#102 Reprogramming an old CM140 radio

Motorola CM140 From 2003.
Testing shows great results.

If you do not have the code plug password or a saved code plug with the radios serial number then this post is for you.

I recently came into possession of 2 Motorola CM140 25W radios. These radios belonged to my grandfathers old security company which is now dissolved, however amongst a lot of the kit I was able to save a few gems.

Upon inspection these radios were in immaculate condition despite there age. I was able to power up both radios only to find that they were programmed to one channel and when I used Commercial Series CPS (customer programming software) I could not read or write to the radio since the code plug was password protected.

Luckily I found a sample code plug for the model of CM140 radio I had. This allowed me to clone and change the password of the radio using the sample code plug now I can read/write to the radio

I have created a step by step document on my GitHub page here.

Schematic For The Programming Cable.
Any 5v TTL Device Can Work.


#101 Reverse Engineering A Simple Crack

A lot of times the ordinary everyday person is unable to resist using pirated software. After all it’s free and usually works, there is the chance of contracting a virus or other malware but using reputable “sources” is acceptable because if many comments praise the distributor then obviously the software can be fine right?

Well…. not necessarily… in some cases bots can create comments and high seed counts creating the appearance of a well received product. Also flags as false positives can be used as camouflage, sometimes the crack installs discrete backdoors sometimes following the living of the land principal. Basically using the files and programs already installed out of the box on Windows or Linux. This makes it very difficult to find the malware as no foreign exe or files are used (at least in the initial stage of infection)

Therefore antivirus software can get stuck with behavior analysis and hash scans. Creating large files (hundreds of megabytes) and reversing code, using BOM to obfuscate are a few little tricks that may be caught by themselves but layering all these techniques can make the malware almost undetectable.

So I decided to create an example using a real life application and crack I found for IBM analyst’s notebook which is used by private and government organizations. Opening a broad portal to many computers luckily when I decoded the scripts I did not see anything too suspicious. however after the patch (DTD.dll) is installed I do not know what behavior the application will show.

The application was downloaded via torrent and yes all the files were correct no man in the middle attacks took place.

Three files are present after unzipping IBM i2 Analyst’s Notebook 9.2.3

Luckily windows CMD and Powershell are used to copy the cack.

Initial folder contents.


Crack folder contents.

Interesting enough Readme.txt only instructs the user to run patch.bat although the file DTD.dll is copied to \Program Files (x86)\Common Files\i2 Shared\i2 Analyst’s Notebook 7\Components\DTD.dll

There’s no mention of the i2 Analyst’s Notebook 7 folder and we are presumably installing version 9.2.3

patch.bat is obfuscated due to some carefully chosen bytes at the very beginning of the file that are able to trick file and other charset detection software.

Obfuscated patch.bat file
Taking a peek inside the obfuscated patch.bat file

As referenced by this

However once we remove the character and save the file we can see that the .bat file calls Powershell and then extracts and reverses a script from the bin.dat file.. then runs the extracted script in the terminal.

After removing the character

This 1st Powershell script checks for admin privilege then reverses and reads another script from bin.dat.

The 2nd Powershell script checks the install folders and makes use of the windows dialogs then uses virtualalloc to copy DTD.dll from the bin.dat file to the
\Program Files (x86)\Common Files\i2 Shared\i2 Analyst’s Notebook 7\Components\ directory

Then ends with a messagebox Patch complete!

Opening DTD.dll with dependency viewer shows only 4 functions.

Methods inside of the DTD.dll file

A VirusTotal scan of DTD.dll shows only 3 positives.


#100 Monitoring A Line UPS Remotely

Modernizing the old UPSilon 2000 application was a daunting task my first thought was to read the serial output but unfortunately the UPS is listed as a HID device and not a simple COM port. So I went down the rabbit hole of trying to communicate with hid devices which have strict security to combat keyloggers. I tried to use kernel32 and the create file read and write file methods but I got access denied. Looking closer I could read some of the inputs of the ups hid device but it was going to take too long to figure out direct communication to the ups without an SDK or a good example app using USB HID to communicate with a UPS.

