Looking for help reverse engineering an ESP32 device

So I have an ESP32 device that I am in the process of attempting to add support for in Home Assistant using a third-party API.

While working on that I thought it would be really great to not have to rely on that third-party API and be able to load up ESPHome on that device.

I have a lot of experience building ESP devices but have no experience reverse engineering circuits, so I would really need some sort of mentor that would be willing to help me understand what I’m looking at and see if it’s even possible to implement something like this.

The device has a lot of peripherals: an LED 7-segment display, a speaker, LED lights and several buttons.

If anyone would be willing to assist, please let me know. Thanks.

Hi,
The likes of the Tasmota forums have examples of reverse engineered devices, but the basic flow is likely to be:

  • Identify the main components, including the main microprocessor (e.g. ESP32) and any peripherals connecting I/O.

  • Use the silk-screen on the board to get as many hints as possible - e.g. U23 could be a small micro, but T23 is more likely to be a transistor/MOSFET. Watch Big Clive or EEVblog tear-downs for hints on reverse engineering PCBs - a light box (to see through the board) or clear printed photos (one reversed) help a lot.
    EDIT: Example Big Clive video showing his method of reverse-engineering (photos + reversed copper side prints)

  • Mark up major tracks in coloured pen e.g. ground, 3v3, 5v.

  • Get the data sheets, and identify major interconnections such as I2C or SPI between components.

  • Web search, web search, web search! Hackaday might not have the same hardware as a project, but data sheets, and hints from similar kit can inspire.

  • With the device OFF, use a meter to trace out major GPIO - switches, LEDs, relays, I2C / SPI, etc., using the data sheets to help. An LED display will be “charlieplexed” with buttons (look for diodes), but could use a dedicated I2C PIO with a data sheet, or worst case, an anonymous uP.

  • Is there a serial / programming header? Does the existing code send debug to the console?

  • Do you have a storage scope? If so, it might be possible to snoop on I2C to see setup commands or PIO being set. The Bus Pirate is an example of a hardware tool for this sort of debug.
    EDIT: Bus Pirate hardware logic analyser

  • Do you want to try snooping the WLAN comms? There are tools to establish man-in-the-middle attacks on the network for debug.

  • Try to dump the existing ROM, just in case you need to revert back. It may not work if the chip has been protected.

  • Try loading your own test code - nothing fancy, just enough to send “Hello World” or flash a LED you are sure you know the GPIO of.

  • Worst case, desolder the existing ESP, add pins, and clip in your own device.

  • Rinse and repeat the test code, adding tests to toggle PIO, look for I2C addresses, etc. Add a robust debug connector glued to something if you need to disconnect to test. Anything that reduces test cycle time and random failures (which confuse, and lose days chasing a bad connection) is good.

  • Remember - commercial designers don’t have time to be clever - most just copy the data sheet verbatim!

In my time, I’ve reverse engineered kit from guitar effects pedals to heating controllers, but smaller and smaller surface mount puts me off, so I have worked on a lot less recent kit. Tooling is also a limit - an old analogue 'scope and desktop sound card aren’t quite a DSO or Bus Pirate!

That said, a recent video from Black Hat showed a guy with basic electronics knowledge reverse engineer a John Deere tractor GPSr self-driving controller, including using a clothes iron to re-ball and resolder the flash memory chips - impressively low-tech tools for the results he achieved.

I’m not looking for another project, but might be able to share my stupidity.
TTFM,

James

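Editor's note: the "dump the existing ROM" step above is where most first attempts stall, so here is an added worked example (my code, not James's, not the OP's, and not part of ESP-IDF or esptool) of what to do with the dump once you have it. It assumes the ESP-IDF default layout for the original ESP32 (second-stage bootloader at 0x1000, partition table at 0x8000), a 4 MiB flash, and a dump taken with the real esptool, e.g. `esptool.py --port /dev/ttyUSB0 --baud 460800 read_flash 0 0x400000 dump.bin`; the sample dump it builds when run without arguments is constructed for the demo and is not from any real device. It parses the partition table, checks that the bootloader and each app partition start with the 0xE9 image magic, and uses byte entropy to flag the case James warns about: if flash encryption is enabled on the chip, `read_flash` hands you ciphertext, nothing parses, and the entropy sits near 8 bits/byte.

```python
"""Offline triage of an ESP32 SPI-flash dump (added example; assumptions:
ESP-IDF default offsets for the original ESP32 and a dump from esptool
`read_flash`). Usage: python esp32_dump_triage.py dump.bin"""
import math
import random
import struct
import sys
from dataclasses import dataclass
from typing import List

BOOTLOADER_OFFSET = 0x1000        # ESP32 default; ESP32-C3/S3 put it at 0x0
PARTITION_TABLE_OFFSET = 0x8000   # CONFIG_PARTITION_TABLE_OFFSET default
IMAGE_MAGIC = 0xE9                # first byte of every ESP bootloader/app image
PART_MAGIC = b"\xAA\x50"          # start of a partition-table entry
ENTRY = struct.Struct("<2sBBLL16sL")  # magic, type, subtype, offset, size, label, flags

APP_SUBTYPES = {0x00: "factory", 0x20: "test", **{0x10 + i: f"ota_{i}" for i in range(16)}}
DATA_SUBTYPES = {0x00: "ota", 0x01: "phy", 0x02: "nvs", 0x03: "coredump",
                 0x04: "nvs_keys", 0x05: "efuse", 0x81: "fat", 0x82: "spiffs"}


@dataclass
class Partition:
    label: str
    ptype: str            # "app", "data" or "unknown(0x..)"
    subtype: str
    offset: int
    size: int
    encrypted_flag: bool  # flags bit 0: partition marked for flash encryption


def parse_partition_table(dump: bytes, table_offset: int = PARTITION_TABLE_OFFSET) -> List[Partition]:
    """Walk 32-byte entries until the magic stops matching: the 0xFFFF end
    marker, the optional 0xEBEB md5 entry, or garbage/ciphertext."""
    parts: List[Partition] = []
    pos = table_offset
    while pos + ENTRY.size <= len(dump):
        magic, ptype, subtype, off, size, label, flags = ENTRY.unpack(dump[pos:pos + ENTRY.size])
        if magic != PART_MAGIC:
            break
        if ptype == 0x00:
            tname, sname = "app", APP_SUBTYPES.get(subtype, f"0x{subtype:02x}")
        elif ptype == 0x01:
            tname, sname = "data", DATA_SUBTYPES.get(subtype, f"0x{subtype:02x}")
        else:
            tname, sname = f"unknown(0x{ptype:02x})", f"0x{subtype:02x}"
        name = label.split(b"\0", 1)[0].decode("ascii", "replace")
        parts.append(Partition(name, tname, sname, off, size, bool(flags & 1)))
        pos += ENTRY.size
    return parts


def looks_like_image(dump: bytes, offset: int) -> bool:
    """An ESP image header starts with 0xE9; erased flash or ciphertext will not."""
    return offset < len(dump) and dump[offset] == IMAGE_MAGIC


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for ciphertext, ~0 for erased (0xFF) flash."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage(dump: bytes) -> dict:
    parts = parse_partition_table(dump)
    boot_ok = looks_like_image(dump, BOOTLOADER_OFFSET)
    apps = {p.label: looks_like_image(dump, p.offset) for p in parts if p.ptype == "app"}
    ent = shannon_entropy(dump[BOOTLOADER_OFFSET:BOOTLOADER_OFFSET + 4096])
    # No parseable table plus near-random bytes where the bootloader should be:
    # flash encryption is the usual explanation, so read_flash only gave ciphertext.
    # Confirm on the chip with `espefuse.py --port /dev/ttyUSB0 summary`.
    return {"partitions": parts, "bootloader_image": boot_ok, "app_images": apps,
            "bootloader_entropy": round(ent, 2), "probably_encrypted": (not parts) and ent > 7.5}


def build_sample_dump(encrypted: bool = False) -> bytes:
    """Constructed 128 KiB dump for the demo, not from a real device."""
    if encrypted:
        rng = random.Random(0x5EED)  # stand-in for ciphertext, not real AES-XTS output
        return bytes(rng.getrandbits(8) for _ in range(0x20000))
    img = bytearray(b"\xFF" * 0x20000)
    # minimal image headers: magic, segment count, SPI mode, SPI speed/size, entry point
    img[BOOTLOADER_OFFSET:BOOTLOADER_OFFSET + 8] = bytes([IMAGE_MAGIC, 3, 0x02, 0x20]) + struct.pack("<L", 0x40080000)
    img[0x10000:0x10008] = bytes([IMAGE_MAGIC, 5, 0x02, 0x20]) + struct.pack("<L", 0x400D0000)
    table = [(0x01, 0x02, 0x9000, 0x6000, b"nvs", 0),
             (0x01, 0x01, 0xF000, 0x1000, b"phy_init", 0),
             (0x00, 0x00, 0x10000, 0x10000, b"factory", 0)]
    pos = PARTITION_TABLE_OFFSET
    for ptype, sub, off, size, label, flags in table:
        img[pos:pos + ENTRY.size] = ENTRY.pack(PART_MAGIC, ptype, sub, off, size, label, flags)
        pos += ENTRY.size
    return bytes(img)


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_dump()
    report = triage(data)
    for p in report["partitions"]:
        print(f"{p.label:<16} {p.ptype}/{p.subtype:<10} @0x{p.offset:06x} size 0x{p.size:06x}"
              + ("  [encrypted flag]" if p.encrypted_flag else ""))
    print("bootloader image header:", report["bootloader_image"])
    print("app image headers:", report["app_images"])
    print("entropy at bootloader:", report["bootloader_entropy"], "-> probably encrypted:", report["probably_encrypted"])
```

If the table parses and the app partitions carry headers, you have a plaintext dump worth keeping as your revert image (hash it and store it before flashing anything). If it reports "probably encrypted", reading more of the flash will not help; check the efuse summary, and expect that the "load your own test code" step may also be blocked if secure boot is burned, which is where James's "desolder and clip in your own device" fallback comes in.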

Lots of great info here! I took the device apart earlier today and there is a lot going on, but everything is well labeled and the ICs all look to be standard components that come up with a quick Google search. Not sure how much time I’ll have to really dig in on this, but I hope to get some time to try and learn this as it’s always been very interesting to me. I’m a software developer but have always found hardware interesting.

I’ll update here if anything comes of this.