#109 Types of 433Mhz RF Modules in ZA

FS1000A module at 5v no attenuator just using antenna.

Recently I have been using wireless technologies for a few projects.

While looking for a balance between price, functionality and disposability I decided to focus on the 433Mhz RF modules.

These use a free spectrum and have been around for a long time. There are a few different types and kinds, with LoRa being kind of new and better in almost every way, but this comes at a high price compared with the standard 433 RF modules.

So I purchased a few receivers and transmitters from electronics suppliers located in South Africa.

All my tests consisted of running the 4 receivers at 5v and a single 17.3cm straight LAN cable strand as an antenna. The signal sent was a 23bit ASK signal with a pulse length of 1200ms.

All 3 transmitters were tested at 3.3v with a single 17.3cm straight LAN cable strand as an antenna.

The crude module actually has more power and range at 5V, but I am using them at 3.3v for super low power applications, so in this case the module loses.

The tests were done on farm land.

All transmitters could trigger the receivers at 400m line of sight but only a few could penetrate foliage and a galvanised steel shed.

The transmitters that support 5v could penetrate a little better sometimes.

The position of the transmitter/receiver could also greatly affect the received signal especially at range.

Also, during summer and during rain the signal was worse, with the foliage and water most likely absorbing and/or reflecting the signal.

All receivers were superheterodyne with a crystal and I did not use any counterpoise; though it would help in some circumstances, it makes the receiver impractical and large.

From worst to best


#108 Low current standby fix for IP5306 MH-CD42

BC547B NPN Transistor
IP5306 Module

Over the past few years I have been using the IP5306 chip and specifically the module shown in the image above.

The module is a great all in one solution for LiPo battery powered projects: charge, discharge, protection, 5v step up etc.

That being said there is 1 massively annoying caveat:

If the load current drops below 45mA during 32 seconds, the IP5306 will go into standby mode…

For low power battery operations this is simply unacceptable.. and I will not simply increase the current draw to keep it on.

There is an I2C version which allows us to change a few settings like standby mode in the IP5306 but for this fix I will focus on the “dumb version”.


An easy solution is to create a simple heartbeat circuit.

There is a button which, if pressed, resets the *32 seconds 45mA* timer and so prevents the IC from going into standby mode.

The module I have also has a solder pad where I can easily solder a wire to control this button via an MCU.

Using a *BC547 NPN* transistor we can create a simple switch to “press the button” at least once within the 32 seconds, in a loop.

In this way we can constantly keep the module powered.


– NPN transistor (I used the BC547B)

– resistor (1k is fine)

– hookup wires


The Base connects to the resistor and then your MCU pin of choice.

Emitter gets connected to GND.

Collector gets soldered to the button pad.


Once everything is soldered and double checked you can then add the code for the heartbeat.

In this case I use the millis() function and a simple repeating timer all written in a sketch .ino


#107 Identifying fake IP5306 MH-CD42 modules

Over the past 4 years I have been purchasing an all in one LiPo charge, protect and step up module for my LiPo battery projects.

This module has worked quite well but I have noticed some fake modules starting to creep in the market again…

Now I can live with fake chips that work close to spec.. but in this case the IC would power on once.. and then die completely.

The Module uses the IP5306 all in one power bank IC. There is a version which uses the MH-CD42 IC but I have always received a module containing the IP5306.

Therefore I will focus on this IC.

The module charges via 5v and steps up a non protected 3.7V battery to 5v, it also offers protection to the battery.

Over current protection (OCP), over-voltage protection (OVP), short circuit protection (SCP) and over temperature protection (OTP).

2.1A of current can be supplied which is a great reservoir for DIY projects and sometimes even an overkill.

After stating the most attractive traits above you can see why this module is much loved.

Fake on the left with a few distinctions on the IC.

Unfortunately once a module becomes extremely successful fakes start appearing out of the wood work trying to steal some glory.

And as usual the consumer suffers the brunt of the con job..

Thankfully in my case I only came across 2 modules that were fake and I was able to alert my local supplier.

Hopefully they will do something about it… and in case anyone has a similar issue I will do a small breakdown of the telltale signs these con boards display.

So you too will be able to identify and maybe save yourself some annoyance and time but most importantly save yourself some money.

Now I was able to compare 2 modules.

The fake has external circuitry which works and is laid out the same way as the original.

The fake IP5306 IC is the culprit here.

Soldering an original to the fake module actually can bring the module back to life again!

So if you are able to get a few working IP5306 chips you may be able to get your modules working again.

The telltale signs are:

Fake: text on PCB is faded

Fake: text on inductor is faded

Fake: text on IC looks elongated

Fake: text on IC is also slightly faded

Fake: the pin one identification is a small circular flat indent (original has a smaller concave indent like a ball)

Fake: the Infineon logo is close to the centre left of the IC and the thickness of the logo is very thin (original has a thick logo and is located upper left on the IC)

Fake: the inductor is completely flat (original has an indent all around the edge of the inductor)

The fake’s capacitors, resistors, LEDs, button and inductor seem to be the correct values but I cannot speak to the quality of them.

My theory is that the chip has a die which is far inferior to that of the original and thus it failed.

It could also be a complete fake in some cases.

Faded fake on the right.


#106 AJ-SR04M ultrasonic distance sensor for water

looks like a STM8S003F3 MCU, unmarked crystal and unmarked TTL IC
Underside has a 2 pin socket and is quite dirty…

Recently I have had an old mildly annoying problem snowball into a new serious problem…

Every few months the clean water supply from uThukela Water (Pty) Ltd has been switched off for multiple reasons… striking, damaged electric motors due to Eskom, sabotage and other issues to name a few very serious reasons.

So two large 2500L water tanks were installed in series as a backup which worked well for small water issues that would last maybe a week or two.

However, recently there has been no water from uThukela for over a month, and this is very serious.

This event triggered me to investigate water related problems and solutions specifically for my use case.

Order of importance:

  1. I need readily available clean drinking water
  2. Store this water for longer (get extra tanks)
  3. Keep water safely in the tank (no contaminants)
  4. Add sensors to monitor (water level sensor in this case)

For this article I will be focusing on the 4th item in the order of importance, since this is a tutorial website mainly about electronics.

Therefore I will start by saying I searched for a suitable water level sensor and came across the JSN-SR04T and clones.

This sensor looks very promising and easy to use with 6 available sensor modes (adding increased diversity).

N.B the copy does not have 6 extra modes which was disappointing considering their price point…

2.2m wire with the sensor at the end.

The copy has 3 modes and is similar to the JSN-SR04T-2.0

Now my goal is to use the JSN-SR04T with an ESP8266 connected via WiFi to send readings to my server every 30s, this unit will be completely powered by solar.

The ESP8266 will also have a LAN dashboard to view the readings in real time connected to WiFi but with a connection to the internet not needed, just in case the internet goes down I can still read the water level values.

Unfortunately, finding a commonly available original JSN-SR04T Ultrasonic Distance Sensor has been quite difficult in South Africa.

I have only been able to find the AJ-SR04M (functions like the JSN-SR04T-2.0), which is a clone but works just like the original. However, I see the price is equivalent to and sometimes even more than the original, which is quite strange. And of course the extra modes are missing…

The waterproof sensor
The sensor is epoxied and completely sealed looks easy enough to install

Mode 1: R27 is open.

The sensor returns an analogue signal. The formula to calculate the distance from the data is:

Test distance = (high time * speed of sound (340 m/s)) / 2;

Mode 2: R27 = A 47K resistor is soldered.

Every 100ms serial data will be sent in mm.

Serial baud rate: 9600, n, 8,1.

The frame format is: 0XFF + H_DATA + L_DATA + SUM
1. 0XFF: the frame start byte, used to detect where a frame begins;
2. H_DATA: the upper 8 bits of the distance data;
3. L_DATA: the lower 8 bits of the distance data;
4. SUM: the checksum, 0XFF + H_DATA + L_DATA = SUM (only the low 8 bits are kept).

Mode 3: R27 = A 120K resistor is soldered.

Good for low power applications.

After the module is powered on, the module enters standby mode.

If the module receives 0X55 it will send data over serial.

Serial baud rate: 9600, n, 8,1.

Datasheet for the stm8s003f3


#105 Custom integration sensors with custom receiver

V1.0 breadboard prototype with DIY EEPROM module
V1.0 stripboard soldered prototype with USB and Lipo battery
Testing 2x custom sensors (1x ATTINY85 and 1x ATTINY412) with 433 RF modules

Recently I wanted to integrate the RoboGuard system with some custom sensors on my farming property.

This motivated me to study the hardware and RF protocols used by the RoboGuard.

I would also like to account for multiple RoboGuard transmitters scattered over the property. Each RoboGuard device has 2x PIR sensors and sends an alarm signal once both are triggered.

They also send a heartbeat ping every 15min.

They have a range of roughly 400m from transmitter RoboGuard to receiver HQ.

Testing EEPROM data storage.

Now the RoboGuard system uses 433.92MHz to send signals to the HQ, however the HQ can only add up to 8 paired RoboGuards.

Once you reach this limit you will need to purchase more RoboGuard units.

For example if you had 12 RoboGuards, 2 HQ units would be required but if you wanted an HQ that can store more than 8 you would be out of luck.

Luckily I had made my own custom RoboGuard receiver and was able to add my own DIY sensors to the RoboGuard device ecosystem.

The protocol used is 433.92 ASK and each RoboGuard has 3 signals

  • alarm
  • tamper/learn
  • heartbeat ping
Testing penetration behind galvanised shed (using CY33 module)

Now my receiver needs to store the received device learn UID and this is done via EEPROM on my board

Now my custom device receives all signals just like the RoboGuard HQ.

Next is communicating with the TAK Server.

I could swap the 328P for an ESP8266 which allows WiFi connectivity to the internet

This then allows the device to connect wirelessly.

It still receives RF data from the RoboGuards and just ports these signals over the internet

In future I will make a device with an integrated WiFi connection, but in this case all I wanted was more zones and an affordable extra device to keep in my laboratory permanently, with the capability to receive 433MHz signals while walking around the premises if need be.

Overall my unit contains

A speaker
6 push buttons
2000mAH Lipo battery
built in charger
ability to add 12 RoboGuard clients (more depending on EEPROM size)
433 MHz superheterodyne receiver only
logic to handle all these features

Front of the 433 Transmitter
Back of the 433 Transmitter

More info + datasheets and schematics etc. on my GitHub here


#104 Reverse engineering an old linear power supply

Back panel connectors Antronics made by TPW

Recently I came into possession of two working UPS devices from 1993. Both of them had old capacitors and old 12v7a lead acid batteries inside the devices.

First thing I did was clean the cases and the PCB boards. Once that was done I replaced the old capacitors and the 12v7a batteries, then I tested both devices. Both work fine but the design is old and a bit dangerous.

Secondary side
Primary side

So I decided to reverse engineer the circuit in order to better understand the design and to see if I could make any improvements to a design I would like to make.

While reversing the PCB I noticed that the mains earth and the GND of the circuit were connected together. I also noticed some discoloration from what looks like heat between the regulator and the transformer. Also the 330 ohm resistor for the LED appeared to be discoloured from what also looks like excessive heat.

Mirrored for reversing
The original schematic I reversed
Schematic after I implemented suggestions

With these issues in mind I also noticed that the heatsink for the LM317T was very small and close to the transformer and the mains 1A fuse was placed after the choke and varistors instead of before them.

In conclusion I decided to choose between a different regulator at a fixed voltage or a chain of 4 LM317Ts providing around 6A of peak current. Since I do not need to adjust my voltage like the original circuit, I should be able to get 13.75v by using a fixed 1k and 10k resistor. I also wanted better heat dissipation and Amps, so I will definitely install good heatsinks with thermal compound. Depending on the size of the enclosure I get for the project I may add a fan.

The project files and components list etc. can be found on my Github here.


#103 Dangerous BK-357 USB charger teardown

Listing on Takealot
Claimed output…

While looking for a new multi port USB charger I came across the Model BK-357 sold on Takealot by OQ Trading. This charger had many positive reviews with a 4.1 star rating at the time of writing this article and for the low price of R149.00 I had to give this device a try.

Caps could potentially be repurposed from e-waste…

Once I received my charger I noticed that the fast charge USB port was working flawlessly but the 3 normal charging USB ports seemed to have current divided between them.

So I decided to open the charger to investigate further. I noticed the bottom part was glued into place and could be pried open carefully with a small screwdriver and spudger.

Primary and secondary sides with a thin line in-between…

Once opened, the PCB was in good condition and contains 2 small switching transformers and a nice fusible resistor that also acts as an inrush limiter, but that’s where the positives end. The interference capacitor was skimped on, and the electrolytic capacitors are all different colours and brands. It’s possible that they have been taken off old junk and re-purposed, which is okay, but they may have a diminished quality, which is almost as alarming as the gap between the primary and secondary sides of the transformers. The biggest gap is around 4.8mm, which is not too bad, but right in the middle the gap closes all the way to 1.3mm!!!

Largest gap is around 4.8mm and the smallest is a whopping 1.3mm!!

This is very dangerous since there is 1.3mm of PCB space between you and mains voltage!!!

I will be posting my findings as a review on Takealot.

When purchasing multiple socketed USB chargers go for the larger more expensive ones.. As you can see in this case the tiny transformers just can’t output enough current on the cheapies.

The article from Europe’s Safety Gate Alerts can be found here. They identified the problems and measured the charger all the way back in December 2021 in Ireland and here in SA we are happily selling these.

I have also included an article from a Russian review back in March 2021, where the charger was also analysed and determined to be a potential hazard. The article can be found here.

1x fast charge 3x normal charge with current divided by 3


#102 Reprogramming an old CM140 radio

Motorola CM140 From 2003.
Testing shows great results.

If you do not have the code plug password or a saved code plug with the radio’s serial number then this post is for you.

I recently came into possession of 2 Motorola CM140 25W radios. These radios belonged to my grandfather’s old security company which is now dissolved, however amongst a lot of the kit I was able to save a few gems.

Upon inspection these radios were in immaculate condition despite their age. I was able to power up both radios only to find that they were programmed to one channel, and when I used Commercial Series CPS (customer programming software) I could not read or write to the radio since the code plug was password protected.

Luckily I found a sample code plug for the model of CM140 radio I had. This allowed me to clone and change the password of the radio using the sample code plug. Now I can read/write to the radio.

I have created a step by step document on my GitHub page here.

Schematic For The Programming Cable.
Any 5v TTL Device Can Work.


#101 Reverse Engineering A Simple Crack

A lot of times the ordinary everyday person is unable to resist using pirated software. After all it’s free and usually works, there is the chance of contracting a virus or other malware but using reputable “sources” is acceptable because if many comments praise the distributor then obviously the software can be fine right?

Well…. not necessarily… in some cases bots can create comments and high seed counts, creating the appearance of a well received product. Also, flags as false positives can be used as camouflage; sometimes the crack installs discreet backdoors, sometimes following the living off the land principle: basically using the files and programs already installed out of the box on Windows or Linux. This makes it very difficult to find the malware as no foreign exe or files are used (at least in the initial stage of infection).

Therefore antivirus software can get stuck with behavior analysis and hash scans. Creating large files (hundreds of megabytes), reversing code and using a BOM to obfuscate are a few little tricks that may be caught by themselves, but layering all these techniques can make the malware almost undetectable.

So I decided to create an example using a real life application and crack I found for IBM Analyst’s Notebook, which is used by private and government organizations, opening a broad portal to many computers. Luckily when I decoded the scripts I did not see anything too suspicious. However, after the patch (DTD.dll) is installed I do not know what behavior the application will show.

The application was downloaded via torrent and yes all the files were correct no man in the middle attacks took place.

Three files are present after unzipping IBM i2 Analyst’s Notebook 9.2.3

Luckily Windows CMD and PowerShell are used to copy the crack.

Initial folder contents.


Crack folder contents.

Interestingly enough, Readme.txt only instructs the user to run patch.bat, although the file DTD.dll is copied to \Program Files (x86)\Common Files\i2 Shared\i2 Analyst’s Notebook 7\Components\DTD.dll

There’s no mention of the i2 Analyst’s Notebook 7 folder and we are presumably installing version 9.2.3

patch.bat is obfuscated due to some carefully chosen bytes at the very beginning of the file that are able to trick file and other charset detection software.

Obfuscated patch.bat file
Taking a peek inside the obfuscated patch.bat file

As referenced by this

However, once we remove the character and save the file we can see that the .bat file calls PowerShell and then extracts and reverses a script from the bin.dat file, then runs the extracted script in the terminal.

After removing the character

This 1st PowerShell script checks for admin privilege, then reverses and reads another script from bin.dat.

The 2nd PowerShell script checks the install folders and makes use of the Windows dialogs, then uses VirtualAlloc to copy DTD.dll from the bin.dat file to the
\Program Files (x86)\Common Files\i2 Shared\i2 Analyst’s Notebook 7\Components\ directory.

Then ends with a messagebox Patch complete!
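
A triage check for the two tricks described above (a byte-order mark in front of an otherwise plain-ASCII patch.bat, and script text stored reversed in bin.dat), as an added example that is not the author's tooling. It assumes the leading bytes are a UTF-16 or UTF-32 byte-order mark, which the post does not specify; the function names, keyword list and sample bytes are constructed for illustration.

```python
# Byte-order marks that make editors and charset detectors treat a file as
# UTF-16/UTF-32. The 4-byte marks are listed first because the UTF-32 LE
# mark starts with the same two bytes as the UTF-16 LE one.
BOMS = (
    (b"\xff\xfe\x00\x00", "utf-32-le"),
    (b"\x00\x00\xfe\xff", "utf-32-be"),
    (b"\xff\xfe", "utf-16-le"),
    (b"\xfe\xff", "utf-16-be"),
)

# Keywords to look for in reversed form. "powershell" and "virtualalloc" come
# from the write-up above; extending the list is left to the analyst (assumption).
KEYWORDS = ("powershell", "virtualalloc")


def check_bom_mismatch(raw: bytes) -> dict:
    """Flag a file whose BOM claims UTF-16/32 while the body is single-byte ASCII."""
    claimed, body = None, raw
    for bom, name in BOMS:
        if raw.startswith(bom):
            claimed, body = name, raw[len(bom):]
            break
    printable = sum(1 for b in body if b in (9, 10, 13) or 32 <= b < 127)
    ascii_ratio = printable / len(body) if body else 0.0
    # Genuine UTF-16/32 text made of ASCII characters is full of NUL bytes.
    mismatch = claimed is not None and b"\x00" not in body and ascii_ratio > 0.95
    return {
        "claimed_encoding": claimed,
        "bom_mismatch": mismatch,
        # Readable view for the analyst; the file on disk is left untouched.
        "clean_text": body.decode("ascii", "replace") if mismatch else None,
    }


def reversed_keyword_hits(blob: bytes, keywords=KEYWORDS) -> list:
    """Return the keywords that appear in blob spelled backwards (case-insensitive)."""
    lowered = blob.lower()
    return sorted(k for k in keywords if k.lower()[::-1].encode("ascii") in lowered)


# Constructed samples (benign, not taken from the analysed crack):
SUSPECT_BAT = b"\xff\xfe" + b"@echo off\r\necho constructed sample\r\n"
GENUINE_UTF16_BAT = "\ufeff@echo off\r\n".encode("utf-16-le")
REVERSED_BLOB = b"\x01\x02" + b"Write-Host 'constructed'"[::-1] + b" collAlautriV llehsrewop"

if __name__ == "__main__":
    print(check_bom_mismatch(SUSPECT_BAT))
    print(check_bom_mismatch(GENUINE_UTF16_BAT))
    print(reversed_keyword_hits(REVERSED_BLOB))
```
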

Opening DTD.dll with dependency viewer shows only 4 functions.

Methods inside of the DTD.dll file

A VirusTotal scan of DTD.dll shows only 3 positives.


#100 Monitoring A Line UPS Remotely

Modernizing the old UPSilon 2000 application was a daunting task. My first thought was to read the serial output, but unfortunately the UPS is listed as a HID device and not a simple COM port. So I went down the rabbit hole of trying to communicate with HID devices, which have strict security to combat keyloggers. I tried to use kernel32 and the create file, read file and write file methods but I got access denied. Looking closer, I could read some of the inputs of the UPS HID device, but it was going to take too long to figure out direct communication to the UPS without an SDK or a good example app using USB HID to communicate with a UPS.

Computer Management Hid UPS

Some details of my ups hid were:
VID = 0001
PID = 0000
Path = \?\hid#vid_0001&pid_0000#6&7efa158&0&0000#{4d1e55b2-f16f-11cf-88cb-001111000030}
SerialNumber =
Manufacturer = MEC
Product: MEC0003

Communication over USB

So after wasting 2 days I went back to the drawing board. This time, instead of using Wireshark to catch the USB packets, I decided to take a closer look at the UPSilon 2000 application. Unfortunately the .dll's don’t show any useful functions in dependency viewer, so I can’t call C++ functions from them in C#. So next I switched Wireshark to local monitoring and I found some very useful traffic.

tcp.port == 2570 connect as a client and get data
tcp.port == 8652 read the data from the sms server
udp.port == 11541 udp data

Port 8652 allows me to read alerts sent to the SMS server but instead I re-direct them to my C# application.

GET /smssend_hide.cgi?$sms_recptmobile=0123456789&$sms_content=DESKTOP-294DAYV: This is a test message!&$sms_code=1 HTTP/1.1
User-Agent: RUPS2K SMS
Connection: Keep-Alive

Port 2570 allows me to TCP connect as a client with no auth and now I get all the stat report strings every 1 second.

(238.7 238.7 238.7 007 50.1 27.4 --.- 00001000
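
A validating parser for the status line above, as an added example that is not the author's C# application. Lines from port 2570 arrive without authentication, so the parser rejects anything that does not match the expected shape; the field and flag names are an assumption based on the Megatec Q1 status layout, which the sample line matches but the post does not name.

```python
import re

# Flag names for the 8-character status field, first character first.
# Assumption: Megatec Q1 layout; the post does not name these bits.
STATUS_FLAGS = (
    "utility_fail", "battery_low", "boost_or_buck_active", "ups_failed",
    "standby_type", "test_in_progress", "shutdown_active", "beeper_on",
)
# Names for the seven numeric fields, in order (same assumption).
NUMERIC_FIELDS = (
    "input_v", "input_fault_v", "output_v", "load_pct",
    "freq_hz", "battery_v", "temp_c",
)
ALERT_FLAGS = {"utility_fail", "battery_low", "ups_failed"}

_NUMBER = re.compile(r"\d{1,4}(\.\d{1,2})?")
_BLANK = re.compile(r"-+(\.-+)?")       # placeholder such as "--.-"


def _number(token: str):
    """Convert one numeric token; a dashed placeholder becomes None."""
    if _BLANK.fullmatch(token):
        return None
    if not _NUMBER.fullmatch(token):
        raise ValueError(f"unexpected numeric field: {token!r}")
    return float(token)


def parse_status(line: str) -> dict:
    """Parse one status line, raising ValueError on anything malformed."""
    line = line.strip()
    if len(line) > 64 or not line.startswith("("):
        raise ValueError("not a status line")
    tokens = line[1:].split()
    if len(tokens) != 8:
        raise ValueError("expected 7 numeric fields and a flag field")
    bits = tokens[7]
    if len(bits) != 8 or set(bits) - {"0", "1"}:
        raise ValueError("flag field must be 8 binary digits")
    report = {name: _number(tok) for name, tok in zip(NUMERIC_FIELDS, tokens)}
    report["flags"] = {n for n, b in zip(STATUS_FLAGS, bits) if b == "1"}
    return report


def alerts(report: dict) -> list:
    """Flags worth forwarding as a notification, sorted for stable output."""
    return sorted(report["flags"] & ALERT_FLAGS)


SAMPLE = "(238.7 238.7 238.7 007 50.1 27.4 --.- 00001000"       # line from the post
ON_BATTERY = "(000.0 238.7 230.0 012 50.0 23.1 --.- 11001000"   # constructed

if __name__ == "__main__":
    print(parse_status(SAMPLE))
    print(alerts(parse_status(ON_BATTERY)))
```
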

The UDP port 11541 always receives upsXXXcnt001 for constant monitoring and I haven’t observed any other use besides this.

ups000cnt001 – connected ups
upsdiscnt001 – not connected

The exe files communicating between themselves are
Monw32.exe 11541 udp listener
RupsMon.exe 2570 tcp listener
UPSilon.exe connects as client

So after finding this info I was able to build a C# app that works in conjunction with UPSilon 2000 but the C# app offers more flexibility such as remote messaging via Telegram or forwarding the stats to a webserver for remote viewing.

The application checks the CD key every time it starts: it connects to an IP in Taiwan on port 80, however if you go to port 8080 you get a webpage with a CD key checking form.

Reporting serial key and NTFS to home via:

The only thing I couldn’t do was send commands directly to the ups because that communication link is done within the upsilon app itself however I am happy with the overall outcome.

Source code of my application can be found on GitHub
