Category Archives: Experimental

12V BATTERY REVIVAL

#110 Reviving an old 100A 12v lead acid battery

After the first zap the battery was around 4V…

Why do some South Africans have to scrape the bottom of the barrel reconditioning old batteries?

Opening themselves up to potential health concerns and pollution of the environment?

Maybe I can explain.

We’ve had load shedding for years now and with the recent shenanigans for almost half a decade it’s got exponentially worse with even the ultra wealthy feeling it a bit.

You’d think these clever a wealthy men would have come up with a solution by now… but it’s seems as if they have either found a way to get comfortable or they just don’t care… As long as they are making money from their diabolical cadres and corrupt hand shakers why should they care? After all they can run their water, washing machine, stove and medical equipment because they either don’t get loadshedding in their public servant mansions or they have installed million rand solar systems using taxpayers monies it’s a win-win “we fail upwards in life”.

All this while endorsing terrorist activities blatantly with no recourse or accountability using South Africa’s past to manipulate the current population into submission for the “election year” the audacity is unbelievable.. but yeah with the 30% pass rate these guys have dumbed us down and are extremely comfortable in the current climate they have designed. They really set an honourable bar to pass. I could go on but this is article is about a battery.

Seems bleak and it’s hard to ignore or be patriotic and loving towards your county and fellow citizens when there’s so much negative energy being pumped in by the guys we are supposed to trust in looking after us.. giving our data to, trusting their banks… No wonder there’s so much crime and hate.. these guys flourish in it like bacteria fueled by glucose eating a tooth. Even when the tooth is rotten the bacteria continuous to eat and will.. if not treated get into the bloodstream infecting the entire body. The bacteria doesn’t take into consideration that in future it will die along with the tooth it just consumes indiscriminately.

With that being said lets get into battery reconditioning.

Recently I got hold of an old 12v lead acid 100A battery. This battery was bought 20 years ago and stored in a corner for a rainy day.

The battery was never charged and never used.

Upon inspection the battery was at around a measly 1.95V.. this did not look good but luckily I have a DC MIG/MMA welder and decided to use the good old crude welding trick on this big boy.

I removed the MIG setup and installed the stick clamp to the + terminal and the ground to the – terminal. see the photo.

Welder settings:

I set the welder volts to about 21V and the amps to around 25A. Make sure you are using a DC welder AC will NOT work.

Make sure you do this outside or in a well ventilated room. It’s VERY important.. battery acid is no joke to organic materials.

First I did 21v at 25A for 5 minutes then let the battery rest for a whole day to observe it.

Once I concluded it seemed like it was fine my formula was 21v at 25A for 5 minutes then a 10 minute cooldown in between.

I did this 6 times and measured the battery in between times.

Times:

cycle: 19.17 V
cycle: 29.50 V
cycle: 310.97 V
cycle: 411.41 V
cycle: 511.75 V
cycle: 611.77 V

Once this was done I let the battery rest for a day.

Battery at 9V

Now comes the patience part… The battery could hold a charge but ever so slightly would drain and it was supper thirsty.

So I setup a dumb charger at 5A and let the battery charge up for a few days checking intermittently.

Next I setup my recondition charger and let it do it’s thing for a week and what do you know the recondition charger reported great values.

However the battery was still thirsty so I switched back to the 5A dumb charger and let it run for another week..

Fast forward about 3 weeks of low current and recondition charging and the battery seems to be doing fine

Holding a rock solid 12.6V and running my LED lights.

So my conclusion is that it is possible to desulfate and recondition a 100A lead acid battery that has never been used. The initial welder zapping was only the start I needed at least 3 weeks after that to “recondition” the battery to a useable state and I still don’t know the long term potential issues.

It really was just a patience game and also don’t do anything like messing around with the acid weights.

I would still like to figure out how to balance acid and water plus all the battery chemistry stuff but for now this welder trick is good enough.

UPDATE:

About a week later the battery began acting up again seems the internal resistance is high and there is a constant draw bringing the battery voltage down.

Overall I can say that this was a temporary solution and at the moment I don’t have all the fancy battery tools or chemistry knowledge to experiment further.

Also though the battery has issues it can still be somewhat used for low voltage applications now. So I guess I’ll view this as a feature instead of a bug 🙂 cheers

COMMON RF MODULES IN SOUTH AFRICA

#109 Types of 433Mhz RF modules in ZA

FS1000A module at 5v no attenuator just using antenna.

Recently I have been using wireless technologies for a few projects.

While looking for a balance between price, functionality and disposability I decided to focus on the 433Mhz RF modules.

These use a free spectrum and have been around for a long time. There’s is a few different types and kinds, with LORA being kind of new and better in almost every way but this comes at a high price compared with the standard 433 RF modules.

So I purchased a few receivers and transmitters from electronics suppliers located in South Africa.

All my tests consisted of running the 4 receivers at 5v and a single 17.3cm straight LAN cable strand as an antenna. The signal sent was a 23bit ASK signal with a pulse length of 1200ms.

All 3 transmitters were tested at 3.3v with a single 17.3cm straight LAN cable strand as an antenna.

The transmitters testes were the FS1000A, CYT1 and the WL102-341.

The crude module actually has more power and range at 5V but I am using them at 3.3v for super low power applications so In this case the module loses.

The Tests were done on farm land.

All transmitters could trigger the receivers at 400m line of sight but only a few could penetrate foliage and a galvanised steel shed.

I only needed MAX 400m which is why I stopped there but some sources claim up to 600m – 800m + for these superheterodyne modules. Not as good as LoRa but for the price what reason do I need not to use them?

*Sidenote Using RF or LoRa in conjunction with a 2.4G Wifi module like the ESP32 or even 3G/4G modules can create multi dimensional divers systems. where we are leveraging the long range and penetration + power output of 433Mhz and 868Mhz but also allowing packets of data to connect over the internet to be stored on a server for data analysis and the creation of graphs to make the data more visually appealing.

Currently I do have some pilot devices and hope to one day make some good quality sensors in 3 different tiers:

  1. Cheap and disposable sensors
  2. Affordable long term sensors
  3. High end sensors

These will be focused on use within rural outdoor areas and I will have a version with Gerber files and schematics etc. available for anyone to download and make for themselves. However the more refined version with a nice enclosure and style will be sold commercially since I do want to be paid for my work.

Back to the modules..

The transmitters that support 5v could penetrate a little better sometimes.

The position of the transmitter/receiver could also greatly affect the received signal especially at range.

Also during summer and during rain the signal was worse with the foliage and water most likely absorbing and/or reflecting the signal

All receivers were superheterodyne with a crystal and I did not use any counterpoise though it would help in some circumstances it makes the receiver unpractical and large.

From worst to best

Some people may wonder why I am using these modules instead of the fashionable LoRa modules. This is simply due to cost and availability.

Designing a good circuit cost time and money. Inserting said circuit into an extremely hostile environment like for example.. rural South Africa is an even more costly exercise

I have had devices damaged by the sun, damaged by water, damaged by ants, damaged by cows, damaged by some kind of rabid animal (assuming jackal) The list goes on.

AND I have not even mentioned the human element… devices damaged by criminals some even STOLEN… for what? You telling me that criminal is sitting in the bush conspiring to reverse engineer my simple circuit and RF protocol and some how will be able to defeat Microchips code protection? I highly doubt it but it is possible…

So now I hope you can understand why these cheap modules do work and are very useful + inexpensive for my purposes.

I also have LoRa versions but for now I only use those when distance and extreme sensitivity is needed.

IP5306 MH-CD42 HEARTBEAT

#108 Low current standby fix for IP5306 MH-CD42

BC547B NPN Transistor
IP5306 Module

Over the past few years I have been using the IP5306 chip and specifically the module shown in the image above.

The module is a great all in one solution for LiPo battery powered projects: charge, discharge, protection, 5v step up etc.

That being said there is 1 massively annoying caveat:

If the load current drops below 45mA during 32 seconds, the IP5306 will go into standby mode…

For low power battery operations this is simply unacceptable.. and I will not simply increase the current draw to keep it on.

There is an I2C version which allows us to change a few settings like standby mode in the IP5306 but for this fix I will focus on the “dumb version”.

