r/hardwarehacking

My girlfriend (f32) swiped my (m34) phone and her sister admitted to hacking it . What are my next steps for this evasion of privacy?

Ya so pretty much what the title says. I think it’s bullshit how she swiped my phone and her sister blatantly admitted she has hacked it. Also my girlfriend Samsung cloud is hooked up to a different number then the one I call her at and when I try to log into her Samsung account she can’t verify with text message because it doesn’t got her number but she says it is her brothers cell number. I also found out she is using a secondary digital SIM card that’s connected to her phone .

reddit.com
u/Delicious-Bridge-824 — 4 hours ago
▲ 6 r/hardwarehacking+2 crossposts

help fix GeoSLAM ZEB Horizon RT

Hi everyone,

I’m a computer engineering student, and I was assigned to try to diagnose and possibly repair a GeoSLAM ZEB Horizon RT system because we currently do not have the budget to ship it to Germany for FARO service/repair.

I’m looking for advice from anyone familiar with GeoSLAM/ZEB systems, LiDAR scanners, embedded Linux dataloggers, or rugged field-mapping hardware.

Device

  • System: GeoSLAM ZEB Horizon RT
  • Datalogger model: GS-610334
  • Scan head model: GS-610090

Background

The history is not fully clear, but I was told that the unit may have been interrupted during a firmware update. However, before the attempted update, the system was already randomly shutting down, which is why the update was attempted in the first place.

Earlier, the scan head reportedly used to light up briefly for a few seconds and then turn off. Now the scan head does not light up at all.

Current symptoms

  • The datalogger powers on.
  • The datalogger status LED flashes blue indefinitely.
  • It never changes to orange or any other state.
  • The CPU fan never turns on.
  • Ethernet repeatedly connects/disconnects when connected to a computer.
  • The scan head receives some power — I can hear faint internal/electrical/mechanical noise — but:
    • the scan head LED strip never lights,
    • the head never rotates,
    • the scan head never initializes.
  • When connected to a monitor via DisplayPort, the datalogger starts booting Linux, shows boot logs, then appears to reboot. I keep seeing the motherboard/BIOS screen repeatedly.
  • The boot log shows Linux starting services, but the system does not remain stable long enough to finish normal startup.

What I found internally

The datalogger is basically an embedded x86 PC:

  • Intel-based embedded board
  • DDR3 RAM
  • Transcend M.2 SATA SSD, 128 GB
  • DisplayPort/HDMI output
  • USB ports
  • Ethernet
  • Internal IFB/interface board connected to the scanner/control system

FARO support said the issue could be either the SSD or the IFB board, and that normally the full system should be returned for service and calibration. Unfortunately, shipping + repair cost may be too high for us.

What I already tried

  • Tested with a charged PAG battery.
  • Connected the scan head normally.
  • Connected the datalogger to monitor via DisplayPort.
  • Confirmed it reaches Linux boot messages.
  • Tried reading the M.2 SATA SSD using a USB enclosure, but neither Mac nor PC detected it. I am not fully sure whether the enclosure supports M.2 SATA correctly or only NVMe/SATA combo claims.
  • I have not installed a fresh OS or overwritten the SSD.

My questions

  1. Does this sound more like:
    • corrupted SSD / OS,
    • failed M.2 SATA SSD,
    • IFB/interface board fault,
    • power rail issue,
    • watchdog reboot,
    • or scan head fault?
  2. Since the datalogger reaches Linux boot logs, is it realistic to repair this by cloning/replacing/reimaging the SSD, or is the GeoSLAM software/configuration too proprietary?
  3. Would installing a fresh Linux be pointless because the GeoSLAM services, drivers, calibration files, and IFB board software are proprietary?
  4. How would you diagnose whether the reboot is caused by:
    • watchdog,
    • missing/faulty IFB board,
    • overheating/fan issue,
    • bad SSD,
    • or power instability?
  5. Should I focus first on:
    • getting a proper M.2 SATA adapter and cloning the SSD,
    • checking boot logs,
    • replacing the fan,
    • checking power rails with a multimeter,
    • or testing the IFB board?

I’ll attach screenshots/video of the boot process and the startup behavior.

