vtech phonics

So, I’ve been working on a couple different toys lately. One of them is a VTech Phonics toys. It has all the letters of the alphabet on it and a couple different shape buttons. I started to take this apart and then didn’t have any pots or switches small enough to fit in the case. For now here’s a picture of the main PCB. If you follow the link I’ve annotated some of the pins on the Flickr page.

DSCN0885

Advertisements

atari punk console

This was an awesome little weekend project. It consists of mainly a 556 IC which is really two timer chips stuck together. It pretty much creates square waves. there’s a volume knob on the side that doesn’t seem to be very volumy? Maybe because I stuck two speakers in the box making it 4 ohms instead of one 8 ohm speaker. The knobs on top are for frequency and time between the square wave samples. Fun little toy and a way to kill some time on a Sunday evening. I’ve got a really awsome V-Tech phonics toy from my daughters that I’m working on now too.

bent button

DSCN0780

So at work yesterday we got a button. All it is, is a big purple Yahoo button that someone got for free. You press the button and it plays Yahooooo really loud. Pretty boring. I figured I would open it up and show people how to smash their fingers on the resistors to change the pitch.

DSCN0783

So I unscrewed the thing and took a look. Pretty simple thing, of course the IC chip is a COB item underneath a blob of epoxy. This makes it really hard to figure out fun things. Someone then pointed out that there seemed to be a little 3 pin socket on the bottom of the thing. As I stared at the thing I saw that one of the pins was labeled Rec. Hmmm, I wondered if it would be possible to re-record the button to be even more obnoxious. I took a couple minutes and inspected the rest of the pins. I had two pins going to the switch to make the thing play. I had a Pl pin that if I jammed a wire between it and the positive power supply it would play. Alright Pl pin is a Play pin. It plays as long as you pull the pin high. There was the Rec pin, an IC pin a GND pin, two pins for the speaker and then a pin going to the resistor.

We sat for a while jamming wires on things and pressing our fingers on the resistor annoying everyone in the office. Then I finally tried connecting the Rec pin to the positive rail. Oops no more Yahooooo sound. I figured I blew something up. But wait I realized there was no more Yahoo but just a hissing. The I realized that the IC pin had a hidden letter and was really a Mic pin. Aha, I’m an idiot, so this turns out to be just a little 10 second recorder chip. All you need to do is pull the Rec pin high and input a mic or something else to the Mic pin and it will record.

We quickly cut up a mini jack cord, plugged it into my iPod and then touched the Rec pin to the power pin and it worked, kinda. It was way to quiet. I realized that I would need to bring the thing home and solder some proper wires to it in order to get good clear connections for recording. So I came home and started tweaking. First thing I did was reconnect the switch to the Play pin, this way when someone hit the button it would only play as long as the button was held down. Seemed like a good way to keep it less annoying if someone recorded something long. Second thing I did was to splice in a button between the Rec pin and the power supply. This way I didn’t have to hold some wire every time I wanted to record. Then I connected a mini jack connector to the Mic pin so it would be easier to record things. The final step was to take the Dremel and make some holes for the new input jack and button

DSCN0787

It came out pretty good. The only problem was the button didn’t hot glue to the case very well. So I ended up just keeping it outside the case until I get something better to attach it. The only thing left that would be cool to do would be to get a decent variable resistor so you can mess with the pitch while holding the button. Over all, a fun little project for the night.

busy days of spring

So I haven’t posted anything lately. And all in all I haven’t really finished any projects lately yet either. I haven’t made any headway on the frequency counter because I haven’t bought the parts I need. I did manage to snag some awesome old Atari joysticks at a church rummage sale. The plan is to convert them to wireless so they can control other things. Last week I attended TI Tech Days 2008. It was a good event. I didn’t pay anything because Digikey sent me a “don’t pay for this event” coupon in the email. They had some good talks on Zigbee and charging lithium ion batteries. I ordered up a neat like 40 dollar TI wireless dev kit that consists of a MSP430 chip and a CC2500 chip. I’m hoping that I can use those for the wireless Atari joy sticks. Also I’ve started building another robot.

J-R the Robot

My daughter has named him J-R. Couple things about him. His body is made of 1/16 inch aluminum, which sucks to cut and drill and bend when all you have is a hack saw, power drill and a counter edge. I went and picked up the aluminum pieces this weekend and since I’m sorta measurement retarded was surprised and how thick it was. Also there’s a couple parts made out of 1/4 inch aluminum bar and this time I was surprised at how small it was. I had to make the parts a couple times over because it was so tiny and the drill holes kept getting messed up. Overall he looks pretty good, not so straight, but straight enough. I have to get a Tamiya dual motor setup and a Sharp GP2D12 infrared sensor and then a bunch of various other components. I’m hoping I’ll be able to wire him up in the next month and then start programming.

