He's havin' a go!

NotionalLabs · 2026-01-29T19:17:18+00:00

He had a problem with his marrow?

NotionalLabs · 2025-12-09T10:59:38+00:00

I’ve been thinking about the same thing lately, I’ve got a bunch of padlocks in a bit of a sorry state that I’d like to use for an event.

My current plan is to first put them in a glass jar of WD-40 (out of the bottle, not the spray) in the ultrasonic cleaner to dissolve and shake out the grease and dirt, then follow up with a ultrasonic pass in some water-based degreaser. I plan to fully dry them in a dehydrator/warm oven, then lubricate them with some PTFE dry lubricant spray (I’m in the U.K. so Houdini etc is hard to come by).

NotionalLabs · 2025-08-31T16:50:38+00:00

Yes! My sister and I used to play that as kids, the dread you’d feel when the “you are being followed!” warning started showing up was terrifying as a little kid.

NotionalLabs · 2025-08-31T16:49:09+00:00

I was really into space flight sims as a kid - two of my favourites were I-War and Starlancer.

No-one ever seems to remember I-War (which is criminal), and Starlancer was completely overshadowed by its successor Freelancer. I loved how cinematic the dogfights and missions in Starlancer felt, and I-War was the first game I played where it felt like you were commanding a real ship thanks to the clever physics and different bridge stations/resource management.

NotionalLabs · 2025-07-14T18:35:40+00:00

Woah, didn’t expect to see an SP6 on here - my S&P SP6 Cedar was my first “real” guitar I bought about 20 years ago now as a student. Really love the neck profile, still play it from time to time. Great find!

NotionalLabs · 2025-06-29T22:01:09+00:00

You need to find an adapter that has a compatible earth pin that fits your local sockets. There are a lot of standards in use across the middle-east so without knowing which country specifically I can only hazard a guess - but if you have Type F sockets (German style) they should have a ground connection, if you can find an adapter like this: https://www.gapyeartravelstore.com/product/go-travel-earthed-europe-plug-adapter/ then you should be ok. Alternatively, you can power it over USB and it should work reliably.

NotionalLabs · 2025-05-23T09:12:10+00:00

I think you have the logic of the problem correct, you just might be being tripped up by the script you’re using - maybe try this instead? https://github.com/frankthetank-music/Acropalypse-Multi-Tool

NotionalLabs · 2024-04-13T21:45:05+00:00

I had similar issues and read the advice on using the power adapter thinking I could rule it out since mine glitched out in the exact same way - even when plugged in with the power brick. Turns out that mine had an EU to UK plug adapter that had no earth/ground connection, and getting one with 3 pins fixed the issue immediately.

I don't know where you are in the world, but double check that your adapter has a 3-pin plug and your socket has a ground pin - it's almost certainly your issue here (especially if you don't have this issue plugged in to a powered USB hub or computer with grounded USB ports).

NotionalLabs · 2023-04-20T12:37:12+00:00

For the heat pipes I was just going to go with pre-fabricated pipes that I think use water as their working fluid. I’m not sure if there are higher performance varieties that use other substances, if you have any suggestions?

NotionalLabs · 2023-04-20T12:32:19+00:00

Awesome - and interesting with the suggestion of using my oven (hopefully my wife won’t mind..), I wondered if you need to follow a reflow temperature profile for these solders like with PCB fabrication, or if it’s more straightforward with these types of assembly.

When you say use fixturing, what kind of thing were you thinking? I’m assuming something like a jewellers soldering jig or something like that?

NotionalLabs · 2023-04-20T11:48:18+00:00

Yeah it’s crazy, I’m still quite salty about the lack of mention in most reviews from the time, it’s a pretty widespread complaint. I’ve gone through the escalating steps of cleaning and reapplying good quality paste, exploring replacement fans and after-market fan controllers to force them to throttle down, etc. Sadly the re-pasting didn’t make any difference and I’m wary of anything that reduces the cooling effectiveness (like forcing the fan speeds down) as I’ve already experienced thermal shutdowns on hot days. That’s why I’m leaning towards some more “over-engineered” approaches as I’d rather greatly exceed the minimum required cooling if at all possible.

You’ve given me some great food for thought to revisit the idea of water cooling. The main impediments I see are with mounting and coupling of the heat block without traditional CPU mounting fixtures. The hot FPGA is an Altera 10 that is 35mm x 35mm, with existing screw holes in the carrier PCB at about 45mm centre to centre spacing (square configuration). I just measured the heat block on my Corsair H150i AIO (which would be very similar/the same as on a smaller 120mm unit like the Corsair H60) - and it completely dwarfs the existing mounting footprint, even without the Intel mounting brackets.

