Out of curiosity, I redrew the Supercon Vectorscope badge schematics in KiCad last year. As you might suspect, going from PCB to schematic is opposite to the normal design flow of KiCad and most other PCB design tools. As a result, the schematics and PCB of the Vectorscope project were not really linked. I decided to try it again this year, but with the added goal of making a complete KiCad project. As usual, [Voja] provided a well drawn schematic diagram in PDF and CorelDRAW formats, and a PCB design using Altium’s Circuit Maker format (CSPcbDoc file). And for reference, this year I’m using KiCad v8 versus v7 last year.

Importing into KiCad

This went smoothly. KiCad imports Altium files, as I discovered last year. Converting the graphic lines to traces was easier than before, since the graphical lines are deleted in the conversion process. There was a file organizational quirk, however. I made a new, empty project and imported the Circuit Maker PCB file. It wasn’t obvious at first, but the importing action didn’t make use the new project I had just made. Instead, it created a completely new project in the directory holding the imported Circuit Maker file. This caused a lot of head scratching when I was editing the symbol and footprint library table files, and couldn’t figure out why my edits weren’t being seen by KiCad. I’m not sure what the logic of this is, was an easy fix once you know what’s going on. I simply copied everything from the imported project and pasted it in my new, empty project.

While hardly necessary for this design, you can also import graphics into a KiCad schematic in a similar manner to the PCB editor. First, convert the CorelDRAW file into DXF or SVG — I used InkScape to make an SVG. Next do Import -> Graphics in the Kicad schematic editor. However, you immediately realize that, unlike the PCB editor, the schematic editor doesn’t have any concept of drawing layers. As a work around, you can instead import graphics into a new symbol, and place this symbol on a blank page. I’m not sure how helpful this would be in tracing out schematics in a real world scenario, since I just drew mine from scratch. But it’s worth trying if you have complex schematics.

Note: this didn’t work perfectly, however. For some reason, the text doesn’t survive being imported into KiCad. I attribute this to my poor InkScape skills rather than a shortcoming in KiCad or CorelDRAW. Despite having no text, I put this symbol on its own page in sheet two of the schematic, just for reference to see how it can be done.

Just like last year, the footprints in the Circuit Maker PCB file were imported into KiCad in a seemingly random manner. Some footprints import as expected. Others are imported such that each individual pad is a standalone footprint. This didn’t cause me any problems, since I made all new footprints by modifying standard KiCad ones. But if you wanted to save such a footprint-per-pad part into a single KiCad footprint, it would take a bit more effort to get right.

Recreating Schematics and Parts

After redrawing the schematics, I focused on getting the part footprints sorted out. I did them methodically one by one. The process went as follows for each part:

• Start with the equivalent footprint from a KiCad library
• Duplicate it into a local project library
• Add the text SAO to the footprint name to avoid confusion.
• Position and align the part on the PCB atop the imported footprint
• Note and adjust for any differences — pad size and/or shape, etc.
• Update the part in the project library
• Attach it to the schematic symbols in the usual manner.
• Delete the imported original footprint (can be tricky to select)

Some parts were more interesting than others. For example, the six SAO connectors are placed at various non-obvious angles around the perimeter. I see that [Voja] slipped up once — the angle between connectors 4 and 5 is at a definitely non-oddball angle of 60 degrees.

SAO Angle Difference
#1 326 102 6->1
#2 8 42 1->2
#3 61 53 2->3
#4 118 57 3->4
#5 178 60 4->5
#6 224 46 5->6

With all this complete, the PCB artwork consists of all new footprints but uses the original traces. I needed to tweak a few traces here and there, but hopefully without detracting too much from [Voja]’s style. Speaking of style, for those interested in giving that free-hand look to hand-routed tracks in KiCad, check the options in the Interactive Router Settings menu. Choose the Highlight collisions / Free angle mode and set the PCB grid to a very small value. Free sketch away.

