[HN Gopher] Show HN: Reverse-Engineering a Switch Lite with 1,91...
___________________________________________________________________
Show HN: Reverse-Engineering a Switch Lite with 1,917 wires
Hey Hackers. This is a project I solo-developed that turns
completed PCB assemblies into an easy to use boardview with some
accompanying boardscans. There are lots of easier and better ways
of doing this, but this is an experimentation to do it as cheaply
as possible, with the highest quality and lowest chance of errors.
The technical details are in the link. Most public boardviews are
almost entirely the result of industrial espionage, other than a
few encrypted subscription based software platforms that provide
extensive access. The process output is released as donationware,
as my main concern is that even released as a low-cost purchase,
there is a very strong culture to share this type of information at
no cost. I would like to have a more sophisticated suggested
donation system adaptive to user country, but I wasn't able to find
a good solution. In terms of 'good startup ideas', I don't think
this is one of them. The very high level of soldering skill
required makes it difficult to scale, and the prevailing piracy
culture makes it challenging to monetize. My main advantage is that
costs are very low now that I have the entire thing working. Other
than forge ahead at a loss and hope for the best, or to pivot hard
leveraging the imaging technology, I'm not sure what other options
I have. It feels too complicated and repetitive for shoft-form
video content. If you have any feedback, questions, suggestions,
etc., I'd love to hear them.
Author : uSoldering
Score : 334 points
Date : 2024-02-25 14:27 UTC (8 hours ago)
(HTM) web link (usoldering.com)
(TXT) w3m dump (usoldering.com)
| tubetime wrote:
| great project! i ran into it the other day and was impressed with
| the number of wires.
|
| i've been reverse engineering PCBs (mostly 2-4 layers) for a few
| years now and this is a part of the problem that i've been
| thinking about how to solve. best i can think of is a flying
| probe station cobbled together from 3d printers. basically you'd
| 1) scan the top and bottom of the board 2) generate a list of
| test points and pads 3) feed the coordinates into the flying
| probe system to generate the netlist
|
| the other way to handle multilayer boards (and the most accurate,
| imo, because it captures exact ground plane designs, guard
| traces, and structures like that) is the scan-sand-scan approach.
| you'll get exact artwork--unfortunately the dust it generates is
| pretty nasty stuff.
| willis936 wrote:
| Is there an automated tool for generating netlists from scanned
| PCB layers?
| alright2565 wrote:
| Looks like the answer is yes, for money. Nothing I can
| quickly find that is FOSS.
|
| It doesn't seem like this problem requires anything crazy,
| just traditional computer vision, but of course the devil is
| in the details.
| uSoldering wrote:
| The issue I was concerned about was dealing with high-
| density interconnect microvias. This PCB is 10-layers with
| a core of 4 layers of normal vias, and 3 layers of lasered
| microvias on each side. Someone has actually done the sand
| and scan method on this board you can view here:
| https://balika011.hu/switch/lite/
|
| PCBs can warp to various amounts post reflow, which can
| cause all sorts of problems with parallelism between your
| PCB and sanding surface. You would also be able to mitigate
| this type of attack by filling vias with conductive epoxy
| and plating over them, which is a well established process
| option in PCB fabrication.
| alright2565 wrote:
| I expected scan-and-sand to be somewhat automated, but
| they're doing it by hand? Incredible!
|
| Might another way to resolve issues with the PCB dishing
| be to photograph the layers at a fraction of a layer
| height? So that in that way you have a lot more slices to
| work with, and you can digitally "flatten" the PCB?
| uSoldering wrote:
| Making a machine to automagically remove a tiny bit of
| material and image the result over and over would be easy
| for me. The image processing to take the stack of 3D
| sequential images and automagically process them into a
| netlist is well beyond my programming capabilities. If
| anyone thinks they could do this, contact me.
