Usually I have a blog post about building/breaking something with the intention of actually building or breaking it. This one however is not like the others.
It started about 2 years ago, I got a POV fan from the Lockheed Martin booth at Blackhat, it looked as follows:
This is how I destroyed that fan. I made a lot of dumb mistakes and learnt a couple of things too.
I figured, since I’d like to play more with hardware this fan is a good starting point, I have no idea whats running on the inside, so id get to really black box this.
The first thing I saw online was a number of people who did similar projects, such as https://zjembedded.blogspot.co.za/2011/08/hacking-led-pov-fan.html which also included a github repo for it with an arduino sketch!
Most of the blogs online seemed to include a fairly similar approach:
1. Dump the EEPROM (because you dont want to lose it — RIGHT?)
2. Use the standard way most of these fans work to debug it works that way
3. Write EEPROM
4. Enjoy
I figured this would be a fairly easy walk in the park. Next I opened up my POV fan to take a look inside:
Okay so my fan was a little different, it had a much bigger EEPROM and a weird Hirose MQ172X connector. I first figured out which the EEPROM was, it was marked, downloaded the datasheet and had a look. It seemed a fairly generic knockoff of so I was pleased id be able to use some normal libraries.
First thing I figured I’d need to do is speak to it (its where the data is right!), so I got the antenna cable from my proxmark (also the Hirose) and soldered up a usb connector with some wires on the other side I could feed into my arduino, using the A4/5 pins as well as GND/5v ( I guessed 5v since the fan is powered by 3x AA batteries — this was probably one of the many mistakes made!).
First thing I wanted to make sure my pins were correct. So I used the i2cdetect script I found at github ( https://github.com/hotchpotch/Arduino-i2cdetect ) this basically just tells you if the i2c is wired up correct, the output looks as follows:
(4 addresses for 4x 1K ‘pages’)
So from here I was like, well shucks guys, we are practically there. Next step, reading the EEPROM. This was probably the first of the catastrophic failboats I did. I first downloaded some really rough I2C EEPROM code to read and write to an EEPROM. Naturally I tested sweet nothing of it, uploaded it to an arduino nano wired into the fan and ran the code. The code outputted that the EEPROM contained either FE or FF for every byte of the 4K memory.
It Was At This Moment He Knew…. He Fucked Up
Naturally deciding to actually read the code that I had just uploaded I noticed that it first FUCKING WROTE to the EEPROM. AYYYOOO. Great, I had just trashed the data. Turning on the fan ended up with nothing happening which I figured, yup, could have called that. Naturally here I probably should have stopped, tried to extract most of the EEPROM since it didn’t write to all of it and then try figure out which parts broke. Naturally I didn’t do that, the very next exercise I did was to overwrite ALL the space.
Not to fear, there were all those other people that had written code to write to the fan to get it to display funny text and so on, I can just use their code.. right? Unfortunately while most fans run a particular structure this one does not. To test however I used the arduino program stolen from the above links and this was the result:
Clearly that failed fairly spectacularly. At this stage the fan still works, I can clearly write to the EEPROM but there is no way to know what format/structure the 4K of data could have looked like.
Finally having grasped some of the intricacies of how everything fits together I decided to write some code to unfuck the fan. Firstly having to upload code to change the EEPROM values was a painful process, instead I wrote something that would simply allow me to input the values I wanted via Serial and also if just a single value was presented show me the EEPROM memory. I ended up using this awesome library called extEEPROM ( https://github.com/PaoloP74/extEEPROM ). I figured this code is probably useful for someone playing with EEPROMs:
So now I could read/write easily to the EEPROM I decided to start debugging. First I tried uploading ONLY 0xFF’s to see if it would be always on, nadda, fan just spun. Next I tried 0x55’s, then I tried 0x00’s and a few other combonations, I was getting nowhere with this :( I even tried just trying to use the first part of the code that produced the deranged text without any luck!
The slowest part of testing was that if I was wired into the hirose connector the fan wouldnt turn and for some reason the LEDs didn’t illuminate either — strange, but im fairly delusional that I figured it was some check in the micro to say if the connector was in place don’t do anything! The testing process was thus, connect to serial, send new EEPROM values, unplug and turn on. fml.
Okay so it had been about 2 weeks and I wanted to rather gargle glass than look at this stupid fan again. But alas, I couldn’t let it go. I started asking around and I found a few tips that suggested that I buy a bus pirate and try and sniff the EEPROM. Bingo! This sounds awesome, at least I could get the first addresses it was looking for and I could work with that.
Naturally now the fan was in a lot of different pieces:
Wiring up the bus pirate I was sure this would work out the bag, but there was a slight problem is that for some reason if the motor didnt turn, the micro didnt seem to run the program. UGH! So next I got a slip ring so I could wire up to the EEPROM and have the fan spinning so I could read the values. This was gonna be awesome. So I went about wiring up directly to the EEPROM:
(look my soldering isn’t great, but I didnt have a decent magnifying glass okay, lets say thats a valid reason)
Pity it turns out that the fan is so weak it wont even spin with the slip ring >_< I figured okay I might burn out the DC motor, but at least the rest of the board will work. What do I get on the bus pirate sniffer? As per the rest of my ‘research’ absolutely f-all.
Further testing to make sure it was working I kept the wiring in place and wrote to the EEPROM via the arduino and I could clearly see the data flowing within the bus pirate interface. SO WTF IS GOING ON NOW? Okay so I figure the micro isnt getting power or there is something else i’m missing, so I then go and try manually power the micro with a careful selection of tape and jumper cables:
Micro is giving me nothing ( but I havent tried all the pins — pulling them down), I have no readings on the buspirate, I consider this micro dead. FML. After all this the fan has just died. I consider that maybe the voltage tolerance was very low and 5v was too high for the poor devices, it seems unlikely, but I’m out of ideas!
At this stage, actually starting to just pack everything away and put together the morsel of knowledge I had, I figured i’d blown the micro, however I put the fan back and it turned on again. What the actual fuck. So I take off the plastic lid on the top, turn it on again, no joy. Put the plastic lid (I mean there is nothing in this lid) back on and the fan works again!
After looking a bit closer at the fan it appears that when the lid is on it pushes the whole ‘spinning bit’ onto a spring and there appears to be a track at the bottom of the PCB. Either this is powering the fan or it needs it to turn on and off at certain moments, I have no idea.
I’m officially putting this project back in the box until I have enough mental stamina to look at it again! If anyone has any knowledge of what the EEPROM for *this* particular fan should look like, PLEASE let me know.
-AM