Glitches

I used two photos of the actual board to check when something wasn’t clear. One such puzzle was the 3-pad SMT solder ball jumper. This was shown on the schematic and on the fully assembled PCB, but it was not in the Circuit Maker design files. I assumed that the schematics and photos were the truth, and the PCB artwork was a previous revision. There is a chance that I got it backwards, but it’s an easy to fix if so. Adding the missing jumper took a bit of guesswork regarding the new and adjusted traces, because they were hard to see and/or underneath parts in the photo. This redrawn design may differ slightly in appearance but not in functionality.

DRC checks took a little more iterating than usual, and at one point I did something to break the edge cuts layer. The irregular features on this PCB didn’t help matters, but I eventually got everything cleaned up.

I had some trouble sometimes assigning nets to the traces. If I was lucky, putting the KiCad footprint on top of the traces assigned them their net names. Other times, I had traces which I had to manually assign to a net. This operation seemed to work sporatically, and I couldn’t figure out why. I was missing a mode that I remember from another decade in a PCB tool, maybe PCAD?, where you would first click on a net. Then you just clicked on any number of other items to stitch them into the net. In KiCad it is not that simple, but understandable given the less-frequent need for this functionality.

You may notice the thru hole leads on the 3D render are way too long. Manufacturers provide 3D files describing the part as they are shipped, which reasonably includes the long leads. They are only trimmed at installation. The virtual technician inside KiCad’s 3D viewer works at inhuman speeds, but has had limited training. She can install or remove all through hold or SMT parts on the board, in the blink of an eye. She can reposition eight lamps and change the background color in mere seconds. These are tasks that would occupy a human technician for hours. But she doesn’t know how to trim the leads off of thru hole parts. Maybe that will come in future versions.

Project Libraries

I like to extract all symbols, part footprints, and 3D files into separate project libraries when the design wraps up. KiCad experts will point out that for several versions now this is not necessary. All (or most) of this information is now stored in the design files, alghouth with one exception — the 3D files. Even so, I still feel safer making these project libraries, probably because I understand the process.

KiCad can now do this with a built-in function. See the Export -> Symbols to New Library and Export -> Footprints to New Library in the schematic and PCB editors, respectively. These actions give you the option to additionally change all references in the design to use this new library. This didn’t work completely for me, for reasons unclear. Eventually I just manually edited the sch and pcb file and fixed the library names with a search and replace operation.

Hint: When configuring project libraries in KiCad, I always give them a nickname that begins with a dot. For example, .badge24 or .stumbler. This always puts project libraries at the top of the long list of libraries, and it makes it easier to do manual search and replaces in the design files if needed.

What about 3D files, you say? That isn’t built into KiCad, but have no fear. [Mitja Nemec] has you covered with the Archive 3D Models KiCad plugin. It was trivial to activate and use in KiCad’s Plugin and Content Manager.

All Done

In the end, the design passed all DRCs, and I could run Update PCB from Schematic... without errors. I went out on a limb and immediately placed an order for five PCBs, hoping I hadn’t overlooked something. But it’s only US$9.00 risk. They are on the way from China as I type this.

All the files can be found in this GitHub repo. If you find any errors, raise an issue there. I have not done this procedure for any of the SAO petals, but when I do, I will place a link in the repository.
Schematics showing jumper

Introduction

In May 2020, Bitdefender released a white paper containing a detailed analysis of Mandrake, a sophisticated Android cyber-espionage platform, which had been active in the wild for at least four years.

In April 2024, we discovered a suspicious sample that appeared to be a new version of Mandrake. Ensuing analysis revealed as many as five Mandrake applications, which had been available on Google Play from 2022 to 2024 with more than 32,000 installs in total, while staying undetected by any other vendor. The new samples included new layers of obfuscation and evasion techniques, such as moving malicious functionality to obfuscated native libraries, using certificate pinning for C2 communications, and performing a wide array of tests to check if Mandrake was running on a rooted device or in an emulated environment.

Our findings, in a nutshell, were as follows.

• After a two-year break, the Mandrake Android spyware returned to Google Play and lay low for two years.
• The threat actors have moved the core malicious functionality to native libraries obfuscated with OLLVM.
• Communication with command-and-control servers (C2) uses certificate pinning to prevent capture of SSL traffic.
• Mandrake is equipped with a diverse arsenal of sandbox evasion and anti-analysis techniques.

