After seeing a critical mass of Magic Mirror builds online, I caved and built one as a Christmas gift for my girlfriend – I made a few innovations on top of the other builds I’ve seen, so I’ve documented them here.  I drew much of the inspiration from Dylan Pierce in particular, so be sure to check out his build log as well!  Here’s the finished product, before wall-mounting:



Build Process:

As I did not have the patience to spec out my own LCD panel, I decided to purchase a used victim TV, and worked from there.  The first step was to pop the bezel off and take a few measurements:




With measurements of the LCD panel itself, I was able to mount the LCD panel in a basic 2×4 frame:


The LCD Panel did not have any usable mounting holes that could mate with the 2×4, so I held it in place with some small angle brackets.


After installing the brackets, I realized the single-screw mounting hole would be prone to rotation – some flank screws made for a quick fix.  Also pictured: speed holes



I eventually added small metal mending plates to sandwich the LCD bezel in the frame (not pictured)

The TV I had cannibalised did not support HDMI/CEC control via the raspi, so I patched in to the power button with an opto-isolator (Sharp PC817).  By using an opto-isolator, the raspi only “sees” an LED as the load, allowing for safe coupling between the raspi and the TV circuitry.  The pin spacing on the PC817 was conducive to patching in directly to the tactile switches.  I also replaced the TV’s “off” LED with an opto-isolator connected in the opposite direction – this lets the raspi know if the TV is on or not.  This is important, because the power button is of the on/off toggle type; the raspi wouldn’t be able to know if it was turning it “on” or “off” otherwise, it would only know that it is changing the state.




Originally, I was going to power the TV on and off via cron job, until a coworker suggested putting a sensor in to turn the mirror on when someone is in front of it.  I just happened to have a spare ultrasonic sensor around, so I mounted it into the frame and wired it up via GPIO pins on the rpi:


With all the electronics connected + working, I glued the fancy mirror-glass in place (Actually, it’s acrylic), and added a nice aesthetic touch with some faux-oak molding and iron-on veneer (ran out of veneer, so the bottom got the thin piece).  I measured the mirror piece to have a 0.5″ margin beyond the viewable LCD portion so that I could affix it to the LCD bezel for a tight fit.  Mirror glass was the same used by Dylan Pierce available at TAP Plastics:


The notch is in place to accommodate a power cable while wall-mounted.  Also pictured: speed holes


The ultrasonic sensors were a bit tricky; I drilled holes in the moulding and adjusted them with a dremel.  They are by no means perfect…



And here’s a view of the rear/electronics – the intention is that this will be wall-mounted, so I didn’t bother with a protective cover.  Zip ties were applied liberally.





Note: The optoisolator / ultrasonic sensor circuitry was soldered onto a piece of perfboard that mated with the RPi’s GPIO header


The base software installation uses raspbian jessie and MagicMirror², and raspbian packages python-gpiozero and wiringpi (i.e. install via sudo apt-get install _____).  All GPIO control code is below.

Note: all .sh and .py files live in /home/pi, the .service files live in /etc/systemd/system/, enable via:

  • cd /etc/systemd/system
  • sudo systemctl enable detect_person.service
  • sudo systemctl enable tv.service

This allows for control via, e.g. sudo service tv [start|stop].  The tv.service serves to turn on the tv during the boot process (as well as for general debugging), while the detect_person service performs the ongoing operation for person detection.   Note that the particulars in need to be tuned to the environment that the mirror is installed in!

I also had to play with some settings /boot/config.txt to get the right screen orientation, see the comments in that file for details.




This is a continuation of “Hacking Dollar-Store Bluetooth Devices (The Kindness of Strangers) part 2”

Inspired by fellow SkullSpace member Edwin, who utilised a bus pirate to re-write the bluetooth device name via EEPROM (Note – this is indeed the right tool for the job) I took the initiative to get it done similarly, with my trusty Arduino Uno and some light coding.

Now, the neat thing about I2C is that it’s multi-master capable; at least, the bus is designed to be such.  This means that we can interface the EEPROM without disconnecting the usual master (ie the bluetooth IC).  So in short, you don’t need to lift the pins on your EEPROM, and toast the thing in the process:


Unfortunately I forgot about this design feature, and spent quite a bit of time trying to read this IC from the arduino. It wasn’t until I took the same method to my second Bluetooth device that I realised that the first was toasted:


After hacking a few devices (into oblivion), you eventually learn you should buy more than one…. this time around I added a terminal block and hot glue for stability

With that all wired up, I connected my arduino and started testing that I could read EEPROM addresses:



It turns out that the “AB Shutter” device name was not where I expected it to be, based on my binary image – the most likely explanation is that my binary processing program is buggy 🙂  So, undeterred, I wrote a little arduino sketch that searched through the EEPROM’s memory byte-by-byte for a simple “AB” pattern (the first two characters of the device name).  Interestingly, “AB Shutter” shows up at 0x3B44 and 0x5B44.  This is the sketch I used:


Then, knowing the address, I wrote another little sketch to over-write that address space, and confirm it by reading it back.  I wrote to 0x3B44, and it reads back correctly from both 0x3B44 and 0x5B44, suggesting some paging or mirroring going on:

And, lo and behold, my PC picked it up with the new name!….almost:


The trailing ” 3″ is part of the old name – I tried over-writing it, with no success.  Perhaps there is some paging mechanism I am not taking into account 🙂


Next steps include searching through the memory via arduino sketches, and attempting to locate where it stores its keyboard “key codes”, if at all.  This would let me change which keys are sent to the PC/smartphone, at least in theory. Stay tuned!

This is a continuation of “Hacking Dollar-Store Bluetooth Devices (The Kindness of Strangers) part 1”

After putting the EEPROM programming document (rda5871_progguide) through google translate, I was able to discern the format of this mysterious binary dump I had created – I created a simple program to parse the Saleae log file (saleae_log) into one contiguous binary image (binary_image – extension is just to get around wordpress, it’s binary) and parse the info header as well as  some of the configuration data (hopefully).

However, the data I got back was pretty trivial:

Parsing info header…
Chip ID: 0x5873
Version: 6.4
PSKey Length: 532
Data Length: 6912
Length: 0
Data: {}

This at least provided a sanity check against the info header format – the Chip ID matches what is laid out in the guide.  But, none of the datasheet’s “PSKey” information located at 0x88 seems to be used – just 532 bytes of “SYS_CONFIG_ID_NULL” and zero-length data blocks.  As well, the ISR code regions described seem to reside well out of the memory range of the binary dump – e.g. 0x80006880 – so it appears I am no further along in the binary image, pending further ingenuity…


But then I noticed some clearly labelled serial connections!


I was able to squeeze in a tiny terminal header to break out the TX/RX solder pads


Pro tip – you can pop the Atmel IC out of an arduino board, and you have a simple USB <-> TTL RS232 bridge



I was able to discern from my ‘scope that the data was transmitting at a line discipline of 115200 Baud 8N1 – however, the data that it spat back at me was indecipherable.  Consistent, but gibberish.  I had some hopes that it was unicode / chinese characters, but this was quickly ruled out (unless this serial prompt also uses arabic…).  If I had to guess, this is some binary debug and/or manufacturing automation output.  Oh well.

I also noticed that the device would pair to my PC as a USB keyboard – it ends up sending a “Volume up” keystroke and a “Enter” keystroke between the two buttons.  I was hopeful that the EEPROM image would contain the keycodes for these, allowing us to change it’s behaviour, but I was unable to find such.

My next step will be to selectively write some of the EEPROM data & (hopefully) change the device’s name – stay tuned!

Ah, the dollar store – risky condoms, something labelled as mustard, and every permutation of pastey-looking, thin-plastic discharge courtesy of third-world prisons factories all line the utilitarian wire-shelves; How do our capitalist overlords tolerate such thrift?  Just how much nausea-ketchup must one purchase to turn a profit at $1/bottle?  I don’t even care to know, because I’m too busy ogling the most modern dollar store trinket yet(?); this Bluetooth camera shutter!




This things works right out of the box – but that’s boring, because that’s what we expected it to do (actually, I didn’t even expect it to do that.)  I decided to take this thing to SkullSpace (my local hackerspace) to see what makes this zany device tick –  this three-dollar chunk of plastic that wirelessly talks to my cell phone!?

20160904_183253See those two lines coming from the large chip to the small chip?  Yup, thats an I2C bus!  Googling the part number (RDA5871 ) reveals that the larger chip is a bluetooth IC with an integrated ARM core, and the smaller one is ostensibly a configuration ROM.  After connecting our handy logic analyser and twiddling with the I2C settings, I was able to get a log of all the data being read from the smaller chip:


saleae_log (text file, output from Saelae logic)


Lo and behold, searching through the text file for the Bluetooth name – “AB Shutter”, we find it:



1.363374400000000,7,’161′,’ ‘,Read,ACK
1.363564800000000,7,’161′,’ ‘,Read,ACK


Looks like we are reading the chip correctly!  I noticed the above block is one giant read (about 6.8kB) starting from ROM address 0x0228 – We see two writes to address 160, the data of which is 0x0228.  This is a typical I2C EEPROM “Start reading data from here” command.   The device then spits out consecutive bytes, starting from the supplied address, on every read.   I carved out the relevant 6.8k read manually, and used awk to extract the “read” column.  Then, I used this simple python script to convert the decimal “read data” output into a binary file (note – I had to change the csv data from ASCII to decimal in Saleae Logic):

test_out (Arbitrary extension, just binary data)