| Keyframe wrote:
| Not gonna pretend I have the solution, but it sounds like
| most of the groundwork for that has been laid out in
| medical imagery already. CT scans, combined into volumes,
| identifying structures..
| alright2565 wrote:
| That's what I was thinking, but now I'm pretty sure it
| doesn't even need crazy algorithms like that.
|
| 1. align the image stack. not trivial, but a common task.
|
| 2. take several cross-sections, in both dimensions, and
| have a human draw a line along a specific layer line
|
| 3. linearly interpolate these lines into a surface.
|
| 4. for each pixel in each output layer, set the value to
| layers[l + offset][x][y], where the offset was calculated
| in step 3.
| kayson wrote:
| There are automated tools for generating a netlist from
| scanned IC layers (nm thick). They're proprietary trade
| secrets of course, but it's done all the time.
| uSoldering wrote:
| I think with the Image->CAD data you could hack together
| something resembling a die-bond machine to automate the
| process. A flying probe would need two heads on both sides for
| full coverage of continuity, and some algorithms to probe
| multiple times with micro-offsets to deal with near-hits and
| bad connection hits. You could also monitor the probe heads for
| changes in capacitance to infer the quality of the probe hit.
| archi42 wrote:
| I was also surprised not to see a flying probe system - I
| would expect this to be viable with modern 3D printer motion
| & control systems, but obviously this is highly non-trivial
| and has lots of mean details in the mechanical, electronics
| and software domains to solve.
|
| I did not think of a die-bond machine (I suppose it bonds a
| wire to each pad instead of you doing it by hand?), but of
| course that also makes sense. And at least the motion system
| is much simpler.
|
| A first step/experiment could be to automate creation of the
| gnd net. For that you only need a single tool head, meaning
| you can repurpose mostly any 3D printer motion system; for
| small increments, this could (later) happen during the die-
| bond process or become a precursor to a flying probe tool
| head. Of course I can not judge if that's a worthy investment
| of your time, or if you would enjoy building something like
| this ;)
|
| Anyway, the effort, skill and dexterity are amazing! Spending
| 3 weeks soldering 1917 tiny leads seems to be just the icing
| on the cake :)
| MuffinFlavored wrote:
| What can be done with the reverse-engineered data about the
| PCB? You have a working one, you reverse-engineer it, and then
| ultimately you can make your own?
| nyanpasu64 wrote:
| PCB information is useful for, among other things, doing
| board-level diagnostics and repairs of broken electronics to
| avoid turning it into e-waste.
| wiseowise wrote:
| > If the goal is to just make money, I could sell 6,000 PPI
| panoramas of women's feet as NFT's. Note: Do not contact me about
| this.
|
| Lmao.
| barbegal wrote:
| This seems like a lot of effort to get a net list given other
| techniques to deduce what pads are connected (e.g. knowing the
| most connected net is the ground plane, looking up the pinouts
| for the ICs, looking at the voltages and signals when the board
| is powered).
| crote wrote:
| That approach will get you 80% of the way there - which for a
| lot of applications is next to useless.
|
| The problem is that for a lot of chips there aren't any
| datasheets available. Sure, something like a memory bus is
| trivial to trace, but how are you going to reason about Unknown
| Pin #464 coming from Unlabeled IC #4 which seems to randomly
| have a 500ms pulse on bootup and every few minutes afterwards?
| alright2565 wrote:
| Did you take a panorama of the board after desoldering all the
| components? I'm curious (although not likely to want to dedicate
| more than minimal time to) if it would be possible
| minimize/eliminate your innovation #2 by using computer vision.
|
| Or are you maybe aware of other images of depopulated boards?
| uSoldering wrote:
| I didn't take a depopulated panorama because I did all the
| photography without an automated stage, which is what I'm
| currently working on. There are some boardscans that are
| depopulated, with the various layers you can go through here:
| https://balika011.hu/switch/
|
| I am okay at programming, but slow. I think it's definitely
| possible, but processing of computer vision is still magic to
| me.
| kayson wrote:
| Wow I would've loved to have something like this. In the last few
| months I tried reverse engineering a Dell server motherboard
| (just the power supply interface) and a Lenovo ThinkCentre
| motherboard (PCI-E riser) and its such a pain to do by hand I
| mostly gave up after figuring out some basic connectivity.
|
| It's not really clear to me what your goal is here. It seems like
| this would make for a great open source project. Even if you want
| to make money from it, I think you can generate a lot of value
| from the process rather than the tools (which only you can really
| use anyway).
|
| You mentioned in a comment below automating the process further
| like a bonding machine. There's been a ton of work in this
| general space in a mechanical sense for 3D printers. I bet you
| could fairly easily adapt it for probing.
| uSoldering wrote:
| The original goal was to just turn an idea I thought was
| possible and figure out exactly how to execute it. The current
| goal is something like improve and iterate, while seeing what
| the market interest for something like this actually is.
|
| I think most of the value is in the imaging technology, and
| could easily be offered as a mail-in service. I can also bulk
| manufacture the extractor PCBs and sell them at a small markup,
| while open sourcing the rest.
| nativeit wrote:
| People like Ken Shirriff (who routinely posts here on HN, and
| collaborates with @CuriousMarc on YouTube) and Eric
| Schlaepfer (aka @TubeTime, published _Open Circuits: The
| Inner Beauty of Electronic Components_ ) would probably have
| some unique insights for this endeavor.
| TheJoeMan wrote:
| I don't have any direct experience to suggest, but for your
| funding model you seem to be mostly concerned that you wouldn't
| make much money after releasing the work due to piracy. Perhaps
| you could consider the crowdfunding model instead, collect the
| money first! It also has the benefit of implicit voting for most-
| wanted projects.
|
| This model would be similar to the notorious Denuvo DRM cracker
| Empress, who is essentially the only person who can break this
| gaming anticheat.
| https://en.m.wikipedia.org/wiki/Empress_(cracker) . I will warn
| they have quite some drama about them, but the financials seem to
| be working.
|
| I would also consider what your work could be useful for / value
| proposition for others. The trimmed-down Wii consoles come to
| mind. Perhaps a small group of people would heavily value a
| netlist of their favorite circuit that they could recreate even
| smaller with more layers/modern techniques.
| chx wrote:
| I strongly suspect a lot of people who could crack Denuvo
| simply do not want to.
|
| We've grown up. We got solid, well paying developer jobs. I do
| not want to even risk violating some law. It's been a hoot
| 1987-2004 but I have not opened IDA in two decades. That book
| is closed. I doubt I am alone.
|
| Once... so long ago... I could disassemble Z80 in my head.
| Today? C9 was RET. The rest I forgot.
| fnordpiglet wrote:
| The nature of life is as you age others are born. While your
| soul may have been crushed by the years, new smart but
| foolish ones have arisen to hack what you leave unhacked.
| tamimio wrote:
| Sounds pretty much accurate.
| krater23 wrote:
| Show me the young people that know how to work with IDA or
| Ghidra. The way to use tools like this without ever written
| assembly is way harder than the way we had 10 years ago.
| They found other things to hack, things where we don't know
| anything about.
| rescbr wrote:
| You're not alone.
|
| A couple weeks ago I played around with a piece of software
| for my personal usage, and I certainly won't release anything
| at all.
|
| Not worth the trouble with the law, I'm not underage anymore
| and a day job gets in the way of keeping the required mental
| state/context for RE.
|
| Ah, the simpler times at the University when I had the time
| and energy.
| ckocagil wrote:
| Also games became very affordable compared to the time period
| you mentioned. The number of games worth playing were much,
| much fewer. Not to mention the F2P or even open source games
| we have now.
| chx wrote:
| Well yes Diablo 2 was $50 when released http://web.archive.