Computer Management Hid UPS

Some details of my ups hid were:
VID = 0001 PID = 0000 Path = \?\hid#vid_0001&pid_0000#6&7efa158&0&0000#{4d1e55b2-f16f-11cf-88cb-001111000030} SerialNumber = Manufacturer = MEC Product: MEC0003

Communication over USB

So after wasting 2 days I went back to the drawing board this time instead of using Wireshark to catch the USB packets I decided to take a closer look at the upsilon 2000 application. unfortunately the .dll's don’t show any useful functions in dependency viewer so I can’t call C++ functions from them in C#. So next I switched Wireshark to local monitoring and I found some very useful traffic.

tcp.port == 2570 connect as a client and get data
tcp.port == 8652 read the data from the sms server
udp.port == 11541 udp data

Port 8652 allows me to read alerts sent to the SMS server but instead I re-direct them to my C# application.

GET /smssend_hide.cgi?$sms_recptmobile=0123456789&$sms_content=DESKTOP-294DAYV: This is a test message!&$sms_code=1 HTTP/1.1
User-Agent: RUPS2K SMS
Connection: Keep-Alive

Port 2570 allows me to TCP connect as a client with no auth and now I get all the stat report strings every 1 second.

(238.7 238.7 238.7 007 50.1 27.4 --.- 00001000

The UDP port 11541 always receives upsXXXcnt001 for constant monitoring and I haven’t observed any other use besides this.

ups000cnt001 – connected ups
upsdiscnt001 – not connected

The exe files communicating between themselves are
Monw32.exe 11541 udp listner
RupsMon.exe 2570 tcp listner
UPSilon.exe connects as client

So after finding this info I was able to build a C# app that works in conjunction with UPSilon 2000 but the C# app offers more flexibility such as remote messaging via Telegram or forwarding the stats to a webserver for remote viewing.

The application checks the cd key every time it starts it connects to an IP in Taiwan on port 80 however is you go to port 8080 you get a webpage cd key checking form.

Reporting serial key and NTFS to home via:

The only thing I couldn’t do was send commands directly to the ups because that communication link is done within the upsilon app itself however I am happy with the overall outcome.

Source code of my application can be found on GitHub


#99 Custom WiFi Mosfet PCB with battery backup

Version 1.0 of the protoboard not as appetizing as the schematic…
Reverse side with thicker black wires for the MosFets.

Creating a a custom 4ch Mosfet switch PCB with a built in backup 12v battery changeover circuit takes some careful planning. Since I had experience working with mechanical relay versions the task was not too difficult however it did come with a few extra challenges.
Mosfets require more parts to work reliably they also have significantly different ratings when compared to relays. In this case I was using an esp8266 with 3.3v logic. I had to create an amplifying circuit out of two transistors in order to get around 6.6V to allow the Mosfets to turn on completely thus allowing me to utilize their max current ratings.

The beginning of prototyping always looks so clean…
Bread Board prototyping is always a good idea before soldering.

On my 4ch PCB I used 3x IRL520N and 1x IRLZ44N N channel Mosfets. The IRLZ44N is the best rated for logic level and also the most expensive and rare here at least at this time. I also needed a large amount of amps for the LED strips it was going to switch on and off. The other three IRL520N Mosfets will be used with applications using under 5A of current. Technically I could have just used TIP120 NPN transistors but I wanted to keep the entire PCB Mosfet compatible in case I wanted to swap out any chips.

Drawing block diagrams by hand help the though process.
Creating a clean schematic in KiCad makes building the board easy.

For more info on the project check it out on Github


#98 Commonly available MOSFETS in South Africa

When looking for affordable and commonly available MOSFETs in SA I came across a few candidates.
Now there are mostly big tradeoffs with N-channel logic level MOSFETs however, I find that most of the time I use them instead of relays for slow switching applications.
Most of my projects have not been using PWM so I have not had any issues using the logic MOSFETs . And I find that I use the N-channel MOSFETs almost all the time.

“real fet” characteristics
“fake fet” characteristics

Finding MOSFETs with decent specs for a decent price was quite tricky but I found a sweet spot with the IRL520N now there’s always the chance of getting fake chips and I might have fallen victim to this but the “fake chip” had specs that were quite close to the “real chip” in a comparison I did between two chips. The fake one also had a slightly larger and glossier form factor.