Solution

An easy solution is to create a simple heartbeat circuit.

Since there is a button which will prevent the IC from going into standby mode, if pressed it will reset the *32 seconds 45mA* timer.

The module I have also has a solder pad where I can easily solder a wire to control this button via an MCU.

Using a *BC457 NPN* transistor we can create a simple switch to “press the button” at least once within the 32 seconds within a loop.

In this way we can constantly keep the module powered.

Parts

– NPN transistor (I used the BC547B)

– resistor (1k is fine)

– hookup wires

Connections

The Base connects to the resistor and then your MCU pin of choice.

Emitter gets connected to GND.

Collector gets solddered to the button pad.

Code

Once everything is soldered and double checked you can then add the code for the heartbeat.

In this case I use the millis() function and a simple repeating timer all written in a sketch .ino

ULTRASONIC WATER LEVEL SENSOR

#106 AJ-SR04M ultrasonic distance sensor for water

looks like a STM8S003F3 MCU, unmarked crystal and unmarked TTL IC
Underside has a 2 pin socket and is quite dirty…

Recently I have had an old mildly annoying problem snowball into a new serious problem…

Every few months the clean water supply from uThukela Water (Pty) Ltd has been switched off for multiple reasons… striking, damaged electric motors due to Eskom, sabotage and other issues to name a few very serious reasons.

So two large 2500L water tanks were installed in series as a backup which worked well for small water issues that would last maybe a week or two.

However recently There has been no water from uThukela for over a month, and this is very serious.

This event triggered me to investigate water related problems and solutions specifically for my use case.

Order of importance:

  1. I need readily available clean drinking water
  2. Store this water for longer (get extra tanks)
  3. Keep water safely in the tank (no contaminates)
  4. Add sensors to monitor (water level sensor in this case)

For this article will be focusing on the 4th order of importance since this is a tutorial website mainly about electronics.

Therefore I will start by saying I searched for a suitable water level sensor and came across the JSN-SR04T and clones.

This sensor looks very promising and easy to use with 6 available sensor modes (adding increased diversity).

N.B the copy does not have 6 extra modes which was disappointing considering their price point…

2.2m wire with the sensor at the end.

The copy has 3 modes and is similar to the JSN-SR04T-2.0

Now my goal is to use the JSN-SR04T with an ESP8266 connected via WiFi to send readings to my server every 30s, this unit will be completely powered by solar.

The ESP8266 will also have a LAN dashboard to view the readings in real time connected to WiFi but with a connection to the internet not needed, just in case the internet goes down I can still read the water level values.

unfortunately finding a commonly available original JSN-SR04T Ultrasonic Distance Sensor has been quite difficult in South Africa.

I have only been able to find the AJ-SR04M (functions like the JSN-SR04T-2.0) which is a clone but works just like the original, however I see the price is equivalent and sometimes even more than the original which is quite strange. An of course the extra modes are missing…

The waterproof sensor
The sensor is epoxied and completely sealed looks easy enough to install

Mode 1: R27 = is open.

The sensor returns an analogue signal. The formula to calculate the distance from the data is:

Test distance = (high time * speed of sound (340M / s)) / 2;

Mode 2: R27 = A 47K resistor is soldered.

Every 100ms serial data will be sent in mm.

Serial baud rate: 9600, n, 8,1.

The frame format is: 0XFF + H_DATA + L_DATA + SUM
1.0XFF: for a frame to start the data, used to judge;
2.H_DATA: the upper 8 bits of the distance data;
3.L_DATA: the lower 8 bits of the distance data;
4.SUM: data and, for the effect of its 0XFF + H_DATA + L_DATA = SUM (only low 8)

Mode 3: R27 = A 120K resistor is soldered.

Good for low power applications.

After the module is powered on, the module enters standby mode.

If the module receives 0X55 it will send data over serial.

Serial baud rate: 9600, n, 8,1.

Datasheet for the stm8s003f3

ROBOGUARD INTEGRATION

#105 Custom integration sensors with custom receiver

V1.0 breadboard prototype with DIY EEPROM module
V1.0 stripboard soldered prototype with USB and Lipo battery
Testing 2x custom sensors (1x ATTINY85 and 1x ATTINY412) with 433 RF modules

Recently I wanted to integrate the RoboGuard system with some custom sensors on my farming property.

