Monthly Archives: March 2008

diy r/c frequency checker part 1

I started looking for a good radio frequency project. It just so happened that at the same time, everyone at work was interested in mini r/c helicopters and things like that. In my googling of everything r/c helicopter page ever, I came across a neat little r/c frequency checker for r/c airplanes. I also just happened to be reading some articles on superhet design. A r/c frequency checker seemed like a neat little project to try to do myself. So I set about starting to think about how I would build such a thing. The first thing that I figured I would need would be the LEDs. The r/c airplane spectrum starts at 72Mhz and each channel is 20Khz wide. All in all for airplanes there is a total of 50 channels so I would need 50 LED’s. I started to look around for a 10×5 LED matrix. My searches turned up nothing. Sure I could get a 8×8 LED Matrix and just not use the extra 14 leds but I didn’t think it would look as cool. So I set out to design my own. It seemed that If I designed mine so that it was just the LEDs and some pins on one board and all the control circuits on another board then I could re-use my LED matrix just like if I had bought one.

The way LED matrices work is all the anodes of a column are connected and all the cathodes of a row are connected. See the schematic below. 
10x5 LED Matrix
When you see the layout of the PCB you’ll see why I have the extra pins for the rows. Anyway when you want to display a certain set of LEDS you scan through each column enabling one column at a time and while each column is on you enable the correct rows corresponding to the LED you want on. If you cycle through all of the columns fast enough the eye thinks all the LEDs are really on at the same time.

I took this time to also teach myself EagleCAD since it’s free and there seem to be a lot of good tutorials on it. So I decided for the PCB that I would layout all the LEDS on one side and then put some breakway headers on the bottom side. This would then let me design a second board with female headers and all the LED controlling circuitry and RF circuitry on it.  
10x5 LED Matrix PCB
I decided to keep all 10 pins for the rows even though I only have 5 rows just for stability when plugging into the second board. Overall I found EagleCAD easy to use. The schematic was really easy to draw up after getting the controls down. The PCB took a little more time but I think for my first attempt at a custom PCB it came out okay.

The real reason for this post is that I just got my custom PCBs in the mail and I wanted to share pictures. 
pcb front and back
I ordered 1 copy but ended up with 4 which was even better. The picture above is two of the PCBs one showing the front of the board and the other showing the back. Anyway check back for more posts as I assemble the LED matrix and the second board with all the controlling circuitry. 

Advertisements

qt reversing

I came across an application the other day that I was interested in taking a peek at under the hood. The first thing I did was to search through all the strings to see if there was anything interesting. Two things jumped out at me. The first was a lot of strings that looked like this: “cClass1”, “cClass2”, “cClass3”. Alright seems like it could be something written in C++. And then I also came across this string, “qt-win-commercial-3.2.3” Alright so this information gives me a lot to start with. It is for sure C++ code and what’s more I now know what GUI toolkit it’s using. So first thing I usually do when looking at a C++ applications is to try to find the RTTI information since it makes identifying code much easier. I started by checking references to the class name strings I had found. Unfortunately I didn’t find any RTTI information. What I did find however were lots of functions that looked like this

004E574B   . B8 1C217700    MOV EAX,app.0077211C     ;  ASCII "cClass1"
004E5750   . C3             RETN

This immediately jumps out at me as some sort of Class.getName() type thing. If I had of known anything about QT I would have known right away that QT doesn’t use normal C++ RTTI information, but they use their own custom stuff.

Anyway this led me down the path of finding out more about QT. Since QT is open source it made this whole thing a lot easier. The way QT does RTTI information is with a layer they build on top of normal C++ classes. They use custom macros that are put into the classes and then use their meta object compiler to include all the extra functions of the class to do things like dynamic typing. The easiest way to see this is with an example.

class MyClass : public QObject { 
    
    Q_OBJECT 

public: 
    
    MyClass( QObject * parent=0, const char * name=0 ); 
    
    MyClass();
signals:
 
  void mySignal();
public slots:
    void mySlot();
};

Here’s the output from moc (meta object compiler)

#if !defined(Q_MOC_OUTPUT_REVISION)
#define Q_MOC_OUTPUT_REVISION 2
#elif Q_MOC_OUTPUT_REVISION != 2
#error "Moc format conflict - please regenerate all moc files"
#endif

#include "./MyClass.h"
#include 


const char *MyClass::className() const
{
    return "MyClass";
}

QMetaObject *MyClass::metaObj = 0;


#if QT_VERSION >= 200
static QMetaObjectInit init_MyClass(&MyClass::staticMetaObject);
#endif

void MyClass::initMetaObject()
{
    if ( metaObj )
        return;
    if ( strcmp(QWidget::className(), "QObject") != 0 )
        badSuperclassWarning("MyClass","QObject");
    
#if QT_VERSION >= 200
    staticMetaObject();
}

void MyClass::staticMetaObject()
{
    if ( metaObj )
        return;
    QObject::staticMetaObject();
#else

    QObject::initMetaObject();
#endif

    m1_t0 v1_0 = &AccountTable::mySlot;
    m1_t1 v1_1 = &AccountTable::mySignal;
    QMetaData *slot_tbl = new QMetaData[1];
    slot_tbl[0].name = "mySlot()";
    slot_tbl[0].ptr = *((QMember*)&v1_0);
    QMetaData *signal_tbl = new QMetaData[1];
    signal_tbl[0].name = "mySignal()";
    signal_tbl[0].ptr = *((QMember*)&v1_1);
    metaObj = new QMetaObject( "MyClass", "QObject", slot_tbl, 1, signal_tbl, 1 );
}

So now things get interesting. We can clearly see that for every QT class that is written, moc will generate a className() function as well as generating a function called staticMetaObject that hooks up the class hierarchy and the singals and slots that QT uses. This is great news for reversing because it means not only do we have class names and class hierarchies, but we also have function names for slots and signals.