| org/web/20000815052708/http://www.gamesto... which would be
| like $90 today adjusted for inflation. Diablo IV is $70 and
| people were raging how expensive that is. And Last Epoch is
| $35 and it seems like more fun than D IV. And of course
| Path Of Exile is free to play but you need to consider the
| price of a math degree totes required for that thing :D htt
| ps://www.reddit.com/r/pathofexile/comments/wydq91/my_frie..
| . And before someone posts the obligatory "Still sane,
| Exile?" I would like point out two things: a) I do have a
| math degree b) my Last Epoch Falconer is called
| TrappedInWraeclast. Sanity left the building, long ago :D
| Retr0id wrote:
| These are the words of someone who has not tried to crack
| Denuvo.
| billforsternz wrote:
| CD was CALL, 3E was LD A,imm but yes, I've forgotten most of
| them too.
| uSoldering wrote:
| A bounty hunter-like crowdfunding system would probably be
| ideal. I could probably hack together some forum software with
| each thread being a different crowdfunding campaign. Thanks for
| the suggestion.
| gargablegar wrote:
| Such a great project, really enjoyed it. I'm a hardware engineer.
| I really appreciate this
| analognoise wrote:
| You're right, but I don't want to solder 2k wires to things. Last
| time I "professionally" reverse engineered a board we sent it out
| to get a CT scan of it, and got delivered a self executing
| program which contained a point cloud of data and an interface to
| extract surfaces, adjust the histogram (to make features visible)
| etc.
|
| I'd take a handful of automated probes in a 3D printer chassis,
| and some vision/registration/classical computer vision
| algorithms.
|
| This type of thing already exists but I'd rather have an open
| source one.
| bsder wrote:
| > This type of thing already exists but I'd rather have an open
| source one
|
| Is it possible to make an open-source X-ray machine to do this
| kind of CT scan?
|
| It really seems like it ought to be, but I don't know enough
| about the source and the CCD detectors to think about how to
| assemble it.
| ooterness wrote:
| Well, step one would be to reverse-engineer an existing CT
| scanner. But to do that, you'd need a CT scan of the boards
| in the CT scanner...
| bsder wrote:
| Not really.
|
| The big question is how to get an X-ray source with enough
| energy to penetrate metals and a detector with enough
| resolution.
|
| Everything else can be cheap.
| analognoise wrote:
| I mean, we buy them and start learning?
|
| Famous last words: how hard could it be?
| mkoryak wrote:
| Do you have a full time job? Do you have young kids?
|
| I am guessing one of these is a "no", probably the later.
|
| If I am wrong, please tell me the secret
| uSoldering wrote:
| No kids and my job is running/programming SMT production lines,
| so when the process is stable I get to supervise the machines
| and read technical documents as training.
| blubbity wrote:
| This is completely brilliant!
|
| If the painful part is the soldering, and the novel part is the
| imaging, there is definitely opportunity here. Seems like an
| opportunity to create a dirt cheap flying probe based off an
| ender3 3D printer. This is possibly a perfect situation where
| smart software can make up for the shortcomings of cheap
| hardware.
| crote wrote:
| It's definitely a really cool project, but this doesn't really
| look like something that would scale. While a boardview is nice
| to have, investing what looks like hundreds of hours per board
| simply isn't viable for the vast majority of projects -
| especially the hobbyist market you seem to be targeting.
|
| You can get something similar-ish done quite cheaply in China: a
| digital copy of a 2-layer board is only $150[0], and turning that
| into a netlist shouldn't be _too_ difficult. I expect multi-layer
| boards to be quite a bit more expensive, but still nothing like
| this process.
|
| Heck, even for a plain netlist it'd probably be orders of
| magnitude easier to DIY your own flying-probe machine. All the
| hardware for 3D printers is widely available, after all.
|
| [0]: https://dirtypcbs.com/store/pcbclone
| newsclues wrote:
| I feel like contacting Louis rossman from YouTube for an
| interview on right to repair etc would be great!