I know this is a niche device, but it seems like a very interesting embedded Linux + LiDAR hardware recovery project. If anyone has experience with GeoSLAM, FARO, mobile mapping systems, embedded Linux watchdogs, or scanner dataloggers, I’d really appreciate your guidance.

u/XXCypress — 1 day ago
▲ 66 r/hardwarehacking+1 crossposts

Jimmy - The 2011 FrankenBook

Hey MacGyvers,

I present to you Jimmy the Frankenbook, my trusty MacBook Pro 8,1 (2011) running Debian Linux.

Recently, the internal speakers suffered from terminal foam rot—completely disintegrated around the edges, leaving me with nothing but ear-piercing high-pitched squeaks. Instead of ordering cheap, tinny OEM replacements, I decided to go full Cyberpunk and repurpose a cheap portable speaker I had lying around.

The Mod Breakdown:

  1. The Battery Bypass (Continuous Power): I tore down the cheap speaker, ripped out the internal Lithium battery, and wired a USB power cable directly to the battery terminals on the board. Now it draws constant 5V power from the laptop. No more "battery low" warning beeps mid-movie, and zero risk of battery bloat.

  2. The 3M Spacer: I mounted a Ugreen USB hub to the lid using 2mm thick heavy-duty 3M adhesive pads. The 2mm clearance is the magic touch—it lifts the hub just enough so I can plug in thick USB drives without them hitting the aluminum screen lid.

  3. Quick Release Magnetic Mount: The speaker is held in place by a folding magnetic arm glued to the lid. When it's movie/music time, I just snap the speaker on. When I need to pack Jimmy into my bag, I pop the speaker off, fold the arm flat, and it's perfectly portable.

  4. Flush Cable Styling: Used a 90-degree USB adapter on the side of the chassis to keep the cable running flush and tidy. Cable managed everything with some velcro ties because even MacGyvers have standards.

It sounds 10x louder and punchier than the original Apple speakers ever did. Plus, Jimmy now looks like a field terminal from a sci-fi movie.

Rate my redneck engineering :D

u/Smurf_00_ — 2 days ago
▲ 16 r/hardwarehacking+1 crossposts

Ford BCEM JTAG help

​

I am trying to get to the JTAG of a Ford BECM, It is a C-Max BECM, but they are standard across the Fusion, Focus and other Ford vehicles.

I would like to see if I can get any additional information from JTAG that the CAN Bus is not giving me or get access to to read the firmware on the chip

It uses a mpc5534mvz80 chip, but there are no silk screen information points on the board at all. There is a 51 pin test area though.

What is the best way to start pining out the JTAG and is there a preferred probe.

Thank you,

Rick

u/rb0074 — 2 days ago

FDK/OOK Based layer-2 protocol reverse engineering

Lately I've been trying to recove the key fob protocol of my bmw 320d 2005 car till I discovered that the key fob operates on 868.35mhz with what is called Frequency Shift Keying to lock/unlock or trunk, everytime I capture something using the RTL sdr with gqrx on Kali I get different signals for pressing same button which indicates that this is not a trivial On Off Keying but some proprietary protocol is being implemented, from the amplitude to time plot I can clearly see the preamble alternating bits then a fixed and indow of bits across all button pressings which suggests some sort of an identifier.

Any one has experience on such project feel free to leave a comment.

Or if u know some sort of tip that helps me recover the binary representation of the msg being transmitted you are welcomed.

u/mahdi_sto — 3 days ago
▲ 5 r/hardwarehacking+1 crossposts

Need Help Decoding 2026 KuKirin G4 Bluetooth Packets (Beken BK-BLE-1.0)

Hi everyone,I am trying to build a custom HTML site using the Web Bluetooth API to connect to my 2026 KuKirin G4 e-scooter, which runs a BK-BLE-1.0 Bluetooth module (Firmware version 6.1.2).No official or third-party apps connect to this scooter model, but I successfully cracked the code to unlock the Bluetooth data stream. By continuously sending the passcode A5 00 00 00 00 00 00 A5 every 600ms to the write channel (0000fff1), the scooter stays connected and streams data back to me on the notification channel (0000fff2).While the scooter is sitting completely still at 0 km/h with a 100% full battery, it continuously alternates back and forth between two different 16-byte data packets.Here are the exact numbers that show up on my screen:Packet Type 1 (Starts with 25 26)25 26 82 17 DF 19 18 00 04 00 00 00 00 00 DB 0BPacket Type 2 (Starts with F2 B0)F2 B0 11 28 8C 14 00 8C 1A 55 11 04 1F 00 00 13What changes when testing:When sitting idle (0 km/h): The bytes change back and forth by themselves between these two packets, which causes values like battery and speed placeholders to jump around constantly.When accelerating: Byte 11 immediately switches from 00 to A9. Meanwhile, Byte 13 starts changing frantically, spiking all the way up to 90 or higher from a standstill, but then drops all the way back down to 00 even if I hold the throttle steady at speed.I do not know what these byte numbers mean, how they are formatted, or how the scooter calculates its actual speed and battery percentage from them.If anyone knows how to decode this specific Beken controller data format, please let me know!

reddit.com
u/Future_Register2954 — 3 days ago
▲ 9 r/hardwarehacking+3 crossposts

Looking for circular eink display approx 1.6 inch for smart watch

Hi everyone, I'm building a DIY smart watch and I want to use an epaper display, but the only one I've found so far is the 1.6in spectra 6 which looked perfect but does not support partial refresh which is a deal-breaker for the software I want to run. Any recommendations? I feel like the 1.1inch ones are too small for the vision I have in mind. If anything I'd be prepared to go slightly larger on the diameter. If anyone can help me find something I'd greatly appreciate it, I'm coming up empty at the moment. Thanks!

reddit.com
u/TheIronSpineOfficial — 3 days ago
▲ 4 r/hardwarehacking+1 crossposts

Stuck on legacy Cisco Codec Plus / Precision 60 upgrade – Need a hand finding a CE9 firmware package (halleyce9)

Hey everyone,

I’m trying to revive a legacy standalone setup with a Cisco Codec Plus and a Precision 60 camera. Right now, the camera won't update because the codec is pointing to a dead legacy server domain (management.join.vc) and throwing a Failed to connect / No route to host error.

I need to flash it locally over the web GUI to fix this, but I'm completely stuck trying to source the firmware package.

I’ve already exhausted the usual routes:

official cisco route - completely blocked - I don't have an active SmartNet contract, and Cisco's registration portal keeps throwing a "server error" and rejecting my personal email domain anyway

"index of" search - spent hours looking for halleyce9_15 or s53200ce9 PKG/COP files on open indices, but the mirrors I found are either dead or taken down

cloud/DevNet sandboxes are retired, so I can't spin up a quick Webex Control Hub trial org to let it auto-provision over the internet.

Does anyone happen to have a stable CE9 bundle (ideally halleyce9_15_3_26.pkg or the cmterm-synergy-ce9 COP file) sitting in their deployment archives that they could drop into a temporary Google Drive or Dropbox link?

Any pointers appreciated!

--- UPDATE ---

I forgot to mention that the whole reason I bought the codec is to get these cameras (got 3, couldn't help myself) to fully work standalone - full PTZ, exposure and other parameters control. Plan is to capture and reverse-engineer the codec-camera IP communication

--- UPDATE - Solved ---

When I initially set up the camera (wizard) provisioning was switched to some custom mode (codec tried to download the firmware from admin.vc or similar address). I did a lot of stuff at once, so I am not sure if provisioning config was enough:

>!Generally I've experimented with different provisioning configurations, and I think switching to webex integration (not webex edge/iot) has helped. I also created a free normal (not control hub) webex account and while clicking through found "devices" section in settings. It has an option to activate a device which generates the standard activation code. I did not have high hopes, but strangely the codec accepted the code happily! At some point codec upgrade started installing. Some time later the camera got silently upgraded to the same version (I didn't even notice at first because I expected CE camera firmware, but it has HC prefix with the following version number the same as codec software).!<

reddit.com
u/pink33n — 3 days ago
▲ 16 r/hardwarehacking+7 crossposts

[Tool] Crimson Cloak, iOS/iSH Security Wrapper with RealTime Dashboard

If you play around with running iSH on iPhone/iPad as a mobile red/blue team rig:

Crimson Cloak gives you a full HTTP + WebSocket dashboard inside iSH:
- Embedded dark-themed control panel
- Tool discovery & shortcut launching
- Clipboard sync, file events, network monitoring
- SSH reverse tunnel auto-connect to Kali/Pi backend

All sandboxed. No jailbreak required.

Repo: https://github.com/synchancybersecurity/Crimson-Cloak-ISH-wrapper-iOS-

Curious if anyone else is using iSH for mobile ops.

github.com
u/Fillmoslim — 3 days ago
▲ 5 r/hardwarehacking+1 crossposts

Confusion while reversing stm32f103 binary: weird vector table

I was curious about the content of an STM32F103RFT6 firmware binary. It uses CAN communication and it is being updated via CAN bootloader, thats how the firmware is being updated.

