Reverse Engineering
Reverse engineering in the UAE for electronics, communication protocols and fiber-optic links.
When the original drawings are gone, the supplier has vanished, the firmware is locked or the protocol was never documented — SAS Middle East FZC rebuilds the missing knowledge. We work on PCBs, ICs, controllers, encoders, drives, sensors, gateways, fiber-optic links and proprietary serial frames for customers across the UAE and GCC. Technically, we have no limits: if a signal can be probed, captured or measured, we can decode and reproduce it.
Reverse-Engineering Snapshot
SAS Middle East FZC
PCB & Schematic Recovery
Multi-layer redraw with verified netlist
Protocol Decoding
CAN, UART, SPI, I²C, RS-485, Modbus, EtherCAT, fiber
Firmware & Logic
Extraction, analysis, behavioral replication
Core Capabilities
End-to-end reverse engineering for electronics, firmware and industrial communication.
Every project starts the same way: capture the original signal, document the original behavior, then build a fully understood, fully reproducible replacement. Below are the disciplines we combine on every engagement.
PCB Reverse Engineering
Multi-layer PCB redrawing, copper-trace reconstruction, X-ray analysis for buried vias and BGA balls, layer-by-layer scanning and a fully verified netlist that matches the physical board.
Schematic Recovery
Convert an unknown board into a clean, hierarchical schematic in Altium, KiCad or Eagle. Identify nets, power planes, decoupling strategy, clock domains and signal-integrity choices made by the original designer.
Component Identification & BOM
Decode unmarked, sanded or rebranded ICs (house-marked, EOL, MIL-spec). Cross-reference to active equivalents, build a manufacturable BOM and propose authorized sourcing strategies to defeat obsolescence.
Firmware Extraction & Analysis
JTAG / SWD / BDM / ISP / UART boot-loader extraction, EEPROM & SPI/QSPI flash dumping, glitch-resistant readout where authorized. Disassembly with Ghidra / IDA, control-flow recovery and behavioral documentation.
Protocol & Signal Decoding
Logic-analyzer, oscilloscope and bus-sniffer captures decoded into frame structures, state machines and message dictionaries. Custom Python & C decoders for any framing — including RMT-style timed pulse streams.
Fieldbus & Industrial Network RE
CAN, J1939, CANopen, ISOBUS, NMEA 2000, LIN, Modbus RTU/TCP, PROFIBUS DP, PROFINET, EtherNet/IP, EtherCAT, Powerlink, BACnet, KNX, M-Bus, HART, IO-Link — full packet capture, replay and OEM-proprietary frame reverse-engineering.
Encoder, Drive & Motor-Feedback RE
Decode incremental, SSI, BiSS-C, EnDat 2.x, Hiperface, Resolver and OEM-proprietary serial encoders. Recreate timing, CRC and command sets to integrate or replace obsolete servo and CNC feedback chains.
Fiber-Optic Link RE
Identify wavelength, modulation, line coding (8b/10b, 64b/66b, Manchester) and frame format on optical links. Decode SFP/SFP+/QSFP behavior and proprietary serial-over-fiber buses; rebuild the link with COTS or custom optics.
RF & Wireless Signal Analysis
SDR-based capture of sub-GHz, 2.4 GHz, BLE, LoRa, Zigbee, proprietary ISM and industrial wireless. Demodulation, packet structure recovery and replay for legitimate maintenance and interoperability.
Security & Safety Assessment
Identify weak authentication, hard-coded keys, unencrypted firmware, exposed debug ports and protocol-level injection paths in OT equipment — so we can fix them or recommend secure replacements.
Obsolete-System Replacement
Drop-in modern hardware that talks the original protocol on one side and a current protocol on the other — built on the SAS IntelliLink™ platform when it fits, or as a custom design when it doesn’t.
Spec Reconstruction & Documentation
Re-create the missing datasheet: timing diagrams, register maps, message catalogs, electrical limits and test procedures — so your maintenance team owns the knowledge, not just the box.
Supported Buses, Protocols & Signals
If it carries data, we can capture, decode and reproduce it.
The list below is not exhaustive — it is what we use most. New or proprietary protocols are added on every project. Tell us what you have, and we’ll tell you how we’ll decode it.
CAN Family
Classic CAN 2.0A/B, CAN-FD, J1939, CANopen, ISOBUS, NMEA 2000, DeviceNet and OEM-proprietary CAN. Bit-timing analysis, CRC verification and PGN/SPN reconstruction.
Serial & UART Family
UART, LIN, RS-232, RS-422, RS-485, multidrop serial, MIDI, SDI-12. Auto-baud detection, framing recovery, parity/stop-bit identification and full byte-stream decoding.
Embedded Buses
SPI, QSPI, I²C, I3C, 1-Wire, SMBus, PMBus, parallel memory buses, I²S, TDM audio — on-board chip-to-chip traffic and external sensor links.
Industrial & Fieldbus
Modbus RTU / ASCII / TCP, PROFIBUS DP, PROFINET, EtherNet/IP, EtherCAT, Powerlink, SERCOS III, AS-i, HART, IO-Link, BACnet MS/TP and BACnet IP.
Building & Metering
KNX/EIB, DALI, M-Bus (wired and wireless), DMX-512, Modbus over RS-485 for HVAC/BMS, OPC UA & OPC DA integration.
Motor & Encoder Feedback
A/B/Z TTL & HTL, 1 Vpp Sin/Cos, SSI, BiSS-C, EnDat 2.1/2.2, Hiperface, Resolver and OEM-proprietary serial encoder protocols.
Pulse & Timed Signals (RMT-style)
IR remote codes, NEC / RC-5 / RC-6 / Sony SIRC, ESP32 RMT-style streams, stepper pulse trains, PWM-encoded telemetry and custom pulse-width / pulse-position modulation.