| indrora wrote:
| Not OP, but the less I encounter of Lous "I should be allowed
| to beat my kids" Rossmann, the better I've become.
|
| Rossmann is the RMS of the right to repair movement. A lot of
| ideas that align with the overall goal but a terrible
| figurehead because he has a fairly myopic view of right-to-
| repair scene at this point, coupled with some Yikes opinions
| outside of it. He has actively held back some RtR folks simply
| because of his crass comments about women & minorities, but
| also because he doesn't think the issue extends to some things
| (like dishwashers, which he's said a few times on stream are
| "simple shit nobody needs boardview for").
|
| Similarly like RMS, he's made comments (like the one I alluded
| to before) where he has explained (while very drunk on a live
| stream) that he has some beliefs that don't... always align
| well with the status quo in terms of basic human decency.
| newsclues wrote:
| Dunno about that but I do know that RMS made a huge
| contribution to open source and Rossman seems to be doing the
| same for right to repair.
|
| I'm happy that people are doing good work even if they have
| shitty opinions or are even shitty humans. I will appreciate
| what they have done for humanity.
| atlas_hugged wrote:
| This sounds like Dave Chappelle's view about Cosby: "he
| rapes, but he saves"
| newsclues wrote:
| Nobody is perfect.
|
| If you want to live in a world built by perfect people,
| you won't have a house or music or new or movies or
| companies.
|
| I'm not defending shitty behaviour, I'm not throwing out
| the baby with the bath water.
| atlas_hugged wrote:
| You're the first comment I've seen that has the same view as
| me. I don't know why so many people worship that guy. Same
| with RMS. Both of those dudes give me the creeps even though
| I often hold the same or similar views on their areas of
| specialization.
|
| Someone, long ago, once told me: "There's always going to be
| someone on your side that you wish was on the other side."
|
| I didn't realize how true that would become until years
| later.
| newsclues wrote:
| A) don't worship him
|
| B) just know about his right to repair work
|
| C) don't know anything negative about him, nor has anyone
| provided any evidence he is a bad person and just attacked
| his character.
| 486sx33 wrote:
| Isn't crosstalk an issue ? Just wondering
| uSoldering wrote:
| At 20kHz it only takes 3 minutes to run the extraction program.
| I run it multiple times and at slower frequencies, but the
| output is stable.
| mNovak wrote:
| I'm wondering if a 'bed of nails' approach could be used to
| eliminate the mechanical difficulty of the flying probes?
| Basically a grid of (many thousands) probes at some resolution,
| connecting to essentially the same switch matrix backend you
| already have.
|
| In particular something like [1] might just have enough
| resolution. The 'probes' now are just pads on the sensing PCB.
| This converts it from a mechanical problem to a crazy high
| density PCB layout problem, which sounds like it'd be up your
| alley!
|
| Heat cure for the anisotropic layer is annoying, and might make
| it a single-use solution (but that's not bad if you're selling
| the boards!)
|
| Another 'just dumb enough to work' concept would be to take the
| board scans, and print a custom PCB of the same pad layout
| mirrored, and you can directly mount the two boards face-to-face.
| Basically a board level breakout, either to make the wire
| soldering easier, or better, again directly incorporate the
| netlisting hardware.
|
| [1] https://www.3m.com/3M/en_US/p/d/b5005076018/
| eternauta3k wrote:
| I like the last one, but how do you connect the boards to each
| other? Solder balls? Just pressure?
| flutas wrote:
| Might be able to find pogo pins that small. That would be my
| best idea (if they're available).
| dclowd9901 wrote:
| Had this same idea as I was reading the article. You could
| really automate a lot of the probing.
| ooterness wrote:
| This approach doesn't scale.
|
| Modern portable devices often have BGA packages with 0.5mm
| spacing. At this resolution, a relatively small 5x5 cm board
| would require at least 100x100 = 10k probes per side. Count
| increases quadratically with board size.
|
| Far easier is a "flying probe" machine [1] with a handful of
| probes that can be moved quickly. This option is mentioned in
| the article, but dismissed due to up-front cost.
|
| [1] https://en.wikipedia.org/wiki/Flying_probe
| layer8 wrote:
| I think I got most of the jargon, but what is a "binned
| location"?
| uSoldering wrote:
| It's just unique spot to hold each part. There are 8 trays with
| 100 pockets each, so if you wanted to know a specific
| component's electrical properties, I could look up which tray
| and pocket it's in and measure it. Or if I get around to
| measuring all of them, I can push that data into the boardview
| itself.
| layer8 wrote:
| So, it means "put it somewhere in a way that you still know
| which is which"?
| uSoldering wrote:
| Yep!
| punnerud wrote:
| Quick creation of a Openseadragon viewer of the PCB from the
| article: https://ha-norge.no/images/pcb_highres/highres_pcb.html
|
| Full resolution on mobile phone without the need for downloadning
| 124MB JPG. The image consist of layer with different resolution,
| and a lot of tiny pictures (+ 45.000). Enjoy.
| uSoldering wrote:
| Thank you so much for the bandwidth. I would like to do this
| for boardscans going forward, but I don't have the hosting
| infrastructure. I know OSD can do overlays, it would be awesome
| to have the functionality of OpenBoardView as a webapp.
| punnerud wrote:
| Only the part that you zoom into is loaded in gradually
| higher resolution, that save bandwidth and less data to
| download. Send me an email (on my profile) and I can describe
| how to run the Python processing etc yourself.
|
| That way I believe you can host it.
|
| Had to make some adjustments because of the size of the
| original image.
| xt00 wrote:
| If you / somebody is doing the sand and scan or xray/CT method
| (which you could pay somebody to do rather than buying a CT
| machine), then you can create a gerber -- then manually clean it
| up. Then you have a dangling set of nets that are only separated
| by layers. You can then infer connectivity from the gerbers on
| layer to layer manually again to create a reduced set of nets by
| the shape / visual cues of what the vias look like. That would be
| far easier than soldering wires to every ball on both sides of a
| board -- and a netlist doesn't automatically generate a schematic
| for you, you need to still do a chunk of work to actually create
| the schematic. To be honest, a netlist is not actually all that
| useful unless your goal is to attempt to create a full schematic
| out of the board. For reverse engineering efforts, you would
| likely focus on one chip and just manually follow each trace for
| the thing you care about and draw up a schematic manually for
| that. In most cases you would likely spend like 1 day after you
| got the scans back building up a schematic for the key chips of
| interest. For anything that is a bit questionable about if a via
| actually connects or not, then you would just manually ohm that
| out. Anyway, I guess if you like soldering and are just doing
| something for fun, then sure do this method. Otherwise, there are
| way better approaches than this.
| nxobject wrote:
| Your brute-force approach to finding hidden connections is simple
| but brilliant. I know a lot of current hobbyist reverse-
| engineering efforts have to go a lot further, are destructive and
| involve sanding things off layer-by-layer (resulting in 1:1
| reconstructions, rather than just board views), but I'm sure that
| gets harder and harder the more PCD layers are involved,
| especially with cutting-edge consumer tech.
| boringuser2 wrote:
| Regarding industrial espionage on PCBs, would you say most are
| out of China?
| eichin wrote:
| This is amazing (particular the hand soldering - I love the genre
| of "this is impossible, you'd need to do this thing thousands of
| times" "so I did the thing thousands of times" persistence) but I
| wonder, now that homebrew pick-and-place is starting to become a
| thing, is there any practical way to take advantage of that? I
| pick-and-place tip that was vaguely like a wire-wrap tool seems
| almost plausible. Or is this more like bond-wires on chips and
| needs an order of magnitude more precision?
___________________________________________________________________
(page generated 2024-02-25 23:00 UTC)