So I opened it in a hex editor and had a look. But that was not what I expected.

reverse engineering binary

Right in the beginning, there seems to be a 0x200 long header. The first four bytes are the size of the whole file, that was easy. Then four bytes containing the version, I guess, because I have another firmware which is a bit newer and they just differ by increasing 0x2c to 0x30.

Everying after that I don't understand right away, and the header after 0x050 is just zeros until it ends at 0x1FF.

At offset 0x200, the real firmware seems to start:

reverse engineering binary

At first glance, it looks as expected: First four bytes show the stack pointer address, and it's located in SRAM (starting 0x2000_0000).

But the following entries are supposed to be a vector table, and the addresses in there point to strings:

reverse engineering binary

I know that's thumb addressing, and all the LSB are set, but in the vicinity of these addresses there's just strings.

I don't understand that. And I don't know how to go on from here, if I don't know where the actual entry point is located.

For comparison, I opened an STM32 .elf for a project I wrote. In this .elf, the real code starts at offset 0x1000:

STM32.elf

Four bytes stack pointer, and then flash locations for the vector table. Going there and taking the file offset 0x1000 into account:

STM32.elf

I figured, fe e7 fe e7 must be pretty rare in the original firmware binary, so I searched for it:

reverse engineering binary

That does look pretty similar. But why is that, and where does this offset come from? And how should I continue?

reddit.com
u/PhreakSh0w — 5 days ago

is there any way to hack into this machine (for educational purposes)

so this is indifoss milkoscreen machine used for testing milk samples for dairy purposes. what could be done to manipulate the readings

u/Commercial-Lock-4725 — 5 days ago

How do service technicians identify individual Bluetooth headsets?

I'm curious about how manufacturers identify individual Bluetooth headsets and other consumer electronics during service or warranty inspections.

If two units of the same model look identical and don't have a visible serial number, how do service technicians distinguish one from another? Do they use an internal serial number, Bluetooth MAC address, firmware ID, or other unique hardware identifier? Can these identifiers be read using diagnostic software through the USB port?

I'd appreciate insights from electronics repair technicians or anyone with experience servicing these devices.

reddit.com
u/procrafty — 6 days ago
▲ 289 r/hardwarehacking+8 crossposts

Blast from the past! Can a 1980's era Bernoulli drive be used to store and play games from the Wii U? With only 90MB to work from on a non-USB drive, this will be the greatest challenge yet for the Wii U! Link to full video below!

u/napabar1989 — 8 days ago
▲ 174 r/hardwarehacking+2 crossposts

codelight — Claude Code status display

Custom firmware for the GeekMagic Ultra that turns it into a live Claude Code dashboard. A companion Python script on your computer polls usage and session state and pushes it to the device over WiFi.

https://github.com/henrikekblad/codelight

The code is "ready". But as the disclaimer on github says, I managed to rip the screen cable when doing the final tests.

u/mysensors — 9 days ago

Hacking a fancy water pump.

I have a nice 4815VDC water pump stripped from some industrial gear that has a three connector plug - +2415V, -NEG, and a small bi-directional control wire which allows the controller hardware to tell the pump how fast to run and the pump to tell the controller it's actual speed, voltage, and current draw.

Unfortunately, without the controller, the pump does not run.

The pump is a completely sealed unit that can only be opened destructively (although I have one I can hack up if needed) and the person I acquired it from who has access to the internal documentation server of the manufacturer can only find the internal part number and price. The only extra info I have is that the control wires for all the pumps in the system are separate, suggesting that it is not an addressable protocol.

So any guesses as to the protocol used, and a means of reverse engineering it to get the pump running?

Update:
Here is the schematic of the wiring to the pump in its current usage, showing there is an unused "PWM" pin in the plug that I assume will allow me to ignore whatever protocol is used in the existing installation.
https://i.imgur.com/dtqmX49.png

And here is the insides of the pump. The upper layer has some pretty fancy filtration.
https://i.imgur.com/i5P2vG4.jpeg

