Breaking Open The Quirky Nimbus

Nimbus

The Nimbus is a little Internet-connected device put out by a company called Quirky. It features four analog dials, each with graphic LCDs, with WiFi connectivity to show you how many tweets you’ve made in the past day. You know, in case you forgot, or something.

[Edu] didn’t find the social media-oriented Nimbus very useful, but Internet connected analog gauges are just so cool, so out came the screwdriver and the writing of new firmware commenced.

Inside the Nimbus there’s an SPI Flash, PIC micro, and an Electric Imp, a tiny ARM microcontroller and WiFi adapter stuffed inside an SD card. The Imp is always tied to a cloud service, in this case, a Quirky-lined cloud, but the folks at Quirky were keen to help [Edu] in his quest for better firmware.

After figuring out all the traces, [Edu] wrote a simple firmware that can control everything there is to control – the dials, displays, two buttons, and a speaker. So far he’s put some graphics on the display and PWM’d the theme from Monkey Island. This is just scratching the surface of what the device can do – [Edu] can still make use of the WiFi connectivity, and those dials can do much more than spin around in circles.

Monkey Island video below.

Comments

  1. Rob Thomas says:

    Wow, what a great post, and more importantly what an amazing company to unlock the device for hacking

  2. kag says:

    >Inside the Nimbus there’s an SPI Flash, PIC micro, and an Electric Imp
    >Electric Imp

    go to hell with that crap.

  3. Gronk says:

    If he could get this connected to IFTTT then quirky would have a much broader market to sell this device. A physical status board like Panic

  4. Indyaner says:

    The Site is not loading for me.
    “Error establishing a database connection”

    • I think we gave it the HaD hug of death…

    • Yeah, sorry about that. After this article went public, I’ve had ~150 bots attacking my site every second, and sadly I don’t have that much control over the server. I’m trying to do a migration to mitigate this.

      • Greenaum says:

        There are bots that follow HAD links? HAD should feel a little responsible, tho it’s not their fault. Perhaps you need to start munging the links, or adding some clever intermediate server, or something. It’s bad enough that interested humans end up HADding small websites without hearing that some buttholes are using it to send attack bots after.

        Or is it a case of them going through Google or other sites that link to HAD? I suppose you can’t help being popular. This would be worth study by people who know networking.

        • Well, I had ~150 IPs trying to load ajax-admin.php every second, with an HTTP referrer of my blogpost (the same linked here), supposedly to not raise any alarms. This happened just after the HAD post (thanks btw!), so I very much doubt it was just a coincidence :).

          Anyway, I’ve setup an emergency copy at another host with some horrible theme, but at least it works :). Let’s hope the DNS propagation is fast enough!

          • David says:

            Doesn’t every access to a WordPress site load ajax-admin.php?

          • I think so, although I think it depends on the plugins. But in this case, the same IPs repeatedly POSTing to ajax-admin.php during more than an hour… No, that wasn’t just someone trying to read my page, I don’t have such hardcore fans ;)

        • > Perhaps you need to start munging the links, or adding some clever intermediate server

          Yeah, that would be useful, but I can’t even imagine the volume of comments saying “hackaday is somehow profiting off this practice” and “hackaday’s against an open internet”.

          I’ve been told to kill myself for suggesting readers turn off adblock.

  5. Brett_cgb says:

    After reading up on the IMP and PIC, I suspect you could simply remove the IMP, and assume communications with the PIC (requires wiring in another controller, but it’s I2C – only 2 wires (3 counting gnd)). No need to “un-bless” the imp.

    Without being able to probe live I2C communications, you might have a difficult time reverse engineering the I2C commands.

    That all might be moot. You’ve apparently already reverse engineered the the displays and at least one indicator.

    There’s usually more than one way to skin a cat….

    • Yeah, you can remove the imp and do the communications yourself, but that was not the point of my hack. I wanted to rewrite the firmware without having to modify the hardware, so others can reply my experiment with their Nimbus if they want to.

      Not sure about what do you mean with the I2C. I already have all the I2C codes for every display and gauge (not only the first one :))

      • Brett_cgb says:

        With the I2C commands/status between the IMP and PIC, a very minor hardware addition to the SCL and SDA lines would have made for a completely reversable hack.

        I haven’t seen any details regarding what’s on the I2C bus. There wasn’t anything published on your project page.

        I’d assumed the I2C bus connects to only the IMP and PIC, and that the PIC directly manages the displays and indicators. It seems that was a bad assumption. What does the PIC do?

        The PIC can reprogram itself (write to flash memory). A bootloader in the PIC would simply require a communications channel (I2C in this case) to provide the new firmware.

        I don’t suppose you downloaded the PIC’s program memory before overwriting it with your own code?

        • Well, as I said in the post, I didn’t include the I2C details because I didn’t want the post to grow too much.

          The IMP communicates with the PIC using I2C, and in turn, the PIC communicates with the dials and the displays using I2C as well.

          I haven’t modified the PIC code (check my post, I said that I didn’t know if that was possible from the IMP), but in the PCB there is an (empty) connector for doing ICP.

          If you remove the IMP and replace it with your own chip, you can still communicate with the PIC and make everything work the same.

          • Brett_cgb says:

            As stated previously…
            …There’s more than one way to skin a cat…
            (Although, why anyone would want to is beyond me.)

            I’m curious to see what else is inside.

    • Nova says:

      The IMP requires an external ROM to ascertain it’s unique unit ID, without it the imp is useless until you get a different registered ROM with unique ID, and if you swap a different IMP card in it will use that same ROM and redownload it’s original code. So they need to detach the serial number from their control basically.

  6. Kenz Dale says:

    Really cool hack, and judging by the comments on https://www.quirky.com/shop/596 it might actually make the device useful.

  7. Domenick says:

    Sweet article, Brian! It was great working with Edu. If you’re also interested in hacking the Nimbus, shoot us an e-mail at questions@quirky.com. Edu put in a lot of work rewriting the firmware, but we also have an open API that we can give you access to. We <3 hackers.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

Join 96,725 other followers