Hacking The Cenzic POV Fan October 6, 2009
At Black Hat this year the Cenzic booth was giving away some portable personal fans, with a slight twist: these were persistence of vision fans. I’d only ever seen one other POV fan, and it wasn’t portable, so the Cenzic fan seemed like a prime candidate for hacking.
Not having any prior experience with POV, I started poking at things to see how it worked. It turns out that Cenzic made it very easy to access the fan’s EEPROM chip, and with a simple RS232-to-I2C interface you can re-write the EEPROM on this device to make it display whatever you like:
Disassembly was pretty simple, as all the plastic covers can be pried off with your fingers or a small screwdriver. The first step to taking the Cenzic fan apart was to gently pry up the small cover on the front of the fan:
This revealed a four pin header, which was very encouraging. Note that this is really all the disassembling you’ll need to do in order to re-program the EEPROM.
Next, prying off the plastic cap revealed the fan blades that double as a sheath for the LED strip:
Prying off the cover below that allowed access to the circuit board:
Here you can see the two springs that sit between the circuit board and fan body to supply power to the circuitry while the fan is spinning:
The hardware in the Cenzic fan is pretty sparse: an unknown controller (covered with epoxy), a few resistors and capacitors, and a single EEPROM chip located right next to the four pin header:
The EEPROM chip is a 24C02N, which is a 2Kb I2C EEPROM chip. The four pin header attaches to the 24C02, allowing it to be read from and re-written. The header pin out from bottom to top, as pictured above, is: GND, SDA, Vcc, SCL:
In order to read and write to the EEPROM chip, a simple serial to I2C interface was required. I built the serial adapter circuit found on Chiprecharge.com, which works nicely with PonyProg. This circuit drops the RS-232 voltage on the data and clock lines down to 5v via a pair of zener diodes, and provides 5v power to the EEPROM chip:
Attaching the adapter to the fan’s four pin header allowed me to read out the contents of the EEPROM chip:
And here’s what the above data displays on the POV fan:
The data dump obtained from the Cenzic fan may need some explanation. If you watched the above video, you saw that the original Cenzic message was broken into five parts:
- WEB APPS
The first byte of data in the EEPROM tells the controller how many parts there are to the message (in this case, five, or 0×05).
Following the 0×05 is the byte 0×06; this is the number of letters in the first part of the message (“SECURE”). Each part of the message is prefixed with its string length in bytes.
Each letter is displayed on a 5×7 matrix, that is, there are 7 LEDs aligned vertically, and each letter gets 5 pulses as the LED array moves around in a circle (5 LEDs in width, 7 LEDs in height).
Each of the vertical LED patterns (5 per letter, since each letter is 5 LEDs in width) are describe by a single byte. The first part of the original message is “SECURE”, which is 6 characters long. Therefore, the size of the first part of the message when stored in EEPROM is 6 * 5 = 30 bytes. If we go to offset 0×20 (which is the next byte after the 30 “SECURE” bytes), we see the number 4, which is the string length of the second part of the message (“YOUR”). The microcontroller reads these patterns from the EEPROM until all parts of the message have been displayed, at which point it starts the message over again.
Each byte in the message represents a vertical LED display pattern, with the high-order bit in each byte controlling the bottom LED, and the low-order bit controlling the top LED. A 1 indicates that the corresponding LED is off, while a 0 turns the LED on; however, there are only 7 LEDs, and 8 bits in each byte, so something has to give. The fourth lowest-order bit is ignored, and can be set to either a 1 or a 0 without affecting the resulting display.
Because the fan rotates in a counter-clockwise direction, the letters entered in the EEPROM are a mirror image of what will be displayed; that is, when displaying a message, the controller starts at the end of a message, and works its way backwards. So, the first five bytes in the first message tell the controller how to display the letter “E”, although if you visually mapped out the bit patterns for these five bytes, you would see that the “E” is actually backwards (again, it needs to be a mirror image of what should be displayed).
To help visualize this, take a look at how to display the letter “E”. First, map out a mirror image of the letter on a 5×7 grid:
00000 <- Low order bits 0 0 00000 <- This row of bits will be ignored 00000 0 0 00000 <- High order bits
Now, fill in everything else with 1′s:
00000 <- Low order bits 11110 11110 00000 <- This row of bits will be ignored 00000 11110 11110 00000 <- High order bits
The resulting hex values for each column of bits is, from left to right:
And the resulting image that will be displayed by the fan is:
00000 0 0 00000 0 0 00000
In order to make it easier to load new text onto the Cenzic fan, I wrote a Python script to translate ASCII text into a data dump that can be loaded into the fan’s EEPROM using PonyProg. Currently it only supports uppercase letters and smileys, but if you understand the above description, it’s easy enough to modify the script to produce any pattern you’d like. Usage is fairly straightforward; to generate a message that displays “Hello World”:
C:\>python ascii2cenzic.py hello world > hello.bin
The resulting hello.bin file can then be opened with PonyProg and written to the EEPROM chip: