Circles' $0* plan

Not a hairpin

Circles.Life launched a head-turning “Flexi $0 plan” that claims that there’s no catch. However, my initial experience with them did bring up some peculiarities:

  • There’s a hidden S$6 registration fee
  • “Flexi” $0 plan is hidden during registration
  • Contradicting information about their iOS/Android CirclesCare app

Ripping functions from PE binaries and reusing them elsewhere

Accessing a function from a PE via Python3

There may be occasions where a PE binary contains helpful functions that could be reused elsewhere. If the function’s implementation is not critical, it may be possible to rip the code out as-is. The function will then be used as a black box where input data is processed and returned as an output without knowledge of its internal workings.

There are some applications where this technique could be especially useful:

  • Using features from legacy binaries such as proprietary parsers
  • Implementing encryption/decryption functions
  • Building keygens

Recently, I was disassembling a binary that had a function to decrypt a block of data. At over a thousand lines of x86 instructions, the function proved to be tricky to re-implement, hence I thought of trying this process as an experiment.

Coupling the Instax 8 with a vintage lens

Meet the Instax-Paxina, with a 75mm, f/3.5 lens!

The idea of an “instant film back” for large format cameras has been explored before, but I thought it would be exciting to try the opposite - to mount a medium format lens and shutter onto an Instax instead.

The process would (ideally) involve removing only the optical elements and the shutter from the Instax, while preserving the rest of its functionality, so that the camera is still able to process and develop the exposed film.

Extracting the recovery image from my Router/ONT

UART on the board, complete with headers

Finding the UART on a Broadcom device usually enables access to its CFE, and consequently access to the device’s flash memory.

In the past, device firmware files were typically made available to users by their respective manufacturers. A recent trend has emerged where ISPs completely manage their customer premises equipment, including provisioning and firmware updates. As such, publicly available firmware files may be scarce or unavailable for some new ONTs or routers.

It may be possible to extract the current firmware (or the recovery image, stored in the alternate bank) in the right situation:

  • Device is based on a Broadcom processor
  • UART pins/pads/headers are available
  • CFE (Broadcom’s bootloader) is recent enough
  • CFE is not deliberately crippled by the manufacturer
  • Prerequisite hardware is available to access the UART

Decapping ICs with Sulphuric Acid

Decapped IC

There are only two hard parts about IC decapsulation: obtaining a usable acid and doing it safely.

Recently, I ordered some exotic integrated circuits which were only available in China via Taobao. Obtaining ICs from China is a hit-or-miss process, as the products may be new (ideal), used (still okay), “compatible” (barely usable), or fake (unusable).

Chip packaging and die markings are easily faked, hence decapsulation is a practical method to expose the IC’s die, and thus verify if the chip is usable by comparing it with a decapsulated original die.

Building Braille signage with PCBs

Purple Braille signage!

This was designed and processed in the comfort of home! Hopefully this technique may enable more people to improve accessibility for the visually impaired.

A while ago, I passed some damaged Braille signs and felt that repairing them may be difficult or infeasible. It led me to wonder about how one could go about building Braille signage. Typical commercial approaches involve:

  • Accurately punching sheet metal
  • Pressing (and binding) metal bearings into plastics

While working on PCBs, I also noticed that solder tends to form a prominent bead on round pads. I decided to design, order and build a bunch of Braille PCB signs as an experiment, and so far it appears to be excellent!

Depth Effect on a budget (action camera)

Bees on a flower approximately a meter away

TL;DR: Attach the US$26 Fujian CCTV lens to the Yi Camera to achieve a lovely depth effect. More photos below.

The depth effects on modern phone cameras are attractive, especially in portraiture, but are only available on select high-end models which usually cost a pretty penny.

Furthermore, this effect is generated by interpolating the image data of two cameras with different focal lengths, which consequently leads to undesirable artefacts such as the clipping of fine details like hair.

I set out to achieve this depth effect on a (peasant) budget, using my existing Yi Camera (~US$60) and having some requirements in mind:

  • Lens with appropriate focal length. Too much focal length results in an overly-zoomed image, while having too little leads to a mild bokeh and insufficient focusing travel.
  • Lens with a wide aperture. A lower f-number is desirable when selecting a lens and also while shooting. Prime lenses are ideal here.
  • Large enough imaging sensor. Larger sensors will capture a greater (apparent) depth of field. Coincidentally, the best sensor I’ve seen so far in the budget action camera market is the IMX206 at 1/2.3 inch, found in the original Yi Action camera and some SJCAM products.
  • Proper composition. The distance between the camera and subject should be kept to a minimum, and the distance between the subject and background should be increased to achieve a stronger blur.