This motivated me to study the hardware and RF protocols used by the RoboGuard

I would like to also account for multiple RoboGuard transmitters scattered over the property each RoboGuard device has 2x pir sensors and sends an alarm signal once both are triggered.

They also send a heartbeat ping every 15min.

They have a range of roughly 400m from transmitter RoboGuard to receiver HQ.

Testing EEPROM data storage.

Now the RoboGuard system uses 433.92Mhz to send signals to the HQ however the HQ can only add up to 8 paired RoboGuards.

Once you reach this limit you will need to purchase more RoboGuard units.

For example if you had 12 RoboGuards, 2 HQ units would be required but if you wanted an HQ that can store more than 8 you would be out of luck.

luckily I had made my own custom RoboGuard receiver and was able to add my own DIY sensors to the RoboGuard device ecosystem

The protocol used is 433.92 ASK and each RoboGuard has 3 signals

  • alarm
  • tamper/learn
  • heartbeat ping
Testing penetration behind galvanised shed (using CY33 module)

Now my receiver needs to store the received device learn UID and this is done via EEPROM on my board

Now my custom device receives all signals just like the RoboGuard HQ.

Next is communicating with the TAK Server.

I could swap the 328P for an ESP8266 which allows WiFi connectivity to the internet

This then allows the device to connect wirelessly.

It still receives RF data from the RoboGuards and just ports these signals over the internet

In future I will make a device with an integrated WiFi connection but In this case all I wanted was more zones and an affordable extra device to keep in my laboratory permanently with the capability to receive 433mhz signals walking around the premises. If need be

Overall my unit contains

A speaker
6 push buttons
2000mAH Lipo battery
built in charger
ability to add clients 12 RoboGuards (more depending on EEPROM size)
433 MHz superheterodyne receiver only
logic to handle all these features

Front of the 433 Transmitter
Back of the 433 Transmitter

More info + datasheets and schematics etc. on my GitHub here

LINEAR POWER SUPPLY FROM 1993

#104 Reverse engineering an old linear power supply

Back panel connectors Antronics made by TPW

Recently I came into possession of two working ups devices from 1993. both of them had old capacitors and old 12v7a lead acid batteries inside the devices.

First thing I did was clean the cases and the PCB boards. Once that was done I replaced the old capacitors and the 12v7a batteries, then I tested both devices. both work fine but the design is old and a bit dangerous.

Secondary side
Primary side

So I decided to reverse engineer the circuit in order to better understand the design and to see if I could make any improvements to a design I would like to make.

While reversing the PCB I noticed that the mains earth and the GND of the circuit were connected together. I also notices sone discoloration from what looks like heat between the regulator and the transformer. Also the 330 ohm resistor for the led appeared to be discoloured from what also looks like excessive heat.

Mirrored for reversing
The original schematic I reversed
Schematic after I implemented suggestions

With these issues in mind I also noticed that the heatsink for the LM317T was very small and close to the transformer and the mains 1A fuse was placed after the choke and varistors instead of before them.

In conclusion I decided to choose between a different regulator at a fixed voltage or a chain of 4 LM317Ts providing around 6A of peak current, Since I do not need to adjust my voltage like the original circuit I should be able to get 13.75v by using a fixed 1k and 10k resistor. I also wanted better heat dissipation and Amps so I will definitely install good heatsinks with thermal compound. Depending on the size of the enclosure I get for the project I may add a fan.

The project files and components list etc. can be found on my Github here.

THE GAP BETWEEN YOU AND MAINS

#103 Dangerous BK-357 USB charger teardown

Listing on Takealot
Claimed output…

While looking for a new multi port USB charger I came across the Model BK-357 sold on Takealot by OQ Trading. This charger had many positive reviews with a 4.1 star rating at the time of writing this article and for the low price of R149.00 I had to give this device a try.

Caps could potentially be repurposed from e-waste…

Once I received my charger I noticed That the fast charge USB port was working flawlessly but the 3 normal charging USB ports seemed to have current divided between them.