Wireless & RF
BLE, Zigbee, Thread, LoRa / LoRaWAN, Wi-Fi management frames, proprietary sub-GHz ISM, NFC/RFID (LF/HF/UHF) and industrial 2.4 GHz telemetry.
Fiber & High-Speed Serial
Manchester, NRZ, 8b/10b and 64b/66b line coding on copper or fiber, SFP/SFP+/QSFP modules, SerDes lanes, proprietary serial-over-fiber control buses and optical encoder feedback.
Host & Device Buses
USB 2.0/3.x (LS/FS/HS/SS), SDIO/eMMC, PCIe link-layer behavior, JTAG / SWD / BDM debug chains and parallel address/data buses on legacy controllers.
Engagement Method
A repeatable, auditable reverse-engineering workflow.
Reverse engineering is not guesswork. We follow a documented method on every project so that what we deliver can be verified, maintained and extended — long after the original equipment is gone.
1. NDA & Scope
Mutual NDA, written confirmation that you own or are authorized to service the equipment, and a sharp scope: what must be recovered, what must be replaced, what success looks like.
2. Capture & Characterize
Bench setup with logic analyzer, oscilloscope, bus sniffer, SDR or optical tap. Power-rail mapping, clock recovery, signal-integrity check and clean reference captures.
3. Decode & Document
Frame structure, addressing, CRC, timing and command set extracted into a written specification. Symbol tables, register maps and state diagrams reviewed with you.
4. Rebuild & Validate
Replacement hardware, drop-in firmware or protocol bridge. Bit-accurate side-by-side comparison against the original on a real machine before sign-off.
5. Handover
Schematics, BOM, Gerbers, firmware sources, protocol spec and test procedures — delivered in editable formats. Your team can build the next unit without us.
6. Long-Term Support
Spare-parts continuity, design revisions, security patches and protocol extensions. We stay reachable for the lifetime of the equipment.
Where Reverse Engineering Pays Off
Typical industrial scenarios we handle every month.
Discontinued control board on a critical machine
Single point of failure, no spares, supplier closed. We redraw the schematic, identify a modern equivalent for every component and deliver a manufacturable drop-in replacement with documented test procedures.
OEM CAN protocol with no public documentation
Dual-CAN capture on the live machine, frame clustering, CRC discovery and command-set identification. Decoded into a clean message catalog and exposed over OPC UA / MQTT for plant integration.
Obsolete serial encoder on a CNC retrofit
Proprietary serial feedback decoded, timing and CRC reproduced, and the SAS IntelliLink™ Encoder Bridge configured as a transparent replacement — without touching the drive or the control.
Proprietary fiber-optic remote-I/O bus
Optical tap, wavelength & modulation analysis, line-code identification and frame reconstruction. Custom transceiver firmware that talks the original link on one side and EtherCAT on the other.
Locked controller with no source code
Authorized firmware extraction via debug port, disassembly, behavioral mapping and reproduction of the original control law in a maintainable codebase — with a clear upgrade path for safety and security.
Timed-pulse remote control on legacy equipment
Pulse-width / pulse-position stream captured, decoded into commands and reproduced with a modern microcontroller — lost remotes replaced, broken IR sections bypassed, integration into the plant control made possible.
Why SAS
Hardware, firmware and protocol expertise — in one team.
No technical limits
Copper, fiber or wireless. 1-bit pulse or 10-gigabit serial. 8-bit MCU or modern SoC. We pick the right tool and the right discipline for the job.
Strict confidentiality
Mutual NDA before any data is shared. Captures and recovered documentation stay on isolated hardware and are delivered only to you.
From decode to deployment
We don’t stop at a PDF. We deliver the replacement board, the bridge, the firmware or the integration — running on your real machine.
SAS IntelliLink™ platform
When a project fits, we leverage our own hardware family — PSCU-V6, Encoder Bridge, AI Hardware Interface — for faster delivery and lower lifecycle risk.
Verifiable results
Every recovered protocol or replacement board is bench-validated against the original. You receive the captures, the diffs and the test reports.
Compliant by default
We only work on equipment you own or are authorized to service. Outputs target interoperability, maintenance and security — not IP theft.
Frequently Asked
Reverse engineering — common questions.
Is reverse engineering legal in the UAE?
For interoperability, maintenance, spare-parts continuity and security assessment on equipment you legally own or are authorized to service: yes. We require written confirmation of ownership / authorization and a mutual NDA before any work begins. We do not copy protected IP for resale.
I only have the broken board. Can you still help?
Yes. We routinely work from a single physical sample — even with cracked PCBs, missing components or de-marked ICs. X-ray, microscope and electrical probing fill in the gaps.
Can you do it without taking the machine offline?
In most cases yes. Bus sniffers, optical taps and passive logic analyzers capture live traffic without interrupting production. Intrusive work is scheduled around your maintenance windows.
What about encrypted firmware or secure boot?
Where the manufacturer has locked the device and you do not have legal authorization to defeat that protection, we will say so and propose alternatives — behavioral replication, protocol-bridge replacement or a clean-room redesign.
Do you handle fiber-optic links?
Yes. We characterize wavelength, modulation and line coding on optical links, identify SFP/SFP+/QSFP behavior and rebuild the link with COTS or custom optics.
What do I receive at the end?
Editable schematics, Gerbers, BOM, firmware sources, written protocol specification, test procedures and — when in scope — a working replacement device validated on your real equipment.
Have a mystery board, an undocumented protocol or an obsolete system?
Send us photos, a high-level description and (if you have it) a sample capture. We’ll come back with a feasibility assessment, a recommended approach and a transparent project plan.