ATC1441
@atc1441.bsky.social
1.2K followers 31 following 98 posts
Hack the planet! my biggest passion is to run a custom firmware on as many devices as possible
Let's take a look inside one of those tiny pill cameras that you swallow to check your innards 😳
Video on YouTube:
youtu.be/pf_eOLRd6B4
Pill Camera Teardown, Capsule endoscopy
YouTube video by Aaron Christophel
Finally there is code execution on this shi**y Realtek RTL8752H and RTL8762ESL ARM SoC 🥳

Full custom firmware goes Brrrrr

These Chinese vendors like Realtek, Bluetrum and Jieli only care about copy protection and cripple a perfectly fine ARM core with their tooling 🙄
Teardown of the Tuya KWS-303WF WiFi Power Meter including a cut-off relay

Inside we can find:
- Tuya CBU Module with Beken BK7231N ARM SoC, 2MB Flash, 256KB RAM
- Relay claimed 63A
- Power Meter
- LCD 60x160 Pixel
- External NTC Temp Sensor

aliexpress.com/item/1005008...
Teardown of an OBD Find My Adapter from Aliexpress
aliexpress.com/item/1005007...

As expected, as simple as it could get:
3.3V voltage regulator with a currently unknown BLE SoC ESM412 2449XFD

No connection to CAN, OBD is just used for power
DOOM on a Vape via ScreenSharing and custom Firmware 😁

Source code on GitHub here:
github.com/atc1441/Vape...

And find a full video on YouTube with more details:
youtu.be/rVsvtEj9iqE
Teardown of the 2" LCD Screen Mirror device
~20€ From Aliexpress
s.click.aliexpress.com/e/_oCyfENx

Surprisingly packed

- Unknown DH390D HT2522A SoC, likely HiChip HC15xx, 4MB SPI Flash
- Battery Powered
- Speaker
- Realtek WiFi Chip
- Jieli BLE SoC

Similar to youtu.be/pFBn6lMJ7q8
Fun fact: this 3€ USB-C to headphone converter has more Flash and RAM than the first moon landing.
de.aliexpress.com/item/1005009...

The internal RISC-V Bluetrum SoC AB136D has:
128 KB Flash
60 KB RAM

Perfect USB Rubber Ducky, easy to reflash without opening via the USB DP pin 🤪
Also got the OLED Amiibo Emulator 😅
Sometimes for < 8€ in the combo offers!
aliexpress.com/item/1005008...

They are just too cute and a nice hackable gadget with everything included in a small case.

nRF52832 SoC
SPI Flash
LCD/OLED
NFC
Battery
Arduino-able

x.com/atc1441/stat...
Teardown massacre of random 2€ Aliexpress AirPod clones 😅

80% Bluetrum (AB) and 20% Jieli
Feels like there is some security issue in the connection between the case and headphones.

The phone is connected to the headsets, which in turn are connected to the charging case, and they forward playing songs, contacts etc. as well as allowing you to call and change songs.

Nice target
While not a full custom firmware, you can find the current Bluetrum AB5682 SoC hacking results here:
github.com/atc1441/Blue...

This SoC is used in the A9 Pro AirPod clones and many more cheap BLE gadgets.

Quite beefy for its price:
RISC-V
2MB Flash
162KB RAM
98KB ROM
That's code execution on the infamous

AB5682B BLE SoC used in the cheap headsets and other BLE hardware 🥳

This Bluetrum chip series is ugly 😅 Debug via 1-wire UART and a somewhat secured protocol

This code now runs from RAM, since we next need a loader to dump and write to Flash
Why does this Aspire PIXO vape have a hidden BLE chip inside? 🤔

Internals:
Puya PY32F403 ARM SoC, 256KB flash, 64KB RAM
16MB External flash
LCD with Full touch
Unmentioned WS8000 BLE Module

Full hackability with a USB flash drive update that does not include any CRC or signature checking 🙌
One more Doom port^^

This time on an E-paper translator 🥳

Running an XR872at SoC and a 296x152 BW E-paper display with around 400ms of refresh time

Find a teardown done some time ago here:
x.com/atc1441/stat...

Full YouTube video here:
youtu.be/PvTJpbVPxUo
Let's take a closer look inside a 20€ Aliexpress Alarmo clone "Smart AI Kids clock" based on the XR872ats SoC

And of course port Doom to it 😅

Full teardown YouTube video:
youtu.be/QutpZBTJRDY

GitHub repo with full source code:
github.com/atc1441/XR87...
It had to be done 😅

DOOM on the Xiaomi Mi Band 8 fitness band

Running super smooth on the AMOLED display and the custom firmware with Doom on just 2MB of Flash

Full video on YouTube:
youtu.be/iqyR_LNp9vc
DOOM on the ANKER Prime charging station 😅

The internal SWM34S MCU is just way too nice!
8MB RAM + 16MB Flash directly mapped to memory goes brrrr

Video on YouTube: youtu.be/MdOU8SqCqeY
Quick teardown video of a battery-powered 4" LCD Screen Mirror device, around 25€ from Aliexpress

TLDR: Main SoC is an HCSEMI C3100, which is very similar to the one used in the 20€ handheld console SF2000

Video Here:
youtu.be/pFBn6lMJ7q8
Some info

It was important to separate DVcc and AVcc as much as possible to prevent resets and glitches on DVcc

All except the last byte of the read CMD was sent, and the glitch was timed to the last byte to prevent any big jitter

After the position was found, a glitch takes ~1 minute
That's a success 🥳

Glitched and fully dumped MSP430F417 in a non-destructive way

Doing a read data CMD and glitching the check of whether the password was entered, we can dump 240 bytes at once

By dumping the pass(vector) area we can read the full flash after one glitch
bsky.app/profile/atc1...
DOOM on a Toothbrush? Sure!

Info on this:
The toothbrush contains an ESP32-C3 with 4MB Flash.
With the codebase from Spritetm github.com/Spritetm/esp... and the wad github.com/fragglet/min... I was able to get the complete size down to the 4MB 🥳

(Reupload from you know where for the sake of history)
Mandatory Dong DOOM ...

In-depth details in this YouTube video:
www.youtube.com/watch?v=rAE1...

(Reupload from you know what platform for the sake of history)
No OTA signature bypass found so far 😔
But I did create a WebBluetooth tool which allows you to connect to your power bank and read basic info via the encrypted protocol

There is a potential bug which lets you set the OTA size to uint32, read more about it in the GitHub repo
Fun fact: 50% of the (latest) firmware in the
BLE-enabled power bank Anker Prime 27650mAh
is just for OTA checking and encryption...

FW versions prior to 1.6.2 do not verify the OTA at all, so better update 😅

Did take a look inside and reverse engineered it
github.com/atc1441/Anke...