Kaspersky products detect this threat as
HEUR:Trojan-Spy.AndroidOS.Mandrake.*.

Technical details

Background

The original Mandrake campaign with its two major infection waves, in 2016–2017 and 2018–2020, was analyzed by Bitdefender in May 2020. After the Bitdefender report was published, we discovered one more sample associated with the campaign, which was still available on Google Play.

The Mandrake application from the previous campaign on Google Play

In April 2024, we found a suspicious sample that turned out to be a new version of Mandrake. The main distinguishing feature of the new Mandrake variant was layers of obfuscation designed to bypass Google Play checks and hamper analysis. We discovered five applications containing Mandrake, with more than 32,000 total downloads. All these were published on Google Play in 2022 and remained available for at least a year. The newest app was last updated on March 15, 2024 and removed from Google Play later that month. As at July 2024, none of the apps had been detected as malware by any vendor, according to VirusTotal.

Mandrake samples on VirusTotal

Applications

Mandrake applications on Google Play

We were not able to get the APK file for
com.brnmth.mtrx, but given the developer and publication date, we assume with high confidence that it contained Mandrake spyware.

Application icons

Malware implant

The focus of this report is an application named AirFS, which was offered on Google Play for two years and last updated on March 15, 2024. It had the biggest number of downloads: more than 30,000. The malware was disguised as a file sharing app.

AirFS on Google Play

According to reviews, several users noticed that the app did not work or stole data from their devices.

Application reviews

Infection chain

Like the previous versions of Mandrake described by Bitdefender, applications in the latest campaign work in stages: dropper, loader and core. Unlike the previous campaign where the malicious logic of the first stage (dropper) was found in the application DEX file, the new versions hide all the first-stage malicious activity inside the native library
libopencv_dnn.so, which is harder to analyze and detect than DEX files. This library exports functions to decrypt the next stage (loader) from the assets/raw folder.

Contents of the main APK file

Interestingly, the sample
com.shrp.sght has only two stages, where the loader and core capabilities are combined into one APK file, which the dropper decrypts from its assets.
While in the past Mandrake campaigns we saw different branches (“oxide”, “briar”, “ricinus”, “darkmatter”), the current campaign is related to the “ricinus” branch. The second- and third-stage files are named “ricinus_airfs_3.4.0.9.apk”, “ricinus_dropper_core_airfs_3.4.1.9.apk”, “ricinus_amber_3.3.8.2.apk” and so on.

When the application starts, it loads the native library:

Loading the native library

To make detection harder, the first-stage native library is heavily obfuscated with the OLLVM obfuscator. Its main goal is to decrypt and load the second stage, named “loader“. After unpacking, decrypting and loading into memory the second-stage DEX file, the code calls the method
dex_load and executes the second stage. In this method, the second-stage native library path is added to the class loader, and the second-stage main activity and service start. The application then shows a notification that asks for permission to draw overlays.
When the main service starts, the second-stage native library
libopencv_java3.so is loaded, and the certificate for C2 communications, which is placed in the second-stage assets folder, is decrypted. The treat actors used an IP address for C2 communications, and if the connection could not be established, the malware tried to connect to more domains. After successfully connecting, the app sends information about the device, including the installed applications, mobile network, IP address and unique device ID, to the C2. If the threat actors find their target relevant on the strength of that data, they respond with a command to download and run the “core” component of Mandrake. The app then downloads, decrypts and executes the third stage (core), which contains the main malware functionality.

Second-stage commands:

Third stage commands:

When Mandrake receives a
start_v command, the service starts and loads the specified URL in an application-owned webview with a custom JavaScript interface, which the application uses to manipulate the web page it loads.
While the page is loading, the application establishes a websocket connection and starts taking screenshots of the page at regular intervals, while encoding them to base64 strings and sending these to the C2 server. The attackers can use additional commands to adjust the frame rate and quality. The threat actors call this “vnc_stream”. At the same time, the C2 server can send back control commands that make application execute actions, such as swipe to a given coordinate, change the webview size and resolution, switch between the desktop and mobile page display modes, enable or disable JavaScript execution, change the User Agent, import or export cookies, go back and forward, refresh the loaded page, zoom the loaded page and so on.