Anyway, hopefully in the coming months I’ll get some more projects finished. So stay tuned

diy r/c frequency checker part 1

I started looking for a good radio frequency project. It just so happened that at the same time, everyone at work was interested in mini r/c helicopters and things like that. In my googling of everything r/c helicopter page ever, I came across a neat little r/c frequency checker for r/c airplanes. I also just happened to be reading some articles on superhet design. A r/c frequency checker seemed like a neat little project to try to do myself. So I set about starting to think about how I would build such a thing. The first thing that I figured I would need would be the LEDs. The r/c airplane spectrum starts at 72Mhz and each channel is 20Khz wide. All in all for airplanes there is a total of 50 channels so I would need 50 LED’s. I started to look around for a 10×5 LED matrix. My searches turned up nothing. Sure I could get a 8×8 LED Matrix and just not use the extra 14 leds but I didn’t think it would look as cool. So I set out to design my own. It seemed that If I designed mine so that it was just the LEDs and some pins on one board and all the control circuits on another board then I could re-use my LED matrix just like if I had bought one.

The way LED matrices work is all the anodes of a column are connected and all the cathodes of a row are connected. See the schematic below. 
10x5 LED Matrix
When you see the layout of the PCB you’ll see why I have the extra pins for the rows. Anyway when you want to display a certain set of LEDS you scan through each column enabling one column at a time and while each column is on you enable the correct rows corresponding to the LED you want on. If you cycle through all of the columns fast enough the eye thinks all the LEDs are really on at the same time.

I took this time to also teach myself EagleCAD since it’s free and there seem to be a lot of good tutorials on it. So I decided for the PCB that I would layout all the LEDS on one side and then put some breakway headers on the bottom side. This would then let me design a second board with female headers and all the LED controlling circuitry and RF circuitry on it.  
10x5 LED Matrix PCB
I decided to keep all 10 pins for the rows even though I only have 5 rows just for stability when plugging into the second board. Overall I found EagleCAD easy to use. The schematic was really easy to draw up after getting the controls down. The PCB took a little more time but I think for my first attempt at a custom PCB it came out okay.

The real reason for this post is that I just got my custom PCBs in the mail and I wanted to share pictures. 
pcb front and back
I ordered 1 copy but ended up with 4 which was even better. The picture above is two of the PCBs one showing the front of the board and the other showing the back. Anyway check back for more posts as I assemble the LED matrix and the second board with all the controlling circuitry. 

qt reversing

I came across an application the other day that I was interested in taking a peek at under the hood. The first thing I did was to search through all the strings to see if there was anything interesting. Two things jumped out at me. The first was a lot of strings that looked like this: “cClass1”, “cClass2”, “cClass3”. Alright seems like it could be something written in C++. And then I also came across this string, “qt-win-commercial-3.2.3” Alright so this information gives me a lot to start with. It is for sure C++ code and what’s more I now know what GUI toolkit it’s using. So first thing I usually do when looking at a C++ applications is to try to find the RTTI information since it makes identifying code much easier. I started by checking references to the class name strings I had found. Unfortunately I didn’t find any RTTI information. What I did find however were lots of functions that looked like this

004E574B   . B8 1C217700    MOV EAX,app.0077211C     ;  ASCII "cClass1"
004E5750   . C3             RETN

This immediately jumps out at me as some sort of Class.getName() type thing. If I had of known anything about QT I would have known right away that QT doesn’t use normal C++ RTTI information, but they use their own custom stuff.

Anyway this led me down the path of finding out more about QT. Since QT is open source it made this whole thing a lot easier. The way QT does RTTI information is with a layer they build on top of normal C++ classes. They use custom macros that are put into the classes and then use their meta object compiler to include all the extra functions of the class to do things like dynamic typing. The easiest way to see this is with an example.

class MyClass : public QObject { 
    
    Q_OBJECT 

public: 
    
    MyClass( QObject * parent=0, const char * name=0 ); 
    
    MyClass();
signals:
 
  void mySignal();
public slots:
    void mySlot();
};

Here’s the output from moc (meta object compiler)

#if !defined(Q_MOC_OUTPUT_REVISION)
#define Q_MOC_OUTPUT_REVISION 2
#elif Q_MOC_OUTPUT_REVISION != 2
#error "Moc format conflict - please regenerate all moc files"
#endif

#include "./MyClass.h"
#include 


const char *MyClass::className() const
{
    return "MyClass";
}

QMetaObject *MyClass::metaObj = 0;


#if QT_VERSION >= 200
static QMetaObjectInit init_MyClass(&MyClass::staticMetaObject);
#endif

void MyClass::initMetaObject()
{
    if ( metaObj )
        return;
    if ( strcmp(QWidget::className(), "QObject") != 0 )
        badSuperclassWarning("MyClass","QObject");
    
#if QT_VERSION >= 200
    staticMetaObject();
}

void MyClass::staticMetaObject()
{
    if ( metaObj )
        return;
    QObject::staticMetaObject();
#else

    QObject::initMetaObject();
#endif

    m1_t0 v1_0 = &AccountTable::mySlot;
    m1_t1 v1_1 = &AccountTable::mySignal;
    QMetaData *slot_tbl = new QMetaData[1];
    slot_tbl[0].name = "mySlot()";
    slot_tbl[0].ptr = *((QMember*)&v1_0);
    QMetaData *signal_tbl = new QMetaData[1];
    signal_tbl[0].name = "mySignal()";
    signal_tbl[0].ptr = *((QMember*)&v1_1);
    metaObj = new QMetaObject( "MyClass", "QObject", slot_tbl, 1, signal_tbl, 1 );
}

So now things get interesting. We can clearly see that for every QT class that is written, moc will generate a className() function as well as generating a function called staticMetaObject that hooks up the class hierarchy and the singals and slots that QT uses. This is great news for reversing because it means not only do we have class names and class hierarchies, but we also have function names for slots and signals.

