Hacking Dollar-Store Bluetooth Devices (The Kindness of Strangers) part 1

Ah, the dollar store – risky condoms, something labelled as mustard, and every permutation of pasty-looking, thin-plastic discharge courtesy of third-world prison factories all line the utilitarian wire shelves. How do our capitalist overlords tolerate such thrift? Just how much nausea-ketchup must one purchase to turn a profit at $1/bottle? I don’t even care to know, because I’m too busy ogling the most modern dollar store trinket yet(?): this Bluetooth camera shutter!

 


 

This thing works right out of the box – but that’s boring, because that’s what we expected it to do (actually, I didn’t even expect it to do that). I decided to take this thing to SkullSpace (my local hackerspace) to see what makes this zany device tick – this three-dollar chunk of plastic that wirelessly talks to my cell phone!?

See those two lines coming from the large chip to the small chip? Yup, that’s an I2C bus! Googling the part number (RDA5871) reveals that the larger chip is a Bluetooth IC with an integrated ARM core, and the smaller one is ostensibly a configuration ROM. After connecting our handy logic analyser and twiddling with the I2C settings, I was able to get a log of all the data being read from the smaller chip:

 

saleae_log (text file, output from Saleae Logic)

 

Lo and behold, searching through the text file for the Bluetooth name – “AB Shutter”, we find it:

 

[…]

1.363279600000000,7,'161','0',Read,ACK
1.363303200000000,7,'161','0',Read,ACK
1.363327400000000,7,'161',A,Read,ACK
1.363351000000000,7,'161',B,Read,ACK
1.363374400000000,7,'161',' ',Read,ACK
1.363398600000000,7,'161',S,Read,ACK
1.363422200000000,7,'161',h,Read,ACK
1.363445800000000,7,'161',u,Read,ACK
1.363470000000000,7,'161',t,Read,ACK
1.363493400000000,7,'161',t,Read,ACK
1.363517000000000,7,'161',e,Read,ACK
1.363541200000000,7,'161',r,Read,ACK
1.363564800000000,7,'161',' ',Read,ACK

[…]

Looks like we are reading the chip correctly! I noticed the above block is one giant read (about 6.8 kB) starting from ROM address 0x0228: we see two writes to address 160, the data of which is 0x0228. This is the typical I2C EEPROM “start reading from here” command. The device then spits out consecutive bytes, starting from the supplied address, on every read. I carved out the relevant 6.8 kB read manually and used awk to extract the “read” column. Then I used this simple Python script to convert the decimal “read data” output into a binary file (note – I had to change the CSV data format from ASCII to decimal in Saleae Logic):

test_out (Arbitrary extension, just binary data)
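For anyone who wants to reproduce the carving step without doing it by hand, here is an added example (written for this page, not the script from the original post). It reads a Saleae Logic I2C CSV export in the column layout shown above, assumes the data column was exported in decimal (the change the post says is needed), treats each two-byte write to address 160 as the EEPROM address pointer, and collects every following read from 161 into one block. The sample capture inside the block is constructed to match the excerpt; it is not a real export.

```python
"""Carve a sequential EEPROM read out of a Saleae Logic I2C CSV export (added
example, not the post's script). Assumes the post's column layout with the data
column in decimal; 160/161 are 0xA0/0xA1 (7-bit device 0x50 write/read)."""
EEPROM_WRITE_ADDR = 160  # 0xA0: a two-byte write sets the read pointer
EEPROM_READ_ADDR = 161   # 0xA1: each read returns the next byte

# Constructed sample (not a real capture): pointer set to 0x0228, then
# 00 00 "AB Shutter" read back, matching the post's excerpt.
SAMPLE_LOG = """Time [s],Packet ID,Address,Data,Read/Write,ACK/NAK
1.363200000000000,6,'160','2',Write,ACK
1.363224000000000,6,'160','40',Write,ACK
1.363279600000000,7,'161','0',Read,ACK
1.363303200000000,7,'161','0',Read,ACK
1.363327400000000,7,'161','65',Read,ACK
1.363351000000000,7,'161','66',Read,ACK
1.363374400000000,7,'161','32',Read,ACK
1.363398600000000,7,'161','83',Read,ACK
1.363422200000000,7,'161','104',Read,ACK
1.363445800000000,7,'161','117',Read,ACK
1.363470000000000,7,'161','116',Read,ACK
1.363493400000000,7,'161','116',Read,ACK
1.363517000000000,7,'161','101',Read,ACK
1.363541200000000,7,'161','114',Read,ACK
"""
_QUOTES = "'\"\u2018\u2019\u2032"  # straight or curly quotes around fields

def _to_int(field):
    return int(field.strip().strip(_QUOTES))

def carve_reads(csv_text):
    """Return {start_address: bytes}, one block per address-pointer write."""
    blocks, pointer, current = {}, [], None
    for line in csv_text.splitlines()[1:]:
        cols = line.split(",")
        if len(cols) < 6 or cols[5].strip() != "ACK":
            continue  # skip malformed rows and NAKed bytes
        addr, data, rw = _to_int(cols[2]), _to_int(cols[3]), cols[4].strip()
        if addr == EEPROM_WRITE_ADDR and rw == "Write":
            pointer.append(data)
            if len(pointer) == 2:  # MSB then LSB of the 16-bit EEPROM address
                current, pointer = (pointer[0] << 8) | pointer[1], []
                blocks[current] = bytearray()
        elif addr == EEPROM_READ_ADDR and rw == "Read" and current is not None:
            blocks[current].append(data)
    return {start: bytes(b) for start, b in blocks.items()}

def largest_block(blocks):
    """The biggest block (the ~6.8 kB one in the post) is what to dump to a file."""
    start = max(blocks, key=lambda s: len(blocks[s]))
    return start, blocks[start]
```

Feed it the full export and write the bytes returned by largest_block to a file to get the same kind of dump the post calls test_out; the start address it returns tells you where in the ROM that dump begins.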

But what is this file? Is it an ARM binary? I have no idea! I was hopeful that the device was reading a full firmware image directly from the I2C ROM, but I cannot find any indication of that (yet). I have tried looking at earlier reads in the I2C transactions to discern any kind of header information, but nothing was obvious. I’ve pointed the file command at it to determine its type via magic bytes, and I’ve also run it through various ARM disassemblers with no luck.

I did manage to find this defunct Google Code page regarding the RDA5871, and I am happy to report that the previous maintainer has replied to my random emails with some documentation on how to configure the device via ROM! I am hopeful to get this pointed at the mystery file dump that I have. The only hurdle is that the document is primarily in Chinese, so stay tuned for when I wrangle together a translation – for any of you willing to take a gander, here it is: rda5871_progguide

When life gives you lemons, make a blog post

Halfway through a haircut, my hair clippers died.  After some serious self-reflection, I came to realize I am nowhere near cool enough to wear half a haircut:

 

…maybe if I got some sick frames, tho…

In my half-awake state, I managed to open up the clippers without electrocuting myself too severely. I suspected the switch was bad – a fried motor usually throws off some smoke when it fails, and that wasn’t the case. I confirmed this by shorting the switch leads with a screwdriver, which made it jump back to life.

the culprit

I was able to bypass the switch entirely. This means it will always be on while plugged in, but it also means I won’t look like a doofus today:

operation++; safety--;

“Good” as “new”!


Halloween 2014 – a functioning gameboy

For Halloween this year, I decided to step up my costume game and make a fully functioning gameboy costume:


A ton of people who saw the costume wouldn’t believe it worked until they pushed a button… but the reaction was always priceless.

Wolfson Pi Audio Card – a first look

I recently acquired the Wolfson Pi Audio Card from Newark. Awesome! In this post I’m simply exploring the functionality of the new device, with some more ambitious projects to come.

The Wolfson Pi – if you lose one of the mounting screws, a rubber band works just as well

The Wolfson Pi brings audio support to the Raspberry Pi – see this page for detailed specs. What got me excited about the Wolfson Pi is the ability to add enhanced audio capabilities and potentially incorporate this with JACK or other Linux-based real-time audio processing.

The first step is to download and install the Wolfson SD card image (available here). I found that the unzip utility in Ubuntu could not unzip the file properly… I wound up using 7zip instead, and it worked fine. For those of us using a *nix-based OS, the following can be used to flash your SD card (note that a class 6 card is recommended at minimum):

  1. Insert the SD card and use the output of dmesg to determine its device file (/dev/sdb for example). It should be the last one mentioned.
  2. Use dd to write the card – be very careful to select the right device!! dd bs=4M if=wolfson.img of=/dev/sdb. This will take a while. Physically install the Wolfson Pi onto the Raspberry Pi while you wait.
  3. Once dd is done, plug the card into the Pi and you should be ready to go.

If you are like me and want to access it via ssh, the credentials are still the same as the Raspbian distro – username pi, password raspberry. The OS uses DHCP by default.

Once you log in, you will see a number of shell scripts in your home directory.  Playback_to_*.sh are used to configure the default output device.  For my tests, I wanted to test recording with the built-in DMIC (onboard microphone) and output to the Line out connection.  To record and play a test file:

  1. ./Playback_to_Lineout.sh
  2. ./Record_From_DMIC.sh
  3. arecord -Dhw:0 -r 44100 -c 2 -f S32_LE test.wav (use Ctrl+C to stop recording)
  4. aplay -Dhw:0 -r 44100 -c 2 -f S32_LE test.wav

Note – don’t try to play FLAC files with aplay, the sound of mismatched formats will hurt your ears…

That’s all for now, stay tuned for more experiments with the Wolfson Pi!

Tube amp repair

A few years ago I picked up this little gem of an amp at a gun show for a paltry 25 bucks.  Not a bad snag!

vintage!

It worked great, except the volume knob didn’t seem to do much… it always sounded like it was on full blast.  So, I brought it down to Skullspace to tinker with it.

Aside from the potentiometer not really changing the volume, it was also quite scratchy when changing volumes. This is usually a sign of a worn-out potentiometer, so I ripped out the old one and temporarily wired up a replacement off eBay.

Doing a test run with alligator clips

I carefully tested the amplifier (you really don’t want to touch the high-voltage tube supply wires in there when it’s powered…) and it sounded way better than before! I deemed it a success and installed the new potentiometer, still with test connections:

Dry fit before everything gets soldered

Everything seemed to work alright, so I soldered everything in place:

hand-wired goodness

The only issue I faced was that the old wires did not really wick up the solder so well.  I suspect there are some poor connections because of this, but for now it works… maybe some proper flux paste would work better than rosin-core solder?

 

Stay tuned for an audio clip!

Free stuff to good home(s)

Hey folks, looking to get rid of a bunch of books/electronics/etc… contact me if you’re interested in any of it!

Custom made stuff:

Biznass BoomBox – I hacked an old FM radio into a classy briefcase for a decentralized dance party – needs a slight bit of work, IIRC the volume knob has become detached.

One funky-ass axe. A modified Ibanez GRX40. Faux fur, no animals were harmed during the making of this guitar…

Network gear:

24 port switch, Nortel BayStack 450-24T
Oldschool Linksys WRT54GS wireless router
A pile o’ Nortel VoIP phone parts (headsets, main units, need PoE or DC power supply). Untested

Books:

Buncha books! pt 1
Buncha books! pt 2

Misc Neat stuff

Super Nintendo, has a power supply issue. Complete with 1 controller and some Aladdin game
Ibanez Chorus/Flanger pedal. Still works, never use anymore
Random Thin Client. Never tested.
Rotary tool, works, comes with grinding bit pictured

Misc Electronic equipment

ATX Power supply, was used to power a gigantic LED circuit, one of the molex connectors is chopped off. Still works. You could easily replace it with a connector from Newark!
Some PIC dev boards, ancient… comes with PicBASIC software CD, RS232 programmer, etc
Some junky +5V,+12VDC power supply I built years ago. Still works. Standard linear regs (7805,7812)
High-voltage DC Nixie Tube power supply. Specs unknown. Comes with Nixie tubes if you want them!

Gameduino2 test game

Hello internet, I recently received my Gameduino2 via kickstarter and dreamt up a quick demo – tilting the screen moves the ball around (with realistic-ish physics), and keeping it on the “path” longer earns more points:

This demo doesn’t even touch the Gameduino2’s capabilities – just a fun proof of concept.  Maybe someone can build off of it?

Anyways, code is available at https://github.com/trdenton/gameduino2-ballgame, including a pre-compiled .elf file for the Arduino Uno. I am using the Eclipse Arduino plugin from http://baeyens.it/eclipse, and have included the project files. It should still work in the Arduino IDE if you remove the Eclipse project files – Enjoy!

Using web browser on one interface when multiple are available

In some cases, you need to connect to a VPN to do remote work. Typically this sets the VPN interface to be the default gateway – and so all your web traffic, etc. will route through your VPN connection. This becomes troublesome if your VPN endpoint won’t route out to the web.

For example, I’m ssh-ed into some work servers right now, and need the internet to write this awesome blog post. My VPN endpoint at the office does not route any traffic to the web, by design.

To get around this, first add a static route for the subnet associated with your VPN interface

sudo route add -net 10.0.0.0 netmask 255.0.0.0 gw 10.0.0.1

Then, remove the default route that is trying to shove all your http traffic onto the VPN

sudo route del default

Finally, re-create your default route so that it specifically goes out via your LAN’s gateway

sudo route add default gw 192.168.0.1

There are probably better ways to configure this – likely, there exists a way to keep the VPN interface from becoming the default gateway – but this is quick and easy 🙂