So after finding all of this out I set about writing a script to automatically label all the class vtables and label all moc generated functions. The way I did it was like this. I searched for all sequence of bytes that looked like this “B8 * * * * C3” So basically find all of the className() methods. I narrowed down any false positives by making sure that the string that was referenced started with a lower case c since all the class names in this particular application started with a c. After I found the className method the script followed the reference to it to label the vtable for the class. Once the vtable is found since moc always generates the same functions in the same order it was a simple matter of labeling the first handful of function pointers in the vtable for the class to the auto generated moc methods.

The final key thing that is helpful to know is that once you have the staticMetaObject for a QT class found you now know what the parent class is based on what staticMetaObject method is called and you know the definition of the signal_tbl and the slot_tbl. If you trace references to these two tables you can find the references to the actual implementations of these methods and label those as well. Have fun reversing QT applications!

trimet

My daughter seems to be interested in robots so I set out to look for some sort of robot for her. Unfortunately there’s not a lot of stuff out there for a 3 year old. I figured that if nothing else I could build something and then let her play with it and tell her how it worked. I googled around for a bunch of stuff and eventually came across BEAM bots. They seemed nice and simple and interesting. I decided to order some solar panels from solarbotics and set out to build a trimet. I had just dismantled an old all in one radio, tape, cd player that was going in the garbage so I had managed to salvage a handful of motors from this. A trimet is real simple, you have a DC motor, you hook the solar panel up to some capacitors and then wire the capacitors to turn the motor on when they store up enough juice. It’s really a neat little thing. Here’s a picture of the guts of it all.

trimet2

You can see the resistor, two transistors and the 1381 voltage detector underneath the solar panel. The body of the motor is used as ground for the circuit and then a paper clip ring is formed to be the postive rail. Then all the components hook up in the center and the solar panel on top. Here’s another shot of the trimet closed up.

trimet1

The only thing I was really disappointed about was that there really hasn’t been a sunny enough day here to get the little thing going. It scoots around but not nearly as fast as if I just hooked up a straight 5v supply to it. I ordered up some extra solar panels so maybe I’ll make some other BEAM bots too.

breadboard card reader

card reader

Alright so after the CMoy amplifier I set about for something more fun. I stumbled upon an open source program called Stripe Snoop I quickly bought a Omron V3A card reader from digikey and set about hooking it up to my mac book via USB. The card reader comes with no wires attached and then you have to pop open the sides and either connect a really tiny hard to find molex connector or there are pads in front of the pin connector that you can solder directly to. So I decided to just solder directly to the pads. But first I needed to create my cable. I decided that since this was going to be something to play with that I wanted to be able to connect it to my breadboard, so I went out and bought a DB9 connector. I used all the individual pins to crimp onto the wires and make something that would fit into my breadboard easier. Then all I had to do was solder up the wires and snap the case back on. It worked great! I hooked up some simple LEDs to the card detect pin and PWR and GND and could swipe cards and light the LED. The next step was to wire it up to my AVR micro and then connect the AVR through my FTDI 232 breakout board to my laptop. Well I connected that all up but so far have been to lazy to write the firmware to get it all talking together. Just one more thing on my list of things to do.

cmoy

So for my second project I picked something to work on my soldering skills. A cmoy headphone amplifier seemed like a good choice. I managed to find a great web site explaining how they work and different parts I would need. Definitely check out “How to Build the CMoy Pocket Amplifier”. The tutorial made it easy to build. The hardest part was soldering all the connections to the switches and input jacks since I don’t currently have a third hand tool to help me hold stuff so it can get pretty tricky. Anyway here’s the result.

cmoy

It sounded great and was loud enough that when I plugged in a crappy pair of earbud headphones and cranked it up it sounded like a set of speakers. Unfortunately I used solid wire which made the bending of the wires really hard and I was not able to shove it all inside an Altoids case. Either way it was a fun project and I figure I can probably re-use the potentiometer and switche in other projects. 

breadboard, power supply, microcontroller

So my first task was to get a breadboard, because how could I do cool electronics type stuff without one. It seemed to me that learning to use a micro controller would be a good idea as well. I decided to follow the “Beginning Embedded Electronics Tutorials” at Sparkfun.com. Anyway the tutorials were easy to follow and I ended up with this… 

breadbord

 It worked pretty well, I have a basic 5V power suply running on my breadboard now and I managed to solder together a programmer for my AVR micro and could make things blink. Seems like a good first step 

intro

So I had tried to start a blog at blogger.com but never seemed to use it. For some reason though I think I should be writing in this to document my adventures into electronics and other hackery. Unfortunately I’ve already not posted about a bunch of stuff, so I’m going to try to post some catch up type entries covering some of the things that I’ve done already. Then hopefully I can keep up to date with the different projects that I’m working on. I intend to post mostly about electronics type things since that’s what I seem to be focusing on right now, but I figure an occasional post about reverse engineering wouldn’t hurt.