So I decided to open the charger to investigate further. I noticed the bottom part was glued into place and could be pried open carefully with a small screwdriver and spudger.

Primary and secondary sides with a thin line in-between…

Once opened the PCB was in good condition and contains 2 small switching transformers and a nice fusible resistor that also acts as an inrush limiter but that’s where to positives end. The interference capacitor was skimped on also the electrolytic capacitors are all different colours and brands It’s possible that they have been taken off old junk and re-purposed which is okey but they may have a diminished quality which is almost as alarming as the gap between the primary and secondary sides of the transformers. The biggest gap is around 4.8mm which is not to bad but right in the middle the gap closes all the way to 1.3mm!!!

Largest gap is around 4.8mm and the smallest is a whopping 1.3mm!!

This is very dangerous since there is 1.3mm of PCB space between you and mains voltage!!!

I will be posting my findings as a review on Takealot.

When purchasing multiple socketed USB chargers go for the larger more expensive ones.. As you can see in this case the tiny transformers just can’t output enough current on the cheapies.

The article from Europe’s Safety Gate Alerts can be found here. They identified the problems and measured the charger all the way back in December 2021 in Ireland and here in SA we are happily selling these.

I have also included an article from a Russian review back in March 2021. where The charger was also analysed and determined to be a potential hazard the article can be found here.

1x fast charge 3x normal charge with current divided by 3

MOTOROLA CM140

#102 Reprogramming an old CM140 radio

Motorola CM140 From 2003.
Testing shows great results.

If you do not have the code plug password or a saved code plug with the radios serial number then this post is for you.

I recently came into possession of 2 Motorola CM140 25W radios. These radios belonged to my grandfathers old security company which is now dissolved, however amongst a lot of the kit I was able to save a few gems.

Upon inspection these radios were in immaculate condition despite there age. I was able to power up both radios only to find that they were programmed to one channel and when I used Commercial Series CPS (customer programming software) I could not read or write to the radio since the code plug was password protected.

Luckily I found a sample code plug for the model of CM140 radio I had. This allowed me to clone and change the password of the radio using the sample code plug now I can read/write to the radio

I have created a step by step document on my GitHub page here.

Schematic For The Programming Cable.
Any 5v TTL Device Can Work.

REVERSING ANB CRACK

#101 Reverse Engineering A Simple Crack

A lot of times the ordinary everyday person is unable to resist using pirated software. After all it’s free and usually works, there is the chance of contracting a virus or other malware but using reputable “sources” is acceptable because if many comments praise the distributor then obviously the software can be fine right?

Well…. not necessarily… in some cases bots can create comments and high seed counts creating the appearance of a well received product. Also flags as false positives can be used as camouflage, sometimes the crack installs discrete backdoors sometimes following the living of the land principal. Basically using the files and programs already installed out of the box on Windows or Linux. This makes it very difficult to find the malware as no foreign exe or files are used (at least in the initial stage of infection)

Therefore antivirus software can get stuck with behavior analysis and hash scans. Creating large files (hundreds of megabytes) and reversing code, using BOM to obfuscate are a few little tricks that may be caught by themselves but layering all these techniques can make the malware almost undetectable.

So I decided to create an example using a real life application and crack I found for IBM analyst’s notebook which is used by private and government organizations. Opening a broad portal to many computers luckily when I decoded the scripts I did not see anything too suspicious. however after the patch (DTD.dll) is installed I do not know what behavior the application will show.

The application was downloaded via torrent and yes all the files were correct no man in the middle attacks took place.

Three files are present after unzipping IBM i2 Analyst’s Notebook 9.2.3 Multilingual.zip

Luckily windows CMD and Powershell are used to copy the cack.

crack.zip
IBM_I2_ANB_V9.2.3.exe
IBM_I2_CHART_READER_V9.2.3.exe

Initial folder contents.

Inside crack.zip
bin.dat
patch.bat
Readme.txt

Crack folder contents.

Interesting enough Readme.txt only instructs the user to run patch.bat although the file DTD.dll is copied to \Program Files (x86)\Common Files\i2 Shared\i2 Analyst’s Notebook 7\Components\DTD.dll

There’s no mention of the i2 Analyst’s Notebook 7 folder and we are presumably installing version 9.2.3

patch.bat is obfuscated due to some carefully chosen bytes at the very beginning of the file that are able to trick file and other charset detection software.

Obfuscated patch.bat file
Taking a peek inside the obfuscated patch.bat file

As referenced by this

However once we remove the character and save the file we can see that the .bat file calls Powershell and then extracts and reverses a script from the bin.dat file.. then runs the extracted script in the terminal.

After removing the character

This 1st Powershell script checks for admin privilege then reverses and reads another script from bin.dat.

The 2nd Powershell script checks the install folders and makes use of the windows dialogs then uses virtualalloc to copy DTD.dll from the bin.dat file to the
\Program Files (x86)\Common Files\i2 Shared\i2 Analyst’s Notebook 7\Components\ directory

Then ends with a messagebox Patch complete!

Opening DTD.dll with dependency viewer shows only 4 functions.

Methods inside of the DTD.dll file

A VirusTotal scan of DTD.dll shows only 3 positives.

UPSILON REMOTE MONITOR

#100 Monitoring A Line UPS Remotely

Modernizing the old UPSilon 2000 application was a daunting task my first thought was to read the serial output but unfortunately the UPS is listed as a HID device and not a simple COM port. So I went down the rabbit hole of trying to communicate with hid devices which have strict security to combat keyloggers. I tried to use kernel32 and the create file read and write file methods but I got access denied. Looking closer I could read some of the inputs of the ups hid device but it was going to take too long to figure out direct communication to the ups without an SDK or a good example app using USB HID to communicate with a UPS.

Computer Management Hid UPS

Some details of my ups hid were:
VID = 0001 PID = 0000 Path = \?\hid#vid_0001&pid_0000#6&7efa158&0&0000#{4d1e55b2-f16f-11cf-88cb-001111000030} SerialNumber = Manufacturer = MEC Product: MEC0003

Communication over USB

So after wasting 2 days I went back to the drawing board this time instead of using Wireshark to catch the USB packets I decided to take a closer look at the upsilon 2000 application. unfortunately the .dll's don’t show any useful functions in dependency viewer so I can’t call C++ functions from them in C#. So next I switched Wireshark to local monitoring and I found some very useful traffic.

tcp.port == 2570 connect as a client and get data
tcp.port == 8652 read the data from the sms server
udp.port == 11541 udp data

Port 8652 allows me to read alerts sent to the SMS server but instead I re-direct them to my C# application.

GET /smssend_hide.cgi?$sms_recptmobile=0123456789&$sms_content=DESKTOP-294DAYV: This is a test message!&$sms_code=1 HTTP/1.1
User-Agent: RUPS2K SMS
Host: 127.0.0.1
Connection: Keep-Alive

Port 2570 allows me to TCP connect as a client with no auth and now I get all the stat report strings every 1 second.

(238.7 238.7 238.7 007 50.1 27.4 --.- 00001000

The UDP port 11541 always receives upsXXXcnt001 for constant monitoring and I haven’t observed any other use besides this.

ups000cnt001 – connected ups
upsdiscnt001 – not connected

The exe files communicating between themselves are
Monw32.exe 11541 udp listner
RupsMon.exe 2570 tcp listner
UPSilon.exe connects as client

So after finding this info I was able to build a C# app that works in conjunction with UPSilon 2000 but the C# app offers more flexibility such as remote messaging via Telegram or forwarding the stats to a webserver for remote viewing.

The application checks the cd key every time it starts it connects to an IP in Taiwan http://upsilon.icv99.net on port 80 however is you go to port 8080 you get a webpage cd key checking form.
http://59.124.238.71:80
http://upsilon.icv99.net:8080/download_sys/
http://upsilon.icv99.net:8080/download_sys/keycheck.php?cdkey_check=testkey

Reporting serial key and NTFS to home via: http://59.124.238.71

The only thing I couldn’t do was send commands directly to the ups because that communication link is done within the upsilon app itself however I am happy with the overall outcome.

Source code of my application can be found on GitHub