So after finding all of this out I set about writing a script to automatically label all the class vtables and label all moc generated functions. The way I did it was like this. I searched for all sequence of bytes that looked like this “B8 * * * * C3” So basically find all of the className() methods. I narrowed down any false positives by making sure that the string that was referenced started with a lower case c since all the class names in this particular application started with a c. After I found the className method the script followed the reference to it to label the vtable for the class. Once the vtable is found since moc always generates the same functions in the same order it was a simple matter of labeling the first handful of function pointers in the vtable for the class to the auto generated moc methods.

The final key thing that is helpful to know is that once you have the staticMetaObject for a QT class found you now know what the parent class is based on what staticMetaObject method is called and you know the definition of the signal_tbl and the slot_tbl. If you trace references to these two tables you can find the references to the actual implementations of these methods and label those as well. Have fun reversing QT applications!

trimet

My daughter seems to be interested in robots so I set out to look for some sort of robot for her. Unfortunately there’s not a lot of stuff out there for a 3 year old. I figured that if nothing else I could build something and then let her play with it and tell her how it worked. I googled around for a bunch of stuff and eventually came across BEAM bots. They seemed nice and simple and interesting. I decided to order some solar panels from solarbotics and set out to build a trimet. I had just dismantled an old all in one radio, tape, cd player that was going in the garbage so I had managed to salvage a handful of motors from this. A trimet is real simple, you have a DC motor, you hook the solar panel up to some capacitors and then wire the capacitors to turn the motor on when they store up enough juice. It’s really a neat little thing. Here’s a picture of the guts of it all.

trimet2

You can see the resistor, two transistors and the 1381 voltage detector underneath the solar panel. The body of the motor is used as ground for the circuit and then a paper clip ring is formed to be the postive rail. Then all the components hook up in the center and the solar panel on top. Here’s another shot of the trimet closed up.

trimet1

The only thing I was really disappointed about was that there really hasn’t been a sunny enough day here to get the little thing going. It scoots around but not nearly as fast as if I just hooked up a straight 5v supply to it. I ordered up some extra solar panels so maybe I’ll make some other BEAM bots too.

breadboard card reader

card reader

Alright so after the CMoy amplifier I set about for something more fun. I stumbled upon an open source program called Stripe Snoop I quickly bought a Omron V3A card reader from digikey and set about hooking it up to my mac book via USB. The card reader comes with no wires attached and then you have to pop open the sides and either connect a really tiny hard to find molex connector or there are pads in front of the pin connector that you can solder directly to. So I decided to just solder directly to the pads. But first I needed to create my cable. I decided that since this was going to be something to play with that I wanted to be able to connect it to my breadboard, so I went out and bought a DB9 connector. I used all the individual pins to crimp onto the wires and make something that would fit into my breadboard easier. Then all I had to do was solder up the wires and snap the case back on. It worked great! I hooked up some simple LEDs to the card detect pin and PWR and GND and could swipe cards and light the LED. The next step was to wire it up to my AVR micro and then connect the AVR through my FTDI 232 breakout board to my laptop. Well I connected that all up but so far have been to lazy to write the firmware to get it all talking together. Just one more thing on my list of things to do.

cmoy

So for my second project I picked something to work on my soldering skills. A cmoy headphone amplifier seemed like a good choice. I managed to find a great web site explaining how they work and different parts I would need. Definitely check out “How to Build the CMoy Pocket Amplifier”. The tutorial made it easy to build. The hardest part was soldering all the connections to the switches and input jacks since I don’t currently have a third hand tool to help me hold stuff so it can get pretty tricky. Anyway here’s the result.

cmoy

It sounded great and was loud enough that when I plugged in a crappy pair of earbud headphones and cranked it up it sounded like a set of speakers. Unfortunately I used solid wire which made the bending of the wires really hard and I was not able to shove it all inside an Altoids case. Either way it was a fun project and I figure I can probably re-use the potentiometer and switche in other projects. 

breadboard, power supply, microcontroller

So my first task was to get a breadboard, because how could I do cool electronics type stuff without one. It seemed to me that learning to use a micro controller would be a good idea as well. I decided to follow the “Beginning Embedded Electronics Tutorials” at Sparkfun.com. Anyway the tutorials were easy to follow and I ended up with this… 

breadbord

 It worked pretty well, I have a basic 5V power suply running on my breadboard now and I managed to solder together a programmer for my AVR micro and could make things blink. Seems like a good first step