“real fet” left and the “fake fet” right

These are my top 3 N-channel MOSFETs which are common

  • IRL520N
  • IRLZ44N
  • IRFZ44N

I would like to add some honorable mentions as well. These N-channel MOSFETs are either not common stock with the online stores I use or are way to expensive for a hobbyist however sometimes they are mandatory requirements for specific projects.

  • IRF3710
  • IRF540N
  • IRF3205


#96 A mystery chip causing IR remote trouble

Recently I had to update a DSTV system from the old explorer to the new HD decoder + remote.
Unfortunately older remotes don’t work with the new decoders however when you purchase a decoder you get a new remote in package.

Now I had a bad experience with the B8 remote which brought an even worse issue to light.

The decoder was checked by the technician in the shop and all was well however when I setup the decoder at home I noticed the remote was not working and upon inspection I noticed the orange LED was emitting a very weak signal when I pressed the buttons.

B8 remote

I really did not want to go all the way back to the shop so I opened the remote and I noticed that the IR chip had its numbers filed off… so now the remote also had a mystery chip that I couldn’t search for in order to find potential solutions…

Looking at the PCB everything seemed fine.. the traces, solder joints, button pads, and overall condition was good so the culprit had to be the IR mystery chip. This was confirmed once I received a new remote from the shop after explaining to them what the problem was.

Shaved mystery IR chip

I opened the new remote in order to do a simple comparison. Immediately I noticed that the IR chip in the new remote had text I could read. literally everything else was the same. I also noticed the orange LED was now shining brightly when the buttons were pressed. Keep in mind that these remote PCB boards have are exactly the same in version number and part placement. Only the IR IC is different..

Working chip with markings.

So I came to the conclusion that the unmarked mystery chip was the problem. They even went through the hassle of sanding the text off that inferior chip they used. from here on I can only speculate as to why the factory did this. One reason could be to hide the chip from competitors also they could have been using a cheap replacement which obviously failed yet they still went out to the public. There is a lot to speculate and non of it looks good for DSTV and their made in South Africa labelling.. seems they have been up to some shady business. We will see what else comes out in the future but for now that’s all I have to say.


#95 A simple Sonoff siren trigger

Remote siren Sonoff device

While looking for ways to trigger a siren through the internet I decided to make a small project using inexpensive modules. I decided to use the SonOff RE5V1C without an enclosure because it was the cheapest option available that would satisfy all my requirements. Likewise I used the LM2596S because it was a cheap and easy to use option unfortunately some of the mini options (like the LM2596 Mini Buck Regulator) are to cumbersome when adjusting the output voltage.

Simple schematic (replaced mini with LM2596S )

The number 1 major pain of this simple project was the red and black speaker wire I used…. This wire is actually more of a pinkish color and the insulation can be torn easily by my fingers however, the problem is dirty copper wire inside this cheap cable that would not solder even with a generous amount of flux.. I had to expose the copper and then try to clean them with vinegar and this partially worked.. However lots of time was wasted with this mundane cleaning. Even standard store bought ripcord solders fine compared to this wire….

Anyway in the end it worked out the way I wanted it to and it’s quite light and reliable, I have the whole system hooked up to a dedicated 12v battery that is trickle charged so when the power goes out the devices will still be operational for quite a while.

The RE5V1C uses from 80mA to 250mA according to the datasheet but I have a 40W siren connected to the relay so if triggered it will use from about 3A to 3.5A depending on the supplied voltage 11.5v – 13v


#94 another mini ups review

Nice honest stats compared to others.

Looking at other mini ups manufactures I decided to give Jiageng a go. The outer plastic enclosure looks very similar to a lot of other generic mini ups devices. I suspect they all originate from the same factory but have slight improvment’s to the actual PCB inside.

Decent PCB with good amperage Inductors.

Once opened I was greeted with a beautifully soldered matt black PCB with a higher version number than the previous mini ups from Andowl.

The PCB has quality components and no mystery chips. It also has the iconic Wintonic 18650 cells.

2 differences I noticed are that all the LEDs are a dark green color (the Andowl unit had 2 different greens) and the unit powers off automatically at a low voltage so that it doesn’t require a reboot after it runs “flat”.

The unit also has flashing LEDs as apposed to the Andowl’s fading LEDs

SKE-POE430-V3.0 matt black
Main IC is the STC8H1K08

Datasheet can be found here.
Andowl artical can be found here.


#93 why we need an emergency LED tube

While load shedding continues to plague the average south African citizen I noticed that some of the well off citizens were not that phased out with the power going off and water running dry. Upon further investigation I found out that “big surprise” they had proper solar infrastructure and water tanks coupled with the right political connections they don’t need to suffer for decisions made by people who bear no consequence if that decision flops.

There’s nothing new about the facts I mentioned above however it got me thinking about looking for cheaper efficient and longer lasting solutions using technology even if they are not ideal its better to have something rather than nothing… what a shameful thing I had to say taking into consideration its the 21st century and governments are still using their governmental privilege to mess things up without facing a tar a feather spectacle such a shame..

Well unfortunately I can’t control things on a national scale but I can make a review of some affordable LED lights and hopefully that can help someone make a well educated effective decision to mitigate some of the frustrations and pain.

While browsing Takealot I noticed some prices fluctuate quite often but if you keep a price you are willing to pay in mind you can create a sort of mental filter that helps. So for this article I decided to search for LED lights containing these parameters:

  • Affordable
  • Rechargeable
  • Li-po or li-ion
  • LED light
  • 5v to charge
  • Have an enclosure
  • Easy access and battery replacement
  • Decent circuit with charge protection
  • LED’s must not get too hot

I managed to find a product that came as a value pack (the so called emergency LED tube) and passed all my requirements. The product came as a value 3 pack of generic LED lights each light is about 32cm long and very light with magnetic discs.

I got mine at R210.00 for 3 emergency LED tubes that’s R70.00 for 1 so definitely affordable since I can’t get any 18650 battery for under R100.00 anywhere I have searched online in South Africa. I might just purchase these lights and harvest the battery in future just because it’s cheaper than purchasing the li-ion battery by itself.


The lights come with 1x unmarked 18650 battery and a charge controller chip with 1 button and a female micro USB port to allow charging via 5v

The button allows the light to function in 3 modes: bright, dim and strobe.

Even though the listing claims these lights are 18w when I tested them at a theoretical max of 4.2v (li-ion battery max) I only got around 10w and the LED strip got hot.

4.2v running at 10.4W though box claims 18w (LEDs super hot burns skin)
Mystery chip

A few cons I noticed are:

  • Solder wires soldered directly on to the 18650 battery
  • Cheap solder
  • Some joints were not soldered sturdily
  • Blue end caps can come off easily sometimes

All in all the lights did work out of the box however I touched up a few joints and glued one end of the blue cap just so it doesn’t come out when hanging the light via the plastic loop.

Once fully charged the light has lasted through 2-4 hours of loadshedding with a few hours of charge time.

Overall the light does its job and is affordable and the battery can be swapped or cascaded for longer lifetimes.

The only major concern I have it the lifespan of the LED chips and the mystery chip but only time will tell.

Blue wire was soldered to B+

Link to listing here.


#92 Repairing a D5 EVO PCB board

D5 EVO top enclosure
Big burn inside enclosure with semi melted screw.
Back of IR beam PCB board compared with new PCB
Burnt IR bean PCB positive in diode

After a huge thunderstorm I noticed that the IR beams on my old electric gate were not working so I decided to take a look at the IR beams connected my electric gates poles.

After opening the IR beams enclosure I was greeted with a burnt PCB.

Upon closer inspection I was able to determine that after a lightning strike the bolt flowed through the pole then through the screw inside the enclosure and then from the bolt to the IR PCB board,
The board fried and then the bolt transferred from the IR beam PCB to the D5 EVO positive output PCB terminal and blew up a SMD power mosfet above the 12v relay.

Full top of PCB board
Close up of burnt mosfet.

Strangely enough the D5evo PCB could still open and close the electric gate it seems that the only thing affected by the lightning strike was the output power terminal and the destroyed mosfet (55L104 N-Channel)

I had to purchase a set of two new IR beams for R950.00 but I decided to see if I could repair the D5EVO PCB myself. I decided to use an IRL520N N-Channel mosfet since this was commonly available at the time. Unfortunately I could only find the TO-220 package so I had to bend the mosfet a bit but it worked out in the end.

IRL520N N-Channel mosfet
Datasheet comparison
A few value differences

Passionate about technology!