✧✦Catherine✦✧3d ago

first impressions of the Lego smart brick, before I do any actual tearing down: wow, I forgot how good they are at working with plastic. the injecton molding remains impeccable, at least for this specific piece (I know about their recent QC issues elsewhere)

it's hard for me to look at the positively microscopic (I am literally using a microscope to look at it) "Li-Ion" lettering and think of anything but "showing off!"

(treehouse doesn't let me attach the full size images, you can grab them here: front, side)

Show thread✧✦Catherine✦✧3d ago

on the side, there are microscopic openings for the speaker to move air through. I would have really liked to be a fly on the wall in a meeting with the mold engineer who had to make this happen

original

Show thread✧✦Catherine✦✧3d ago
I'm not yet sure how I'll open it up. I don't have a hacksaw (somehow... I should fix that), so my options are somewhat limited: it's either cracking or melting plastic. from what others have done I know I there's plastic welding all around the joined region.
Show thread✧✦Catherine✦✧3d ago

okay I've decided on an idea: I will heat up the plastic to make it pliable and then cut it with a knife

as a knfe girl, this is my professional obligation.

Show thread✧✦Catherine✦✧3d ago
here's a video that shows in more detail the moldwork in the transparent plastic part
Show thread✧✦Catherine✦✧3d ago
if you've never heard of anybody opening welded plastic this way, i can now tell you why: because it's a bad idea. until you heat ABS to the point where it flows (which you don't want here, as it'll make later teardown even worse), it acts rubbery. imagine cutting hot rubber. doesn't work
Show thread✧✦Catherine✦✧3d ago

it did however let me lop off the top of it easily

this is I think a 2.4G antenna?

next step is sanding

Show thread✧✦Catherine✦✧3d ago

yep that did the thing. probably should've started with sanding at the beginning.

it was somewhat more destructively than i wanted, but that's ok: i was trying to challenge my (incorrect) belief that sanding is always a tedious pan in the arse

Show thread✧✦Catherine✦✧3d ago
took it apart. there's a sort of a plastic "carrier" that gets manufacured first, then inserted into the final package that's welded shut
Show thread✧✦Catherine✦✧3d ago
okay, i've extracted the firmware-bearing parts. this is a tiny 45 mAh battery. (part of the lettering was torn off by the glue it was attached with)
Show thread✧✦Catherine✦✧3d ago

close-ups of the component side (well, the side with more components)

originals: 1 2

Show thread✧✦Catherine✦✧3d ago
EM9305 is an em|bleu microcontroller in QFN
Show thread✧✦Catherine✦✧3d ago
it has over half a megabyte of flash!
Show thread✧✦Catherine✦✧3d ago
ok so this would be the JTAG pins
Show thread✧✦Catherine✦✧3d ago
also, here's a close-up of the markings on the tiny WLCSP between the BGA and QFN
Show thread✧✦Catherine✦✧3d ago

decided the next thing to do would be to dump the presumed Winbond flash WLCSP

here it is mounted on a SOIC-8 pinout with a tiny bit of UV epoxy, like a particularly exotic dead bug

Show thread✧✦Catherine✦✧3d ago

connected half of the pads

this is my first time soldering a 0.3mm pitch WLCSP, so it took me a bit to set up the workspace the way that makes it possible, but it's not too bad

Show thread✧✦Catherine✦✧3d ago
finally done. no shorts and (as far as i can tell under mag) no opens
Show thread✧✦Catherine✦✧3d ago
complete success
Show thread✧✦Catherine✦✧3d ago
contrary to everything i've seen online, this is a Winbond W25Q16JWBY part (but one person got the closest, they thought it is a W25Q16JVBY. the difference is major: one is 3.3V, the other is 1.8V)
Show thread✧✦Catherine✦✧3d ago

NotImplementedError: quad enablement SFDPJEDECQuadEnableRequirements.Reg2Bit1_Read35h_Write05h not implemented yet

ah yes. i remember why i hate SPI flashes now

Show thread✧✦Catherine✦✧3d ago

tried using dual mode and the SFDP tells me to transmit half a byte

once i dump it this flash is definitely going into the naughty pile (of unit tests in glasgow)

Show thread✧✦Catherine✦✧3d ago
here's the flash contents https://upload.whitequark.org/1775953651-lego_brick_00F2MZ_749DF5_W25Q16JWBY.bin
Show threadMäh W.

@whitequark Just in case, others want to dig deeper: I cut out the binary starting from offset 0x105000 and can confirm, that I can parse the unencrypted, uncompressed read-only file system (ROFS) there:

https://codeberg.org/maehw/SmartBrickToolkit/src/branch/main/kaitai/smart_brick_decompressed_rofs_segment.ksy + other parts in the repo

I guess that the remaining parts are meta data... and probably also diagnostic data which are collected by the brick and may be transmitted to TLG via their companion app.

Apr 12 at 12:18pmWeb
Show threadMäh W.2d ago

@whitequark Help in finding checksum or hash algorithms... timestamps or whatsoever in the data structure is more then welcome. Happy to get pull aka merge requests on Codeberg.

Edit: Also let me know if there should be a more proper "getting started" or "what am I doing here" guide in the README.md. Also planning to give a talk.. an intro to Smart Play/ Smart Brick. Maybe in German... unless there's interest here -- then it could be in English.