Wednesday, July 31, 2013

Saeco Talea - automatic coffee machine - teardown and analysis

I got this coffee machine from work because it was a maintenance nightmare. I'll tear it down, analyze how it works and detail some design problems as well.

It's going to be a rather long post with quite a lot of pictures. I've marked all the detected problems with an asterisk "*", I'm sure some have been forgotten as this teardown was performed 6 months ago.



Wednesday, July 24, 2013

Building a new firmware for the Senseo coffee machine



This is one of those projects that just takes forever to finish, I must've started this 6 months ago.

This part will describe all the hardware and various techniques used to figure out which signal goes where.

Why do this? It's an improvement on the original firmware and an exercise in consumer product design. My goals will be listed in the second part of this post.







Tuesday, July 23, 2013

Android game automation - part 2

In the previous post I touched upon the fact that simulating hardware input events was very slow and not really suited for fast, repeated actions.

The second approach is based on MonkeyRunner, a free library included with the Android SDK. It is able to talk to the Android device using a Python-like language.

Part 1: http://hackcorellation.blogspot.de/2013/07/android-game-automation-part-1.html


Monday, July 22, 2013

txtr Beagle - native code analysis

I've been avoiding doing a write-up on this section for several reasons.
First, I'm using the IDA disassembler which is pretty expensive and thus quite extensively pirated. Unfortunately there are no freely available tools that I know of that can perform this task.

Second, I really suck at assembler and C so I might not be the best person to do this analysis. I've used the freely available Thumb decompiler plugin which is able to translate assembly into readable code but only in about 30% of the cases. There's no substitute for knowledge, it seems.

Part 1: http://hackcorellation.blogspot.de/2013/07/txtr-beagle-teardown-part-1.html

Part 2: http://hackcorellation.blogspot.de/2013/07/txtr-beagle-part-two-software.html

Part 3: http://hackcorellation.blogspot.de/2013/07/txtr-beagle-part-3-storage-and-transfer.html

Part 4: http://hackcorellation.blogspot.de/2013/07/txtr-beagle-card-parser.html

Nevertheless, quite a few people have had problems working out what compression has been used and the window size, so this will aid in future reverse engineering.


Once the file has been loaded, depending on the IDA version used, you might not see the offending function listed in the functions window. A simple search takes care of that:


2x DVR repair

I've gotten two DVR MPEG4 recorders for free because they were labeled as "unfixable". Both of them were diagnosed with "no video" or "video problems".

Ever since I've had them I had suspected the 2.5V supply to be at fault but had no oscilloscope or variable PSU at hand, so they have been sitting in my drawer for a few months.

It was a 10 minute job:
- probe the 2.5V output and see it oscillating between 2.4 and 4.2V
- probe the PAL/AV output and see the scope could not get a lock even though it looked almost ok
- bypass the supply and feed 2.5V from a variable PSU
- probe and do a quick run to see everything is stable.

I wish I could do a burn test but my trusty variable PSU is a linear one, getting quite hot at this voltage drop.



Sunday, July 21, 2013

txtr Beagle - card parser

I started playing around with the SD card contents to see how I can parse it and verify the functionality.

The result is a small Java program that is able to read the contents page by page and display it on a little panel. You can type the page number and press <Enter>, you can use arrow keys or mouse wheel to scroll.


Friday, July 19, 2013

Power supply project - part 1


I've had a car charger break down on me and haven't been able to fix it. It has a sturdy metallic case and the transformer is still fine.

The idea is to use some existing PSU modules I have laying around and fit those into the case, providing a readout on the display. Since it has to have a microcontroller (overpowered if I might add) it can also do some basic logging, over-voltage and over-current protection.

I really hate designing my own supplies since there are so many ready-made around which are much better than I could ever accomplish.


Experiment - USB from 1V instead of 12V

This experiment was done about a year ago so I don't have all the details at hand. I wanted to see if a car USB charger can be modified to run on 1-3V.

The car charger is based on the MC34063 chip, which can function in both buck and boost configurations.

Household hacking

Jack bottle to soap dispenser



Thursday, July 18, 2013

txtr Beagle teardown

As you might know, the txtr Beagle is the new kid on the block: the cheapest and lightest ebook reader around. Or at least that's what the marketing says.
I bought mine for around 20E, which is quite a bit more than the 10-13 EUR they were aiming for. I guess that's the price one must pay to stay on top of technology.
The main reason I bought one was to have some kind of remote display for use for example as a wall clock, To-Do board or bike GPS readout.

Part 2: http://hackcorellation.blogspot.de/2013/07/txtr-beagle-part-two-software.html

Part 3: http://hackcorellation.blogspot.de/2013/07/txtr-beagle-part-3-storage-and-transfer.html

Part 4: http://hackcorellation.blogspot.de/2013/07/txtr-beagle-card-parser.html

Part 5: http://hackcorellation.blogspot.de/2013/07/txtr-beagle-native-code-analysis.html

It's a bit hard to take apart since everything is glued together. There are two TR5 screws but they serve no other reason than to annoy.

First, some information on how it's supposed to work:
- you bind the reader via bluetooth to a phone or tablet
- you download the book on the phone, set the font size and upload it to the reader
- each subsequent font change requires reuploading the book
- the reader can only hold 5 books, though it's supposed to have 4GB of memory
- one-year battery life on two AAA cells

It's obvious that the books are pre-rendered on the phone prior to being uploaded because it takes about 2-5 minutes to upload a text-only book and the reader has instant start-up, so no parsing is involved.
Before tearing it down I assumed a low-cost ARM processor, some soldered down flash memory, a common bluetooth chip and the eInk controller along with the usual host of auxiliary components: DC-DC converters, breakout and testing pads, perhaps some level translators.

Inside there is a bit of surprise: a microSD flash card along with its socket. I can't imagine how this is cheaper than just soldering a flash chip, but there you go.


My assumptions seemed to be correct: there is a low-cost LPC ARM Cortex M3 uC, no RAM chips, and the 4GB card raw image compresses to 40MB.

Android game automation - part 1

First: this is borderline immoral so don't ask for any source code or help.


My friend got me into a repetitive Android game that I will not name here. Basically it's a different kind of Farmville (I assume) that requires you to mindlessly click 'animals' to 'farm' money from them. On top of that you also have to activate two types of farms in order to feed the animals and evolve them. Feeding is not a requirement, so it will only be done in the second iteration of this automation.

As a rule of thumb any task that takes you at least 5 minutes every day for a year should be automated if it could be done in less than 20 hours.


iPod classic - SSD conversion

In a previous posting I described how I got this iPod Classic 6G working again by just using an older 1.8" drive.
I did not provide any pictures, so here are two of them with the "roadkill".

txtr Beagle - Part two - software

Bluetooth


Thanks to Moritz I was able to connect to txtr via the Bluetooth SPP profile. To do this you need to disable the txtr app that is installed on your phone and install any app that does Bluetooth serial debugging. I used "Bluetooth SPP", available freely on the Play Store.

UPDATE: Andreas Schier has written an open-source java toolchain for Beagle: https://github.com/schierla/jbeagle


UPDATE: Florian Echtler has built two Python scripts, one emulating the server and another one for the client. The server allows you to send images to your reader: http://floe.butterbrot.org/matrix/hacking/txtr/

Turn on Bluetooth on the phone and Beagle, start the app and choose "Real-time mode". Inside the prompt you should type "HELP" (all caps) followed by the enter key (not "Done") so a newline is inserted after the command. You should see a listing of available commands.
Here's the [obscured] output from my device:

Connecting…
Bluetooth connect OK.

Bluetooth Protocol v8

Accepted commands:

(GET)PARTNER, GETBOOKS, (DELETE)BOOK, QUIT, MEMORY, INFO, HELP, etc.

 Issuing the INFO command:
PROTOCOL VERSION=8
FIRMWARE ID=Beagle-F-U BUILDDATE=18.April.2013 GIT=cxxxxxx IAP=0 BLUETOOTH=u.3

DEVICE SERIAL=8888888 BDADDR=00:xx:xx:xx:xx:xx DISPLAY=V110

# bookselect button activated

VCOM VALUE=1910

SDCONTENT REVISION=2

OPTION LOWFLASH=0 FFTBT=1
INFOOK

 Issuing GETBOOKS:
BOOK ID=1111111111111111 FIRSTPAGE=1 LASTPAGE=19 CURRENTPAGE=19 AUTHOR=sgsdfgsdfgdgsd TITLE=sdfgsdfgsdfgsdfg
BOOK ID=888888888888888 FIRSTPAGE=1 LASTPAGE=183 CURRENTPAGE=5 AUTHOR=adfrgsdfgsdfgsdfgsdfgsdfg TITLE=sdfgsdfgsdfgsdfgsdfg

BOOK ID=888888888888 FIRSTPAGE=1 LASTPAGE=423 CURRENTPAGE=1 AUTHOR=TG9uZG9uLCBKYWNr TITLE=V2hpdGUgRmFuZw

BOOK ID=888888888888888 FIRSTPAGE=1 LASTPAGE=447 CURRENTPAGE=321 AUTHOR=sdfgsdfgsdfgsdfg TITLE=sdfgsdfgsdfgsdfg

GETBOOKSOK


 Issuing MEMORY:
BOOKS USE=4 MAXIMUM=15
CLUSTERS USE=21 MAXIMUM=255 SIZE=59

MEM TOTAL=8192 FREE=2168

MEMORYOK

 QUIT:
QUITOK
Partner:
PARTNER ID=B234E345D123
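
The replies above share one line format: a record name followed by KEY=VALUE pairs, closed by a bare word such as GETBOOKSOK. The parser below is an added example, not code from the original post or from the jbeagle or Echtler tools; it treats the device output as untrusted input and rejects truncated or malformed replies. It assumes AUTHOR and TITLE are unpadded standard base64 of UTF-8 text, which holds for the one unobscured entry in the listing; the function names are hypothetical.

```python
import base64

# Two reply lines copied from the GETBOOKS output above, plus its terminator.
SAMPLE = """\
BOOK ID=888888888888 FIRSTPAGE=1 LASTPAGE=423 CURRENTPAGE=1 AUTHOR=TG9uZG9uLCBKYWNr TITLE=V2hpdGUgRmFuZw
BOOK ID=888888888888888 FIRSTPAGE=1 LASTPAGE=447 CURRENTPAGE=321 AUTHOR=sdfgsdfgsdfgsdfg TITLE=sdfgsdfgsdfgsdfg
GETBOOKSOK
"""

def decode_text(value):
    """Text if value is unpadded standard base64 of UTF-8 (assumption), else None."""
    padded = value + "=" * (-len(value) % 4)  # restore the stripped padding
    try:
        return base64.b64decode(padded, validate=True).decode("utf-8")
    except ValueError:  # binascii.Error and UnicodeDecodeError both derive from it
        return None

def parse_reply(text):
    """Return (records, terminator) for one reply; device output is untrusted."""
    records, terminator = [], None
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):  # blank or "# ..." status line
            continue
        kind, *tokens = line.split()
        if not tokens:  # a bare word such as GETBOOKSOK ends the reply
            terminator = kind
            break
        fields = {}
        for token in tokens:
            key, sep, value = token.partition("=")
            if not sep or not key:
                raise ValueError(f"malformed field {token!r}")
            fields[key] = value
        records.append((kind, fields))
    return records, terminator

def list_books(text):
    """Decode BOOK records; require the terminator and a sane page range."""
    records, terminator = parse_reply(text)
    if terminator != "GETBOOKSOK":
        raise ValueError("reply truncated or not a GETBOOKS reply")
    books = []
    for _, f in (r for r in records if r[0] == "BOOK"):
        first, last, cur = (int(f[k]) for k in ("FIRSTPAGE", "LASTPAGE", "CURRENTPAGE"))
        if not first <= cur <= last:
            raise ValueError("page numbers out of range")
        books.append({"id": f["ID"], "author": decode_text(f["AUTHOR"]),
                      "title": decode_text(f["TITLE"]), "pages": last})
    return books
```

Obscured values such as "sdfgsdfgsdfgsdfg" are valid base64 characters but do not decode to UTF-8, so they come back as None rather than as garbage text.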

txtr Beagle - part 3 - storage and transfer protocol

I'm wrapping this up for now as one of the COG (chip-on-glass) devices has apparently fried and the reader has sold out.

UPDATE: Andreas Schier has written an open-source java toolchain for Beagle: https://github.com/schierla/jbeagle


UPDATE: Florian Echtler has built two Python scripts, one emulating the server and another one for the client. The server allows you to send images to your reader: http://floe.butterbrot.org/matrix/hacking/txtr/


Part 1: http://hackcorellation.blogspot.de/2013/07/txtr-beagle-teardown-part-1.html

Part 2: http://hackcorellation.blogspot.de/2013/07/txtr-beagle-part-two-software.html

Part 4: http://hackcorellation.blogspot.de/2013/07/txtr-beagle-card-parser.html

Part 5: http://hackcorellation.blogspot.de/2013/07/txtr-beagle-native-code-analysis.html




I've scratched some of the white glue-like stuff away but the burn can be seen inside the glass. It was drawing about 1A upon changing pages and the COG was getting very hot.

Wednesday, July 17, 2013

Moving on to business

After a few hours of hunting templates I've finally settled on one that should be easy on the eyes. Just a matter of preference. This is not the final choice but until I learn the WordPress system it will have to do.

I have about 20 articles waiting to be written, all the pictures are already taken, but I don't know where to start:
- custom dual power supply with Stellaris (Tiva) Launchpad diagnostics
- marathon repair of 30+ out-of-factory items
- custom firmware for coffee machine
- lessons learned from reviving SLA, NiCd and LiPo batteries
- various laptop repairs
- workbench build log
- automating a native game on Android
- sending Android navigation instructions to a Bluetooth device
- reverse engineering Java and Android apps (one at a time)

On top of that there are a lot of smaller articles in the loop, basically tips, mostly useful for beginners (diskless/thin clients, workbench organization, protocol debugging, Android development, teardowns etc.).

I'll try to cover all the ground above in a systematic manner, meaning that longer articles will need to be split and mixed with others.