Looking for help reverse engineering an ESP32 device

Hi,
The likes of the Tasmota forums have examples of reverse engineered devices, but the basic flow is likely to be:

  • Identify the main components, including the main microprocessor (e.g. ESP32) and any peripherals connecting I/O.

  • Use the silk-screen on the board to get as many hints as possible - e.g. U23 could be a small micro, but T23 is more likely to be a transistor/MOSFET. Watch Big Clive or EEVblog teardowns for hints on reverse engineering PCBs - a light box (to see through the board) or clear printed photos (one reversed) help a lot.
    EDIT: Example Big Clive video showing his method of reverse-engineering (photos + reversed copper side prints)

  • Mark up major tracks in coloured pen e.g. ground, 3V3, 5V.

  • Get the data sheets, and identify major interconnections such as I2C or SPI between components.

  • Web search, web search, web search! Hackaday might not have the same hardware as a project, but data sheets, and hints from similar kit can inspire.

  • With the device OFF, use a meter to trace out major GPIO - switches, LEDs, relays, I2C / SPI, etc, using the data sheets to help. An LED display will be “charlieplexed” with buttons (look for diodes), but could use a dedicated I2C PIO with a data sheet, or worst case, an anonymous uP.

  • Is there a serial / programming header? Does the existing code send debug to the console?

  • Do you have a storage scope? If so, it might be possible to snoop on I2C to see setup commands or PIO being set. The Bus Pirate is an example of a hardware tool for this sort of debug.
    EDIT: Bus Pirate hardware logic analyser

  • Do you want to try snooping the WLAN comms? There are tools to establish man-in-the-middle attacks on the network for debug.

  • Try to dump the existing ROM, just in case you need to revert back. It may not work if the chip has been protected.

  • Try loading your own test code - nothing fancy, just enough to send “Hello World” or flash a LED you are sure you know the GPIO of.

  • Worst case, desolder the existing ESP, add pins, and clip in your own device.

  • Rinse, repeat the test code, adding tests to toggle PIO, look for I2C addresses, etc. Add a robust debug connector glued to something if you need to disconnect to test. Anything that reduces test cycle time and random failures (which confuse, and lose days chasing a bad connection) is good.

  • Remember - commercial designers don’t have time to be clever - most just copy the data sheet verbatim!

In my time, I’ve reverse engineered kit from guitar effects pedals to heating controllers, but smaller and smaller surface mount puts me off, so I have worked on a lot less recent kit. Tooling is also a limit - an old analogue 'scope and desktop sound card aren’t quite a DSO or Bus Pirate!

That said, a recent video from Black Hat showed a guy with basic electronics knowledge reverse-engineer a John Deere tractor GPSr self-driving controller, including using a clothes iron to re-ball and resolder the flash memory chips - impressively low-tech tools for the results he achieved.

I’m not looking for another project, but might be able to share my stupidity.
TTFM,

James

7 Likes
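The "Hello World, flash a LED, look for I2C addresses" test build that the steps above describe, as an added example rather than code from the post or any project it mentions. It is an ESP32 Arduino-core sketch; the pin numbers (LED on GPIO 2, I2C on GPIO 21/22) are assumptions for a bare devkit and should be replaced with whatever the meter tracing of the real board turns up. The I2C scan only probes the 7-bit address range 0x08 to 0x77, because addresses outside it are reserved by the bus specification and a stray ACK there usually means a wiring fault rather than a device.

```arduino
// Added example (not from the original post): minimal ESP32 test build for a
// board under investigation - prints a banner on the serial console, blinks a
// GPIO you believe drives an LED, and lists every I2C device that ACKs its
// address on the chosen SDA/SCL pins.
#include <Arduino.h>
#include <Wire.h>

// ASSUMED pin numbers for a bare devkit; replace with the pins traced on the
// real board. A wrong LED pin is harmless, a wrong SDA/SCL pair just finds nothing.
static const int LED_PIN = 2;
static const int SDA_PIN = 21;
static const int SCL_PIN = 22;

// Probe each legal 7-bit address with an empty write; a device that is present
// ACKs its address and Wire.endTransmission() returns 0. Returns the number of
// addresses found and fills `found` with them (up to maxFound).
int scanI2C(uint8_t *found, size_t maxFound) {
  int n = 0;
  for (uint8_t addr = 0x08; addr <= 0x77; addr++) {
    Wire.beginTransmission(addr);
    uint8_t err = Wire.endTransmission();  // 0 = ACK, 2 = NACK on address
    if (err == 0 && (size_t)n < maxFound) {
      found[n++] = addr;
    }
  }
  return n;
}

void setup() {
  Serial.begin(115200);
  delay(500);  // give the USB-serial bridge time to enumerate
  Serial.println("Hello World - ESP32 test build is running");

  pinMode(LED_PIN, OUTPUT);

  // Bring up the I2C master on the assumed pins at the conservative 100 kHz rate.
  Wire.begin(SDA_PIN, SCL_PIN);
  Wire.setClock(100000);

  uint8_t found[16];
  int n = scanI2C(found, sizeof(found));
  if (n == 0) {
    Serial.println("No I2C devices ACKed - check pull-ups, pins, or that the bus is powered");
  } else {
    Serial.printf("%d I2C device(s) found:\n", n);
    for (int i = 0; i < n; i++) {
      // Compare these against the data sheet default addresses of the parts
      // identified on the board (e.g. a PIO expander or EEPROM).
      Serial.printf("  0x%02X\n", found[i]);
    }
  }
}

void loop() {
  // Slow blink so it is obvious on a meter or by eye which net is toggling.
  digitalWrite(LED_PIN, HIGH);
  delay(500);
  digitalWrite(LED_PIN, LOW);
  delay(500);
}
```

Flash it over the serial/programming header after dumping the original firmware (esptool's `read_flash` is the usual way to take that backup), then open the serial monitor at 115200 baud. An address appearing in the scan that matches a data sheet default is the quickest confirmation that you have both the right bus pins and the right part identification; a scan that finds nothing usually means missing pull-ups or the wrong pin pair rather than an absent device.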