reverse engineering lcd display price

Next, check the display response by changing the signal inputs and recording the response. You don’t need to record everything the display does, just whether it changes and whether the display goes out. Since pin 1 is at a negative voltage with no signal, and pin 2 is at 0 volts with no signal, we can assume they are Vss and ground.
Pins 3 and 4 are fixed high, so start with pin 5 and check one pin at a time: fix the voltage to high, or in this case 2.3 volts, and observe what happens to the display.
Record the response of pin 5, then move to pin 6, fix it high, observe the response on the display and record it. Continue with this process for pin 7 and pin 8. The changes on the display were funky symbols in the alphanumeric segments and random lighting up of the custom bar. You may notice that the response only affects the custom bar or only the alphanumeric bars; make a note of that, because the pin data inputs may be bar specific.
Then, starting with pin 3, check one pin at a time: fix the voltage to low, or in this case 0 volts, and observe what happens to the display. Pins 3 and 4, when set low, shut down the display; pins 5 to 8, when set to low or 0 volts, made different symbols in the alphanumeric segments and different random lighting up of the symbols in the custom bar.

The current marketplace allows hobbyists to easily find inexpensive, well-documented displays, but what if you wanted to interface with something more complicated, such as the screen on an iPod Nano 6? [Mike] has given us a detailed and insightful video showing his process for reverse engineering a device with little-to-no documentation. Here he covers the initial investigation, where one scours the web in search of any available information. In [Mike’s] example, the display uses an MIPI D-PHY interface, which he has never worked with. He learns that the MIPI Alliance will provide design specs in exchange for a signed NDA (Non-Disclosure Agreement) and a modest $8000 fee. Nice.
[Mike] shows off some serious hardware hackery, tackling some extremely difficult soldering in order to set up a proper test platform. He then demonstrates how to use a rather awesome oscilloscope to better understand the display protocol. We found it fascinating to see the video signals displayed as waveforms, especially when he shows how it is possible to count the individual binary values. The amount of information he uncovers with the oscilloscope is nothing short of amazing, proving these little devices are more complex than they seem.

A large share of our business originates from customers who need our LCD reverse engineering services for a replacement display module. Their current supplier has discontinued the LCD series or no longer supplies Liquid Crystal Displays.
A short time ago a customer contacted our technical engineering support department and asked if we could develop a 40x2 custom character LCD display to replace a module that their previous supplier had discontinued. They required our LCD reverse engineering services to provide a drop-in equivalent including EL backlight and exact pin-out.
This display is much larger than most character LCD displays with a length of 9.8 inches and a width of 1.5 inches. Its character height is a little over ½ inch.
This large character display is a good solution for products that need to be read at a distance. This includes industrial, test and measurement, scales and many outdoor applications.
Although the standard display configuration is with an EL (Electro-luminescent) backlight, the character display can be manufactured with an LED (Light Emitting Diode) backlight.
EL backlights are AC (Alternating Current) driven, which means there needs to be an inverter on the LCD or on the customer’s PCB to convert the DC (Direct Current) to AC. This adds cost and requires real estate on the PCB.
EL backlights now have a higher minimum order quantity of 500 displays per build. Focus is able to hold inventory in our Chandler warehouse if necessary.
EL backlights are limited in their size; when a larger backlight is required, a CCFL (Cold Cathode Fluorescent Lamp) is required. The challenge is that CCFL backlights in LCDs have been phased out.
LEDs can create hot and cold spots under the LCD glass. Most of the time the light can be ‘smoothed’ out with a diffuser, but the brighter the LED backlight is driven, the greater the chances of hot spots.
Character displays can be built in a variety of background and backlight colors. The photos below present a sampling of different options. Available colors include:
The standard operating temperature range for this character display is -20C to 60C, but it is possible to build the display as a wide temperature version that will operate from -30C to 70C.
If the display needs to operate to a lower temperature than -30C, it would be necessary to add a heater. Contact Focus Displays for help with your custom LCD heater.
The standard, stock display is built as a positive mode, but can be built as a negative mode. Positive mode means that there are dark letters on a light colored background.
Below are photos of two character displays in both positive and negative mode. Positive mode is standard, but the character LCD can be built as negative mode.
The negative mode version requires the backlight to be on for the display to be readable, and is not the best solution for battery and solar powered products.
FSTN monochrome LCD displays contain a retardation film applied to the STN display to produce a black and white display. The film produces a higher contrast and wider viewing angle than STN or TN.
STN monochrome LCDs require less power and are less expensive to manufacture than TFTs. They produce a sharper contrast than TN but less sharp than FSTN. Basic color options are Gray, Blue and Yellow/Green (most common). Other colors are available through the use of filters.
TN monochrome LCDs are the lowest cost of the three options. Contrast is not as sharp as STN and FSTN. Primary color options are black letters on a gray background. Other colors are available through the use of filters.
As mentioned at the beginning of the article, Focus Displays is able to design and build an equivalent character LCD to take the place of a discontinued display. Sometimes it may require LCD reverse engineering services.
Many times a one-time tooling or NRE (Non-Recurring Engineering) fee is required. This tooling fee is much lower for segment, character and monochrome graphic displays than it is for OLEDs (Organic light emitting diode) and TFTs (thin-film-transistor).
The first step is for the customer to send Focus Displays the datasheets for the LCD they were using. If the customer does not have a current datasheet or there is a concern that it may not be accurate, Focus may be able to ‘estimate’ a cost from a photo.
Most LCD displays require some type of on-board controller driver processor. There are many companies that manufacture LCD ICs. The challenge is that a controller from one company may not be 100% compatible with the controller from a second company.
Focus Display Solutions provides off-the-shelf standard displays as well as custom LCD design services to help companies replace their current LCD. Call Focus now (480-503-4295) if you need LCD reverse engineering services. Or fill out the contact form.
The LCD is controlled by a display driver IC, which drives both the DATA and SCAN lines. The vertical lines are usually the DATA lines and the horizontal lines are the SCAN lines. My main interest was how manufacturers can make such a small edge around the active area of the display. If you think about it, the usual mobile phone display has more than 1000-4000 vertical pixels, but the edge of the display is not more than a millimeter or two.
OLED display driving logic is similar to that of an LCD, but the fundamental difference is that OLED pixels need current driving, while voltage driving is enough for the LCD.
My main focus here was also the row pixel driving circuit (scan lines), which sits on the very edge of the display and is around 1mm wide. This circuit fundamentally works the same way as on the LCD: it has shift registers which scan through the rows one after another. The complexity comes from the current driving, which for Samsung displays includes a pixel driving compensation circuit as well.
To be able to see the TFT layer of the display better, I had to etch away the top metal layer, which carried the sub-pixel anode contacts and, on the scan drive circuit, possibly a metal mesh shielding. The next two pictures are 100um across, just for scale.

At 11 June 2013, 13:42:13 user Allan wrote: Very interesting. Thanks for taking time to make these videos. What exactly does your breadboard circuit do in order to shift (scroll) to the next scan line on the LCD?
At 24 August 2012, 7:22:43 user Giorgos Lazaridis wrote: @kiranvarma-npeducations which software do you mean? The PIC software? It is very messy and I made it only for testing the LCD. If this is what you want, I can certainly give it to you. But it is not commented.
At 3 July 2012, 8:36:44 user kiranvarma-npeducations wrote: Is the software shown in the video designed by you? It's cool! Simply generating binary code for bitmap images and serializing to the LCD panel via some controller (I think from Philips). Which language have you used to develop the software? The final output on the LCD panel is mind blowing, you are a genius in both the software and hardware parts. Really amazing video, really reverse engineering. Thanks for such a wonderful project tutorial. I will bookmark your site for my learning benefit.
At 6 May 2012, 20:31:17 user Giorgos Lazaridis wrote: @sdfdsfadsjk But first I will finish my coffee maker for which this LCD is supposed to go. But due to lack of funds, the project will be delayed for a while.
At 21 November 2011, 5:41:30 user Kammenos wrote: @Annonymois sure there are methods for this, but not by hacking the LCD that way. There are programs for example for PCs and others for telephones to do this, there are also very VERY cheap gadgets (http://www.ebay.com/sch/?_kw=gsm%20spy&_clu=2&_fcid=5&_localstpos=&_sop=15&_stpos=&gbr=1). If I were you, I would start with a simple PC format, and then install a firewall on the PC. Any surveillance program installed would then be erased.
At 20 November 2011, 22:10:52 user Annonymois wrote: Hi. I saw your YouTube video about reverse engineering an LCD screen. And some posters had said this process is used by hackers in order to spy on people through their computer screens? And I started googling this question because I perceive I am being watched by people I know. I don't know how. I suspect there is a website where the hackers stream the audio and visuals to the recipients who include friends and so-called family members. They drop subtle hints to me as to the fact that they know what I'm doing by posting comments on YouTube videos I've just watched or they repeat the words I've just spoken by writing it down on my Facebook wall or in my junk email subject line. If you google gang stalking, cause stalking, gas lighting, you will see that there are a lot of people who are experiencing electronic surveillance. It's crazy. I know I saw a real life police show once and they were receiving visual feed from the cell phone of a criminal. I don't know how they did it. But I have been abused by people I know at work and in the last year by my own family because they used to like / love me and now they hate me. My brother's family in particular and my nephew from my sister have been befriended by these cause stalkers and they constantly let me know I'm being watched. They don't admit it but I've heard them talk about private conversations I've had when they were nowhere near me! It's crazy.
I finally got my display working! It's only 160x80 so I can get great refresh rates from a pic... right now the controller is an 18f2455 and I'm using its internal ram for the display. Currently it only displays a test image that I stored in program memory, but I plan to add a 5x7 font, a gal for timing logic, external serial display ram, and serial character input... then I'll use it for console output on a couple of hacked linux devices. Thanks for all the information!!
I have obtained a large (200-300) lot of bare LCD Screens (no driver/controller boards). About half of them are 3.8" Sharp LQ038 screens. These were stored loose in a box and many are obviously broken. I would like to do something with these and I am at this point looking for a simple circuit so that I can test them, also possibly a way to turn them into digital photo frames. I am an Electrical Engineer, but it has been a while since I have done detailed component work like this and I have never worked with Color LCD displays before. Can someone direct me to where I can find some circuit designs that I may be able to use?
At 2 August 2011, 18:30:42 user Tom wrote: Just recently got back to my lcd project... The M signal is to drive the LCD voltages: the col/seg drivers use it to alternate the voltage applied to the cells, otherwise the lifespan is shortened. The pic simply alternates M from high to low every frame.
My lcd is only 160x80, and I've generated a test image with a pic18f2455... I'm only running at 20MHz right now but the refresh rate is good because it's a much smaller screen. Thanks again!!
At 12 April 2011, 21:00:08 user jparker wrote: You are very good at debugging (reverse engineering). I like your honesty when you talk about your projects/experiments. You also inspire me to explore some of my broken devices parts. Hang on to the curiosity you have and it will be kind to you in the future I'm sure. Thx for the website.....
My first monochrome LCD, like yours, didn't have a smart controller, I put the LC7981 controller on it and it worked. My second monochrome LCD was this:
I had to do a change there. It's been a long time and I don't remember but here is bottom line: The SED1335 supports a 16 bit address bus and the memory on this LCD is only 8 kBytes. I found a 32 kBytes RAM with the same layout as the 8 kBytes. The difference was that the 8 kBytes RAM had two NC lines in the place of the two extra address lines on the 32 kBytes RAM. So, I replaced the RAM, hardwired the NC pins to the correct SED1335 pins and it worked perfectly :)
At 27 March 2011, 21:10:58 user Tom wrote: Nice work! You gave me the idea to work on my own 160x80 lcd which has the same common and segment driver. Two questions if you don't mind...
2. what is the M pin (pin 94 on the 79430 and pin 86 on the 79401) on your lcd connected to? I have a pin on my connector that goes to M on the drivers and I'm not sure what to do with it... the specs say M is an input - "LCD drive output alternating current (AC) signal"
You can have a 32MHz INTOSC (8MHz with 4x PLL; see section 5.2.2.6 of the 16F1934 data sheet). You can also use the MSSP to fetch bytes from the external memory for you at one bit per CPU cycle while sending the previous byte to the LCD, or get display data from internal program memory or even RAM instead.
Of more interest is that with small changes you can store tiles in program memory for easy character display. It is slightly slower, but can (barely) achieve 50Hz screen refresh with a fully tile-based screen layout. For example, code to choose among 64 tiles, 16x16 pixels in size (2kword program memory), might look like:


I've got a custom segment style LCD that I need to have made by another vendor and do not have the original documentation for. I have already done some initial RE and know the bias type (1/4 multiplexed) and have a partial pinout for the 4 common pins. What I need next is the segment pin map (schematic) so that I can finish the drawings needed to have the display made.
Another thought was to de-laminate the two glass sections to see if I could generate the schematic that way. I only have one display and don't want to ruin my chance of mapping this one.
The display is driven by a PIC with a built-in LCD controller. I don't have the source code for the PIC so can't go about it that way. The product that uses this display has been in production for years and there is no chance of altering the LCD's pinout at this point or changing the firmware.
But all components have a service life, and a manufacturing lifetime. And when your part goes out of production and then your spares-bin runs dry, sometimes keeping your machine running requires some deeper problem solving. When you work in the public-facing technology sphere (theatre, museum work, retail displays, etc), a lot of the solutions are literally one-of-a-kind, even if they're constructed from commercial parts.
The Lascar EM32-4-LED is a four-digit seven-segment panel mount LED display meant for general-purpose data display. Its small digit size (.39" tall), machined aluminum housing, small footprint (32.5mm diameter punchout) and NEMA 4X/IP67 rating made it a compact choice for anyone needing to display a single value with 4 digits of precision. It also had the ability to drive four external LEDs, for additional status or process indicators.
A piece of equipment I've been working on recently had just such a LASCAR display installed a few years back to serve as a timer. I'm going to have to be a little vague about the specifics of the equipment itself, but since this post is focused on technical process and not the piece itself, I think I can safely share enough details for the following to make sense:
The piece is an interactive object that triggers some actions and servos, demonstrates a physical phenomenon, and then takes about 25 seconds to cool back down before it can be used again. The user is presented with a green illuminated button to activate the system - when the system is active or cooling down, the illuminated button turns red. But because it's not entirely clear from the action of the device alone when it will be cool enough for use, a countdown timer (two digits) is displayed on the EM32 display, counting the number of seconds until we're good to run again.
Sadly, this particular EM32 display died shortly after LASCAR decided the product hit its End of Life. What's more, I'm currently without the ability to modify the programming of the PLC that's driving the whole shebang. In order to maintain the functionality of the piece, it became necessary to build a device that would ingest the existing signals being sent by the PLC, interpret them, and drive a newly crafted 7-segment display of some kind.
In our case, the EM32-4 is unique enough that there are no major variants. The paragraph mostly tells us what we already know - it's a 4-digit, 3 decimal point display in a metal bezel. But it does call out the "optional external LEDs." While it's unclear at this point exactly what this means, it's useful to make note of these surprises early on, as they'll often explain a what-the-heck-is-that moment late in the datasheet.
In our case, there's only 6 lines, but 6 important lines they are. We learn that this is a 5V part, but can run at up to 9V so we can't assume we'll have 5V power available. Nominal power usage is ~20mA, so the power available on existing supply lines may be limited. The operating and storage temperature ranges are typical. VLED is a bit confusing - does this refer to the display itself, in which case we have no real purpose for this voltage? Or perhaps it refers to the voltage available for the external LEDs.
Finally, there's a Reset pin for soft-resetting the data displayed - this would be useful if the end product was configured so the display retained power when the controller turned off - the controller could simply reset the display (or many displays in parallel) to ensure that no data was present for a fresh start.
One of the starting places for replacing this display was the possibility that there might be some driver circuitry driving a generic 7-segment display. If the display itself was still good, perhaps we can simply replace the driver and have a visually identical display. Those hopes were dashed, however, when I opened up the EM32-4 LED to find...
An OEM 4-LED - the power behind the throne - it's the same product, right down to the block diagram, but in a DIP-style package. The EM32-4, it turns out, is the OEM-4 with a nice aluminum case and terminal blocks. And the back of the OEM-4 is epoxy-blobbed together, so even if we were to break into the thing, there's a good chance everything is wirebonded all the way to nowhere and back. Reusing the display on this thing is a non-starter.
We can now see in much more detail that, yes indeed, the display is based around an internal shift register architecture, with bits being clocked in and held in the device. We can see that there's a start bit ("1") and the 35 data bits we saw in the EM32's datasheet, so we'll need to clock 36 physical bits into the device, whereupon it will automatically load the data (presumably into the data latches and output buffer). Then in 30 ns it will automatically reset and be ready. The clock timing, which is listed as 500 kHz nominal, can in theory be pushed to 2 MHz if the 500 ns cycle time (250 ns + 250 ns) can be believed. (Not that we're hoping it's that high). We can also get some detail about the external reset signals and the data input timing.
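The framing described above (one start bit followed by 35 data bits, 36 clocks per frame) can be modelled in software to recover frames from a logic-analyzer capture of the clock and data lines. This is an added example, not the author's code; the rising-edge sampling, the low idle level and all function names are assumptions, and no bit-to-segment mapping is implied.

```python
# Added example: software model of the 36-clock framing described in the text.
# Assumptions (not from the datasheet): DATA is sampled on the rising CLOCK
# edge, and DATA idles low between frames.

DATA_BITS = 35                 # data bits per frame (from the text)
FRAME_CLOCKS = 1 + DATA_BITS   # start bit + data bits = 36 clocks (from the text)


def rising_edge_bits(samples):
    """Yield the DATA level seen at every rising CLOCK edge.

    samples: iterable of (clock, data) logic levels, 0 or 1, taken at a
    sample rate well above the clock frequency.
    """
    prev_clk = None
    for clk, data in samples:
        if prev_clk == 0 and clk == 1:
            yield data
        prev_clk = clk


def decode_frames(samples):
    """Return (frames, leftover).

    frames   : list of 35-bit tuples in the order they were clocked in
    leftover : data bits of a frame still incomplete when the capture ended
    """
    frames, current, in_frame = [], [], False
    for bit in rising_edge_bits(samples):
        if not in_frame:
            # Zeros clocked in before the start bit are ignored.
            if bit == 1:
                in_frame, current = True, []
            continue
        current.append(bit)
        if len(current) == DATA_BITS:
            # 36th clock: the device loads the data and resets itself,
            # so the model goes back to waiting for a start bit.
            frames.append(tuple(current))
            in_frame = False
    return frames, (tuple(current) if in_frame else ())


def encode_frame(bits, idle_clocks=0):
    """Build (clock, data) samples for one frame: start bit, then 35 bits."""
    if len(bits) != DATA_BITS or any(b not in (0, 1) for b in bits):
        raise ValueError("a frame carries exactly 35 bits, each 0 or 1")
    stream = [0] * idle_clocks + [1] + list(bits)
    samples = []
    for bit in stream:
        samples.append((0, bit))   # data set up while the clock is low
        samples.append((1, bit))   # rising edge clocks the bit in
    return samples


def demo():
    """Constructed capture: two full frames and one cut off after 10 clocks."""
    frame_a = tuple(1 if i % 3 == 0 else 0 for i in range(DATA_BITS))
    frame_b = (0,) * DATA_BITS     # an all-zero frame must still be counted
    frame_c = (1,) * DATA_BITS
    capture = (encode_frame(frame_a, idle_clocks=3)
               + encode_frame(frame_b)
               + encode_frame(frame_c)[:2 * 10])
    return frame_a, frame_b, decode_frames(capture)


if __name__ == "__main__":
    a, b, (frames, leftover) = demo()
    print(len(frames), "complete frames,", len(leftover), "leftover bits")
```

Because frames are delimited by counting clocks rather than by watching data levels, an all-zero payload decodes correctly, and a capture that ends mid-frame is reported instead of being silently padded.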
Remember, all this sleuthing is with a goal - not of driving an EM32, but of creating a display controller which takes the place of an EM32 in a specific installation. Any details we can deduce from the datasheets will help us narrow down where we begin with our investigation of the controller itself.
At first blush the circuit diagram appears to tell us what we already know - there's a shift-register LED driver inside this thing that's taking clocked data in and driving LEDs on the downstream side. But there are actually two key things to note here - while I had assumed the VLED pin was only for the external LEDs, it's actually the anode connection for all the segments of the display! This means that connecting it isn't optional for driving external LEDs, it's mandatory if we want the OEM-4 to work. Looking back at the block diagram from the EM32, we can understand the purpose of the built-in regulator shown there.
Now we don't have to try to deduce the bit-order from what we think the data stream is displaying, we can build that data into our programming from the beginning. Thank goodness, since I'd never actually seen this display in action before I undertook the task to replace it!
In the next post, we'll start probing the signals coming from the controller, building a version of the display in software, and testing some theories about how the display operates.

Does anyone have any ideas or interest in the project? If you’d like to help reverse engineer one of these and have the tools/knowledge to do so but lack the Micro Arcade to work on let me know! If you have one but don’t want to risk damaging it but can help out, let me know!

Welcome to what will probably be the last in the series of articles in which I reverse engineer one of the Nokia QVGA cellphone displays from the pre-smartphone era. I think that by now I’ve covered every possible aspect of these incredibly cost effective little displays and hopefully opened up new avenues for hobbyists needing a richer display experience than they can get with a simple character LCD.
If you’ve been following these articles then you’ll know that I’ve successfully reverse engineered the 2730, 6300, N82 and N95 8Gb displays. Each one is readily and cheaply available on ebay making them ideal for incorporation into your microcontroller projects. All of my reverse engineering efforts have been accompanied by free, open-source libraries for the Arduino and the STM32.
In this final article I will tackle the N93 2.4″ display, which at the time of writing is available for just a few pounds, dollars or euros on ebay. Let’s see how I get on.
The physical LCD is the same layout as all the previous Nokia LCDs that I’ve tackled. A short FPC cable runs from the LCD and is terminated by a board-to-board connector at the end.
The type of connector is usually a primary source of concern when reverse-engineering a cellphone LCD. Fortunately for me I discovered early on that the 24-pin 0.4mm pitch connector is made by a company called JST. The part number is 24R-JANK-GSAN-TF. Here’s the datasheet.
Determining the connector pinout was not difficult. A little googling quickly unearthed the cellphone repair manual and schematic. Once the LCD connector was located in the schematic it was a simple matter of matching up pins 1..24 with the physical device.
It’s become something of a tradition for me to prove the reverse engineering by designing a development board for the Arduino Mega and I’ll continue that tradition here.
Before producing the LCD development board I verified that the level conversion strategy would work by hacking up some wires to the leads of the IC and verifying that an input level of 5V would be correctly converted down to 3.3V.
The schematic image shows the display connector, level converter, backlight circuit and Arduino connector all linked together. I decided to add a small amount of capacitance to the active-low RESET line to enhance its stability. I’ve never seen any unexpected resets in any of my boards but I note that all the official Nokia schematics add capacitance here so I’ve followed suit this time.
The most critical part of this layout is the positioning of the LCD connector. It has to be accurately placed so that the LCD, when connected, wraps around the board and sits perfectly on the other side mounted on double-sided sticky pads to lift it clear of the board traces. In the above image pin 1 of the LCD connector is down the bottom right.
Only now, several weeks after starting do I get to see if the whole thing works. I’m hopeful though, given the success of the previous reverse-engineering efforts.
I quickly determined that the LCD controller is much the same as the 2730, 6300 and N82 with only minor differences around the commands that control the orientation. We don’t really know the official identity of this controller but it’s close enough to the MagnaChip MC2PA8201 that we can work from its datasheet with a high degree of confidence.
Here’s a short demo video on YouTube that shows the LCD board in action. Click on the ‘YouTube’ logo at the bottom right to watch it in a larger format at the YouTube site.
I’ve constructed the remaining PCBs that I have and am selling them on a first come first served basis. The price including delivery is £16.90 for UK and £18.49 for anywhere else in the world. They come with the LCD fitted and are ready to plug in and play. The LCD is one of the high quality ‘original Nokia’ models described in the above article.

As I could not find any information from the vendor regarding how the LCD screen of my scooter communicates with the speed controllers, and because I was curious and interested in knowing how feasible it would be to in the future integrate this LCD with a different speed controller, I decided to do this analysis on my own.
The first step was to remove and open the LCD display. While it is not the same and has no model identification on it other than the reference JPY803B on the PCB (the only thing that I know is that it belongs to the Jipin manufacturer, sometimes also labelled as J&P or JP), it is externally very similar to the QS-S4 display. Internally the board is different and the micro-controller chip has a different identification on it.
It is a pretty versatile device, as it is adjustable and tolerates a maximum of 100 Volts of input voltage. Even though this LCD unit is normally powered from the 67.2 Volts battery supply, I was able to run it successfully at 12 Volts. Considering the specs on the electrolytic capacitors at the input, it is likely that this LCD display can be powered from a 72 Volts battery without much of a problem.
The second aspect I only spotted after cleaning the board with isopropyl alcohol and figuring out with a magnifier that I had accidentally removed a bodge solder bridge that seems to have been done because of poor PCB etching (which left a trace open). Upon testing the device without putting the bridge back in place, a few segments in one of the digits would not appear on the LCD.
While testing the LCD outside of the scooter, I measured the sensor signal varying between 0.7 and 3.8 Volts as I pressed between 0 and full throttle. The measured low value is slightly more conservative than the value reported by the manufacturer, but the conditions (i.e. strength of the magnet and proximity to the sensor) might contribute to the differences.
Now that I knew the pin assignments, my next objective was to figure out something more about the serial communication. As such I first connected this LCD display to a 12 Volt power supply, and tapped into the TX pin of its serial port (blue wire) with an oscilloscope. I could see that as the device is turned on, it continuously tries to send messages:
Because another user had success with the similar QS-S4 LCD display (more details here), by inspecting the transmission occurring at 1200 bps, I decided to start with the same bit rate (although I could have inferred it from analysing the signal captured on the oscilloscope, I was lazy and tried that first). And, surprisingly the received frames seemed consistent in format with the messages that this user obtained with his QS-S4.
The only varying bytes (and here the display was not connected to the scooter) were byte 2, which appears to be the sequence number of the frame, and byte 5, which contains values that vary in a seemingly random pattern. Byte 7 (value 0x46) and byte 10 (value 0x02) don't vary and are consistent (could be a coincidence) with the P08 parameter (0x46 = 70%) and the current speed setting at the time.
In a next iteration I will be tapping the communications while the LCD display is connected to the speed controllers, and try to figure out more information about the communications protocol and the meaning of the fields in each frame.
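The byte-by-byte comparison of captured frames described above can be automated so that constant fields, counters and noisy fields stand out as more captures are collected. This is an added example, not code from the original post: the frames are constructed for illustration (only the values 0x46 and 0x02 and the byte roles come from the text), the 12-byte frame length is invented, and the byte numbers are assumed to be zero-based offsets.

```python
# Added example: column-wise comparison of captured serial frames.
# The sample frames are constructed, not real captures. Assumption: the byte
# numbers in the text are zero-based offsets; the 12-byte length is made up.


def classify_columns(frames):
    """Classify every byte offset across a list of equal-length frames.

    Returns (report, rejected):
      report   : {offset: (kind, detail)} with kind one of
                 'constant' (detail = the value),
                 'counter'  (detail = first value; +1 per frame, mod 256),
                 'varying'  (detail = sorted distinct values)
      rejected : frames whose length differs from the most common length,
                 e.g. truncated by line noise or a bad frame boundary
    """
    if not frames:
        return {}, []
    lengths = [len(f) for f in frames]
    size = max(set(lengths), key=lengths.count)
    good = [f for f in frames if len(f) == size]
    rejected = [f for f in frames if len(f) != size]

    report = {}
    for offset in range(size):
        column = [f[offset] for f in good]
        if len(set(column)) == 1:
            report[offset] = ("constant", column[0])
        elif all((b - a) % 256 == 1 for a, b in zip(column, column[1:])):
            # Handles wrap-around from 0xFF back to 0x00.
            report[offset] = ("counter", column[0])
        else:
            report[offset] = ("varying", sorted(set(column)))
    return report, rejected


def build_sample_frames():
    """Constructed frames mimicking the behaviour described in the text."""
    noise = [0x3A, 0xC1, 0x07, 0x9E, 0x55, 0xE2]   # arbitrary values
    frames = []
    for i, n in enumerate(noise):
        f = bytearray(12)              # unknown fields left as 0x00
        f[2] = (0xFD + i) % 256        # sequence number, wraps past 0xFF
        f[5] = n                       # seemingly random byte
        f[7] = 0x46                    # fixed value reported in the text
        f[10] = 0x02                   # fixed value reported in the text
        frames.append(bytes(f))
    frames.insert(3, bytes(3))         # a truncated frame, to be rejected
    return frames


def interesting_offsets(report):
    """Offsets worth a closer look: everything that is not constant zero."""
    return {o: r for o, r in report.items() if r != ("constant", 0)}


if __name__ == "__main__":
    rep, bad = classify_columns(build_sample_frames())
    for off, (kind, detail) in sorted(interesting_offsets(rep).items()):
        print(f"byte {off:2d}: {kind:8s} {detail}")
    print("rejected frames:", len(bad))
```

Re-running the same classification on captures taken with the display connected to the speed controllers would show which of the currently constant offsets start to move.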
The person who bought the pricetags wanted to use them in a project, but didn’t find any documentation on how to communicate with them to display things on the screen. They donated three to Zeus with the challenge to get communication working and to draw something on the screen. This is the perfect number of devices according to bunnie’s book ‘The Hardware Hacker’: “The biggest barrier to hacking is often the fear that you’ll break something while poking around. But you have to break eggs to make an omelet; likewise, you have to be willing to sacrifice devices to hack a system. Fortunately, acquiring multiple copies of a mass-produced piece of hardware is easy. I often do a bit of dumpster diving or check classified advertisements to get sample units for research purposes. I generally try to start with three copies: one to tear apart and never put back together, one to probe, and one to keep relatively pristine.”
At the time of writing this blog post, 30.19% of the 32K flash memory of the e-ink tag has been read out. This memory was then loaded into Ghidra (a reverse engineering framework), where we confirmed that the dumped code is valid and sensible 8051 code. A next blog post will (hopefully) contain details about the reverse engineered protocol and how to talk with the e-ink tags. All exploit code is available in this repository.

Reverse engineering is a process where a product, structure, or mechanism is disassembled or deconstructed to gather information about how the design works. As the name suggests, the design process is the opposite of a typical product engineering process. Instead of assembling a product or design part by part, with reverse engineering services, it is disassembled in a backward sequence. Some companies use reverse engineering to improve their products, reduce production costs, or make legacy replacement parts. Other firms may use reverse engineering to understand how competitors build their designs and launch competing products.
In the United States, a reverse engineer charges anywhere from $50 to $145 per hour. Engineers very rarely charge on a per-project basis because there is a probability of discovering “unknowns” during the process, especially when the objective is to determine faulty parts in an existing product. Since it is difficult to determine if the job will be easy or difficult, reverse engineers tend to charge toward the higher end of the range. The cost of reverse engineering is affected by various factors, such as location, desired output, and timeframe.
Most design engineering firms suggest that the client ship the product to their facility. The engineers will outline requirements when the project requires on-site inspections. In this instance, the client will compensate for travel costs. An in-house project completed in the firm’s facility can run from a few hundred dollars for a simple product to thousands of dollars for complex machinery with electrical and mechanical parts.
Product complexity increases the difficulty level, and so does the desired output. If a client wants a detailed report of each component in a complex product, the price can go up considerably from the introductory rate. The typical time frame for reverse engineering work on a simple product is around two weeks. An expedited project takes about one week from delivery and will add up to 30 percent of the standard pricing.
The most critical requirement for reverse engineering a product is obtaining a physical sample. Engineers will need tools and equipment to take the product apart and do the examination. The process of reverse engineering always involves disassembly. Once the outer shell of the product is removed, the internal mechanisms, including electronic components and mechanical parts, can be closely inspected. All product parts and components are documented in detail, including information about dimension, color, assembly sequence, function, specification, manufacturers, and price. Such a method allows engineers to figure out the blueprint of a product.
When a mere fraction of a millimeter is considered consequential on the assembly or overall product function, 3D scanning technology comes in handy. A single component is scanned multiple times, each from a different angle, to provide a view from every possible direction. The scanner collects the component’s geometric data to redraw a realistic 3D model. Some 3D scanners used for reverse engineering purposes include CMM (coordinate measuring machines) and structured light digitizers. Industrial CT scanners, the same technology employed in medical imaging, can also be used.
CT scanners use X-ray equipment to display the scanned object’s internal and external 3D representations. The automatically reconstructed 3D asset may not be perfect, but the most important thing is that all the essential geometric data are successfully collected and compiled. An experienced AutoCAD drafting and design specialist can further refine the image in CAD software by removing visual imperfections. Refinements should not be a problem if they don’t alter component specifications. Scanning, taking measurements, and final retouching are repeated as many times as necessary to cover all the components used in the product.
The same process applies when the project involves a PCB for reverse engineering. The electronic prototype and design expert will examine, identify, and uninstall various circuit board components. A typical board contains resistors, capacitors, transistors, inductors, transformers, sensors, diodes, and sometimes LEDs. Each component has a unique specification, which determines features and affects performance. Before deconstruction starts, engineers take close-up pictures of both sides of the board to document the layout and composition.
For reverse engineering, it is necessary to take note of the board’s technical details, including but not limited to the materials, trace patterns, wire/lead insulation gap, trace width, and safety certifications. PCB can be recreated as a digital (simulated) file to test the performance and capacity without building a physical board. Most designs can be modified in a simulated environment to test different components and usage scenarios.
Product concept designers or manufacturers utilize reverse engineering to gain in-depth knowledge about how something works. If done correctly, the information gathered during the operation helps create a digital copy of every part, mechanism, and assembly process. It is like having a blueprint of a product. Some of the most common purposes or benefits of reverse engineering are as follows:
Reverse engineering is most commonly associated with failure analysis. If or when a product fails, the easiest and most comprehensive way to determine the issue is by taking it apart. Once the parts are disassembled and examined, it becomes easier to determine where the problem is, how it happens, and why the issue arises. To repair a faulty product, you must know what’s wrong with the design in the first place.
When reverse engineering is done using CAD software, it is possible to test product performance through a simulation program. A simulation analyzes how a product performs under various conditions, such as extreme heat or cold, careless handling, exposure to water, or normal usage. Performance reports based on simulated runs help inform how to fix the underlying problem.
The problem is that the manufacturer no longer produces the component; it has been discontinued, so a custom-made job is in order. Custom manufacturing is not complex when performed by the right professionals with the right equipment, assuming you know which part is faulty. Otherwise, the machine has to be taken apart to determine the issue and pinpoint the culprit. In short, you need reverse engineering.
The reverse engineering cost can be more expensive than purchasing a whole new machine, depending on the machine’s size and complexity. The real value of the undertaking is the documentation. Once reverse-engineered, the factory can use the information indefinitely and build replacements for other components as often as necessary. In this situation, it is best to work with a reverse engineering company that can custom-build mechanical components.
Reverse engineering for design improvement does not merely aim to create better components or find product faults. The same process is employed to simplify the assembly process, reduce any excess by removing unnecessary parts, and ultimately reduce manufacturing costs without sacrificing usability and features. This is where DFM services come in very handy.
On a much larger scale, reverse engineering helps determine whether an entire system comprised of multiple independent machines—such as in an industrial process—is working at its best. The flow of a manufacturing operation in a factory depends on how well each machine runs. When equipment underperforms, efficiency will suffer, and an excessive load is placed on the interconnected system.
Large-scale reverse engineering treats and examines the system as a single unit. It is much more complex, time-consuming, and costly than machine disassembly, but the virtual copy can help a company prevent unexpected loss or extensive damage due to one weak link in the chain.