everhack Stuff I've been messing with, or just thinking about.


Fixed my Oscilloscope

Several months ago I picked up a Tektronix TDS 640, 4-channel 500mhz oscilloscope at a hamfest for $50.

It was failing several of the power-on self tests with some mysterious errors like "FAIL ++ Acquisition" and "FAIL ++ Attn/Acq interface". After my successes repairing Cricuts and resurrecting my first $20 analog scope with a bunch of Deoxit spray I figured I'd get my money's worth of entertainment out of it.

Googling the subject quickly revealed this as the inevitable consequence of "Capacitor Plague." It seems the original SMD electrolytic capacitors all end up leaking corrosive gases and goo onto the circuit boards, which, if not cleaned up in time, eventually results in assorted broken vias and board traces. The visible result of all this is these failed self-tests.

The Tektronix Community Oscilloscope Technical Support Forum, fortunately, has accumulated quite a few threads over time with information and various troubleshooting & repair tips for this issue.

So after a couple of months of building up my courage, buying a ESD-safe temp-controlled iron, antistatic work mat, and desoldering "hot tweezers", I was ready!

I started out by practicing desoldering and resoldering a bunch of similar SMD caps on a handful of old busted PC graphics cards from the pile on the hack shelf.

Removing all the old caps turned out to be pretty easy. As it turns out, and it's hard to believe this until you try it out, the best way to remove the old parts is actually to press down and gently wiggle the part right off. The copper leads work-harden and snap off without stressing the underlying solder pad one bit. After I learned about this method I practiced it a dozen times to prove to myself that it was actually the LEAST damaging way to get them off there. (The corroded old solder doesn't take heat well).

Fast forward to last week, I'd ordered in and received all the new capacitors and was ready to dig in.

After removing all 100 or so old caps on 3 circuit boards, the next thing was to use a combination of solder sucker, iron, and desoldering braid to remove all the old solder and remnants of broken leads, leaving the solder pads as clean as possible.

Once this is done, you super clean the entire board with a toothbrush and full strength Simple Green, rinse in the sink under super hot water. Bake in the oven at 125 degrees for an hour or two, followed by an Isopropanol rinse, and another overnight drying period in a warm place.

The resoldering process follows by putting some flux on all the solder pads, and melting a little pillow of solder on each one. Since the caps are polarized, you need to take care to orient the new one properly, but on this scope the process is super easy because nearly every single one is oriented in the same direction, and all but one pad is marked with a +.

Soldering the cap goes like this: use the iron to melt the solder pillow on one pad, and, just using your fingers, hold the cap in place. Touch the iron to the lead and stay long enough to make sure it bonds properly (too quick and you'll get a cold-solder joint). The cap will be attached on one side now, and slightly cocked due to the unmelted pillow under the other lead. To finish soldering, just press down lightly with one finger while heating up the lead. When the solder melts, you'll feel the part move downwards until it's fully seated on the board.

Now, just repeat this process 100 times 🙂 🙂 It sounds like a really big job, but after the first few dozen it goes very quickly. The whole process excluding drying time only took a few hours.

At this point, I was eager to fire up the scope and see if those darn errors went away. Annnnnnd... no change! Arrgh!

Going back to the Tek Forum, I learned that the reason for this was almost certainly due to some combination of corroded vias, broken traces, or fried components.

The way to start finding these is to use the voltmeter and, with the machine running, carefully check the voltage across all the capacitors and make sure they are all about 5 or 15 volts. Similarly, check the voltages across the power & ground leads to all the dozen or so opamp chips on the board to make sure they are also similarly valued.

In my case, I found one opamp chip with a bad ground, and one capacitor with only 1 volt across it instead of 5. Both problems ended up being due to a broken via, and were fixable by carefully determining exactly where the broken lead went to and soldering on a tiny little 30-gauge jumper wire to bridge the gap. (tracing the connections can be a little tricky with a multilayer board like this)...

After a couple rounds of probing and probing and installing the two jumper wires, I fired the scope back up... and YES, the self test passes completely now, and the formerly failing Signal Path Compensation routine also passes.