When Mandrake receives a
start_i command, it loads a URL in a webview, but instead of initiating a “VNC” stream, the C2 server starts recording the screen and saving the record to a file. The recording process is similar to the “VNC” scenario, but screenshots are saved to a video file. Also in this mode, the application waits until the user enters their credentials on the web page and then collects cookies from the webview.
The
start_a command allows running automated actions in the context of the current page, such as swipe, click, etc. If this is the case, Mandrake downloads automation scenarios from the URL specified in the command options. In this mode, the screen is also recorded.
Screen recordings can be uploaded to the C2 with the
upload_i or upload_d commands.
The main goals of Mandrake are to steal the user’s credentials, and download and execute next-stage malicious applications.

Data decryption methods

Data encryption and decryption logic is similar across different Mandrake stages. In this section, we will describe the second-stage data decryption methods.

The second-stage native library
libopencv_java3.so contains AES-encrypted C2 domains, and keys for configuration data and payload decryption. Encrypted strings are mixed with plain text strings.
To get the length of the string, Mandrake XORs the first three bytes of the encrypted array, then uses the first two bytes of the array as keys for custom XOR encoding.

Strings decryption algorithm

The key and IV for decrypting AES-encrypted data are encoded in the same way, with part of the data additionally XORed with constants.

AES key decryption

Mandrake uses the OpenSSL library for AES decryption, albeit in quite a strange way. The encrypted file is divided into 16-byte blocks, each of these decrypted with AES-CFB128.

The encrypted certificate for C2 communication is located in the
assets/raw folder of the second stage as a file named cart.raw, which is decrypted using the same algorithm.

Installing next-stage applications

When Mandrake gets an
apk command from the C2, it downloads a new separate APK file with an additional module and shows the user a notification that looks like something they would receive from Google Play. The user clicking the notification initiates the installation process.
Android 13 introduced the “Restricted Settings” feature, which prohibits sideloaded applications from directly requesting dangerous permissions. To bypass this feature, Mandrake processes the installation with a “session-based” package installer.

Installing additional applications

Sandbox evasion techniques and environment checks

While the main goal of Mandrake remains unchanged from past campaigns, the code complexity and quantity of the emulation checks have significantly increased in recent versions to prevent the code from being executed in environments operated by malware analysts. However, we were able to bypass these restrictions and discovered the changes described below.

The versions of the malware discovered earlier contained only a basic emulation check routine.

Emulator checks in an older Mandrake version

In the new version, we discovered more checks.

To start with, the threat actors added Frida detection. When the application starts, it loads the first-stage native library
libopencv_dnn.so. The init_array section of this library contains the Frida detector function call. The threat actors used the DetectFrida method. First, it computes the CRC of all libraries, then it starts a Frida detect thread. Every five seconds, it checks that libraries in memory have not been changed. Additionally, it checks for Frida presence by looking for specific thread and pipe names used by Frida. So, when an analyst tries to use Frida against the application, execution is terminated. Even if you use a custom build of Frida and try to hook a function in the native library, the app detects the code change and terminates.
Next, after collecting device information to make a request for the next stage, the application checks the environment to find out if the device is rooted and if there are analyst tools installed. Unlike some other threat actors who seek to take advantage of root access, Mandrake developers consider a rooted device dangerous, as average users, their targets, do not typically root their phones. First, Mandrake tries to find a su binary, a SuperUser.apk, Busybox or Xposed framework, and Magisk and Saurik Substrate files. Then it checks if the system partition is mounted as read-only. Next, it checks if development settings and ADB are enabled. And finally, it checks for the presence of a Google account and Google Play application on the device.

C2 communication

All C2 communications are maintained via the native part of the applications, using an OpenSSL static compiled library.

