first impressions of the Lego smart brick, before I do any actual tearing down: wow, I forgot how good they are at working with plastic. the injection molding remains impeccable, at least for this specific piece (I know about their recent QC issues elsewhere)

it's hard for me to look at the positively microscopic (I am literally using a microscope to look at it) "Li-Ion" lettering and think of anything but "showing off!"

(treehouse doesn't let me attach the full size images, you can grab them here: front, side)

on the side, there are microscopic openings for the speaker to move air through. I would have really liked to be a fly on the wall in a meeting with the mold engineer who had to make this happen


I'm not yet sure how I'll open it up. I don't have a hacksaw (somehow... I should fix that), so my options are somewhat limited: it's either cracking or melting plastic. from what others have done I know there's plastic welding all around the joined region.

okay I've decided on an idea: I will heat up the plastic to make it pliable and then cut it with a knife

as a knife girl, this is my professional obligation.

here's a video that shows in more detail the moldwork in the transparent plastic part
if you've never heard of anybody opening welded plastic this way, i can now tell you why: because it's a bad idea. until you heat ABS to the point where it flows (which you don't want here, as it'll make later teardown even worse), it acts rubbery. imagine cutting hot rubber. doesn't work

it did however let me lop off the top of it easily

this is I think a 2.4G antenna?

next step is sanding

yep that did the thing. probably should've started with sanding at the beginning.

it was somewhat more destructive than i wanted, but that's ok: i was trying to challenge my (incorrect) belief that sanding is always a tedious pain in the arse

took it apart. there's a sort of a plastic "carrier" that gets manufactured first, then inserted into the final package that's welded shut
okay, i've extracted the firmware-bearing parts. this is a tiny 45 mAh battery. (part of the lettering was torn off by the glue it was attached with)

close-ups of the component side (well, the side with more components)


EM9305 is an em|bleu microcontroller in QFN
it has over half a megabyte of flash!
ok so this would be the JTAG pins
also, here's a close-up of the markings on the tiny WLCSP between the BGA and QFN

decided the next thing to do would be to dump the presumed Winbond flash WLCSP

here it is mounted on a SOIC-8 pinout with a tiny bit of UV epoxy, like a particularly exotic dead bug

connected half of the pads

this is my first time soldering a 0.3mm pitch WLCSP, so it took me a bit to set up the workspace the way that makes it possible, but it's not too bad

finally done. no shorts and (as far as i can tell under mag) no opens
complete success
contrary to everything i've seen online, this is a Winbond W25Q16JWBY part (but one person got the closest, they thought it was a W25Q16JVBY. the difference is major: one is 3.3V, the other is 1.8V)

NotImplementedError: quad enablement SFDPJEDECQuadEnableRequirements.Reg2Bit1_Read35h_Write05h not implemented yet

ah yes. i remember why i hate SPI flashes now

tried using dual mode and the SFDP tells me to transmit half a byte

once i dump it this flash is definitely going into the naughty pile (of unit tests in glasgow)

here's how the flash was mounted in its natural environment, in absence of feline predators

the SPI bus seems to be shared with something else & they're definitely using ViP

alright let's dump the ARC chip now

not my best work but it should do the trick

feat. comically big q-tip

unfortunately, i could not access JTAG. i think i ran out of time i have for playing with this board, good luck @ everyone else

shout out to:
https://github.com/nanash1/smart_brick
https://codeberg.org/shelfofsheelfs/SMART-Brick
for doing good work!

after reading the datasheet a bit more carefully, i know why i couldn't: the JTAG port is simply not exposed unless the firmware configures the pin mux that way. i'd have to dump the firmware in some other way
@whitequark oh how fun, but makes sense for such a pin-constrained device. Is there any other way to access it or is the chip just impossible to reprogram if it doesn't expose JTAG?
@cinebox it has a bootloader which I assume is how it's programmed by LEGO; I think I know how to trigger that but I just wanted to connect JTAG because it was more challenging to solder these tiny wires and I'm bad at doing it
@whitequark could it have booted in cJTAG mode?
@ldcd the datasheet explicitly says the JTAG pins are GPIO'd

@whitequark yup i only mention because TMSC (GPIO11) and TCKC (GPIO10) both go straight to vias (and then maybe to the array of testpoints on the back?); Whereas TDO (GPIO9) seems to go to the flash and TDI (GPIO8) seems to go ??.

So I was thinking there's a chance they might be explicitly configuring it as cJTAG and using it for a boundary scan test after manufacture.

@whitequark Just in case this were really the end... would you give away your PCB in the state it is right now? And maybe some advice how to dump it? I guess you mean the configuration mode thingie?
@maehw I am open to giving it away; I might consider doing a little bit more of RE work e.g. to probe if maybe the LEGO ASIC has a JTAG port available
@whitequark I won't stop you doing more RE'ing! Just curious if the internal flash could still be dumped and before it goes to the trash. Even though I may be lacking the skills to do so.
@whitequark oh lol I thought it was a cat’s paw
@dev that would be a really small cat

@whitequark I know this seems like an ordinary jump to you but if I managed to get one as clean as this, I'd feel like a goddamn hero 😭

I ruined a beautiful rf01 (one of those xbox 360 donor rf receivers wired through usb) with my soldering

Then it died but I think that was because I wasn't supplying the right power the right way(iirc it wanted a stable 3.3v and I just gave it a nodemcu 3v3) which was a common problem on these boards

@sounddrill if you're in the area I can teach you how to do it as cleanly as this. nothing special about it

@whitequark I'm way out in South India but hey, thanks!

I first learned basics of PCB design years ago over a discord server so I'll be sure to ask if I need to pick something up

@sounddrill @whitequark you need MacGyver, a paperclip and two elastic bands, clearly… This is the closest I could find to an appropriate MacGyver picture…
@whitequark Monkey Island Q-tip comes to mind
@whitequark hey @zhuowei does this match anything you found in the LEGO Smart Brick app? Or does the app have a newer firmware version?
@nicolas17 @whitequark @zhuowei for everyone else who got invested now, I think you're referring to this thread: https://notnow.dev/objects/cccfc047-da57-444a-be6f-63a5a766bcf7
Zhuowei Zhang: “The Lego Smart Assist app is out: https://play.google.com/store/apps/details?id=com.lego.smartassist I expect homebrewers to run Doom on the Lego Smart Brick at 1x1 resolution, a week before its of...”

@whitequark Just in case, others want to dig deeper: I cut out the binary starting from offset 0x105000 and can confirm that I can parse the unencrypted, uncompressed read-only file system (ROFS) there:

https://codeberg.org/maehw/SmartBrickToolkit/src/branch/main/kaitai/smart_brick_decompressed_rofs_segment.ksy + other parts in the repo

I guess that the remaining parts are metadata... and probably also diagnostic data which are collected by the brick and may be transmitted to TLG via their companion app.

@whitequark Help in finding checksum or hash algorithms... timestamps or whatsoever in the data structure is more than welcome. Happy to get pull aka merge requests on Codeberg.

Edit: Also let me know if there should be a more proper "getting started" or "what am I doing here" guide in the README.md. Also planning to give a talk... an intro to Smart Play / Smart Brick. Maybe in German... unless there's interest here -- then it could be in English.

@whitequark What are you using to dump the chips?
Glasgow Interface Explorer

@whitequark @drwho oh boy i want one so bad, shame i don't have the time of day to use it though
@whitequark This is wonderful :)

@whitequark its...

a brick

with an arm core, wifi and speakers?

@whitequark someone had identified it as a Winbond SPI flash (to be confirmed, I guess).
@maehw lemme dump this flash then
@whitequark yeah, I'd love to see that being done. What's your plan of how to do it? I think you'd need to un-power or desolder the Bluetooth SoC as this one connects to the CS signals and hence should be the bus master. Or desolder the flash? It's so teeny tiny... I can't do it. You could have it from my second PCB.
@maehw oh i'll just desolder and mount it manually
@whitequark Great to see that you got yourself a #LEGO #SmartBrick. Curious to know what set you got yourself. And even more curious if you can get JTAG working... or find the relevant test pins. Yesterday, I started sniffing the SPI bus. Unfortunately, the ASIC Chip Select pin was not identified in the test pad matrix when I last looked up published schematics.
@whitequark You'll probably also try to power it with a DC power supply instead of the battery, right?