Filed under: Uncategorized 2 Comments

Sniffer Nano 2.0

Now that I understand how it all works, here's a much nicer looking version of my reader. It's the $20 Sniffer Nano 2.0 - a nice SMD AVR168 design on a daughterboard, powered by arduino sketch.. Glad I didn't discover this one earlier, it might have ruined all the fun 🙂


here's the code:

Filed under: Uncategorized No Comments

AVR RFID Reader, part 6 – Successful Reads!


Even after reading up on Manchester encoding from a number of sources, and reading Beth Scott's reader code & comments, I still just couldn't quite understand how to do the decoding.

My biggest problem with the reader code from part 5 was that I was only detecting the lengths of the LOW periods, but not the HIGH periods, so I was only getting half the bits.

Secondly, after a hint from a RFID reader IC datasheet (http://www.125khz-rfid-reader.com/how-the-driver-works/how-the-driver-functions), I realized I also didn't have to muck about with detecting both rising and falling edges as various other literature indicated.

"Using a clever detection method the driver only needs to detect each rising edge to determine the preceeding bit states, reducing the interrupt burden on the main application. Also only detecting each rising edge removes issues of dealing with non perfect high and low widths within each cycle – being radio they are often not perfectly 50/50, but the overall bit frequency will be relatively accurate."

At this point, I was logging the timer value for each rising edge to the serial port so I can get a look at what exactly was being received. Just as a picture tells a thousand words this text file pointed me towards what to do next.

Here's a piece of the log where I've manually annotated the lows and highs to indicate short or long lows and highs. (0 is a short low, 00 is a long low, 000 is a "triple low," which occurs only in the tag header. 1s indicate the length of the highs similarly).

Basically, the lows are easy, they're always around 900-1000 'ticks' for a short, and around 1500-1600 for a long. A triple long low is around 2500.

The highs are a little trickier. Since the carrier is pulsed, we get a rising edge every time the carriers rises above the threshold value. These show up in the log as multiple entries around 150 ticks in duration. A "short high" gives about 4, a "long high" is about 8, and a "triple long high" (seen right after the leading 000) gives about 14 of them.

180:2585 000
194:153 111
195:919 0
199:152 1
200:1065 0
204:154 1
235:1671 00

One additional tricky part was figuring how to detect the end of a "high" period, since the event trigger only gives rising edges, meaning I don't know the High is done before I reach the end of the Low period immediately after. To solve this, I added an Overflow interrupt handler to my input capture timer, set to a length of 200. This ensures that the overflow interrupt will always fire as soon as "no more rising edges" are detected in a sequence.

A problem I'd been having all along at home had been viewing the received signal on my analog non-storage oscilloscope due to the inability to "pause" the display, or accurately trigger on the beginning of the tag signal.

However, this was solved once I was accurately able to detect the "3T low 3T high" tag header in my code. I enabled a second debug pin and toggle it on and off each time I detect that sequence. This now finally allows me to accurately view the received manchester bits on my scope.

I still didn't quite get the idea of reconstructing the data clock, but after finding this forum comment and having a long chat with Danny at the hackerspace, I finally had my decoding approach:


Basically, two things you need to do are to:
A) accurately determine where the message begins. Looking at the data, I realized there was a repeating 3T low followed by a 3T high. Since Manchester encoding forbids any high or low longer than 2T, this was clearly our header signal. Thus, the first rising edge after our 3T high marks the beginning of the actual data stream.
B) decode the 0s and 1s into the original data bits. In my case, the expanded representation of the "shorts" as 1 digit, and "longs" as two digits effectively reconstructs our clock signal, and lets us decode the stream by simply interpreting every received "01" as a data "0", and every "10" as a data "1".

Finally once you have the actual data bits, you have to convert them back to the card values, which for HID means the first 20 bits contain the "Manufacturer Code" (always constant), then 8 bits of "site code", and finally 16 bits of 'card code' and a trailing parity bit.

This is where the code stands right now. I can read both my badges pretty reliably, but the threshold voltage is still manually adjusted which limits the read distance to a very narrow range.

Next steps, I want to:
- implement a dynamic threshold voltage via PWM,
- display the decoded digits via LCD, or at least flash a LED on successful read.
- start spoofing the digits
- design a PCB and begin to package this thing

Filed under: Uncategorized No Comments