Electronics, coding and hacking. And ADD.

Microscope, tags and a trip down memory lane


I recently bought a 500x USB microscope off ebay. Let's use that as an excuse to have a look at two arch rivals from the late 2000's: Q-Free and Fenrits electronic toll tags.

Here's the microscope. It's actually just a very near-sighted webcam with a mount, but it does the job. The quality is so-so. Up close it's not very good, but if you zoom out a little it's acceptable. I guess there's something about the saying "you get what you pay for." With a little extra lighting and some patience on the zoom wheel it's OK.

The one we'll have a look at first is the Q-Free tag that was recently removed from my car. I was told the battery is dead, and the tag should be disposed of. Heh, no. I was very interested in what's inside this one.

Now, the first thing I noticed is the tamper pin. When you remove the tag from its mounting bracket, this spring-like pin will drop to a contact surface and pull a pin on the DSRC controller up. A "tamper bit" is set and the toll road officials will be notified the next time you pass. If it's an automated booth, like we have here in Norway, your photo will be taken for further inspection. This is to prevent from tags from being moved between cars.

It's also interesting to see that the PCB is directly exposed at this point. This must mean that the mounting bracket forms a pretty good seal, condering the amount of moisture that accumulates on the inside of a windshield.

On the front side of the housing there are 9 drilled holes that also caught my attention.

These are guides to a set of test pins on the PCB, probably used to personalize the tag so it identifies your vehicle.

Here is the bottom side of the PCB exposed. The silver housing is a grounded RF noise shield for the PCB antenna located on the other side. Interestingly, there's also an additional reflector inside the case as well. The battery is labelled "Size 1/2 AA" and is a 3.6V Tadiran Lithium SL850/P.

This is the front side of the PCB. There's a handwritten number on top, B331. I don't know what this means, or why it's written there. Maybe it's a batch number. Anyway, let's inspect the three IC's, starting to the left going clockwise. The first IC is a 7404 NAND gate, so there's really nothing surprising going on there. However the next IC on is the DSRC controller 27PA5885N-2C. I couldn't find any datasheets for this IC, which leads me to think it may be a proprietary ASIC. It even has a dedicated 12MHz crystal.

Here's a close-up of the IC. The second line says "DSRC EFC CTRL", which probably stands for "Dedicated Short Range Communications Electronic Fee Collection Controller." This little guy deals with the communication, 3DES encryption and the local storage.

The next IC is AT25160 a serial EPROM (pdf). This chip can also be programmed via the test pins I mentioned earlier, and this is probably where all the personalized data is stored, as well as a short transaction log. I suspect that this is also the place the DES keys are stored. I will try to dump the contents of this one later on, but I doubt I will find anything useful.

I used to work for a Q-Free competetor called Fenrits. We did some low volume production for Norway, and attempted to take some international market. Unfortunately the competition was too hard, and eventually the production was halted rendering employees reduntant. I kept a tag as a souvenir, and let's have a look at it and compare it to the one from Q-Free.

This tag has the optional buzzer mounted, as well as a debug port (bottom pins). Other than that, the tag is pretty much standard. You'll notice that it does not have an on-board battery, but a connector on the side for replaceable batteries. This was a major selling point back then. There's also completely different design on the PCB antenna, as opposed to the square one on the Q-Free tag.

This is the Fenrits FZB240i, which is a proprietary RF ASIC manufactured by Fenrits. When it detects activity in the 5.8GHz range, it wakes up the FZP460i and feeds it the demodulated bit stream. It also generates the clock for the mcu, if I remember correctly.

This is the main FZP460i MCU that maintains all the 3DES, communication, storage, keys and transaction logs. It's capable of implementing a variety of protocols with minimal effort.

All tag personalization was done via the radio link. We also experimented with patching and upgrading the firmware via the same RF link, which would have simplified and extended the life span of the tags dramatically. Unfortunately, the shop was closed before we got a chance to break the news.

Back to the future?


Back when I was 9 years old I got my first computer, a 48K Oric-1, and it is still in my posession. A couple of months ago I wanted to see if I could build my own replica of it, so I started playing with some components and doing some schematics in Eagle. I wanted a real 6502, RAM, ROM and an AVR to emulate things.

Long story short, and with some routing help from Runar (known from the C64FC project), the boards got done. A couple of weeks later the boards arrived from DirtyPCBs. The board is called "Historic":

The board features a genuine 6502 CPU, 32kb of EPROM and 16kb of RAM. The latter is dual-ported and also interfaced to an ATmega16 which is responsible for rendering the video signals in real-time, as well as feeding the memory with keyboard data.

Unfortunately the board had a couple of critical hardware bugs, they were patched with enameled wire where possible, and a couple of missing components were introduced through a few breakouts.

There! Fixed it.

Here's proof that it works. The Oric ROM boots and accepts user input from the keyboard. This computer is obviously at a very early stage, but it works and can be programmed as long as you stick to the text mode. The ATmega16 will be replaced with a much faster ARM controller later, this will improve the video emulation and open for the other screen modes.

One interesting thing about the Oric is that it uses a 6 pixel wide font. The ATmega16 renders the video using 8-bit SPI. This explains why the font spacing looks a bit funky.

The keyboard is currently interfaced using one of those PS/2-to-UART modules. It gets the job done for now.

It can be programmed, and that's a milestone in itself.

Did I mention this board has an ace up its sleeve? You know, the video generator can pull the video contents from any memory location. This means that we can -- at least theoretically -- run a wide range of different system ROMs.

Here it's running an unmodified Apple II ROM:

Ok, that's all for now, folks! Happy hollidays!

Edit: And now, a VIC-20, too!

Let's play Де́нди!


