The first Python script, ascii2cenzic.py, was mentioned in my original article; you simply pass it the ASCII text that you want the fan to display, and it will generate the binary data that you need to load onto the fan’s EERPOM using PonyProg. It has been updated to support uppercase alpha numeric characters, some punctuation, and smiley and frowney faces.

If you want to display an image that the ascii2cenzic script doesn’t support, you have to figure out the necessary byte patterns. This can be time consuming, so the second script included in the tool kit is graph2hex.py. Graph2hex will take a 5×7 character ASCII art image and generate the five byte sequence needed in order to display that image on the fan. There are two important notes regarding the use of this tool:

1. The image MUST be 5×7 characters, no more, no less
2. Zeros in the ASCII art image will be where the LEDs are turned on; anything else is considered “off”.

There is also an example ASCII art image of a smiley face included in the zip file, example_graph.txt. Note that there are five columns, with seven rows each, no more, no less:

11111
01110
11111
11011
11111
01110
10001

To make the image clearer, you can replace all the 1′s with spaces. Be careful with this though, it’s easy to accidentally add extra white space and then you’ll be left wondering why graph2hex is throwing errors:

0   0

  0  

0   0
 000

Running graph2hex on this file produces the five byte sequence needed to properly display this image:

c:>python graph2hex.py example_graph.txt
0xBD,0x7F,0x6F,0x7F,0xBD

Once you have these bytes, you can add an entry to the ascii_table dictionary in ascii2cenzic.py (note that the key in the dictionary must be ONE character):

…
‘)’ : [0xBD,0x7F,0x6F,0x7F,0xBD], #Close paren displays a smiley face
…

You can download the tool kit here.

Not having any prior experience with POV, I started poking at things to see how it worked. It turns out that Cenzic made it very easy to access the fan’s EEPROM chip, and with a simple RS232-to-I2C interface you can re-write the EEPROM on this device to make it display whatever you like:

Disassembly was pretty simple, as all the plastic covers can be pried off with your fingers or a small screwdriver. The first step to taking the Cenzic fan apart was to gently pry up the small cover on the front of the fan:

Cenzic POV Fan

Header Cover Removed

This revealed a four pin header, which was very encouraging. Note that this is really all the disassembling you’ll need to do in order to re-program the EEPROM.

Next, prying off the plastic cap revealed the fan blades that double as a sheath for the LED strip:

Fan Cap Removed

Prying off the cover below that allowed access to the circuit board:

Fan Circuit Board

Here you can see the two springs that sit between the circuit board and fan body to supply power to the circuitry while the fan is spinning:

Brush Springs

The hardware in the Cenzic fan is pretty sparse: an unknown controller (covered with epoxy), a few resistors and capacitors, and a single EEPROM chip located right next to the four pin header:

Closer View Of The Circuit Board

The EEPROM chip is a 24C02N, which is a 2Kb I2C EEPROM chip. The four pin header attaches to the 24C02, allowing it to be read from and re-written. The header pin out from bottom to top, as pictured above, is: GND, SDA, Vcc, SCL:

24C02 Header Pin Out

In order to read and write to the EEPROM chip, a simple serial to I2C interface was required. I built the serial adapter circuit found on Chiprecharge.com, which works nicely with PonyProg. This circuit drops the RS-232 voltage on the data and clock lines down to 5v via a pair of zener diodes, and provides 5v power to the EEPROM chip:

PonyProg EasyI2C Serial Interface

Attaching the adapter to the fan’s four pin header allowed me to read out the contents of the EEPROM chip:

Dumping The EEPROM

PonyProg Data Dump

And here’s what the above data displays on the POV fan:

The data dump obtained from the Cenzic fan may need some explanation. If you watched the above video, you saw that the original Cenzic message was broken into five parts:

1. SECURE
2. YOUR
3. WEB APPS
4. WITH
5. CENZIC

The first byte of data in the EEPROM tells the controller how many parts there are to the message (in this case, five, or 0×05).

Following the 0×05 is the byte 0×06; this is the number of letters in the first part of the message (“SECURE”). Each part of the message is prefixed with its string length in bytes.