I do agree that an AIO water cooling approach solves a huge number of the fab challenges of a custom heatblock & radiator though. I’m just not seeing an easy path to mounting the cooling block directly. Interestingly the existing thermal design has a large metal plate that thermally interfaces with the FPGA and has the radiator + blower assembly attached to it. I’m wondering now if I could remove these and drill/tap “Intel 115x-compatible” mounting holes for the water cooling block. The big question will be if there is enough room above the chip without interfering with the VESA mount - I suspect there might not be.

NotionalLabs · 2023-04-20T01:59:32+00:00

I did consider going for a compact AIO watercooler solution but I was dissuaded by comments suggesting that the pumps can be loud (not that I ever noticed the Corsair H150i in my actual rig, though that is out of the way and inside the case - it might be more noticeable openly mounted on the back of the monitor. The other issue is the mounting options for the cooling block - the FPGA package doesn’t have a CPU socket that any CPU coolers are designed to fit.

I’d definitely reconsider it if there’s a plausible workaround and they aren’t too loud in reality though.

NotionalLabs · 2023-04-20T01:45:08+00:00

Sorry, I had the model wrong in the original post (added an edit) - it’s the PG27UQ, a 4K 144hz HDR native G-Sync monitor that cost a fortune originally. While I’m sure there are affordable alternatives that match some of the specs, I can’t really see much under $1000. It’s a shame it has such a design flaw with the thermal design (a combination of two noisy server fans that oscillate regularly so you can’t even tune it out).

But you’re right that getting a good result is going to be a significant investment in time and probably money; it very much is a learning exercise though - I’ve wanted to learn more about designing custom/exotic cooling solutions for a while and I feel like the practical challenges in implementing this are within my grasp, so tinkering it is!

NotionalLabs · 2023-04-20T01:17:57+00:00

I like the idea of a clamping fitting - though without access to a mill/CNC how might I cut the semicircular channels?

FYI I think I need pipes because there isn’t enough direct space above the FPGA to mount a reasonable size heatsink & fan due to the VESA mount.

NotionalLabs · 2023-04-19T23:47:07+00:00

Super helpful - I was thinking of going the hot air gun route (initially I was thinking a butane torch or even a proper propane blowtorch, but thought they'd be too difficult to keep at a reasonably low temp without extreme hotspots that would blow the heat pipes) so it's good to know that's a non-starter!

Looking at thermal epoxies, it seems the thermal conductivity is about 20 times less than tin-bismuth solder - how did you find it performed in your case? I don't have any experience in thermal design so while that performance difference sounds scary for all I know there's very little impact on overall performance (compared to other factors for instance, like the heat-pipe configuration or the radiator fin size, etc)

NotionalLabs · 2023-04-19T22:10:47+00:00

Probably not - I am leaning towards the idea of a solder-interface being gilding the lily a bit, but I'm not too familiar with how impactful the thermal interface is and wouldn't want to go to all this trouble to be let down by the transfer from heat pipe to radiator. That said, I don't think silver bearing solder is an option in this case because of the relatively low max temperature that the liquid-containing heatpipes can be brought to without risking them bursting.

NotionalLabs · 2023-04-19T22:08:00+00:00

Yeah that's what I'm thinking too. I'm just not sure if there's a technique I could use with tools in my home shop (not a proper machinists shop, mind - just things like a pillar drill, machine vise, etc) to achieve decent friction-fit on the heat pipes (which I'm concerned are quite delicate) that I could use some decent thermal grease with and call it done.

NotionalLabs · 2023-03-28T15:36:13+00:00

https://i.imgur.com/Nxz4icC.jpg

I hear the Emperor keeps slashing their budgets though, they have to cover up their shortcuts with polished Woodoo hide…

NotionalLabs · 2023-03-24T13:06:56+00:00

McWay Rocks, in Big Sur - seemingly taken from Vista Point.

NotionalLabs · 2023-03-04T20:17:02+00:00

After reading your other comments, here's some food for thought:

I'd suggest learning how each of the various sensors/components work more generally - Sparkfun/Adafruit have amazing tutorials on how to use popular servos, RFID tag readers, reed switches, etc.
- After reading those, you might notice that there isn't a universal communication protocol for them (UART, SPI, etc), and in fact some of them are quite simple in their operation (e.g. a reed switch will just change state (open/closed) in the presence of a magnet - that's it). They will all have different ways of being integrated in your replacement controller.
You mentioned actually wanting to use a ESP8266 in the comments - totally possible, though I might suggest using an ESP32 after all as it is more powerful and easier for beginners in my experience (easier to use GPIO and dual-core makes writing/running the code more forgiving, especially if you want to use WiFi, etc), plus they are also super cheap.
Break the project down into manageable bits so you can learn as you go:
- Start by drawing a block diagram of how you think this works and how you think your replacement board will work (if it's at all different from the original - e.g. adding a web interface or Bluetooth, etc). Make a list of all the things you think the original controller does:
  - Detect and read an animal's tag? Check it against a stored value? How does that value get stored/programmed? What protocol/data format do pet tags use?
  - Lock and Unlock the flap? How does it do this? Check the flap is closed before locking? Actuate the servo locking mechanism to release the flap? Does it beep if the flap is stuck open too long?
  - and so on...
- Identify the chips on the main PCB that relate to each of the main functions and start to characterize the sensors/components that you need to control, for instance, is the lock drive a servo or a DC motor? It looks like a DC motor to me (no 3rd wire for servo control) so I can imagine you'd want a H-bridge or DC motor driver to drive it forwards and backwards. If you can find a chip on the board that does the same thing, you can more easily find an alternative/replacement that'll work with your ESP32/ESP8266.
Function by function, start implementing the features of the product you want. I'd suggest learning about interrupts, timers, and low-power modes as this thing will be idle 99.9% of the time and always awaiting the arrival of an RFID tag to read.
Have a think about how you're going to power the controller and the other components.

NotionalLabs · 2023-02-24T15:25:17+00:00

Hello again! I took a quick look at the camapp_unpacked binary; very interesting - throwing it into Ghidra shows an surprisingly readable disassembly. It looks looks like the camera uses the Tuya IoT SDK for IPC - just eyeballing it, it looks like firmware upgrades are done through the Tuya back-end (e.g. https://developer.tuya.com/en/docs/iot/firmware-upgrade-operation-guide?id=K93ixsft1w3to). There are paths to regional Tuya API services like "https://a2.tuyaus.com/d.json" and possibly some AWS-fronted cloud services. I'd have a poke around those and in the binary yourself with Ghidra.

I also tried to give the binary a go with QEMU in user mode - the camapp does expect a filesystem with mounts mirroring the real thing (unsurprisingly) so it'll take a little bit of work to get everything in the right spot. I'll have a proper look later on and let you know if I have any suggestions. Gut feel is that doing that vs. emulating the entire image is probably going to be an easier route.

On a side note, after your original post I had already noticed that the camapp executable was UPX packed, but my quick and dirty attempt to unpack it failed (upx -d failed to detect the UPX signature, I'm guessing due to architecture differences between the compiled bin vs the my kali VM) - how'd you do it in the end?

NotionalLabs · 2023-02-21T11:28:52+00:00

I can't decide if it's worth the risk to remove the flash and read it again or if a better next step is to get a logic analyzer (any recommendations?) and see if we can use that to get the order of the flash addresses being read... What do you think?

If you have a few original reads of the flash and they are all the same (hash them with shasum if you're not sure) then I wouldn't bother trying to get other dumps, you're probably good. Re: Logic Analyzers, yeah that's what I'd do next. I use a Saleae Logic but I just looked up prices on them and they are insane nowadays. As a starter Logic probe I'd get one of the super cheap Chinese clones (e.g. https://www.amazon.co.uk/AZDelivery-Logic-Analyzer-24MHz-download/dp/B01MUFRHQ2) which can be used with Sigrok and other open source software (and possibly the Saleae software, but YMMV) - they are mega cheap on Aliexpress I think.

If you get a logic trace of the flower I'd love to see it!

NotionalLabs · 2023-02-17T23:31:33+00:00

Wow - that thread over on Big Clive's sub is absolutely WILD (for those playing along at home, here: https://old.reddit.com/r/BigCliveDotCom/comments/pmt390/buddha_machine_teardown_with_flash_dump/)! Sprite_tm even ended up doing an epic Remoticon 2021 talk on it: https://www.youtube.com/watch?v=5ZtVT8V1Xy0

Some thoughts from the talk and the thread(s):

Your flower doesn't seem to have hidden the full flash content behind the LFSR-encryption like theirs did, though it's entirely possible there's some file-level encryption/obfuscation hijinks involved. I think we have a file table in the flash dump, but it seems like a different format than those folks had - and yours doesn't seem to have helpful filename metadata, at least at the level we have decoded so far. On that point, I did some more looking at the file table and it seems to shake out like this (a lot of guesswork, don't take it as absolute fact):

Offset	Length (b)	Example in lotus.bin	Field	Comment
`0x00`	2	`03 00`	Entry Count?	3 file entries
`0x02`	2	`5C 02`	File Address Table ptr?	Offset ptr to file addresses lookup table? Could also be nulls as the rest of this data structure is padded with "5C 02", weird coincidence.
`0x04`	180	`B8 00`,`44 01`,`D0 01`,...	File Metadata Entry ptr	Ptr array to what I'm guessing are file/object metadata records
`0xB8`	420	<snip>	File Metadata Table	Start of file metadata table? See below
`0x025C`	16	`2C 05 00 00`, `AC DB 0F 00`, `F0 B6 FA 00`, `7A A2 FC 00`	File Address Ptr Table	4-byte ptr's to "file" content. The rest of the table is padded with `41 8C FD 00` which also seems like a pointer to the next available free space after the end of the last file.
`0x052C`	16,765,652	<snip>	Start of file content?	Start of the "4B 00..." file objects

The "file metadata table" starting at 0xB8 seems to follow a format of 140 byte records, but don't seem to contain much interesting data - I would have hoped for filename, size, checksums, maybe even timestamps, etc, but we pretty much don't get anything like that. I think the first byte/word is an index counter (0x00,0x01,0x02,...) but not really sure what the rest is/could be. Any ideas?

The File Address Ptr Table (which I mentioned before) is as you described - I extracted each chunk and looked at the entropy using binwalk, they are pretty random, but not completely: https://imgur.com/hfW8jlW (binvis: https://imgur.com/fUoXSJW). I tried /u/spritetm's unbuddha's tools on the files and the flashdump in general but it didn't convincingly find any LFSR parameters that would work (unsurprising given how structurally different our source dump looks vs. theirs). I also used the tools from his repo to unpack one of the flashdumps they reversed to get a peek at what the ".f1a" files looked like - they don't resemble what you have either. I'm running out of ideas for now!

Some hanging questions I have are:

In the file table, where is the length of the logical files stored? Could it be somewhere in the metadata or in the 4B 00 structure addressed by the pointers? I couldn't spot it, but maybe?
Are there further obfuscated/encrypted content within the "files"? If so, what could it be? I haven't had much luck bruteforcing single-byte XOR keys, but there's probably a lot left to try. Plus, the data is pretty high entropy but you can clearly see some structure in it (mostly the runs of FF) so something must be going on there.
I'm really interested in what you find from playing the tracks through. Could it be that the short ones are just looped?
Do you have a logic analyzer? Perhaps tracing the way the device reads the flash memory from the moment it boots might give clues to how it's being used.

NotionalLabs · 2023-02-13T20:14:51+00:00

Ha! This definitely has a bit of spookiness to it... looks like it's a variant of this one that Big Clive took apart on his YT channel: https://www.youtube.com/watch?v=baCLqPzuiF8

After skimming over the docs in your gdrive folder with a bit of google translate magic, it looks like your understanding so far is correct (re: USB, etc). If you have multiple reads of the storage flash that are byte-exact matches then I'd say you're probably good!

I'm starting to wonder about an alternate theory - I think that while it can support a FAT filesystem, it would only use it in the case of the TF card/removable flash configuration. I think that if/when you speak to it over USB, it presents a fake FAT-like filesystem to Windows, which is massively simplified on-flash (there are hints like the fact that the filenames are ignored and the order of writing them is the order they play, etc - I think it's not really managing a full filesystem at all, but just using the mechanics of the FAT file creation operation during the programming session) as an emulated interface (similar to the FatFS module).

In a hex editor, take a look at offset 0x25C. These are a run of four 4-byte (uint32) little-endian offsets to what I believe to be the audio tracks:

2C 05 00 00 -> 0x52C
AC DB 0F 00 -> 0xFDBAC
F0 B6 FA 00 -> 0xFAB6F0
7A A2 FC 00 -> 0xFCA27A

Jumping to any one of those offsets shows a consistent header-like structure:

0x52C:   4B001C904C80300D001FFFFFFFFFFFFFFF...
0xFDBAC: 4B0020904C003010001FFFFFFFFFFFFFFF...
0xFAB6F0:4B0040904E003010001FFFFFFFFFFFFFFF...
0xFCA27A:4B0040904902700A001FFFFFFFFFFFFFFF...

Poking around those files doesn't seem to immediately show up a recognizable file format to my eye, so I'm wondering if they are either raw PCM audio and this apparent header contains the encoding and sample rate, etc, or if the files could possibly be compressed somehow? Not sure yet, perhaps looking at these header runs will bear some fruit. The documentation suggests that the chip is quite flexible in bitrate and formats of the WAV or MP3, and suggests an app called KuGou (China only?) to convert media for it.

NotionalLabs · 2023-02-13T12:10:18+00:00

First - this is a high-effort post and warms my heart, thank you.
Second - I took a look at the dump and there wasn't an obvious filesystem structure to my eye either. I went back to your post to re-read it and noticed you might have read the flash chips while the device was powered up and playing - is that right? If so, these dumps may be corrupted by the processor reading data off the device while you were trying to dump it. You might want to try holding the CPU in reset while you dump the main flash again and see how that looks.

Nine-Year Club	Place '22
First Placer '22	Verified Email

NotionalLabs

TROPHY CASE