On my desk today is a game console from the 90's called Dendy (Де́нди), and as the cyrillic implies, it was aimed for the Russian market. A friend of mine recently got his hands on this console, but since it did not appear to work I was asked to have a look at it.

It's like the design is from a Star Wars movie

Opening the case was no big deal. 6 Phillips screws later the case was open and the main PCB was exposed. I did some work on an original NES a couple of weeks earlier, and was expecting something a bit more... uh, "more" than this.

Take me to your leader

At first I thought this was the interface board, and that a smaller, more populated board wold be underneath. But no, this was it: a single-sided PCB with a penny pinching sprinkle of passives. Worth noting is the center-negative 9V power input, which is regulated down to 5V via the linear 7805.

When I saw the bottom of the board, I had one of those "a-ha" moments that you read about on blogs. So, "a-ha". This is a NOAC (NES On A Chip) clone system. The UM6561F-2 does all the magic involving CPU, GPU, audio and I/O.

What's interesting on the mechanical topic, is the cartridge ejector. Just like the one on the Famicom consoles, except it doesn't work. Here you see the plastic construction consisting of two two wedge shaped ejectors that are supposedly there to eject the cartridge, however this construction is so weak that I hesitated using force on it.

Here's how it works from the cartridge view. If you try this with a cartridge the ejector will probably break.

Anyway, back to the repair job. It was in fact dead simple, and only a matter of a dodgy barrel connector. A replacement was donated from a dead Arduino. I applied a generous amount of solder to make sure it stays in place. However, I would consider hacking it to be center-positive, since this is more or less the standard and opens for a wider range of power supplies.

I was tempted to dump the cartridges, and opened one for inspection. Turns out they are budget chip-on-boards and not 27-series EPROMs as I was hoping for. Dumping them is not impossible, but I requires a bit more effort.

One last thing, though, and that's the neat joystick slots on the side of the case. These are nice.

Oh, and animated GIFs instead of Youtube videos - yay or nay?

Trondheim Makerfaire 2015


This weekend I attended Trondheim Makerfaire 2015, along with a few other members from Hackheim. Despite the bad weather, we had a blast meeting all the visitors and each other. I should also stress that this was a wet event. The rain was pretty rough Thursday night while we were rigging up the gear, we had a little river running through our tent to the drain. And when I say river I mean a pretty decent one; a fellow hacker actually built a model boat that sailed through it.

Let's take a quick walk through the 'faire and let's see what we have here.

This is Hackheim's fruit-o-phone (mainly banana-and-melon-o-phone), based on the Makey makey:

Just behind the fruit-o-phone was Timeexpander's bench, featuring the Götterdämmerung (I and II) 3D-printers, as well as the intriguing Citybeest:

Here's Hans Jørgen Grimstad, the creator of the Citybeest, showing his robot in action on the pavement:

The augmented sandbox was a great success last year. It's running Linux and gets its 3D vision from an XBox 360 Kinect:

The Stacker clone I was working on was done in time, too. I have no idea how many games were played, but it was in the hundreds. Not many made it to the top, though.

The latest revision of the C64FC was also shown. Quite a few recognized the computer from their childhood, and a lot of kids even took the time to play some old classic games. I had to cover the C64 in cling foil to protect it from the rain.

Some commercial and a couple of homebrew quadracopters were also on display. I did not know those small buggers could do loops, but I do now.

This was ARM's tent. Unfortunately I didn't get a good picture from inside due to the crowd, but they demonstrated their Mali graphics chip, in both mobile and embedded platforms. They even gave away a few arcades to some lucky contestants.

Awesome metal sculpts from Scvulp. Yes please.

As the sign says, it's a "Post apocalyptic supermarket." featuring fancy items such as zombie survival kits.

A motorized monowheel by Smørekoppen.

Revolve's electric racing car. This thing moves.

If you don't fancy electric motors, try this twin turbo based turbine beast for change. Here's a 6-second clip of it idling (RIP in peace, headphone users)

..and if you don't like driving, then how about flying? These eight hexacopters can, with a small dose of added bravery, lift an adult person.

And that's about all the pictures I had from this years Makerfaire!

I'm already making plans for next year. It will definitely be something waterproof.

MF2015: Stacker clone


Since nobody's asking, I'll tell you myself: these days I'm building my entry for this year's Trondheim Maker Faire: a just, purely skill based version of the game called Stacker.

Technically speaking it's not very challenging. Instead, I'm aiming for an entertaining contribution to this years faire, it will be on free play, and will reward those go make it to the top by dispensing a candy. Oh, and I must stress that it will be fair - unlike the original, this game won't cheat.

Here's what sparked the idea, a gutted Indiana Jones slot machine that I got my hands on. The 100mm yellow pushbutton was the first part to arrive, and was included in this photo so that "you can picture the rest." ... Well, can you?

I decided to use one big display instead of breaking it into two parts, as the original Indiana Jones game did. My godsend friend Tom Erik volunteered to do the woodwork for me, and he quickly fixed the 7x15 matrix I needed to house the LEDs. I could have opted to use the entire width of the display, and may change this one day.

When the backplate arrived it was time to start the tedious task soldering some of the 200 10mm diffused LEDs I bought off ebay. This may look like a two hour job, but due to my bad back I had to spread it out over a period of three days.

Remember what I said about changing the display? Yeah... no. Not happening.

Anyway, fast forward, and the display is programmed. I used an Arduino for the task, since I'm lazy and didn't bother building a custom board for this job.

Here's the display scrolling some text for testing. I experimented with some additional diffusing by applying a sheet of sandwich paper. It's just to give an idea of what it will look like with a properly frosted glass plate.

The gameplay is nearly finished, and I will post another update once the display is mounted.

Add to Google