[Sprite_TM]’s Keyboard Plays Snake

Hackaday Prize judge, hacker extraordinaire, and generally awesome dude [Sprite_TM] spends a lot of time at his computer, and that means a lot of time typing on his keyboard. He recently picked up a board with the latest fad in the world of keyboards, a board with individually addressable LEDs. He took this board to work and a colleague jokingly said, “You’ve had this keyboard for 24 hours now, and it has a bunch of LEDs and some arrow keys. I’m disappointed you haven’t got Snake running on it yet.” Thus began the quest to put the one game found on all Nokia phones on a keyboard.

The keyboard in question is a Coolermaster Quickfire Rapid-I, a board that’s marketed as having an ARM Cortex CPU. Pulling apart the board, [Sprite] found a bunch of MX Browns, some LEDs, and a 72MHz ARM Cortex-M3 with 127k of Flash and 32k of RAM. That’s an incredible amount of processing power for a keyboard, and after finding the SWD port, [Sprite] attempted to dump the Flash. The security bit was set. There was another way, however.

Coolermaster is actively working on the firmware, killing bugs, adding lighting modes, and putting all these updates on their website. The firmware updater is distributed as an executable with US and EU versions; the EU version has another key. Figuring the only difference between these versions would be the firmware itself, [Sprite] got his hands on both versions, did a binary diff, and found only one 16k block of data at the end of the file was different. There’s the firmware. It was XOR encrypted, but that’s obvious if you know what to look for.
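The two observations in that paragraph can be reproduced on any pair of images. The following is an added example, not code from [Sprite]'s write-up: `diff_span` locates the region where two equally sized updater images differ, and `xor_period` shows why XOR over firmware stands out. It assumes a repeating key and a payload containing constant padding; the key and sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Smallest [start, end) span in which two equally sized images differ.
 * Returns 0 when the images are identical. */
int diff_span(const uint8_t *a, const uint8_t *b, size_t n,
              size_t *start, size_t *end)
{
    size_t i = 0, j = n;
    while (i < n && a[i] == b[i]) i++;
    if (i == n) return 0;
    while (j > i && a[j - 1] == b[j - 1]) j--;
    *start = i;
    *end = j;
    return 1;
}

/* Shortest shift p in 1..max_p at which the most bytes equal the byte
 * p positions later. Constant padding under a repeating XOR key repeats
 * with the key length, so that shift collects the most matches. */
size_t xor_period(const uint8_t *c, size_t n, size_t max_p)
{
    size_t best = 0, best_hits = 0;
    for (size_t p = 1; p <= max_p && p < n; p++) {
        size_t hits = 0;
        for (size_t i = 0; i + p < n; i++)
            hits += (c[i] == c[i + p]);
        if (hits > best_hits) { best_hits = hits; best = p; }
    }
    return best;
}

/* Constructed sample: 16 varied bytes, then 0xFF erased-flash padding,
 * all XORed with a made-up 4-byte key. */
size_t demo_period(void)
{
    static const uint8_t key[4] = { 0x5A, 0xC3, 0x19, 0x7E };
    uint8_t blob[64];
    for (size_t i = 0; i < sizeof blob; i++)
        blob[i] = (uint8_t)((i < 16 ? 7 * i + 3 : 0xFF) ^ key[i % 4]);
    return xor_period(blob, sizeof blob, 16);
}

int main(void)
{
    printf("likely key length: %zu\n", demo_period());
    return 0;
}
```

For a vendor, the takeaway is that XOR obfuscation gives a firmware image no confidentiality once two builds or any padded region are available.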

The firmware wasn’t complete, though; there were jumps to places outside the code [Sprite] had and a large block looked corrupted. There’s another thing you can do with an executable file: run it. With USBPcap running in the background while executing the firmware updater, [Sprite] could read exactly what was happening when the keyboard was updating. With a small executable that gets around the weirdness of the updater, [Sprite] had a backup copy of the keyboard’s firmware. Even if he bricked the keyboard, he could always bring it back to a stock state. It was time to program Snake.

The first part of writing new firmware was finding a place that had some Flash and RAM to store the new code. This wasn’t hard; there was 64k of Flash free and 28K of unused RAM. The calls to the Snake routine were modified from the variables the original firmware had. If, for example, the original keyboard had a call to change the PWM, [Sprite] could change that to the Snake routine.

Snake is fun, but with a huge, powerful ARM in a device that people will just plug into their computer, there’s a lot more you can do with a hacked keyboard. Keyloggers and BadUSB attacks are extremely possible, especially with firmware that can be updated from a computer. To counter that, [Sprite] added the requirement for a physical condition in order to enter Flash mode. Now, the firmware will only update for about 10 seconds after pressing the fn+f key combination.
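A physical-presence gate of the kind described above can be sketched as follows. This is an added example, not [Sprite]'s firmware: the names `flash_gate_t`, `gate_on_keys`, `gate_tick` and `gate_allow_flash` are hypothetical, and it assumes a free-running 32-bit millisecond tick counter.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define UNLOCK_WINDOW_MS 10000u  /* "about 10 seconds", per the article */

typedef struct {
    bool     armed;        /* set only by a physical key press */
    uint32_t armed_at_ms;  /* tick value when the combo was seen */
} flash_gate_t;

/* Called from the key-matrix scan, never from a USB handler, so the
 * host cannot arm the gate by itself. */
void gate_on_keys(flash_gate_t *g, bool fn_down, bool f_down, uint32_t now_ms)
{
    if (fn_down && f_down) {
        g->armed = true;
        g->armed_at_ms = now_ms;
    }
}

/* Run from the periodic tick so a stale arm cannot look "recent" again
 * when the 32-bit counter wraps (about 49.7 days at 1 kHz). Unsigned
 * subtraction keeps the elapsed time correct across the wrap itself. */
void gate_tick(flash_gate_t *g, uint32_t now_ms)
{
    if (g->armed && (uint32_t)(now_ms - g->armed_at_ms) >= UNLOCK_WINDOW_MS)
        g->armed = false;
}

/* Called when the host requests flash mode: refuse unless the combo
 * was pressed inside the window. */
bool gate_allow_flash(flash_gate_t *g, uint32_t now_ms)
{
    gate_tick(g, now_ms);
    return g->armed;
}

int main(void)
{
    flash_gate_t g = { false, 0 };
    printf("before combo: %d\n", gate_allow_flash(&g, 500));
    gate_on_keys(&g, true, true, 1000);
    printf("4 s after combo: %d\n", gate_allow_flash(&g, 5000));
    printf("10 s after combo: %d\n", gate_allow_flash(&g, 11000));
    return 0;
}
```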

There’s more to playing Snake on a keyboard; Sprite has also written a new lighting mode, a fluid simulation thingy that will surely annoy anyone who can’t touch type. You can see the videos of that below.


Hackaday Munich Speaker: Sprite_TM

Plans for Hackaday Munich are coming along quite nicely. Today we’re happy to announce that [Sprite_TM] will be speaking at the event. Click that link above and make sure you get your tickets for November 13th. You can do some hands-on hacking at the Embedded Hardware Workshop, hear the talks, find out which of the five finalists will be the grand prize winner, and enjoy The Hackaday Prize Party along with the Hackaday crew.

You may also know [Sprite_TM] as [Jeroen Domburg], one of the judges for The Hackaday Prize. That’s him on the left in the image above (we love a good avatar!). If you follow Hackaday, you should already be thrilled about meeting him and hearing his talk. The last talk we remember reading about was an epic hard drive controller hack. Just last month we saw a well-executed clock radio overhaul from him. While we’re on the topic, his micro-bots were a spectacular project.

[Sprite_TM] has also offered to help out with the reverse engineering workshop. We’re hard at work making sure everything is in place for those afternoon hacking events. As we solidify details we’ll be adding workshop pages (and emailing those already registered for Hackaday Munich) to let everyone know what to expect. We can report that we have shipped [Sprite_TM] a Bus Pirate so that he can be familiar with it. This will be the primary tool provided for this particular workshop.

The entire Hackaday crew is looking forward to it. See you there!

[Sprite_TM] Puts Linux in a Clock Radio

[Sprite] needs an alarm clock to wake up in the morning, and although his phone has an infinitely programmable alarm clock, his ancient Philips AJ-3040 has never failed him. It’s served him well for 15 years, and there’s no reason to throw it out. Upgrading it was the only way, with OLED displays and Linux systems inside this cheap box of consumer electronics.

After opening up the radio, [Sprite] found two boards. The first was the radio PCB, and the existing board could be slightly modified with a switch to input another audio source. The clock PCB was built around an old chip that used mains frequency as the time base. This was torn out of the enclosure along with the old multiplexed LCD.

A new display and brain for the clock was needed, and [Sprite] reached into his parts drawer and pulled out an old 288×48 pixel OLED display. When shining through a bit of translucent red plastic, it can be a reasonable facsimile of the old LEDs. The brains of the clock would be a Carambola Linux module. After writing a kernel module for the OLED, [Sprite] had a fully functional Linux computer that would fit inside a clock radio.

After having a board fabbed with the power supplies, I2C expanders, USB stereo DAC, and SPI port for the OLED, [Sprite] had a clock radio that booted Linux on an OLED screen. In the video below, [Sprite] walks through the functions of the clock, including setting one of the many alarms, streaming audio from the Internet, and changing the font of the display. There’s also a web UI for the clock that allows alarms to be set remotely – from a phone, even, if [Sprite] is so inclined.


Judge Spotlight: Sprite_TM


His friends call him [Jeroen], but everyone else on the Internet knows this god of hacks and mods as [Sprite_TM]. He’s done everything from hacking hard drive controllers to making the best computer ever made even better. As one of the preeminent hardware hackers around, we’re proud to have [Sprite] as a judge in The Hackaday Prize, and happy to interview him on his thoughts on connected devices, the cloud-based Internet of Things, and his process of opening up black box devices for some sometimes subtle modifications.


You’re well known for your highly technical electronic hacks on your blog SpritesMods. What about the professional side of your life, what kind of projects keep you busy there?

I’m a software developer for a big broadcasting equipment manufacturer. Every now and then a hardware project comes along and I try to grab those too.


[Sprite_TM] OHM2013 Talk: Hacking hard drive controller chips

Even if he hadn’t done any firmware hacking on this hard drive, [Sprite_TM’s] digital exploration of the controller is fascinating. He gave a talk at this year’s Observe, Hack, Make (OHM2013), a non-commercial, community-run event in the Netherlands, and we can’t wait for the video. But all the information on how he hacked into the three-core controller chip is included in his write-up.

[Sprite_TM] mentions that you’re not going to find datasheets for the controllers on these drives. He got his foot in the door after finding a JTAG pinout mentioned on a forum post. The image above shows his JTAG hardware which he’s controlling with OpenOCD. This led him to discover that there are three cores inside the controller, each used for a different purpose. The difference between [Sprite_TM’s] work and that of mere mortals is that he has a knack for drawing surprisingly accurate conclusions from meager clues. To see what we mean, check out the memory map for the second core which he posted on page 3 of his article.

Using JTAG he was able to inject a jump into the code (along with a filler word to keep the checksum valid) and run his own code. To begin the firmware hacking portion of the project he pulled the flash ROM off of the board and installed it on that little board sticking out on the left. This made it easy for him to back up and reflash the chip. Eventually this let him pull off the same proof of concept as a firmware-only hack (no JTAG necessary). He goes on to detail how an attacker who has root access could flash hacked firmware which compromises data without any indication to the system admin or user. But we also like his suggestion that you should try this out on your broken hard drives to see if you can reuse the controllers for embedded projects. That idea is a ton of fun!

When we were poking around the OHM2013 website (linked above) we noticed that the tickets are sold out; good for them! But if you were still able to buy them they take Bitcoin as one payment option. Are there any other conferences that allow Bitcoin for registration?

[Sprite_tm] connects an LCD to a tiny Linux board

One of [Sprite_tm]’s colleagues recently challenged him to connect a small LCD touch screen to a Raspberry Pi. Sadly, [Sprite_tm] has yet to take delivery of a Raspberry Pi, but he did manage to connect an LCD to a Linux board without video capabilities.

Because [Sprite_tm]’s display has a 16-bit parallel interface, and 16 GPIO pins are hard to come by on the Carambola Linux board, a few shift registers had to be brought into the build to make the LCD work. These shift registers are connected to the Carambola board via an SPI interface; a very simple way to connect all the LCD pins to the Linux board.

Of course, there’s no way for Linux to speak to the LCD without a kernel driver; [Sprite_tm] wrote a framebuffer driver so the LCD can be used as a console, an X session, or used by any other program that can write to a framebuffer device.

Like all good driver authors, [Sprite_tm] is giving away the patch to enable SPI-ified LCD panels on the Carambola along with the shift register schematic. With any luck we’ll also see the Raspi drivers when [Sprite_tm] takes delivery of his Raspberry Pi.

[Sprite_tm]’s three-component FM transmitter

When the Regency TR-1 transistor radio came out onto the market in the 1950s, it was hailed as a modern marvel of microelectronics. With only four transistors and a handful of other components, the TR-1 was a wonder of modern engineering. [Sprite_tm] may have those old-timers beat, though. He built an FM transmitter with the lowest parts count of any transmitter ever.

Like most of [Sprite_tm]’s builds, it’s an unimaginably clever piece of work. [Sprite] overclocked the internal RC oscillator of an ATtiny45 to 24 MHz. After realizing the PLL running at four times the frequency of the oscillator was right in the middle of the FM band, he set about designing a tiny FM transmitter.

[Sprite_tm] remembered his work on MONOTONE and made a short song for his ATtiny. The firmware for the build takes the notes from his song and varies the 96 MHz PLL frequency a tiny bit, thereby serving as a tiny FM transmitter.

Does it work? Well, if you want to compare it to a Mister Microphone, the range is incredibly limited. That being said, it works. It’s an FM transmitter built out of a microcontroller and a battery, and that’s very impressive. Check out [Sprite_tm]’s demo after the break.