To prevent network traffic sniffing, Mandrake uses an encrypted certificate, decrypted from the
assets/raw folder, to secure C2 communications. The client needs to be verified by this certificate, so an attempt to capture SSL traffic results in a handshake failure and a breakdown in communications. Still, any packets sent to the C2 are saved locally for additional AES encryption, so we are able to look at message content. Mandrake uses a custom JSON-like serialization format, the same as in previous campaigns.
Example of a C2 request:
node #1
{
uid "a1c445f10336076b";
request "1000";
data_1 "32|3.1.1|HWLYO-L6735|26202|de||ricinus_airfs_3.4.0.9|0|0|0||0|0|0|0|Europe/Berlin||180|2|1|41|115|0|0|0|0|loader|0|0|secure_environment||0|0|1|0||0|85.214.132.126|0|1|38.6.10-21 [0] [PR] 585796312|0|0|0|0|0|";
data_2 "loader";
dt 1715178379;
next #2;
}
node #2
{
uid "a1c445f10336076b";
request "1010";
data_1 "ricinus_airfs_3.4.0.9";
data_2 "";
dt 1715178377;
next #3;
}
node #3
{
uid "a1c445f10336076b";
request "1003";
data_1 "com.airft.ftrnsfr\n\ncom.android.calendar\n\[redacted]\ncom.android.stk\n\n";
data_2 "";
dt 1715178378;
next NULL;
}
Example of a C2 response:
node #1
{
response "a1c445f10336076b";
command "1035";
data_1 "";
data_2 "";
dt "0";
next #2;
}
node #2
{
response "a1c445f10336076b";
command "1022";
data_1 "20";
data_2 "1";
dt "0";
next #3;
}
node #3
{
response "a1c445f10336076b";
command "1027";
data_1 "1";
data_2 "";
dt "0";
next #4;
}
node #4
{
response "a1c445f10336076b";
command "1010";
data_1 "ricinus_dropper_core_airfs_3.4.1.9.apk";
data_2 "60";
dt "0";
next NULL;
}
Mandrake uses opcodes from 1000 to 1058. The same opcode can represent different actions depending on whether it is used for a request or a response. See below for examples of this.

• Request opcode 1000: send device information;
• Request opcode 1003: send list of installed applications;
• Request opcode 1010: send information about the component;
• Response opcode 1002: set contact rate (client-server communication);
• Response opcode 1010: install next-stage APK;
• Response opcode 1011: abort next-stage install;
• Response opcode 1022: request user to allow app to run in background;
• Response opcode 1023: abort request to allow app to run in background;
• Response opcode 1027: change application icon to default or Wi-Fi service icon.

Attribution

Considering the similarities between the current campaign and the previous one, and the fact that the C2 domains are registered in Russia, we assume with high confidence that the threat actor is the same as stated in the Bitdefender’s report.

Victims

The malicious applications on Google Play were available in a wide range of countries. Most of the downloads were from Canada, Germany, Italy, Mexico, Spain, Peru and the UK.

Conclusions

The Mandrake spyware is evolving dynamically, improving its methods of concealment, sandbox evasion and bypassing new defense mechanisms. After the applications of the first campaign stayed undetected for four years, the current campaign lurked in the shadows for two years, while still available for download on Google Play. This highlights the threat actors’ formidable skills, and also that stricter controls for applications before being published in the markets only translate into more sophisticated, harder-to-detect threats sneaking into official app marketplaces.

Indicators of Compromise

File Hashes
141f09c5d8a7af85dde2b7bfe2c89477
1b579842077e0ec75346685ffd689d6e
202b5c0591e1ae09f9021e6aaf5e8a8b
31ae39a7abeea3901a681f847199ed88
33fdfbb1acdc226eb177eb42f3d22db4
3837a06039682ced414a9a7bec7de1ef
3c2c9c6ca906ea6c6d993efd0f2dc40e
494687795592106574edfcdcef27729e
5d77f2f59aade2d1656eb7506bd02cc9
79f8be1e5c050446927d4e4facff279c
7f1805ec0187ddb54a55eabe3e2396f5
8523262a411e4d8db2079ddac8424a98
8dcbed733f5abf9bc5a574de71a3ad53
95d3e26071506c6695a3760b97c91d75
984b336454282e7a0fb62d55edfb890a
a18a0457d0d4833add2dc6eac1b0b323
b4acfaeada60f41f6925628c824bb35e
cb302167c8458e395337771c81d5be62
da1108674eb3f77df2fee10d116cc685
e165cda25ef49c02ed94ab524fafa938
eb595fbcf24f94c329ac0e6ba63fe984
f0ae0c43aca3a474098bd5ca403c3fca

Domains and IPs
45.142.122[.]12
ricinus[.]ru
ricinus-ca[.]ru
ricinus-cb[.]ru
ricinus-cc[.]ru
ricinus[.]su
toxicodendron[.]ru

securelist.com/mandrake-apps-r…

By the time you read this the Iowa-class battleship USS New Jersey (BB-62) should be making its way along the Delaware River, heading back to its permanent mooring on the Camden waterfront after undergoing a twelve week maintenance and repair period at the nearby Philadelphia Navy Yard.

The 888 foot (270 meter) long ship won’t be running under its own power, but even under tow, it’s not often that you get to see one of the world’s last remaining battleships on the move. The New Jersey’s return home will be a day of celebration, with onlookers lining the banks of the Delaware, news helicopters in the air, and dignitaries and veterans waiting eagerly to greet her as she slides up to the pier.

But when I got the opportunity to tour the New Jersey a couple weeks ago and get a first-hand look at the incredible preservation work being done on this historic ship, it was a very different scene. There was plenty of activity within the cavernous Dry Dock #3 at the Navy Yard, the very same slip where the ship’s construction was completed back in 1942, but little fanfare. Staff from North Atlantic Ship Repair, the company that now operates the facility, were laboring feverishly over the weekend to get the ship ready.

While by no means an exhaustive account of the work that was done on the ship during its time in Dry Dock #3, this article will highlight some of the more interesting projects that were undertaken while it was out of the water. After seeing the thought and effort put into every aspect of the ship’s preservation by curator Ryan Szimanski and his team, there’s no doubt that not only is the USS New Jersey in exceptionally capable hands, but that it will continue to proudly serve as a museum and memorial for decades to come.

A Fresh Coat of Paint

The primary goal of putting New Jersey into dry dock was to repaint the hull below the water line, something which had not been done since the ship was deactivated by the US Navy in 1990. Under normal circumstances this is the sort of routine maintenance that would be done every few years, but for a static museum ship, the recommended dry docking interval is 30 years. There was no indication that the hull was in particularly bad shape or in need of emergency repair — most of the work done during this yard period was preventative in nature.

The first step in this process was to remove the old paint, along with any biological growth and rust. Unfortunately, there’s no “easy” way to do this. The entire surface area of the underwater hull, totaling roughly 125,000 square feet (11,600 square meters), was painstakingly cleaned using ultra-high pressure washers operating at approximately 30,000 psi. In some areas, getting close enough to the surface of the hull meant putting workers up on a lift, but for the ship’s relatively flat bottom, personnel had to squat down and spray the surface over their heads.

As the ship is resting on around 300 “keel blocks”, this process had to be done in two separate phases. First, the approximately 90% of the hull that was not covered by the blocks was stripped, painted, and left to dry. Then the dry dock was flooded just enough to get the ship floating , so it could be pulled forward a few feet and dropped back down to uncover the areas of the hull that were previously covered.

Checking for Leaks

Even though the steel of the hull itself might be intact, a large ship will have many openings under the water line that can leak if not properly maintained. According to Ryan the New Jersey has about 165 such openings, ranging from tiny drain lines to massive seawater intakes. While the ship was in operation each one of them would have served an important purpose, but as a floating museum with essentially no operating hardware onboard, they’re a liability.

The easiest solution would have been to simply weld plates over all of them. But part of the arrangement that allows the New Jersey to operate as a museum is that the Navy has the right to take the ship back and reactivate it at any time. Admittedly it’s an unlikely prospect, but those are the rules.

Permanently blocking up all those critical openings would make the ship’s reactivation that much more difficult, so instead, each one was “boxed over” with a custom-made steel enclosure. The idea is that, should the ship ever need to return to operation, these boxes could easily be cut off without damaging the hull.