Each letter is displayed on a 5×7 matrix, that is, there are 7 LEDs aligned vertically, and each letter gets 5 pulses as the LED array moves around in a circle (5 LEDs in width, 7 LEDs in height).

Each of the vertical LED patterns (5 per letter, since each letter is 5 LEDs in width) are describe by a single byte. The first part of the original message is “SECURE”, which is 6 characters long. Therefore, the size of the first part of the message when stored in EEPROM is 6 * 5 = 30 bytes. If we go to offset 0×20 (which is the next byte after the 30 “SECURE” bytes), we see the number 4, which is the string length of the second part of the message (“YOUR”). The microcontroller reads these patterns from the EEPROM until all parts of the message have been displayed, at which point it starts the message over again.

Each byte in the message represents a vertical LED display pattern, with the high-order bit in each byte controlling the bottom LED, and the low-order bit controlling the top LED. A 1 indicates that the corresponding LED is off, while a 0 turns the LED on; however, there are only 7 LEDs, and 8 bits in each byte, so something has to give. The fourth lowest-order bit is ignored, and can be set to either a 1 or a 0 without affecting the resulting display.

Because the fan rotates in a counter-clockwise direction, the letters entered in the EEPROM are a mirror image of what will be displayed; that is, when displaying a message, the controller starts at the end of a message, and works its way backwards. So, the first five bytes in the first message tell the controller how to display the letter “E”, although if you visually mapped out the bit patterns for these five bytes, you would see that the “E” is actually backwards (again, it needs to be a mirror image of what should be displayed).

To help visualize this, take a look at how to display the letter “E”. First, map out a mirror image of the letter on a 5×7 grid:

00000  <- Low order bits
    0
    0
00000  <- This row of bits will be ignored
00000
    0
    0
00000  <- High order bits

Now, fill in everything else with 1′s:

00000  <- Low order bits
11110
11110
00000  <- This row of bits will be ignored
00000
11110
11110
00000  <- High order bits

The resulting hex values for each column of bits is, from left to right:

0×66,0×66,0×66,0×66,0×00
 

And the resulting image that will be displayed by the fan is:

00000
0
0
00000
0
0
00000

In order to make it easier to load new text onto the Cenzic fan, I wrote a Python script to translate ASCII text into a data dump that can be loaded into the fan’s EEPROM using PonyProg. Currently it only supports uppercase letters and smileys, but if you understand the above description, it’s easy enough to modify the script to produce any pattern you’d like. Usage is fairly straightforward; to generate a message that displays “Hello World”:

C:\>python ascii2cenzic.py hello world > hello.bin
 

The resulting hello.bin file can then be opened with PonyProg and written to the EEPROM chip:

Configure PonyProg I/O Settings

Write Data To EEPROM

The obvious solution was to build a small AM transmitter and modulate the signal with the audio output from my computer. I built a very simple, low-cost, low-power AM transmitter:

Simple AM transmitter schematic

However, I had some self-imposed restrictions to overcome:

1. The receiver could not pick up the low-power transmitter unless the two were right next to each other.
2. A larger antenna would improve reception, but I didn’t want to have a large piece of wire hanging off the back of the radio since I planned on placing it in the living room.
3. Adding an amplifier to the transmitter would improve reception, but would make the circuit more complex; more importantly, I would have to be careful about the FCC’s part 15 rules.
4. I didn’t want to put a computer in the living room – most of the ones that I have laying around are noisy, so it would be best to keep the audio source (computer) in the basement.

I needed a way of relaying (preferably legally, cheaply and simply) the audio from the computer in the basement up to the AM transmitter located just behind the receiver. After considering several possibilities, I finally settled on using a baby monitor set to do the relay. My wife picked up this set from Target, which sells for $20, claims a 600+ foot range and operates on 49MHz:

Safety 1st Baby Monitors

They aren’t Hi-Fi by any means, but neither is the Crosley. Besides, $20 for a TX/RX pair is about as cheap as it gets. The transmitter was easily modified to accept a direct audio line in by replacing the electret microphone with a 20dB attenuator and 1/8″ stereo jack; I simply drilled out the mic hole to accommodate the line input jack:

Relay transmitter with 20dB attenuator

Relay transmitter exterior view

For the receiver, I just replaced the speaker with a 1/8″ line out jack:

Relay receiver with line out jack

Relay receiver exterior view

Initially I tried placing the AM transmitter in the relay receiver enclosure and powering them both from the same 9v wall wart, but this resulted in nothing but heavy static feeding into the AM transmitter. Instead, I enclosed the AM transmitter in a separate case and powered it off an external battery; given that the AM transmitter draws a relatively low 50mA of current, this was an acceptable compromise:

AM transmitter assembled in case

The primary audio source for the transmitter is my PC, but I also wanted to be able to re-transmit CD, cassette and FM radio programs as well. I’m using an old Pioneer SX-2300 stereo to manage the audio sources; the Pioneer, cassette deck and CD player were all pulled from the dumpster:

Transmitting station

Here you can see the audio output of the baby monitor connected to the audio input of the AM transmitter, and the RF output of the AM transmitter connected to the antenna input of the Crosley. Radio, “the way it used to be” (more or less):

Get the Flash Player to see this player.

But what if you want to use WPA and allow anyone to connect to your WiFi network? Well, you’d simply have to keep pusing the WPS button once every two minutes (WPS has a two minute time-out period). Granted, there probably aren’t many (any?) legitimate uses for this, but it would be a great opportunity for some nefarious individual: with such a system in place, he can always get in no matter how strong you make your WPA key.

This hack is very simple; you just have to create a circuit that “pushes” the WPS button on the router. With some routers, such as Linksys, you can simply short out the pins on the WPS button, causing WPS to remain permanently on. This can be done very easily using the foil wrapper from a stick of gum; note that since WPS will always be activated, the WPS LED will be constantly blinking, so it’s probably a good idea to cover up the LED:

Placing the foil in the Linksys' case

When the board is placed back in the case, the foil shorts the pins on the WPS button

Use the remaining foil to cover up the WPS LED

Although a simple hack, using gum to back door a router is not the best solution. In the routers tested, the gum hack only worked on our Linksys router; the rest require us to push, hold, and release the WPS button before they would activate WPS. Even in the Linksys device, this is a non-stealthy hack, as the administrative interface will (rather obnoxiously) indicate that WPS is activated whenever an administrator logs in to view the wireless settings.

A far better solution can be found by using a simple NE555 timer circuit. The push buttons are typically configured with one contact connected to ground, and the other contact connected to something else that reads the button’s state. Using an NE555, we can connect the non-ground pin on the button to ground for a second or two, and then return the pin to it’s open state. The following circuit will push the WPS button for 1.5 seconds every 2.5 minutes:

NE555 Schematic

Vcc and ground are connected to the router’s DC power supply. Since the 555 can be powered from a wide range of voltage sources (4.5v – 16v), no voltage regulator should be required (routers typically run off of 5 – 12 volt DC power adapters). Conn1 is connected to the non-grounded pin on the WPS button.

The output (pin 3) stays high for 2.5 minutes and goes low (i.e., is grounded) for 1.5 seconds. D1 ensures that there is no charge flowing into pin 3 (probably not likely, but we don’t know exactly what the WPS button is connected to). When pin 3 goes low, it effectively grounds the button connected to Conn1; resistor R3 limits any current flowing through D1 during this period. The circuit can be modified to stay high for much longer periods of time by increasing the value of the R1 resistor.

Although the NE555 is not very precise when used to time long periods, precision is not really a concern in this application, so activating WPS once every 10-12 hours is possible. This has the added benefit of making such a back door more difficult to detect; WPS has a two minute time out period (if no client is found within two minutes, the router stops looking for a client until the button is pushed again), so the light will only be blinking for two two-minute intervals throughout a 24 hour period.

Below are pictures of the above circuit connected to several routers from various vendors. Since the WPS button works the same way on basically all routers, this circuit is a universal hardware back door for practically any router that has WPS support:

The circuit connected to a Linksys WRT160N

The circuit connected to a D-Link DIR-628 The circuit soldered up and placed inside a Belkin router

The circuit soldered up and placed inside a Belkin F5D8233-4v3

Now, you just wait for WPS to be activated (WPS state can be passively monitored real-time using WPSpy) and use a WPS-capable WiFi card (or software) to retrieve the key:

Using a Belkin WiFi card to retrieve the WPA key via WPS