X-Raying closed modules and IC’s

I think adding cellular connectivity to projects is super neat, but the modules available up until recently have been a bit cost prohibitive.  For a few years I’ve considered ordering a Spreadtrum SM5100B Arduino shield to play with, but that’s ~$100 which seems ridiculous to me when you consider that you can buy dual-SIM cellphones from Chinese suppliers for $20/piece.  One day a few months ago I noticedSIM800L chip front that Adafruit was selling a cellular board which uses the SIMCOM SIM800L module.  After some searching I found I could order SIM800L’s by the reel from DealExtreme for $8 each.  The modules are designed to be easily integrated into projects; they have solder pads for a microphone, keypad, speaker, and a serial connection.  With the serial connection you can issue commands to dial and answer voice calls, but can also send data via GPRS.  The module has an internally implemented TCP/IP stack with built-in FTP and HTTP protocol negotiation so your host device doesn’t have to work very hard to send raw data back and forth.  At $8 this module is pretty hard to turn down, so I ordered one.  Three weeks later a little brown envelope arrived from China.

The module was small, about two centimeters on a side.  The solder pads are located on the reverse in a grid pattern.  I had planned to hook it up to an arduino and throw commands at it, but quickly began to wonder what was inside the RF can.  With a TCP/IP stack and the various other features that are advertised, this module probably has some serious silicon under the hood.  I didn’t want to wreck the chip, but I did want to know what was inside.  Luckily, a fellow Hacklab member’s father happens to be a dentist with access to an X-Ray machine and a soft-spot for hackers.  Time for some radiological investigation!

The member in question took my module, and a few days later returned the module along with a film X-Ray negative and some digital X-Ray prints, all of varying qualities.


The first, mostly unfiltered X-Ray of the SIM800L

The first set I looked at were the digital X-Rays.  The first two printouts that I had were mostly raw data from the digital X-Ray imager with little post-processing. You can definitely make out components on the first prints, but there’s a lot of noise.  One interesting part of this experiment was that the member who had the X-Rays done for me discovered that the printed versions were of a much worse resolution than the ones displayed on-screen in the software provided by the X-Ray vendor.  We’re not sure why this is, but at least one person speculated it might be some sort of incentive to buy licenses for the X-Ray software rather than sharing the images around in a more open format.

A very cleaned up digital X-Ray

A very cleaned up digital X-Ray

After a bit of cleaning up, the above image begins to look like the one on the right, which is much more useful.  This really interested me; there’s clearly something taking up most of the package real-estate on the right side.  I guessed that this was probably some sort of chip soldered in the package via Ball Grid Array (BGA).  There’s also what looks like multiple components surrounded by a dotted line (solder joints from another RF can?) on the upper-left side.  The image quality is definitely useful, but a little limited.

X-Ray negative on the Hacklab light table.

X-Ray negative on the Hacklab light table.

I inspected the film negative next.  Hacklab has a fully-operational chemical darkroom with a light-table, which is how I got the picture on the left.  As you can see, the negative itself is quite small.  If you look at the negative at full resolution, you’ll notice a significant number of dots with rings around them all over the place.  At first I thought this was due to some dust or other foreign substance in the developer solution, but a fellow Hacklab member with experience in circuit board design suggested that they’re likely vias which connect the various layers of the board together.  Super cool!

Final photographic enlargement of SIMCOM SIM800L

Final photographic enlargement of SIMCOM SIM800L

Another Hacklabber decided to stick the negative into the photographic enlarger in the dark room, and printed an 8 1/2″ by 11″ positive, which came out looking very nice.  I scanned the print, and the picture on the right is the result.  The resolution is quite good, and the major components are all visible.  The print was unfortunately made with the negative upside-down, but now that I’ve scanned it it can be flipped in GIMP or another image editing tool. If you squint, you can make out traces on the board as well.  I bet the contrast of the traces could be improved by making another X-Ray with different exposure values.

After viewing all of these X-Rays, my curiosity got the best of me and I decided to remove the RF-can with a rotary tool and an abrasive cut-off disk.  The following pictures are potato quality because they were taken with a cheap USB microscope that was the best and only option at Hacklab at the time.

Uncapped module

I knew that the module had to contain at least a microcontroller based on all of the features it had, but I was pretty surprised to find that it contained a full ARM SOC.  Mediatek seems to specialize in SOC’s for this type of application.  The SOC for this module is a Mediatek MT6260SA, which is closely related to the processor in the $12 Chinese cellphone that Bunnie Huang wrote about a few years ago.  Bunnie has a write-up about this line of chips (and some more really neat X-Rays) here.

Uncapped module 2

The other major chip inside the RF can is a RFMD RF7176 quad-band transmit, dual-band receive GSM/GPRS RF module.  I haven’t had time to dive into the data sheet yet, but my impression is that this chip performs RF modulation/demodulation for the SOC, as well as signal amplification.

2015-01-17-235953After taking the above pictures, I was curious about the underside of the ARM SOC.  The X-Rays had shown a grid of dots which I suspected was a BGA.  I hit the chip with a heat-gun and pried the SOC off the board, at this point completely committed to not getting the module working ever again.  That’s okay though; the teardown was fun and interesting, and I’ve paid $8 for things which aren’t half as fun as this, so my money was well spent.

Above, you can see the underside of the SOC.  The pattern of dots was in fact a BGA.  You can see the outlines of various traces inside of the SOC if you look carefully.


It was interesting to see how closely the X-Rays matched the physical characteristics of the module.  The X-Rays gave me a really good idea of what to expect before taking the RF can off; a Hacklab member who was more familiar with electronics looked at the initial X-Rays and was able to successfully identify multiple types of components without ever having to open the module.  I can see how this might be useful for reverse engineering other tech.

The Hacklabber whose father performed the X-Ray for me said it cost less than a dollar for materials, so dental X-Rays seem to be a cheap method for investigating sealed modules if you know someone who is willing to donate their time.  If you don’t have a friend who is a dentist, you could probably convince a random dentist to do this sort of thing but you would probably have to pay for their time.  That’s a non-trivial expense, but probably better than industrial radiography places.

The dental X-Ray quality is not good enough as far as I can tell for examining very thin wire traces and internal silicon structure, so I suspect that a person wishing to get that level of detail might be looking at some expensive industrial radiography services.  Still, one might be able to play with the settings of the machine to get better results; dental X-Ray machines are designed to use as little radiation as possible to minimize health risks, but aside from considerations for operator safety, one isn’t constrained to low dosage levels when X-Raying most electronics.  A higher intensity beam and much less sensitive film with better granularity would improve things a lot.  I suspect most machines could be configured by the operator for greater output (or even just multiple exposures), and less sensitive X-Ray films with better granularity could be used for finer detail.

This was fun.  I look forward to having more stuff to X-Ray!

The Cyberpunk present

A Raspberry Pi connected to a USB batteryDollarama was selling $3 1850mAh Duracell USB power banks today, and they put out enough juice to run a Raspberry Pi.  The fact that a USB battery bank doesn’t cost 10 times what I paid astounds me, which probably means I’m getting old.  The cost of living keeps going up, we can barely feed our poorest citizens and nobody’s found a cure for HIV/AIDS yet, but if you want to run a rogue mobile server with a $50 Raspberry Pi, a $8 wifi dongle, a $10 SD card and a $3 USB power-bank, apparently that’s a thing you can do.


Digital, Wireless Dead-Drops On The Cheap

I like wireless technology, and I have a soft spot for sneaky cloak and dagger stuff. A long time ago I read about a non-internet-connected wireless dead-drop called PirateBox, and I really liked the idea. It was kind of subversive and hyper-local, and I liked that it kept no logs and allowed anyone to post content. Being a little strapped for cash however I thought I wasn’t in a position to put one together — a piratebox was about $150-200 to put together when it was first announced, which is a little steep for me for a quick weekend project.

A few things happened though — first, I did a bake-sale at Hacklab.to for a semi-related wireless project which brought in a bit of cash to play with. Second, the PirateBox sofware was released for the TP-Link TL-WR703N, a $20-30 3G Internet Stick Router.

I already had a 703N for the above-mentioned wireless project, and it was sitting around doing nothing. I picked up a 64GB, $32 USB storage drive and stuck it in the 703n’s USB port, flashed the PirateBox firmware on the 703n, and I had a working dead-drop.

Picture of a PirateBox

My PirateBox hangs out on Hacklab’s ceiling near the front windows.

Associating a phone or laptop with the PirateBox and opening up a browser will get you the PirateBox front page, where you can upload files, chat in real-time with other users, use an imageboard, download files other people have uploaded, or use it as a wireless media server. It’s pretty great. If I really wanted to turn it into a spy-movie plot device I could trade messages with my friends at Hacklab.to over the PirateBox with messages hidden steganographically in images on the imageboard. And if I wanted to take it another step further I could rig up a solar charging circuit, stick the entire thing in a waterproof box and hide it in a tree somewhere, Geo-caching style.

So far I’ve loaded most of the works of Cory Doctorow on it, some music by Good Old Neon, and a few documentaries — all CC licensed content that I was able to download for free with few restrictions. The PirateBox gets some attention during Hacklab’s Tuesday Night Open House as well, with people downloading content and uploading things they want to share.  It’s slowly filling with weird and wonderful content.

The speeds are very slow however — 200KB/s upload and 1000KB/s download when both the router and the USB stick should be able to do much more than that. I’m going to try investigating what the issue is when I have some spare time, but for now I power the device down and connect the usb stick directly to my computer when I want to add a large file.

I think after dealing with speed issues, next steps are to see about powering the PirateBox via an external USB battery, and taking it with me during morning rush-hour on the Subway. There’s no cell reception or wifi down there, so I’ll be the only access point people can connect to underground. Maybe I can use the built-in PirateBox chatroom to converse with the various subway riders while they’re on their way to work. This reminds me in part of the Dark (Roast) Net from the Sentient City Survival Kit, another neat project.

Anyway, it was a fun project to slap together.  If you’re ever at the Hacklab you should contribute some content.

Back To The Usual Air-Quality Geekery

Two laser-cut snowflakes.

Two laser-cut snowflakes.

The holidays are now over, and I’m beginning to return to my normal routine.  I had a nice time this year; I visited friends and family, and also organized a Hacklab.to Christmas eve open house we dubbed “Hackmas”.  Hackmas came complete with vegan hot-chocolate (rum optional), laser-cut snow flakes, a red coconut curry someone described as “A Christmas miracle”, fresh baked cookies, and non-traditional holiday music.  For a few of the songs we enjoyed, you should listen to Tim Minchin’s White Wine In The Sun, Dar Williams’ The Christians And The Pagans, and the Electronic Frontier Foundation’s The NSA Is Coming To Town.  There were only a couple of us left on Christmas morning, but I made some walnut and cranberry pancakes from scratch and they were thoroughly enjoyed.

Now that the festivities are done with I’ve turned my attention back to geeking out on air quality.  My research on oxygen sensors is beginning to bear fruit, and while I will save my sensor comparisons for another post, I can tell you that the solid-state sensors which use the fluorescence-quenching qualities of oxygen are looking pretty ingenious and awesome.  The mechanisms used in solid-state gas and chemical vapour sensors in general are pretty clever, and half the fun of my research is learning how the sensing mechanism works.  I’ll post more about that later.

One of the things I want to do once I have some data on Hacklab’s air is take some steps to actively improve the quality of the atmosphere inside the space by improving the atmospheric oxygen concentration and removing volatile organic compounds (VOC’s), smoke, and other toxins.  There are efficient air filtration systems with activated charcoal and HEPA filters that I could use for toxin removal, but I’m quite interested in the possibility of using houseplants to perform the same task.  I’ve been looking at some research which suggests certain houseplants are quite efficient at removing airborne toxins, though I’m finding a need to review some of the research methodology and fact check many claims; there’s a lot of questionable science and subjective experience mixed into the data.

While I’m researching sensors and plants, you should watch this short TED Talk about using houseplants to improve indoor air quality in India.

Sensor Selection: CO2

I’m very interested in how much CO2 collects in the lab, particularly during open-house nights so a CO2 sensor is a must.  CO2 sensors don’t come cheap though – a search on digikey indicates that I can pay hundreds of dollars for a single sensor module.  After doing some poking around, I found CO2meter.com, which listed two promising candidates at prices that might actually be affordable.  The first is the SenseAir K-30 0-10,000 ppm CO2 sensor for $65.00.  The second is the Gas Sensing Solutions COZIR 0-10,000 ppm sensor for $109.00.  Both of these sensors are solid-state – they make use of Non-Dispersive Infra-Red sensor technology, which means they won’t wear out as quickly as an electrochemical sensor.  COZIR sensors come in measurement ranges of 0-2,000 ppm, 0-5,000 ppm as well as the 0-10,000 ppm sensor, but I’ll probably skip the lower range sensors for a 0-10,000 ppm sensor.  While atmospheric CO2 is only around 400 ppm, some comments on the forum post here suggest that a small, poorly ventilated space with many occupants will easily reach 3,500 ppm CO2 or higher.  Hacklab isn’t much bigger than some living rooms, and we will sometimes have a couple dozen occupants, so I want to be able to measure very high levels.

The SenseAir K-30 module features are:

SenseAir K-30.  Source: http://senseair.se

SenseAir K-30
Source: http://senseair.se

  • No case/packaging.
  • Measurement range of 0-5,000 ppm “within specifications”, 0-10,000 ppm “total”.
  • Accuracy of +/- 30 ppm, +/- 3% of measured value.
  • Outputs readings every 2 seconds.
  • Serial communication with I2C and MODBUS protocols. It also has analog voltage output for CO2 indications.
  • The sensor has embedded calibration code which assumes that the ambient CO2 concentration is 400 ppm most of the time and corrects accordingly once per week.  I suspect this may cause trouble for me at some point if I can’t find a way to turn it off.

The Gas Sensing Solutions COZIR 10K ppm module features are:

Gas Sensing Solutions COZIR 10K ppm.  Source: http://www.gassensing.co.uk

Gas Sensing Solutions COZIR 10K ppm sensor
Source: http://www.gassensing.co.uk

  • Finished case with 3 mounting holes.
  • Measurement range of 0-10,000 ppm.
  • Accuracy of +/- 50 ppm, +/- 3% of measured value.
  • Outputs readings every 0.5 seconds.
  • Serial communication as well as analog voltage output for CO2 indications, though it’s not clear if you have to request the analog output functionality specifically or if it ships by default.
  • According to a datasheet sent to me by GSS, the COZIR sensor comes factory-calibrated and has an auto-calibration function to correct for long-term sensor drift.  Again, I suspect this may cause problems unless it can be bypassed.

Right now I’m leaning towards the SenseAir K-30; it’s low-priced, accurate, and has a wide variety of communications protocol options.  The readings only come in once every two seconds, but for monitoring Hacklab’s atmosphere I don’t really require the high reading rate of the COZIR sensor.  I also don’t need a finished housing since I’ll be designing my own.  Ultimately I think both sensors would work quite well, but right now the K-30 is looking like a very solid option, particularly if you consider cost as a major influencing factor as I do.

I’m in the process of trying to obtain one of the K-30 modules to hack on, and I’ll write an update about working with the sensor module when I’m able.

Hacklab Indoor Air Quality Project

Recently a fellow member of Hacklab.to bought a couple of bench-top fume extractors for the lab.  People solder things constantly here, and the fumes from the solder rosin can cause some really unpleasant health effects.  Respiratory irritation, asthma, skin diseases and chemical hypersensitivity are possible side-effects of rosin fume exposure.  I solder at Hacklab a lot, so reducing my fume exposure even a little has palpable health benefits.

The concern over solder fumes at the lab got me thinking; what about other aspects of indoor air quality?  The lab is relatively small – about 630 square feet, and we do a lot with that space.  On a Tuesday night open house the space regularly has 20 or more people producing fumes through cooking, soldering, lasering and 3D-printing.  All of those people respirate and perspire, consume oxygen, exhale CO2 and produce small quantities of airborne volatile organic compounds (VOC’s).  Dust, pollen and other allergens collect in the lab as well.  And since we are in Toronto we have to deal with smog coming in from outside.  All things considered, the air in the lab can get downright nasty.

I decided to build an indoor air quality station with sensors that can give me data about various aspects of Hacklab’s atmosphere.  This project is partly practical, but mostly for fun; I want to learn to make neat things with sensors that can do cool and useful things.

The most obvious choices for the project platform are Arduino, Raspberry Pi and Beagle Bone.  Arduino is an easy choice here; they’re a bit cheaper than the alternatives, there are lots of helpful people at the Hacklab who have experience programming for Arduino, and I also happen to have an Arduino Uno sitting in my bin at the lab just waiting for a project.  In the future I can always redesign it around another platform if I want more functionality out of it.

Sensors are the main consideration after the platform.  I want sensors which will give me a wide variety of statistics on the air in the lab.  Some of the things I might be interested in measuring are:

  • Carbon Dioxide (CO2) concentration.
  • Oxygen concentration.
  • Volatile Organic Compound (VOC) concentration, particularly benzene, formaldehyde, trichloroethylene, xylene, toluene, and ammonia, just to name a few of the most common and potentially harmful VOC’s.
  • Smoke and Ultra Fine Particle (UFP) concentration.
  • Temperature.
  • Humidity.

I’m currently researching sensors for all of these things, so I’ll post an update on sensor selection when I have a better idea of what I can add to the project.  There might be other things I want to measure too – if you think I might have missed something, leave a comment!

First Post

I’m a twenty-something geek living in Toronto and trying to pick up some programming, networking and web-dev skills at Hacklab.TO.  My friends at the Hacklab told me I should start a blog to keep track of my adventures, so I decided to follow their advice.  I have a few interesting projects on the go, which I’ll start sharing over the coming weeks.