Rip that off and it exposes some pretty fancy innards. Looks to me like it's an in-built 3 phase VFD.
https://i.imgur.com/SXDVTYN.jpeg

u/Mick_Tee — 7 days ago
▲ 3 r/hardwarehacking+1 crossposts

Bsp d9 hardware hack

Is it possible to hack a bsp d9 and get its inputs via the data, clk and d+ and d-. There's also ice2 which cant access. When i connect to the clk line it gives me 1 n 0. Data line gives me 1 while ice2 doesnt work. Im using the xiao es32s3 sense. Im doing this because the if i manually solder the x,y,a,b,l1,l2, all 3 leds, joystick 3, ps and another button and a rumble motor. It would take up all the gpios. Im trying to see if thrs anyway i could reduce it. Thr was a 15 pin ribbon connector. I ripped it out cause i couldnt get the pinout

u/Lil_ripper_6 — 6 days ago
▲ 0 r/hardwarehacking+1 crossposts

8 cell hardware fault injection lab for $5K, W/architecture breakdown &amp; seeking feedback

!!CAGE LAB🧪🥼!!! hardware security testing framework, I guess I just wanted to share the architecture with people who understand both the offensive and defensive sides.

D.Z.D.E or Daedalus SubZD Engine lil break down:

8 independent cells, each running a Raspberry Pi 5 controller with auto detected I2C/SPI/UART/USB extensions.
Designed for Rowhammer, EMFI, laser fault injection, thermal manipulation, and voltage glitching all commodity hardware under $15K total.

The bs problem it solves imo:

Hardware security R&D usually dies at the whole "can we even talk to this chip?"
This auto detects extensions, provides per target calibration interfaces, and runs everything through a physical kill switch with CAGE/LIVE/WAR safety modes.

Cost per cell hardware is \~$600:

Pi 5 8GB + Pi Edge HAT
RTL-SDR / HackRF for RF verification
RFID (MFRC522), LoRa (SX1276), GPS (NEO-6M), CAN (MCP2515)
EMFI coils, 808nm laser diodes, TEC1 12706 Peltier
ADS1115 ADC + MCP4725 DAC for precision glitching
8 channel relays, PCA9685 PWM drivers.

Repo: github.com/synchancybersecurity/Daedalus-SubZD-Engine-1.0

Cage lab authorized only.
Physical kill switch is the sole fail-safe.

Agent F.

reddit.com
u/Fillmoslim — 8 days ago

Help Needed with Pinout Reverse Engineering For Xiaomi Redmi Note 5 screen

I am trying to get the pinout of a Xiaomi Redmi Note 5 screen. I have been able to identify 14 GND pins, 5 differential pairs, and A K1 and K2 (for the backlight) I also found a pin that will short with GND for a second then flash off then back on, and then another pin that shorts with GND, but will also short with a bunch of the capacitors and resistors on the flex PCB.

If anyone has any ideas or tips on how to figure out what the last 11 pins are, I would greatly apricate it! I have no clue what to do from here.

Here is my current list of all the known pins.

1 GND
2
3 GND
4
5
6
7 GND
8 Saying GND then flashing off then Back to GND over and over and over again.
9 GND
10 GND
11
12
13
14 GND (Shorts with Resistors and capacitors)
15 GND
16 A
17
18 K1
19 K2
20 GND
21 GND
22 Differential Pair
23 Differential Pair
24 GND
25 Differential Pair
26 Differential Pair
27 GND
28 Differential Pair
29 Differential Pair
30 GND
31 Differential Pair
32 Differential Pair
33 GND
34 Differential Pair
35 Differential Pair
36 GND
37
38
39 GND
40
u/TheAsherBot — 6 days ago

Trying to turn an old RK2818 ebook into a Tamagotchi. Stuck at the monolithic firmware stage, need guidance

This summer I started a personal project: turning my old 2009-ish ebook reader (Rockchip RK2818X) into a Tamagotchi-like virtual pet.
Not because it’s useful, but because I want to learn how to reshape closed systems.

So far I’ve:

  • Identified the SoC (RK2818X).
  • Dumped the original firmware.
  • Unpacked everything with the few tools that still work for this platform.
  • Loaded the main binary into Ghidra.

And now I’m stuck.

The firmware isn’t Linux-based, it’s a single monolithic blob full of trampolines, DSP-style pipelines, mixed code/data regions, weird control flow, and functions that look autogenerated.

I can analyze pieces, but I don’t know the right strategy to move forward.

If anyone has experience with Rockchip devices, monolithic DSP firmware, or general blob reverse engineering…

I’d really appreciate any pointers, workflows, or documentation.
Just need direction, not someone to do the work for me.

Thanks!

reddit.com
u/7or3h — 6 days ago