But what is this file?  Is it an ARM binary? I have no idea!  I was hopeful that the device was reading a full firmware image directly from the I2C ROM, but I cannot find any indication of such (yet).  I have tried looking at earlier reads in the I2C transactions to discern any kind of header information, but nothing was obvious – I’ve tried pointing the file command at it to determine it’s type via magic bytes, and I’ve also tried running it through various ARM dissemblers with no luck.

I did manage to find this defunct google code page regarding the RDA5871, and I am happy to report that the previous maintainer has replied to my random emails with some documentation on how to configure the device via ROM!  I am hopeful to get this pointed at the mystery file dump that I have.   The only hurdle is that the document is primarily in chinese, so stay tuned for when I wrangle together a translation –  for any of you willing to take a gander, here it is: rda5871_progguide




Halfway through a haircut, my hair clippers died.  After some serious self-reflection, I came to realize I am nowhere near cool enough to wear half a haircut:



…maybe if I got some sick frames, tho…

In my half awake state, I managed to open up the clippers without electrocuting myself too severely.  I suspected the switch to be bad – a fried motor usually throws off some smoke when it fails, and this wasn’t the case.  I confirmed this by shorting the switch leads with a screwdriver, which made it jump back to life.


the culprit

I was able to bypass the switch entirely. This means it will always be on while plugged in, but it also means I won’t look like a doofus today:


operation++; safety–;


“Good” as “new”!


I recently acquired the Wolfson Pi Audio Card  from Newark. Awesome! In this post I’m simply exploring the functionality of the new device, with some more ambitious projects to come.

The Wolfson Pi – If you lose one of the mounting screws, a rubber band works just as good

The Wolfson Pi brings audio support to the raspberry pi – see this page for detailed specs. What got me excited about the Wolfson Pi, is the ability to add enhanced audio capabilities and potentially incorporate this with JACK or other linux-based real-time audio processing.

The first step is to download and install the wolfson SD card image ( available here ). I found that the unzip utility in Ubuntu could not unzip the file properly… I wound up using 7zip instead, and it worked fine.  For those of us using a *nix-based OS, the following can be used to flash your SD card (note that a class 6 is recommended at minimum):

  1. Insert SD card – use the output of dmesg to determine its device file (/dev/sdb for example).  It should be the last one mentioned.
  2. use dd to write the card – be very careful to select the right device!!  dd bs=4M if=wolfson.img of=/dev/sdb.  This will take a while.  Physically install the Wolfson Pi onto the raspberry pi while you wait.
  3. Once dd is done, plug it into the pi and you should be ready to go.

If you are like me and want to access it via ssh, the credentials are still the same as the raspbian distro – username pi, password raspberry.  The OS uses DHCP by default.

Once you log in, you will see a number of shell scripts in your home directory.  Playback_to_*.sh are used to configure the default output device.  For my tests, I wanted to test recording with the built-in DMIC (onboard microphone) and output to the Line out connection.  To record and play a test file:

  1. ./
  2. ./
  3. arecord -Dhw:0 -r 44100 -c 2 -f S32_LE test.wav , use Ctrl+C to stop recording
  4. aplay -Dhw:0 -r 44100 -c 2 -f S32_LE test.wav

Note – don’t try to play FLAC files with aplay, the sound of mismatched formats will hurt your ears…

That’s all for now, stay tuned for more experiments with the Wolfson Pi!

A few years ago I picked up this little gem of an amp at a gun show for a paltry 25 bucks.  Not a bad snag!



It worked great, except the volume knob didn’t seem to do much… it always sounded like it was on full blast.  So, I brought it down to Skullspace to tinker with it.

Aside from the potentiometer not really changing the volume, it was also quite scratchy when changing volumes.  This is usually a sign of a worn-out potentiometer, so I ripped out the old one and temporary wired up a replacement off ebay.

Doing a test run with alligator clips

I carefully tested the amplifier (you really dont want to touch the high-voltage tube supply wires in there when it’s powered…) and it sounded way better than before!  I deemed it a success and installed the new potentiometer, still with test connections:


Dry fit before everything gets soldered

Everything seemed to work alright, so I soldered everything in place:


hand-wired goodness

The only issue I faced was that the old wires did not really wick up the solder so well.  I suspect there are some poor connections because of this, but for now it works… maybe some proper flux paste would work better than rosin-core solder?


Stay tuned for an audio clip!