Building a PCB lapel

The completed lapel!

A while ago, I chanced upon a satirical “boy scout badge” featuring the text “Centered vertically in CSS” by @mrgan.

I had little experience with fabric, but building a lapel out of PCB seemed like something that might just work. PCBs are typically built to extremely tight tolerances for their copper and mask layers, and are still acceptably accurate for the silkscreen.

Hopefully this post documenting my build process will be helpful if you’d like to give PCB lapel designs a shot!

Disabling updates in MacsFanControl (by replacing a byte)

MacsFanControl is this utility that enables manual controls for my Macbook’s fans on Windows. Recently, I had the unpleasant chance to interact with their update mechanism.

Update pls

The update prompt must be acknowledged, and there is no user-configurable option to disable or ignore the updates. Considering the app works just fine as it is, along with the fact that future updates will still have this issue, I chose to disable the updater permanently.

Adding new, undocumented features into a kernel driver

Note: this is a recollection of my memory (and source files) from about 2 years ago.

AX88179 USB3 Ethernet device

How would I go about changing the MAC address (permanently) on this AX88179 USB 3.0 device without breaking it open?

I found myself with an unusual challenge - the MAC address of many networking devices, if not already burnt into One-Time Programmable memory, could possibly be stored in an external (rewritable) EEPROM. Breaking open the device and directly accessing the EEPROM would be trivial, however I was unwilling to scuff the glossy plastic enclosure; I sought to do this without dismantling the device.

Defeating wireless fixed code systems with just US$23

Wireless doorbell being triggered. No, it’s not someone else’s :^)

Fixed-code wireless systems are not unlike having someone shout a specific password to open a door (or anything else) with a certain pitch and speed, except that this occurs in the electromagnetic domain instead of moving air.

This can be best described as “security-by-obscurity”, or, hoping that others are unable to capture and replay the signal. However, readily-accessible and affordable hardware is now within reach of most. As of writing, US$23 nets all the required parts to do just that.

Radio frequency shares much with sound, so this post will attempt to draw similarities between them. Let’s get going!

Hacking the NDP Pixmob bands - How I got the LED band to run my code

It lives!! hehehe

The NDP 2016 Pixmob band - thousands mesmerized, documented by many, but still not hacked to run custom code.

This (fairly lengthy) post documents how I learnt about the ISP protocol, built a board to implement it and integrated it with the Arduino IDE.

The Pixmob band

Pixmob band as-is

Within the milky plastic enclosure lies a compact board comprising:

  • IR Sensor (38KHz)
  • Vibration sensor switch
  • I2C EEPROM (AT24C02S)
  • ABOV MC81F4204
  • CR2032 battery (~3V)

Everything listed is available as a jellybean part, except for the very unusual MC81F4204.

The ABOV (MC)81F4204

“8-bit MCU, 4KB Flash, 192B RAM using a custom architecture (“810 Core”)”

Takeaway: difficult to source, ancient proprietary IDE, requires a special programmer

Also: No UART. 192 bytes of RAM

Identifying and buying a good iPhone battery from China

7.57 shipped!

Purchasing a replacement battery for an iPhone (5S) from typical Chinese sources yields fantastic prices, but they rarely match up with their advertised capacity.

What’s in an iPhone battery?

'OEM' battery

Above: What sellers describe as an “OEM” battery. I’ve removed the tape off the battery controller. It is difficult to discern between this and the “Apple Original” battery.

The two significant parts of an iPhone battery are:

  1. Lithium Polymer battery (“1S1P”). The remaining capacity of the battery can be approximated by its voltage, at ~3.7V flat, and ~4.2V full. The iPhone 5S has a 1560mAh battery.

  2. The charge controller. This tiny board contains circuitry to protect the battery from over-temperature, over-charge and over-discharge, and also reports the battery’s vitals such as its charge state. The 5S board contains Texas Instruments’ bq27545 and the proprietary flex cable, and is spot welded onto the battery’s terminals.