Tearing down and analyzing a cheap-ass “Xtreme” $3.50 external phone battery

I was shopping around at this electronics liquidation store and stumbled upon a couple cheap buys: A “1900 mAh” external phone battery and another 4400 mAh pack (which will be the subject of another post and teardown). The batteries were originally priced at $7 and $38 respectively, but they were on sale at half price. For $3.50, I was curious enough about the 1900 mAh battery’s real capacity that I bought it anyway, expecting to be disappointed.

The pack itself is roughly half the size of a typical smartphone and about 1.5 times thicker. The casing itself has no screws; the manufacturer decided it was too expensive to use screws so they simply ultrasonic-welded the case shut. After about half an hour with a plastic spudger tool, I was able to crack the case open.

The soldering quality, surprisingly, is pretty good for a sub-$10 device, save for a bunch of hand-soldered components with flux residue left behind. The circuit board is made up of a battery protection circuit (yes, they actually put one in!), an ME2108A-50 boost converter, something I’d assume to be a charging circuit, and an LM324 op-amp as a “gas gauge” (if you could even call it that!).

The cell appears to be a thicker version of a typical cell phone battery. It’s similar in size to something like a Nokia BL-5C which is a 1020 mAh cell, and is 5.6 mm thick. The cell in the charger is 7.7 mm thick. The charger’s cell is only 37.5% thicker but should have 190% of the capacity… yeah, no. This is not going to be very promising, given how the spot-welded nickel strips literally fell off the cell when I tried to desolder it from the PCB.

After soldering some 20-gauge solid wire to the terminals and hooking it up to a bq27425-G2A fuel gauge chip, I noticed that it reported that the fully-charged voltage is 4.25 volts. This charger tries to squeeze the most out of the cell by overcharging it! Granted, a Li-Ion cell’s maximum terminal voltage is 4.25 volts but it shouldn’t settle down to this voltage after charging!

After performing a few learning cycles to determine capacity and resistance, the cell holds merely 1370 mAh. The internal resistance is about 85 milliohms, which tells me that at least they used a relatively fresh cell in this charger and not just some recycled cell (*cough* UltraFire *cough*).

I knew from the get-go that this battery was going to be a let-down, and I was right. But hey, for $3.50 I get a half-decent 1370 mAh cell and a few scrap chips (no way I’m reusing that battery’s PCB as-is!). But my verdict: Avoid this battery pack if you intend to use it to, I dunno, charge your phone. 😛

Skin-Deep Authenticity: Tearing down a “genuine fake” Samsung Galaxy S II battery

When you have the same smartphone for almost 3 years, it’s likely that your original battery’s not going to last as long as the service contract. And as long as you’re not an iPhone user you will probably look into a replacement or spare battery.

My first replacement cell was a 2-pack of “1800 mAh” batteries for $5. These had 66% of the stated capacity and TI’s Impedance Track gauge said that the DC internal resistance was about 250 milliOhms. That’s… pretty terrible. Those two cells quickly met their end in a battery recycling bin. My next two were “genuine” cells from eBay. They cost about $12 each and had rather authentic-looking labels on them too. Their performance was pretty good, but one of them became all bloated so I decided I’d take a look at the cell that’s inside. I peeled off the label, and the truth comes out…

This battery was an outright lie in terms of capacity! 1350 mAh is about 80% of the 1650 mAh capacity that was written on the outer label. The cell’s manufacturer is unknown, but the battery markings read “BMW-524655AR 1350mAh 2012.09.03.1110”. Wait, look at that manufacturer date. Something’s fishy…

The outer label states a manufacture date of July 20, 2012. The internal cell states one of September 3, 2012. Unless this battery was manufactured in a time-bending factory, then these batteries certainly aren’t genuine.

Next up was the protection circuit. The “genuine fake” battery uses a DW01 protection IC and uses a generic 8205A dual NFET for switching. And there wasn’t even a thermistor; the PCB uses a 1.5k ohm resistor to simulate one. A genuine board uses a single SMD package that integrates the FETs and the protection IC.

Below is a comparison of the protection board of a fake battery and a “genuine fake” one. At least the “genuine fake” uses the same black appearance of the original.

The “genuine fake” battery, after only 2 months of usage (not even 20 charge cycles’ worth), became so swollen that I can’t keep the back cover on. Running this battery through a bq27425-G2A battery gas gauge determined that the real capacity of the battery is a paltry 944 mAh, with an average internal resistance of 187 milliOhms. Absolutely pathetic.

Goes to show you get what you pay for. But some things may be more deceiving than others…

Using a laptop battery to power lighter-socket devices

Laptop batteries can be a rather handy source of power, even if it’s not being used in a laptop computer. I built an adapter that converts the knife-blade connector that a laptop battery uses to a car lighter socket.

The connections are made by taking the blades of an ATO or ATC (regular size) car fuse, soldering them to some 16-gauge speaker wire, then soldering the other end to an inexpensive DC lighter socket.

This setup is only good for roughly 5 amps (the overcurrent protection on this battery is set to 6 amps) and the voltage near the end of discharge can be too low for certain devices; power inverters will stop at about 10 to 11 volts which leaves a small amount of battery capacity unused.

Mini-Ramble: I’m such an icon artist!

After working so much with these battery chips, I thought I should spice up the Windows file icon for the .gg files that clutter my documents folder.

I’m not a person for glossy icons, but I’m also not a fan of the super-flat colour scheme that the Windows Metro UI uses. I prefer the good old style of Windows 9x-esque icons (hey, it’s what I grew up on! 🙂 ), albeit with a more… contemporary colour scheme. Keep it simple!

Windows .ico file download: https://www.dropbox.com/s/u7kjb3og7ecvpsj/gas%20gauge%20file.ico

You can use Nirsoft’s FileTypesMan to add an icon in Windows. Personally, I configured it so that .gg files open up in Notepad++ for manual editing.

Update: How to install Windows x64 drivers for the Schlumberger Reflex USB smart card reader

Update (December 11, 2017): For those on Windows 10, click HERE for the SCR300 driver package – digitally signed to ensure compatibility. Extract the files, right-click the appropriate x86/x64 .INF file and select “Install”. Proceed with the installation as shown below.

A viewer requested help on installing the drivers for the Schlumberger Reflex USB smart card reader, so I’ve created a step-by-step instruction guide on doing so.

1. Plug the smart card reader into an available USB port. Windows should attempt to install a driver but won’t succeed.

2. Open Device Manager, and select the “SLB ReflexUSB SmartCard Reader” in the list.

3. Follow the wizard and opt to install the drivers manually.

4. Enjoy your now-functional smart card reader.

Reverse-engineering the Toshiba Tecra R840’s battery interface… the long way

Since the summer I’ve been all about interfacing with smart batteries. All the laptops I’ve had, I’ve deciphered the pinouts for. However, our college-supplied laptop, the Toshiba Tecra R840, has eluded me for over a year. The IT department didn’t allow me to obtain an old battery pack for disassembly (not like I was expecting them to 🙂 ), so instead I looked at disassembling the laptop to find out the interface. The reason I decided to take apart the laptop, as opposed to the battery, is that the laptop can generally be taken apart and re-assembled without leaving permanent marks; batteries are often ultrasonically welded and can only be opened with brute force or a hot knife.

Laptop bottom cover removed and powered by battery

After removing many screws and popping the bottom of the laptop apart, I looked to the battery connector to find out the pinout.

Close-up of battery connector

The PCB had an unpopulated spot for some 3-terminal ESD protection diode, and this was a hint that these two pins were what I was looking for. I soldered some wires to the pins and a third ground wire, and attached them to a pin header. I used a logic analyzer to examine the signals (if any) that passed through the connector.

Logic analyzer trace of initial battery insertion

And I hit pay dirt, or so I thought. I was able to find out that there indeed was communication between the battery and the laptop. However, the fun ends there. Looking closely at the I2C transactions, I could see that the battery wasn’t speaking the normal SBS (Smart Battery System) protocol. Testing with my Texas Instruments EV2400 confirmed that this isn’t a smart battery. It appears that the battery likely only contains an EEPROM for some battery information storage but lacks any real means of gas gauging. That would probably explain why battery life is abysmal on these machines!
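One way to make the "is this SBS or not" call from a decoded logic-analyzer export, as an added example that is not part of the original post. The transaction rows are constructed, and the 7-bit addresses are assumptions from the usual conventions (0x0B for an SBS smart battery, 0x50 to 0x57 for 24Cxx-style EEPROMs), not values read from the author's trace.

```python
"""Classify decoded I2C transactions as Smart Battery System (SBS) traffic or not."""
from dataclasses import dataclass

SBS_ADDR = 0x0B                    # 7-bit SMBus address assigned to a smart battery
EEPROM_ADDRS = range(0x50, 0x58)   # 7-bit range used by 24Cxx-style serial EEPROMs

# Subset of SBS command codes: word reads (16-bit, LSB first) and block reads.
SBS_WORD = {0x08: "Temperature", 0x09: "Voltage", 0x0A: "Current",
            0x0D: "RelativeStateOfCharge", 0x0F: "RemainingCapacity",
            0x10: "FullChargeCapacity", 0x17: "CycleCount",
            0x18: "DesignCapacity", 0x1B: "ManufactureDate"}
SBS_BLOCK = {0x20: "ManufacturerName", 0x21: "DeviceName", 0x22: "DeviceChemistry"}


@dataclass
class Txn:
    addr: int            # 7-bit slave address
    wrote: bytes         # bytes the host wrote after the address
    read: bytes          # bytes read back after the repeated start (may be empty)
    acked: bool = True   # False when the address byte was NAKed


def decode_sbs(t):
    """Return (name, value) if the transaction is a well-formed SBS read, else None."""
    if t.addr != SBS_ADDR or not t.acked or len(t.wrote) != 1:
        return None
    cmd = t.wrote[0]
    if cmd in SBS_WORD and len(t.read) >= 2:          # an optional PEC byte may follow
        return SBS_WORD[cmd], int.from_bytes(t.read[:2], "little")
    if cmd in SBS_BLOCK and t.read and len(t.read) >= 1 + t.read[0]:
        return SBS_BLOCK[cmd], t.read[1:1 + t.read[0]].decode("ascii", "replace")
    return None


def sbs_date(word):
    """Unpack an SBS ManufactureDate word: (year - 1980) * 512 + month * 32 + day."""
    return 1980 + (word >> 9), (word >> 5) & 0x0F, word & 0x1F


def classify(capture):
    """Summarise a capture: SBS reads seen, EEPROM-style reads seen, NAKs at 0x0B."""
    sbs = [d for d in map(decode_sbs, capture) if d]
    eeprom = [t for t in capture if t.acked and t.addr in EEPROM_ADDRS and t.read]
    if sbs:
        verdict = "sbs"
    elif eeprom:
        verdict = "eeprom-like"
    else:
        verdict = "unknown"
    return {"verdict": verdict,
            "sbs_reads": sbs,
            "eeprom_bytes": sum(len(t.read) for t in eeprom),
            "sbs_naks": sum(1 for t in capture if t.addr == SBS_ADDR and not t.acked)}


# Constructed sample captures (not taken from the Tecra R840 trace).
SBS_CAPTURE = [
    Txn(0x0B, b"\x09", bytes([0x10, 0x2E])),   # Voltage = 0x2E10 mV
    Txn(0x0B, b"\x0D", bytes([0x5A, 0x00])),   # RelativeStateOfCharge = 90 %
    Txn(0x0B, b"\x22", b"\x04LION"),           # DeviceChemistry block read
]
EEPROM_CAPTURE = [
    Txn(0x0B, b"", b"", acked=False),          # nothing answers at the SBS address
    Txn(0x50, b"\x00", bytes(range(16))),      # set address pointer, sequential read
    Txn(0x50, b"\x10", bytes(range(16, 32))),
]

if __name__ == "__main__":
    for name, cap in (("SBS pack", SBS_CAPTURE), ("EEPROM-only pack", EEPROM_CAPTURE)):
        print(name, classify(cap))
```
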

Toshiba battery not detected with smart battery hardware/software

I was able to mostly figure out the pinout for the battery, but what has yet to be seen, is which pins provide power to the EEPROM chip, as it seems that it is not powered internally.

Currently known battery pinout

Sometime later I’ll have to delve further into the contents of the EEPROM, or try and obtain one of these batteries for disassembly. We’ll just have to see.

Ramble: 1.5-volt lithium polymer AA battery? What sorcery is this?

Been a while since I’ve posted anything on here, but I decided to share my thoughts on a peculiar AA battery.

This AA battery is the Kentli lithium-polymer AA cell. It has a built-in 1.5 volt regulator that converts the typical 3.7 volts down to 1.5 volts (open-circuit at least). I bought a 4-pack of these cells from AliExpress back in October, but have yet to receive them. Even though I haven’t gotten them, there are some things that I’ve taken note of.

Current/voltage output

A graph promoting the battery discharge curve of the Kentli cell is shown below, taken from a sales page on AliExpress (rehosted on this blog to prevent image bandwidth-hogging):

The interesting thing I found out was the green dashed line. This is supposed to represent the output voltage when used in a wireless microphone. However, the graph itself provides no meaningful data because no current loads are specified at all. In an attempt to get some sort of information from the graph, a Google search for a spec sheet for a typical microphone gives a discharge current of 125 mA. But a 0.3 volt drop at 125 mA? I dunno, this doesn’t seem right.

Safety

From a safety point of view, I’m not sure about how much temperature would rise in the cell from high current draw and whether overheating could occur in use, and if any typical Li-Ion protection circuitry is used (voltage and discharge protection). Given how this is made by some relatively unknown Chinese company, who knows.

I’m not saying anything definite until I see these cells and have a chance to get my paws on them for testing and disassembly. Until then, we’ll just have to wait.

Ramble: AC Power DoS attacks via a GFCI tester

GFCI (ground fault circuit interrupters) are the rarely-recognized heroes of the electrical world. They can protect a person who is unlucky enough to end up between the AC line and ground, and, if working correctly, are a life-saving invention used in almost every home, commercial and industrial building out there.

Although GFCIs come with a built-in test feature, AC outlet testers are available that simulate a true fault condition; that is, they actually induce a ground leakage to verify that the GFCI circuit actually works. However, I was thinking that, if used maliciously, these tools can be used to disrupt power circuits that are protected via a remote GFCI breaker; for example, outdoor power outlets on a building which generally are wired 2 to 5 per breaker.
If the breaker trips, then someone will have to go to the breaker room and manually switch the circuit back on, which can definitely cause headaches for anyone who needed to use that circuit.

The effects of this aren’t that dire. One can’t take out a whole building’s power infrastructure this way and the worst that happens will be some downtime until maintenance comes out to restore power. Still, that doesn’t mean some prankster would do this just to have a laugh at anyone who needed to use that power outlet later.

Ramble: Consumer external batteries that have firmware updates and SCADA? I don’t get it!

I’m looking at XPAL Power’s website, where they advertise that their batteries can:

  • check battery manufacture date
  • remotely report charge cycle count, and remaining cycle count before wear-out
  • perform a battery calibration via a charge-discharge cycle
  • remotely monitor and report battery temperature
  • perform battery firmware resets and updates

Some of these features are definitely feasible, some others… well, I have a very hard time trying to believe some of these.

  • Manufacture date check: Definitely doable. Any decent manufacturer would keep records of serial numbers and correlate it to manufacture date, lot codes and so on.
  • Remote cycle count and SoH (state of health) reporting: I honestly cannot see how this would be feasible without either a USB cable or some other means of data transfer. Bluetooth may be an option but that brings issues of its own (you’d need a BT transceiver in the battery, which I strongly doubt exists in a consumer external battery). However, the idea of cycle count and health monitoring isn’t anything unusual; as mentioned in previous posts, modern gas gauges are definitely capable of counting charge cycles and other battery health parameters.
  • Battery calibration: If the battery has a (at least moderately) smart gas gauge IC, then this would be done for calibration anyway; nothing novel here.
  • Remote temperature monitoring and reporting: This would fall under my statement about SoH reporting and so on. Additionally, the whole idea of continuous reporting of temperature to the user (and the manufacturer) would require some sort of network connection, whether it be wireless or wired. Either way, this would mean that a prohibitively expensive solution would be needed to implement what is essentially SCADA (supervisory control and data acquisition)… in an external battery used to charge a phone, tablet or laptop. But, if this feature is used then I guess there could be a way to use the device’s network connection (maybe USB-to-serial or something) to communicate with the manufacturer to transfer data. Once again, this would bring problems with device compatibility, and I strongly doubt that a USB charger would implement a microcontroller system that has enough oomph to implement USB host functionality just to send battery data.
  • Remote firmware control: I don’t see how this would be implemented outside a laptop battery that uses the Smart Battery System to communicate. Even if a battery had a microcontroller (most out there would have basic protection, charging and DC-DC conversion), I doubt that a means of programming would be exposed to an external data port. What if a communication problem caused the firmware update to abort prematurely?

I don’t mean to bash XPAL or anything (I have many of their products and their batteries have outlasted any other Li-Ion based devices I have had) but I’m just not sold on how they can implement remote reporting and firmware updates for their batteries, given the amount of processing required host- and battery-side to implement these functions. Even if it was a fully remote and wireless solution, then it’d require RF interfacing which would cost far too much to implement in a way that would require nearly zero user intervention.

That said, I myself have plans to implement something like this (a battery with a BT interface) but it definitely isn’t something that would be feasible for the mass market. That will be revealed in a later post, but in the meantime I’m mourning the loss of a very nice 4-cell battery that I built that used my bq27421 chip to do charge gauging.

Convenient chips but even more inconvenient packages – Fail, fail, fail and fail again: Trying to solder the TPA2011D1 speaker amplifier

I was doing some prototyping of the TI TPA2011D1 3 watt Class-D amplifier that’s in a 1.2 x 1.2 mm 9-ball BGA package. Unlike my tries with the bq27421, these chips are downright painful to solder. Out of 5 chips that I’ve tried to solder, only one of them actually worked. That’s a 20% success rate. Bummer. The only thing that’s preventing me from being any more angry about these chips is that my back and shoulders hurt quite a bit after hunching over to try and solder these bastards for a good 6 hours.

“Thumbs down!” –Dave Jones

Convenient chips, inconvenient packages: Making use of the Texas Instruments bq27421-G1 lithium-ion battery fuel gauge chip

As seen on Hack A Day!

I ordered some sample chips from TI a few weeks ago, most of them being lithium-ion battery “fuel gauge” chips. These chips are used in electronic devices to determine exactly how much energy is in the battery, and if the chip’s sophisticated enough, provide a “time until empty” prediction.

The bq27421 from TI is packaged in a tiny 9-ball grid array, packaged as a wafer-level chip scale package (WLCSP). This means there is no epoxy covering like normal ICs, making for a compact design that’s a good thing for space-constrained applications like modern cell phones. I’ll talk about this chip later on in this post.

The tiny BGA package means that prototyping with these chips is difficult if not impossible, depending on how large the chip is that you’re working with. The bq27421 is about 1.6 mm x 1.6 mm, which is less than 1/3 of the size of a grain of rice. No way you’d be able to put that on a breadboard… right?

Well, you can, with a small breakout board, some magnet wire, epoxy (a bigger deal than you might initially think), patience and steady hands. I mounted the chips in what I call a mix between dead-bug (where the contacts face up as if the chip was like a dead bug on the ground) and chip-on-board construction (where the chip is glued directly to a board, wire-bonded and then covered in epoxy). I used some SOIC-to-DIP boards from DipMicro Electronics. I often use these boards when doing work on prototyping board since using these surface-mount parts reduces the board’s height compared to using actual DIP packaged chips (which are much less common for modern ICs anyway).

The chip is first affixed to the breakout board using a small amount of epoxy and allowed to cure for several hours. The epoxy, from what I’ve found, is crucial to your success; superglue and other adhesives won’t stand up to the heat of a soldering iron, and if it loosens you can end up ruining your chip and wasting your time spent working on it.

After letting the epoxy cure, I then prepare the bond pads around the chip. I place a liberal amount of solder on each pad to allow easy connection with the iron later; I want to minimize the stress on the tiny 40-gauge magnet wire because once the connection is made, the solder ball that the chip came with won’t be as easy to solder to the second time around.

Next up is the actual soldering process. I created a pinout for the board in PowerPoint to help plan out how I’ll solder the wires. After tinning a long length of 40-gauge magnet wire, I then solder the wire first to the solder ball on the chip, then solder the other end to the pad I previously put solder on. To minimize the stress on the wire afterwards, I use a small utility knife to cut the end of the wire where the pad is. I then complete this for the rest of the contacts. This took me an hour and a half the first try, but took me about 20 minutes the second time around. Also, for my second try, for the BAT and SRX pins, which carry the full current for any loads connected, I used 30-gauge wire-wrapping wire to allow a bit more current-carrying capacity. It probably is overkill since the maximum current rating for the bq27421 is 2 amps continuous, but I felt a bit more at ease connecting the pins this way.

After checking for short and open circuits with a multimeter I then placed headers onto the board and put it into my “evaluation board” that I created just for this chip. Using an EV2400 box from TI, used to connect to their vast range of battery-management chips, I connect the box to my PC and run their GaugeStudio software to verify that the chip works.

… and it does, like a charm! I was able to communicate with the chip and also view its operation in real-time.

One thing that was causing me trouble before was that after removing the battery and putting another one in, I found that the gauge chip sometimes wouldn’t be recognized by the PC. Being unsure why it was doing this, I dug through the reference manual, and found one tiny part in the manual that showed me why it wasn’t working consistently.

The GPOUT pin was left floating on my board, and the chip requires a logic high signal before it starts up. This brings back memories of my digital electronics class in college; these floating inputs can cause all sorts of trouble if you’re not careful, and in this case, it was mentioned only once in the reference manual. After using a 1 megohm resistor to pull up the pin, the chip worked flawlessly. Now that I verified that the chip was working, I mixed up some more epoxy and covered the chip, making sure that the bond wires and chip were covered to prevent damage.

After all that, I had a couple working highly-advanced battery gauges that I could fool around with, and also learned a couple things about deadbugging SMT components and also the basics of chip-on-board construction.

Tearing down a Razer Orochi Bluetooth gaming mouse

Today, I randomly felt like I should take apart my Razer Orochi gaming mouse to see what’s inside. I figured that if I’m going to take it apart, I should document it.

So I did.

The Razer Orochi is a laptop gaming mouse made by a company called Razer. They make a lot of gaming products like keyboards, mice and headsets. My brother has a bunch of Razer gaming devices (keyboard, headset and mouse) but this is the only Razer product that I own. The Orochi has a detachable micro-USB cord and also has Bluetooth support.

Looking inside, it appears that Razer definitely built this device to a price point. There are only 4 screws holding the device together (T6 Torx screws) and the rest are held together with plastic posts, with some components having the end posts melted to form a “weld” which might hamper repair efforts later if need be.

As for the electronics inside the mouse, there is a Freescale MC9S08JM60 8-bit HC08-architecture microcontroller, housing a 48 MHz CPU, 60 kB of program Flash memory, 4 kB of SRAM, 256 bytes of USB buffer RAM, a full-speed USB interface (12 Mbps), a real-time clock (I doubt that’s being used :)), an 8-pin keyboard interrupt module, and a few other peripherals expected of any general microcontroller (ADC, hardware serial interfaces, etc.). Bluetooth support is provided by a Broadcom BCM2042 module, which is advertised as being a single-chip device providing the HID (Human Interface Device) class and a full Bluetooth stack. It has its own 8051 8-bit CPU, 20 kB of internal SRAM, 8 kB of its own flash memory for configuration data, keyboard inputs, LED and LCD display drivers, quadrature decoders and a bunch of other features which are likely to be unused.

I was intending to replace the LEDs in the mouse (blue is such an ugly colour for LEDs) but it appears that the one on the mainboard is a red/blue bi-colour LED and the one in the scroll wheel is encased in plastic which has the end post melted in lieu of a screw.

Oh well, at least I was able to take a look inside this little piece of plastic and electronics.

Mini-Ramble: Magical flying smart card wishes you much success

Drew this during the end of my C programming final exam. If you know me in real life, you’ll know that I’m all about smart cards, little pieces of plastic with a processor inside of them. Also, 0x90 00 merely means “success” in smart-card language, hence the little tagline under the drawing.

Making use of a Schlumberger Reflex USB Smart Card Reader in Windows 7 x64

For a tutorial on how to install the drivers, click here.

A while back a friend of mine gave me an old smart card reader that was of no use to him; he had no need to use smart cards at home and the reader he gave me, a Schlumberger Reflex USB reader, had no support in 64-bit Windows 7, or so it seemed.

I cracked open the reader (didn’t take any effort, there are no screws nor snap-clips holding the case together) and found the internal part number: an SCM Microsystems SCR301 reader. Forcing Windows to use the SCM Microsystems SCR300 driver was successful in getting the reader to show up in Windows, meaning that I had a free, usable smart card reader to tinker around with. Awesome.

Update on June 20, 2013: Added a screenshot of the reader in Device Manager.

Making use of an old TI-83 Plus LCD Screen

Since my previous attempts at getting the Motorola smart cards to work were generally fruitless, I decided to revive an old attempt to get a TI-83 Plus LCD screen to work by itself. Earlier tries failed due to mistakes in creating a pinout for the LCD, and at one point I thought I damaged the driver as the chip got very hot.

After completing a recent assignment for my electronics engineering class involving the classic 8-bit parallel HD44780 LCD (and finally understanding the difference between 8080 and 6800-type parallel interfacing), I dug up a datasheet for the LCD and spent about an hour and a half getting it to display content.

… And it worked! Because this LCD is a graphic LCD, there is no built-in method to display text. For my tests I manually entered the command and graphic data, by hand, using nothing more than a bank of DIP switches and a debounced pushbutton.

The LCD, when first initialized, has complete garbage in the built-in display SRAM. I had to manually enter 0s for all the visible pixels on screen in order to clean up the display, then set the rows and columns manually to print out “Hello world!” on-screen.

The LCD driver is a Toshiba T6K04, which has 128×64 resolution internally but only the left 96 pixels are visible on the screen. It uses an 8-bit 6800-type parallel interface (CE is used for clocking in data) and, depending on the age of the calculator, has all the support circuitry on the same PCB.

Note that newer TI-83 Plus models are built a lot “cheaper” than the older models. The newer ones don’t have a PCB on the back of the LCD screen and all the support components are on the mainboard. I had one that was made around 2004, give or take a couple years. There are older models that use the Toshiba T6A04. I believe the pinout for the older TI-83s using the T6A04 is different, but the command set is the same.

For the ~2004 era of TI-83 Plus calculators, the pinout is as follows:

  1. Reset: Active-low input for resetting the LCD screen.
  2. D0: Input for the 8-bit parallel interface
  3. D1: Input for the 8-bit parallel interface
  4. D2: Input for the 8-bit parallel interface
  5. D3: Input for the 8-bit parallel interface
  6. D4: Input for the 8-bit parallel interface
  7. D5: Input for the 8-bit parallel interface
  8. D6: Input for the 8-bit parallel interface
  9. D7: Input for the 8-bit parallel interface
  10. CE: Active-low clock for the parallel interface
  11. RW: Input for parallel interface read/write mode: High = read, low = write. For most purposes you can leave this tied low.
  12. D/I: Selects whether to send graphic data, or to send a command. High = data, low = command.
  13. STB: Active-low standby input. Typically you would leave this tied high unless you want to put the LCD in a low-power state.
  14. NC: Bare pad that is not connected to anything on the PCB.
  15. NC: Bare pad that is not connected to anything on the PCB.
  16. VCC: Power supply input: 2.7-5.5 volts DC.
  17. GND: Power supply ground.

After a bit of tinkering I’ve created a table of commands to send to the LCD to initialize it.

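| D/¬I | R/¬W | D7 | D6 | D5 | D4 | D3 | D2 | D1 | D0 | Action |
|------|------|----|----|----|----|----|----|----|----|--------|
| 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 1 | Set 8 bit mode |
| 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 1 | 1 | Enable display |
| 0 | 0 | 1 | 1 | x | x | x | x | x | x | Set contrast (0bxxxxxx) |
| 0 | 0 | 0 | 0 | 0 | 0 | 0 | 1 | 0 | 1 | Sets counter mode: 8 bits along X, each write increases row # by 1 |
| 0 | 0 | 0 | 1 | c | c | c | c | c | c | Set column (0bcccccc), display driver is 128×64 but left 96 columns are visible |
| 0 | 0 | 1 | 0 | r | r | r | r | r | r | Set row (0brrrrrr) |
| 1 | 0 | d | d | d | d | d | d | d | d | Write display data (8 bits wide) |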

If time permits (and after college midterms are over, etc.) I’ll write up a quick microcontroller program to control the LCD.

Making Use of a Motorola Smart Card (Part 3)

(Disclaimer: As stated in previous posts, this blog is not intended to further piracy of paid TV and such. This is merely a personal blog outlining my recreational research.)

I seem to have finally stumbled across some potential information on the background of this smart card. A very old (dating back to 1997!) article from CNET showed that Motorola sent out a press release about their “new” M-Smart Combination Card, which combined a contact card with an RFID interface. However, the information track stops there. There is no picture of what their cards looked like, nor did they have a link to any sort of info from Motorola themselves (although I believe their smart card division was bought out a while ago.)

Might be a good time to email Motorola and see if they didn’t burn their old smart card documentation 🙂
EDIT: I asked my professor if he’d be alright with me taking a look at the chip under the microscope. He’s fine with it; hopefully I’ll have some pictures of the silicon die this week.

Making Use of a Motorola Smart Card – Part 2

(Disclaimer: Smart card piracy is a very bad thing. This set of blog posts is NOT intended to further illegal hacking of paid services, but is merely a personal record of my research, which is not being done for any financial reasons but is only done for personal leisure. Besides, these cards won’t help you break scrambled TV signals, so don’t bother trying it :))

In between pulling all-nighters goofing off doing college homework and trying to stay marginally sane and/or healthy, I’ve been doing some more research into the cards. This time, I was a bit more invasive with my approach. However, I’ve found out a bit more about the card’s brains this way.

I’ve torn open one of the cards and taken a peek inside. The chip itself is a bit different in that the epoxy backing is molded much like a regular chip as opposed to the drop of epoxy used in many newer cards. The chip itself is pretty big, at 6mm x 4mm and with 0.1 mm thickness; the center gold pad is the entire area of the card.

There are many methods of getting the plastic off of a chip, and the more professional labs use fuming nitric acid (very nasty stuff), but one easy way to do so at home is using a blowtorch to burn the epoxy and simply chip it off with a toothpick. If it’s burnt thoroughly enough, the epoxy will just fall off the chip, revealing the pretty silicon underneath. I used a small butane torch to heat up the chip, which was done outside and on a piece of ceramic tile (safety first! :)). After a bit of picking at the chip, I was able to see the inner workings of the smart card’s chip.

I see 4 large blocks on the die but can’t tell much more without a microscope, and a 10x jewelry loupe only goes so far. My best guess is that the 4 blocks encompass the CPU, RAM, program ROM and maybe some EEPROM storage. There are 14 pads on the chip; 5 pins are used for the contacts, maybe 2-3 for the radio interface, and the others might be for factory testing or programming, but it’s speculation at best.

Now hopefully my college prof won’t mind me using the classroom microscope later this week 🙂

Making Use of a Motorola Smart Card (part 1 of ???)

(Disclaimer: Trying to pirate satellite TV using hacked smart cards is dumb and wrong; I am writing this article merely to explore the card and the field of smart cards in general, and to provide some sort of documentation on this otherwise unknown card.)

Back in the summer I bought four generic, blank (I assume) Motorola brand smart cards from Active Surplus during my vacation to Toronto. Over the past few weeks I’ve been doing some research and hands-on testing of what this card is (in)capable of doing.

The card itself is an ISO 7816-compliant smart card that uses the asynchronous (UART) T=0 byte-wise protocol and communicates using industry standard APDU (application protocol data unit) commands.

The card is a dual-interface card; it has the standard six-contact chip and also has an antenna for RFID. There is an antenna coil 3 windings wide around the perimeter of the card that connects to the chip itself. So far I have not had any progress in getting it to contact an RFID reader, but hooking up an LED from the chip’s Vcc to ground causes it to flash when brought up to a BlackBerry Bold’s NFC antenna.

The chip has an answer-to-reset of 3B 76 13 00 00 80 62 07 41 81 80. When parsing this via the pyscard smart card library (http://smartcard-atr.appspot.com/parse?ATR=3B76130000806207418180), the site identifies it as a “Generic mass produced Motorola smart card”, which doesn’t get me any further than what I already know; the Motorola logo is in the center of the darn chip!
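As an added example (not code from the original post), here is a minimal ISO/IEC 7816-3 ATR parser run over the answer-to-reset quoted above. The function name `parse_atr` and the layout of the returned dictionary are assumptions made for illustration.

```python
# ISO/IEC 7816-3 tables: TA1 high nibble Fi -> F, low nibble Di -> D
FI = {0: 372, 1: 372, 2: 558, 3: 744, 4: 1116, 5: 1488, 6: 1860,
      9: 512, 10: 768, 11: 1024, 12: 1536, 13: 2048}
DI = {1: 1, 2: 2, 3: 4, 4: 8, 5: 16, 6: 32, 7: 64, 8: 12, 9: 20}

def parse_atr(atr_hex):
    """Walk an ATR byte by byte and return its fields (hypothetical helper)."""
    atr = bytes.fromhex(atr_hex)
    if len(atr) < 2 or atr[0] not in (0x3B, 0x3F):
        raise ValueError("TS must be 0x3B (direct) or 0x3F (inverse)")
    iface, protocols = {}, []
    y, k = atr[1] >> 4, atr[1] & 0x0F    # T0: Y1 presence bitmap, K historical bytes
    pos, i = 2, 1
    while y:
        nxt = 0
        for bit, name in ((1, "TA"), (2, "TB"), (4, "TC"), (8, "TD")):
            if not y & bit:
                continue
            if pos >= len(atr):
                raise ValueError("ATR truncated inside interface bytes")
            iface[f"{name}{i}"] = atr[pos]
            if name == "TD":             # TD carries the next bitmap and a protocol T
                nxt = atr[pos] >> 4
                protocols.append(atr[pos] & 0x0F)
            pos += 1
        y, i = nxt, i + 1
    protocols = protocols or [0]         # no TD1 at all means T=0 only
    if pos + k > len(atr):
        raise ValueError("ATR truncated inside historical bytes")
    historical = atr[pos:pos + k]
    pos += k
    tck_ok = None                        # TCK exists only if some T != 0 is offered
    if any(t != 0 for t in protocols):
        if pos >= len(atr):
            raise ValueError("TCK required but missing")
        x = 0
        for b in atr[1:pos + 1]:         # XOR of T0..TCK must be zero
            x ^= b
        tck_ok = (x == 0)
        pos += 1
    ta1 = iface.get("TA1", 0x11)         # default when TA1 is absent: Fi=1, Di=1
    return {"convention": "direct" if atr[0] == 0x3B else "inverse",
            "interface": iface, "protocols": protocols,
            "F": FI.get(ta1 >> 4), "D": DI.get(ta1 & 0x0F),
            "historical": historical.hex(), "tck_ok": tck_ok,
            "trailing": atr[pos:].hex()}

if __name__ == "__main__":
    print(parse_atr("3B 76 13 00 00 80 62 07 41 81 80"))
```

For this card the parse gives direct convention, TA1 = 0x13 (F = 372, D = 4), TB1 = TC1 = 0x00, no TD1 (so T=0 only and no TCK checksum byte), and six historical bytes 80 62 07 41 81 80.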

Current attempts to make use of the card have been unsuccessful. It responds with 0x6D00 (unknown command) on pretty much every industry-standard command I try. The only command that doesn’t give this is 0xC0 00 00 00, which is the “GET RESPONSE” command, which returns 0x6F00 (generic error, no details available).

Attempts to get the card running with PC/SC have not gone far. The system will acknowledge its existence and with a bit of work in the Registry, I can get it to register as a “Generic Motorola SmartCard”. That said, this still doesn’t get anywhere. Attempts to use it to store credential certificates cause Windows to say that ‘the card is not the one required for the current operation.’

I think that the card may simply be unprogrammed and is merely running a bootloader to install firmware on, but since many smart cards have mask ROM, there is a chance that the card is of pretty much no use. But hey, for 50 cents for a smart card it’s no big loss.
If you know anything else about this smart card, gimme a shout in the comments section. I’ll be posting more updates as I find out more about this peculiar piece of plastic.

First of the Year

Whoa, turns out I had this blog lying dormant for a good 10 months!

I’m Jason, this is my tech hack-mod-make style of blog, along the lines of nearly every other hack-mod-make style of blog. I’ll be posting occasional posts, pictures and maybe a few ramblings here and there.