Only one of these boxes was known to be leaking before pulling New Jersey out of the water, but out of an abundance of caution, the integrity of each one was manually checked by pressurizing them with air. If the box held pressure, it was good to go. If it lost air, then it was sprayed with soapy water and closely inspected for bubbles. If there were no bubbles on the outside that meant the air was leaking into the ship through whatever the enclosed fitting was — a problem the Navy might need to address in World War Three, but not something the museum needed to concern themselves with.

Swapping Out Anodes

To help fight off corrosion ships use a technique known as cathodic protection, which essentially turns the steel of the hull into the cathode of a electrochemical cell. The surrounding water serves as the electrolyte, and blocks made of a metal with a high ionization tendency are mounted to the ship to act as the anode. As electrons flow through this circuit, the sacrificial anode dissolves, sparing the hull and other underwater gear such as the propellers.

New Jersey was fitted with 1,200 anodes when the Navy deactivated her, but unfortunately, they ended up being the wrong type. At the time it was assumed that the ship would be stored in a saltwater port as part of what’s known as the “Mothball Fleet”, so zinc anodes were used. There was no way to know that, a decade later, the ship would be transferred to the fresh waters of the Delaware River to live out the rest of its life as a museum.

Because of this, the zinc anodes didn’t corrode away as was intended. In fact when the dry dock was drained, it was revealed that the anodes were in nearly perfect condition. You could even still read the manufacturing info stamped into many of them. On the plus side, they’ll make for excellent souvenirs in the museum’s gift shop. But in terms of corrosion protection, they didn’t do a thing.

Luckily, fresh water is relatively forgiving, so the battleship didn’t suffer too badly for this lack of functioning cathodic protection. Even so, it was decided to install 600 aluminum anodes in place of the originals, which are more suitable for the conditions the ship is stored in.

Closing Off the Shafts

Before New Jersey went in for this yard period, there was some debate about removing its propellers and drive shafts. The idea being that the huge openings in the hull which the shafts pass through were a long-term liability. But not only would this have deviated from the museum’s overall goal of keeping the ship as intact as possible, it would have been a considerable undertaking.

Instead it was decided to seal off where the shafts pass through the hull with custom-made steel enclosures, much like the other openings on the bottom of the ship. In addition, the shafts were wrapped with fiberglass where they pass through the support brackets on the rear of the ship. The fiberglass isn’t expected to be a permanent solution like the steel boxes around the shafts, but should provide at least some measure of protection.

Lots and Lots of Caulk

One of the surprising things discovered upon inspecting the hull of New Jersey was that caulking had been applied to all the seams along the riveted hull plates. At least in theory, this shouldn’t be necessary, as the overlapping plates are designed to be watertight. But if the Navy thought it was worth the time and expense to do it, there must have been a reason.

Sure enough, a dive into the ship’s onboard reference library revealed a document from October of 1990 that described a persistent water intrusion issue on the ship. Basically, water kept getting inside the hull, but they couldn’t figure out where it was coming from. Although the Navy couldn’t actually find any leaks between the hull plates, the document went on to explain that the decision was made to caulk them all anyway in hopes that it would solve the issue.

Since the ship hadn’t been taking on any mysterious water while docked in Camden, it would appear the fix worked. As such, it was decided to re-caulk the roughly 18,000 linear feet (5,500 meters) of plate seams just like the Navy did in 1990. Since the manufacturer of the product was mentioned in the document, the museum was even able to get the exact same caulking used by the Navy 34 years ago.

Views From Dry Dock

Documentation for the Future

Walking along the ship’s massive hull, the projects I’ve listed here were the most obvious to even the untrained eye. But as I said at the start, this isn’t a complete list of the work done to the USS New Jersey during its dry docking. It’s hard to overstate the scale of the restoration work that was accomplished in such a short amount of time. It took years of planning by a team of very dedicated individuals to pull this off.

But you don’t have to take my word for it. Ryan Szimanski and his team have done an incredible job of documenting the entire dry docking process on the ship’s official YouTube channel. Putting all of this information out for the public to view and learn from will undoubtedly inform the restoration efforts on other museum ships going forward, but even if you don’t have a battleship in your backyard, it makes for fascinating viewing.

youtube.com/embed/jcScaxaF2PQ?…