taking a picture of both displays (native and external) at the same time, preferably with a flash, in order to shorten exposure time.



There's a half-assed [HBBTV] implementation that crashes once in a while, a horrible YouTube app that takes 1-2 seconds to react to keypresses, a barely-workable DLNA implementation and barely-acceptable USB media integration. Oh, it also does triple-tuner TV, but I don't watch TV.
Sometimes I just wish they had stuck with a Linux, WinCE or Android implementation with freeware apps instead of reinventing the square wheel each time.

What's worse, each of these apps (TV, DLNA, HBBTV, YouTube, USB media) seems to be written by a different party.
As with most (all?) TVs you can kiss your updates goodbye once you've taken it out of the box.

Frustrated by this and having stumbled into this article I've decided to try and break the firmware down into manageable pieces.

Zoom G1 guitar effects pedal repair



I got this unit essentially for free a few years back after getting rid of my VooDu Valve which was too expensive/overkill.
It's a nice little unit great for practicing guitar and has the added bonus of foot switches (the two big knobs at the bottom):



This unit has seen better days and it kept switching itself off or resetting once in a while whenever the cables were moved. Also, it didn't want to work on battery power.

Monday, September 16, 2013

Teardown and modding a car mp3 player - part 2

In the first part I identified the problem leading to the unit overheating: a design decision consisting of dropping more than 10 Watts on a couple of 3W resistors.

I've thought of several ways to address the issue:
  • change the 5V rail to a switching design
  • put bigger resistors and mount the 7805 on a heatsink
  • have a switching or linear preregulator that drops 12V to a more manageable 7-9 Volts

I have a few switching supplies bought from ebay at around 2-4$ each based on the LM2596 reference design. However they might be noisy and I'm not sure how well they handle high loads. Should be good enough for charging the USB and anyway the 1.8V and 3.3V lines go through linear regulators first, cleaning them of noise.

The bigger resistor solution would also work but I did not have any 10W resistors at hand and I'm not sure they would fit in the small space between the CD tray and the case.

Since I have a few LM7808 and LM7809 from scrap I decided to go with the third solution. So I would basically bypass both resistors, go through the 7808 to drop 2-7V and use the 7805 to drop the remaining 3V.

I started by removing the "leaking" resistors and dead regulator. See the black stuff left behind by the droppers?



The LM7808 is prepared by soldering on some heavy gauge wire and adding heat-shrink tubing for insulation.



Teardown and modding a car mp3 player

I bought a somewhat cheap car MP3 player a few years ago because it had Bluetooth support and nice amber lights to complement the design of my E39.

I understand some people will come here looking for a wiring diagram so I should start with that first:
Model: Watson CRC8060MU





I've always had the issue of not being able to charge anything from the USB port or the unit resetting with some strange USB sticks. Also, the unit lost its settings when cranking the engine with a low battery while it was playing music.

After the jump I start taking it apart to see how it works and what can be done to address the issues.

Thursday, August 8, 2013

Etching boards for SMD - follow-up on precision

I wanted to see the limits of the current method so I set out hunting a board template for that.


SMD breakouts and etching tutorial

Completed prototype board
For today I've planned an easy-reading, low-tech tutorial.

The bane of a lot of software guys is moving up from the ubiquitous breadboard to a self-made PCB. The other common fear is switching from through-hole parts to surface-mount technology.

Friday, August 2, 2013

Follow-up on 2x DVR repair

I was scoping around to see what caused the 2.5V supply modules to go bust.

Just as a reminder, they are pretty generic modules, with a 5V preregulator that steps down the 12V input. The 5V is then dropped through linear regulators to three supply rails of 1.8V, 2.5V and 3.3V. In this application only the 2.5V output is being used.


Thursday, August 1, 2013

Ancient DVR teardown - Dallmeier DLS 6

I just bought a cheap broken DVR from eBay and thought to share pictures from inside the unit since there aren't any on the Internet.
It was a state of the art unit at the beginning of 2000, probably costing several thousands of dollars. Some documents and reviews from that time praise the wavelet-type encoding quality and savings, custom-made ATX power supply and build quality. I beg to differ on a few fronts.

Wednesday, July 31, 2013

Saeco Talea - automatic coffee machine - teardown and analysis

I got this coffee machine from work because it was a maintenance nightmare. I'll tear it down, analyze how it works and detail some design problems as well.

It's going to be a rather long post with quite a lot of pictures. I've marked all the detected problems with an asterisk "*", I'm sure some have been forgotten as this teardown was performed 6 months ago.



Wednesday, July 24, 2013

Building a new firmware for the Senseo coffee machine



This is one of those projects that just takes forever to finish, I must've started this 6 months ago.

This part will describe all the hardware and various techniques used to figure out which signal goes where.

Why do this? It's an improvement on the original firmware and an exercise in consumer product design. My goals will be listed in the second part of this post.







Tuesday, July 23, 2013

Android game automation - part 2

In the previous post I touched upon the fact that simulating hardware input events was very slow and not really suited for fast, repeated actions.

The second approach is based on MonkeyRunner, a free library included with the Android SDK. It is able to talk to the Android device using a Python-like language.

Part 1: http://hackcorellation.blogspot.de/2013/07/android-game-automation-part-1.html


Monday, July 22, 2013

2x DVR repair

I've gotten two DVR MPEG4 recorders for free because they were labeled as "unfixable". Both of them were diagnosed with "no video" or "video problems".

Ever since I got them I had suspected the 2.5V supply to be at fault but had no oscilloscope nor variable PSU at hand, so they have been sitting in my drawer for a few months.

It was a 10 minute job:
- probe the 2.5V output and see it oscillating between 2.4 and 4.2V
- probe the PAL/AV output and see the scope could not get a lock even though it looked almost ok
- bypass the supply and feed 2.5V from a variable PSU
- probe and do a quick run to see everything is stable.

I wish I could do a burn test but my trusty variable PSU is a linear one, getting quite hot at this voltage drop.



txtr Beagle - native code analysis

I've been avoiding doing a write-up on this section for several reasons.
First, I'm using the IDA disassembler which is pretty expensive and thus quite extensively pirated. Unfortunately there are no freely available tools that I know of that can perform this task.

Second, I really suck at assembler and C so I might not be the best person to do this analysis. I've used the freely available Thumb decompiler plugin which is able to translate assembly into readable code but only in about 30% of the cases. There's no substitute for knowledge, it seems.

Part 1: http://hackcorrelation.blogspot.de/2013/07/txtr-beagle-teardown-part-1.html

Part 2: http://hackcorrelation.blogspot.de/2013/07/txtr-beagle-part-two-software.html

Part 3: http://hackcorrelation.blogspot.de/2013/07/txtr-beagle-part-3-storage-and-transfer.html

Part 4: http://hackcorellation.blogspot.de/2013/07/txtr-beagle-card-parser.html

Part 5: http://hackcorrelation.blogspot.de/2013/07/txtr-beagle-native-code-analysis.html

Nevertheless, quite a few people have expressed their problems in being able to work out what compression has been used and the window size so this will aid in future reverse engineering.


Once the file has been loaded, depending on the IDA version used, you might not see the offending function listed in the functions window. A simple search takes care of that:


Sunday, July 21, 2013

txtr Beagle - card parser

I started playing around with the SD card contents to see how I can parse it and verify the functionality.

The result is a small Java program that is able to read the contents page by page and display it on a little panel. You can type the page number and press <Enter>, you can use arrow keys or mouse wheel to scroll.


Friday, July 19, 2013

Household hacking

Jack bottle to soap dispenser



Experiment - USB from 1V instead of 12V

This experiment was done about a year ago so I don't have all the details at hand. I wanted to see if a car USB charger can be modified to run on 1-3V.

The car charger is based on the MC34063 chip which can function in both buck and boost configurations.

Power supply project - part 1


I've had a car charger break down on me and haven't been able to fix it. It has a sturdy metallic case and the transformer is still fine.

The idea is to use some existing PSU modules I have lying around and fit those into the case, providing a readout on the display. Since it has to have a microcontroller (overpowered if I might add) it can also do some basic logging, over-voltage and over-current protection.

I really hate designing my own supplies since there are so many ready-made around which are much better than I could ever accomplish.


Thursday, July 18, 2013

txtr Beagle - part 3 - storage and transfer protocol

I'm wrapping this up for now as one of the COG (chip-on-glass) devices has apparently fried and the reader has sold out.

UPDATE: Andreas Schier has written an open-source java toolchain for Beagle: https://github.com/schierla/jbeagle


UPDATE: Florian Echtler has built two Python scripts, one emulating the server and another one for the client. The server allows you to send images to your reader: http://floe.butterbrot.org/matrix/hacking/txtr/


Part 1: http://hackcorrelation.blogspot.com/2013/07/txtr-beagle-teardown-part-1.html

Part 2: http://hackcorrelation.blogspot.de/2013/07/txtr-beagle-part-two-software.html

Part 3: http://hackcorrelation.blogspot.de/2013/07/txtr-beagle-part-3-storage-and-transfer.html

Part 4: http://hackcorellation.blogspot.de/2013/07/txtr-beagle-card-parser.html

Part 5: http://hackcorrelation.blogspot.de/2013/07/txtr-beagle-native-code-analysis.html




I've scratched some of the white glue-like stuff away but the burn can be seen inside the glass. It was drawing about 1A upon changing pages and the COG was getting very hot.

txtr Beagle - Part two - software

Bluetooth


Thanks to Moritz I was able to connect to txtr via the Bluetooth SPP profile. To do this you need to disable the txtr app that is installed on your phone and install any app that does Bluetooth serial debugging. I used "Bluetooth SPP", available freely on the Play Store.

UPDATE: Andreas Schier has written an open-source java toolchain for Beagle: https://github.com/schierla/jbeagle

My own version: https://github.com/ligius-/jbeagle

UPDATE: Florian Echtler has built two Python scripts, one emulating the server and another one for the client. The server allows you to send images to your reader: http://floe.butterbrot.org/matrix/hacking/txtr/

Turn on Bluetooth on the phone and Beagle, start the app and choose "Real-time mode". Inside the prompt you should type "HELP" (all caps) followed by the enter key (not "Done") so a newline is inserted after the command. You should see a listing of available commands.
Here's the [obscured] output from my device:

Connecting…
Bluetooth connect OK.
Bluetooth Protocol v8
Accepted commands:
(GET)PARTNER, GETBOOKS, (DELETE)BOOK, QUIT, MEMORY, INFO, HELP, etc.

Issuing the INFO command:
PROTOCOL VERSION=8
FIRMWARE ID=Beagle-F-U BUILDDATE=18.April.2013 GIT=cxxxxxx IAP=0 BLUETOOTH=u.3
DEVICE SERIAL=8888888 BDADDR=00:xx:xx:xx:xx:xx DISPLAY=V110
# bookselect button activated
VCOM VALUE=1910
SDCONTENT REVISION=2
OPTION LOWFLASH=0 FFTBT=1
INFOOK

Issuing GETBOOKS:
BOOK ID=1111111111111111 FIRSTPAGE=1 LASTPAGE=19 CURRENTPAGE=19 AUTHOR=sgsdfgsdfgdgsd TITLE=sdfgsdfgsdfgsdfg
BOOK ID=888888888888888 FIRSTPAGE=1 LASTPAGE=183 CURRENTPAGE=5 AUTHOR=adfrgsdfgsdfgsdfgsdfgsdfg TITLE=sdfgsdfgsdfgsdfgsdfg
BOOK ID=888888888888 FIRSTPAGE=1 LASTPAGE=423 CURRENTPAGE=1 AUTHOR=TG9uZG9uLCBKYWNr TITLE=V2hpdGUgRmFuZw
BOOK ID=888888888888888 FIRSTPAGE=1 LASTPAGE=447 CURRENTPAGE=321 AUTHOR=sdfgsdfgsdfgsdfg TITLE=sdfgsdfgsdfgsdfg
GETBOOKSOK

Issuing MEMORY:
BOOKS USE=4 MAXIMUM=15
CLUSTERS USE=21 MAXIMUM=255 SIZE=59
MEM TOTAL=8192 FREE=2168
MEMORYOK

QUIT:
QUITOK

Partner:
PARTNER ID=B234E345D123
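
A parser for the response format seen in the session above, added here as an example (it is not code from the original post, nor from the jbeagle or Python tools it links to). It assumes only what the capture shows: a record word followed by space-separated KEY=VALUE tokens, `#` status lines, and a `<COMMAND>OK` terminator. Reading AUTHOR and TITLE as unpadded base64 is an inference from the one record whose values were not overwritten, and all function names are made up for this example.

```python
import base64
import binascii

# Constructed sample input: lines taken from the capture above, values as obscured there.
SAMPLE_GETBOOKS = """\
BOOK ID=888888888888 FIRSTPAGE=1 LASTPAGE=423 CURRENTPAGE=1 AUTHOR=TG9uZG9uLCBKYWNr TITLE=V2hpdGUgRmFuZw

BOOK ID=888888888888888 FIRSTPAGE=1 LASTPAGE=447 CURRENTPAGE=321 AUTHOR=sdfgsdfgsdfgsdfg TITLE=sdfgsdfgsdfgsdfg
GETBOOKSOK
"""
SAMPLE_INFO = """\
PROTOCOL VERSION=8
FIRMWARE ID=Beagle-F-U BUILDDATE=18.April.2013 GIT=cxxxxxx IAP=0 BLUETOOTH=u.3
# bookselect button activated
VCOM VALUE=1910
INFOOK
"""


def parse_response(text, command):
    """Parse one reply. Returns (records, comments, complete).

    records  -- list of (record_word, {KEY: value}) in the order received
    comments -- text of '#' status lines
    complete -- True only if the '<COMMAND>OK' terminator was seen
    """
    terminator = command.upper() + "OK"
    records, comments = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue  # skip blank lines
        if line == terminator:
            return records, comments, True
        if line.startswith("#"):
            comments.append(line[1:].strip())
            continue
        kind, _, rest = line.partition(" ")
        fields = {}
        for token in rest.split():
            key, sep, value = token.partition("=")
            if not sep:
                raise ValueError(f"not a KEY=VALUE token: {token!r}")
            fields[key] = value
        records.append((kind, fields))
    return records, comments, False  # link dropped or reply truncated


def decode_text(value):
    """Decode an unpadded-base64 UTF-8 value; None if it is not one."""
    padded = value + "=" * (-len(value) % 4)  # restore stripped '=' padding
    try:
        text = base64.b64decode(padded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def list_books(text):
    """Turn a GETBOOKS reply into dictionaries with typed fields."""
    records, _, complete = parse_response(text, "GETBOOKS")
    if not complete:
        raise ValueError("no GETBOOKSOK terminator: reply is incomplete")
    books = []
    for kind, f in records:
        if kind != "BOOK":
            continue
        books.append({
            "id": f["ID"],
            "pages": (int(f["FIRSTPAGE"]), int(f["LASTPAGE"])),
            "current": int(f["CURRENTPAGE"]),
            # Fall back to the raw value when it does not decode cleanly.
            "author": decode_text(f["AUTHOR"]) or f["AUTHOR"],
            "title": decode_text(f["TITLE"]) or f["TITLE"],
        })
    return books


if __name__ == "__main__":
    for book in list_books(SAMPLE_GETBOOKS):
        print(book)
```

The record that still carries its base64 values decodes to readable text, while the overwritten ones fail UTF-8 decoding and are returned unchanged. An encoded field has to be replaced before a capture is published, not left as-is.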

iPod classic - SSD conversion

In a previous posting I described how I got this iPod Classic 6G working again by just using an older 1.8" drive.
I did not provide any pictures, so here are two of them with the "roadkill".

Android game automation - part 1

First: this is borderline immoral so don't ask for any source code or help.


My friend got me into a repetitive Android game that I will not name here. Basically it's a different kind of Farmville (I assume) that requires you to mindlessly click 'animals' to 'farm' money from them. On top of that you have to also activate two types of farms in order to feed the animals and evolve them. Feeding is not a requirement, so it will only be done in the second iteration of this automation.

As a rule of thumb any task that takes you at least 5 minutes every day for a year should be automated if it could be done in less than 20 hours.


txtr Beagle teardown

As you might know the txtr Beagle is the new kid on the block: the cheapest and lightest ebook reader around. Or at least that's what the marketing says.
I bought mine for around 20E, which is quite a bit more than the 10-13 EUR they were aiming for. I guess that's the price one must pay to stay on top of technology.
The main reason I bought one was to have some kind of remote display for use for example as a wall clock, To-Do board or bike GPS readout.

Video:
http://youtu.be/KTEGRSdxxxg

Part 1: http://hackcorrelation.blogspot.de/2013/07/txtr-beagle-teardown-part-1.html

Part 2: http://hackcorrelation.blogspot.de/2013/07/txtr-beagle-part-two-software.html

Part 3: http://hackcorrelation.blogspot.de/2013/07/txtr-beagle-part-3-storage-and-transfer.html

Part 4: http://hackcorellation.blogspot.de/2013/07/txtr-beagle-card-parser.html

Part 5: http://hackcorrelation.blogspot.de/2013/07/txtr-beagle-native-code-analysis.html

It's a bit hard to take apart since everything is glued together. There are two TR5 screws but they serve no other reason than to annoy.

First, some information on how it's supposed to work:
  • you bind the reader via bluetooth to a phone or tablet
  • you download the book on the phone, set the font size and upload it to the reader
  • each subsequent font change requires reuploading the book
  • the reader can only hold 5 books, though it's supposed to have 4GB of memory
  • one-year battery life on two AAA cells

It's obvious that the books are pre-rendered on the phone prior to being uploaded because it takes about 2-5 minutes to upload a text-only book and the reader has instant start-up, so no parsing is involved.
Before tearing it down I assumed a low-cost ARM processor, some soldered down flash memory, a common bluetooth chip and the eInk controller along with the usual host of auxiliary components: DC-DC converters, breakout and testing pads, perhaps some level translators.

Inside there is a bit of surprise: a microSD flash card along with its socket. I can't imagine how this is cheaper than just soldering a flash chip, but there you go.


My assumptions seemed to be correct: there is a low-cost LPC ARM Cortex M3 uC, no RAM chips, and the 4GB card raw image compresses to 40MB.

Wednesday, July 17, 2013

Moving on to business

After a few hours of hunting templates I've finally settled on one that should be easy on the eyes. Just a matter of preference. This is not the final choice but until I learn the WordPress system it will have to do.

I have about 20 articles waiting to be written, all the pictures are already taken, but I don't know where to start:
- custom dual power supply with Stellaris (Tiva) Launchpad diagnostics
- marathon repair of 30+ out-of-factory items
- custom firmware for coffee machine
- lessons learned from reviving SLA, NiCd and LiPo batteries
- various laptop repairs
- workbench build log
- automating a native game on Android
- sending Android navigation instructions to a Bluetooth device
- reverse engineering Java and Android apps (one at a time)

On top of that there are a lot of smaller articles in the loop, basically tips, mostly useful for beginners (diskless/thin clients, workbench organization, protocol debugging, Android development, teardowns etc.).

I'll try to cover all the ground above in a systematic manner, meaning that longer articles will need to be split and mixed with others.